NetVision Solution for PCI Compliance

PCI-DSS (Payment Card Industry Data Security Standards) is a set of information security requirements proposed by members of the payment card industry, including Visa, MasterCard, American Express, Discover, and others. Often referred to simply as PCI, this set of requirements is not mandated by law. Rather, it is an attempt by the payment card industry to self-regulate in order to avoid federal government intervention of the kind that has occurred in other industries (e.g. GLBA and HIPAA). Fines and penalties for PCI non-compliance are imposed and/or enforced by the PCI members themselves. For example, Visa could fine a retailer for non-compliance and may eventually discontinue service to that retailer if requirements are not met by given deadlines. MasterCard or American Express may choose to levy different fines, or fines with different terms, than Visa. For more information on PCI, visit the PCI web site at www.pcisecuritystandards.org.

There are twelve (12) PCI-DSS requirements organized in six (6) groups known as control objectives. The table below outlines the control objectives and associated requirements and provides detail on how NetVision solutions can be applied to meet PCI requirements. This document presents the combined capabilities of NetVision NVAssess (state-based reporting) and NetVision NVMonitor (real-time activity event tracking, monitoring, alerting, and reporting of transient events).

Please contact NetVision to learn more about how NetVision solutions can be implemented to support your organization's PCI compliance efforts!



Control Objective: Build and Maintain a Secure Network

Requirement 1:
Install and maintain a firewall configuration to protect cardholder data.

NetVision does not report on, monitor or audit firewall technologies.

Requirement 2:
Do not use vendor-supplied defaults for system passwords and other security parameters.

For payment card systems that leverage Active Directory or eDirectory as the authentication store, NetVision NVAssess provides reports on many system security parameters. NetVision policies can be configured to report on vendor-supplied defaults. Some supported parameters include:

  • Active Directory Group Policy Objects (including non-default or extended GPO objects).
  • Windows and NetWare file system Access Control Lists (ACLs). [SUSE Linux available Q4 2007]
  • Active Directory and eDirectory objects and attributes (admin group memberships, account status, etc.). For example, this requirement may be interpreted to mean that the default AD Administrator account should be disabled once appropriate users have been granted administrative privileges. NetVision can report on the accounts and groups that ship by default to verify that they have been changed.
  • eDirectory Universal Password Snap-in settings.

NetVision NVMonitor can be deployed to monitor these settings and to alert and/or report on attempts to change set values. Through NetVision event consumer extensibility, NetVision customers can remediate change attempts to ensure that security parameters are not set back to a default or another out-of-policy value.

Control Objective: Protect Cardholder Data

Requirement 3:
Protect stored cardholder data.

NetVision does not provide data encryption solutions. If cardholder data is stored on a supported file system or as an attribute in a supported directory, the combination of NetVision NVAssess and NVMonitor can provide reporting and real-time monitoring of access and/or changes to that information, or to the rights applied to that information.

Requirement 4:
Encrypt transmission of cardholder data across open, public networks.

NetVision does not provide data encryption solutions.

Control Objective: Maintain a Vulnerability Management Program

Requirement 5:
Use and regularly update anti-virus software or programs.

NetVision does not provide anti-virus solutions.

Requirement 6:
Develop and maintain secure systems and applications.

NetVision does not provide systems management, maintenance or application change control solutions.

Control Objective: Implement Strong Access Control Measures

Requirement 7:
Restrict access to cardholder data by business need-to-know.

The combination of NetVision NVAssess and NVMonitor can report on and monitor power (rights and privileges) granted via Active Directory or eDirectory group memberships, account attributes or file system ACLs on supported platforms. NVAssess and NVMonitor also report on and monitor file system access on supported file systems. Monitoring for access on additional platforms (Unix/Linux varieties, database content, Identity & Access Management systems) is on NetVision's near- and long-term product roadmap.

Requirement 8:
Assign a unique ID to each person with computer access.

8.2 – Specific to this requirement, NetVision NVAssess can report on the users who do or do not have the "smart card required" account option selected. This setting is important in an environment that requires two-factor authentication via smart card logons.

8.5.1 – NetVision NVAssess and NVMonitor can report on and monitor Active Directory user accounts: account creation and deletion, account status and account attributes. The monitoring capability of NVMonitor can alert an organization if an account is created outside of a defined provisioning process.

8.5.4 - 8.5.6 – NetVision NVAssess can report on disabled accounts and on accounts that have been inactive within a specified time period, which can help verify that terminated employees no longer have system access.

8.5.7, 8.5.9 - 8.5.14 – The combination of NetVision NVAssess and NVMonitor can report on and monitor the AD password policy and eDirectory Universal Password Snap-In settings that define password complexity requirements, password duration, password history and lockout requirements. These reports can be used to verify the configuration and to document the requirements for employee notification.

8.5.15 – NetVision NVAssess can report on the current settings of the Active Directory GPO that determines account lockout duration. NetVision NVMonitor can monitor changes to the GPO and ensure that changes are not made outside of policy. In addition to identifying the GPO object that has been changed, NVMonitor also identifies the user who made the change.

8.5.16 – NetVision NVMonitor can record and track all logon attempts and/or specific failed logon types against AD or eDirectory.
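As an added illustration of the state-based checks behind 8.2 and 8.5.4 - 8.5.6 (this is example code, not NetVision's own), the snippet below classifies directory account records by their userAccountControl flags and lastLogonTimestamp. The flag values and FILETIME encoding are Microsoft's documented ones; the account records, review date and 90-day inactivity threshold are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Documented userAccountControl bit masks (Active Directory).
ACCOUNTDISABLE = 0x0002
SMARTCARD_REQUIRED = 0x40000

# lastLogonTimestamp is a Windows FILETIME: 100-ns ticks since 1601-01-01 UTC; 0 means never.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    d = dt - FILETIME_EPOCH  # integer arithmetic avoids float rounding on ~1e16 ticks
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def review_accounts(accounts, now, inactive_days=90):
    """Map each account to its findings for PCI 8.2 (smart card) and 8.5.4-8.5.6 (disabled/inactive).
    Disabled accounts are reported as such and not checked further.
    Caveat: lastLogonTimestamp replicates lazily (by default only when older than 14 days),
    so the threshold should exceed that lag."""
    cutoff = now - timedelta(days=inactive_days)
    findings = {}
    for acct in accounts:
        uac = acct["userAccountControl"]
        last = filetime_to_datetime(acct["lastLogonTimestamp"])
        flags = []
        if uac & ACCOUNTDISABLE:
            flags.append("disabled")
        else:
            if not uac & SMARTCARD_REQUIRED:
                flags.append("no-smartcard-required")
            if last is None or last < cutoff:
                flags.append("inactive")
        findings[acct["sAMAccountName"]] = flags
    return findings

NOW = datetime(2007, 10, 1, tzinfo=timezone.utc)  # constructed review date

def _ft(days_ago):
    return datetime_to_filetime(NOW - timedelta(days=days_ago))

SAMPLE_ACCOUNTS = [  # constructed sample records, not real directory data (0x200 = NORMAL_ACCOUNT)
    {"sAMAccountName": "alice", "userAccountControl": 0x40200, "lastLogonTimestamp": _ft(10)},
    {"sAMAccountName": "bob", "userAccountControl": 0x200, "lastLogonTimestamp": _ft(200)},
    {"sAMAccountName": "carol", "userAccountControl": 0x202, "lastLogonTimestamp": _ft(5)},
    {"sAMAccountName": "pos_svc", "userAccountControl": 0x40200, "lastLogonTimestamp": 0},
]

def run_review():
    return review_accounts(SAMPLE_ACCOUNTS, NOW)

if __name__ == "__main__":
    for name, flags in run_review().items():
        print(f"{name}: {', '.join(flags) or 'ok'}")
```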

Requirement 9:
Restrict physical access to cardholder data.

NetVision does not specifically support physical access restriction unless physical restriction is automated with a solution that relies on Active Directory or eDirectory as the data store. In that scenario, NetVision would be able to report on and monitor physical access attempts – including providing alerts when an access attempt happens during specified time periods (e.g. 11pm – 6am) or by user accounts with specified attributes or group memberships.

Control Objective: Regularly Monitor and Test Networks

Requirement 10:
Track and monitor all access to network resources and cardholder data.

NetVision NVMonitor can report on and monitor authentication attempts by user name and success status.

10.2.3, 10.5.1 – NetVision NVMonitor can track access to audit trail log files, assuming the audit trail files are stored in a supported file system.

Additional access attempts that are written to the Active Directory event log can be captured as well.
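As an added example (not NetVision's code) of the event-driven monitoring described for Requirement 9 and Requirement 10, the snippet below runs three rules over authentication events: the 11pm - 6am window from Requirement 9, a watched-account list standing in for "accounts with specified attributes or group memberships", and repeated failures per user name. The event records, watched user and failure threshold are constructed assumptions.

```python
from datetime import datetime, time

# Constructed sample authentication events (not real log data); timestamps are local time.
SAMPLE_EVENTS = [
    {"time": "2007-10-01 08:15:02", "user": "alice", "success": True},
    {"time": "2007-10-01 23:40:11", "user": "bob", "success": True},
    {"time": "2007-10-02 02:05:45", "user": "alice", "success": True},
    {"time": "2007-10-02 09:00:00", "user": "carol", "success": False},
    {"time": "2007-10-02 09:00:07", "user": "carol", "success": False},
    {"time": "2007-10-02 09:00:15", "user": "carol", "success": False},
    {"time": "2007-10-02 10:30:00", "user": "dave", "success": True},
]
WATCHED_USERS = {"dave"}  # constructed: stands in for members of a watched admin group

def in_window(t, start=time(23, 0), end=time(6, 0)):
    """True if clock time t falls in [start, end); handles a window that crosses midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def analyze(events, watched=WATCHED_USERS, fail_threshold=3):
    """Return (rule, user, time) alerts in event order. A success resets the failure count."""
    alerts = []
    failures = {}
    for ev in events:
        ts = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
        if in_window(ts.time()):
            alerts.append(("off-hours", ev["user"], ev["time"]))
        if ev["user"] in watched:
            alerts.append(("watched-account", ev["user"], ev["time"]))
        if ev["success"]:
            failures[ev["user"]] = 0
        else:
            failures[ev["user"]] = failures.get(ev["user"], 0) + 1
            if failures[ev["user"]] == fail_threshold:  # alert once, when the threshold is hit
                alerts.append(("repeated-failures", ev["user"], ev["time"]))
    return alerts

def run_analysis():
    return analyze(SAMPLE_EVENTS)

if __name__ == "__main__":
    for rule, user, when in run_analysis():
        print(f"{when} {rule}: {user}")
```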

Requirement 11:
Regularly test security systems and processes.

NetVision can assist in the regular testing of system controls and user rights. NetVision NVMonitor goes a step further, enabling 24x7 real-time monitoring of user accounts, group membership changes, domain group policy changes and file system ACLs.

Specifically, NetVision NVMonitor can monitor file system changes and alert personnel when unauthorized file modifications occur (11.5). File comparisons are outside of our scope. Through NetVision event consumer extensibility, NetVision customers can remediate change attempts to ensure that security parameters remain set according to policy, thereby minimizing unexpected results during scheduled system tests.

Control Objective: Maintain an Information Security Policy

Requirement 12:
Maintain a policy that addresses information security for employees and contractors.

Through NetVision's unique partnership with Compliance Spectrum, NetVision offers NVPRC and Spectra. These products assist organizations with understanding regulatory requirements and developing appropriate internal policies. Spectra provides specific mappings from evidence collected by NetVision NVAssess and NVMonitor solutions back to ISO 27002 (formerly ISO 17799) and ultimately to governmental or industry regulations.
