Leveraging APM Solutions to Protect Payment Card Information
November 18, 2014

Brad Reinboldt
Network Instruments

Share this

Security breaches are common today – from computer viruses, such as Bash Bug or Heartbleed, undermining the security of millions of websites, to credit card cyber theft experienced by big retailers. One effort to protect cardholder information is Payment Card Industry (PCI) Data Security Standard (DSS), which was created in October 2008 to protect personal cardholder information whenever used in a financial transaction. PCI DSS, which is applied wherever cardholder data is stored, processed or transmitted, is becoming a requirement for organizations that utilize credit cards. Failure to adhere to the PCI DSS standard can result in revocation of card processing privileges or monetary penalties. However, Application Performance Management (APM) designed to capture and retain network application transaction data, also has the potential to violate compliance. Below is an outline of the 12 requirements to be PCI DSS-compliant and how to manage APM to avoid violations.

In general, PCI DSS procedures are based on 12 requirements that fall within six categories:

BUILD AND MAINTAIN A SECURE NETWORK

Requirement 1: Install and maintain a firewall configuration to protect cardholder data.

Requirement 2: Do not use vendor-supplied defaults for system passwords.

PROTECT CARDHOLDER DATA

Requirement 3: Protect stored cardholder data.

Requirement 4: Encrypt transmission of cardholder data across open, public networks.

MAINTAIN A VULNERABILITY MANAGEMENT PROGRAM

Requirement 5: Use and regularly update anti-virus software or programs.

Requirement 6: Develop and maintain secure systems and applications.

IMPLEMENT STRONG ACCESS CONTROL MEASURES

Requirement 7: Restrict access to cardholder data by business need-to-know.

Requirement 8: Assign a unique ID to each person with computer access.

Requirement 9: Restrict physical access to cardholder data.

REGULARLY MONITOR AND TEST NETWORKS

Requirement 10: Track and monitor all access to network resources and cardholder data.

Requirement 11: Regularly test security systems and processes.

MAINTAIN AN INFORMATION SECURITY POLICY

Requirement 12: Maintain an information security policy.

Below are seven considerations when assessing which APM solution to select, in order to make sure it does not hinder compliance:

1. Do not use vendor-supplied defaults for system passwords and other security parameters

Most systems today provide default passwords, but require that they are changed upon installation and configuration. The IT team needs to ensure all components of the APM solution that track or retain customer cardholder data include strong and flexible password protection.

2. Protect stored cardholder data

There are a number of APM solutions that include packet-level storage capabilities. This functionality enables simplified troubleshooting of application and network anomalies. Depending on configuration, it could also capture cardholder data within the payload. Therefore, it is critical the data is protected while at rest or when transmitted using a strong encryption method.

3. Encrypt transmission of data across open, public networks

Whenever credit card data traverses an unsecured network, it must be encrypted. If an APM solution allows for remote console access across an open public network, verify the data is likewise encrypted.

4. Develop and maintain secure systems and applications

Two sections of this requirement do affect APM solutions: secure authentication and data encryption. A compliant APM solution needs to incorporate these attributes into their feature set.

5. Restrict access to cardholder data by business need-to-know

APM solutions that capture cardholder information must be capable of restricting access by staff to the minimum level required to perform their duties. Best-in-class APM solutions enable unique access rights to each user to ensure only select individuals have access to the most sensitive data.

6. Restrict physical access to cardholder data

APM solution components that store cardholder data must be located in secure data center locations.

7. Track and monitor all access to network resources and cardholder data

APM solutions with post-event forensic analysis can greatly enhance a company’s ability to satisfy this requirement by enabling detailed access tracking and identification of compromised data or system components.

When utilized with other enterprise system logging solutions, APM solutions can greatly strengthen an organization’s ability to satisfy this important PCI DSS requirement. When selecting APM solutions, be sure to select products that offer feature sets that satisfy PCI DSS compliance. For example, look for products that allow each user to have distinct logon identification and offer post-event forensic analysis and data-at-rest encryption. This will help ensure that your APM solution protects cardholder data while remaining in full compliance with PCI DSS requirements.

Brad Reinboldt is Senior Product Manager for Network Instruments, a division of JDSU.
Share this

The Latest

May 28, 2020

On Wednesday, May 6th, iOS users all over the world experienced an app crash when they tried to open popular apps such as TikTok, GroupMe, Spotify, and Pinterest. How did simultaneous crashes occur across so many independent apps? What's the common thread that would cause widespread app crashes? Turns out, it was a change in behavior in the Facebook API ...

May 27, 2020

Keeping networks operational is critical for businesses to run smoothly. The Ponemon Institute estimates that the average cost of an unplanned network outage is $8,850 per minute, a staggering number. In addition to cost, a network failure has a negative effect on application efficiency and user experience ...

May 26, 2020

Nearly 3,700 people told GitLab about their DevOps journeys. Respondents shared that their roles are changing dramatically, no matter where they sit in the organization. The lines surrounding the traditional definitions of dev, sec, ops and test have blurred, and as we enter the second half of 2020, it is perhaps more important than ever for companies to understand how these roles are evolving ...

May 21, 2020

As cloud computing continues to grow, tech pros say they are increasingly prioritizing areas like hybrid infrastructure management, application performance management (APM), and security management to optimize delivery for the organizations they serve, according to SolarWinds IT Trends Report 2020: The Universal Language of IT ...

May 20, 2020

Businesses see digital experience as a growing priority and a key to their success, with execution requiring a more integrated approach across development, IT and business users, according to Digital Experiences: Where the Industry Stands ...

May 19, 2020

Fully 90% of those who use observability tooling say those tools are important to their team's software development success, including 39% who say observability tools are very important ...

May 18, 2020

As our production application systems continuously increase in complexity, the challenges of understanding, debugging, and improving them keep growing by orders of magnitude. The practice of Observability addresses both the social and the technological challenges of wrangling complexity and working toward achieving production excellence. New research shows how observable systems and practices are changing the APM landscape ...

May 14, 2020
Digital technologies have enveloped our lives like never before. Be it on the personal or professional front, we have become dependent on the accurate functioning of digital devices and the software running them. The performance of the software is critical in running the components and levers of the new digital ecosystem. And to ensure our digital ecosystem delivers the required outcomes, a robust performance testing strategy should be instituted ...
May 13, 2020

The enforced change to working from home (WFH) has had a massive impact on businesses, not just in the way they manage their employees and IT systems. As the COVID-19 pandemic progresses, enterprise IT teams are looking to answer key questions such as: Which applications have become more critical for working from home? ...

May 12, 2020

In ancient times — February 2020 — EMA research found that more than 50% of IT leaders surveyed were considering new ITSM platforms in the near future. The future arrived with a bang as IT organizations turbo-pivoted to deliver and support unprecedented levels and types of services to a global workplace suddenly working from home ...