PCI DSS Compliance
What is the Payment Card Industry Data Security Standard (PCI DSS)?
The PCI DSS is a security standard developed by the five leading payment brands—Visa, MasterCard, American Express, Discover, and JCB—to bolster the security of cardholder data. The PCI standard consists of twelve high-level requirements and hundreds of sub-requirements that organizations must address to lower the risk of credit card fraud and data loss.
All organizations that store, process, or transmit payment card data must comply with the PCI DSS. To document compliance, organizations must engage a PCI-certified QSA or complete a self-assessment questionnaire, depending on how many credit card transactions they process.
The PCI DSS was first released in December 2004. Since that time, the PCI Security Standards Council (SSC) was formed to oversee and promote the PCI standard and to qualify assessors and solutions such as Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs). In addition, the PCI SSC has issued several updates to the original PCI DSS.
PCI Requirement 11.4: Intrusion Detection or Intrusion Prevention
PCI DSS requirement 11 governs how organizations test their security systems and processes. It consists of over a dozen sub-requirements, including requirement 11.4, which requires organizations to “Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network.” According to the testing procedures and guidance of the PCI standard, the intrusion detection or prevention system must:
- Be deployed at the perimeter and at all critical points in the cardholder data environment
- Compare traffic with known signatures or behaviors of thousands of compromise types such as hacker tools, Trojans, and other malware
- Send alerts or stop an attempted attack as it happens
The PCI DSS standard also states that security defenses, including detection engines, signatures, and baselines, should be kept up to date. To be PCI compliant, organizations must deploy an intrusion detection or prevention system. These systems can be signature-based or behavioral-based.
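To make the distinction between the two detection styles concrete, the following added example (not code from LightCyber, HALOCK, or the PCI SSC) runs a toy signature-based detector and a toy behavioral detector over constructed per-connection flow records of the kind a sensor placed at a critical point in the cardholder data environment might produce. The flow records, the single signature, the host addresses, and the alert thresholds are all constructed for illustration; a real system would carry thousands of signatures and a far richer baseline.

```python
"""Toy signature-based vs. behavioral intrusion detection over constructed flows.

Added example; not LightCyber, HALOCK, or PCI SSC code. Every record, address,
signature, and threshold below is constructed for illustration only.
"""
from collections import defaultdict
from statistics import mean

# Constructed flow records: one summary per connection, as a sensor between
# endpoints and the cardholder-data servers might emit them.
FLOWS = [
    {"src": "10.0.1.10", "dst": "10.0.5.20", "dport": 443, "bytes": 4200, "payload": b"GET /checkout"},
    {"src": "10.0.1.10", "dst": "10.0.5.20", "dport": 443, "bytes": 3900, "payload": b"POST /pay"},
    {"src": "10.0.1.11", "dst": "10.0.5.20", "dport": 443, "bytes": 4100, "payload": b"GET /status"},
    {"src": "10.0.1.11", "dst": "10.0.5.20", "dport": 443, "bytes": 3800, "payload": b"GET /status"},
    # Constructed "known bad" marker standing in for a real signature hit.
    {"src": "10.0.1.12", "dst": "10.0.5.20", "dport": 443, "bytes": 500, "payload": b"EXAMPLE-MALWARE-BEACON"},
    # Constructed outlier: a large transfer from a known host to a never-seen port.
    {"src": "10.0.1.10", "dst": "203.0.113.9", "dport": 8443, "bytes": 900000, "payload": b"..."},
]

# First four flows act as the benign learning period; the rest are "live" traffic.
LEARNING, LIVE = FLOWS[:4], FLOWS[4:]

# Constructed signature table: byte pattern -> rule name.
SIGNATURES = {b"EXAMPLE-MALWARE-BEACON": "constructed-beacon-signature"}


def signature_alerts(flows, signatures=SIGNATURES):
    """Signature-based: alert when a known pattern appears in the payload."""
    alerts = []
    for f in flows:
        for pattern, name in signatures.items():
            if pattern in f["payload"]:
                alerts.append({"type": "signature", "rule": name, "src": f["src"], "dst": f["dst"]})
    return alerts


def build_baseline(flows):
    """Behavioral: per-source mean bytes and the set of destination ports seen."""
    per_src = defaultdict(lambda: {"bytes": [], "ports": set()})
    for f in flows:
        per_src[f["src"]]["bytes"].append(f["bytes"])
        per_src[f["src"]]["ports"].add(f["dport"])
    return {s: {"mean_bytes": mean(v["bytes"]), "ports": v["ports"]} for s, v in per_src.items()}


def behavioral_alerts(flows, baseline, factor=10):
    """Behavioral: alert on unknown sources, new ports, or a volume spike."""
    alerts = []
    for f in flows:
        b = baseline.get(f["src"])
        if b is None:
            alerts.append({"type": "behavioral", "reason": "unknown-source", "src": f["src"], "dst": f["dst"]})
            continue
        reasons = []
        if f["dport"] not in b["ports"]:
            reasons.append("new-port")
        if f["bytes"] > factor * b["mean_bytes"]:
            reasons.append("volume-spike")
        if reasons:
            alerts.append({"type": "behavioral", "reason": "+".join(reasons), "src": f["src"], "dst": f["dst"]})
    return alerts


def run_detectors(learning=LEARNING, live=LIVE):
    """Learn a baseline from benign traffic, then run both detectors on live flows."""
    baseline = build_baseline(learning)
    return signature_alerts(live) + behavioral_alerts(live, baseline)


if __name__ == "__main__":
    for alert in run_detectors():
        print(alert)
```

The point the two detectors illustrate is complementary coverage: the signature check catches only the one flow carrying a known pattern, while the behavioral check flags the host that was never seen during baselining and the known host whose transfer deviates from its own history, both of which carry no signature at all. Either detector alone would miss part of the picture, which is why the requirement's guidance speaks of comparing traffic with known signatures "or behaviors".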
What does LightCyber have to do with it?
LightCyber engaged HALOCK Security Labs, a PCI Qualified Security Assessor (QSA), to evaluate whether the LightCyber Magna™ Behavioral Attack Detection platform met the PCI DSS requirements that relate to intrusion detection in the PCI standard. HALOCK concluded that Magna satisfied PCI DSS requirement 11.4.
LightCyber Magna is the ideal solution to address intrusion detection requirements at critical points in the network, such as between endpoints and servers that store or process cardholder data. LightCyber Magna accurately and efficiently detects advanced attacks, insider threats, malware, and risky behavior. Organizations that deploy LightCyber Magna also benefit from detailed security alerts with rich investigative data and graphical reports that document security status.
LightCyber Magna allows organizations to satisfy PCI DSS compliance and close dangerous gaps in breach detection. Organizations also benefit by drastically reducing the typical flood of daily security alerts from signature-based intrusion detection systems that are mainly false positives.
To find out how to address PCI DSS Requirement 11.4 with LightCyber Magna Behavioral Attack Detection, download a white paper that discusses how to achieve PCI compliance and increase security.