Payment Card Industry (PCI) Compliance Solutions

1. Install and maintain a firewall configuration to protect cardholder data.

How does SecureWorks Help?

This requirement mandates the need to implement a sound firewall infrastructure to protect cardholder data from external access. SecureWorks’ Professional Services team can perform an assessment to identify the state of your current firewall and network architecture, identify any gaps, recommend solutions to these gaps and implement the changes necessary.

SecureWorks’ Managed Firewall service removes the burden of firewall management by providing you with a 24x7x365 team of experts. Our firewall experts will audit policies to ensure they align with PCI requirements, perform ongoing rule-set changes and monitor these devices for any signs of attack.

Our Security Monitoring service provides real-time monitoring for known and unknown threats across your firewall infrastructure by our security experts, while our Security Information Management service enables your team to perform this monitoring internally. All three of these services will deliver robust reporting through the secure, web-based SecureWorks Portal, enabling your team to easily demonstrate your compliance with this PCI DSS requirement.

• Security and Risk Consulting
• Managed Firewall
• Security Monitoring
• SIM On-Demand

2. Do not use vendor-supplied defaults for system passwords and other security parameters.

How does SecureWorks Help?

This requirement dictates that organizations must use sound password policies, such as not using vendor supplied passwords, and wireless and infrastructure configuration standards. SecureWorks' Professional Services can help you meet this requirement by conducting a Vulnerability Assessment of your environment to identify any weaknesses in your configuration practices including weak passwords, unnecessary services and rogue web servers. Our team of consultants can work with your organization to develop a secure configuration standard for all critical systems that is based on industry best practices.

Additionally, you can utilize our Vulnerability Scanning service to perform ongoing internal and external vulnerability scans to ensure your infrastructure remains secure. Using the SecureWorks Portal, you will be able to generate on-demand vulnerability reports that highlight any exposures and the actions your team has taken to eliminate them.

Additionally this requirement calls for your hosting providers to be secure as described in Appendix A of the PCI DSS. The services described in this document can apply to the hosting providers as well to help them become PCI compliant. Also, with their permission, we can provide security visibility into their environment through the SecureWorks Portal.

• Security and Risk Consulting
• Vulnerability Scanning

3. Protect stored cardholder data.

How does SecureWorks Help?

This requirement mandates rendering stored cardholder data unreadable if possible or implementing other compensating controls, such as preventing web application attacks, as outlined in Appendix B of the PCI DSS. SecureWorks' Professional Services can help you classify your assets and the data residing in them and help formulate a data protection strategy appropriate to your infrastructure.

Our Managed Intrusion Prevention and Detection service provides the prevention/detection controls identified in Appendix B to protect any data that cannot be encrypted. This service provides implementation of a commercial IPS/IDS technology or can be bundled with our award winning iSensor IPS technology to deliver superior protection in a cost-effective manner. Once implemented, our experts will manage these devices, including ongoing tuning, and monitor them to identify and respond to any threats. The SecureWorks Portal provides you with real-time visibility into your intrusion prevention and detection infrastructure including any alerts and the actions we have taken against them, while also delivering on-demand reports to demonstrate PCI compliance.

• Security and Risk Consulting
• Managed Intrusion Prevention and Detection

4. Encrypt transmission of cardholder data across open, public networks.

How does SecureWorks Help?

This requirement calls for all cardholder data to be encrypted during transmission over public or untrusted networks. SecureWorks' Professional Services can help you meet this requirement by assessing your current infrastructure to ensure all VPNs and wireless networks are configured properly to encrypt sensitive data, as well as identify any gaps in your data transmission flows that may leave sensitive information unencrypted.

SecureWorks' Managed Firewall service removes the burden of site-to-site VPN management by providing you with a team of experts to administer these devices. Our experts will also monitor your VPNs for any signs of malicious activity to respond before damage is done. All information is collected and presented to your team via the SecureWorks Portal, providing your team with real-time visibility and on-demand reporting to demonstrate PCI compliance.

SecureWorks' Email Encryption service will ensure all cardholder data is transmitted via encrypted email. This solution uses lexicons to identify any cardholder data being sent in unencrypted emails and will automatically encrypt the message. The solution is easy-to-use and requires very little end user training, making compliance with this requirement painless.

• Security and Risk Consulting
• Managed Firewall
• Email Encryption

5. Use and regularly update anti-virus software or programs.

How does SecureWorks Help?

This requirement mandates the use of anti-malware solutions to prevent all known types of malicious software from impacting your critical systems. SecureWorks Managed Intrusion Prevention and Detection service with our iSensor IPS appliance can provide an additional layer of defense against these types of attacks. iSensor contains anti-virus and anti-spyware engines to block this code before it enters your environment. Our experts will manage this infrastructure to ensure it is properly tuned and has the latest definitions, as well as monitor these devices in real-time, 24x7x365 for any signs of attack.

SecureWorks' Log Monitoring service provides a team of experts to monitor your anti-virus and anti-spam infrastructure to identify attacks before damage is done. Should you prefer to monitor this activity in-house, SecureWorks SIM On-Demand service provides the same event aggregation and correlation technology used by our experts as a service so that your team can analyze any threats that may occur. With both services, you will be provided with real-time security visibility and on-demand reports to demonstrate PCI compliance through the SecureWorks Portal.

• Managed Intrusion Prevention and Detection
• Security Monitoring
• SIM On-Demand

6. Develop and maintain secure systems and applications.

How does SecureWorks Help?

This requirement mandates the need to ensure your environment maintains current patch levels, you adhere to secure coding practices and that all web applications undergo periodic web application assessments. SecureWorks' Professional Services can help you meet this requirement by conducting periodic vulnerability assessments to ensure the security of your environment, perform web application assessments to identify any areas of concern across your web facing infrastructure including vulnerabilities that may lead to cross-site scripting attacks, buffer overflows, etc and work with your team to align your application development with secure coding best practices.

SecureWorks' Vulnerability Scanning service provides you with the ability to conduct periodic scans of your infrastructure to identify any potential vulnerabilities or out-of-date systems. SecureWorks' Threat Intelligence service provides you with new vulnerability and threat alerts tailored to your environment, which keeps your team on top of any new patches relevant to your systems. With both the Scanning and Intelligence services you will gain access to the SecureWorks Portal to generate on-demand reports to demonstrate PCI compliance.

• Security and Risk Consulting
• Vulnerability Scanning
• Threat Intelligence

7. Restrict access to cardholder data by business need-to-know.

How does SecureWorks Help?

This requirement mandates the need for organizations to implement proper identity and access management across systems that house cardholder information. SecureWorks' Professional Services can help you meet this requirement by working with your team to classify your systems and identify those that house cardholder information. Our consultants can then help your organization design an appropriate identity and access management strategy. The Professional Services team can also assess your infrastructure to ensure the proper access controls have been implemented in accordance with this PCI requirement.

SecureWorks' Log Monitoring service provides real-time monitoring of these systems by true security experts to ensure only authorized personnel gain access. SecureWorks' SIM On-Demand delivers the technology you need to perform monitoring of these systems as a service, should you choose to keep this function in-house. Both services provide you with access to the SecureWorks Portal where you will receive real-time visibility into the activity occurring on the systems housing cardholder information and on-demand reporting to demonstrate PCI compliance.

• Security and Risk Consulting
• Security Monitoring
• SIM On-Demand

8. Assign a unique ID to each person with computer access.

How does SecureWorks Help?

This requirement mandates the need for ensure that actions taken by known and authorized individuals with computer access can be monitored and traced. SecureWorks' Professional Services can help you meet this requirement by working with your team to develop and implement proper policies and procedures for assigning unique IDs and authentication measures. The Professional Services team can also assess your identification and authentication measures to ensure their effectiveness in protecting cardholder data and complying with PCI requirements for password management and authentication.

SecureWorks' Log Monitoring service provides real-time monitoring of access to systems in your environment. SecureWorks' SIM On-Demand delivers the technology you need to monitoring access to these systems as a service, should you choose to keep this function in-house. Both services provide you with access to the SecureWorks Portal where you will receive real-time visibility into the actions being taken by known and authorized individuals in your cardholder data environment as well as on-demand reporting to demonstrate PCI compliance.

• Security and Risk Consulting
• Security Monitoring
• SIM On-Demand

9. Restrict physical access to cardholder data.

How does SecureWorks Help?

This requirement dictates that organizations implement appropriate physical security controls to limit access to critical systems, proper visitor handling procedures and that organization have proper procedures when moving or destroying physical media where cardholder information is stored. SecureWorks' Professional Services can help you address this requirement by working with your team to identify areas where physical security controls must be implemented and testing controls to ensure compliance through social engineering and other tactics. The Professional Services team can also help you develop physical data handling and destruction procedures that align with industry best practices, such as those from the Department of Defense.

• Security and Risk Consulting

10. Track and monitor all access to network resources and cardholder data.

How does SecureWorks Help?

This requirement calls for companies to implement logging mechanisms across all network, security and server infrastructure that houses or handles cardholder information and monitor the logs for any violations. SecureWorks' Log Monitoring service provides real-time log aggregation, correlation and analysis across any security device or critical information asset. All logs and alerts are monitored in real-time, 24x7x365 by true security experts to identify known and unknown threats or unusual user behavior. Any malicious activity identified is immediately responded to before damage is done.

Our SIM On-Demand provides your team with the same aggregation and correlation technology used by our Analysts as a service to enable your team to monitor your environment in-house. With both services, log information is stored indefinitely with the previous two years accessible via the SecureWorks Portal. Also with both services, you will gain access to the Portal to gain real-time security visibility and generate on-demand reports to demonstrate PCI compliance.

• Security Monitoring
• Log Retention
• SIM On-Demand

11. Regularly test security systems and processes

How does SecureWorks Help?

This requirement mandates that organizations periodically test their systems and protect them through vulnerability scans, penetration testing, intrusion prevention and detection and file integrity software. SecureWorks' Professional Services can help you comply with this requirement by providing vulnerability assessments and penetration testing. SecureWorks is an approved scanning vendor and our Vulnerability Scanning service can be utilized to comply with the quarterly external scan that is required for PCI compliance.

Our Managed Intrusion Prevention and Detection service provides the prevention/detection controls identified in this requirement. This service provides implementation of a commercial IPS/IDS technology or can be bundled with our award winning iSensor IPS technology to deliver superior protection in a cost-effective manner. Once implemented, our experts will manage these devices, including ongoing tuning, and monitor them to identify and respond to any threats. Likewise, SecureWorks' Managed Host Intrusion Prevention service provides you with the technology and a team of experts to manage and monitor this infrastructure in order to keep it operating at peak performance.

SecureWorks' Log Monitoring service provides real-time monitoring across your systems by true security experts to respond to any unauthorized activity occurring. SecureWorks' SIM On-Demand service delivers the technology you need to perform monitoring of these systems as a service, should you choose to keep this function in-house.

The Scanning, Managed Intrusion Prevention and Detection, Monitoring and SIM On-Demand services provide you with access to the SecureWorks Portal where you will receive real-time visibility into the activity occurring on the systems housing cardholder information and on-demand reporting to demonstrate PCI compliance.

• Security and Risk Consulting
• Vulnerability Scanning
• Managed Intrusion Prevention and Detection
• Managed Host Intrusion Prevention
• Security Monitoring
• SIM On-Demand

12. Maintain a policy that addresses information security for employees and contractors.

How does SecureWorks Help?

This requirement dictates that organizations must create an information security policy that is kept up-to-date and addresses all the security requirements in the PCI DSS, as well as operational security, system usage, security management, security awareness and incident response. SecureWorks' Professional Services can help you address this requirement by working with your team to create a robust, effective information security policy that addresses all the requirements of this section and the PCI DSS as a whole.

Additionally, our Log Monitoring Service can provide you with the incident response plan and experts necessary to conduct effective response to stop threats before damage is done. With this service, you will be able to utilize the SecureWorks Portal to gain real-time security visibility, access to our incident response plan and on-demand reporting to demonstrate PCI compliance.

• Security and Risk Consulting
• Security Monitoring