PCI Compliance

Imperva SecureSphere helps organizations meet the most challenging requirements in the Payment Card Industry (PCI) Data Security Standard (DSS). It also fits existing deployments and staffing: it requires no changes to the network infrastructure, and because it does not depend on native database logging it adds no load to the database servers it monitors.

Pre-defined PCI compliance reports are provided as part of Imperva’s ADC Insight Services. The Credit Card Data and Infrastructure Attacks Report, for example, shows attacks against sensitive data broken down by attack type.

SecureSphere Meets the Application Security Requirement in Section 6.6

PCI DSS version 1.1 introduced requirement 6.6, which mandates that all Web-facing applications be protected against known attacks, either by having their custom application code reviewed by an organization that specializes in application security or by installing an application layer firewall in front of them.

The SecureSphere Web Application Firewall (WAF) more than meets requirement 6.6 – and provides the highest level of automation on the market today.

SecureSphere Advantages:

SecureSphere dynamically inspects, profiles, and controls user activity through Web applications and Web services. It is installed in hours and operates automatically, without ongoing manual administration or tuning and without changes to existing infrastructure. This translates to greater protection with fewer resources from your organization.

Application Changes are No Problem for SecureSphere

When changes are made to applications, Dynamic Profiling technology enables SecureSphere to detect the application changes and automatically adjust its profiles accordingly. No manual intervention or tuning is necessary, keeping ongoing administrative costs to a minimum. You can also choose to be notified of these application changes through alerts and change logs, closing the loop with your application change control process.

The Alternative Is Costly and Time Consuming

If you decide not to deploy a Web Application Firewall such as Imperva SecureSphere in front of Web-facing applications, your organization will instead need to engage a Web application security specialist to review the source code of every Web-facing application, line by line.

SecureSphere Meets the Data Monitoring Requirement in Section 10

Requirement 10 of the PCI standard mandates that companies track and monitor all access to network resources and cardholder data. This includes auditing all access by individual user, recording the creation and deletion of system-level objects, and protecting audit trails from modification. The SecureSphere Database Gateway meets all of the monitoring and auditing requirements in Requirement 10: it monitors all access to cardholder data, records all database changes, and audits suspicious and unauthorized access attempts. Universal User Tracking attributes every query to the end user, even when the application reaches the database through a connection pool under a shared database account. Because SecureSphere does not rely on native database logging, it adds no load to the database and a rogue DBA cannot turn it off from inside the database. Organizations can optionally encrypt or digitally sign the audit files to protect their integrity.
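The last point above, protecting the audit trail from modification (PCI DSS 10.5), is worth seeing in concrete terms. The following is an added example written for this page; it is not SecureSphere code and does not show how Imperva signs its files. It chains audit records with HMAC-SHA256 so that editing, reordering or deleting an entry breaks the chain, and it shows why the latest MAC must be recorded out of band to catch truncation. The key, the event records and the field names are all constructed for the example.

```python
import copy
import hashlib
import hmac
import json

# Hypothetical signing key. In a real deployment it lives with the audit
# system (an HSM or the monitoring appliance), never on the database host,
# so a DBA cannot re-sign a doctored log.
AUDIT_KEY = b"example-audit-key-do-not-use-in-production"
GENESIS = b"\x00" * 32  # chain anchor for the first record


def _mac(prev_mac, record):
    """HMAC-SHA256 over the previous MAC and the canonical JSON of the record.
    Binding each MAC to its predecessor is what makes reordering or deleting
    a middle entry detectable, not just editing a field."""
    payload = prev_mac + json.dumps(record, sort_keys=True).encode()
    return hmac.new(AUDIT_KEY, payload, hashlib.sha256).digest()


def append_record(log, record):
    """Append one event to the chain and return the new head MAC (hex)."""
    prev = bytes.fromhex(log[-1]["mac"]) if log else GENESIS
    log.append({"record": record, "mac": _mac(prev, record).hex()})
    return log[-1]["mac"]


def verify_log(log, head_mac=None):
    """Return (ok, index): index is the first bad entry, or -1 if the chain
    verifies. If head_mac (the last MAC stored out of band) is supplied,
    truncation of the tail is also detected; a chain that simply stops
    early would otherwise still verify."""
    prev = GENESIS
    for i, entry in enumerate(log):
        expected = _mac(prev, entry["record"])
        if not hmac.compare_digest(expected.hex(), entry["mac"]):
            return False, i
        prev = expected
    if head_mac is not None and (not log or log[-1]["mac"] != head_mac):
        return False, len(log)
    return True, -1


# Constructed sample: three database accesses as a monitoring appliance might
# record them, with the end user resolved despite a pooled database account.
SAMPLE_EVENTS = [
    {"ts": "2008-03-01T10:00:01Z", "db_user": "app_pool", "end_user": "jdoe",
     "src_ip": "10.0.5.21", "sql": "SELECT pan FROM cards WHERE cust_id = 42"},
    {"ts": "2008-03-01T10:00:07Z", "db_user": "app_pool", "end_user": "jdoe",
     "src_ip": "10.0.5.21", "sql": "UPDATE cards SET exp = '1225' WHERE cust_id = 42"},
    {"ts": "2008-03-01T10:02:30Z", "db_user": "dba_admin", "end_user": "dba_admin",
     "src_ip": "10.0.9.3", "sql": "DROP TABLE audit_staging"},
]


def build_sample_log():
    """Build the chained log from SAMPLE_EVENTS; returns (log, head_mac)."""
    log = []
    head = None
    for event in SAMPLE_EVENTS:
        head = append_record(log, event)
    return log, head


def edit_entry(log, index, field, value):
    """Copy of log with one record field altered (simulated tampering)."""
    tampered = copy.deepcopy(log)
    tampered[index]["record"][field] = value
    return tampered


def drop_entry(log, index):
    """Copy of log with one entry removed (simulated deletion)."""
    tampered = copy.deepcopy(log)
    del tampered[index]
    return tampered


if __name__ == "__main__":
    log, head = build_sample_log()
    print("intact:", verify_log(log, head))
    print("entry 2 edited:", verify_log(edit_entry(log, 2, "end_user", "jdoe"), head))
    print("entry 1 deleted:", verify_log(drop_entry(log, 1), head))
    print("tail truncated, no anchor:", verify_log(drop_entry(log, 2)))
    print("tail truncated, with anchor:", verify_log(drop_entry(log, 2), head))
```

The chain alone catches an edited or deleted entry, but a log that has merely been cut short still verifies; the head MAC therefore has to be written somewhere the database administrators cannot reach (a separate log host or a WORM store) and checked against the file on every verification. Encrypting the file, as the page mentions as an option, addresses confidentiality of the audit data; it is the signature or MAC that gives integrity.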

SecureSphere Meets the Compensating Controls for Requirement 3.4

One of the most important PCI requirements, 3.4, is rendering stored cardholder data unreadable. It can also be one of the most difficult to implement. Organizations that cannot render cardholder data unreadable because of a technological or business constraint may instead use the compensating controls defined in Appendix B of the PCI DSS 1.1 standard. SecureSphere addresses all of the compensating-control requirements: it can restrict access to cardholder data by IP address, application, user, and data type; it can prevent database and application attacks; and its network firewall provides additional network segmentation. SecureSphere limits logical access to the database independently of LDAP or Active Directory. It further strengthens security by assessing databases for vulnerabilities, identifying poor business practices, and preventing leaks of cardholder data from the database.

The Twelve High Level PCI DSS Requirements

In addition to the three PCI DSS requirements discussed above (6.6, 10, and 3.4), SecureSphere also helps organizations meet several other mandates in the PCI standard.

Requirement / SecureSphere capabilities for PCI DSS

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
    SecureSphere has a built-in network firewall and intrusion prevention system (IPS).

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
    Database assessment, available in the SecureSphere Database Gateway, scans databases for default passwords, insecure settings, unpatched software versions, and other vulnerabilities and configuration flaws.

Requirement 3: Protect stored cardholder data
    SecureSphere can identify and block storage of magnetic stripe track data, which the standard prohibits retaining after authorization, and report on it to demonstrate compliance.

Requirement 6: Develop and maintain secure systems and applications
    SecureSphere’s integrated Web Application Firewall provides a layer of defense in front of applications.

Requirement 7: Restrict access to cardholder data by business need-to-know
    Dedicated user assessment reports allow compliance personnel to verify that only users with a legitimate need have access to cardholder data. SecureSphere enforces a need-to-know access policy based on business activities.

Requirement 8: Assign a unique ID to each person with computer access
    SecureSphere’s monitoring and reporting capabilities identify shared user accounts and other potential user account violations.

Requirement 10: Track and monitor all access to network resources and cardholder data
    SecureSphere provides both full access auditing for sensitive data and intelligent alerts that notify administrators of suspicious activity. This makes the compliance effort easier by providing actionable information.

Requirement 11: Regularly test security systems and processes
    SecureSphere’s compliance reports give administrators up-to-date assessments of compliance status. Dynamic Profiling alerts administrators to changes in usage and application behavior, which helps automate ongoing compliance assessment.
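The Requirement 3 entry above (identifying stored magnetic stripe track data) and the compensating-controls section (preventing leaks of cardholder data from the database) both come down to recognising card data in stored values. The following is an added example written for this page, not SecureSphere code and not Imperva's detection logic: it scans database rows for Track 1 and Track 2 stripe data and for bare PANs, uses the Luhn check to drop numbers that merely look like card numbers, and reports each hit in the masked form PCI DSS 3.3 allows for display. The sample rows are constructed, and the track patterns are simplified to the PAN, name and expiry fields rather than the full ISO/IEC 7813 grammar.

```python
import re

# Simplified stripe formats: Track 1 is %B<PAN>^<name>^<YYMM>..., Track 2 is
# ;<PAN>=<YYMM>... . A bare PAN is 13 to 19 digits, optionally separated by
# spaces or hyphens, not embedded in a longer digit run.
TRACK1 = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}")
TRACK2 = re.compile(r";(\d{13,19})=\d{4}")
PAN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn check digit validation; filters out order numbers and similar."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Display form permitted by PCI DSS 3.3: first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_value(value):
    """Classify one stored field. Returns (kind, pan) or None.
    Track data is reported ahead of a bare PAN because stripe contents are
    the more serious finding: they may never be stored after authorization."""
    for kind, pattern in (("track1", TRACK1), ("track2", TRACK2)):
        m = pattern.search(value)
        if m and luhn_ok(m.group(1)):
            return kind, m.group(1)
    for m in PAN.finditer(value):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            return "pan", digits
    return None


# Constructed sample rows. The card numbers are the well-known Visa and
# Mastercard test numbers; row 1 holds a 16-digit value that fails Luhn.
SAMPLE_ROWS = [
    {"id": 1, "customer": "Jane Doe", "phone": "555-123-4567",
     "notes": "order ref 4111111111111112"},
    {"id": 2, "customer": "John Roe", "phone": "555-987-6543",
     "notes": "card 4111111111111111 exp 12/25"},
    {"id": 3, "customer": "Swipe Test", "phone": "",
     "notes": ";4111111111111111=25121011234567890?"},
    {"id": 4, "customer": "Swipe Test", "phone": "",
     "notes": "%B5555555555554444^DOE/JANE^2512101?"},
]


def scan_rows(rows, key="id"):
    """Scan every string column of every row.
    Returns a list of (row key, column, kind, masked PAN) findings."""
    findings = []
    for row in rows:
        for column, value in row.items():
            if column == key or not isinstance(value, str):
                continue
            hit = scan_value(value)
            if hit:
                kind, pan = hit
                findings.append((row[key], column, kind, mask_pan(pan)))
    return findings


if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS):
        print(finding)
```

A scanner like this is the discovery half of the problem; it tells you where cardholder data sits in free-text columns the schema never declared. Once found, a track-data hit has to be purged, and a PAN hit either encrypted or truncated per 3.4 or covered by the Appendix B compensating controls described earlier. Only the masked form should ever reach the report itself, since the scan output is otherwise one more copy of the data you are trying to contain.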