| PCI requirement | Description (from PCI standard) | StillSecure solution(s) |
|---|---|---|
| 2.1 | Always change the vendor-supplied defaults before you install a system on the network (e.g., passwords, SNMP community strings, and elimination of unnecessary accounts). | VAM: VAM verifies through device testing that vendor-supplied defaults are not in use. If any issues are found, VAM logs the finding, assigns mitigation to the appropriate personnel, and confirms successful remediation. |
| 2.2 | Develop configuration standards for all system components. Make sure these standards address all known security vulnerabilities and industry best practices. | Safe Access & VAM: Both Safe Access and VAM let you define configuration standards and test devices against them on an ongoing basis. These configuration standards can address security vulnerabilities and industry best practices. |
| 2.2.1 | Implement only one primary function per server (e.g., web servers, database servers, and DNS should be implemented on separate servers). | VAM: VAM can test devices for more than one primary function. If any issues are found, VAM logs the issue, assigns mitigation to the appropriate personnel, and confirms successful remediation. |
| 2.2.2 | Disable all unnecessary and insecure services and protocols (services and protocols not directly needed to perform the device's specified function). | VAM: VAM can test devices for enabled services and protocols that are unnecessary or insecure. If any issues are found, VAM logs the issue, assigns mitigation to the appropriate personnel, and confirms successful remediation. |
| 2.2.3 | Configure system security parameters to prevent misuse. | Safe Access & VAM: Security settings and parameters can be tested by Safe Access and VAM to confirm compliance with this requirement. Once a posture has been chosen, Safe Access and VAM can automatically test devices on a scheduled basis to confirm they comply with the policy. |
| 2.2.4 | Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, and file systems (e.g., unnecessary web servers). | VAM: VAM provides automated tests for finding unnecessary functionality such as scripts, drivers, features, subsystems, and file systems. If any issues are found, VAM logs the issue, assigns mitigation to the appropriate personnel, and confirms successful remediation. |
| 5.1 | Deploy antivirus mechanisms on all systems commonly affected by viruses (e.g., PCs and servers). | Safe Access: Safe Access can verify on an ongoing basis that all systems have antivirus installed. If desired, any system without antivirus can be denied access to the network. |
| 5.2 | Ensure that all antivirus mechanisms are current, actively running, and capable of generating audit logs. | Safe Access: Safe Access can verify that all systems have current antivirus DAT files and that the antivirus process is actively running. If desired, any system without current or actively running antivirus can be denied access to the network. |
| 6.1 | Ensure that all system components and software have the latest vendor-supplied security patches. | Safe Access & VAM: A core function of both products is to verify that all systems are patched. Both Safe Access and VAM provide tests to confirm that devices have the latest vendor patches installed. If desired, Safe Access can deny end users access to the network until their devices are completely patched. VAM also provides full logging and historical data confirming the remediation of any issues. |
| 6.1.1 | Install relevant security patches within one month of release. | Safe Access & VAM: Both Safe Access and VAM can provide an automated process to confirm that all relevant security patches have been installed within one month of their release. |
| 6.2 | Establish a process to identify newly discovered security vulnerabilities (e.g., subscribe to alert services freely available on the Internet). Update your standards to address new vulnerability issues. | VAM: VAM provides a built-in vulnerability feed. This feed, created by StillSecure's Security Alert Team, provides 24x7x365 access to the latest vulnerabilities, checks for the issues, and remediation information. The feed is offered at no charge with VAM. |
| 11.1 | Test security controls, limitations, network connections, and restrictions routinely to make sure they can adequately identify or stop any unauthorized access attempts. Where wireless technology is deployed, use a wireless analyzer periodically to identify all wireless devices in use. | Safe Access & VAM: Safe Access and VAM can periodically test devices to confirm that they are correctly configured to identify and stop unauthorized access attempts. Any device failing the tests can be logged and assigned for remediation. |
| 11.2 | Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (e.g., new system component installations, changes in network topology, firewall rule modifications, product upgrades). Note that external vulnerability scans must be performed by a scan vendor qualified by the payment card industry. | VAM: VAM is a vulnerability management solution. Its core function is to run vulnerability scans and then track the remediation of any issues found. VAM can be used internally or externally. By using VAM on an ongoing basis, merchants and transaction processors implement a best-practices vulnerability scanning and remediation program that greatly assists final PCI compliance testing by a qualified data security company (QDSC). |
| 11.3 | Perform penetration testing on network infrastructure and applications at least once a year and after any significant infrastructure or application upgrade or modification (e.g., operating system upgrade, sub-network added to environment, web server added to environment). | VAM: VAM can be used to conduct regularly scheduled penetration tests on the network infrastructure. Because PCI states that penetration tests should be conducted after any significant change or upgrade, an ongoing, regular program of testing with VAM is advisable. |
| 11.4 | Use network intrusion detection systems, host-based intrusion detection systems, and/or intrusion prevention systems to monitor all network traffic and alert personnel to suspected compromises. Keep all intrusion detection and prevention engines up to date. | Strata Guard: Strata Guard is an award-winning intrusion detection / prevention system, known for its ease of use and affordability. |
| 12.2 | Develop daily operational security procedures that are consistent with requirements in this specification (e.g., user account maintenance procedures, log review procedures). | Safe Access & VAM: Both Safe Access and VAM can drive daily best-practices implementation of security procedures. Safe Access checks device compliance at each login, so endpoints are continuously verified against internal security policies. VAM provides scheduled vulnerability scanning and remediation tracking. Using both tools, organizations can create a daily operational procedure for compliance. |
| 12.4 | Ensure the security policy and procedures clearly define information security responsibilities for all employees and contractors. | Safe Access: Safe Access can be used to enforce end-user security policy. For instance, Safe Access can verify that all endpoints are patched, have up-to-date antivirus, and have personal firewalls enabled. In addition, Safe Access can deny network access to devices containing items that violate policy (for example, P2P software or insecure instant messenger clients). |
| 12.5.1 | Establish, document, and distribute security policies and procedures. | Safe Access & VAM: Both Safe Access and VAM can be used to enforce security policies and procedures. Both solutions conduct regularly scheduled, automated tests of endpoint or server security policies. Any deviations can be escalated to the appropriate personnel and remediated accordingly. |
| 12.5.2 | Monitor and analyze security alerts and information, and distribute to appropriate personnel. | Safe Access, Strata Guard, & VAM: All three StillSecure products assist in monitoring for security alerts and disseminating the information to the appropriate personnel. All three products allow role-based access to their data and provide alerts via email, pager, or phone. |
| 12.9.5 | Include alerts from intrusion detection, intrusion prevention, and file integrity monitoring systems. | Strata Guard: Strata Guard can provide alerts in a number of formats to support compliance reporting. |