Security breaches are common today – from computer viruses, such as Bash Bug or Heartbleed, undermining the security of millions of websites, to credit card cyber theft experienced by big retailers. One effort to protect cardholder information is Payment Card Industry (PCI) Data Security Standard (DSS), which was created in October 2008 to protect personal cardholder information whenever used in a financial transaction. PCI DSS, which is applied wherever cardholder data is stored, processed or transmitted, is becoming a requirement for organizations that utilize credit cards. Failure to adhere to the PCI DSS standard can result in revocation of card processing privileges or monetary penalties. However, Application Performance Management (APM) designed to capture and retain network application transaction data, also has the potential to violate compliance. Below is an outline of the 12 requirements to be PCI DSS-compliant and how to manage APM to avoid violations.
In general, PCI DSS procedures are based on 12 requirements that fall within six categories:
BUILD AND MAINTAIN A SECURE NETWORK
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Requirement 2: Do not use vendor-supplied defaults for system passwords.
PROTECT CARDHOLDER DATA
Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
MAINTAIN A VULNERABILITY MANAGEMENT PROGRAM
Requirement 5: Use and regularly update anti-virus software or programs.
Requirement 6: Develop and maintain secure systems and applications.
IMPLEMENT STRONG ACCESS CONTROL MEASURES
Requirement 7: Restrict access to cardholder data by business need-to-know.
Requirement 8: Assign a unique ID to each person with computer access.
Requirement 9: Restrict physical access to cardholder data.
REGULARLY MONITOR AND TEST NETWORKS
Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.
MAINTAIN AN INFORMATION SECURITY POLICY
Requirement 12: Maintain an information security policy.
Below are seven considerations when assessing which APM solution to select, in order to make sure it does not hinder compliance:
1. Do not use vendor-supplied defaults for system passwords and other security parameters
Most systems today provide default passwords, but require that they are changed upon installation and configuration. The IT team needs to ensure all components of the APM solution that track or retain customer cardholder data include strong and flexible password protection.
2. Protect stored cardholder data
There are a number of APM solutions that include packet-level storage capabilities. This functionality enables simplified troubleshooting of application and network anomalies. Depending on configuration, it could also capture cardholder data within the payload. Therefore, it is critical the data is protected while at rest or when transmitted using a strong encryption method.
3. Encrypt transmission of data across open, public networks
Whenever credit card data traverses an unsecured network, it must be encrypted. If an APM solution allows for remote console access across an open public network, verify the data is likewise encrypted.
4. Develop and maintain secure systems and applications
Two sections of this requirement do affect APM solutions: secure authentication and data encryption. A compliant APM solution needs to incorporate these attributes into their feature set.
5. Restrict access to cardholder data by business need-to-know
APM solutions that capture cardholder information must be capable of restricting access by staff to the minimum level required to perform their duties. Best-in-class APM solutions enable unique access rights to each user to ensure only select individuals have access to the most sensitive data.
6. Restrict physical access to cardholder data
APM solution components that store cardholder data must be located in secure data center locations.
7. Track and monitor all access to network resources and cardholder data
APM solutions with post-event forensic analysis can greatly enhance a company’s ability to satisfy this requirement by enabling detailed access tracking and identification of compromised data or system components.
When utilized with other enterprise system logging solutions, APM solutions can greatly strengthen an organization’s ability to satisfy this important PCI DSS requirement. When selecting APM solutions, be sure to select products that offer feature sets that satisfy PCI DSS compliance. For example, look for products that allow each user to have distinct logon identification and offer post-event forensic analysis and data-at-rest encryption. This will help ensure that your APM solution protects cardholder data while remaining in full compliance with PCI DSS requirements.
The Latest
The OpenTelemetry End-User SIG surveyed more than 100 OpenTelemetry users to learn more about their observability journeys and what resources deliver the most value when establishing an observability practice ... Regardless of experience level, there's a clear need for more support and continued education ...
A silo is, by definition, an isolated component of an organization that doesn't interact with those around it in any meaningful way. This is the antithesis of collaboration, but its effects are even more insidious than the shutting down of effective conversation ...
New Relic's 2024 State of Observability for Industrials, Materials, and Manufacturing report outlines the adoption and business value of observability for the industrials, materials, and manufacturing industries ... Here are 8 key takeaways from the report ...
For mission-critical applications, it's often easy to justify an investment in a solution designed to ensure that the application is available no less than 99.99% of the time — easy because the cost to the organization of that app being offline would quickly surpass the cost of a high availability (HA) solution ... But not every application warrants the investment in an HA solution with redundant infrastructure spanning multiple data centers or cloud availability zones ...
The edge brings computing resources and data storage closer to end users, which explains the rapid boom in edge computing, but it also generates a huge amount of data ... 44% of organizations are investing in edge IT to create new customer experiences and improve engagement. To achieve those goals, edge services observability should be a centerpoint of that investment ...
The growing adoption of efficiency-boosting technologies like artificial intelligence (AI) and machine learning (ML) helps counteract staffing shortages, rising labor costs, and talent gaps, while giving employees more time to focus on strategic projects. This trend is especially evident in the government contracting sector, where, according to Deltek's 2024 Clarity Report, 34% of GovCon leaders rank AI and ML in their top three technology investment priorities for 2024, above perennial focus areas like cybersecurity, data management and integration, business automation and cloud infrastructure ...
While IT leaders are preparing organizations for accelerated generative AI (GenAI) adoption, C-suite executives' confidence in their IT team's ability to deliver basic services is declining, according to a study conducted by the IBM Institute for Business Value ...
The consequences of outages have become a pressing issue as the largest IT outage in history continues to rock the world with severe ramifications ... According to the Catchpoint Internet Resilience Report, these types of disruptions, internet outages in particular, can have severe financial and reputational impacts and enterprises should strongly consider their resilience ...
Everyday AI and digital employee experience (DEX) are projected to reach mainstream adoption in less than two years according to the Gartner, Inc. Hype Cycle for Digital Workplace Applications, 2024 ...
When an IT issue is not handled correctly, not only is innovation stifled, but stakeholder trust can also be impacted (such as when there's an IT outage or slowdowns in performance). When you add new technology investments and innovations into the mix, you have a recipe for disaster ...