Vormetric Data Security
Author: Karen Logan
Technical White Paper Vormetric Data Security: Complying With PCI DSS Encryption Rules

Vormetric Data Security Complying With PCI DSS Encryption Rules

Vormetric, Inc. 888.267.3732 408.433.6000 [email protected] www.vormetric.com

Executive Summary

The Payment Card Industry Data Security Standard, commonly referred to as the PCI DSS, has proven beneficial in protecting cardholder information since 2001. Its required controls mandate that companies take appropriate steps to safeguard sensitive cardholder payment information. These same standards, however, have posed a number of challenges to risk managers, information security personnel, and IT operations professionals. Companies must achieve and maintain compliance with the PCI DSS while also managing geographically distributed networks, usually containing both structured and unstructured data.

Vormetric Data Security helps organizations meet PCI DSS compliance demands with a transparent data security approach for heterogeneous IT environments that requires minimal administrative support and does not undermine performance. This paper:
• Outlines how Vormetric addresses PCI DSS compliance
• Addresses Vormetric’s position relative to the Payment Card Industry Security Standards Council’s (PCI SSC) guidance on point-to-point encryption solutions
• Features case studies of PCI DSS-regulated companies leveraging Vormetric for PCI DSS compliance
• Maps PCI DSS requirements 3, 7, and 10 to Vormetric Data Security capabilities (see Appendix A)

Challenges Facing Organizations Accepting Payment Card Information

Companies today employ increasingly complex networked environments. These environments often include file servers, databases, and applications across multiple versions and operating systems. Such heterogeneous environments require diligent administration and cooperation between a variety of teams and groups within the organization. Information flowing through and across the networks is vital to the operation of the organization, as is the protection of that information.

Experience working with many enterprises suggests that the vast majority of organizations handling payment card data maintain the information in both structured and unstructured data stores. These stores may include databases, file server files, documents, images, voice recordings, access logs, and a variety of other storage mechanisms. Protecting such varied assets in a manner that is compliant with the PCI DSS can prove challenging.

Among a number of other requirements, compliance with the PCI DSS requires organizations to successfully manage access control, encryption, key management, and auditing of cardholder data at rest. Requirements 3, 7 and 10 of the PCI DSS and all of their sub-requirements can be addressed by the Vormetric solution. Managing all of these requirements demands a transparent data security approach for heterogeneous IT environments that requires minimal administrative support and does not undermine performance. Using Vormetric Data Security to protect sensitive cardholder information can help companies achieve and maintain compliance with the PCI DSS, while allowing the business to meet its objectives with respect to agility and system performance.

Achieving and Maintaining Compliance

While achieving compliance with the PCI DSS can prove complex, those with experience in the payment card industry understand that maintaining compliance is often more challenging than achieving it. Organizations often stress the trials faced in the first year of PCI DSS compliance, which can include re-architecting networks, updating software, hardening servers, writing and implementing policies, and assigning personnel to be responsible for compliance.

PCI DSS compliance must be validated on an annual basis, and in the case of a Level 1 merchant (processing 6 million or more transactions annually) or service provider (definitions may vary according to card brand), PCI DSS validation must be conducted by an approved Qualified Security Assessor (QSA). For a Level 1 merchant or service provider, a QSA will conduct an evaluation of the organization’s compliance posture.

At first glance, it may seem that validating compliance in subsequent years would be easier than the initial validation. That assumption is predicated upon the belief that the organization implements no changes to the environment in the intervening twelve months and that the PCI Security Standards Council (SSC) has made no material changes to the PCI DSS. Any changes to the cardholder data environment that may impact the security of cardholder data, or the organization’s PCI DSS compliance, have to be evaluated to ensure that the entity has not fallen out of compliance. If an organization cannot prove compliance, it must present a plan to remediate the deficiencies. If remediation is not accomplished according to schedule, the organization faces significant fines. Additionally, if the organization suffers a compromise during this period, the penalties associated with a breach of cardholder data will be applied.

Since the introduction of the PCI DSS in 2006 [1], the payment card industry has learned many lessons that have made the protection of data more efficient and more effective. However, at least one major cause of tension remains within organizations struggling to achieve and maintain PCI DSS compliance: the tension between the technology groups and the business groups. While IT and information security teams struggle to stay abreast of changing threats and technology, and the business teams face the significant challenges introduced by an uncertain economic outlook, many organizations are struggling to find a balance. When contemplating a data security technology such as encryption, organizations must find a solution that marries the objectives of these two groups, ensuring the security of data while keeping within the constraints of the business. Such a solution must:
• Aid the company in achieving and maintaining PCI DSS compliance in a cost-effective manner
• Integrate transparently with existing environments
• Consolidate key and policy management across heterogeneous environments
• Provide strong separation of duties for encryption keys without additional hardware or key management infrastructure
• Maintain a high level of performance with no impact to end users

It is also important to note that while PCI DSS is the impetus for many companies to encrypt sensitive data, there are other regulatory benefits to implementing such a solution. Driven by relentless news about security breaches and data loss, regulators and lawmakers the world over are increasingly implementing legal frameworks and defining obligations for data security. Many of these include a “safe harbor” clause for personal data that is encrypted and for which the key is securely managed, so encrypting data at rest enables enterprises to better meet the compliance burden of multiple frameworks.

Evolving Guidance from the PCI DSS

The Payment Card Industry Security Standards Council (PCI SSC) is burdened with a difficult charter: to protect the security of cardholder data in the face of rapidly changing technology and a dynamic threat environment. One example of such a change is the PCI SSC’s publication, in September 2011, of the “Point-to-Point Encryption Solution Requirements: Encryption, Decryption and Key Management within Secure Cryptographic Devices (Hardware/Hardware)”. The P2P guidance contains six “control” domains for P2P solutions, among them (3) Encryption Environment, (5) Decryption Environment, and (6) Cryptographic Key Operations. The document separates the compliance responsibilities of the merchant employing the P2P solution from those of the service provider of the solution. While it is certainly important to effectively manage one’s internal environment, it is equally important to ensure that one’s vendors and service providers are offering solutions that are consistent with the guidance and new requirements being disseminated by the PCI SSC.

Vormetric Data Security and PCI DSS Compliance

Vormetric Data Security product offerings can enable companies to quickly and efficiently achieve compliance with the encryption and key management requirements of the PCI DSS. Because the solution can be installed and configured in as little as one week, organizations can transparently encrypt across a dispersed, heterogeneous environment, ensuring protection of both structured and unstructured data. This can be accomplished without the laborious and time-consuming coding required by other encryption solutions, and without significant impact to system or network performance. That means that data can be protected while allowing the company to maintain service level and high availability goals. In order to better understand how Vormetric Data Security encryption and key management can assist organizations in achieving and maintaining compliance, it is important to first understand the unique functionality of Vormetric Data Security. (For a complete description of the Vormetric Data Security product family, read the Vormetric Data Security Architecture white paper.)

[1] The CISP, the predecessor of the PCI DSS, was introduced in 2001.

Vormetric Architecture

While Vormetric Data Security is a comprehensive solution providing encryption of data at rest and key management, it is more than simple data encryption. Vormetric offers strong data security controls that leverage policy-based access controls, separation of duties, and auditing capabilities, all of which can be managed through a centralized management console. Vormetric Data Security integrates encryption and access control at the operating system layer to provide separation of duties between data security administrators and server operations. Organizations can apply Vormetric Data Security policies to ensure that system administrators and root users can maintain systems and backups without being able to view sensitive data.

Vormetric also offers encryption key management and policy management that is secure, easy to administer and centrally managed. This allows organizations to ensure consistency in the application of policies to both structured and unstructured data. Furthermore, Vormetric provides two methods by which organizations can ensure strong separation of duties. First, the Vormetric Data Security Manager separates server management from security management by providing a separate console that controls the security of data and keys through policies distributed to agents. Second, the Vormetric Data Security Manager offers granular role-based administration and the ability to implement segmented domains for security management.

Encryption solutions of this magnitude typically involve a deployment cycle of months, even years, and affect performance. By contrast, Vormetric Data Security can be implemented quickly, without the need to re-architect databases, applications, files or storage networks, and without degrading the performance of existing systems. Inserted above the file system and/or logical volume layers, Vormetric Data Security is transparent to users, applications, databases and storage systems. No modification to the application or database is required, and therefore deployments can be managed in days.

PCI DSS Requirement 3: Protect Stored Data

Requirement 3 of the PCI DSS is very simple: protect stored data. The standard goes on to detail that the data should be rendered “unreadable” and provides a number of methods by which that might be achieved. Among these methods are one-way hashes, truncation, tokenization (which has its own set of PCI SSC guidelines), and strong cryptography. The PCI DSS recognizes the value of strong cryptography coupled with proper key management. According to the PCI DSS, “If an intruder circumvents other security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person.” Requirement 3.4 is more specific, stating that data must be rendered unreadable “anywhere it is stored.”

Since most organizations have heterogeneous environments, this seemingly simple mandate can quickly become quite complex. Varying operating systems, applications, and even hardware requirements can cause the costs and time associated with this requirement to quickly spiral out of control. However, Vormetric Data Security can address this requirement without intensive coding or integration efforts. Vormetric Data Security protects stored data by encrypting the information and controlling access to the resources on which the data resides, whether that is an application or a system. Using policy-based encryption, Vormetric ensures that only authorized users and services can encrypt and decrypt the data.

Further, the PCI DSS requires that any cryptographic solution deployed uses strong cryptography. The Payment Card Industry Security Standards Council (PCI SSC) defines strong cryptography as “Cryptography based on industry-tested and accepted algorithms, along with strong key lengths and proper key-management practices.” The PCI SSC cites AES 128 or higher, RSA 1024 and higher, and Triple DES, among others. Vormetric complies with the PCI DSS by encrypting with AES at 128-bit and 256-bit key lengths.

Requirement 7: Restrict Access to Cardholder Data According to Business Need to Know

Requirement 7 mandates that companies restrict access to resources and systems containing cardholder data based on business needs. This means that only those users and resources that must access cardholder data in order to complete their job should have access to systems containing cardholder data. This allows companies to protect against the threat of internal compromise, as well as against external threats. In order to maximize the benefits realized from encryption, organizations are advised to identify a solution that enables the application of security policies on the data itself, as opposed to simply on the system or application that accesses the data.

Encryption alone is insufficient to provide the granular control described above and required by the PCI DSS. Encryption is only as strong as the associated key management and access controls. In combining encryption and key management with an access control-based decryption policy, Vormetric Data Security enables companies to comply with these requirements in one transparent, system-agnostic solution. Also, unlike native point encryption solutions, Vormetric easily extends across disparate, complex environments. Vormetric Data Security enables compliance with Requirement 7 and its sub-requirements by offering organizations the ability to layer additional access control functionality over that of the native file system. Vormetric’s access control, in accordance with the PCI DSS, follows the least-privilege model, which denies any activity that has not been expressly permitted. Vormetric’s access control capabilities allow authorized users to perform only authorized operations with the intended application and during specified time-frames. This five-factor access control system (who, what, where, when, and why) allows organizations to enable context-aware access control. That means, even in the event that a default password is not changed, an unauthorized user cannot misuse the data resource. Further, by leveraging the organization’s existing authentication system, Vormetric’s access control features introduce negligible administrative overhead.

Requirement 10: Track and Monitor All Access to Network Resources and Cardholder Data

The PCI DSS requires that all organizations track access to cardholder data, and to systems and resources that can access cardholder data. According to the PCI DSS documentation, the ability to track these activities is “critical in preventing, detecting, or minimizing the impact of a data compromise.” Vormetric enables organizations to comply with this requirement through its own auditing and tracking capabilities, as well as its ability to protect both system-generated and Vormetric-generated audit logs. The rich auditing capability of Vormetric Data Security enables review of the file I/O activity recorded during tests performed on security systems. Denied and unauthorized access attempts against cardholder data are logged, allowing organizations to track and analyze simulated security breaches.
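The access model the Requirement 7 and Requirement 10 sections describe, as an added example (not Vormetric code): a deny-by-default policy matched on who, what, where, when and why, with every decision, denied attempts included, written to an audit trail that records user, application, operation, path and time. The user names, binaries, paths, operation names and time windows are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from fnmatch import fnmatch
from typing import List, Optional, Tuple

ANY = "*"   # wildcard for the user or process field of a rule
# Rights modelled on the paper's list: clear-text access, release of
# ciphertext for backup, metadata-only access, and control of writes.
ALLOWED_OPS = {"read_clear", "read_encrypted", "read_meta", "write"}


@dataclass(frozen=True)
class Request:
    user: str        # who
    process: str     # why: path of the application binary making the call
    operation: str   # what: one of ALLOWED_OPS
    path: str        # where
    at: datetime     # when


@dataclass(frozen=True)
class Rule:
    users: Tuple[str, ...]
    processes: Tuple[str, ...]
    operations: Tuple[str, ...]
    path_glob: str
    window: Tuple[time, time] = (time(0, 0), time(23, 59, 59))

    def in_window(self, t: time) -> bool:
        start, end = self.window
        if start <= end:
            return start <= t <= end
        return t >= start or t <= end      # window wraps past midnight

    def matches(self, req: Request) -> bool:
        return ((ANY in self.users or req.user in self.users)
                and (ANY in self.processes or req.process in self.processes)
                and req.operation in self.operations
                and fnmatch(req.path, self.path_glob)
                and self.in_window(req.at.time()))


@dataclass(frozen=True)
class AuditEntry:
    at: datetime
    user: str
    process: str
    operation: str
    path: str
    decision: str         # "permit" or "deny"
    rule: Optional[int]   # index of the permitting rule; None when denied


class GuardPoint:
    """A protected path: permit rules plus an audit trail; anything unmatched is denied."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.audit: List[AuditEntry] = []

    def evaluate(self, req: Request) -> str:
        if req.operation not in ALLOWED_OPS:
            raise ValueError(f"unknown operation {req.operation!r}")
        decision, rule_idx = "deny", None
        for i, rule in enumerate(self.rules):
            if rule.matches(req):
                decision, rule_idx = "permit", i
                break
        # Every decision is recorded, so denied attempts can be reviewed later.
        self.audit.append(AuditEntry(req.at, req.user, req.process, req.operation,
                                     req.path, decision, rule_idx))
        return decision

    def denied(self) -> List[AuditEntry]:
        """The denied attempts an auditor would review under Requirement 10."""
        return [e for e in self.audit if e.decision == "deny"]


def sample_policy() -> GuardPoint:
    """Constructed policy for a hypothetical guard point over /data (not real paths)."""
    return GuardPoint([
        # The card application reads clear text and writes, at any hour.
        Rule(("appsvc",), ("/opt/cardapp/bin/server",), ("read_clear", "write"), "/data/cards/*"),
        # Backup runs as root but only ever sees ciphertext and file metadata.
        Rule(("root",), ("/usr/bin/tar",), ("read_encrypted", "read_meta"), "/data/*"),
        # A DBA may view clear text through the database client in business hours only.
        Rule(("dba",), ("/usr/bin/sqlclient",), ("read_clear",), "/data/cards/*",
             (time(9, 0), time(17, 0))),
        # A nightly settlement job whose window wraps past midnight.
        Rule(("batch",), ("/opt/cardapp/bin/settle",), ("read_clear",), "/data/cards/*",
             (time(22, 0), time(2, 0))),
    ])


def decide(gp: GuardPoint, user: str, process: str, operation: str, path: str,
           hour: int, minute: int = 0) -> str:
    """Evaluate one request made at hour:minute on a fixed, constructed date."""
    return gp.evaluate(Request(user, process, operation, path,
                               datetime(2012, 6, 1, hour, minute)))
```

Note that root reading the file with `cat` is denied even though the operating system would allow it; only the backup binary, and only for ciphertext or metadata, matches a rule.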

Vormetric Data Security in Practice: British Columbia Automobile Association

With an understanding of the Vormetric Data Security solution and the PCI DSS, it is helpful to review a case study in which an organization successfully implemented Vormetric Data Security in order to achieve compliance with the PCI DSS and to secure other sensitive customer information. PCI DSS mandates include data encryption, protection of stored cardholder data, detailed auditing and logging of attempts to access that data, and controls as to who can access the data. The following describes how Vormetric enabled BCAA to meet these stringent PCI DSS requirements.

About BCAA

British Columbia Automobile Association (BCAA) is a leading provider of emergency roadside assistance, insurance, and travel services. BCAA provides services to more than 786,000 motorists in the province of British Columbia, Canada. The company maintains 27 office locations throughout the province. BCAA was seeking a solution that would allow it to protect sensitive customer information in order to comply with a variety of regulations, including PCI DSS, across a distributed, heterogeneous environment.

Vormetric Assists BCAA in Achieving and Maintaining Compliance

After a thorough evaluation of available solutions and careful consideration of both security and business objectives, BCAA selected Vormetric Data Security based on proven performance, strong access controls, and the ability of Vormetric to meet diverse data protection needs through an easy-to-manage, centralized solution. BCAA implemented Vormetric Data Security in order to protect data throughout its environment, which includes applications such as Open Text Hummingbird document management, Business Objects, Microsoft Exchange, IBM DB2, Microsoft SQL Server and a variety of file servers. Vormetric was able to provide BCAA with a centralized data protection solution that did not require any underlying changes to the myriad applications and file types used in the environment. As a result, BCAA was able to save the significant time and costs that are often associated with encryption implementations. In addition, Vormetric introduced negligible administrative overhead, as it encrypts and protects data regardless of where it resides.

“At BCAA, our mission is to earn our members’ and customers’ trust by exceeding their expectations for high value, enjoyment and peace of mind. To achieve this it is of paramount importance that we put our best efforts towards protecting sensitive personal information,” said Ken Ontko, CIO of BCAA. “With Vormetric Data Security, we are able to simultaneously meet our data security and customer service objectives. Vormetric provides us with a low-cost, scalable, auditable, and consistent means of placing security directly at the data source throughout our enterprise, while providing the performance that allows us to maintain the top-notch service our customers expect.”

Vormetric and the Evolving Requirements of the PCI SSC

The task of protecting sensitive cardholder information is made infinitely more difficult by the rapidly changing tactics of data thieves and the rapid advancement of technology. As a result, the PCI SSC often releases new guidance and requirement documents. Among these new requirements is the “Point-to-Point Encryption Solution Requirements: Encryption, Decryption and Key Management within Secure Cryptographic Devices (Hardware/Hardware).” Vormetric can be implemented to create a compliant point-to-point solution. While a complete discussion of the Vormetric Data Security solution relative to the P2P requirements is beyond the scope of this document, there follows a brief discussion of some of these requirements and how Vormetric can support compliant P2P solutions.

The elements of the P2P requirements that are addressed by Vormetric are primarily those related to the encryption and decryption of cardholder data. Domain 6 of the P2P requirements deals specifically with Cryptographic Key Operations. Requirement 6A mandates that “Account data must be processed using cryptographic methodologies that ensure account data is kept secure.” Vormetric encrypts data using strong encryption algorithms, such as Triple DES and AES (128- and 256-bit key lengths). Requirement 6C requires that cryptographic keys be distributed in a secure manner. Vormetric encryption keys are securely stored on a FIPS 140 Level 2 and Level 3 validated security server (hardware appliance). The security server has its own local users that are decoupled from Active Directory users to maintain separation of duties. When encryption keys are stored locally to eliminate network latency performance hits, Vormetric securely wraps the keys to protect against access by root administrators.

While this is certainly not a complete evaluation of the Vormetric solution relative to the P2P Solution Requirements published by the PCI SSC, it does provide a brief illustration of the ability of Vormetric Data Security to support the implementation of a compliant solution.

Conclusion

Complying with the PCI DSS can be difficult for any number of reasons, not the least of which include industry requirements that cover policies, technologies and physical security. Vormetric Data Security can help companies cost-effectively achieve and maintain compliance with PCI DSS requirements 3, 7, and 10. Ease of implementation is equally important, and the experiences of companies like BCAA demonstrate the ability of Vormetric to aid in compliance with rigorous regulatory programs while maintaining business agility and the performance expected by end users.

About Vormetric

Vormetric is the leader in enterprise encryption and key management for physical, virtual and cloud environments. The Vormetric Data Security product line provides a single, manageable and scalable solution to manage any key and encrypt any file, any database, any application, anywhere it resides, without sacrificing application performance and avoiding key management complexity. For more information, please visit: www.vormetric.com.

Copyright © 2012 Vormetric, Inc. All rights reserved. Vormetric is a registered trademark of Vormetric, Inc. in the U.S.A. and certain other countries. All other trademarks or registered trademarks, product names, and company names or logos cited are the property of their respective owners.

Appendix A: PCI DSS Requirements Supported by Vormetric Data Security

The original table pairs each PCI DSS requirement with the Vormetric capabilities that address it; below, each requirement is followed by the corresponding Vormetric capabilities.

Requirement 3.4: Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:
• One-way hashes based on strong cryptography (hash must be of the entire PAN)
• Truncation (hashing cannot be used to replace the truncated segment of the PAN)
• Index tokens and pads (pads must be securely stored)
• Strong cryptography with associated key management processes

Vormetric Data Security protects stored data by encrypting and controlling access to the files or volumes where PANs reside. Vormetric’s ability to encrypt structured and unstructured data means that it can protect the data whether it is in audit files or in databases. Additionally, Vormetric offers Backup Encryption Expert to secure backup media. Vormetric encrypts data using strong encryption algorithms, such as Triple DES and AES (128- and 256-bit key lengths). PANs are protected using policy-based encryption so that only authorized users and services can encrypt and decrypt the protected files.

Requirement 3.4.1: If disk encryption is used (rather than file- or column-level encryption), logical access must be managed independently of native operating system access control mechanisms (for example, by not using local user account databases). Decryption keys must not be tied to user accounts.

Vormetric uses file-level and volume-level encryption, not disk encryption. Cryptographic keys are not tied to user accounts, but are contained within the Vormetric system. Vormetric performs the encryption/decryption functions, as opposed to granting authorized and authenticated users access to the key.

Requirement 3.5: Protect any keys used to secure cardholder data against disclosure or misuse.

Encryption keys are securely stored on a FIPS 140 Level 2 validated security server (hardware appliance). Level 3 is available with the HSM. The security server has its own local users that are decoupled from Active Directory users to maintain separation of duties. When encryption keys are stored locally to eliminate network latency performance hits, Vormetric securely wraps the keys to protect against access by root administrators.

Note: This requirement also applies to key-encrypting keys used to protect data-encrypting keys; such key-encrypting keys must be at least as strong as the data-encrypting key.

Requirement 3.5.1 Store cryptographic keys securely in the fewest possible locations and forms.

Cryptographic keys are centrally generated and stored by the Data Security Manager cluster. All data encryption keys are stored encrypted within the Data Security Manager. Best practice also dictates that custodians store cryptographic keys off-site. When cryptographic keys are backed up for off-site storage, the Data Security Manager encrypts them with a split wrapping key.

Requirement 3.6 Fully document and implement all key management processes and procedures for cryptographic keys used for encryption of cardholder data, including the following:

The Data Security Manager is the central repository for cryptographic keys and policies managed via a secure web management console, a command line interface over SSH, or a direct console connection. Keys never leave the Data Security Manager in the clear. Custodians can create keys, but do not have direct access to key material.

Requirement 3.6.1 Generation of strong cryptographic keys

Cryptographic keys are centrally generated by the Data Security Manager appliance and are fully compliant with FIPS standards.

Requirement 3.6.2 Secure cryptographic key distribution

Data encryption keys are wrapped and then securely distributed via HTTPS to Vormetric agents configured to protect the PANs residing on file, app, or database servers.

Requirement 3.6.3 Secure cryptographic key storage

Cryptographic keys are centrally stored within the Data Security Manager. Customers have the option to store cryptographic keys on the host server. Vormetric’s highly secure agents protect these keys from unauthorized access, even from root administrators.

Requirement 3.6.4 Periodic cryptographic key changes:

The Vormetric solution includes utilities for changing both Data Security Manager master keys and data encryption keys as defined by the organization’s security policy.

Requirement 3.6.5 Retirement or replacement of old or suspected compromised keys

The Data Security Manager is the central repository for cryptographic keys. When a key is deleted by a custodian, it is deleted permanently and securely from the Data Security Manager cluster.

Requirement 3.6.6 Split knowledge and establishment of dual control of cryptographic keys

Vormetric follows a “no knowledge” approach in which the keys never leave the Data Security Manager in the clear. Custodians can create keys, but do not have access to the key material. The Data Security Manager supports an “n of m” sharing scheme. A specific number of shares must be provided in order to restore the encrypted contents of the Data Security Manager archive into a new or replacement Data Security Manager.

Requirement 3.6.7 Prevention of unauthorized substitution of cryptographic keys

Cryptographic key policy and usage is defined and managed by the custodian of the Data Security Manager, thereby prohibiting unauthorized substitution of cryptographic keys by developers, database administrators, or any other unauthorized users. Further, the Vormetric solution provides robust separation of duties, such that one administrator may create a key but a separate administrator must activate or apply that key to protect data.

Requirement 3.6.8 Requirement for cryptographic key custodians to sign a form stating they understand and accept their key custodian responsibilities

The Data Security Manager is the central repository for cryptographic keys, and forms can be distributed easily to the Data Security Manager custodians.

Requirement 7.1 Limit access to components and cardholder data to only those individuals whose job requires such access. Access limitations must include the following:

Vormetric Data Security adds a layer of access control on top of the native operating system access control. It also can harden the access control defined at the OS layer and prevent root administrators and privileged users from accessing or viewing cardholder data.

Requirement 7.1.1 Restriction of access rights to privileged user IDs to least privileges necessary to perform job responsibilities

Vormetric ensures that data cannot be viewed by system administrators who do not have a “need to know,” while simultaneously ensuring that there is no interruption to data backup processes. By leaving metadata in the clear, but encrypting the underlying data, administrators can identify the files that require backup without providing them access to the file itself.

Requirement 7.1.2 Assignment of privileges is based on individual personnel’s job classification and function

Vormetric Data Security policies help ensure that individuals, applications and processes are provided access to cardholder data based on their classification and functions, thereby restricting access based on “need to know.”

Requirement 7.1.3 Requirement for a documented approval by authorized parties specifying required privileges

Vormetric provides audit records to assist with the monitoring of privileges. Any change made to the access control policies is always audited. Any changes to authorizations can be reviewed.

Requirement 7.1.4 Implementation of an automated access control system

Vormetric provides a granular, policy-based system that restricts access based on individual, role, process, time of day, and location of data. Available rights for Vormetric policies include release of encrypted contents for backup, decryption of contents based on need to know, and control of writes to the data file.

Requirement 7.2 Establish an access control system for system components with multiple users that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed. The access control system must include the following:

Vormetric Data Security access control policies define a list of authorized users and applications. Only users and applications that are part of this list can access the data in clear text. (Administrators are given access to the cardholder data, but data is not decrypted for them.)

Requirement 7.2.1 Coverage of all system components

Vormetric Data Security protects the cardholder data at rest anywhere on the server.


Requirement 7.2.2 Assignment of privileges to individuals based on job classification and function

Refer to 7.1.2

Requirement 7.2.3 Default “deny-all” setting

Vormetric Data Security’s default setting is “deny-all” for all access control policies.

Note: Some access control systems default to “allow-all,” thereby permitting access unless/until a rule is written to specifically deny it.

Requirement 10 Track and monitor all access to network resources and cardholder data.

Vormetric Data Security provides detailed auditing at the file system level. Any read/write request for sensitive data can be audited, and the audit trail contains the information needed to trace an access back to a specific user, application and time.

Requirement 10.2 Implement automated audit trails for all system components to reconstruct the following events:

The Vormetric solution includes logging and flexible policy options to audit access and changes to Vormetric infrastructure and protected resources.

Requirement 10.2.1 All individual accesses to cardholder data

The Vormetric solution includes flexible policy options to audit access and changes to protected resources. Policies can be constructed to monitor individual access to cardholder data.

Requirement 10.2.2 All actions taken by any individuals with root or administrative access

Policies can be constructed to monitor individual access to cardholder data. Policies can also prevent privileged users from accessing data in the clear without interfering with their ability to perform their day-to-day administrative duties.

Requirement 10.2.3 Access to all audit trails.

Administrators of the Data Security Manager who are assigned the “audit officer” role can access audit trails, which are stored centrally. Vormetric recommends that audit/log data be sent to a centralized log server safeguarded by Vormetric.

Requirement 10.2.4 Invalid logical access attempts

The Vormetric solution can be configured to audit all denied access requests.

Requirement 10.3 Record at least the following audit trail entries for all system components for each event:

(see below)

Requirement 10.3.1 User identification

The Vormetric solution’s audit entries include the username and group membership.

Requirement 10.3.2 Type of event

The audit entries include the type of event.


Requirement 10.3.3 Date and time

The audit entries include the date and time.

Requirement 10.3.4 Success or failure indication

The audit entries include a success or failure indication. In the case of a permitted action, the event data also includes whether the access was to clear text or to encrypted data.

Requirement 10.3.5 Origination of event

The audit entries note the origination of the event.

Requirement 10.3.6 Identity or name of affected data, system component or resource

The audit entries include the host and the full path to the file that was the target of the access request.

Requirement 10.4 Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time.

The Vormetric solution can be configured to synchronize with an NTP server.

Requirement 10.4.1 Critical systems have the correct and consistent time.

The Vormetric solution can be configured to synchronize with an NTP server.

Requirement 10.5 Secure audit trails so they cannot be altered

(see below)

Requirement 10.5.2 Protect audit trail files from unauthorized modifications.

Audit trails cannot be modified while they reside on the Vormetric Data Security Manager. If log and audit files are sent to a centralized log server, this external log repository can be protected and safeguarded with Vormetric encryption and access control.

Requirement 10.5.3 Promptly back up audit trail files to a centralized log server or media that is difficult to alter.

Vormetric Data Security Manager provides an extensive set of log and audit capabilities to track and monitor access to cardholder data. These files can be sent to a customer’s centralized log server or event management solution via syslog. In addition, this external log repository can be protected and safeguarded with the Vormetric solution.

Requirement 10.5.5 Use file-integrity monitoring or change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).

Log files cannot be modified while they reside on the Vormetric Data Security Manager. Further, customers may use the Vormetric solution to block or monitor changes to log files and other audit trails.
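As an added illustration (not Vormetric's code or policy syntax), the following Python models the policy behaviour described under requirements 7.1.4 and 7.2.3, a first-match rule set with a deny-all default whose permitted effects are "decrypt" or "release ciphertext for backup", and emits an audit record carrying the 10.3.1 to 10.3.6 fields plus the clear-versus-encrypted indicator noted under 10.3.4. The rule fields, the sample policy, the host name and the user, group and process names are constructed assumptions.

```python
import fnmatch
from dataclasses import dataclass

# Constructed policy model for illustration; not Vormetric's actual policy syntax.
@dataclass
class Rule:
    users: frozenset       # authorized user names
    processes: frozenset   # authorized process (application) names
    path_glob: str         # protected resource pattern
    actions: frozenset     # "read" and/or "write"
    hours: range           # permitted hours of the day (time-of-day condition)
    effect: str            # "clear" (decrypt) or "encrypted" (release ciphertext for backup)

class Policy:
    """First matching rule wins; no match means deny (the deny-all default)."""
    def __init__(self, rules):
        self.rules = list(rules)

    def evaluate(self, user, process, path, action, when):
        for r in self.rules:
            if (user in r.users and process in r.processes and action in r.actions
                    and fnmatch.fnmatch(path, r.path_glob) and when.hour in r.hours):
                return r.effect
        return "deny"

def audit_entry(host, user, group, process, path, action, when, effect):
    """Record carrying each field PCI DSS 10.3.1-10.3.6 asks for."""
    return {
        "user": user, "group": group,                              # 10.3.1
        "event": action,                                           # 10.3.2
        "time": when.isoformat(),                                  # 10.3.3
        "result": "denied" if effect == "deny" else "permitted",   # 10.3.4
        "view": None if effect == "deny" else effect,              # clear vs. encrypted
        "origin": f"{user}:{process}",                             # 10.3.5
        "host": host, "path": path,                                # 10.3.6
    }

def check_access(policy, host, user, group, process, path, action, when):
    # Evaluate the request and return (effect, audit record) for the log.
    effect = policy.evaluate(user, process, path, action, when)
    return effect, audit_entry(host, user, group, process, path, action, when, effect)

# Constructed sample policy: the payment app reads/writes card data in the clear at
# any hour; the backup job may only read ciphertext during a 00:00-05:59 window.
CARD_POLICY = Policy([
    Rule(frozenset({"appsvc"}), frozenset({"payapp"}), "/data/cards/*",
         frozenset({"read", "write"}), range(0, 24), "clear"),
    Rule(frozenset({"backup"}), frozenset({"tar"}), "/data/cards/*",
         frozenset({"read"}), range(0, 6), "encrypted"),
])
```

Note that a root shell reading the same file matches no rule and is logged as a denied access, which is the 10.2.4 event the text says can be audited.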