The Payment Card Industry Data Security Standard (PCI-DSS) was created in 2004 by leading credit card companies in response to the growing problem of cardholder information theft. Security problems have continued despite heavy fines for violations and other costs incurred by retailers. In addition, recent high-profile data thefts have increased concerns about customer security and generated a strong interest in finding a solution.
Many organizations find it difficult, however, to comply with the PCI standard regarding the security of customer databases.
Database encryption, the most obvious solution, is complex, costly, and can take years to retrofit into legacy applications. Other approaches, such as monitoring database logs (even when combined with log-management or SIEM tools), fail to provide granular access controls, database-focused analytics, or sufficient visibility into read operations or the activities of privileged users. More fine-grained database auditing utilities are also impractical because of the heavy performance load they impose on database systems.
In addition, native database logging tools do not address auditors’ requirements for separation of duties, since they are components of the database infrastructure and therefore under the control of privileged users such as DBAs.
Guardium provides a practical solution that can be implemented quickly and easily to comply with PCI-DSS. It allows you to:
• Address key PCI requirements such as Req. 3 (Protect Stored Data), Req. 6 (Maintain Secure Systems), Req. 7 (Restrict Access to Cardholder Data by Business Need-to-Know), and Req. 10 (Track & Monitor All Access)
• Protect against both external Web attacks (such as SQL injection) and insider threats with policy-based, real-time alerts and continuous comparisons to baselines of normal activity
• Provide granular access controls for sensitive data, such as restricting access to specific tables by client application, subnet, OS login, etc.
• Provide detective controls via the creation of a detailed, verifiable audit trail of all database activities, including privileged user activities
• Automatically discover and classify sensitive data such as 16-digit credit card numbers; generate alerts when sensitive data is located for the first time; and quickly identify faulty business or IT processes that result in the prohibited storage of magnetic stripe or PIN block information
• Monitor returned data for sensitive data patterns such as Track 2 data and/or an unusually high count of returned records
• Monitor unstructured data such as spreadsheets that contain cardholder data
• Increase operational efficiency by automating your entire compliance reporting process across all your applications and DBMS platforms. This includes automated report distribution, sign-offs, and escalations
• Pass audits quickly and easily by producing key reports required by assessors. Guardium's PCI Accelerator includes pre-configured report templates showing PCI information such as:
  ◦ Cardholder server IPs
  ◦ Cardholder databases
  ◦ Cardholder objects (combinations of fields that together represent sensitive objects, such as first name, last name, and credit card number)
  ◦ Database clients accessing cardholder servers (visual map with session counts)
  ◦ Active database users
  ◦ Database administration activities on cardholder databases
  ◦ Source programs used to access cardholder databases
  ◦ Shared accounts
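As an added illustration (not Guardium's code), the following Python scan applies the kind of checks described in the discovery and returned-data bullets above to rows a query returned: regex candidates for 16-digit card numbers filtered with the Luhn check, the Track 2 sentinel layout, and an unusually high returned-row count. The sample rows, the 100-row threshold and the test card number 4111 1111 1111 1111 are constructed for the example.

```python
import re

# Candidate 16-digit primary account numbers (PANs), optionally split into
# groups of four by spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4})(?!\d)")
# Track 2 magnetic-stripe layout: ';' start sentinel, PAN, '=' separator,
# YYMM expiry, 3-digit service code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")

def luhn_ok(digits: str) -> bool:
    """Luhn check: filters out 16-digit values that are not real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_result_set(rows, max_rows=100):
    """Inspect rows a query returned; report PANs, Track 2 data and bulk reads.

    Only the last four PAN digits are recorded so the alert itself never
    stores cardholder data. Returns a list of (finding_type, detail) tuples.
    """
    findings = []
    for row in rows:
        for value in row:
            text = str(value)
            for m in TRACK2_RE.finditer(text):
                findings.append(("track2", m.group(1)[-4:]))
            for m in PAN_RE.finditer(text):
                digits = re.sub(r"[ -]", "", m.group(1))
                if luhn_ok(digits):
                    findings.append(("pan", digits[-4:]))
    if len(rows) > max_rows:
        findings.append(("bulk_read", str(len(rows))))
    return findings

# Constructed sample result set (4111... is a well-known test number, not real data).
SAMPLE_ROWS = [
    ("alice", "4111 1111 1111 1111", "2025-01-01"),             # PAN, passes Luhn
    ("bob", "1234567890123456", "order id"),                    # 16 digits, fails Luhn
    ("carol", ";4111111111111111=25121010000?", "raw Track 2"), # prohibited storage
]

if __name__ == "__main__":
    for kind, detail in scan_result_set(SAMPLE_ROWS):
        print(f"{kind}: ...{detail}")
```

The bob row shows why the Luhn filter matters: a 16-digit order id would otherwise be reported as a card number.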