Trend Micro Enterprise Security Compliance
PCI DSS and Trend Micro Enterprise Security

Targeted threats, distributed environments, and evolving technology make it especially challenging to achieve and maintain compliance with the Payment Card Industry Data Security Standard (PCI DSS). Yet, as important as it is, compliance alone is not enough to minimize your true risk. That’s where Trend Micro comes in.
Our unique solutions help you address key challenges to PCI compliance and PAN security, including virtualization and cloud computing, worker mobility, branch/POS security, and data encryption. See how our layered approach to content security can help ensure compliance and safeguard your customers, your employees, and your business.
PCI Compliance:
PCI Requirements mapped against Trend Micro Enterprise Solutions:

| PCI Requirement | Endpoint Security | Web Security | Messaging Security | Datacenter Security | Data Protection | Vulnerability & Threat Mgt |
|---|---|---|---|---|---|---|
| Build & Maintain a Secure Network | | | | | | |
| 1. Install and maintain a firewall configuration | | | | | | |
| 2. Do not use vendor-supplied defaults (shared hosting providers) | | | | | | |
| Protect Cardholder Data | | | | | | |
| 3. Protect stored cardholder data | | | | | | |
| 4. Encrypt transmission of cardholder data across open, public networks | | | | | | |
| Maintain a Vulnerability Protection Program | | | | | | |
| 5. Use and regularly update antivirus software | | | | | | |
| 6. Develop and maintain secure systems and applications | | | | | | |
| Implement Strong Access Measures | | | | | | |
| 7. Restrict access to data | | | | | | |
| 8. Assign unique IDs | | | | | | |
| 9. Restrict physical data access | | | | | | |
| Regularly Monitor and Test Networks | | | | | | |
| 10. Track/monitor access to network resources and cardholder data | | | | | | |
| 11. Regularly test security systems and processes | | | | | | |
| Maintain an Information Security Policy | | | | | | |
| 12. Maintain information security for employees and contractors | | | | | | |
PCI Concerns:
Addressing Today’s Top PCI Concerns
Achieving and maintaining PCI compliance and true security requires constant evaluation of the potential impact of evolving threats, employee behavior, and new business and technology initiatives. Trend Micro offers you unique and cost-effective solutions to address today’s top PCI challenges.
| Business or Technology Driver | PCI Challenge | Trend Micro Solution |
|---|---|---|
| Virtualization | Virtualization allows for cost-efficient and flexible datacenters and paves a path toward integrated cloud computing. But the complexity and fluidity of virtual environments pose special challenges, rendering traditional network security implementations for IPS, firewalls, and antivirus ineffective in preventing attacks on virtual servers that process or host cardholder data. | Trend Micro™ Deep Security provides advanced software-based security that protects physical, virtual and cloud-based servers with integrated IPS, firewall, configuration validation and more. Trend Micro™ Core Protection for Virtual Machines is designed specifically to meet the unique needs of the virtual environment with automated protection against malware. |
| Effective Data Protection | Traditional data loss prevention and data encryption solutions are complex and cumbersome to manage and use. | Trend Micro Data Protection solutions protect and encrypt PAN data wherever it resides and enable secure collaboration without end-user actions or usability limitations. |
| Worker Mobility | Mobile laptops and PDAs are at risk for inbound attacks and cardholder data loss, but network security solutions are ineffective in these cases. | Trend Micro OfficeScan™ endpoint protection and web reputation technology keep your employee devices protected from malware both on and off the corporate network. |
| IT Risk Management | Despite robust security measures, targeted and zero-day threats can penetrate even the most security-conscious organizations and threaten cardholder data security. | Trend Micro Vulnerability Management Services provides a SaaS-based suite of services which automate vulnerability, security, and compliance management across both internal and externally facing IT assets. Trend Micro™ Threat Management Services provides network threat discovery and remediation services that detect and remove these evasive threats and continuously ensure your security posture. Deep Security delivers protection from zero-day threats and enables virtual patching to establish immediate protection for ‘un-patched’ or ‘un-patchable’ systems. |
| Controlling Cost and Complexity | According to Information Week, management complexity is the number one issue in security. With distributed environments, multiple point products and constant security signature updates, the cost and complexity of PCI compliance and secure operations is skyrocketing. | Trend Micro Enterprise Security and Smart Protection Network™ change the game by greatly simplifying security management and reducing resource requirements. We offer the breadth of solutions—including Software as a Service (SaaS) and virtualized appliances—that will allow you to reduce vendors, consolidate security and systems management, and cost-effectively secure corporate and branch/POS (Point of Sale) environments. |
| Setting Your Budget Priorities | Rapidly achieving complete PCI compliance is difficult and costly. The PCI Council has issued a 6-step “prioritized approach” whitepaper which offers guidance on a risk-based prioritized compliance roadmap. | Trend Micro OfficeScan, Deep Security, and Messaging Security products each address many of the top-tier priorities cited by the PCI Council. |
Match the solution to the PCI requirement:
Trend Micro offers proven solutions that address most PCI DSS requirements and enable you to truly safeguard your business infrastructure against the compromise of cardholder data. The following table summarizes the products that address each requirement.
| PCI Requirement | Direct Mapping | Compensating Control |
|---|---|---|
| 1.1—Establish firewall and router configuration standards. | | |
| 1.2—Firewall connections between untrusted networks and any system containing cardholder data. | | |
| 1.3—Prohibit direct public access between the Internet and any system component in the cardholder data environment. | | |
| 1.4—Install personal firewall software on any mobile and/or employee-owned computers with direct connectivity to the Internet. | | |
| 2.2—Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. | | |
| 2.4, A.1—Hosting providers must protect each entity’s environment. | | |
| 3.1—Keep cardholder data storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy. | | |
| 3.2—Don’t store authentication info. | | |
| 3.4—Render PAN, at minimum, unreadable anywhere it is stored (including data on portable digital media,…) | | |
| 3.5—Protect cryptographic keys used for encryption of cardholder data against both disclosure and misuse… | | |
| 3.6—Fully document and implement all key-management processes and procedures for cryptographic keys used for the encryption of cardholder data… | | |
| 4.1—Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. | | |
| 4.2—Never send unencrypted PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat). | | |
| 5.1—Deploy antivirus software on all systems commonly affected by malicious software (particularly personal computers and servers). | | |
| 5.2—Ensure that all antivirus mechanisms are current, actively running, and capable of generating audit logs. | | |
| 6.1—Ensure that all system components and software have the latest vendor-supplied security patches installed. | | |
| 6.2—Establish a process to identify newly discovered security vulnerabilities. | | |
| 6.3—Develop software applications in accordance with PCI DSS… | | |
| 6.5—Develop internal and external web applications based on secure coding guidelines. | | |
| 6.6—For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: (a) reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes; or (b) installing a web-application firewall in front of public-facing web applications. | | |
| 9.7—Control distribution of media containing cardholder data. | | |
| 9.9—Control storage and accessibility of media containing cardholder data. | | |
| 10.5—Secure audit trails so they cannot be altered. | | |
| 11.2—Run internal and external network vulnerability scans at least quarterly and after any significant change in the network … (Note: quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV).) | | |
| 11.4—Use intrusion detection systems. | | |
| 11.5—Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files, or content files. | | |
| 12.6—Implement a formal security awareness program. | | |
| 12.9—Implement an incident response plan. Be prepared to respond immediately to a system breach. | | |
PCI Server Security:
Merchants, banks, and card service providers all face pressure to attract customers while protecting their account data from electronic theft. Not an easy task. Actively complying with the multi-faceted Payment Card Industry Data Security Standard (PCI DSS) in an evolving marketplace can result in a long—and often costly—effort.
Good news! The right server security solution can accelerate your compliance efforts by immediately addressing nearly half of the PCI requirements. So you can spend more time taking care of your customers and less time protecting them.
Trend Micro Deep Security helps you accelerate and simplify your PCI audit and achieve PCI compliance with integrity monitoring, host intrusion prevention, virtual patching, and more.
Core Protection for Virtual Machines stops malware and prevents data theft in VMware ESX/ESXi environments—without slowing performance.