Helping Customers Meet PCI DSS Requirements
KEMP’s flagship ADC LoadMaster™ comes standard with support for private, public and hybrid cloud environments and can be deployed on a wide array of platform types, making it easy for customers to scale and optimize their application infrastructures. With features including integrated distributed denial of service (DDoS) mitigation, intrusion prevention/intrusion detection (IPS/IDS), authentication verification and web application firewalling (WAF), customers can rest assured that their deployment is protected. Because the ADC must inspect incoming traffic, including encrypted streams, it is an ideal placement for these types of services. While KEMP’s LoadMaster ADC doesn’t claim to make an environment PCI (Payment Card Industry) compliant, it definitely helps customers meet those requirements for their deployments. Here’s how:
Requirement 1.2: Deny traffic from untrusted networks and hosts
All systems in a PCI DSS compliant environment must be protected from unauthorized access from the internet, regardless of source. Network firewalls play a key role in meeting this requirement. KEMP’s LoadMaster with web application firewall protection further supports this by limiting access to only explicitly allowed entities and using only the protocols that are dictated as allowable on published services. IP reputation checking and blacklisting also make it possible to explicitly prevent access to application services by untrusted networks and hosts.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Default passwords make up one of the easiest ways for hackers to infiltrate networked environments and exploit vulnerabilities. Failure to change default passwords at deployment is a leading contributor to successful attacks. To support this requirement, KEMP’s LoadMaster products enable and require customers to change credentials at initial deployment to ensure that this task is always completed with every LoadMaster installation.
Requirement 3.3: Mask account numbers when displayed
While the parent objective of this requirement touches significantly on encryption of data at rest, requirement 3.3 primarily focuses on the obfuscation of PAN (primary account number) data when it is displayed. KEMP’s web application firewall engine can be easily configured through supplied and custom rules to look for patterns in web application server response data and prevent the leakage of sensitive personal information, such as credit card and social security numbers.
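The response-body check that such a masking rule performs, as an added example that is not KEMP’s or ModSecurity’s code: candidate digit runs are confirmed with the Luhn checksum so that order ids and phone numbers are left alone, and confirmed PANs are reduced to the first six and last four digits. The sample response and the card numbers in it are constructed (public test numbers).

```python
import re
from typing import Tuple

# Candidate PAN: 13-19 digits, each optionally followed by a space or dash.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812) that every real card number satisfies;
    it filters out numbers that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2  # doubled, digits of result summed
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits, as PCI DSS 3.3 permits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_response(body: str) -> Tuple[str, int]:
    """Return the body with Luhn-valid PANs masked, plus the number masked."""
    masked = 0

    def replace(match) -> str:
        nonlocal masked
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)            # not a card number: leave as is
        masked += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(replace, body), masked

# Constructed sample server response: an order id (13 digits, fails Luhn),
# a Visa and an Amex test number, and a 10-digit phone number.
SAMPLE_RESPONSE = (
    '{"order": "1234567890123", "card": "4111 1111 1111 1111", '
    '"amex": "378282246310005", "phone": "5551234567"}'
)

def demo() -> Tuple[str, int]:
    return scan_response(SAMPLE_RESPONSE)

if __name__ == "__main__":
    print(demo())
```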
Requirement 3.5: Protect encryption keys from disclosure and misuse
The protection of cryptographic keys used to encrypt transmitted cardholder data is imperative, since access to these keys would allow the data to be decrypted. The default protection afforded encryption keys by all KEMP LoadMasters is strong: key exports can only be performed with strong passphrase protection. By supporting FIPS 140-2 Level 2 compliance, the LoadMaster 5305-FIPS load balancer goes a step further, protecting encryption keys in a readily auditable physical hardware security module while delivering the application delivery functionality and support for all other listed PCI requirements.
Requirement 4.1: Use strong cryptography and security protocols
Since the internet is an open and public network, criminals can easily intercept cardholder data when it is transmitted. For this reason, efficient and up-to-date encryption methods must be used for cardholder data while in transit. KEMP’s LoadMaster provides a security overlay for applications to improve infrastructure security. LoadMaster further extends capabilities for administrators to restrict ciphers that can be used to access protected services as well as enable re-encryption for terminated traffic streams to ensure secure end-to-end flows.
Requirement 6.6: Audit and correct application vulnerabilities or implement a web application firewall
Application and system vulnerabilities are often used to gain malicious access to cardholder data. PCI DSS requirement 6.6 stipulates that all compliant organizations address new threats and vulnerabilities on public-facing web applications on an ongoing basis. They must also ensure that they are protected against known attacks by reviewing these threats via an application vulnerability security assessment at least annually and specifically after any changes. Alternatively, an organization can install an automated technical solution that detects and prevents web-based attacks (e.g. a web application firewall). It should be noted that the vulnerability scans and checks needed to meet this requirement are distinct from the assessments that must take place under other PCI DSS requirements. To reduce the number of manual or automated checks an organization must conduct, and to ensure that protection is automated, organizations often deploy a web application firewall. KEMP’s web application firewall, known as Application Firewall Pack (AFP), integrates one of the world’s most widely deployed open source web application firewall engines – ModSecurity – augmented by information security threat intelligence and research to comprehensively enable ongoing real-time protection against the latest application threats and prevent the exploitation of potential application code vulnerabilities. With a targeted focus on application-specific exploits missed by traditional firewalling techniques, AFP supports a defense-in-depth security posture, mitigates risk and helps organizations meet PCI DSS compliance.
KEMP’s LoadMaster platform enables organizations to address many of the core requirements of PCI DSS and has proven to be a valuable asset to many for securing their web application infrastructures.
Read the entire Application Delivery in PCI DSS Environments White Paper