PCI DSS 3.0 Compliance Using TierPoint’s Cloud & Managed Security Services

According to a recent poll conducted by American Consumer Credit Counseling (ACCC), 64% of consumers do not trust retailers with their credit card information. From 2012 to 2013, data breaches went up by 30%, and the number continues to grow. In 2014 alone, we have seen 644 breaches and 78 million records exposed. This is another increase of 26% across multiple industries.

To combat this, the Payment Card Industry Data Security Standards (PCI DSS) v3.0 were released this year, with a compliance deadline of January 1, 2015. These requirements comprise “a minimum set of requirements for protecting cardholder data, and may be enhanced by additional controls and practices to further mitigate risks, as well as local, regional and sector laws and regulations.” But maintaining only the status quo to meet these minimum requirements may not be enough to avoid a breach of your networks and your customers’ data.

The chart below shows the 3.0 requirements and how you can enhance your security posture today by utilizing TierPoint’s compliance expertise and services.

| Required controls | How TierPoint can help |
| --- | --- |
| 1. Install and maintain a firewall configuration to protect cardholder data | Fortinet’s world-class Next Generation Firewalls (NGFW) provide you with the ability to combat Advanced Persistent Threats (APT) using network antivirus, IDS/IPS, botnet protection, DoS protection, and more… |
| 2. Do not use vendor-supplied defaults for system passwords and other security parameters | Our CleanIP Managed Security service puts the responsibility for this in the hands of our certified, experienced security analysts. With the help of both Fortinet and Alert Logic, we can help ensure the health and compliance of your infrastructure. |
| 3. Protect stored cardholder data | Data Leak Protection ensures that you can track and block the exfiltration of private information and, with our CleanIP Advanced MSS, can be controlled based on SSN, Credit Card Numbers and other customizable information. We can also monitor and block secure channel communications such as SSL and SSH. |
| 4. Encrypt transmission of cardholder data across open, public networks | IPSec and SSL VPN can handle remote connectivity and transmission of your cardholder information. Within the TierPoint cloud, CloudLink provides storage or VM encryption for storing your customer information. Even better, you hold the encryption key… meaning even TierPoint can’t access this data. |
| 5. Protect all systems against malware and regularly update anti-virus software or programs | Network antivirus and IDS/IPS provided by Fortinet FortiGate NGFW protect your perimeter, while Alert Logic’s Web Security Manager and Threat Manager with Active Watch provide 24x7 network threat detection. |
| 6. Develop and maintain secure systems and applications | TierPoint utilizes the expertise of multiple vendor partners to provide Web Application Firewalling to enable your web applications to remain secure and protected. With the managed security offering by Alert Logic, your WAF can be tuned and managed by GIAC certified security experts. |
| 7. Restrict access to cardholder data by business need to know | Dedicated firewalls provide network isolation for your environment, allowing you to restrict access to parts of the network. |
| 8. Identify and authenticate access to system components | Two-factor authentication is provided with Fortinet’s FortiAuthenticator and FortiTokens to verify that all access is secure and authorized. Our security experts will engineer a solution to best fit your needs and maintain the integrity of your environment. |
| 9. Restrict physical access to cardholder data | TierPoint datacenters are SSAE 16 SOC I and SOC II Type 1 and 2 audited and provide state-of-the-art physical security with 24x7 monitoring, badge and biometric access, and a security staff on premises ensuring that only authorized personnel gain access to your systems. |
| 10. Track and monitor all access to network resources and cardholder data | Multiple monitoring and tracking options are available, including Alert Logic Log Manager to provide remote security log analysis to assist in validation of network activities. |
| 11. Regularly test security systems and processes | Alert Logic Threat Manager w/ Active Watch provides 24x7 management of internal and external network threats. Integrated intrusion detection and vulnerability scanning capabilities provide key elements to address the requirements of PCI DSS. |
| 12. Maintain a policy that addresses information security for all personnel | The responsibility of ensuring your security policy is in your hands, but with the peace of mind that you’re protected by TierPoint’s wide range of managed security services, your policy is easier to develop and maintain than ever! |

TierPoint can help meet your PCI DSS 3.0 compliance requirements using our comprehensive managed security services and our secure Public, Private, or Hybrid cloud offerings. Working with top industry partners such as Fortinet, Alert Logic, VMware, and CloudLink, we can work together to improve your security posture both on premises and in the cloud.

BALTIMORE | DALLAS | OKLAHOMA CITY | PHILADELPHIA | SEATTLE | SPOKANE | TULSA
TierPoint | 520 Maryville Centre Dr. | St. Louis | MO 63141 | www.tierpoint.com
© 2014 TierPoint, LLC. All Rights Reserved.