The PCI Compliance Challenge
The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to provide a common framework for how companies handling credit card data should protect that information. PCI security is enforced through annual audits, and non-compliant organizations face a broad range of penalties, including large fines. The standard is made up of 12 requirements for protecting credit card data. Database monitoring and protection can help enterprises meet 5 of the 12 PCI requirements.
PCI requirements and how database monitoring and protection addresses them:
PCI 1: Install and maintain a firewall configuration
Once a firewall is in place, database monitoring and protection helps ensure that the right IP addresses are coming through the firewall. By monitoring network IP addresses, database monitoring can identify untrusted networks.
PCI 3: Protect stored cardholder data
To protect cardholder data, enterprises must know what is happening to that data at all times. Database monitoring and protection provides detailed and automated insight into user activity affecting cardholder data. Database monitoring is also a compensating control in situations where encryption is not practical or possible.
PCI 6.3.3: Separation of duties between development, test and production environments
Maintaining separation between those who build and maintain database applications, those who create data activity reports for auditors, and those who maintain database content is critical for cardholder data security. Database monitoring and protection helps enforce separation of duties.
PCI 7: Implement strong access controls
Data monitoring helps validate that access controls are working. If access controls are compromised, database monitoring and protection helps track who accessed data, providing an additional layer of cardholder data security.
PCI 10: Track and monitor all access to network resources and cardholder data
Requirement 10 mandates the auditing of all accesses to cardholder data, the review of audit logs daily, and the ability to reconstruct a range of events tied to cardholder information—with detailed audit trails for each event. Controls recommended to address PCI 10 include: discovering where your sensitive credit card data exists; auditing all database activity; auditing all privileged user activity; and providing regular summary and detailed reports on all data activity. Database monitoring and protection addresses all of these requirements with no negative impact on existing systems, applications and processes.
Tizor Mantra for PCI Compliance
Mantra is a transparent, high performance network appliance that continuously monitors and audits all data access traffic to and from database servers and file systems. Mantra reduces business risk and lowers IT costs by enabling the highest level of compliance assurance, data protection, and data privacy.
Mantra is a scalable, intelligent solution for meeting PCI and other database monitoring and protection requirements. Policy-driven and completely transparent to users, Mantra gives you the ability to:
- Automatically discover where cardholder and other sensitive data resides in your databases
- Determine exactly who is doing what with this data
- Audit database and file server traffic from a single appliance, without impacting production systems
- Audit all privileged user activity—including DBAs and system administrators—in real time
- Satisfy segregation of duties requirements for DBAs and other compliance or security staff, with no impact on productivity
- Minimize the number of appliances required to audit the often scattered repositories of PCI data
- Employ real-time analytics to identify anomalous user behavior in time to mitigate cardholder data risk
- Generate a broad range of reports for auditors, managers, executives, and other stakeholders
Figure 1: PCI Policy Summary Report

Mantra's unique combination of Data Discovery, Content Scanning and predefined PCI Policy Templates can help you deploy your first PCI policy set in a matter of hours, enabling the auditing of:
- In-flight data that matches any major card issuer's account number pattern
- Read and write access to PCI data
- Changes to user definitions and privileges
- Database schema and file system changes
- Errors and exceptions
- Source locations of data access activity—host names, user IDs, IP addresses, and port numbers
- Time, program name, accessed data size and other parameters for each data access event—including the complete data access command
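The audit items listed above (in-flight card numbers matching an issuer pattern, read and write access to PCI data, privilege and schema changes, errors, and the source location and full command of each event) can be modelled as a small policy evaluator. The following is an added example written for this page, not Tizor's or Mantra's code and not its policy language; the table names, users, hosts, addresses, issuer prefix patterns and trusted network range are all constructed for illustration, and the PCI table list stands in for what a data discovery step would produce. It also shows the check a practitioner would want on top of a bare pattern match: a Luhn check to discard numeric values that merely look like a PAN, and masking of any PAN that does get reported, so the audit trail itself does not store cardholder data in the clear.

```python
"""
Toy PCI audit-policy evaluator (added example; not Tizor/Mantra code).

Each AuditEvent carries the fields the audit list above names: time,
user, source host/IP/port, program name and the complete data access
command. classify() returns the policy findings for one event and
summarize() rolls them up for a daily-review style report.
"""
import ipaddress
import re
from dataclasses import dataclass

# Issuer account-number patterns (constructed approximations: prefix and
# length only). The Luhn check below filters out most false positives.
ISSUER_PATTERNS = {
    "Visa": re.compile(r"\b4\d{12}(?:\d{3})?\b"),
    "Mastercard": re.compile(r"\b5[1-5]\d{14}\b"),
    "Amex": re.compile(r"\b3[47]\d{13}\b"),
    "Discover": re.compile(r"\b6(?:011|5\d{2})\d{12}\b"),
}

# Assumed output of a data discovery step: tables known to hold PCI data.
PCI_TABLES = {"payments.card", "payments.txn"}
# Assumed trusted network range; anything else is an untrusted source.
TRUSTED_NETS = [ipaddress.ip_network("10.1.0.0/16")]

PRIV_CHANGE = re.compile(r"^\s*(GRANT|REVOKE|(CREATE|ALTER|DROP)\s+USER)\b", re.I)
SCHEMA_CHANGE = re.compile(r"^\s*(CREATE|ALTER|DROP)\s+(TABLE|INDEX|VIEW)\b", re.I)
WRITE = re.compile(r"^\s*(INSERT|UPDATE|DELETE|MERGE)\b", re.I)
READ = re.compile(r"^\s*SELECT\b", re.I)


@dataclass
class AuditEvent:
    time: str
    user: str
    host: str
    src_ip: str
    src_port: int
    program: str
    command: str      # the complete data access command
    error: str = ""   # non-empty when the server returned an error


def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check used to validate card number candidates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six and last four digits; never report a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str):
    """Return (issuer, masked PAN) for every Luhn-valid candidate in text."""
    return [(issuer, mask(m.group()))
            for issuer, pat in ISSUER_PATTERNS.items()
            for m in pat.finditer(text) if luhn_ok(m.group())]


def classify(ev: AuditEvent):
    """Evaluate one event against the policy set; returns finding tags."""
    findings = []
    if not any(ipaddress.ip_address(ev.src_ip) in n for n in TRUSTED_NETS):
        findings.append("untrusted-source")
    if PRIV_CHANGE.match(ev.command):
        findings.append("privilege-change")
    if SCHEMA_CHANGE.match(ev.command):
        findings.append("schema-change")
    if any(t in ev.command.lower() for t in PCI_TABLES):
        if WRITE.match(ev.command):
            findings.append("pci-write")
        elif READ.match(ev.command):
            findings.append("pci-read")
    if ev.error:
        findings.append("error")
    for issuer, masked in find_pans(ev.command):
        findings.append(f"pan-in-flight:{issuer}:{masked}")
    return findings


def report_line(ev: AuditEvent) -> str:
    """One audit-trail line: source location, program, then findings."""
    tags = ", ".join(classify(ev)) or "ok"
    return f"{ev.time} {ev.user}@{ev.host} {ev.src_ip}:{ev.src_port} [{ev.program}] {tags}"


def summarize(events):
    """Count findings by category for a summary report."""
    counts = {}
    for ev in events:
        for tag in classify(ev):
            key = tag.split(":")[0]
            counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample traffic; all values are invented.
SAMPLE_EVENTS = [
    AuditEvent("2024-05-01T09:12:03Z", "app_svc", "app01", "10.1.2.10", 51002, "webapp",
               "SELECT last4, exp FROM payments.card WHERE cust_id = 1042"),
    AuditEvent("2024-05-01T09:15:44Z", "dba_jane", "ops-ws7", "10.1.9.31", 60211, "sqlplus",
               "SELECT pan FROM payments.card WHERE pan = '4111111111111111'"),
    AuditEvent("2024-05-01T09:16:02Z", "dba_jane", "ops-ws7", "10.1.9.31", 60211, "sqlplus",
               "GRANT SELECT ON payments.card TO report_ro"),
    AuditEvent("2024-05-01T09:20:17Z", "batch", "etl02", "10.1.4.5", 43310, "etl",
               "INSERT INTO payments.txn (order_ref, amt) VALUES ('4111111111111112', 19.99)"),
    AuditEvent("2024-05-01T09:21:00Z", "guest", "unknown", "203.0.113.9", 50233, "unknown-client",
               "SELECT * FROM payments.card", error="ORA-00942: table or view does not exist"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(report_line(ev))
    print(summarize(SAMPLE_EVENTS))
```

The fourth sample event is the instructive one: the order reference looks like a 16-digit Visa number but fails the Luhn check, so it is recorded only as a write to a PCI table rather than as a card number in flight. A real deployment would replace the constructed PCI_TABLES and TRUSTED_NETS with the output of data discovery and the firewall's actual trusted ranges.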
All audit data is stored securely in the Mantra environment. Mantra includes advanced forensic tools for analyzing audit data and generating reports for any incident or transaction, to any level of granularity. Mantra's automated workflow capabilities make it easy for the appropriate stakeholders to review and approve reports and project managers to oversee the workflow process. In addition, all audit data can be archived for future analysis.
MANTRA ADVANTAGES
Mantra's transparent appliance monitors, alerts, and reports on all critical data, structured or unstructured, wherever it resides, with no impact on systems or processes.
With Mantra's advanced analytics, enterprises get real-time insight into, and control over, all user activity directed at PCI-related data assets. Mantra advantages include:
Deploys Faster - Mantra makes it easy to deploy a database monitoring solution. Every aspect of the product has been designed for ease of use, productivity, and speed of deployment. With Mantra, your project will be deployed faster and you will use fewer resources.
Discovers Data - Mantra can determine where sensitive cardholder data resides and how it may be vulnerable to theft and misuse. Mantra identifies the location of all databases, tables, columns, and specific types or classes of data.
Most Intelligent - Event capture, analysis, and storage are rule-driven with pioneering real-time filtering, forensics and analytics—including Fingerprinting® technology.
Most Scalable - Mantra was architected specifically to meet the high-performance requirements of the largest enterprise data centers. Auditing over 50,000 transactions per second, with no dropped packets, Mantra captures all critical data activity with no impact on networks, databases, or file systems.
Broadest Coverage - Mantra provides the most comprehensive data monitoring coverage today with support for relational databases, file servers and mainframe applications in a wide variety of current and legacy systems—coverage across the largest, most diverse data centers.
Content Scanning - Mantra can scan database and file server traffic for specific data patterns that may represent sensitive data, such as credit card numbers, SSNs, or other site-specific data items. Content scanning can be combined with Tizor's Behavioral Fingerprinting® technology to detect suspicious user activity in real time.
Three-way Auditing - Mantra offers real-time, policy-based agent-less auditing of network traffic plus the choice of agent-less or agent-based local auditing—depending on what best suits your company's local auditing and privileged user monitoring needs.
English-like Policy Language - Pre-defined PCI policies come with Mantra, but if they are needed, custom policies for PCI and other compliance regulations are easy to create and deploy—without DBA or programming skills.
Workflow and Reporting - Pre-defined PCI reports are built in. Custom reports are simple to create and schedule. Automated review and approval functionality makes it easy to generate and manage reports for a wide variety of stakeholders including PCI auditors.
HOW MANTRA WORKS
Mantra scales to meet the needs of the largest enterprise data centers without impacting performance on production servers or applications. Mantra network monitoring requires local appliance setup only—no reconfiguration of production servers, software, network, or applications—a key benefit for overburdened IT staffs. Mantra local auditing capabilities provide a choice of agent or agent-less auditing—depending on the specific local auditing needs of your organization. Multiple appliances, deployed across one or more data centers, can be inserted as needed anywhere in the network and managed from centralized or distributed admin dashboards.
Figure 2: Mantra Deployment

ABOUT TIZOR
Tizor provides the world's largest companies with the only enterprise database monitoring and protection solutions capable of auditing, reporting and alerting on all critical data activity across the enterprise data center—databases, file servers, and mainframe applications. Tizor's global enterprise customers include financial institutions, insurance companies, retailers, manufacturers, healthcare providers and airlines, among others. These companies rely on Tizor's Mantra solutions to protect critical data assets, detect data breaches and provide data-related compliance, including SOX and PCI.
Headquartered in Maynard, Massachusetts, Tizor is a member of IBM's Data Governance Council.
To learn more call: 1-800-231-8224
Data Auditing Blog: http://blog.tizor.com