Providing stronger security practices that enable PCI compliance and protect cardholder data.

Establish and Maintain Secure Cardholder Data with IBM Payment Card Industry Solutions

Highlights
• Offers pre-assessment service
• Includes annual onsite PCI assessment with report on compliance (ROC)
• Provides quarterly scanning services
• Determines current vulnerabilities with penetration testing
• Validates payment applications for PCI with application security assessment
Secure consumer data and trust
For any organization that collects, stores or transmits personal cardholder data, security is vital to earning and maintaining trust. Identity theft, weekly headlines about data breaches and the perception of loose controls over personal cardholder information drove the payment card industry (PCI) to establish standards that would protect cardholder data from theft and misuse.

In September 2006, the PCI Security Standards Council (PCI SSC) was founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International to “develop, enhance, disseminate and assist with implementation of security standards for payment account security.” Resulting from the efforts of this group, the PCI Data Security Standard (PCI DSS) has created common industry requirements for safeguarding cardholder data. Card issuers aggressively enforce PCI DSS with financial institutions and merchants. Failure to meet PCI DSS requirements can have widespread economic impacts for merchants and financial institutions.

Billions of credit cards lead to broad PCI compliance impacts
With more than 1.5 billion cards in circulation from Visa alone, PCI compliance requirements impact a large contingent. Merchants, service providers or other organizations that store, process or transmit cardholder data must conform to PCI requirements. Failure to comply can result in fines or increased transaction charges from merchant banks. Impacted industries include:
• Retail – online sites, brick and mortar businesses, mail/telephone order
• Hospitality – restaurants, resorts, hotel chains
• Transportation – airlines, car rental, limo services
• Financial Services – banks, credit card processors, brokerages and insurance companies
• Healthcare/Education – hospitals, doctors, dentists, universities
• Telecommunications and Utilities – wireless, cable, electric, gas or water, etc.

Establish and maintain PCI compliance and secure cardholder data using IBM PCI solutions
Since PCI compliance impacts any organization that touches consumer card data, service providers that process merchants’ cardholder transactions are also subject to PCI DSS. While merchants and service providers are held to different standards based on card activity and services provided, they both face two key compliance issues:
1. Establishing and proving initial compliance
2. Maintaining compliance on an on-going basis.

IBM Payment Card Industry solutions are designed to help businesses achieve and maintain PCI compliance in accordance with annual audits. Following best-practice guidelines, IBM supports organizations through the five phases of PCI compliance: assessment, design, deployment, management and support, and education. Using a phased approach helps organizations identify and fix root causes of non-compliance and establish internal controls to promote ongoing compliance year after year.

From expert consulting, to assessment services, advanced security technology and managed security offerings, IBM solutions are designed to enable enterprise-wide compliance.

Throughout each phase of achieving PCI compliance, IBM consultants recognize common pitfalls that impede organizations from meeting PCI standards. Businesses should pay close attention to the following issues that deter successful compliance efforts:
• Lack of encryption for data at rest
• Lack of knowledge about where all data resides
• Lack of segregation of duties
• Lack of encryption for e-mails and messaging
• Lack of adequate access controls (using generic, default and shared IDs)
• Lack of network segregation
• Back end operation networks often break the isolation of PCI networks
• Too many firewall rules with no business justification
• Insufficient documented policies and procedures
• Un-patched systems
• Storing sensitive magnetic stripe data

[Figure: IBM’s Five-Phased Approach to Achieving PCI Compliance – a cycle of Phase 1. Assessment, Phase 2. Design, Phase 3. Deployment, Phase 4. Management and Support, Phase 5. Education]
IBM products and services deliver PCI compliance solutions
Organizations may require both services and technology in order to meet PCI standards. IBM offers a variety of products and services designed to help businesses meet each of the 12 PCI requirements, referred to as “the digital dozen.” IBM’s PCI solutions help executives feel secure by establishing complete processes to safeguard cardholder data and satisfy the digital dozen.

The PCI DSS includes 12 requirements – referred to as “the digital dozen” – which organizations must meet each year in order to maintain PCI compliance.

The Payment Card Industry Data Security Standard    PCI Compliance Solutions
Req 1. Install and maintain a firewall configuration to protect cardholder data    ✓
Req 2. Do not use vendor-supplied defaults for system passwords and other security parameters    ✓
Req 3. Protect stored cardholder data    ✓
Req 4. Encrypt transmission of cardholder data sent across open, public networks    ✓
Req 5. Use and regularly update anti-virus software    ✓
Req 6. Develop and maintain secure systems and applications    ✓
Req 7. Restrict access to cardholder data by business need-to-know    ✓
Req 8. Assign a unique ID to each person with computer access    ✓
Req 9. Restrict physical access to cardholder data    ✓
Req 10. Track and monitor all access to network resources and cardholder data    ✓
Req 11. Regularly test security systems and processes    ✓
Req 12. Maintain a policy that addresses information security    ✓
IBM Payment Card Industry solutions offer organizations the following benefits through software products and professional services:

Comprehensive PCI solutions and services – from assessments, consulting, incident response and managed services, IBM combines the skills of security experts with proven solutions to help build effective programs that protect systems and customer data.

Leading managed services – IBM delivers one of the most comprehensive managed security services portfolios in the industry designed to transfer the burden of managing security in-house to a trusted security expert.

Significant presence and reach in vertical industries – proven experience serving a wide variety of vertical industries makes IBM well-suited to helping all types of organizations meet PCI compliance requirements.

Access to security expertise – IBM’s elite team of security experts comprises senior security professionals who have honed their skill through corporate security leadership, security consulting, investigative branches of the government, law enforcement, research and development.

Customized solutions – IBM consultants partner with the client’s key staff and management members to design a customized plan that meets the client’s specific security goals.

Specialized skills and tools – IBM consultants combine proprietary and industry-leading security assessment tools with in-depth analysis of vulnerability data to evaluate and build an effective security program.

IBM solutions for PCI Compliance begin with an assessment
Often, organizations are too close to their own systems to identify all compliance items that qualified independent security assessors routinely evaluate. A better approach uses qualified third party assessors to conduct an initial assessment of the IT environment against PCI standards. From there, consultants can help organizations remediate problems, enhance security technology and improve security policies in order to meet PCI DSS requirements.

IBM Professional Security Services deliver expert security consulting to help organizations of all sizes reduce risk, achieve regulatory compliance, maintain business continuity and reach their security goals. IBM Internet Security Systems (ISS) is globally recognized as a PCI Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV), and is well-qualified to help enterprises comply with the PCI DSS requirements.

As the logical first step to compliance, the IBM PCI assessment offering comprises the following services:

Pre-assessment – a customized gap assessment determines the current level of compliance and outlines the specific steps required to effectively achieve PCI DSS compliance before performing the formal assessment.

Annual onsite PCI assessment with report on compliance (ROC) – provides a comprehensive evaluation of the organization’s information security program according to PCI specifications for networks, servers and databases involved in the transmission, storage and processing of credit card data.

Quarterly scanning services – includes a vulnerability assessment to help ensure and validate that proper security precautions are in place.

Penetration testing – demonstrates a real-life network attack to determine current vulnerabilities and analyze how attackers significantly impact a business.

Application security assessment for payment application providers – validates payment applications for PCI (as a Qualified Payment Application Security Company, IBM ISS has met the requirements to perform PCI payment application security assessments).
IBM Internet Security Systems PCI Certifications and Expertise
• Qualified Data Security Company (QDSC)
• Qualified Security Assessor (QSA)
• Approved Scanning Vendor (ASV)
• Qualified Payment Application Security Company (QPASC), having met the requirements to validate payment applications.
• Qualified CISP Incident Response Assessor. IBM ISS is qualified to provide incident response and forensic analysis in the event of a security emergency.

IBM ISS solutions for PCI compliance
Products and services from IBM Internet Security Systems™ (ISS) help to create stronger security practices that enable PCI compliance and protect cardholder data.

IBM Professional Security Services – deliver comprehensive, enterprise-wide security assessment, design and deployment services to help build effective network security solutions. Using the penetration testing services to meet requirement 11, PSS simulates covert and hostile network attacks to identify specific vulnerabilities in the protection of an organization’s sensitive data. IBM Professional Security Services help clients quickly set security roadmaps and identify steps required for PCI compliance.

IBM Proventia® Server Intrusion Prevention System (IPS) – identifies and blocks known and unknown threats and helps enforce corporate security policies for servers. Proventia Server IPS combines a local firewall, intrusion detection and prevention system, and application integrity monitoring to protect servers and help clients adhere to regulatory compliance standards. Proventia Server IPS assists with PCI requirements 1, 5, 6, 10 and 11.

IBM Proventia Network Enterprise Scanner – helps clients manage the vulnerability lifecycle, from initial scanning through remediation. Proventia Network Enterprise Scanner provides internal security departments with the same tools external auditors use when assessing the network for risk. Proventia Network Enterprise Scanner assists with PCI requirements 6 and 11.
IBM Proventia Desktop Endpoint Security – combines a personal firewall, intrusion prevention, buffer overflow exploit prevention, application protection and virus prevention in a single agent. It protects desktops and helps clients adhere to corporate standards while blocking attacks before they can cause outages, employee downtime and excessive calls to the helpdesk. Proventia Desktop assists with PCI requirements 5 and 6.

IBM Protection Platform Products – integrated products complement and support the family of IBM products. Proventia Management SiteProtector provides centralized command, control and correlation of a broad array of network security agents and appliances including Proventia Network Anomaly Detection System, Proventia Network Multi-Function Security (MFS), and IPS products.

IBM Managed Security Services – assist customers by providing 24x7x365 management and monitoring of firewalls and IDS/IPS devices, directly addressing PCI requirement 1 with a service option. IBM’s Managed Security Services include IBM Vulnerability Management Service, the IBM Security Event and Log Management service and IBM Managed Protection Services. Clients can access reporting and workflow through the MSS Customer Portal. The portal can also be used to correlate security and network events to more easily address PCI requirements 1, 5, 6, 10, 11 and 12. IBM Managed Security Services along with IBM products can aid PCI compliance efforts.

IBM Tivoli Security and Compliance Software Solutions
Tivoli products assist with a variety of PCI requirements. Tivoli software enables organizations to deliver service excellence in support of business objectives through integration and automation of processes, workflows and tasks.

IBM Tivoli® Access Manager for e-business and IBM Tivoli Identity Manager – help businesses define and manage a centralized authentication, access and audit policy. The solutions also establish a new audit and reporting service that collects audit data from multiple enforcement points as well as from other platforms and security applications to assist with PCI requirements 6, 8 and 12.

Tivoli Compliance Insight Manager – serves as a key component of IBM’s compliance management offering that helps clients monitor the activity of privileged users. The product collects, centralizes and archives relevant security log data from heterogeneous sources, filtering collected information against requirements and corporate security policies, and provides consolidated viewing and reporting through a central, compliance-oriented dashboard. Tivoli Compliance Insight Manager can help you to reduce audit preparation time and meet monitoring requirements to assist with PCI requirements 10 and 11.

Tivoli Identity Manager (TIM) – provides a security-rich, automated, policy-based user management solution. It helps enterprises set up new accounts and passwords quickly for employees and customers, validate every user account on every resource, and allows for users to reset and synchronize their own passwords to efficiently gain access to valid resources. With TIM, clients can address PCI requirements 2 and 8.

Tivoli Security Compliance Manager – acts as an early warning system by identifying security vulnerabilities and security policy violations. Tivoli Security Compliance Manager helps organizations meet PCI requirement 6 to define and monitor consistent security policies. Security policies can be based on both internal security requirements and industry standards.

Tivoli Security Operations Manager – centralizes and stores security data throughout the IT and operations infrastructure and provides a platform from which to automate incident recognition and response, streamline incident handling, enable policy monitoring and enforcement, and provide comprehensive reporting for regulatory compliance. The end result is an efficient, cost-effective approach to security operations that addresses PCI requirement 10.

Tivoli zSecure suite – helps ensure the security of mainframe systems by automating administration and auditing. Consisting of modular components, the zSecure suite enables enterprises to administer a mainframe, monitor for threats, audit usage and configurations, and enforce policy compliance. Tivoli zSecure Audit, a component of the Tivoli zSecure suite, offers the capability to fingerprint sequential log data residing on both tape and direct access storage device (DASD) media to check the integrity of System Management Facility (SMF) logs. Tivoli zSecure provides critical reporting about compliance efforts for PCI requirements 1, 2, 10, 11 and 12.

Learn how IBM Payment Card Industry solutions can secure cardholder data
With a broad product and service portfolio, industry expertise and a deep understanding of PCI requirements, IBM delivers the level of support organizations need to achieve and maintain PCI compliance. With its combined solutions, IBM helps companies evaluate their overall security posture and implement proper controls and security technology to meet the PCI DSS regulations.

For more information on IBM software and services for PCI compliance:
• Visit ibm.com/itsolutions/governance
• Contact Ask Security Solutions at askss@us.ibm.com
• Call 1-800-IBM-4YOU
© Copyright IBM Corporation 2007
IBM Global Services
Route 100
Somers, NY 10589
U.S.A.
Produced in the United States of America
09-07
All Rights Reserved
IBM, the IBM logo and Tivoli are trademarks or
registered trademarks of International Business
Machines Corporation in the United States, other
countries, or both.
Proventia and X-Force are trademarks or
registered trademarks of Internet Security
Systems, Inc., a wholly-owned subsidiary of
International Business Machines Corporation.
Other company, product and service names may
be trademarks or service marks of others.
References in this publication to IBM products or
services do not imply that IBM intends to make them
available in all countries in which IBM operates.
Disclaimer: The customer is responsible for ensuring compliance with legal requirements. It is the
customer’s sole responsibility to obtain advice of
competent legal counsel as to the identification
and interpretation of any relevant laws and regulatory requirements that may affect the customer’s
business and any actions the reader may have to
take to comply with such laws. IBM does not provide legal advice or represent or warrant that its
services or products will ensure that the customer
is in compliance with any law or regulation.
GTD01940-USEN-00