Position paper

Achieve PCI Compliance: Privileged Password Management


> Download full paper

This paper discusses the ways that Cloakware Password Authority™ supports and complies with the requirements of the Payment Card Industry Data Security Standard (PCI DSS) V1.1.

What is PCI DSS V1.1?

To aid in preventing the theft of payment card information, key industry players including Visa, MasterCard and Discover created the Payment Card Industry Data Security Standard (PCI DSS). In September 2006, the group published Version 1.1 of the specification, which incorporates feedback on the Version 1.0 specification. Version 1.2 is planned for release in late 2008.

Merchants and other organizations that collect and store payment card information are responsible for implementing and adhering to the PCI standard.

The next sections outline some of the specific security elements of PCI DSS V1.1.

Build and maintain a secure network

  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect cardholder data

  • Requirement 3: Protect stored cardholder data.
  • Requirement 4: Encrypt cardholder data transmission across open, public networks.

Maintain a vulnerability management program

  • Requirement 5: Use and regularly update anti-virus software.
  • Requirement 6: Develop and maintain secure systems and applications.

Implement strong access control measures

  • Requirement 7: Restrict access to cardholder data by business need-to-know.
  • Requirement 8: Assign a unique ID to each person with computer access.
  • Requirement 9: Restrict physical access to cardholder data.

Regularly monitor and test networks

  • Requirement 10: Track and monitor all access to network resources and cardholder data.
  • Requirement 11: Regularly test security systems and processes.

Maintain an information security policy

  • Requirement 12: Maintain a policy that addresses information security.

Challenges for password management

Several of the PCI Requirements have implications for how an organization manages the passwords it uses in its IT operations. These passwords are of three main types, as outlined in the following diagram.

[Diagram: Differences between end-user, administration and application-to-application passwords.]

While many organizations have investigated password management from the end-user perspective, few have addressed password management for the elevated-privilege accounts used by administrators and by unattended applications in the datacenter. An organized, workable approach to managing these passwords is critical to achieving PCI compliance. Often the passwords used by scripts and applications are hard-coded, stored in the clear and never changed, which creates a large vulnerability.
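Hard-coded, in-the-clear credentials of the kind described above are what an auditor reviewing batch jobs and scripts looks for. The scanner below is an added example, not Cloakware code and not part of the paper: it runs over a constructed sample of script lines, flags literal secrets in assignments, command-line flags and URLs, skips template references and placeholders, and masks the value before reporting.

```python
"""Scan script and config lines for credentials hard-coded in the clear.

Added example with constructed sample input; the patterns are heuristics
and belong to no vendor product.
"""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    kind: str
    redacted: str  # offending line with the secret masked, safe for a report


# Each pattern captures the literal secret in a named group so it can be masked.
PATTERNS = {
    # DB_PASS=..., password: "...", api_key = '...'
    "assignment": re.compile(
        r"""(?i)(?:pass(?:word|wd)?|pwd|secret|api[_-]?key)\s*[:=]\s*['"]?(?P<secret>[^\s'";]+)"""),
    # mysql-style glued flag (-pSecret) or --password=Secret / --password Secret
    "cli_flag": re.compile(r"(?:^|\s)(?:-p|--password[ =])(?P<secret>\S+)"),
    # scheme://user:secret@host
    "url": re.compile(r"://[^\s:/@]+:(?P<secret>[^\s@/]+)@"),
}
PLACEHOLDERS = {"changeme", "password", "xxx"}  # obvious non-secrets


def is_placeholder(secret: str) -> bool:
    # ${VAR}, %VAR% and {{var}} are references resolved at run time, not literals.
    return secret.lower() in PLACEHOLDERS or secret[0] in "${%"


def find_hardcoded_credentials(lines: List[str]) -> List[Finding]:
    findings = []
    for no, line in enumerate(lines, start=1):
        for kind, pat in PATTERNS.items():
            m = pat.search(line)
            if m and not is_placeholder(m.group("secret")):
                findings.append(Finding(no, kind, line.replace(m.group("secret"), "***")))
                break  # one finding per line is enough for a report
    return findings


# Constructed sample standing in for a nightly batch job; not a real script.
SAMPLE_LINES = [
    "# nightly settlement export",
    "DB_USER=settle",
    "DB_PASS=Sw0rdfish!",
    "mysql -u $DB_USER -pSw0rdfish! settlements < export.sql",
    "curl https://api:t0ps3cret@pay.example.net/batch",
    "smtp_password = ${VAULT_SMTP}   # resolved from a vault at run time",
    "password = changeme  # placeholder left by the template",
]

if __name__ == "__main__":
    for f in find_hardcoded_credentials(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.kind}: {f.redacted}")
```

The `-p` heuristic will also trip on flags such as `-port`, so tune the patterns to the environment's own tooling before using the output as an audit record.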

This threat, “hiding in plain sight”, puts at risk all of the collected data on which an organization’s mission and services depend. Nevertheless, the effort and cost of changing passwords manually, together with the risk of system outages caused by incorrectly changed passwords, have created an environment of audit exception reports: organizations often choose to absorb the security risk. However, internal and external auditors are aware of this issue and are stopping the practice of issuing exception forms; they are now focusing on encouraging organizations to seek ways to fix the password management problem...
