Payment Card Industry Data Security Standard

The Payment Card Industry Data Security Standard (PCI DSS) is a security standard for protecting credit card transactions.

It was established from five previous security programs setup by the major credit card companies, which all shared similar goals. In 2004 the first version of PCI DSS was established, and the major vendors adopted it. There have been several revisions and updates to the requirements since that time. Any organisation that wants to handle data related to credit card transactions, from the main credit card companies, must configure their network and server infrastructure in compliance with the PCI DSS requirements. Failure to do so can result in them losing the ability to store and process credit card transaction data.

The six PCI DSS objectives

Ensuring security of infrastructures used for payment processing and prevention of PII misuse

Maintenance of a secure network and systems

Covers the use of technologies such as firewalls as well as defines that factory supplied default authentication data and security parameters be changed on network systems.

Protection of systems against vulnerabilities and malicious activities

Mandates the use of regularly updated anti-malware software along with development of secure applications and use of.

Regular network monitoring and testing

Dictates that measures be enacted to ensure that networks security processes are behaving properly and that access to network resources and card holder data is tracked.

Protection of card holder data

Entails that controls be put in place to protect stored data against hacking and that effective encryption methods be used for data in transit.

Restricted access to system and operational information

Involves restriction of access to card holder data based on a need-to-know policy. In other words, card holders shouldn’t be required to provide.

Implementation, maintenance and enforcement of a formal security policy

Requires that an information security policy be followed by all personnel along with audits and non-compliance penalties.

Supporting PCI Compliance with Kemp

Web facing applications are the leading target of cyber-attacks because of the potential gains that can be achieved by those who stage them. Significant losses can be inflicted on organizations that suffer breaches which result in compromised card holder data. Technologies serving and delivering web facing applications must support the satisfaction of PCI DSS requirements. Load balancers accelerate, scale and ensure the availability of web applications. Given their criticality to application deployments and key placement between clients and workload servers customers expect load balancers provide mechanisms to help organizations meet PCI DSS compliance.

Kemp’s LoadMaster is delivered with support for multi-cloud and hybrid cloud environments and is compatible with deployment on a many platform types making it easy for customers to scale and optimize their application infrastructures. Integrated distributed denial of service (DDoS) mitigation, intrusion prevention/intrusion detection (IPS/IDS), authentication verification and web application firewalling (WAF) help customers protect their deployment. Since the load balancer has a requirement to inspect incoming traffic, even in encrypted streams, it’s an ideal placement for these types of services. Kemp does not claim LoadMaster will make an environment fully PCI DSS compliant it helps customers meet the requirements.

LoadMaster helps customers meet PCI DSS requirements
for application deployments.

  • Requirement 1.2: Deny traffic from untrusted networks and hosts
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  • Requirement 3.3: Mask account numbers when displayed
  • Requirement 3.5: Protect encryption keys from disclosure and misuse
  • Requirement 4.1: Use strong cryptography and security protocols
  • Requirement 6.6: Audit and correct application vulnerabilities or implement a web application firewall