Automating network PCI DSS monitoring and reporting
For any merchant accepting credit, debit or prepaid cards, the organization must prove compliance with the Payment Card Industry Data Security Standard (PCI DSS). The standard was established by the card brands and acquirers to reduce the risk of payment card fraud. As a merchant, you must prove compliance either through an assessment by a Qualified Security Assessor (QSA) or through a Self-Assessment Questionnaire (SAQ) audit.
The organization must decipher the broad components of the standard and determine which aspects apply to network components such as routers, switches and firewalls. Once those elements are defined, the IT staff needs to verify that every device meets the standard and then compile reports proving that the process, documentation, monitoring and control requirements have been followed. Most IT organizations do not get additional staff for PCI DSS audits, so the work is added to their existing workload.
Infoblox delivers solutions to automate and control compliance requirements for PCI DSS. Infoblox completed detailed research on the standards and developed specific rules and policies that impact network devices such as routers, switches and firewalls. Leveraging embedded rules and expertise, the solution identifies any violations, provides the ability to remediate issues within the same tool and generates a report with a single click to verify compliance for PCI DSS audits.
PCI DSS’s impact on the network infrastructure
PCI DSS poses unique challenges for a network manager or director. Often a security team is focused on the bigger picture of PCI DSS, but requires the network team to sign off saying the infrastructure meets the standards. However, the networking team has little knowledge of the standards or exactly what compliance elements impact the devices.
Now the networking team must decide if they just sign the report and hope they are within standards (risking PCI fines) or pull their staff off their day-to-day responsibilities and spend weeks or months digging into each requirement, ensuring the requirements are followed and completing the report. PCI DSS adds new challenges including:
- Understanding the elements - With hundreds of individual elements, the networking team must figure out the intent of the requirements and determine how each device is impacted.
- Defining rules - Once the element impact is defined, rules or policies must be created to compare current configurations with the standard templates.
- Identifying violations - The IT organization looks at individual devices and manually compares each configuration line to see whether it violates the standard.
- Remediating violations - Once a violation is detected, the IT organization must have the process to remediate and get it back within compliance.
- Proactive monitoring - The intent of the PCI DSS standard is compliance 365 days a year, so the IT team needs a way to ensure the network is compliant today as well as tomorrow.
- Reporting - Whether it’s for the QSA or SAQ audit, the networking team must provide proof that standards, process, control factors and documentation are met.
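The "defining rules", "identifying violations" and "reporting" steps above amount to one procedure: parse each device configuration, evaluate it against a set of rules, and emit a finding list that can serve as audit evidence. The following Python script is an added illustration of that procedure and is not Infoblox's code or rule set; the sample configurations, the `NET-0x` rule identifiers and the mapping of each rule to a PCI DSS requirement area (vendor defaults, encrypted administrative access, logging) are the author's own illustrative choices. It parses an IOS-style configuration, applies four rules (two "forbid this line", one "require this line", one block-aware check on `line vty`), and prints a per-device report.

```python
import re
from dataclasses import dataclass

# Constructed sample of an IOS-style router configuration (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
snmp-server community public RO
ip http server
logging host 10.0.0.50
line vty 0 4
 transport input telnet ssh
 exec-timeout 5 0
"""

# The same constructed device after remediation.
HARDENED_CONFIG = """\
hostname edge-rtr-1
!
snmp-server community Xk9-readonly RO
no ip http server
ip http secure-server
logging host 10.0.0.50
line vty 0 4
 transport input ssh
 exec-timeout 5 0
"""


@dataclass(frozen=True)
class Finding:
    rule_id: str
    description: str
    lines: tuple  # offending line numbers; empty when a required line is missing


def parse_config(text):
    """Return (line_number, line) pairs, skipping blanks and '!' comments.
    Leading indentation is kept so block sub-commands (e.g. under 'line vty')
    can be distinguished from top-level commands."""
    out = []
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        out.append((n, line.rstrip()))
    return out


def forbid(lines, pattern):
    """Line numbers of top-level commands matching a forbidden pattern."""
    rx = re.compile(pattern)
    return tuple(n for n, l in lines if not l.startswith(" ") and rx.match(l))


def require(lines, pattern):
    """True when at least one line matches a required pattern."""
    rx = re.compile(pattern)
    return any(rx.match(l) for _, l in lines)


def vty_telnet_lines(lines):
    """Line numbers of 'transport input' commands under 'line vty' that still permit telnet."""
    hits, in_vty = [], False
    for n, l in lines:
        if not l.startswith(" "):          # any top-level command ends the current block
            in_vty = l.startswith("line vty")
            continue
        tokens = l.split()
        if in_vty and tokens[:2] == ["transport", "input"] and {"telnet", "all"} & set(tokens[2:]):
            hits.append(n)
    return tuple(hits)


# Illustrative rule set (hypothetical identifiers); each check returns None when
# compliant, otherwise a tuple of offending line numbers (empty = required line missing).
RULES = [
    ("NET-01", "vendor-default SNMP community string in use (PCI DSS req. 2, vendor defaults)",
     lambda ls: forbid(ls, r"snmp-server community (public|private)\b") or None),
    ("NET-02", "cleartext HTTP management interface enabled (PCI DSS req. 2, encrypted admin access)",
     lambda ls: forbid(ls, r"ip http server\b") or None),
    ("NET-03", "telnet permitted on vty lines (PCI DSS req. 2, encrypted admin access)",
     lambda ls: vty_telnet_lines(ls) or None),
    ("NET-04", "no remote syslog host configured (PCI DSS req. 10, logging)",
     lambda ls: None if require(ls, r"logging host \S+") else ()),
]


def evaluate(config_text):
    """Run every rule over one configuration and return the list of findings."""
    lines = parse_config(config_text)
    findings = []
    for rule_id, description, check in RULES:
        result = check(lines)
        if result is not None:
            findings.append(Finding(rule_id, description, tuple(result)))
    return findings


def is_compliant(config_text):
    return not evaluate(config_text)


def report(device, config_text):
    """Per-device summary, one line per finding, suitable for an evidence file."""
    findings = evaluate(config_text)
    if not findings:
        return f"{device}: COMPLIANT (0 findings)"
    rows = [f"{device}: NON-COMPLIANT ({len(findings)} findings)"]
    for f in findings:
        where = ", ".join(f"line {n}" for n in f.lines) or "required line missing"
        rows.append(f"  {f.rule_id} {f.description} [{where}]")
    return "\n".join(rows)


if __name__ == "__main__":
    print(report("edge-rtr-1 (before)", SAMPLE_CONFIG))
    print(report("edge-rtr-1 (after)", HARDENED_CONFIG))
```

Running the script reports three findings for the sample configuration (default SNMP community on line 3, cleartext HTTP on line 4, telnet on the vty lines on line 7) and none for the hardened one. The design point is that each rule carries its own description and requirement area, so the same evaluation output serves both the remediation step (which line to change) and the reporting step (what evidence to hand the assessor); scheduling the script against freshly pulled configurations turns the annual check into the continuous monitoring the next section discusses.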
Automation and control of PCI DSS Compliance with Infoblox
Without the expertise and correct tools, PCI DSS can be a major headache for network teams. Infoblox helps customers not only prove compliance to the auditors once a year, but also proactively monitor and remediate network infrastructure devices. Instead of going device to device, collecting and compiling information manually, Infoblox automates the tedious, repetitive process and helps ensure you meet the requirements.
Instead of reassigning critical staff members just for PCI DSS reviews, which can take weeks or months, Infoblox provides the control factors and automation to prove compliance across the network infrastructure. Infoblox provides critical capabilities to meet typical PCI DSS challenges including:
- Understanding the elements - Infoblox scoured the standards to understand how each element and requirement impacts the network infrastructure devices.
- Defining rules - Infoblox pre-built and embedded specific rules and policies for PCI DSS so users don’t have to be experts with the requirements or build their own scripts.
- Identifying violations - Instead of manually looking for differences, the Infoblox solution automatically compares configurations and flags any violations.
- Remediating violations - If a violation is detected, the Infoblox solution can make the changes to remediate it, all within a single interface and system.
- Proactive monitoring - While most audits focus on the periodic report requirements, the automation continuously monitors compliance so users know everything is up to date and correct.
- Reporting - Instead of cobbling together information and manually compiling a report, the reporting interface has single-click PCI DSS compliance reports as well as many standard and customizable options.