PCI DSS 4.0 is a non-negotiable industry standard for any organization that stores, processes, or transmits cardholder data (CHD) or sensitive authentication data (SAD). But although its requirements are detailed and can be onerous, there are technology solutions available to help streamline the process of compliance, reduce the operational and financial burden, and provide peace of mind for enterprises.
To articulate the benefits of comforte’s SecurDPS Enterprise Solution for encryption and tokenization, we commissioned Coalfire Systems to run a detailed and independent technical analysis. It offers useful insight into how the product can support PCI DSS 4.0 compliance by reducing the risk and scope of CHD stores in enterprise environments.
PCI DSS 4.0 and comforte
PCI DSS has gone through several iterations since it was first published in 2004, in response to surging levels of card data theft. But the latest is comprised of 12 requirements grouped into six objectives:
- Build and maintain a secure network and systems
- Protect account data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
comforte’s SecurDPS offers a data-centric security approach to help protect sensitive data in line with the above objectives. It does this via encryption, format-preserving encryption, tokenization, format-preserving hashing, and masking. And there are capabilities to automatically and continuously discover and classify CHD. The solution can be simply integrated into existing applications via easy-to-use APIs, without changing the record format of the original data. And there are audit and analysis capabilities to help different IT/security stakeholders.
What Coalfire found
Coalfire found the comforte solution to perform well at supporting PCI DSS 4.0 compliance. The report notes the following:
“Coalfire found that SecurDPS solution protected sensitive data using appropriate tokenization, masking and/or hashing strategies. SecurDPS relied on a tokenization mechanism which resided within the SecurDPS Virtual Appliance. Users could tokenize sensitive data or access tokenized data and view the full contents (i.e. Primary Account Number(PAN)) via the REST API. Coalfire observed that the tokenization algorithm used by SecurDPS generated a random output to ensure unique tokens for each instance of sensitive data protected by the solution.”
Coalfire adds that the product’s discovery and classification capabilities “appropriately identified unprotected sensitive data using both vendor and user defined search parameters” – providing a centralized view of all sensitive data by asset type, data source and/or data subject. Role Based Access Controls (RBAC) at the application and/or entity level can be used to enhance security further, it said.
Coalfire found comforte’s SecurDPS either meets or supports the following PCI DSS 4.0 requirements:
Requirement 2: Apply Secure Configurations to All System Components
2.2 System components are configured and managed securely.
Requirement 3: Protect Stored Account Data
3.4 Access to displays of full PAN and ability to copy account data is restricted.
3.5 PAN is secured wherever it is stored.
3.6 Cryptographic keys used to protect stored account data are secured.
3.7 Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented.
Requirement 7: Restrict Access to System Components and Cardholder Data by Business Need to Know
- 2 Access to system components and data is appropriately defined and assigned.
7.3 Logical access to system components and data is managed via an access control system(s).
Requirement 8: Identify Users and Authenticate Access to System Components
8.2 User identification and related accounts for users and administrators are strictly managed throughout an account’s lifecycle.
8.3 Strong authentication for users and administrators is established and managed.
8.6 Use of application and system accounts and associated authentication factors are strictly managed.
Requirement 10: Log and Monitor All Access to System Components and Cardholder Data
10.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.
10.3 Audit logs are protected from destruction and unauthorized modifications.
10.5 Audit log history is retained and available for analysis.
Requirement 12: Support information security with organizational policies and programs
12.3 Targeted risks to the cardholder data environment are formally identified, evaluated, and managed.
12.5 PCI DSS scope is documented and validated.
There’s plenty more detail in the analysis. But at a high-level the message is clear. Merchants, processors, acquirers, issuers, service providers and other organizations looking to streamline their PCI DSS 4.0 compliance processes should consider comforte SecureDPS a valuable ally.
