vormetric data security complying with pci dss encryption rules


Upload: ctobuddycom

Post on 20-Jun-2015


DESCRIPTION

Download the whitepaper 'Vormetric Data Security: Complying with PCI DSS Encryption Rules' from http://www.vormetric.com/pci82 This whitepaper outlines how Vormetric addresses PCI DSS compliance; it addresses Vormetric's position relative to the Payment Card Industry Security Standards Council's (PCI SSC) guidance on point-to-point encryption solutions. The whitepaper also features case studies of PCI DSS regulated companies leveraging Vormetric for PCI DSS compliance and maps PCI DSS requirements to Vormetric Data Security capabilities. Vormetric Data Security helps organizations meet PCI DSS compliance demands with a transparent data security approach for diverse IT environments that requires minimal administrative support and helps companies to meet diverse data protection needs through an easy to manage solution. For more information, join: http://www.facebook.com/VormetricInc Follow: https://twitter.com/Vormetric Stay tuned to: http://www.youtube.com/user/VormetricInc

TRANSCRIPT

Solution Brief: Vormetric Data Security for PCI DSS

Payment Card Industry Data Security Standards (PCI DSS) mandate that all organizations that accept, acquire, transmit, process, and/or store cardholder data must take appropriate steps to continuously safeguard all sensitive customer information. While PCI DSS has improved the protection of cardholder information, achieving and maintaining compliance can pose a number of significant challenges to enterprise risk managers, information security personnel, and IT operations professionals.

PCI DSS Compliance Challenges

Banks, payment processors, and merchants all rely on increasingly complex, geographically distributed networks, typically containing both structured and unstructured data. Cardholder information may be stored in a variety of different databases and versions, as well as in file server files, documents, images, voice recordings, access logs, and a broad range of other data repositories. Safeguarding cardholder data in such a wide variety of assets and locations, in a manner compliant with PCI DSS, requires diligent administration and close cooperation between the enterprise’s IT teams and the many business units that need access to the data. Finding the right balance between protecting cardholder information, avoiding any disruptions to IT infrastructure, and ensuring uninterrupted access to the information that flows through and across these networks is vital to the security and ongoing operation of the business.

In order to comply with PCI DSS regulations, IT organizations need the ability to successfully manage access control, encryption, key management, and auditing of cardholder data at rest. However, many organizations still perceive this functionality as too complicated to operate and costly to implement. Organizations touching cardholder information need a comprehensive data security solution that:

• Enables them to achieve and maintain PCI DSS compliance in a cost-effective manner

• Requires minimal administrative support

• Integrates transparently with existing applications and complex storage infrastructures

• Consolidates key and policy management across heterogeneous environments

• Provides strong separation of duties for encryption keys without additional hardware or key management infrastructure

• Maintains a high level of system performance with no impact to end users

Vormetric Data Security

The Vormetric Data Security product portfolio provides data protection offerings to secure and control enterprise data at rest. It enables enterprises to encrypt sensitive data in heterogeneous IT environments, control access to that information, and report on who is accessing the protected data. Vormetric Data Security is comprised of two offerings, Vormetric Encryption and Vormetric Key Management. Vormetric Encryption combines encryption and key management for Linux, UNIX, and Windows servers. Vormetric Key Management supports storage of encryption keys for Vormetric Encryption Expert agents and for Transparent Data Encryption (TDE) environments on both Oracle and Microsoft SQL Server 2008/2012.

Vormetric Meets Evolving PCI DSS Encryption Requirements

Vormetric Data Security helps enterprises protect sensitive cardholder information, enabling them to achieve and maintain compliance with PCI DSS. It minimizes administrative overhead without compromising key business objectives around agility and system performance. Installed and configured in as little as one week, it lets organizations transparently encrypt sensitive customer information across dispersed, heterogeneous environments, ensuring protection of both structured and unstructured data.

Vormetric Data Security for PCI DSS Compliance

Vormetric Key Features and Benefits:

• Helps address PCI DSS Requirements 3, 7, and 10 through automatic encryption of cardholder data on Linux/UNIX/Windows servers in physical, virtual, and cloud environments

• Enforcement of role-based and user-based decryption and data integrity policies meets PCI DSS requirements

• High performance block-level encryption ensures optimal support for business processes

• Granular auditing of data access requests facilitates monitoring for PCI DSS compliance

• Quick implementation helps meet audit deadlines

“With the release of PCI 2.0 and the increased need to prove that a method exists to find all cardholder data stores and protect them appropriately, the encryption of data will become even more important to merchants.”

Source: Verizon 2011 Payment Card Industry Compliance Report

Download the Whitepaper: Vormetric Data Security: Complying with PCI DSS Encryption Rules

Vormetric, Inc., 2545 N. 1st Street, San Jose, CA 95131

888.267.3727 / 408.433.6000

[email protected]

Download the Whitepaper

Vormetric Data Security enables organizations to address Requirements 3, 7, and 10 of PCI DSS 2.0, as well as all sub-requirements. Each of these requirements is mapped below to its compliance challenge and to the corresponding Vormetric Data Security solution.

About Vormetric

Vormetric is the leader in enterprise encryption and key management for physical, virtual and cloud environments. The Vormetric Data Security product line provides a single, manageable and scalable solution to manage any key and encrypt any file, any database, any application, anywhere it resides— without sacrificing application performance and avoiding key management complexity. For more information, please call: (888) 267-3732 or visit: www.vormetric.com.

Copyright © 2012 Vormetric, Inc. All rights reserved. Vormetric is a registered trademark of Vormetric, Inc. in the U.S.A. and certain other countries. All other trademarks or registered trademarks, product names, and company names or logos cited are the property of their respective owners.

Customer Successes: Vormetric Enables PCI DSS Compliance

Fortune 500 Financial Services Provider

• Business Challenge: Safeguard credit and debit cardholder information on behalf of clients.

• Technical Challenge: Protect a heterogeneous environment that includes various data repositories and a virtual desktop infrastructure (VDI) environment.

• Solution: Vormetric Encryption for Linux and AIX servers.

TAB Bank

• Business Need: Encryption of data for banking cardholder information.

• Technology Need: Protect a mixed environment containing structured and unstructured information.

• Solution: Vormetric Encryption for Windows and Linux servers.

RSIEH LLC (Rausch, Sturm, Israel, Enerson & Hornik)

• Business Need: Protect all documents containing cardholder information.

• Technology Need: Safeguard information used by a credit collection application without application changes.

• Solution: Vormetric Encryption for Windows servers.

PCI DSS Requirement 3: Protect Stored Data

• Compliance Challenges: PCI DSS Requirement 3 mandates that all data should be rendered “unreadable anywhere it is stored”, and provides a number of methods by which that might be achieved. PCI DSS recognizes the value of strong cryptography coupled with proper key management.

• Vormetric Data Security Solution: Vormetric Encryption addresses PCI DSS Requirement 3 without intensive coding or integration efforts. It protects stored data by encrypting information and controlling access to the resources on which the data resides – either an application or a system. Using policy-based encryption, Vormetric Encryption ensures that only authorized users and services can encrypt and decrypt the data with “beyond-industry-standard” AES 128-bit and 256-bit key lengths.

PCI DSS Requirement 7: Restrict Access to Cardholder Data According to Business Need to Know

• Compliance Challenges: PCI DSS Requirement 7 mandates that only users and resources that must access cardholder data in order to complete their job should have access to systems containing the data. In order to maximize the benefits realized from encryption, organizations are advised to identify a solution that enables the application of security policies on the data itself, as opposed to simply on the systems or applications that access the data. Encryption alone is insufficient to provide the granular control required by the PCI DSS. Encryption is only as strong as the associated key management and access controls.

• Vormetric Data Security Solution: Vormetric Encryption combines encryption and key management with an access control-based decryption policy, enabling companies to comply with PCI DSS Requirement 7 in one transparent, system-agnostic solution. It facilitates compliance by layering additional access control functionality over that of the native file system. Vormetric access control, in accordance with the PCI DSS, follows the least-privilege model, which denies any activity that has not been expressly permitted by an authorized user. Further, by leveraging the organization’s existing authentication system, Vormetric’s features introduce negligible administrative overhead.

PCI DSS Requirement 10: Track and Monitor All Access to Network Resources and Cardholder Data

• Compliance Challenges: PCI DSS Requirement 10 states that all organizations must track access to cardholder data, and to all systems and resources that can access cardholder data.

• Vormetric Data Security Solution: Vormetric Encryption enables organizations to comply with PCI DSS Requirement 10 through its own auditing and tracking capabilities, as well as its ability to protect both system-generated and Vormetric-generated audit logs. The rich auditing capability of Vormetric Encryption enables the review of the file I/O activity of the tests performed on security systems. Denied and unauthorized access attempts to cardholder data are logged, enabling organizations to track and analyze simulated security breaches.
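The three mechanisms the mapping above relies on (encryption of stored data under keys held by a separate key manager, a deny-by-default access policy applied to the data rather than to the host, and an audit record for every request including denied ones) can be seen together in the following Go program. It is an added illustration written for this page, not Vormetric's code and not a description of how Vormetric Encryption is implemented; the Rule, AuditEvent, KeyManager and Guard types, the key ID "pan-key", the path /data/pan.dat, the user/process names and the test card number are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Rule is one explicit allow entry (user, process, resource, action); anything not
// matched by a rule is denied, i.e. least privilege with deny-by-default.
type Rule struct{ User, Process, Resource, Action string }

// AuditEvent records one access request and its outcome; denials are logged too.
type AuditEvent struct{ Rule; Allowed bool }

// KeyManager (hypothetical) keeps AES-256 keys by ID, apart from the policy engine,
// so policy administrators never handle key material (separation of duties).
type KeyManager struct{ keys map[string][]byte }
func NewKeyManager() *KeyManager { return &KeyManager{keys: map[string][]byte{}} }
// Generate creates a random 256-bit key under the given ID.
func (k *KeyManager) Generate(id string) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	k.keys[id] = key
	return nil
}

// aead returns AES-256-GCM for a key ID; GCM authenticates, so tampered ciphertext fails to decrypt.
func (k *KeyManager) aead(id string) (cipher.AEAD, error) {
	key, ok := k.keys[id]
	if !ok {
		return nil, fmt.Errorf("unknown key id %q", id)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Guard is the policy enforcement point: it decides, logs, and only then touches a key.
type Guard struct {
	Rules []Rule
	KM    *KeyManager
	Audit []AuditEvent
}

// decide evaluates the rule list and appends an audit record either way.
func (g *Guard) decide(r Rule) bool {
	allowed := false
	for _, rule := range g.Rules {
		allowed = allowed || rule == r
	}
	g.Audit = append(g.Audit, AuditEvent{r, allowed})
	return allowed
}

// Seal encrypts plaintext under keyID (random nonce prepended) if "write" is permitted.
func (g *Guard) Seal(user, process, resource, keyID string, plaintext []byte) ([]byte, error) {
	if !g.decide(Rule{user, process, resource, "write"}) {
		return nil, fmt.Errorf("write denied for %s/%s on %s", user, process, resource)
	}
	aead, err := g.KM.aead(keyID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts if "read" is permitted; a denied request is logged and rejected before any key is fetched.
func (g *Guard) Open(user, process, resource, keyID string, ciphertext []byte) ([]byte, error) {
	if !g.decide(Rule{user, process, resource, "read"}) {
		return nil, fmt.Errorf("read denied for %s/%s on %s", user, process, resource)
	}
	aead, err := g.KM.aead(keyID)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(ciphertext) < n {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, ciphertext[:n], ciphertext[n:], nil)
}

func main() {
	km := NewKeyManager()
	_ = km.Generate("pan-key") // error ignored in this demo only
	// Only the card-processing service, running as "app", may touch the file (constructed policy).
	g := &Guard{KM: km, Rules: []Rule{{"app", "cardproc", "/data/pan.dat", "write"}, {"app", "cardproc", "/data/pan.dat", "read"}}}
	ct, _ := g.Seal("app", "cardproc", "/data/pan.dat", "pan-key", []byte("4111111111111111")) // constructed test PAN
	_, err := g.Open("dba", "bash", "/data/pan.dat", "pan-key", ct)                              // privileged OS user, unlisted process
	fmt.Println("dba attempt:", err, "\naudit trail:", g.Audit)
}
```

Two design points carry over from the brief. The policy is keyed on the calling process as well as the user, so an OS administrator opening the file from a shell is refused even though the native file system would let root read it; and the denial is recorded in the audit trail before any key lookup happens, so the Requirement 10 evidence exists even when the request never reached cryptography. A product does this transparently at the file-system layer; this user-space model only shows the decision, key-isolation and logging order.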

“Vormetric Data Security is quick and easy to administer, while having negligible impact on performance. It’s the perfect solution for meeting PCI DSS requirements.”

Daryl Belfry, Director of IT, TAB Bank