NEWTON, Mass. – February 16, 2012 – Following the PCI Security Standards Council’s release of the PCI Data Security Standard (PCI DSS) Virtualization Guidelines, Cyber-Ark® Software, a global information security provider for protecting and managing privileged accounts and sessions, critical applications and sensitive information, is offering retail and e-commerce organizations guidance on the requirements for PCI DSS version 2.0 compliance, including in virtualized environments. In the report “An Independent QSA Assessment: How Cyber-Ark Helps You Achieve PCI Compliance,” Cyber-Ark is recognized for enabling organizations to raise their overall security level, improve business process efficiency and mitigate the complex risks involved in protecting credit card data.
This report is the result of an independent analysis by Comsec Consulting, a PCI DSS Qualified Security Assessor (QSA). For companies seeking to establish and maintain PCI DSS 2.0 compliance, the report outlines how Cyber-Ark can mitigate multiple risks that could lead to the compromise of cardholder data.
“Following an in-depth review of Cyber-Ark’s Privileged Identity Management, Privileged Session Management and Sensitive Information Management product suites, we can conclude that Cyber-Ark provides solutions that are critical for achieving PCI DSS compliance and meet a wide range of PCI requirements,” said Nadav Shatz, QSA, head of the PCI-DSS team, Comsec Consulting. According to the report, Cyber-Ark’s product suites offer enterprise-ready solutions for securing, managing and controlling access to privileged identities and sessions across a wide range of systems in the data center.
Virtualized Environments: PCI DSS Rules Still Apply
With the rapid adoption of virtualization across all industries, the Virtualization Special Interest Group of the PCI Security Standards Council released an informational supplement, the PCI DSS Virtualization Guidelines, to inform merchants and service providers of the new risks that virtualization technologies introduce. The guidelines serve as a reminder that when these technologies are used in a cardholder data environment, the same PCI DSS requirements still apply: every system and network that stores, processes or transmits cardholder data must be in scope and in compliance. This is harder still for the hypervisor (the virtual machine manager), because an administrator with access to the hypervisor effectively has access to every virtual machine it hosts.
One of the more difficult requirements in PCI DSS compliance is the management of privileged identities: restricting insiders and administrators to the sensitive data they genuinely need, and proving it. In a virtualized environment, where the hypervisor is a single point of access to the whole environment, it is crucial that privileged access be controlled and monitored. Because the virtual environment changes constantly, the ability to automatically discover privileged accounts in it, provision new accounts as virtual machines are created, and deprovision dormant or inactive accounts as machines are retired remains critical to meeting audit requirements.
“The benefits of adopting increasingly virtualized infrastructure are attractive for many retailers, but bring with them new security and compliance risks that cannot be ignored,” said Roy Adar, vice president of product management, Cyber-Ark Software. “Managing and monitoring access to the virtual environment while locking down administrative privileges is crucial to protecting sensitive data within this expanded threat environment. Many organizations are still trying to catch up on PCI 2.0 requirements, and those exploring virtualization will now need to fully understand new hurdles to meeting audit requirements and protecting sensitive customer data and financial information.”
Cyber-Ark Security and Compliance Features Assessed
Cyber-Ark solutions were subjected to hands-on reviews against specific PCI DSS requirements and evaluated on functionality such as their ability to help protect stored cardholder data; develop and maintain secure systems and applications; restrict access to cardholder data by business need to know; and track and monitor all access to network resources and cardholder data. Highlights from the assessment follow:
- Cyber-Ark’s product suites provide end-to-end security, implement multiple layers of security and encryption, and meet all “Visa Best Practices” for Data Field Encryption.
- The Privileged Identity Management Suite provides comprehensive automated management of privileged identities and secure password management.
- The Sensitive Information Management Suite ensures that all data (e.g. cardholder information) is secure at rest and in transit.
- Cyber-Ark’s products offer strong audit and monitoring capabilities.
PCI DSS Compliance in Action
Executive managers can be confident that Cyber-Ark’s solutions offer a multi-layered, attack-resistant security infrastructure that protects cardholder information while meeting PCI DSS requirements in both physical and virtual environments. For example, PCI DSS requires companies to track and monitor all access to network resources and cardholder data, yet a company’s normal workflow consists of administrators and third parties accessing exactly this sensitive information. Cyber-Ark’s Privileged Session Management Suite enables security managers (and auditors) to see exactly what was done with cardholder data during a privileged session, with forensic support and footprint auditing. Without session recording of this kind, companies and auditors would lack the ability to know exactly who accessed which data, and what actions they took while logged into the network.