Payment Card Industry (PCI) Compliance Solutions
SecureWorks is a Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV)
SecureWorks is a Payment Card Industry (PCI) Approved Scanning Vendor (ASV) and Qualified Security Assessor (QSA), and also provides a wide range of security services that organizations use to achieve and maintain PCI compliance. SecureWorks PCI capabilities include:
- Onsite assessment
- Report on Compliance (ROC)
- Penetration testing
- Vulnerability scanning and remediation prioritization
- Log monitoring and retention
- Intrusion prevention solutions (Host and Network)
- Web application code reviews
- Web application firewall monitoring and/or management
Designation as a QSA and ASV means that SecureWorks is qualified to assess an organization's compliance with the PCI DSS and to perform the quarterly external vulnerability scans that the PCI DSS requires be carried out by an ASV, as well as internal scans. SecureWorks also offers a full breadth of services that help your organization comply with PCI DSS version 1.1 and version 1.2. Our services provide the controls necessary to protect cardholder information and to produce the evidence needed to demonstrate compliance to an assessor.
PCI Compliance Requirements
Build and Maintain a Secure Network

| Requirements | Solutions |
|---|---|
| 1. Install and maintain a firewall configuration to protect cardholder data. | This requirement mandates a sound firewall infrastructure that isolates cardholder data from untrusted networks; it also calls for documented network diagrams and for firewall and router rule sets to be reviewed periodically (quarterly under version 1.1, at least every six months under version 1.2), so rule-set reviews should be scheduled and recorded. SecureWorks’ Professional Services team can assess your current firewall and network architecture, identify any gaps, recommend solutions and implement the necessary changes. SecureWorks’ Managed Firewall service removes the burden of firewall management by providing a 24x7x365 team of experts who audit policies to ensure they align with PCI requirements, perform ongoing rule-set changes and monitor these devices for signs of attack. Our Security Monitoring service provides real-time monitoring for known and unknown threats across your firewall infrastructure by our security experts, while our Security Information Management service enables your team to perform this monitoring internally. All three services deliver reporting through the secure, web-based SecureWorks Portal, enabling your team to demonstrate compliance with this requirement. |
| 2. Do not use vendor-supplied defaults for system passwords and other security parameters. | This requirement dictates that organizations change vendor-supplied defaults (passwords, SNMP community strings, wireless keys and similar) before a system is placed on the network, and maintain configuration standards for wireless and infrastructure components. SecureWorks’ Professional Services can help you meet this requirement by conducting a Vulnerability Assessment of your environment to identify weaknesses in your configuration practices, including default or weak passwords, unnecessary services and rogue web servers. Our consultants can work with your organization to develop a secure configuration standard for all critical systems based on industry best practices. Additionally, our Vulnerability Scanning service performs ongoing internal and external vulnerability scans to verify that your infrastructure remains secure, and the SecureWorks Portal lets you generate on-demand vulnerability reports that highlight exposures and the actions your team has taken to eliminate them. Requirement 2.4 additionally calls for shared hosting providers to protect each entity's hosted environment and data, as described in Appendix A of the PCI DSS. The services described here apply equally to hosting providers to help them become PCI compliant, and, with their permission, we can provide security visibility into their environment through the SecureWorks Portal. |
Protect Cardholder Data

| Requirements | Solutions |
|---|---|
| 3. Protect stored cardholder data. | This requirement mandates that the primary account number (PAN) be rendered unreadable wherever it is stored (by strong encryption, truncation, one-way hashing or index tokens) and that sensitive authentication data such as full track data, card verification codes and PINs never be stored after authorization, even in encrypted form. Where encryption of stored data is not feasible, compensating controls such as preventing and detecting common application and database attacks may be used, as outlined in Appendix B of the PCI DSS. SecureWorks’ Professional Services can help you classify your assets and the data residing in them and formulate an encryption strategy appropriate to your infrastructure. Our Managed Intrusion Prevention and Detection service provides the prevention and detection controls identified in Appendix B to protect data that cannot be encrypted. This service covers implementation of a commercial IPS/IDS technology or can be bundled with our iSensor IPS technology. Once implemented, our experts manage these devices, including ongoing tuning, and monitor them to identify and respond to threats. The SecureWorks Portal provides real-time visibility into your intrusion prevention and detection infrastructure, including alerts and the actions we have taken on them, and delivers on-demand reports to demonstrate PCI compliance. |
| 4. Encrypt transmission of cardholder data across open, public networks. | This requirement calls for strong cryptography and security protocols to protect cardholder data during transmission over open, public or otherwise untrusted networks, and prohibits sending unencrypted PANs by end-user messaging such as email. SecureWorks’ Professional Services can help you meet this requirement by assessing your current infrastructure to ensure all VPNs and wireless networks are configured to encrypt sensitive data, and by identifying gaps in your data transmission flows that may leave sensitive information unencrypted. SecureWorks’ Managed Firewall service removes the burden of site-to-site VPN management by providing a team of experts to administer these devices; our experts also monitor your VPNs for signs of malicious activity. All information is presented to your team via the SecureWorks Portal, providing real-time visibility and on-demand reporting to demonstrate PCI compliance. SecureWorks’ Email Encryption service addresses the email clause: it uses lexicons to identify cardholder data in outbound unencrypted messages and automatically encrypts them. The solution is easy to use and requires very little end-user training. |
Maintain a Vulnerability Management Program

| Requirements | Solutions |
|---|---|
| 5. Use and regularly update anti-virus software or programs. | This requirement mandates anti-virus software on all systems commonly affected by malicious software, and that it be kept current, actively running and generating audit logs. SecureWorks’ Managed Intrusion Prevention and Detection service with our iSensor IPS appliance can provide an additional layer of defense against malware: iSensor contains anti-virus and anti-spyware engines that block malicious code before it enters your environment. A network-layer IPS supplements but does not replace host anti-virus on the in-scope systems themselves. Our experts manage this infrastructure to ensure it is properly tuned and has the latest definitions, and monitor these devices in real time, 24x7x365, for signs of attack. SecureWorks’ Security Monitoring service provides a team of experts to monitor your anti-virus and anti-spyware infrastructure to identify attacks before damage is done. Should you prefer to monitor this activity in-house, the SecureWorks Security Information Management service provides the same event aggregation and correlation technology used by our experts as a service, so that your team can analyze any threats that occur. With both services, you receive real-time security visibility and on-demand reports to demonstrate PCI compliance through the SecureWorks Portal. |
| 6. Develop and maintain secure systems and applications. | This requirement mandates that your environment maintains current patch levels (critical security patches installed within one month of release), that you follow secure coding practices, and that public-facing web applications are reviewed for vulnerabilities at least annually and after any change, or are protected by a web application firewall (Requirement 6.6). SecureWorks’ Professional Services can help you meet this requirement by conducting periodic vulnerability assessments of your environment, performing web application assessments to identify areas of concern across your web-facing infrastructure (including vulnerabilities that may lead to cross-site scripting, SQL injection, buffer overflows and similar attacks), and working with your team to align your application development with secure coding best practices. SecureWorks’ Web Application Firewall monitoring and management service (listed above) supports the web application firewall option of Requirement 6.6. SecureWorks’ Vulnerability Scanning service provides periodic scans of your infrastructure to identify potential vulnerabilities or out-of-date systems, and SecureWorks’ Threat Intelligence service delivers new vulnerability and threat alerts tailored to your environment, which keeps your team on top of patches relevant to your systems. With both the Scanning and Intelligence services you gain access to the SecureWorks Portal to generate on-demand reports to demonstrate PCI compliance. |
Implement Strong Access Control Measures

| Requirements | Solutions |
|---|---|
| 7. Restrict access to cardholder data by business need-to-know. | This requirement calls for organizations to identify the systems that house cardholder information and to restrict access to those systems to only the personnel whose job requires it, with access denied by default. SecureWorks’ Professional Services can help you meet this requirement by working with your team to classify your systems and identify those that house cardholder information, and by assessing your infrastructure to ensure the proper access controls have been implemented in accordance with this requirement. SecureWorks’ Security Monitoring service provides real-time monitoring of these systems by security experts to ensure only authorized personnel gain access, while SecureWorks’ Security Information Management service delivers the technology you need to perform this monitoring as a service, should you choose to keep the function in-house. Both services give you access to the SecureWorks Portal, where you receive real-time visibility into the activity occurring on the systems housing cardholder information and on-demand reporting to demonstrate PCI compliance. |
| 8. Assign a unique ID to each person with computer access. | This requirement mandates proper identity and access management across systems that house cardholder information: no shared or generic accounts, strong authentication (with two-factor authentication for remote access), and prompt revocation of access for terminated users. SecureWorks’ Professional Services can help you meet this requirement by working with your team to classify your systems and identify those that house cardholder information; our consultants can then help your organization design an appropriate identity and access management strategy and assess your infrastructure to ensure the proper access controls have been implemented. SecureWorks’ Security Monitoring service provides real-time monitoring of these systems by security experts to ensure only authorized personnel gain access, while SecureWorks’ Security Information Management service delivers the technology you need to perform this monitoring as a service, should you choose to keep the function in-house. Both services give you access to the SecureWorks Portal, where you receive real-time visibility into the activity occurring on the systems housing cardholder information and on-demand reporting to demonstrate PCI compliance. |
| 9. Restrict physical access to cardholder data. | This requirement dictates that organizations implement appropriate physical security controls to limit access to critical systems, maintain proper visitor handling procedures, and have proper procedures for moving, storing and destroying physical media on which cardholder information is stored. SecureWorks’ Professional Services can help you address this requirement by working with your team to identify areas where physical security controls must be implemented and by testing those controls through social engineering and other tactics. The Professional Services team can also help you develop physical data handling and destruction procedures that align with industry best practices, such as those published by the Department of Defense. |
Regularly Monitor and Test Networks

| Requirements | Solutions |
|---|---|
| 10. Track and monitor all access to network resources and cardholder data. | This requirement calls for companies to implement logging across all network, security and server infrastructure that houses or handles cardholder information, to review the logs daily for violations, and to retain audit trail history for at least one year with a minimum of three months immediately available for analysis. SecureWorks' Security Monitoring service provides real-time log aggregation, correlation and analysis across any security device or critical information asset; all logs and alerts are monitored in real time, 24x7x365, by security experts to identify known and unknown threats or unusual user behavior, and any malicious activity identified is responded to immediately. The SecureWorks Log Retention service provides aggregation and archiving of all relevant logs for a wide range of devices, including servers, routers, firewalls and databases. Logs are collected in their entirety, indexed for search and reporting, and archived for a time period determined by the client; access to raw logs is also supported. Our SIM On-Demand service provides your team with the same aggregation and correlation technology used by our analysts, as a service, to enable your team to monitor your environment in-house. With all three services, log information is stored indefinitely, with the previous two years accessible via the SecureWorks Portal, giving you real-time security visibility and on-demand reports to demonstrate PCI compliance. |
| 11. Regularly test security systems and processes. | This requirement mandates that organizations periodically test their systems and protect them through vulnerability scanning (internal and external scans at least quarterly and after any significant change, with external scans performed by an ASV), penetration testing (at least annually and after any significant infrastructure or application change), intrusion detection and prevention, and file integrity monitoring. SecureWorks’ Professional Services can help you comply with this requirement by providing vulnerability assessments and penetration testing. SecureWorks is an Approved Scanning Vendor, and our Vulnerability Scanning service can be used to satisfy the quarterly external scans required for PCI compliance as well as the internal scans. Our Managed Intrusion Prevention and Detection service provides the prevention and detection controls identified in this requirement, covering implementation of a commercial IPS/IDS technology or bundled with our iSensor IPS technology; once implemented, our experts manage these devices, including ongoing tuning, and monitor them to identify and respond to threats. Likewise, SecureWorks’ Managed Host Intrusion Prevention service provides the technology and a team of experts to manage and monitor that infrastructure. SecureWorks’ Security Monitoring service provides real-time monitoring across your systems by security experts to respond to unauthorized activity, while SecureWorks’ Security Information Management service delivers the technology you need to perform this monitoring as a service, should you choose to keep the function in-house. The Scanning, Managed Intrusion Prevention and Detection, Monitoring and Security Information Management services all give you access to the SecureWorks Portal, where you receive real-time visibility into the activity occurring on the systems housing cardholder information and on-demand reporting to demonstrate PCI compliance. |
Maintain an Information Security Policy

| Requirements | Solutions |
|---|---|
| 12. Maintain a policy that addresses information security for employees and contractors. | This requirement dictates that organizations create an information security policy that is kept up to date and addresses all the security requirements in the PCI DSS, as well as operational security, acceptable system usage, security management, security awareness and incident response; the incident response plan must be tested at least annually. SecureWorks’ Professional Services can help you address this requirement by working with your team to create a robust, effective information security policy that addresses all the requirements of this section and the PCI DSS as a whole. Additionally, our Security Monitoring service can provide the incident response plan and the experts necessary to conduct effective response and stop threats before damage is done. With this service, you can use the SecureWorks Portal to gain real-time security visibility, access our incident response plan and generate on-demand reporting to demonstrate PCI compliance. |
