PCI DSS Compliance Guide - Citsus


PCI DSS Compliance Guide 2009 Rapid7

What is the PCI DSS?

Negative media coverage, a loss of customer confidence, and the resulting loss in sales can cripple a business. As a result, all entities that handle credit cardholder information are being challenged to adopt more effective data protection measures.

The Payment Card Industry (PCI) Data Security Standard (DSS) was created to confront the rising threat to credit cardholder personal information. The PCI DSS consists of the PCI Compliance Principles and Requirements for securing credit cardholder data in both hardcopy and electronic formats. The PCI DSS has been adopted by companies in the credit card industry as the global standard for the protection of customer information. The PCI Security Standards Council (SSC) owns, develops, maintains and distributes the PCI DSS. The SSC also provides oversight for the Approved Scanning Vendor program that certifies companies as Approved Scanning Vendors (ASV). The PCI DSS encompasses twelve requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures.

The goal of PCI DSS is simple: protect cardholder account data. In the pursuit of this goal, the PCI SSC has gained endorsement of the PCI DSS by the five major payment card brands: Visa's Cardholder Information Security Program (CISP), MasterCard, Discover Financial Services, American Express, and JCB International.

Who needs to be PCI compliant?

The PCI SSC works with the five major payment card brands to ensure that merchants and service providers are PCI compliant. As a global standard, the PCI DSS applies to any entity worldwide that stores, processes or transmits credit cardholder data. This includes financial institutions, merchants and service providers in all payment channels. Financial institutions include banks, insurance companies, lending agencies, and brokerages. Merchants include restaurants, retailers (brick-and-mortar, mail/telephone order, e-commerce), transportation operators, and virtually any point-of-sale that processes credit cards across all industries. Examples of service providers include transaction processors, payment gateways, customer service entities (i.e. call centers), managed service providers, web hosting providers, data centers, and Independent Sales Organizations.

The five major payment card brands enforce PCI compliance validation by requiring merchant banks to meet specific auditing and reporting criteria for their respective merchants and service providers. Each payment card brand has its own compliance program to uphold the PCI standard by enforcing PCI auditing and reporting requirements that must be met by the acquiring banks for merchants (also called merchant banks) in order to provide access to their payment network. The merchant bank then needs to produce evidence that merchants using their bank, along with any service providers used by those merchants, are in fact PCI compliant. This chain of liability at each level is designed to protect credit cardholder data by using PCI DSS to mitigate the risk of data breaches in the rapidly evolving threat landscape.

Merchants

Merchants are subject to the following validation requirements from each payment card brand:

Visa

Validation methods: annual Report on Compliance (ROC) audit by a Qualified Security Assessor (QSA); quarterly internal and external vulnerability scan and penetration test by an Approved Scanning Vendor (ASV).

Level 1 - Any merchant, regardless of acceptance channel, processing more than 6 million transactions per year; any merchant that suffered a security breach resulting in an account compromise; any merchant that Visa otherwise deems a Level 1
Level 2 - Any merchant processing between 1 to 6 million transactions per year
Level 3 - Any merchant processing between 20,000 to 1 million transactions per year
Level 4 - Any merchant processing less than 20,000 transactions per year (i.e. all other merchants not in Levels 1, 2, or 3, regardless of acceptance channel). Validation: recommended, not required.

Source: http://usa.visa.com/merchants/risk_management/cisp_merchants.html

Rapid7 helps meet Report on Compliance (ROC) Audits through our trusted partner Qualified Security Assessors (QSAs).

MasterCard

Validation methods: annual Report on Compliance (ROC) audit by a Qualified Security Assessor (QSA); quarterly internal and external vulnerability scan and penetration test by an Approved Scanning Vendor (ASV).

Level 1 - Any merchant, regardless of acceptance channel, processing greater than 6 million transactions per year; any merchant that suffered a security breach resulting in an account compromise; any merchant that MasterCard otherwise deems a Level 1
Level 2 - Any merchant processing greater than 1 million, but less than or equal to 6 million transactions per year. ** At merchant discretion (see note below).
Level 3 - Any merchant processing greater than 20,000, but less than or equal to 1 million transactions per year
Level 4 - All other merchants (i.e. any merchant processing 20,000 or less transactions per year). Validation: recommended, not required.

Source: t levels.html

* Rapid7 helps meet Report on Compliance (ROC) Audits through our trusted partner Qualified Security Assessors (QSAs).

MasterCard announced revised requirements for Level 2 merchants. Effective 30 June 2011, Level 2 merchants that choose to complete an annual self-assessment questionnaire must ensure that staff engaged in the self-assessment attend PCI SSC-offered merchant training programs and pass any associated PCI SSC accreditation program annually in order to continue the option of self-assessment for compliance validation. Alternatively, Level 2 merchants may, at their own discretion, complete an annual onsite assessment conducted by a PCI SSC approved QSA rather than complete an annual self-assessment questionnaire.

AMEX

Validation methods: annual Report on Compliance (ROC) audit by a Qualified Security Assessor (QSA); quarterly internal and external vulnerability scan and penetration test by an Approved Scanning Vendor (ASV).

Level 1 - Any merchant, regardless of acceptance channel, processing more than 2.5 million transactions per year; any merchant that has had a data incident; any merchant that American Express otherwise deems a Level 1
Level 2 - Any merchant processing between 50,000 to 2.5 million American Express Card transactions per year
Level 3 - Any merchant processing less than 50,000 American Express Card transactions per year. Validation: recommended, not required.

Source: voice/pdfs/en_US/DSOP_Merchant_US.pdf

Rapid7 helps meet Report on Compliance (ROC) Audits through our trusted partner Qualified Security Assessors (QSAs).

Discover

Validation methods: annual Report on Compliance (ROC) audit by a Qualified Security Assessor (QSA); quarterly internal and external vulnerability scan and penetration test by an Approved Scanning Vendor (ASV).

Level 1 - All merchants processing a total of more than 6 million card transactions annually on the Discover network; any merchant Discover, in its sole discretion, determines should meet the Level 1 compliance validation and reporting requirements; all merchants required by another payment brand to validate and report their compliance as a Level 1 merchant
Level 2 - All merchants processing a total of 1 million to 6 million card transactions annually on the Discover network; all merchants required by another payment brand to validate and report their compliance as a Level 2 merchant
Level 3 - All merchants processing a total of 20,000 to 1 million card-not-present only transactions annually on the Discover network; all merchants required by another payment brand to validate and report their compliance as a Level 3 merchant
Level 4 - All other merchants. Validation: recommended, not required.

Source: html

Rapid7 helps meet Report on Compliance (ROC) Audits through our trusted partner Qualified Security Assessors (QSAs).

Discover authorizes use of either an annual on-site review by QSA or the merchant's internal auditor.

JCB International

Validation methods: annual Report on Compliance (ROC) audit by a Qualified Security Assessor (QSA); annual Self-Assessment Questionnaire (SAQ); quarterly internal and external vulnerability scan and penetration test by an Approved Scanning Vendor (ASV).

Merchants who handle cardholder data and transaction data via the Internet or an Internet-accessible network:
- All merchants processing a total of 1 million JCB transactions or more per year
- All merchants processing less than 1 million JCB transactions per year

Merchants who do not handle cardholder data and transaction data via the Internet or an Internet-accessible network (validation recommended, not required):
- All merchants processing 1 million JCB transactions or more per year
- All other merchants

Source: http://www.jcb-global.com/english/jdsp/index.html

Rapid7 helps meet Report on Compliance (ROC) Audits through our trusted partner Qualified Security Assessors (QSAs).

Service providers

Service providers are organizations that process, store, or transmit cardholder data on behalf of credit card clients, merchants, or other service providers. The major payment brands have different "terms" for service providers. Service providers are subject to the following validation requirements, as specified by each brand:

Visa

Validation methods: annual Report on Compliance (ROC) audit by a Qualified Security Assessor (QSA); quarterly internal and external vulnerability scan and penetration test by an Approved Scanning Vendor (ASV).

Level 1 - VisaNet processors or any service provider that stores, processes and/or transmits over 300,000 transactions per year
Level 2 - Any service provider that stores, processes and/or transmits less than 300,000 transactions per year

Source: http://usa.visa.com/merchants/risk_management/cisp_service_providers.html

Rapid7 helps meet Report on Compliance (ROC) Audits through our trusted partner Qualified Security Assessors (QSAs).

MasterCard

Validation methods: annual Report on Compliance (ROC) audit by a Qualified Security Assessor (QSA); quarterly internal and external vulnerability scan and penetration test by an Approved Scanning Vendor (ASV).

Level 1 - All TPPs; all DSEs that store, transmit, or process greater than 300,000 total combined MasterCard and Maestro transactions annually
Level 2 - Includes all DSEs that store, transmit, or process less than 300,000 total combined MasterCard and Maestro transactions annually

Source: serviceprovider levels.html

Rapid7 helps meet Report on Compliance (ROC) Audits through our trusted partner Qualified Security Assessors (QSAs).

AMEX

Validation methods: annual Report on Compliance (ROC) audit by a Qualified Security Assessor (QSA); quarterly internal and external vulnerability scan and penetration test by an Approved Scanning Vendor (ASV).

Level 1 - All

Source: voice/pdfs/en_US/DSOP_Service_Provider_US.pdf

Rapid7 helps meet Report on Compliance (ROC) Audits through our trusted partner Qualified Security Assessors (QSAs).

AMEX authorizes use of either an annual on-site review by QSA or internal auditor of the Service Provider if certified (i.e. signed) by the chief executive officer, chief financial officer, or principal of the Service Provider.

Discover

Validation methods: annual Report on Compliance (ROC) audit by a Qualified Security Assessor (QSA); quarterly internal and external vulnerability scan and penetration test by an Approved Scanning Vendor (ASV).

Level 1 - All Service Providers

Source: html

Rapid7 helps meet Report on Compliance (ROC) Audits through our trusted partner Qualified Security Assessors (QSAs).

Discover authorizes use of either an annual on-site review by QSA or an annual SAQ using PCI DSS v1.2.

JCB International

Validation methods: annual Report on Compliance (ROC) audit by a Qualified Security Assessor (QSA); quarterly internal and external vulnerability scan and penetration test by an Approved Scanning Vendor (ASV).

Level 1 - All Payment Processors who handle cardholder data and transaction data via the Internet or an Internet-accessible network
Level 2 - All Payment Processors who do not handle cardholder data and transaction data via the Internet or an Internet-accessible network. Validation: recommended, not required.

Source: http://www.jcb-global.com/english/jdsp/index.html

Rapid7 helps meet Report on Compliance (ROC) Audits through our trusted partner Qualified Security Assessors (QSAs).

How Rapid7 Helps

Rapid7 has extensive experience partnering with financial institutions, merchants and service providers nationwide such as Stein Mart, Trader Joe's, Olympia Sports, The Blackstone Group, LendingTree, and E*TRADE FINANCIAL, to help them with their security and compliance requirements. Rapid7's PCI Compliance Solutions meet the data security standards required for merchants and service providers to achieve PCI compliance by addressing PCI DSS v1.2 Requirements 6.5, 6.6, 11.2 and 11.3 as follows:

- Performing quarterly internal and external vulnerability scans - Rapid7 has been recertified as an Approved Scanning Vendor (ASV) by the PCI Security Standards Council, authorizing us to help you achieve compliance with the PCI Data Security Standard (DSS). Rapid7 PCI Compliance Services perform independent, quarterly ASV vulnerability scans and produce the certified documentation for your records. In addition, Rapid7 helps meet Report on Compliance (ROC) Audits through our trusted partner Qualified Security Assessors (QSAs). (Requirement 11.2)
- Leveraging Rapid7 Managed PCI Services to provide the added value of automated quarterly scans including external vulnerability scanning - Includes up to twelve rescans per quarter at no extra charge, full remediation plans, and eight hours of consulting time with one of our professional security consultants (2 hours per quarter) to review scan results and discuss remediation recommendations as well as any requested scan and report configuration changes. (Requirement 11.2)
- Performing Rapid7 PCI Compliance Services - Offering annual internal and external penetration testing services required by PCI DSS in order to detect deficiencies more quickly and provide detailed recommendations for fixes that would prevent attacks. (Requirement 11.3)
- Performing Rapid7 PCI Gap Analysis - For a detailed audit of your networked environment, Web application development secure coding policies, physical security control policies, training policies, and personnel policies, in addition to providing guidance on network segmentation to show you how to reduce the scope of your PCI audit and limit your cardholder segment. (Requirement 6.5)
- Performing Web application assessment testing - To identify vulnerabilities based on the OWASP Top 10 vulnerability list, in addition to providing Security Awareness Training, OWASP web development training and CEH/Penetration test training on request. (Requirement 6.6)
- Providing assistance in completing the appropriate PCI Self-Assessment Questionnaire (SAQ) - When required for PCI certification.

Rapid7 Solutions for the Payment Card Industry Data Security Standard (PCI DSS)

To meet PCI compliance, merchants adhere to the twelve PCI DSS requirements outlined below. Each requirement is listed with its detailed sub-requirements and the corresponding Rapid7 solution.

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Detailed requirements:
1.1 Establish firewall and router configuration standards that include: network connectivity diagrams; documentation of formal testing of firewall and router rules, review and change processes; documentation of roles engaged in network component logical management; and business justification for use of all services, protocols, and ports allowed.
1.2 Build a firewall configuration that restricts connections between untrusted networks and any system components in the cardholder data environment.
1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.
1.4 Install personal firewall software on any mobile and/or employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), which are used to access the organization's network.

Rapid7 solution:
Use Rapid7 NeXpose to:
- Provide customizable scan settings that can be used to set up a baseline configuration of policies and settings to use when performing on-going scanning of firewalls, routers, switches, hubs, ports and network services. Generate a comprehensive mapping of network devices and services in order to detect devices and services that may allow connections between an untrusted network and any system components in the cardholder environment. (Requirement 1.1)
- Scan and monitor firewall and router configuration for vulnerabilities and adherence to baseline configuration and policy settings, specifically to detect configuration violations that allow unauthorized connections between cardholder data environments and untrusted networks. (Requirement 1.2)
Use Rapid7 PCI Consulting Services to:
- Recommend best practices to optimize network security components, including firewall and router configuration standards. Evaluate and document security controls, identify gaps in your security program, determine if security policies are being followed in actual day-to-day operations, and recommend ways to address any deficiencies. (Requirements 1.3 and 1.4)

Requirement 2: Do not use vendor-supplied defaults for systems

Detailed requirements:
2.1 Always change vendor-supplied defaults before installing a system on the network; for example, include passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts.
2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
2.3 Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
2.4 Shared hosting providers must protect each entity's hosted environment and cardholder data. These providers must meet specific requirements as detailed in Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers.

Rapid7 solution:
Use Rapid7 NeXpose to:
- Utilize our customized policy compliance framework to monitor for access violations, including number of login attempts, password length, allowable special characters etc. Audit users and groups on your systems, and discover unnecessary accounts to be eliminated (i.e. default vendor-supplied accounts, terminated employee accounts), allowing you to review results either in the UI or in a report format so you can then use the data to inform your information access and management policies. (Requirement 2.1)
- Utilize our customized policy compliance framework to configure and implement automated monitoring access controls based on your own internal policies or based on best practices defined by external groups (i.e. SANS, CIS or NIST). (Requirement 2.2)
Use Rapid7 PCI Consulting Services to:
- Evaluate configuration of all non-console administrative access to ensure appropriate use of encryption in security controls, and to identify vulnerabilities that could lead to tampering with encryption keys in files and other encryption controls. (Requirement 2.3)
- Evaluate and recommend whether shared hosting providers meet requirements defined in Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers. (Requirement 2.4)

Requirement 3: Protect stored cardholder data

Detailed requirements:
3.1 Keep cardholder data storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy.
3.2 Do not store sensitive authentication data after authorization (even if encrypted).
3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed).
3.4 Render PAN, at minimum, unreadable anywhere it is stored (including on portable digital media, backup media, in logs) by using any of the following approaches: one-way hashes based on strong cryptography; truncation; index tokens and pads (pads must be securely stored); strong cryptography with associated key-management processes and procedures.
3.5 Protect cryptographic keys used for encryption of cardholder data against both disclosure and misuse.
3.6 Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data.

Rapid7 solution:
Use Rapid7 PCI Consulting Services to:
- Evaluate cardholder data policy to ensure appropriate data retention and disposal policy documentation as part of Rapid7 PCI Gap Analysis. Test if documentation is followed in practice by adding Rapid7 Social Engineering services to your Gap Analysis. (Requirement 3.1)
- Identify gaps in your security program and determine if security policies are being followed in actual day-to-day operations (i.e. data storage policies, PAN masking, and protection of cryptographic keys) as part of PCI Gap Analysis and Penetration Testing. (Requirements 3.2 to 3.5)
- Evaluate key-management processes and procedures for encryption of cardholder data, and provide recommendations as part of Rapid7 PCI Gap Analysis. (Requirement 3.6)

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Detailed requirements:
4.1 Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.
4.2 Never send unencrypted PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat).

Rapid7 solution:
Use Rapid7 NeXpose to:
- Utilize our customized policy compliance framework to configure and monitor traffic over secured and unsecured ports. Identify all open ports and log all information, including any evidence that any Web applications, software enterprise applications, or databases are not using the ports assigned as secure ports for transmitting secure cardholder data. (Requirement 4.1)
Use Rapid7 PCI Consulting Services to:
- Recommend best practices to optimize data security, including end-user messaging policies. Evaluate and document security controls, identify gaps in your security program, determine if security policies are being followed in actual day-to-day operations, and recommend ways to address any deficiencies. (Requirement 4.2)

Requirement 5: Use and regularly update antivirus software

Detailed requirements:
5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
5.2 Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit

Rapid7 solution:
Use Rapid7 NeXpose to:
- Provide customizable scan settings for continuous, automatically generated, comprehensive mapping of all assets, including applications such as anti-virus software. (Requirement 5.1)
- Utilize our customizable risk scoring, policy auditing, and vulnerability scanning to alert you of policy violations or misconfigurations, including versioning and patch levels. (Requirement 5.2)

Requirement 6: Develop and maintain secure systems and applications

Detailed requirements:
6.1 Ensure that all system components and software have the latest vendor-supplied security patches installed. Install critical security patches within one month of release.
6.2 Establish a process to identify newly discovered security vulnerabilities (for example, subscribe to alert services freely available on the Internet). Update configuration standards as required by PCI DSS Requirement 2.2 to address new vulnerability issues.
6.3 Develop software applications in accordance with PCI DSS (for example, secure authentication and logging) and based on industry best practices, and incorporate information security throughout the software development life cycle.
6.4 Follow change control procedures for all changes to system components.
6.5 Develop all web applications (internal and external, and including web administrative access to application) based on secure coding guidelines such as the Open Web Application Security Project Guide.
6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks.

Rapid7 solution:
Use Rapid7 NeXpose to:
- Scan all system assets to ensure security patches and configurations are maintained based on user-specified parameters for all system components and software, including Web applications, enterprise software, network components, and databases. (Requirement 6.1)
- Perform both scheduled and ad-hoc internal vulnerability scans to monitor the security posture based on vulnerabilities, configuration, and compliance status of your entire infrastructure, including network devices, databases, Web applications, off-the-shelf commercial/enterprise applications, open source applications, in-house custom applications, servers, operating systems, services and all IP-enabled devices using the most up-to-date vulnerability checks provided by Rapid7's update services. NeXpose checks for updates every 6 hours; there is a 24-hour SLA for Windows machines when new Microsoft vulnerability bulletins are released. Provides up-to-date vulnerability checks, including reliable 24 hour response to Microsoft Patch Tuesday, plus new vulnerability updates twice per month. (Requirements 6.2 and 6.6)
- Perform ad-hoc vulnerability scans to monitor the security posture based on vulnerabilities, comparison to desired baseline configuration, and compliance status of specific systems, including any custom Web applications or custom installed applications. NeXpose allows administrators to set up custom asset groups. Applications under development can be put in an asset group in a testing area outside the production environment, and scanned for vulnerabilities to validate that secure coding guidelines are incorporated into the change control procedures. Fix weak code throughout the entire software development cycle, and continue on an on-going basis to address new threats. (Requirements 6.3 to 6.4, and 6.6)
Use Rapid7 PCI Consulting Services to:
- Review custom Web application coding to ensure secure best practices based on secure coding guidelines by testing the application using the Full OWASP Testing Methodology framework from the Open Web Application Security Project Guide as part of an onsite PCI Gap Analysis. Complete Web application assessment testing to identify vulnerabilities based on the OWASP Top 10. (Requirement 6.5)

Requirement 7: Restrict access to cardholder data by business need-to-know

Detailed requirements:
7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.
7.2 Establish an access control system for system components with multiple users that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed.

Rapid7 solution:
Use Rapid7 PCI Consulting Services to:
- Recommend best practices to optimize data security, including system access policies to limit access to system components and cardholder data to only those whose job role absolutely requires such access. Evaluate and document security controls, identify gaps in your security program, determine if security policies are being followed in actual day-to-day operations, and recommend ways to address any deficiencies. (Requirement 7.1)
Use Rapid7 NeXpose to:
- Leverage our customized policy compliance framework to set up automated monitoring access controls (including adherence to policies for role-based access) to validate enforcement of access restrictions. (Requirement 7.2)

Requirement 8: Assign a unique ID to each person with computer access

Detailed requirements:
8.1 Assign all users a unique ID before allowing them to access system components or cardholder data.
8.2 In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users: password or passphrase; two-factor authentication (for example, token devices, smart cards, biometrics, or public keys).
8.3 Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties. Use technologies such as remote authentication and dial-in service (RADIUS); terminal access controller access control system (TACACS) with tokens; or VPN (based on SSL/TLS or IPSEC) with individual certificates.
8.4 Render all passwords unreadable during transmission and storage on all system components using strong cryptography (defined in PCI DSS Glossary of Terms, Abbreviations, and Acronyms).
8.5 Ensure proper user authentication and password management for n

Rapid7 solution:
Use Rapid7 NeXpose to:
- Leverage our customized policy compliance framework to set up automated monitoring access controls, including number of login attempts, password length, allowable special characters, and other login ID access control policies. (Requirements 8.1 - 8.2, 8.4)
Use Rapid7 PCI Consulting Services to:
- Recommend best practices to optimize data security, including usage of two-factor authentication for remote access to the network, secure dial-in service, terminal access controls with tokens, or VPNs with individual certificates. (Requirement 8.3)
- Evaluate and document security controls, identify gaps in your security program, determine if security policies are being followed in actual day-to-day

Requirement 9: Restrict physical access to cardholder data
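Requirements 3.3 and 3.4 above prescribe what a system may show of a PAN and how it must be kept in storage and logs. The following is an added example written for this page, not code from the Rapid7 guide or from NeXpose, showing each of those controls in working form: masking for display, truncation and a keyed one-way hash for storage, and a detection pass over log lines that flags a PAN stored in the clear. The PAN, key and log lines are constructed test values, and the Luhn filter used to cut false positives is this example's own choice.

```python
"""PAN handling for PCI DSS v1.2 Requirements 3.3 and 3.4.

Added example, not code from the Rapid7 guide or from NeXpose. All PANs,
keys and log lines below are constructed test values, not real card data.
"""
import hashlib
import hmac
import re
from typing import List

PAN_RE = re.compile(r"\d{13,19}")
# Digit runs of PAN length that are not embedded in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test; filters mistyped PANs and non-PAN numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Requirement 3.3: when displayed, show at most the first six and last four digits."""
    if not PAN_RE.fullmatch(pan):
        raise ValueError("PAN must be 13 to 19 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Requirement 3.4, truncation: persist only the digits 3.3 allows on display.
    The middle digits are discarded, so the full PAN cannot be rebuilt from storage."""
    if not PAN_RE.fullmatch(pan):
        raise ValueError("PAN must be 13 to 19 digits")
    return pan[:6] + pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Requirement 3.4, one-way hash based on strong cryptography.

    A keyed HMAC-SHA256 is used rather than a bare SHA-256: the PAN space is
    small (issuer prefixes are public and the check digit is derived), so an
    unkeyed hash of a PAN can be recovered by enumeration. The key is a secret
    that Requirements 3.5 and 3.6 then oblige you to protect and manage.
    """
    if not PAN_RE.fullmatch(pan):
        raise ValueError("PAN must be 13 to 19 digits")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def find_unmasked_pans(lines: List[str]) -> List[int]:
    """Requirement 3.4 also covers logs: return the indexes of lines containing
    a Luhn-valid digit run of PAN length, i.e. a PAN written in the clear.
    Masked PANs contain '*' and never match; order numbers and timestamps that
    fail the Luhn check are ignored, which keeps false positives down."""
    hits = []
    for idx, line in enumerate(lines):
        if any(luhn_valid(m.group()) for m in CANDIDATE_RE.finditer(line)):
            hits.append(idx)
    return hits


# Constructed sample values (4111... is a widely used test PAN, not a live card).
TEST_PAN = "4111111111111111"
TEST_KEY = b"constructed-demo-key-do-not-reuse"
SAMPLE_LOG = [
    "2009-05-01 12:00:01 auth ok pan=411111******1111 amount=19.99",
    "2009-05-01 12:00:02 auth ok pan=4111111111111111 amount=5.00",
    "2009-05-01 12:00:03 order=1234567890123 shipped",
]

if __name__ == "__main__":
    print(mask_pan(TEST_PAN))               # 411111******1111
    print(truncate_pan(TEST_PAN))           # 4111111111
    print(hash_pan(TEST_PAN, TEST_KEY))     # 64 hex characters, stable for the same key
    print(find_unmasked_pans(SAMPLE_LOG))   # [1]
```

Only the second log line is reported: the first carries a masked PAN and the third carries a 13-digit order number that fails the Luhn check. In a real deployment the key passed to hash_pan lives in a key store, not in source, which is exactly the boundary Requirements 3.5 and 3.6 address.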
