Default banner

PCI DSS Compliance Solutions

Addressing Payment Card Industry Data Security Standard (PCI DSS) compliance requirements can represent a massive effort for today’s security teams—and the work is never done. Industry-leading businesses around the world rely on Thales to effectively and efficiently address these requirements.

The Challenge: PCI DSS Continues to Change

Since Visa first rolled out its Cardholder Information Security Program (CISP) in 2001, organizations that manage cardholder data have been given detailed guidelines for securing their infrastructure and ultimately the payment data they manage.

While the PCI DSS requirements aren’t new, organizations’ technological environments and the threats that have to be combatted have changed dramatically in recent years. Further, the industry's guidelines continue to evolve, with the most recent release of PCI DSS, version 3.2, taking effect in July 2018.

While the PCI DSS features rules on everything from changing employee passwords regularly to deploying firewalls, many rules focus on the security of cardholder data and the systems used to manage it.

Encryption, Key Management and Strong Authentication for PCI Compliance

Thales can help address many of the critical challenges of addressing these PCI DSS standards. Our data security solutions help organizations take a comprehensive, data-centric approach to security that not only helps address near-term compliance objectives but ensures the security of sensitive assets in the long term.

 

PCI DSS Solutions

 

Why You’ll Love Our PCI Compliance Solutions:

One of the key challenges merchants, banks, and payment processors face is the implementation of data encryption, key management, and strong authentication to comply with the PCI security requirements—and to do so in an efficient and cost-effective manner.

Thales Solutions Help Organizations:

  • Reduce the cost and complexity of PCI compliance with the most complete and easy-to-manage data protection solution.
  • Protect sensitive data at rest, in use and in transit to meet the most challenging PCI security requirements.
  • Implement the industry's only comprehensive end-to-end solution that encrypts and controls access to sensitive data from clients, to databases, to endpoint devices
  • Streamline implementation, ensuring that PCI compliance deadlines are met and fines avoided

In short, Thales data protection solutions address PCI compliance challenges without impacting your ability to leverage the data or deliver on the bottom line.

Specific PCI DSS compliance requirements Thales can help you address:

  • PCI DSS Goal: Build and Maintain a Secure Network
  • PCI DSS Goal: Protect Cardholder Data
  • PCI DSS Goal: Maintain a Vulnerability Management Program
  • PCI DSS Goal: Implement Strong Access Control Measures
  • PCI DSS Goal: Regularly Monitor and Test Networks

To establish secure networks, it is critical to institute strong, granular controls around such aspects as administrative access, server functions, virtual machines, and so on.

How Thales can help establish secure networks:

  • Encryption solutions from Thales enable multi-tenancy and separation of duties to ensure that only authorized users can access secure data.
  • Thales HSMs enable partitioning that establishes effective isolation of critical cryptographic keys.

Encryption represents a vital requirement for safeguarding cardholder data. To address PCI DSS requirements, organizations need to leverage encryption of cardholder data in storage and transit.

How Thales can help protect cardholder data:

  • Thales offers a portfolio of solutions that offer capabilities for encrypting unstructured files, columns in databases, virtual machines, applications, and more, so organizations can granularly protect PCI DSS-regulated records and files.
  • Thales also offers a tokenization solution that addresses PCI DSS requirements by converting the PAN (primary account number) to a token in the same format, which means associated applications can continue to operate seamlessly.
  • Encrypted data is only as secure as the keys used to encrypt it. Thales offers the strong, certified controls that address many requirements for key creation, administration, and retirement.
  • Thales High Speed Encryptors delivers the Layer 2 network encryption capabilities that are essential in addressing requirements for safeguarding sensitive cardholder data transmitted over open network.

An essential part of addressing this goal is through the development and maintenance of secure systems and applications. To achieve these objectives, organizations need to incorporate information security throughout the software development lifecycle.

How Thales can help maintain a vulnerability management program:

Digital signatures are an essential aspect to establishing the validity of applications. Thales HSMs provide maximum security of signing material, storing this sensitive information in robust, tamper-resistant appliances, helping ensure the authenticity and integrity of code files.

To achieve and sustain compliance, it is essential to establish strong controls around who can access sensitive resources, and under what circumstances.

How Thales can help implement strong access controls:

  • Thales' authentication solutions offer comprehensive capabilities for managing user access. With these solutions, organizations can ensure individuals are assigned unique credentials, establish operational role segregation, log and report on user access, and automatically apply policies.
  • With Thales' encryption solutions, organizations can establish granular controls over who can access cardholder data. For example, by encrypting at the application level, your security teams can ensure that unauthorized users, even those with administrative permissions for an underlying server, cannot access sensitive data in the application.
  • Thales' key management solutions provide centralized key management throughout the data lifecycle. Once the encryption keys are destroyed, the data cannot be accessed in clear text.

Effective capabilities for tracking user activities are essential in enabling security teams to prevent and detect compromises, and to minimize their impact should a breach occur.

How Thales can help monitor and test networks:

  • By leveraging Thales' key management solutions, organizations can leverage a central repository for all cryptographic activity data, which significantly steamlines auditing and logging efforts. Then maintain an extensive set of log files for tracking administrator and user activities. Further, the solution digitally signs log files to ensure their integrity.
  • By leveraging Thales' encryption offerings, organizations can gain an effective means for auditing and logging access to encrypted cardholder data.