Castleforce IT Security Team

Protect Cardholder Data

Requirement 4 Encrypt transmission of cardholder data across open, public networks

Sensitive information must be encrypted during transmission over networks that are easily accessed by malicious individuals. Misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols can be continued targets of malicious individuals who exploit these vulnerabilities to gain privileged access to cardholder data environments.


4.1 Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.

4.1.1 Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment, use industry best practices (e.g., IEEE 802.11i) to implement strong encryption for authentication and transmission.

  • For new wireless implementations, it is prohibited to implement WEP after March 31, 2009.
  • For current wireless implementations, it is prohibited to use WEP after June 30, 2010.
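Requirement 4.1 names the protocols but leaves their configuration to the implementer, and most failures in practice are weak settings rather than a missing protocol. The Python below is an added illustration, not code from this page or from any vendor listed on it: it builds a client-side TLS context with a TLS 1.2 floor, certificate validation and hostname checking, and an audit helper that reports the settings an assessor would flag. The function names are my own; the deliberately weak context exists only to show what the audit reports.

```python
import ssl
from typing import List


def make_pci_client_context() -> ssl.SSLContext:
    """Client context suitable for carrying cardholder data: TLS 1.2 floor,
    CA validation and hostname checking (hypothetical helper name)."""
    ctx = ssl.create_default_context()           # CERT_REQUIRED, check_hostname=True, system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3 / TLS 1.0 / TLS 1.1 outright
    return ctx


def make_legacy_client_context() -> ssl.SSLContext:
    """Deliberately weak context, used here only so the audit has something to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                    # must be switched off before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1  # legacy floor; modern OpenSSL builds may refuse it
    except (ValueError, ssl.SSLError):
        pass
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the list of settings that fall short of a strong-cryptography baseline."""
    findings: List[str] = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(make_pci_client_context()))   # expected: []
    print("legacy:  ", audit_context(make_legacy_client_context()))
    # In use, the hardened context is passed to ctx.wrap_socket(sock, server_hostname=host)
    # or to an HTTP client that accepts an SSLContext.
```

The audit reads the context's own attributes rather than a config file, so the same three checks can be run against any context an application builds before it is allowed to open a connection to a payment gateway.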

4.2 Never send unencrypted PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat).


Encryption Partners

DESlock+ (CESG CCTM): full disk, removable media, email and folder encryption. DES's award-winning DESlock+ encryption software helps organisations and individuals protect against all types of data breach by offering a simple yet extremely powerful set of encryption tools to protect data in transit and at rest. To meet the needs of government and corporate bodies, the DESlock+ software is certified in the UK by CESG, the UK national technical authority for information assurance, under its Claims Tested Mark (CCTM) scheme. DESlock+ also meets the FIPS 140-2 standard in the US and is validated by the National Institute of Standards and Technology (NIST). Available as DESlock Standard or DESlock PRO.

Secure Remote Access and SSL-VPN Partners

At Castleforce we are partnered with several leading SSL-VPN vendors and we can provide pre and post technical assistance with all the products listed. 

Juniper Networks (performance and networking security): networking and security solutions from Juniper Networks help consolidate network security for small, medium and large enterprises.

Stonesoft (Securing Information Flow): Stonesoft specialises in high-availability security appliances, including firewalls, IDS/IPS and SSL VPN, available as both hardware and virtual appliances.

SonicWALL (Protection at the speed of business): SonicWALL provides firewall products with unified threat management services such as network anti-virus, anti-spyware, virtual private networking (VPN), content filtering and other security services.

Celestix Networks is the premier developer of Microsoft Windows-based managed security appliances. The MSA security appliance from Celestix is specifically designed for network security, running a hardened version of Microsoft ISA Server 2006.

AEP Networks (SSL VPN, terminal services, Windows remote access): products for secure communications, secure networking, secure application access, SSL VPN, terminal services, Windows remote access, public key infrastructure, hardware security modules and PKI HSM.

Protect Card Holder Data

nuBridges Protect (data at rest and in transit): nuBridges Protect is designed to make it easier for IT to make your operations PCI DSS compliant. Here are just a few examples:

  • No database or file layout changes required — encrypt a 16-digit credit card number without changing your pre-defined file layout, your application screens, your reports
  • No database downtime during encryption: encryption processes run in the background, allowing high-availability systems to remain active

Supports two data protection methods:

  1. Distributed encryption with centralized key management that does not require a persistent connection between the hub and the spokes – the optimum in performance and availability;
  2. Format Preserving Tokenization™ with central data vault
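The second method above, tokenization with a central vault, works by replacing the PAN in every application record with a surrogate of the same length and character set, so screens, reports and fixed file layouts keep working while the real number lives only in the vault. The Python below is an added example of that idea and is not nuBridges' code or product design; the vault is an in-memory stand-in for an access-controlled store, and the class and function names are my own.

```python
import secrets
from typing import Dict


class TokenVault:
    """Hypothetical in-memory vault mapping tokens to PANs and back.
    A production vault lives in a hardened, audited store inside the CDE."""

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Return a format-preserving token: same length, all digits, same last four."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13-19 decimal digits")
        if pan in self._pan_to_token:               # same PAN always yields the same token
            return self._pan_to_token[pan]
        while True:
            # Randomise everything except the last four, which reports commonly display.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Resolve a token back to the PAN; raises KeyError for an unknown token."""
        return self._token_to_pan[token]


def tokenize_record(vault: TokenVault, record: Dict[str, str], field: str = "pan") -> Dict[str, str]:
    """Swap the PAN field for its token without touching any other field or its width."""
    out = dict(record)
    out[field] = vault.tokenize(record[field])
    return out


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample record using a well-known test card number.
    rec = {"order": "A1001", "pan": "4111111111111111", "amount": "19.99"}
    safe = tokenize_record(vault, rec)
    print(safe)                                   # pan replaced by a 16-digit token ending 1111
    print(vault.detokenize(safe["pan"]) == rec["pan"])   # True
```

Because the token has the PAN's shape, a database column or flat-file field declared for a 16-digit number accepts it unchanged, which is the "no layout change" property claimed above. Only the component that calls detokenize needs to be in scope for the stricter PCI controls; a practical refinement is to generate tokens that deliberately fail the Luhn check, so a token can never be confused with a live card number downstream.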

Contact Castleforce for help with PCI DSS

PCI DSS Core Principles

The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organised:

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters 

Requirement 3: Protect stored cardholder data

Requirement 5: Use and regularly update anti-virus software

Requirement 6: Develop and maintain secure systems and applications

Requirement 7: Restrict access to cardholder data by business need-to-know

Requirement 8: Assign a unique ID to each person with computer access

Requirement 9: Restrict physical access to cardholder data

Requirement 10: Track and monitor all access to network resources and cardholder data

Requirement 11: Regularly test security systems and processes

Requirement 12: Maintain a policy that addresses information security

Wireless LAN (WLAN) Security

Aruba Networks (secure wireless LAN products and services): Aruba's integrated policy-enforcement firewall, high-security encryption, standards-based authentication, wireless intrusion detection/prevention, and compliance audit reporting assistance meet or exceed the wireless LAN-specific security requirements in PCI DSS. Merchants using an Aruba solution can cost-effectively implement the security controls required for PCI compliance without compromising the performance of business applications or upgrading legacy networks.

Extricom (wireless LAN infrastructure): the Extricom WLAN product family is purpose-built to deliver robust, reliable connectivity. Extricom innovation makes the All-Wireless Enterprise possible by delivering voice (VoWLAN), data, video, and location services with an always-on, consistent, and mobile Wi-Fi connection to any client, in any environment.
