Payment Card Industry – Data Security Standard (PCI DSS)

Focus

PCI DSS protects Payment Card and Consumer Data throughout transactional storage, processing and transmission.

Data

Cardholder Data includes the PAN – the Primary Account Number, as well as cardholder name, service codes and expiration dates.

Scope

Global – All Entities that Store, Process, or Transmit Cardholder Data.

Breach

Notification to Payment Card Brand within 24 hours (MasterCard) or Immediately (All Others).

Non-Compliance

Significant Fines (Up to $100,000 per month/violation), Loss of Payment Card Capabilities, Increased Fees.

PCI DSS Requirements | Encryption Discussion | WinMagic Solution

Requirement 3: Protect Stored Cardholder Data

Strong encryption and key management are critical to cardholder data protection:

• Requires robust and secure key generation, storage and distribution (3.6.1, 3.6.2, 3.6.3)
• If using disk encryption, logical access controls must be managed separately and independently of the native OS authentication and access control mechanisms (3.4.1)

SecureDoc Enterprise Server Intelligent Key Management delivers secure key generation, storage and distribution.

SecureDoc Pre-Boot Authentication operates and is managed independently of native OS authentication and access control mechanisms.

Requirement 7: Restrict Access to Cardholder Data by Business Need to Know

Role-based access controls and robust authentication are required to restrict access to cardholder data.

SecureDoc Enterprise Server (SES) integrates with Active Directory and synchronizes users and user groups to enforce policies and access controls for endpoint devices, virtual machines and servers.

Requirement 8: Identify and Authenticate Access to System Components

Users must be uniquely identifiable and accountable for authentication and access to cardholder data on systems and devices.

SecureDoc Pre-Boot Authentication offers identifiable user-based authentication and event logging for accountability.

Requirement 10: Track and Monitor Access to Network Resources and Cardholder Data

Audit logs are critical to preventing, detecting and minimizing the impact of data loss or exposure.

SES Management Console and SES Web Console strengthen compliance with a unified, enterprise-wide security view for audit logs and compliance reports.

PCI DSS Cloud Computing Guidelines

Protection of cardholder data is a shared responsibility with the cloud IaaS provider.

SecureDoc CloudVM protects Virtual and Cloud IaaS workloads with enterprise-controlled encryption and key management.