PCI Compliant Solutions

The Payment Card Industry Data Security Standard (PCI DSS) defines a comprehensive set of requirements which must be followed by larger merchants. Failure to follow these requirements can lead to large fines, or ultimately, to the removal of card payment privileges from merchants.

Virtuous Networking’s Managed Services are designed to take the strain of many of the most demanding aspects of PCI compliance. The Threat Manager service not only provides the management and handling of Vulnerability Scanning and Intrusion Protection services, but also removes the costs, effort and need for management supervision of the supporting infrastructure.

Threat Manager

Threat Manager provides secure, auditable compliance with key PCI requirements:

Vulnerability Assessment

6.1 Ensure that all system components and software have the latest vendor-supplied security patches installed.

6.2 Establish a process to identify newly discovered security vulnerabilities.

11.2 Run internal and external network vulnerability scans at least quarterly.

Intrusion Protection

5.1.1 Ensure that all anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software. (Threat Manager covers ‘zero-day’ attacks not covered by Anti-Virus)

11.4 Use IDS/IPS to monitor all traffic in the CDE and alert personnel to suspected compromises. Keep all IDS/IPS engines up-to-date.

 

Virtuous' service provision partner Alert Logic is a PCI Approved Scanning Vendor, and reports specifically tailored to the needs of PCI are available on-demand from the service.

 

Log Manager

Log Manager is a cloud-based Log Management solution designed to eliminate the cost and effort of on-premise solutions and to meet the Log Management needs of organisations subject to PCI regulation. It collects log data via an agentless collection device and provides log storage, reporting, correlation and monitoring in highly secure, redundant datacentres.

Log Manager removes the need for customers to purchase hardware, software or maintenance and greatly reduces the total cost of ownership. All storage, monitoring, maintenance, upgrades, and support are handled by Alert Logic, removing the need for staff resources to manage the solution.

A further enhancement to Log Manager is available through the Log Review Service, which extends the value of Log Manager and frees up resources by transferring the burden of daily log review and maintaining a PCI DSS compliant audit trail to our team of certified security analysts. Log Manager and Log Review meet a number of challenging PCI requirements:

 

Log Manager

7.1 Limit access to computer resources and cardholder information (Successful login reports)

10.2 Implement automated audit trails for all the system components (Automatic collection, aggregation, normalisation, analysis and secure archiving)

10.3 Capture audit trails (Audit trail reporting)

10.4 Synchronise all critical system clocks (Network Time Protocol Reporting)

10.5.1 Limit viewing of log data (Role based access to logs)

10.5.2 Protect audit trails (Logs are stored offsite in secure datacentres)

10.5.3 Back up log files (Logs stored in fully redundant datacentres)

10.7 Retain audit trail history (12 month online log storage, expandable as required)

Log Review

10.6 Daily review of log data

 

Our PCI DSS Datasheet explains how our Vulnerability Scanning, Intrusion Protection, Log Management and Log Review services support your PCI DSS compliance.