"Protecting customer data is much less expensive than dealing with a security breach in which records are exposed and potentially misused. The Payment Card Industry compliance requirements provide enterprises with good justification to increase data protection."- Gartner
Comprehensive Protection For Customer Card Data
As early as 2000, the credit card industry began to realize that the current level of security provided for personal and financial cardholder information could have a material impact on their business. Criminals had begun to see databases of cardholder information as lucrative targets; the incidence of unintentional data loss was growing and becoming more public. Systems that stored and processed cardholder data were simply not being protected as effectively as they could be and the rate of card fraud had begun to skyrocket. While financial institutions typically don’t report detailed fraud data, an FBI report from 2005 indicated that the majority of the $315M fraud loss in the US was due to credit card fraud.
All payment card network members, including traditional and Internet organizations, banks and payment processors, are required to comply with the Payment Card Industry (PCI) Data Security Standard, introduced in 2004 by five leading credit card companies and later updated in 2007. In order to ensure compliance with the PCI Data Security Standard, all entities that accept credit cards as a form of payment must address the 12 requirements of the PCI standard as well as complete quarterly network scans of their payment network.
nCircle solutions allow organizations to comprehensively address compliance with the PCI Data Security Standard by:
- Creating a PCI security policy using pre-defined PCI policy templates and guidelines
- Monitoring the payment network for PCI non-compliance based on PCI security policy
- Shortening audit engagements using audit-ready, PCI-specific reports
- Improving the success rates of internal and external PCI audits
- Completing required quarterly network scans in a timely, cost-effective manner
Pre-defined PCI Policy Templates and Guidelines
nCircle solutions deliver a rich library of configuration policy templates and guidelines, from best-practice configuration standards from the National Institute of Standards and Technology (NIST) to configuration tests drawn from the PCI Data Security Standard itself. Organizations can easily create a comprehensive set of PCI controls and procedures to monitor and manage compliance with the standard. Administrators can use the default policies out of the box or configure them as the network environment requires.
Monitoring For PCI Compliance
nCircle solutions, specifically nCircle IP360 and nCircle Configuration Compliance Manager, accelerate PCI compliance by capturing detailed configuration information about all PCI-relevant systems that store or process cardholder data as well as infrastructure devices including routers and firewalls that protect the networks on which cardholder information is stored – all without the use of agents.
The payment network is periodically profiled to retrieve detailed configuration information automatically, including file-level auditing, one of the more challenging requirements of the PCI Data Security Standard. The gathered information is then compared to the desired configuration guidelines established when creating the security program for the payment network, highlighting which configuration variables are out of compliance. Changes to systems are also evaluated for risk using the severity of the change and the business value of the associated system.
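The baseline comparison and change-risk scoring described above, as an added Python example that is not nCircle's code; the policy keys, expected values, severities and configuration snapshots are constructed for illustration only:

```python
# Added example, not nCircle's code: a minimal baseline checker and change-risk scorer
# of the kind the text describes. Policy keys, values, severities and snapshots are constructed.
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 5}

# Constructed PCI-style policy template: key -> (comparator, expected value, severity).
POLICY = {
    "ssh.PermitRootLogin": ("eq", "no", "high"),
    "ssh.Protocol": ("eq", "2", "high"),
    "auth.PasswordMinLength": ("min", 7, "medium"),
    "fim.Enabled": ("eq", "yes", "high"),
    "log.RetainDays": ("min", 365, "medium"),
}

def _compliant(comparator, expected, observed):
    """Evaluate one control; a missing or unparsable value never satisfies it."""
    if observed is None:
        return False
    if comparator == "eq":
        return str(observed).lower() == str(expected).lower()
    if comparator == "min":
        try:
            return int(observed) >= int(expected)
        except ValueError:
            return False
    raise ValueError(f"unknown comparator {comparator}")

def find_noncompliant(snapshot, policy=POLICY):
    """Compare a gathered configuration snapshot with the policy and return
    (key, expected, observed, severity) for every variable out of compliance."""
    return [(key, expected, snapshot.get(key), severity)
            for key, (comparator, expected, severity) in policy.items()
            if not _compliant(comparator, expected, snapshot.get(key))]

def score_changes(before, after, business_value, policy=POLICY):
    """Rank changes between two snapshots: risk = severity weight * business value (1-5).
    Changes to keys outside the policy get the lowest weight so they stay visible."""
    ranked = []
    for key in set(before) | set(after):
        if before.get(key) != after.get(key):
            severity = policy[key][2] if key in policy else "low"
            ranked.append((SEVERITY_WEIGHT[severity] * business_value, key,
                           before.get(key), after.get(key)))
    return sorted(ranked, reverse=True)

# Constructed snapshots of one cardholder-data server before and after a change.
BEFORE = {"ssh.PermitRootLogin": "no", "ssh.Protocol": "2", "auth.PasswordMinLength": "8",
          "fim.Enabled": "yes", "log.RetainDays": "400"}
AFTER = dict(BEFORE, **{"ssh.PermitRootLogin": "yes", "motd": "maintenance"})
```

Running `find_noncompliant(AFTER)` flags only the root-login change, and `score_changes(BEFORE, AFTER, 5)` ranks that change above the unrelated banner edit because a high-severity control on a high-value system scores highest.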
PCI Specific Reporting
nCircle Configuration Compliance Manager delivers PCI control-specific reports that measure compliance and quickly and accurately identify which systems on the payment network would fail a PCI audit. Information may be gathered for short-term and long-term reporting and may be generated per control as well as per system, enabling intelligent resource prioritization.
nCircle Suite360 Intelligence Hub offers an extensible solution for collecting and storing data over long periods of time, years if necessary, making it possible to perform long-term trending of PCI compliance performance in the largest, most complex payment networks.
With the rich audit data continuously monitored and reported on by nCircle solutions, administrators have a wealth of information about the payment network’s compliance with the PCI Data Security Standard. This information enables organizations to prepare adequately for auditors, resulting in smoother, shorter audits, and helps reduce audit costs.
Timely, Cost-Effective Quarterly Scanning
The nCircle Certified PCI Scan Service enables organizations to fulfill the PCI quarterly network scans requirement and ensures organizations are testing against the current standard with a continuously updated service.
Using a convenient online portal, organizations can register, pay, and launch a PCI scan on their Internet-facing payment network. The service scans the specified network and produces reports that can then be submitted to the customer’s bank. The simplicity of the service enables organizations to successfully complete the program within a few hours of enrollment.