CyberArk Recommends Steps for Achieving PCI Version 2.0 Compliance

October 28, 2010

NEWTON, Mass. — October 28, 2010 — With new standards published today by the PCI Security Standards Council (PCI SSC), Cyber-Ark® Software examines the steps that retail and e-commerce organizations should take to improve compliance, ease audit pressures and deliver more effective IT risk management strategies. Cyber-Ark provides mature privileged identity management and governed file transfer technology to address PCI compliance requirements associated with user account management, encryption, and safe exchange and sharing of sensitive information, including the ability to manage and monitor access to high-value applications and systems by privileged users and accounts.

On October 28, 2010, the PCI SSC introduced version 2.0 of the Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS). According to the PCI SSC, the revisions are meant to “improve the flexibility of organizations to implement controls, better manage evolving threats and address scoping and reporting elements.”

“Even though PCI standards in general are fairly mature, many organizations are still playing catch up. Despite the new, minor changes, these organizations will continue to face significant challenges complying with 2.0,” said Adam Bosnian, executive vice president Americas and corporate development, Cyber-Ark Software. “Our customers and prospects still view overcoming manual processes and controls as major hurdles in complying with PCI guidelines. Automating control over privileged users and accounts, including the ability to streamline management of embedded application credentials, will address these issues and enable our customers to achieve full compliance with the new regulations.”

Addressing PCI 2.0 Requirements: Easing Process and Automating Key Steps
According to the Verizon 2010 Payment Card Industry Compliance Report, a review of 2008-2009 payment card breaches demonstrated that exploitation of default and guessable credentials, abuse of system access/privileges and use of stolen login credentials were among the top threat actions during that period.

With the Cyber-Ark Privileged Identity Management and Governed File Transfer Suites, customers gain security intelligence and control over the “human factor” to address specific PCI requirements and many of the threat actions identified in the Verizon report. Specifically, Cyber-Ark supports customers’ compliance initiatives and addresses necessary security steps including the need to:

  • Secure, manage, automatically change and log activities associated with all types of privileged passwords (e.g. System Administrator on a Windows server, Root on a UNIX server, Cisco Enable on a Cisco device) as well as embedded passwords found in applications, scripts and application servers.
  • Define the storage, reset parameters and usage policies of passwords as well as personalize administrative access that is usually carried with generic shared accounts, such as root or DBA users.
  • Eliminate the usage of clear-text, hard-coded passwords within application code.
  • Establish a protected, secure location for storing passwords, documents and files, and a mechanism for effective encryption key management and rotation.
  • Secure and manage file transfers containing cardholder information to and from partners, customers and business units while ensuring only designated recipients have access to cardholder information.
  • Maintain secure, tamper-proof auditing and logging of all activities done with files containing cardholder data, including who “has” or “had” access to the files.

Global Cyber-Ark Customers Focus on PCI Compliance and Risk Management
A major global publishing company relies on Cyber-Ark’s Governed File Transfer Suite for PCI compliance, ensuring files that are exchanged between advertisers, readers and its fulfillment and processing departments are encrypted in transit and at rest. Files include flat files such as Excel spreadsheets and other human-readable document files, machine-readable and transaction files. Cyber-Ark centralizes control and streamlines file transfer processes while improving efficiency, providing operational simplicity and reducing risk.

Additionally, a large U.S. airline with a robust e-commerce business chose Cyber-Ark to get user and hard-coded application passwords under control while enforcing new security policies built to protect its customers. Using Cyber-Ark’s Privileged Identity Management Suite, the airline was able to take the necessary steps to prove to auditors that passwords to its database of sensitive customer data (including names, credit card numbers, billing addresses and other information) were being effectively monitored, managed and changed regularly.

The IT team was also able to overcome several security challenges including how best to manage non-expiring database passwords associated with the airline’s back-end systems. Results of the airline’s work with Cyber-Ark include the ability to control and monitor access to UNIX and Windows privileged accounts; effectively manage database passwords and credentials across the technology infrastructure; manage application and service credentials that have access to credit card data; increase security posture; and, ultimately, become PCI compliant.