Leveraging APM Solutions to Protect Payment Card Information
November 18, 2014

Brad Reinboldt
Network Instruments

Share this

Security breaches are common today – from computer viruses, such as Bash Bug or Heartbleed, undermining the security of millions of websites, to credit card cyber theft experienced by big retailers. One effort to protect cardholder information is Payment Card Industry (PCI) Data Security Standard (DSS), which was created in October 2008 to protect personal cardholder information whenever used in a financial transaction. PCI DSS, which is applied wherever cardholder data is stored, processed or transmitted, is becoming a requirement for organizations that utilize credit cards. Failure to adhere to the PCI DSS standard can result in revocation of card processing privileges or monetary penalties. However, Application Performance Management (APM) designed to capture and retain network application transaction data, also has the potential to violate compliance. Below is an outline of the 12 requirements to be PCI DSS-compliant and how to manage APM to avoid violations.

In general, PCI DSS procedures are based on 12 requirements that fall within six categories:

BUILD AND MAINTAIN A SECURE NETWORK

Requirement 1: Install and maintain a firewall configuration to protect cardholder data.

Requirement 2: Do not use vendor-supplied defaults for system passwords.

PROTECT CARDHOLDER DATA

Requirement 3: Protect stored cardholder data.

Requirement 4: Encrypt transmission of cardholder data across open, public networks.

MAINTAIN A VULNERABILITY MANAGEMENT PROGRAM

Requirement 5: Use and regularly update anti-virus software or programs.

Requirement 6: Develop and maintain secure systems and applications.

IMPLEMENT STRONG ACCESS CONTROL MEASURES

Requirement 7: Restrict access to cardholder data by business need-to-know.

Requirement 8: Assign a unique ID to each person with computer access.

Requirement 9: Restrict physical access to cardholder data.

REGULARLY MONITOR AND TEST NETWORKS

Requirement 10: Track and monitor all access to network resources and cardholder data.

Requirement 11: Regularly test security systems and processes.

MAINTAIN AN INFORMATION SECURITY POLICY

Requirement 12: Maintain an information security policy.

Below are seven considerations when assessing which APM solution to select, in order to make sure it does not hinder compliance:

1. Do not use vendor-supplied defaults for system passwords and other security parameters

Most systems today provide default passwords, but require that they are changed upon installation and configuration. The IT team needs to ensure all components of the APM solution that track or retain customer cardholder data include strong and flexible password protection.

2. Protect stored cardholder data

There are a number of APM solutions that include packet-level storage capabilities. This functionality enables simplified troubleshooting of application and network anomalies. Depending on configuration, it could also capture cardholder data within the payload. Therefore, it is critical the data is protected while at rest or when transmitted using a strong encryption method.

3. Encrypt transmission of data across open, public networks

Whenever credit card data traverses an unsecured network, it must be encrypted. If an APM solution allows for remote console access across an open public network, verify the data is likewise encrypted.

4. Develop and maintain secure systems and applications

Two sections of this requirement do affect APM solutions: secure authentication and data encryption. A compliant APM solution needs to incorporate these attributes into their feature set.

5. Restrict access to cardholder data by business need-to-know

APM solutions that capture cardholder information must be capable of restricting access by staff to the minimum level required to perform their duties. Best-in-class APM solutions enable unique access rights to each user to ensure only select individuals have access to the most sensitive data.

6. Restrict physical access to cardholder data

APM solution components that store cardholder data must be located in secure data center locations.

7. Track and monitor all access to network resources and cardholder data

APM solutions with post-event forensic analysis can greatly enhance a company’s ability to satisfy this requirement by enabling detailed access tracking and identification of compromised data or system components.

When utilized with other enterprise system logging solutions, APM solutions can greatly strengthen an organization’s ability to satisfy this important PCI DSS requirement. When selecting APM solutions, be sure to select products that offer feature sets that satisfy PCI DSS compliance. For example, look for products that allow each user to have distinct logon identification and offer post-event forensic analysis and data-at-rest encryption. This will help ensure that your APM solution protects cardholder data while remaining in full compliance with PCI DSS requirements.

Brad Reinboldt is Senior Product Manager for Network Instruments, a division of JDSU.
Share this

The Latest

May 20, 2019

In today's competitive landscape, businesses must have the ability and process in place to face new challenges and find ways to successfully tackle them in a proactive manner. For years, this has been placed on the shoulders of DevOps teams within IT departments. But, as automation takes over manual intervention to increase speed and efficiency, these teams are facing what we know as IT digitization. How has this changed the way companies function over the years, and what do we have to look forward to in the coming years? ...

May 16, 2019

Although the vast majority of IT organizations have implemented a broad variety of systems and tools to modernize, simplify and streamline data center operations, many are still burdened by inefficiencies, security risks and performance gaps in their IT infrastructure as well as the excessive time it takes to manage legacy infrastructure, according to the State of IT Transformation, a report from Datrium ...

May 15, 2019

When it comes to network visibility, there are a lot of discussions about packet broker technology and the various features these solutions provide to network architects and IT managers. Packet brokers allow organizations to aggregate the data required for a variety of monitoring solutions including network performance monitoring and diagnostic (NPMD) platforms and unified threat management (UTM) appliances. But, when it comes to ensuring these solutions provide the insights required by NetOps and security teams, IT can spend an exorbitant amount of time dealing with issues around adds, moves and changes. This can have a dramatic impact on budgets and tool availability. Why does this happen? ...

May 14, 2019

Data may be pouring into enterprises but IT professionals still find most of it stuck in siloed departments and weeks away from being able to drive any valued action. Coupled with the ongoing concerns over security responsiveness, IT teams have to push aside other important performance-oriented data in order to ensure security data, at least, gets prominent attention. A new survey by Ivanti shows the disconnect between enterprise departments struggling to improve operations like automation while being challenged with a siloed structure and a data onslaught ...

May 13, 2019

A subtle, deliberate shift has occurred within the software industry which, at present, only the most innovative organizations have seized upon for competitive advantage. Although primarily driven by Artificial Intelligence (AI), this transformation strikes at the core of the most pervasive IT resources including cloud computing and predictive analytics ...

May 09, 2019

When asked who is mandated with developing and delivering their organization's digital competencies, 51% of respondents say their IT departments have a leadership role. The critical question is whether IT departments are prepared to take on a leadership role in which collaborating with other functions and disseminating knowledge and digital performance data are requirements ...

May 08, 2019

The Economist Intelligence Unit just released a new study commissioned by Riverbed that explores nine digital competencies that help organizations improve their digital performance and, ultimately, achieve their objectives. Here's a brief summary of 7 key research findings you'll find covered in detail in the report ...

May 07, 2019

Today, the overall customer scenario has digitally transformed and practically there is no limitation to the ways in which the target customers can be reached. These opportunities are throwing multiple challenges for brands and enterprises, and one of the prominent ones is to ensure Omni Channel experience for customers ...

May 06, 2019

Most businesses (92 percent of respondents) see the potential value of data and 36 percent are already monetizing their data, according to the Global Data Protection Index from Dell EMC. While this acknowledgement is positive, however, most respondents are struggling to properly protect their data ...

May 02, 2019

IT practitioners are still in experimentation mode with artificial intelligence in many cases, and still have concerns about how credible the technology can be. A recent study from OpsRamp targeted these IT managers who have implemented AIOps, and among other data, reports on the primary concerns of this new approach to operations management ...