McAfee PCI DSS Requirement Mapping Tool

PCI DSS 2.0 Requirement Mapping Tool
Use our interactive tool to select your specific PCI DSS requirements and print a custom report showing the McAfee solutions that suit your needs. Click here for more help.

McAfee Solutions

McAfee Vulnerability Manager - click to learn more

McAfee Policy Auditor - click to learn more

McAfee Change Control - click to learn more

McAfee Vulnerability Manager for Databases - click to learn more

McAfee Database Activity Monitoring - click to learn more

McAfee Email and Web Security Appliances - click to learn more

McAfee Network Security Platform - click to learn more

McAfee Network User Behavior Analysis - click to learn more

McAfee Firewall Enterprise - Sidewinder - click to learn more

McAfee E-Business Server - click to learn more

McAfee Host Data Loss Prevention - click to learn more

McAfee Endpoint Encryption - click to learn more

McAfee Network Access Control - click to learn more

McAfee VirusScan Enterprise - click to learn more

McAfee Host Intrusion Prevention - click to learn more

McAfee Application Control - Solidcore - click to learn more

McAfee Secure for Websites Service (includes McAfee PCI Certification Service) - click to learn more

McAfee Security Advisories - click to learn more

Foundstone Professional Services - click to learn more

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Expand the family to see product level details

Click here to expand the sub requirements

1.1 Establish firewall and router configuration standards that include the following:

Security assessment, policy gap analysis and program development (Click here to expand the sub requirements)

1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations

McAfee Firewall Reporter provides formal and auditable trail for implementing or approving changes to firewall configuration(s). Firewall Profiler and Firewall Enterprise Control Center also provide cross-firewall visibility and streamlined management capabilities.

By using McAfee ePolicy Orchestrator to manage McAfee Host Intrusion Prevention, formal and auditable procedures can be implemented for approving changes to firewall configuration(s).

Security assessment, policy gap analysis and program development

1.1.2 Current network diagram with all connections to cardholder data, including any wireless networks

1.1.3 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone

Can enforce Access Control Lists between the DMZ and internal network zones

Multiple firewalls can be installed as needed at Internet connections and DMZs. Restricts and alerts on inbound traffic to IP addresses beyond the DMZ

Can be deployed as a secondary level of firewall protection (to supplement a primary firewall).

1.1.4 Description of groups, roles and responsibilities for logical management of network components

Monitors Active Directory groups and access

Roles and responsibilities can be delegated using management interface

Roles and responsibilities can be delegated using McAfee ePolicy Orchestrator

1.1.5 Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure. Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP.

Identifies services and ports on all devices

Policy views of services and ports offered per network device

Policies can be printed to show which ports are allowed on a particular server

1.1.6 Requirement to review firewall and router rule sets at least every six months

Policy report is available via Admin Console tool. Firewall Reporter also provides customizable reports, which makes for easy review. Control Center provides tools to review seldom used and outdated policies for rule optimization.

McAfee ePolicy Orchestrator provides a central location for storing all McAfee Host Intrusion Prevention firewall policies, which makes for easy review.

1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment. Note: An "untrusted network" is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity's ability to control or manage.

Access Control Lists can be used to deny traffic from untrusted networks and hosts (Click here to expand the sub requirements)

Denies traffic from untrusted hosts and networks (Click here to expand the sub requirements)

Provides a method (trusted networks) which allows for the blocking of “risky” protocols from all untrusted networks (Click here to expand the sub requirements)

1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment.

Can scan networks to verify that inbound/outbound restrictions are properly configured.

Access Control Lists can be used to deny traffic from untrusted networks and hosts

Denies traffic from untrusted hosts and networks

Provides a method (trusted networks) which allows for the blocking of “risky” protocols from all untrusted networks

1.2.2 Secure and synchronize router configuration files.

1.2.3 Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment.

Monitors and restricts all inbound and outbound traffic to ensure specific and limited protocols and only hosts that are trusted

Firewall rules can be applied on a per server basis to further restrict access to all systems with cardholder data

1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.

Can scan networks to verify that inbound/outbound restrictions are properly configured. (Click here to expand the sub requirements)

Access Control Lists can be used to enforce this (Click here to expand the sub requirements)

Unauthorized IP addresses are flagged as violating events (Click here to expand the sub requirements)

Monitors and restricts all inbound and outbound traffic to ensure specific and limited protocols and only hosts that are trusted (Click here to expand the sub requirements)

Firewall rules can be applied on a per server basis to further restrict access to all systems with cardholder data (Click here to expand the sub requirements)

1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.

Access Control Lists can be used to enforce this

Monitors and alerts on inbound and outbound traffic beyond the DMZ

Firewall feature acts as a filter between a computer and the network or Internet. The firewall scans all incoming and outgoing traffic at the packet level.

1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.

Unauthorized IP addresses are flagged as violating events

1.3.3 Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment.

Provides stateful inspection and “packet scrubbing” functionality

Provides stateful and encrypted packet inspection

1.3.4 Do not allow internal addresses to pass from the Internet into the DMZ.

Hides internal addresses from DMZ or external networks

1.3.5 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.

1.3.6 Implement stateful inspection, also known as dynamic packet filtering. (That is, only ”established” connections are allowed into the network.)

Performs stateful inspection and packet filtering, as well as application inspection via proxies

1.3.7 Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.

Can build policies to segregate databases

Can be deployed with a default deny policy

1.3.8 Do not disclose private IP addresses and routing information to unauthorized parties.
Note: Methods to obscure IP addressing may include, but are not limited to: 1) Network Address Translation (NAT), 2) Placing servers containing cardholder data behind proxy servers/firewalls or content caches, 3) Removal or filtering of route advertisements for private networks that employ registered addressing, 4) Internal use of RFC1918 address space instead of registered addresses.

1.4 Install personal firewall software on any mobile and/or employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), which are used to access the organization’s network.

Includes an audit check to determine whether desktop firewall software is installed

Includes a system-level firewall ideal for securing laptops and computers

System-level firewall is ideal for securing laptops and computers

Provides an additional layer of security via application whitelisting and memory protection especially on devices that may not be able to have a personal firewall installed.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

2.1 Always change vendor-supplied defaults before installing a system on the network, including but not limited to passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts.

Scans for account and password settings as well as SNMP strings on Windows and UNIX systems (Click here to expand the sub requirements)

Measures managed systems for compliance towards enforcing changes to vendor supplied defaults

The product will report on default database passwords. In addition it will report on weak database passwords and weak passwords of various applications that store passwords within the database.

Can check for this before allowing systems on network

2.1.1 For wireless environments connected to the cardholder data environment or transmitting cardholder data, change wireless vendor defaults, including but not limited to default wireless encryption keys, passwords, and SNMP community strings.

Scans and assesses wireless network devices for vulnerabilities

2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardening standards may include, but are not limited to: 1) Center for Internet Security (CIS), 2) International Organization for Standardization (ISO), 3) SysAdmin Audit Network Security (SANS) Institute, 4) National Institute of Standards Technology (NIST)

Scans for compliance with configuration standards as defined by NIST and SANS (Click here to expand the sub requirements)

Measures systems for compliance to configurations to the ISO, CIS and NIST standards (Click here to expand the sub requirements)

The product scans databases and reports on all issues that require hardening. This includes remediation scripts where applicable. In addition the product compares findings to the CIS database security benchmarks. (Click here to expand the sub requirements)

2.2.1 Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.)

Reports can be used to check that only one primary function is implemented

2.2.2 Enable only necessary and secure services, protocols, daemons, etc., as required for the function of the system.
Implement security features for any required services, protocols or daemons that are considered to be insecure-for example, use secured technologies such as SSH, S-FTP, SSL, or IPSec VPN to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc.

Scans for services and protocols which could be used to compromise a network

Identifies policy violations, e.g., Telnet, time services, etc.

Can be used to block access to all protocols not necessary for business process.

2.2.3 Configure system security parameters to prevent misuse.

Scans for security settings and parameters that have known security implications

Measures managed systems for compliance to these parameters including permissions to install software, guest accounts, etc.

Can help to prevent misuse through restricting outbound access

2.2.4 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.

Identifies scripts, drivers, file systems, and web servers.

Audits managed systems for unnecessary functionality, such as scripts that may compromise systems or slow system start up

Database scan reports include information on the existence of unnecessary database components.

2.3 Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.

Reports can be used to demonstrate whether these technologies are running on systems used for web-based management and non-console administrative access

Enable Secure Shell (SSH) to be used for remote access.

All communication between Admin Console and Firewall is encrypted. Enables Secure Shell (SSH) to be used for remote access.

2.4 Shared hosting providers must protect each entity’s hosted environment and cardholder data. These providers must meet specific requirements as detailed in Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers.

Requirement 3: Protect stored cardholder data

3.1 Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes, as follows.

Scans identify the database tables that contain cardholder data, greatly reducing the work required for accomplishing requirement 3

Offers encryption for secure retention, and unrecoverable wiping of data for secure disposal (Click here to expand the sub requirements)

Tagging rules enable data to be classified by location, content and file type (Click here to expand the sub requirements)

3.1.1 Implement a data retention and disposal policy that includes: 1) Limiting data storage amount and retention time to that which is required for legal, regulatory, and business requirements, 2) Processes for secure deletion of data when no longer needed, 3) Specific retention requirements for cardholder data, 4) A quarterly automatic or manual process for identifying and securely deleting stored cardholder data that exceeds defined retention requirements

Offers encryption for secure retention, and unrecoverable wiping of data for secure disposal

Tagging rules enable data to be classified by location, content and file type

3.2 Do not store sensitive authentication data after authorization (even if encrypted).
Sensitive authentication data includes the data as cited in the following Requirements 3.2.1 through 3.2.3.

Encrypted data may be stored or destroyed as required by policy (Click here to expand the sub requirements)

Endpoint Encryption does not store authentication credentials (Click here to expand the sub requirements)

3.2.1 Do not store the full contents of any track (from the magnetic stripe located on the back of a card, equivalent data contained on a chip, or elsewhere). This data is alternatively called full track, track, track 1, track 2, and magnetic-stripe data.

Allows encryption of select items or entire files which contain select data to support the required data storage policy

Authentication credentials are not stored

3.2.2 Do not store the card-verification code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions.

3.2.3 Do not store the personal identification number (PIN) or the encrypted PIN block.

Does not store sensitive authentication data

3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed).

3.4 Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches: 1) One-way hashes based on strong cryptography (hash must be of the entire PAN), 2) Truncation (hashing cannot be used to replace the truncated segment of PAN), 3) Index tokens and pads (pads must be securely stored), 4) Strong cryptography with associated key-management processes and procedures

DAM is used as a compensating control whenever encrypting PAN in the database is not possible (e.g. older databases, applications that cannot be changed, etc.). DAM allows constant monitoring of the PAN tables, full audit trail, real time alerts when the data is accessed by unauthorized applications, and in some cases access to the data can be blocked if access policy is breached.

Capable of rendering the PAN unreadable anywhere it is stored (including data on portable digital media, backup media, in logs, etc). It uses strong-one-way hash functions and strong cryptography, such as 3DES and AES 256 with required key management.

3.4.1 If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed independently of native operating system access control mechanisms (for example, by not using local system or Active Directory accounts). Decryption keys must not be tied to user accounts.

Can be configured so that only the owner of the machine can access the key and log into the system

3.5 Protect any keys used to secure cardholder data against disclosure and misuse:

DAM can protect database tables that contain encryption keys (Click here to expand the sub requirements)

Keys are protected by being stored in hashed data stores and requiring pass phrases (Click here to expand the sub requirements)

Protects encryption keys via the user key. The user key is protected either by password or by a hardware authentication token, e.g. a smart card. (Click here to expand the sub requirements)

3.5.1 Restrict access to cryptographic keys to the fewest number of custodians necessary.

DAM can control the access to database tables that contain encryption keys

Supports procedures to limit holders of pass phrases and for key splitting

3.5.2 Store cryptographic keys securely in the fewest possible locations and forms.

The encryption key is unique per machine and is only stored fully encrypted as a backup for recovery reasons in the central database.

3.6. Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data, including the following:

This is covered in the McAfee Endpoint Encryption Administrator Guide. (Click here to expand the sub requirements)

3.6.1 Generation of strong cryptographic keys

MVM Can scan for and alert on SSL certificates and keys that are generated using weak or out-dated cryptographic keys

Strong keys may be generated using RSA and DH 1024, 2048, or 4096 size keys as part of a key management process per 3.6

Encryption keys are generated in accordance with the specifications for each algorithm supported

3.6.2 Secure cryptographic key distribution

Has the capability for secure key distribution through diffie-hellman key exchange which may be implemented through key management processes and then documented per 3.6

Encryption keys are distributed from the central McAfee Encryption Manager database to the clients using an SSL like protection mechanism with 1024 bits RSA key lengths, Diffie-Hellman key exchange and line bulk encryption.

3.6.3 Secure cryptographic key storage

Keys are securely stored and can be further protected through key management processes per 3.6

: All keys are stored and fully encrypted in the McAfee database. The unique machine encryption keys are fully encrypted and protected with the user's key or certificate (Public Key).

3.6.4 Cryptographic key changes for keys that have reached the end of their crypto period (for example, after a defined period of time has passed and/or after a certain amount of cipher-text has been produced by a given key), as defined by the associated application vendor or key owner, and based on industry best practices and guidelines (for example, NIST Special Publication 800-57).

Generates a random session key each time a public key encryption is performed, which can be implemented through key management processes and documented per 3.6

3.6.5 Retirement or replacement (for example, archiving, destruction, and/or revocation) of keys as deemed necessary when the integrity of the key has been weakened (for example, departure of an employee with knowledge of a clear-text key), or keys are suspected of being compromised.

Can revoke old keys, which can then be documented per 3.6

Ensures that keys permanently deleted from the database cannot be recovered

3.6.6 If manual clear-text cryptographic key management operations are used, these operations must be managed using split knowledge and dual control (for example, requiring two or three people, each knowing only their own key component, to reconstruct the whole key).

Has dual control capability through key splitting

3.6.7 Prevention of unauthorized substitution of cryptographic keys.

Keys are hashed and verified for validity, and can be used as part of a process to prevent unauthorized substitution of keys.

Has very strong granular rights management which can be used to restrict the view and access rights

3.6.8 Requirement for cryptographic key custodians to formally acknowledge that they understand and accept their key-custodian responsibilities.

Capable of replacing known or suspected compromised keys and can be implemented as part of key management processes

Requirement 4: Encrypt transmission of cardholder data across open, public networks

4.1 Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks.
Examples of open, public networks that are in scope of the PCI DSS include but are not limited to: 1) The Internet, 2) Wireless technologies, 3) Global System for Mobile communications (GSM), 4) General Packet Radio Service (GPRS).

Reports can show the protocols in use on web servers (Click here to expand the sub requirements)

Enables TLS encryption to be configured for inbound and outbound email provided the other end offers or suggests encryption.

Could be used as a compensating control (pending implementation and support with correct policies and procedures) to block protocols that do not safeguard sensitive cardholder data during transmission, while also alerting security personnel in real time

Uses IPSec VPN to establish encrypted tunnels

Can encrypt data before it is transmitted over open public networks using RSA, DH/DSS, SHA-1, 3DES, AES256, and SSL/TLS to ensure data is secure while transmitted

Does not read and communicate card holder data. However, all communication between the central McAfee Encryption Manager database and the client is protected using an SSL-like protection mechanism with 1024 bits RSA key lengths, Diffie-Hellman key exchange and line bulk encryption. (Click here to expand the sub requirements)

4.1.1 Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment, use industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission.

Reports can show the protocols in use on web servers.

The central McAfee Encryption Manager database and the client protect communication using an SSL-like mechanism with 1024 bits RSA key lengths, Diffie-Hellman key exchange and line bulk encryption.

4.2 Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat, etc.).

Non-secure technologies can be discovered and reported.

Privacy templates are score and threshold based and are designed to accumulate scores against numerical formats, such as personally identifiable account numbers

Client can be used to encrypt data and transmit it securely by email as part of a policy

Can help prevent PAN data from being sent via email via tagging rules. Reaction Rules prevent unauthorized distribution of tagged data via network connections.

Requirement 5: Use and regularly update anti-virus software or programs

5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).

Checks that anti-virus is deployed on all systems (Click here to expand the sub requirements)

Checks that anti-virus is deployed on all managed systems (Click here to expand the sub requirements)

Anti-virus engine scans HTTP, FTP, and SMTP for viruses, Trojans, spyware, and other malware in transit (Click here to expand the sub requirements)

Checks for correct deployment and can quarantine systems that are non compliant and send for remediation. As part of McAfee Total Protection for Endpoint Advanced, it can enforce deployment of anti-virus software on managed systems. (Click here to expand the sub requirements)

McAfee ePolicy Orchestrator can be used to deploy anti-virus software on all managed systems (Click here to expand the sub requirements)

Provides security via application whitelisting and memory protection and can either be used in lieu of anti-virus software or as an additional layer of defense (Click here to expand the sub requirements)

5.1.1 Ensure that all anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.

Checks that anti-virus is deployed on all systems

Checks that anti-virus is deployed on all managed systems

Detects known viruses, new viruses and variants. The scanners can also detect potentially unwanted programs (PUPs) such as spyware, adware, and cookies. By default, all protocols are enabled, and traffic is scanned in both directions.

Anti-virus engine scans HTTP, FTP, and SMTP for viruses, Trojans, spyware, and other malware in transit

Checks for correct deployment and quarantines non-compliant systems as well as enforces updates

Detects known viruses, new viruses and variants

5.2 Ensure that all anti-virus mechanisms are current, actively running, and generating audit logs.

Scans for versions of anti-virus software; checks that real-time detection is enabled and that DAT files are current

Checks that real-time detection is enabled on anti-virus, and for current DAT files

Enables administrators to determine the frequency of updates.

Checks that anti-virus is current before allowing systems on the network.

Ensures that are anti-virus mechanisms are current

Requirement 6: Develop and maintain secure systems and applications

6.1 Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release.

McAfee Vulnerability Manager scans managed and unmanaged systems for patch levels, provides patch information for vulnerabilities. and prioritizes systems that need to be patched.

Reports on patch status of systems and identifies systems requiring patch updates

Reports on missing database patches, on known vulnerabilities and on user-introduced vulnerabilities in store procedure code installed on the database (e.g. PL/SQL and TSQL code)

Database virtual patching (vPatch) is used as a compensating control when users are unable to patch the databases on time (according to recent surveys, about 90% of the customers do not patch databases within one month after the patch is available and 70% patch after more than 6 months).

Deployed patches to the firewall are integrated into the SecureOS operating system at same time. Common-criteria certified.

Reports on patch status of all systems and identifies systems requiring patch updates and quarantines devices that don't meet patch policy

Vulnerability shielding enables protection for critical systems and servers which may not be able to be patched within 30 days

Shields systems from vulnerabilities via application whitelisting and memory protection

6.2 Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities.

Threat Correlation Module receives threat intelligence updates from McAfee AVERT Labs, enabling organizations to immediately correlate threats with known open vulnerabilities on their network

The product is updated whenever new database vulnerabilities are discovered and after vendor patches are released.

6.3 Develop software applications (internal and external, and including web-based administrative access to applications) in accordance with PCI DSS (for example, secure authentication and logging), and based on industry best practices. Incorporate information security throughout the software development life cycle. These processes must include the following:

MVM can scan custom and off the shelf web applications for vulnerabilities in OWASP Top 10 and CWE/SANS Top 25 categories. (Click here to expand the sub requirements)

Product reports on insecure code within the databases (PL/SQL. TSQL) - e.g. when the user added code is vulnerable to SQL injection

6.3.1 Removal of custom application accounts, usernames, and passwords before applications become active or are released to customers

MVM can test applications for default/custom credentials.

6.3.2 Review of custom code prior to release to production or customer in order to identify any potential coding vulnerability.

MVM can scan custom and off the shelf web applications for vulnerabilities in OWASP Top 10 and CWE/SANS Top 25 categories.

6.4. Follow change control processes and procedures for all changes to system components. The processes must include the following:

McAfee Change Control tracks and reconciles configuration and policy changes via integration with change management systems (Click here to expand the sub requirements)

6.4.1 Separate development/test and production environments

6.4.2 Separation of duties between development/test and production environments

6.4.3 Production data (live PANs) are not used for testing or development

Supports policies to not use the data for testing and development

6.4.4 Removal of test data and accounts before production systems become active

6.4.5 Change control procedures for the implementation of security patches and software modifications. Procedures must include the following: 6.4.5.1 Documentation of impact, 6.4.5.2 Documented change approval by authorized parties, 6.4.5.3 Functionality testing to verify that the change does not adversely impact the security of the system, 6.4.5.4 Back-out procedures

McAfee Change Control tracks and reconciles configuration and policy changes via integration with change management systems

When using vPatch as a compensating control all of the impact associated with using the vendor patches including database downtime, and risk of application malfunction is reduced and in most cases eliminated

6.5 Develop applications based on secure coding guidelines. Prevent common coding vulnerabilities in software development processes, to include the following:

Can be used to help scan for common coding vulnerabilities. (Click here to expand the sub requirements)

Web application testing is offered as one of three phases in the McAfee Secure for Website Services daily security audit and -can be used to help identify coding vulnerabilities and augment a security program. (Click here to expand the sub requirements)

Perform threat modeling services to ensure web applications and software meet with secure coding guidelines (Click here to expand the sub requirements)

6.5.1 Injection flaws, particularly SQL injection. Also consider LDAP and Xpath injection flaws as well as other injection flaws.

Provides signatures to detect and prevent Injection Flaw attacks

Perform threat modeling services to ensure web applications and software meet with secure coding guidelines

6.5.2 Buffer overflow

Provides signatures to detect and prevent XSS attacks

6.5.3 Insecure cryptographic storage

Supports the ability to analyze SSL traffic to assist in supporting applications

6.5.4 Insecure communications

Offers a positive security model, HTTPS inspection, and SSL decryption

6.5.5 Improper error handling

6.5.6 All "High" vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.2).

6.5.7 Cross-site scripting (XSS)

6.5.8 Improper Access Control (such as insecure direct object references, failure to restrict URL access, and directory traversal)

Offers the ability to deny specific URL matches (in hostname or path) and enforce a max URL length which can restrict how deep an end user can view into a website

6.5.9 Cross-site request forgery (CSRF)

6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: 1) Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes, 2) Installing a web-application firewall in front of public-facing web applications

Web application filtering based on OWASP’s recommended protections as well as the ability to decrypt and filter traffic in SSH, SFTP, SCP, and SSL/HTTPS

HTTP services and virtual domains are tested for the existence of potentially dangerous modules, configurations settings, CGIs and other scripts. Both generic and software-specific tests are performed in order to uncover misconfigurations and coding error vulnerabilities

Offers a comprehensive security assessment methodology to identify threats, vulnerabilities and risks associated with an organization’s web services infrastructure.

Requirement 7: Restrict access to cardholder data by business need-to-know

7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access. Access limitations must include the following:

MVM can scan systems/network devices/web servers and network shares for documents that contain credit card type data that is generally available without proper credentials.

Report on users with excessive privileges

Can be used to control the access to the cardholder data by applications, by users, by OS users, by time, by specific database commands and more.

Access rights are assigned by system administrator (Click here to expand the sub requirements)

Policies can be set per user, per group or department, i.e. allow CEO to connect any device while other employees can only connect to a sub-set of devices. (Click here to expand the sub requirements)

Can supplement access control mechanisms via its policy / role-based restrictions, proactively blocking unauthorized access at the directory / file access level (Click here to expand the sub requirements)

7.1.1 Restriction of access rights to privileged user IDs to least privileges necessary to perform job responsibilities

Access rights are assigned by system administrator

Proactively blocks unauthorized access at the directory / file access level

7.1.2 Assignment of privileges is based on individual personnel’s job classification and function

7.1.3 Requirement for a documented approval by authorized parties specifying required privileges.

7.1.4 Implementation of an automated access control system

Limits access to systems based on policy

7.2 Establish an access control system for systems components with multiple users that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed. This access control system must include the following:

Product can be used as a full access control system for the databases. In addition white list rules can be easily created to ensure that all unauthorized activity in the database is denied by terminating the sessions that are in breach of the white list rules.

Limits access to systems based on policy (Click here to expand the sub requirements)

Proactively blocks unauthorized access at the directory / file access level (Click here to expand the sub requirements)

7.2.1 Coverage of all system components

Discovery and access controls may be used to verify that only privileged users access PCI systems

7.2.2 Assignment of privileges to individuals based on job classification and function

7.2.3 Default “deny-all” setting

Requirement 8: Assign a unique ID to each person with computer access

8.1 Identify all users with a unique user name before allowing them to access system components or cardholder data.

Measures systems for compliance with unique user accounts, e.g., audits for guest accounts without user names

Individual user account are assigned on device

8.2 In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users: 1) Something you know, such as a password or passphrase, 2) Something you have, such as a token device or smart card, 3) Something you are, such as a biometric

Complex password and certificate based login is available.

Multiple connection authentication mechanisms can be supported.

8.3 Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties. (For example, remote authentication and dial-in service (RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens; or other technologies that facilitate two-factor authentication.)

8.4 Encrypt all passwords during transmission and storage on all system components.

8.5 Ensure proper user identification and authentication management for non-consumer users and administrators on all system components as follows:

8.5.1 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.

Administrative rights are assigned on a per user basis

8.5.2 Verify user identity before performing password resets.

8.5.3 Set passwords for first-time use and resets to a unique value for each user and change immediately after the first use.

8.5.4 Immediately revoke access for any terminated users.

Custom User groups may be established to identify terminated users retaining access.

8.5.5 Remove/disable inactive user accounts at least every 90 days.

Can audit systems for these policy settings.

8.5.6 Enable accounts used by vendors for remote access only during the time period needed. Monitor vendor remote access accounts when in use.

8.5.7 Communicate authentication procedures and policies to all users who have access to cardholder data.

8.5.8 Do not use group, shared, or generic accounts and passwords, or other authentication methods.

Product will report on group and shared passwords in the database

Can validate whether User IDs are correctly configured

8.5.9 Change user passwords at least every 90 days.

Identifies managed systems with passwords older then 90 days

Product can report on passwords that have not changed for more than 90 days.

8.5.10 Require a minimum password length of at least seven characters.

Identifies managed systems with passwords that do not meet the required length

8.5.11 Use passwords containing both numeric and alphabetic characters.

Audits managed systems for passwords to see if they meet this specification

Product reports on weak database passwords and weak application passwords that are stored in the database

8.5.12 Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.

Audits managed systems for password history

8.5.13 Limit repeated access attempts by locking out the user ID after not more than six attempts.

8.5.14 Set the lockout duration to a minimum of 30 minutes or until administrator enables the user ID.

8.5.15 If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.

8.5.16 Authenticate all access to any database containing cardholder data. This includes access by applications, administrators, and all other users.
Restrict user direct access or queries to databases to database administrators.

Requirement 9: Restrict physical access to cardholder data

9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.

9.1.1 Use video cameras and/or access control mechanisms to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law.

9.1.2 Restrict physical access to publicly accessible network jacks.

Together with McAfee Network Access Control enabled may be a compensating control to aid in restricting "physical access to a network.

Can help restrict access in conjunction with Microsoft NAP framework

9.1.3 Restrict physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines.

9.2 Develop procedures to easily distinguish between onsite personnel and visitors, especially in areas where cardholder data is accessible.

9.3 Make sure all visitors are handled as follows:

9.3.1 Authorized before entering areas where cardholder data is processed or maintained.

9.3.2 Given a physical token (for example, a badge or access device) that expires and that identifies the visitors as not onsite personnel.

9.3.3 Asked to surrender the physical token before leaving the facility or at the date of expiration.

9.4 Use a visitor log to maintain a physical audit trail of visitor activity. Document the visitor’s name, the firm represented, and the onsite personnel authorizing physical access on the log. Retain this log for a minimum of three months, unless otherwise restricted by law.

9.5 Store media back-ups in a secure location, preferably an off-site facility, such as an alternate or back-up site, or a commercial storage facility. Review the location’s security at least annually.

9.6 Physically secure all media.

9.7 Maintain strict control over the internal or external distribution of any kind of media, including the following:

9.7.1 Classify media so the sensitivity of the data can be determined.

Can designate policy to monitor media ( different reactions depending on media) and can view which media is considered confidential within the management console

9.7.2 Send the media by secured courier or other delivery method that can be accurately tracked.

9.8 Ensure management approves any and all media that is moved from a secured area (especially when media is distributed to individuals).

9.9 Maintain strict control over the storage and accessibility of media.

9.9.1 Properly maintain inventory logs of all media and conduct media inventories at least annually.

9.10 Destroy media when it is no longer needed for business or legal reasons as follows:

9.10.1 Shred, incinerate, or pulp hardcopy materials so that cardholder data cannot be reconstructed.

9.10.2 Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed.

Requirement 10: Track and monitor all access to network resources and cardholder data

Extremely robust auditing and reporting capabilities are available for all activity at the network level. (Click here to expand the sub requirements)

10.1 Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.

Provides full audit trail for access to the database and tables containing cardholder data

Details on who, what group, system account or machine accessed payment systems or servers

10.2 Implement automated audit trails for all system components to reconstruct the following events:

Can audit systems for these policy settings. (Click here to expand the sub requirements)

Checks to see whether audit trails are enabled

Automated audit trails for all configurations and user accesses (Click here to expand the sub requirements)

Provides full audit trail for access to the database and tables containing cardholder data (Click here to expand the sub requirements)

Provides details on who, what group, system account or machine accessed the servers where the cardholder data is maintained. (Click here to expand the sub requirements)

10.2.1 All individual accesses to cardholder data

Provides full audit trail for access to the database and tables containing cardholder data including user names, OS user names, applications used.

Provides details on who, what group, system account or machine accessed the servers where the cardholder data is maintained. Identity collection requires AD integration across the enterprise.

10.2.2 All actions taken by any individual with root or administrative privileges

Audit trail includes all admins, including DBAs.

Group/identity based monitoring, allows for visibility into specific accounts

10.2.3 Access to all audit trails

System accounts generation process allows for least privilege access by individual name and logs all actions

10.2.4 Invalid logical access attempts

Audit trail records all actions and changes

Provides information on invalid database logins

Rejected access attempts are logged with specific details regarding the rejection reason.

10.2 5 Use of identification authentication mechanisms

Connections to Active Directory and the Kerberos ticket granting process are logged

10.2.6 Initialization of the audit logs

Audit trails can be easily reconstructed

Provides information on initialization and termination of DBMS native audit logs as well as full history of the DAM audit changes

Log engine records start and stop time of all monitoring processes

10.2.7 Creation and deletion of system-level objects

Can be configured to track these changes on Servers

Provides information on all changes to the system objects within databases

10.3 Record at least the following audit trail entries for all system components for each event:

Tracks user, event, timestamp and data/system component/resource (Click here to expand the sub requirements)

Access Control Lists log traffic between systems, recording the source and destination address as well as the type of alert. These logs can be analyzed in third party products such as Syslog . (Click here to expand the sub requirements)

Records who accessed what file as well as the date and time (Click here to expand the sub requirements)

Events are generated when an agent recognizes a signature or behavioral rule violation. Events are logged in the IPS Events tab. (Click here to expand the sub requirements)

10.3.1 User identification

Tracks user, event, timestamp and data/system component/resource

Records who accessed what file as well as the date and time

Logs the remote address that communication was either sent to or sent from

10.3.2 Type of event

Provides complete details surrounding port, protocol and services for each connection. Controls may be written to explicitly define behavior of all services.

Identifies the feature that performed the action -firewall action, application blocking action, etc.

10.3.3 Date and time

Date and time of file creation and subsequent changes are captured via periodic FIM

Connection start and stop time is collected for each event

10.3.4 Success or failure indication

Outcome description provides details regarding success or failure

10.3.5 Origination of event

Provided (user, os user, application, module)

Provides details on event origination at both the user and host level.

10.3.6 Identity or name of affected data, system component or resource.

All database accessed objects are recorded

ACLs log traffic between systems, recording the source and destination address as well as the type of alert. These logs can be analyzed in third party products such as Syslog .

System name, username, port and protocol are recorded for every session

10.4 Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time.

NTP services can be expressly written via policy and event details will be logged (Click here to expand the sub requirements)

10.4.1 Critical systems have the correct and consistent time.

NTP services can be expressly written via policy and event details will be logged

10.4.2 Time data is protected.

10.4.3 Time settings are received from industry-accepted time sources.

10.5 Secure audit trails so they cannot be altered.

Audit trails are recorded in the database, which require access to the device (Click here to expand the sub requirements)

10.5.1 Limit viewing of audit trails to those with a job-related need.

Permission sets in ePO to control who can perform FIM and view audit trail

System accounts generation process allows for least privilege access by individual name and all actions are logged

10.5.2 Protect audit trail files from unauthorized modifications.

Audit logs are stored in password-protected database

10.5.3 Promptly back up audit trail files to a centralized log server or media that is difficult to alter.

Export features of designated event criticalities is in place for all Medium to High events and all Web Sql Admin activities. Enterprise Reporting is available for long term storage of all events if desired.

10.5.4 Write logs for external-facing technologies onto a log server on the internal LAN.

10.5.5 Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).

Periodic file integrity monitoring on designated files and content

Real-time tracking and alerting on changes to designated files and content, and via McAfee Change Control, ability to prevent changes

10.6 Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion-detection system (IDS) and authentication, authorization, and accounting protocol (AAA) servers (for example, RADIUS).

Export features of designated event criticalities is in place for all Medium to High events and all Web Sql Admin activities.

Firewall Reports centrally collects, monitors, and reports on audit streams of multiple firewalls. Includes PCI DSS reports

Log files can be reviewed as often as needed

10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from back-up).

FIM audit trail can be retained per requirement

Database typically stores data for up to 3 months

Requirement 11: Regularly test security systems and processes

11.1 Test for the presence of wireless access points and detect unauthorized wireless access points on a quarterly basis.

MVM can scan and detect the presence of wireless access points and additionally scan them for vulnerabilities and default passwords.

Provides continuous real-time network based monitoring capabilities

11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).

MVM can conduct vulnerability scanning of both internal and external networks. (Click here to expand the sub requirements)

Provides all necessary vulnerability scans for databases (over 4000 checks) (Click here to expand the sub requirements)

Provides continuous real-time network based monitoring capabilities (Click here to expand the sub requirements)

The PCI Certification Services is an Approved Scanning Vendor (ASV). A key component of the PCI certification program is scheduled quarterly and unlimited manual scans of domains or IP addresses. (Click here to expand the sub requirements)

Perform full external network scans in order to identify additional issues that automated scanners cannot find, and going above and beyond what is required and for PCI quarterly scans. The result is a complete and highly accurate view of the vulnerabilities in the customer's Internet facing environment. (Click here to expand the sub requirements)

11.2.1 Perform quarterly internal vulnerability scans.

MVM can conduct vulnerability scanning of both internal and external networks.

Scans can be scheduled to run on a quarterly basis

Perform penetration tests as a component of the Internal Security Assessment. Consultants test to see if networks can be penetrated from the inside and provide organizations a comprehensive list of security vulnerabilities on their internal network.

11.2.2 Perform quarterly external vulnerability scans via an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SSC).

Consultants perform an application discovery process to gather information about the application and search for information disclosure vulnerabilities that reveal secrets such as passwords, cryptographic keys, or customer information.

11.2.3 Perform internal and external scans after any significant change.

Scans can be performed ad-hoc in addition to scheduled scans

11.3 Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). These penetration tests must include the following:

MVM can conduct vulnerability scanning of both internal and external networks. Additionally MVM contains intrusive scanning technology to test for buffer overflow, brute force, denial of service and other penetration testing techniques. (Click here to expand the sub requirements)

11.3.1 Network-layer penetration tests

11.3.2 Application-layer penetration tests

11.4 Use intrusion-detection systems, and/or intrusion-prevention systems to monitor all traffic at the perimeter of the cardholder data environment as well as at critical points inside of the cardholder data environment, and alert personnel to suspected compromises.Keep all intrusion-detection and prevention engines, baselines, and signatures up-to-date.

Provides IDS and IPS at the database level, including intrusions that are performed locally (within the database server)

Monitors all network traffic and alert personnel's to suspected compromises. Engines are kept up-to-date.

Integrated IPS, with subscription-supported updates. Signature sets organized into relevant groups.

Quarantines systems that don't have host-based intrusion

McAfee ePolicy Orchestrator manages and delivers updates to McAfee Host Intrusion Prevention, When malicious activity is detected, alerts are sent to the ePolicy Orchestrator console and logged.

11.5 Deploy file-integrity monitoring tools to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.

Real-time tracking and alerting on changes to designated files and content, and ability to prevent changes on critical files

Requirement 12: Maintain a policy that addresses information security for all personnel.

12.1 Establish, publish, maintain, and disseminate a security policy that accomplishes the following:

The product is policy-driven, allowing granular policy control of the databases

Can be used to help establish and maintain a security policy (in conjunction with the correct processes, policy building and technologies) via the quarterly scans of domains or IP addresses and the an online PCI self-assessment questionnaire. (Click here to expand the sub requirements)

12.1.1 Addresses all PCI DSS requirements.

Can be used to help demonstrate how an organization meets the PCI DSS requirements via the online self assessment questionnaire.

12.1.2 Includes an annual process that identifies threats, and vulnerabilities, and results in a formal risk assessment.

Threat Correlation Module ranks the risk potential of new threats by correlating events to asset and vulnerability data.

12.1.3 Includes a review at least annually and updates when the environment changes.

12.2 Develop daily operational security procedures that are consistent with requirements in this specification (for example, user account maintenance procedures, and log review procedures).

Can be used to validate compliance to technical controls in established procedures for user account maintenance

12.3 Develop usage policies for critical technologies (for example, remote-access technologies, wireless technologies, removable electronic media, laptops, tablets, personal data/digital assistants (PDAs), e-mail usage and Internet usage) and define proper use of these technologies. Ensure these usage policies require the following:

12.3.1 Explicit approval by authorized parties

12.3.2 Authentication for use of the technology

12.3.3 A list of all personnel and devices with such access

User based policy shows detailed analysis of access

12.3.4 Labeling of devices to determine owner, contact information and purpose

12.3.5 Acceptable uses of the technology

12.3.6 Acceptable network locations for the technologies

12.3.7 List of company-approved products

12.3.8 Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity

12.3.9 Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use

12.3.10 For personnel accessing cardholder data via remote-access technologies, prohibit copy, move, and storage of cardholder data onto local hard drives and removable electronic media, unless explicitly authorized for a defined business need.

Enables classified data to be monitored, prevented from being distributed, or prevented from being replicated via: Microsoft Outlook, Internet Explorer web postings, network connections, printing, cut and paste, and physical devices such as floppy drives, CD-ROM drives, USB drives

12.4 Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.

12.5 Assign to an individual or team the following information security management responsibilities:

The product allows multiple roles to properly distribute alerts among the operators and stakes holders (including sending alerts via email)

12.5.1 Establish, document, and distribute security policies and procedures.

12.5.2 Monitor and analyze security alerts and information, and distribute to appropriate personnel.

Access to system, alerts from system and reporting can be set by username/e-mail address

12.5.3 Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.

12.5.4 Administer user accounts, including additions, deletions, and modifications

Modifications to AD user accounts such as additions or modifications will be covered by policy

12.5.5 Monitor and control all access to data.

Provides real-time network based monitoring

12.6 Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.

12.6.1 Educate personnel upon hire and at least annually.

12.6.2 Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures.

12.7 Screen potential personnel prior to hire to minimize the risk of attacks from internal sources. (Examples of background checks include previous employment history, criminal record, credit history, and reference checks.)

12.8 If cardholder data is shared with service providers, maintain and implement policies and procedures to manage service providers, to include the following:

12.8.1 Maintain a list of service providers.

12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.

12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.

12.8.4 Maintain a program to monitor service providers’ PCI DSS compliance status at least annually.

12.9 Implement an incident response plan. Be prepared to respond immediately to a system breach.

12.9.1 Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum: 1) Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum, 2) Specific incident response procedures, 3) Business recovery and continuity procedures, 4) Data back-up processes, 5) Analysis of legal requirements for reporting compromises, 6) Coverage and responses of all critical system components, 7) Reference or inclusion of incident response procedures from the payment brands

12.9.2 Test the plan at least annually.

12.9.3 Designate specific personnel to be available on a 24/7 basis to respond to alerts.

12.9.4 Provide appropriate training to staff with security breach response responsibilities.

12.9.5 Include alerts from intrusion-detection, intrusion-prevention, and file-integrity monitoring systems.

May be setup to alert from the device for critical based alerts

12.9.6 Develop a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments.

Requirement A.1: Shared hosting providers must protect the cardholder data environment

A.1 Protect each entity’s (that is merchant, service provider, or other entity) hosted environment and data, per A.1.1 through A.1.4: A hosting provider must fulfill these requirements as well as all other relevant sections of the PCI DSS.

A.1.1 Ensure that each entity only runs processes that have access to that entity's cardholder data environment.

Can alert when unauthorized apps, IP addresses, users, os users are accessing the entity's data

A.1.2 Restrict each entity’s access and privileges to its own cardholder data environment only.

A.1.3 Ensure logging and audit trails are enabled and unique to each entity’s cardholder data environment and consistent with PCI DSS Requirement 10.

Can centrally monitor all customer environments

A.1.4 Enable processes to provide for timely forensic investigation in the event of a compromise to any hosted merchant or service provider.

McAfee and/or additional marks herein are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners. (c) 2011 McAfee, Inc. All rights reserved.