Retail is a prime target for hackers. High-profile breaches at retailers of all sizes cause reputational damage along with a drop in sales revenue. Additional costs often outstrip those related to revenue loss, with legal costs typically running to five times the fines imposed. With the personal data of millions of users being exposed, including credit card details, it doesn't take long for the costs of a breach to run into millions of dollars.
The PCI DSS standard was introduced in 2004 to increase control over payment and transaction data and thus protect consumers against credit card fraud and information leaks. Some of the PCI DSS requirements require companies to implement controls that assign a unique identity to each person with access to a computer, as well as to fully monitor network resources and customer payment data.
senhasegura helps organizations meet the following PCI DSS standard requirements:
Do not use vendor-supplied defaults for system passwords and other security parameters
During deployment of a system or device, one can override and remove the default passwords shipped with it and manage the resulting privileged credentials through senhasegura. Moreover, senhasegura allows restricting which protocols can be used for remote administrative access, such as SSH or SSL/TLS, thus preventing access to management interfaces over insecure protocols.
Develop and maintain secure systems and applications
An important part of this requirement is proper credential management and separation of duties across the development, testing, and production environments. senhasegura enforces duty-based access control for privileged credentials in all of these environments, supporting separation of duties while allowing quick and easy removal of accounts in development and testing environments when they are no longer needed.
Restrict access to cardholder data by business need to know
Through senhasegura, one can implement the principle of least privilege for privileged access. The solution provides granular access controls for privileged users, individually or in user groups. By defining Access Groups for segregation of duties, one can configure pre-approved or emergency access, or access through workflows with single or multiple approvals, without the user ever having access to the credential's password.
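The following is an added illustration of the access pattern just described (access groups, pre-approved versus approval-gated requests, no self-approval, and a session handle instead of the password). It is example code written for this page, not senhasegura's implementation; the class names, the `required_approvals` field and the session-token mechanism are assumptions chosen to show the pattern.

```python
"""Illustrative model of approval-gated privileged access (not senhasegura's code).

Assumptions made for this example: an access group lists its members, the
credentials it may use, how many approvals a request needs (0 = pre-approved)
and who may approve. The broker hands the user an opaque session token; the
stored secret is never returned to the requester.
"""
from dataclasses import dataclass, field
import secrets
from typing import Dict, List, Set


@dataclass
class AccessGroup:
    name: str
    members: Set[str]
    credentials: Set[str]           # credential ids this group may use
    required_approvals: int = 0     # 0 means pre-approved access
    approvers: Set[str] = field(default_factory=set)


@dataclass
class AccessRequest:
    user: str
    credential_id: str
    group: str
    approvals: Set[str] = field(default_factory=set)
    state: str = "pending"


class PrivilegedAccessBroker:
    def __init__(self, vault: Dict[str, str], groups: List[AccessGroup]):
        self._vault = vault                      # credential_id -> secret, internal only
        self._groups = {g.name: g for g in groups}
        self.audit: List[str] = []               # every decision is recorded

    def request(self, user: str, credential_id: str, group_name: str) -> AccessRequest:
        """Least privilege: the user must be in a group that is allowed the credential."""
        g = self._groups.get(group_name)
        if g is None or user not in g.members or credential_id not in g.credentials:
            self.audit.append(f"DENY request user={user} cred={credential_id} group={group_name}")
            raise PermissionError("not authorised by the named access group")
        req = AccessRequest(user, credential_id, group_name)
        if g.required_approvals == 0:
            req.state = "approved"               # pre-approved access path
        self.audit.append(f"REQUEST user={user} cred={credential_id} group={group_name} state={req.state}")
        return req

    def approve(self, req: AccessRequest, approver: str) -> None:
        """Separation of duties: only listed approvers, and never the requester."""
        g = self._groups[req.group]
        if approver not in g.approvers or approver == req.user:
            self.audit.append(f"DENY approval by={approver} for={req.user}")
            raise PermissionError("approver not permitted for this request")
        req.approvals.add(approver)
        if len(req.approvals) >= g.required_approvals:
            req.state = "approved"
        self.audit.append(f"APPROVE by={approver} for={req.user} count={len(req.approvals)} state={req.state}")

    def open_session(self, req: AccessRequest) -> str:
        """Return an opaque session token; the secret stays inside the broker."""
        if req.state != "approved":
            raise PermissionError("request is not approved")
        _secret = self._vault[req.credential_id]  # would be injected into the session, never shown
        token = secrets.token_hex(8)
        self.audit.append(f"SESSION user={req.user} cred={req.credential_id} token={token}")
        return token


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    vault = {"db-admin": "constructed-secret-1", "fw-admin": "constructed-secret-2"}
    ops = AccessGroup("ops", {"alice"}, {"db-admin"})
    emergency = AccessGroup("emergency", {"bob"}, {"fw-admin"}, 2, {"carol", "dave", "bob"})
    broker = PrivilegedAccessBroker(vault, [ops, emergency])
    r = broker.request("bob", "fw-admin", "emergency")
    broker.approve(r, "carol")
    broker.approve(r, "dave")
    print(broker.open_session(r))
    print("\n".join(broker.audit))
```

The point a reviewer would check is in `open_session`: the caller only ever receives the token, so a user with approved access still cannot copy the password out of the system, and every deny and approve decision lands in the audit list.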
Identify and authenticate access to system components
Virtually all aspects of this requirement are covered by senhasegura. The solution requires a unique ID for each privileged user, even when the organization uses shared credentials. senhasegura provides a number of features for password management, as well as two-factor authentication support for operations such as logging in to the tool and accessing devices and credentials. Lastly, senhasegura supports a hybrid network topology, from traditional data centers to cloud or virtualized environments.
Track and monitor all access to network resources and cardholder data
senhasegura addresses almost every aspect of this requirement. All privileged access made through senhasegura, as well as all actions performed in the environment, is stored in logs in a tamper-resistant store, providing complete visibility of every action performed on systems and devices.
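To make the "tamper-resistant" property concrete, here is an added example of a hash-chained audit log with a verifier that reports the first modified or removed entry. This is illustrative code written for this page, not senhasegura's log format; the field names and the sample events are constructed.

```python
"""Tamper-evident audit log using a SHA-256 hash chain (illustrative, not a product format).

Each entry carries the hash of the previous entry, so editing or deleting a
record changes every hash after it and the verifier can pinpoint the break.
"""
import copy
import hashlib
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64  # chain anchor for the first entry

# Constructed sample events in the shape a privileged-session log might use.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:00Z", "user": "alice", "action": "session.open", "target": "db-prod-01"},
    {"ts": "2024-01-01T10:00:07Z", "user": "alice", "action": "command", "target": "db-prod-01",
     "detail": "SHOW TABLES"},
    {"ts": "2024-01-01T10:02:30Z", "user": "alice", "action": "session.close", "target": "db-prod-01"},
]


def entry_hash(entry: Dict) -> str:
    """Hash every field except 'hash' itself, with canonical JSON so key order is irrelevant."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def append(self, event: Dict) -> Dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "prev": prev, "event": copy.deepcopy(event)}
        entry["hash"] = entry_hash(entry)
        self.entries.append(entry)
        return entry


def verify(entries: List[Dict]) -> Optional[int]:
    """Return None if the chain is intact, otherwise the index of the first bad entry."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.get("seq") != i or e.get("prev") != prev:
            return i                      # gap, reordering or deletion before this point
        if entry_hash(e) != e.get("hash"):
            return i                      # content of this entry was altered
        prev = e["hash"]
    return None


def tamper_demo() -> Dict[str, Optional[int]]:
    """Build a log from the sample events and show what the verifier reports."""
    log = AuditLog()
    for ev in SAMPLE_EVENTS:
        log.append(ev)

    edited = copy.deepcopy(log.entries)
    edited[1]["event"]["user"] = "mallory"   # rewrite who ran the command

    deleted = copy.deepcopy(log.entries)
    del deleted[1]                            # remove the command record entirely

    return {"intact": verify(log.entries), "edited": verify(edited), "deleted": verify(deleted)}


if __name__ == "__main__":
    print(tamper_demo())
```

The chain detects edits and deletions in the middle of the log, but on its own it cannot tell that the newest entries were trimmed off the end; in practice the head hash is periodically written somewhere the log writer cannot change (a signed checkpoint, a separate system, or write-once storage) so that truncation is also visible.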