The Impact of the New PCI-DSS Compliance Rules Issued on March 15, 2010 -- netVigilance, Inc., the only vulnerability assessment and PCI Approved Scanning Vendor (ASV) that goes Beyond Compliance to detect up to 97% of all common vulnerabilities, today issued an urgent bulletin warning all merchants and retailers subject to PCI-DSS Compliance that new PCI regulations significantly increase their chances of PCI failure during mandatory quarterly external vulnerability scans, unless the merchants take corrective actions. While these new regulations officially go into effect on September 1, 2010, preparing for them can take months. The time to start is now, because merchants who wait will be at a high risk of failing and being unable to quickly remediate. The need for this bulletin arose because on March 15, 2010, the PCI Security Standards Council (PCI SSC) released “ASV Program Guide v1.0,” which tightens and changes existing rules governing both customers requiring PCI scans and the Approved Scanning Vendors (ASVs) who perform those scans. netVigilance also calls attention to the fact that, despite being numbered as v1.0, the new ASV Program Guide governs PCI v1.2 and enhances, improves and supersedes the Technical and Operation Requirements for ASVs v1.1 and Security Scanning Procedures v1.1.
SLIDE 1 © 2010 netVigilance, Inc. All rights reserved.
Ten Actions Merchants Must Take Immediately
To Avoid PCI Failure
The Impact of the New PCI Compliance Rules Issued on March 15, 2010
SLIDE 2
1. Identify & verify out-of-scope components
New discovery rules make formerly out-of-scope components in-scope
Identify & verify before quarterly scan fails
Examples: spam filters, mail servers, web servers that don’t process credit cards
SLIDE 3
2. Prove your ISP complies with PCI
Your ISP can pass by itself; or
You need their permission to scan them
Otherwise, get a new ISP
Ultimately, the responsibility is yours, not your ISP’s
SLIDE 4
3. Take all secure database servers off the Internet and place them behind a firewall
If any secure database server remains publicly accessible, you will automatically fail PCI
SLIDE 5
4. Scan your website for HTTP response splitting/header injection
Be prepared to remediate all problems found
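HTTP response splitting, as an added example that is not part of the original deck: a minimal redirect builder in its vulnerable and hardened forms, with a small parser that shows what a scanner sees when a CR/LF-bearing value is written straight into a header. The function names, the header name X-Injected and the sample redirect value are constructed for the illustration.

```python
# Added example, not from the netVigilance deck: vulnerable vs. hardened
# header emission, plus a parser showing the split that a PCI scan flags.
from typing import List, Tuple

CRLF = "\r\n"


def build_redirect_vulnerable(location: str) -> str:
    """302 response whose Location header takes the caller's value verbatim.
    Any CR/LF inside `location` ends the header and starts a new line."""
    return ("HTTP/1.1 302 Found" + CRLF
            + "Location: " + location + CRLF
            + "Content-Length: 0" + CRLF + CRLF)


def build_redirect_hardened(location: str) -> str:
    """Same response, but refuses any value containing CR or LF. If the
    framework percent-decodes values before emitting headers, apply this
    check to the decoded value."""
    if "\r" in location or "\n" in location:
        raise ValueError("CR/LF not permitted in a header value")
    return build_redirect_vulnerable(location)


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Headers of the first response in `raw`, as (name, value) pairs."""
    head, _, _ = raw.partition(CRLF + CRLF)
    pairs = []
    for line in head.split(CRLF)[1:]:          # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def count_responses(raw: str) -> int:
    """Number of HTTP status lines in the stream: more than one means the
    response was split into two, which is the finding a scan reports."""
    return sum(1 for line in raw.split(CRLF) if line.startswith("HTTP/1."))


# Constructed sample input: a redirect target carrying an injected header
# and the start of a second, caller-controlled response.
SAMPLE = ("https://shop.example/" + CRLF + "X-Injected: 1" + CRLF + CRLF
          + "HTTP/1.1 200 OK" + CRLF + "Content-Length: 2" + CRLF + CRLF + "hi")

if __name__ == "__main__":
    raw = build_redirect_vulnerable(SAMPLE)
    print(parse_headers(raw), count_responses(raw))   # 2 responses seen
    try:
        build_redirect_hardened(SAMPLE)
    except ValueError as exc:
        print("hardened builder rejected value:", exc)
```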
SLIDE 6
5. Verify that your DNS server prohibits zone transfers
Zone transfers allow unaffiliated, unapproved third parties to see and obtain all the servers comprising your domain
If someone else hosts your domain, you are still responsible
Consequence of allowed zone transfers is automatic PCI failure
SLIDE 7
6. Ensure your ASV uses a PCI-qualified Professional Security Engineer to review each and every scan
ASVs often use fully automated processes
These automated processes are never acceptable under the new rules
To pass PCI you must use an ASV that adheres to the new rules
SLIDE 8
7. Turn off SSL v2
Next, ensure that servers using TLS v1.0 or newer are not backwards compatible with the weak SSL v2
Use a qualified ASV to verify and remediate
SLIDE 9
8. Remove all non-critical uses of all remote access software
Examples: pcAnywhere, VNC, RDP, even VPN
For critical uses: ensure strong authentication
SLIDE 10
9. Move all POS (Point-of-Sale) systems behind the firewall
ASVs that discover POS systems are now required to pay special attention to them
SLIDE 11
10. Named employees must sign and attest to their company’s responsibility
Attestation concerns proper scoping of the external scan
Attestation can no longer be anonymous
SLIDE 12
netVigilance Key Advantages
Beyond Compliance™
Compliance is simply not enough. It is a minimum, rather than a maximum standard. Only netVigilance detects up to 97% of all common vulnerabilities, far more than competitors.
Labor- and Time-Saving Reports
Our reports provide a wealth of specific detail on precisely how to remediate the vulnerabilities we detect. Instead of spending time researching a fix, engineers and support personnel spend their time making the fix.
SLIDE 13
For More Information
netVigilance, Inc.
14525 SW Millikan #34423
Beaverton, OR, USA 97005-2343
(+1) 503-524-5758
PR & Analyst Contact: Steven Mason
(+1) 650-776-7968