SOLUTION PAPER

PAYMENT CARD INDUSTRY (PCI)

DATA SECURITY STANDARD (DSS)
 HOW APPGATE CAN HELP TO
ACHIEVE PCI COMPLIANCE

Use AppGate to secure your compliance

- One security system for all access

In a world with fewer borders, the demand for network security changes from Control access
security at the gate, to security at the source. AppGate is the leader in this space,
with a solution that protects applications, protects communication and secures to your
end point devices. The AppGate solution supports all types of transmission, fixed, sensitive
wireless and mobile and is easily integrated into any customer environment. resources with
AppGate has customers in 23 countries, many from market segments like defence,
government and Fortune 500 companies. AppGate

Preface
This document describes the twelve requirements defined in the Payment Card Industry (PCI)
Data Security Standard (DSS) v1.1 and how AppGate may support your PCI DSS compliance.
The twelve PCI DSS requirements are organized into six logically related groups called the
“control objectives.” The following table illustrates commonly used elements of cardholder and sensitive
authentication data whether storage of each data element is permitted or prohibited and if each
data element must be protected. This table is not exhaustive, but is presented to illustrate the
different types of requirements that apply to each data element.

DATA ELEMENT STORAGE PROTECTION PCI DSS

PERMITTED REQUIRED REQ. 3.4

Cardholder data Primary Account YES YES YES

Number (PAN)

Cardhoder name* YES YES* NO

Service Code* YES YES* NO

Expiration date YES YES* NO

Sensitive Full Magnetic Stripe NO N/A N/A

Authentication Data**

CVC2/CVV2/CID NON N/A N/A

PIN/ PIN Block NO N/A N/A

*These data elements must be protected if stored in conjunction with the PAN. this protection must be consisitent with
PCI DSS requirements for general protection of the cardholder environment. Additionally, other legislation (for example,
related to consumer personal data protection, privacy, identity theft, or data security) may require specific protection of
this data, or proper disclosure of a company´s prctices if consumer relatd personal data is being collected during the
course of usiness. PCI DSS; however, does not apply if PANs are not stored, processed, or transmitted.

** Sensitive authentication data must not be stored subsequent to authorization (even if encrypted)
PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or
transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply.
These security requirements apply to all “system components.”
System components are defined as any network component, server, or application that is included in or
connected to the cardholder data environment. The cardholder data environment is that part of the network
that possesses cardholder data or sensitive authentication data. Adequate network segmentation, which
isolates systems that store, process, or transmit cardholder data from those that do not, may reduce the
scope of the cardholder data environment. Network components include but are not limited to firewalls,
switches, routers, wireless access points, network appliances, and other security appliances. Servers
include but are not limited to the following: web, database, authentication, mail, proxy, network time
protocol (NTP), and domain name servers (DNS).

Applications include all purchased and custom-made applications including internal and
external (Internet) applications.

The PCI Security Standards Council is an open global forum for the ongoing development,
enhancement, storage, dissemination and implementation of security standards for account data
protection. Read all about the standard at https://www.pcisecuritystandards.org/

Overview of requirements
Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software

Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know

Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security

What AppGate can do for you
AppGate helps you implement requirement 1, 2, 4, 6, 7 and 8. The consumers visit your e-business
application from the Internet using SSL when handling payment card data. The administrative personnel,
the non-consumers, access the system by logon to AppGate.
AppGate will authentication and give authorized access to the different application and servers in your
Service Network to administrate payment card data, customers, price lists and other sensitive data.

Mobile users!

Web server!
App server!

Service!
Network! DB server!
Internet!

Payment server!

Home! AppGate !
Security !
Admin!
Server!
Access!

Internal!
LAN!
Office!

B2B solutions may use AppGate for strong authentication and access control on the client side too, if
needed.
Hosting Providers and Service Providers may share the same AppGate server to administrate the different
services on different servers.
Requirement 1:

Install and maintain a firewall configuration to protect cardholder data

“Firewalls are computer devices that control computer traffic allowed into and out of a company’s network,
as well as traffic into more sensitive areas within a company’s internal network. A firewall examines all
network traffic and blocks those transmissions that do not meet the specified security criteria.
All systems must be protected from unauthorized access from the Internet, whether entering the system as
e-commerce, employees’ Internet-based access through desktop browsers, or employees’ e-mail access.
Often, seemingly insignificant paths to and from the Internet can provide unprotected pathways into key
systems. Firewalls are a key protection mechanism for any computer network.”

AppGate supports

• that inbound Internet traffic is limited to IP addresses within the DMZ

• that internal addresses cannot pass from the Internet into the DMZ
• stateful inspection, also known as dynamic packet filtering (that is, only ”established” connections are
allowed and only if they are associated with a previously established session)
• mobile and/or employee-owned with direct connectivity to Internet and which are used to access the
organisation’s network, have personal firewall installed and active, which is configured by the
organisation to specific standards and not alterable by the employee.
• prohibiting direct public access between external networks and any system component that stores
cardholder data (for example, databases, logs, trace files)
• implementation of IP masquerading to prevent internal addresses from being translated and revealed on
the Internet. Use technologies that implement RFC 1918 address space, such as port address translation
(PAT) or network address translation (NAT).

Requirement 2:

Do not use vendor-supplied defaults for system passwords and other

security parameters
“Hackers (external and internal to a company) often use vendor default passwords and other vendor default
settings to compromise systems. These passwords and settings are well known in hacker communities and
easily determined via public information.”

AppGate supports

• wireless environments and adds strong encryption and authentication.

• encryption of all non-console administrative access, using technologies such as SSH and SSL/TLS
(transport layer security) for web-based management and other non-console administrative access.
• hosting providers that must protect each entity’s hosted environment and data. These providers must
meet specific requirements as detailed in PCI DSS Appendix A: “PCI DSS Applicability for Hosting
Providers.”.
Requirement 4:

Encrypt transmission of cardholder data across open, public networks

“Sensitive information must be encrypted during transmission over networks that are easy and common for
a hacker to intercept, modify, and divert data while in transit.”
AppGate supports uses of strong cryptography and security protocols such as secure sockets layer (SSL) /
transport layer security (TLS) and SSH technology to safeguard sensitive cardholder data during
transmission over open, public networks. Examples of open, public networks that are in scope of the PCI
DSS are the Internet, WiFi (IEEE 802.11x), global system for mobile communications (GSM), and general
packet radio service (GPRS).

Requirement 6:

Develop and maintain secure systems and applications

“Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Vendor-
provided security patches fix many of these vulnerabilities. All systems must have the most recently
released, appropriate software patches to protect against exploitation by employees, external hackers, and
viruses. Note: Appropriate software patches are those patches that have been evaluated and tested
sufficiently to determine that the patches do not conflict with existing security configurations. For in-house
developed applications, numerous vulnerabilities can be avoided by using standard system development
processes and secure coding techniques.”

AppGate supports separation of development, test, and production environments when you implement
Separation of Duties on the business level.

Requirement 7:

Restrict access to cardholder data by business need-to-know

“This requirement ensures critical data can only be accessed by authorized personnel.”

AppGate supports

• limiting access to computing resources and cardholder information only to those individuals whose job
requires such access.
• establishment of a mechanism for systems with multiple users that restricts access based on a user’s
need to know and is set to “deny all” unless specifically allowed.
Requirement 8:

Assign a unique ID to each person with computer access

“Assigning a unique identification (ID) to each person with access ensures that actions taken
on critical data and systems are performed by, and can be traced to, known and authorized
users.”

AppGate supports

• in addition to assigning a unique ID, employing the following methods to authenticate all users

o Password
o One-Time-Password via GSM/SMS
o SecurID
o Cryptocard
o Certificate
o Public Key

• implementation of two-factor authentication for remote access to the network by employees,

administrators, and third parties. Use technologies such as remote authentication and dial-in service
(RADIUS) or terminal access controller access control system (TACACS) with tokens; or VPN (based on
SSL/TLS or IPSEC) with individual certificates.
• encryption of all passwords during transmission and storage on all system components.
• ensuring proper user authentication and password management for non-consumer users and
administrators on all system components.
o Do not allow an individual to submit a new password that is the same as any of the last four
passwords he or she has used
o Limit repeated access attempts by locking out the user ID after not more than six attempts
o Authenticate all access to any database containing cardholder data. This includes access by
applications, administrators, and all other users

AppGate makes it easier to be compliant with PCI DSS for every type of
organisation. Through its unique way of enforcing “who should be able to
access what” according to a security policy, AppGate is a cost-effective and
secure way to control access. For more information please contact
sales@appgate.com or visit our website www.appgate.com.
www.appgate.com