Skip to main content

Leveraging APM Solutions to Protect Payment Card Information

Brad Reinboldt

Security breaches are common today – from computer viruses, such as Bash Bug or Heartbleed, undermining the security of millions of websites, to credit card cyber theft experienced by big retailers. One effort to protect cardholder information is Payment Card Industry (PCI) Data Security Standard (DSS), which was created in October 2008 to protect personal cardholder information whenever used in a financial transaction. PCI DSS, which is applied wherever cardholder data is stored, processed or transmitted, is becoming a requirement for organizations that utilize credit cards. Failure to adhere to the PCI DSS standard can result in revocation of card processing privileges or monetary penalties. However, Application Performance Management (APM) designed to capture and retain network application transaction data, also has the potential to violate compliance. Below is an outline of the 12 requirements to be PCI DSS-compliant and how to manage APM to avoid violations.

In general, PCI DSS procedures are based on 12 requirements that fall within six categories:

BUILD AND MAINTAIN A SECURE NETWORK

Requirement 1: Install and maintain a firewall configuration to protect cardholder data.

Requirement 2: Do not use vendor-supplied defaults for system passwords.

PROTECT CARDHOLDER DATA

Requirement 3: Protect stored cardholder data.

Requirement 4: Encrypt transmission of cardholder data across open, public networks.

MAINTAIN A VULNERABILITY MANAGEMENT PROGRAM

Requirement 5: Use and regularly update anti-virus software or programs.

Requirement 6: Develop and maintain secure systems and applications.

IMPLEMENT STRONG ACCESS CONTROL MEASURES

Requirement 7: Restrict access to cardholder data by business need-to-know.

Requirement 8: Assign a unique ID to each person with computer access.

Requirement 9: Restrict physical access to cardholder data.

REGULARLY MONITOR AND TEST NETWORKS

Requirement 10: Track and monitor all access to network resources and cardholder data.

Requirement 11: Regularly test security systems and processes.

MAINTAIN AN INFORMATION SECURITY POLICY

Requirement 12: Maintain an information security policy.

Below are seven considerations when assessing which APM solution to select, in order to make sure it does not hinder compliance:

1. Do not use vendor-supplied defaults for system passwords and other security parameters

Most systems today provide default passwords, but require that they are changed upon installation and configuration. The IT team needs to ensure all components of the APM solution that track or retain customer cardholder data include strong and flexible password protection.

2. Protect stored cardholder data

There are a number of APM solutions that include packet-level storage capabilities. This functionality enables simplified troubleshooting of application and network anomalies. Depending on configuration, it could also capture cardholder data within the payload. Therefore, it is critical the data is protected while at rest or when transmitted using a strong encryption method.

3. Encrypt transmission of data across open, public networks

Whenever credit card data traverses an unsecured network, it must be encrypted. If an APM solution allows for remote console access across an open public network, verify the data is likewise encrypted.

4. Develop and maintain secure systems and applications

Two sections of this requirement do affect APM solutions: secure authentication and data encryption. A compliant APM solution needs to incorporate these attributes into their feature set.

5. Restrict access to cardholder data by business need-to-know

APM solutions that capture cardholder information must be capable of restricting access by staff to the minimum level required to perform their duties. Best-in-class APM solutions enable unique access rights to each user to ensure only select individuals have access to the most sensitive data.

6. Restrict physical access to cardholder data

APM solution components that store cardholder data must be located in secure data center locations.

7. Track and monitor all access to network resources and cardholder data

APM solutions with post-event forensic analysis can greatly enhance a company’s ability to satisfy this requirement by enabling detailed access tracking and identification of compromised data or system components.

When utilized with other enterprise system logging solutions, APM solutions can greatly strengthen an organization’s ability to satisfy this important PCI DSS requirement. When selecting APM solutions, be sure to select products that offer feature sets that satisfy PCI DSS compliance. For example, look for products that allow each user to have distinct logon identification and offer post-event forensic analysis and data-at-rest encryption. This will help ensure that your APM solution protects cardholder data while remaining in full compliance with PCI DSS requirements.

The Latest

If you've been in the tech space for a while, you may be experiencing some deja vu. Though often compared to the adoption and proliferation of the internet, Generative AI (GenAI) is following in the footsteps of cloud computing ...

Lose your data and the best case scenario is, well, you know the word — but at worst, it is game over. And so World Backup Day has traditionally carried a very simple yet powerful message for businesses: Backup. Your. Data ...

Image
World Backup Day

A large majority (79%) believe the current service desk model will be unrecognizable within three years, and nearly as many (77%) say new technologies will render it redundant by 2027, according to The Death (and Rebirth) of the Service Desk, a report from Nexthink ...

Open source dominance continues in observability, according to the Observability Survey from Grafana Labs.  A remarkable 75% of respondents are now using open source licensing for observability, with 70% reporting that their organizations use both Prometheus and OpenTelemetry in some capacity. Half of all organizations increased their investments in both technologies for the second year in a row ...

Significant improvements in operational resilience, more effective use of automation and faster time to market are driving optimism about IT spending in 2025, with a majority of leaders expecting their budgets to increase year-over-year, according to the 2025 State of Digital Operations Report from PagerDuty ...

Image
PagerDuty

Are they simply number crunchers confined to back-office support, or are they the strategic influencers shaping the future of your enterprise? The reality is that data analysts are far more the latter. In fact, 94% of analysts agree their role is pivotal to making high-level business decisions, proving that they are becoming indispensable partners in shaping strategy ...

Today's enterprises exist in rapidly growing, complex IT landscapes that can inadvertently create silos and lead to the accumulation of disparate tools. To successfully manage such growth, these organizations must realize the requisite shift in corporate culture and workflow management needed to build trust in new technologies. This is particularly true in cases where enterprises are turning to automation and autonomic IT to offload the burden from IT professionals. This interplay between technology and culture is crucial in guiding teams using AIOps and observability solutions to proactively manage operations and transition toward a machine-driven IT ecosystem ...

Gartner identified the top data and analytics (D&A) trends for 2025 that are driving the emergence of a wide range of challenges, including organizational and human issues ...

Traditional network monitoring, while valuable, often falls short in providing the context needed to truly understand network behavior. This is where observability shines. In this blog, we'll compare and contrast traditional network monitoring and observability — highlighting the benefits of this evolving approach ...

A recent Rocket Software and Foundry study found that just 28% of organizations fully leverage their mainframe data, a concerning statistic given its critical role in powering AI models, predictive analytics, and informed decision-making ...

Leveraging APM Solutions to Protect Payment Card Information

Brad Reinboldt

Security breaches are common today – from computer viruses, such as Bash Bug or Heartbleed, undermining the security of millions of websites, to credit card cyber theft experienced by big retailers. One effort to protect cardholder information is Payment Card Industry (PCI) Data Security Standard (DSS), which was created in October 2008 to protect personal cardholder information whenever used in a financial transaction. PCI DSS, which is applied wherever cardholder data is stored, processed or transmitted, is becoming a requirement for organizations that utilize credit cards. Failure to adhere to the PCI DSS standard can result in revocation of card processing privileges or monetary penalties. However, Application Performance Management (APM) designed to capture and retain network application transaction data, also has the potential to violate compliance. Below is an outline of the 12 requirements to be PCI DSS-compliant and how to manage APM to avoid violations.

In general, PCI DSS procedures are based on 12 requirements that fall within six categories:

BUILD AND MAINTAIN A SECURE NETWORK

Requirement 1: Install and maintain a firewall configuration to protect cardholder data.

Requirement 2: Do not use vendor-supplied defaults for system passwords.

PROTECT CARDHOLDER DATA

Requirement 3: Protect stored cardholder data.

Requirement 4: Encrypt transmission of cardholder data across open, public networks.

MAINTAIN A VULNERABILITY MANAGEMENT PROGRAM

Requirement 5: Use and regularly update anti-virus software or programs.

Requirement 6: Develop and maintain secure systems and applications.

IMPLEMENT STRONG ACCESS CONTROL MEASURES

Requirement 7: Restrict access to cardholder data by business need-to-know.

Requirement 8: Assign a unique ID to each person with computer access.

Requirement 9: Restrict physical access to cardholder data.

REGULARLY MONITOR AND TEST NETWORKS

Requirement 10: Track and monitor all access to network resources and cardholder data.

Requirement 11: Regularly test security systems and processes.

MAINTAIN AN INFORMATION SECURITY POLICY

Requirement 12: Maintain an information security policy.

Below are seven considerations when assessing which APM solution to select, in order to make sure it does not hinder compliance:

1. Do not use vendor-supplied defaults for system passwords and other security parameters

Most systems today provide default passwords, but require that they are changed upon installation and configuration. The IT team needs to ensure all components of the APM solution that track or retain customer cardholder data include strong and flexible password protection.

2. Protect stored cardholder data

There are a number of APM solutions that include packet-level storage capabilities. This functionality enables simplified troubleshooting of application and network anomalies. Depending on configuration, it could also capture cardholder data within the payload. Therefore, it is critical the data is protected while at rest or when transmitted using a strong encryption method.

3. Encrypt transmission of data across open, public networks

Whenever credit card data traverses an unsecured network, it must be encrypted. If an APM solution allows for remote console access across an open public network, verify the data is likewise encrypted.

4. Develop and maintain secure systems and applications

Two sections of this requirement do affect APM solutions: secure authentication and data encryption. A compliant APM solution needs to incorporate these attributes into their feature set.

5. Restrict access to cardholder data by business need-to-know

APM solutions that capture cardholder information must be capable of restricting access by staff to the minimum level required to perform their duties. Best-in-class APM solutions enable unique access rights to each user to ensure only select individuals have access to the most sensitive data.

6. Restrict physical access to cardholder data

APM solution components that store cardholder data must be located in secure data center locations.

7. Track and monitor all access to network resources and cardholder data

APM solutions with post-event forensic analysis can greatly enhance a company’s ability to satisfy this requirement by enabling detailed access tracking and identification of compromised data or system components.

When utilized with other enterprise system logging solutions, APM solutions can greatly strengthen an organization’s ability to satisfy this important PCI DSS requirement. When selecting APM solutions, be sure to select products that offer feature sets that satisfy PCI DSS compliance. For example, look for products that allow each user to have distinct logon identification and offer post-event forensic analysis and data-at-rest encryption. This will help ensure that your APM solution protects cardholder data while remaining in full compliance with PCI DSS requirements.

The Latest

If you've been in the tech space for a while, you may be experiencing some deja vu. Though often compared to the adoption and proliferation of the internet, Generative AI (GenAI) is following in the footsteps of cloud computing ...

Lose your data and the best case scenario is, well, you know the word — but at worst, it is game over. And so World Backup Day has traditionally carried a very simple yet powerful message for businesses: Backup. Your. Data ...

Image
World Backup Day

A large majority (79%) believe the current service desk model will be unrecognizable within three years, and nearly as many (77%) say new technologies will render it redundant by 2027, according to The Death (and Rebirth) of the Service Desk, a report from Nexthink ...

Open source dominance continues in observability, according to the Observability Survey from Grafana Labs.  A remarkable 75% of respondents are now using open source licensing for observability, with 70% reporting that their organizations use both Prometheus and OpenTelemetry in some capacity. Half of all organizations increased their investments in both technologies for the second year in a row ...

Significant improvements in operational resilience, more effective use of automation and faster time to market are driving optimism about IT spending in 2025, with a majority of leaders expecting their budgets to increase year-over-year, according to the 2025 State of Digital Operations Report from PagerDuty ...

Image
PagerDuty

Are they simply number crunchers confined to back-office support, or are they the strategic influencers shaping the future of your enterprise? The reality is that data analysts are far more the latter. In fact, 94% of analysts agree their role is pivotal to making high-level business decisions, proving that they are becoming indispensable partners in shaping strategy ...

Today's enterprises exist in rapidly growing, complex IT landscapes that can inadvertently create silos and lead to the accumulation of disparate tools. To successfully manage such growth, these organizations must realize the requisite shift in corporate culture and workflow management needed to build trust in new technologies. This is particularly true in cases where enterprises are turning to automation and autonomic IT to offload the burden from IT professionals. This interplay between technology and culture is crucial in guiding teams using AIOps and observability solutions to proactively manage operations and transition toward a machine-driven IT ecosystem ...

Gartner identified the top data and analytics (D&A) trends for 2025 that are driving the emergence of a wide range of challenges, including organizational and human issues ...

Traditional network monitoring, while valuable, often falls short in providing the context needed to truly understand network behavior. This is where observability shines. In this blog, we'll compare and contrast traditional network monitoring and observability — highlighting the benefits of this evolving approach ...

A recent Rocket Software and Foundry study found that just 28% of organizations fully leverage their mainframe data, a concerning statistic given its critical role in powering AI models, predictive analytics, and informed decision-making ...