PCI Compliance

This document describes how Endpoint Central helps you stay compliant with the regulatory standard below by fulfilling the necessary requirements.

Ensuring Endpoint Central Compliance to Payment Card Industry (PCI) Data Security Standard

The Payment Card Industry Data Security Standard (PCI DSS) was developed to enhance cardholder data security. It facilitates the adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers. It also applies to entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).

Under the PCI DSS, there are 12 different requirements concerning the security of cardholder data. All businesses that accept, store, process, or transmit card information online or offline must adhere to the requirements. Please refer to the following summary.

PCI DSS Overview

Requirement category / Requirement description
Build and Maintain Secure Network and Systems
  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  • Protect all systems against malware and regularly update anti-virus software or programs
  • Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  • Restrict access to cardholder data by business need to know
  • Identify and authenticate access to system components
  • Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
Maintain an Information Security Policy
  • Maintain a policy that addresses information security for all personnel

PCI DSS 3.2 Requirements Met by Endpoint Central

Let us see how enterprises can use ManageEngine Endpoint Central, the desktop and mobile device management solution, to comply with PCI DSS requirements. This document will help IT teams gain an understanding of ManageEngine Endpoint Central and how it can help meet PCI DSS requirements.

The following table outlines the PCI DSS control requirements that are fulfilled by Endpoint Central. The requirement description listed is taken from the PCI Security Standards Council website: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf

Requirement / Requirement description / How Endpoint Central fulfills the requirement
1.4

Install personal firewall software on any mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network.

Endpoint Central's software deployment helps IT admins install .exe or .msi applications, including firewall software, and lets them manage and monitor those applications. This feature is supported for both Windows and Mac.

For mobile devices, Endpoint Central Mobile Device Management provides the ability to install firewall applications and allows IT admins to monitor the status of applications through an inventory console. Also, application management will restrict users from uninstalling applications deployed by Endpoint Central, regardless of whether they are employee-owned or corporate-owned devices.

Please refer to these links:
Software Installation
MDM App Management

2.1

Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.

Endpoint Central allows creating and configuring strong password policies to secure devices and prevent unauthorized access to them.

Refer here:
Password Policy

2.3

Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or TLS for web-based management and other non-console administrative access.

Endpoint Central enables IT admins to secure the communication between the Endpoint Central server and its agents. You can also import third-party security certificates and disable earlier versions of TLS.

Please refer to these links:
Forwarding Server
Import SSL Certificates

2.4

Maintain an inventory of system components that are in scope for PCI DSS.

Endpoint Central periodically scans the desktops, servers, and mobile devices in the network to collect hardware and software details and stores them in its database. IT admins can then get up-to-date asset and inventory information in the form of reports with granular details.

Refer here:
Hardware Software Inventory

5.1

Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).

Endpoint Central's automated software installation tool helps IT admins distribute anti-virus applications across all network devices, ensuring system security.

Please refer to these links:
Software Installation
Antivirus Updates

5.1.2

For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software.

Endpoint Central helps streamline the anti-virus definition update process and keeps a check on the associated bandwidth costs. It also automates definition updates, which saves administrators' time. These anti-virus definition updates cover malware and spyware in addition to traditional malicious software such as viruses, trojans, and worms.

Please refer to these links:
Patch Deployment Process
Antivirus Updates

5.2

Ensure that all anti-virus mechanisms are maintained as follows:
  • Are kept current
  • Perform periodic scans
  • Generate audit logs which are retained per PCI DSS Requirement 10.7.

Endpoint Central can detect and update outdated anti-virus software or patches.

Also, Endpoint Central provides exclusive support for MS Forefront Client Security Definitions.

Please refer to these links:
Antivirus Audit
High Risk Software Audit

6.1

Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as "high," "medium," or "low") to newly discovered security vulnerabilities.

Endpoint Central's security features help analyze vulnerability trends through constant monitoring, enabling early identification of critical threats and vulnerabilities, and assist in delivering the appropriate remediation.

Refer here:
Vulnerability Management

6.2

Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.

Using its vulnerability assessment and remediation capabilities, Endpoint Central ensures that all systems in the network are covered against critical threats.

The Automated Patch Deployment (APD) functionality lets sysadmins deploy any missing patches automatically, without manual intervention.

Refer here:
Patch Deployment Process

7.1.1

Define access needs for each role, including:
  • System components and data resources that each role needs to access for their job function
  • Level of privilege required (for example, user, administrator, etc.) for accessing resources.

Endpoint Central's RBAC (Role Based Access Control) lets IT personnel delegate routine activities to chosen users with well-defined permission levels. The IT manager can create any number of roles, assign permissions based on policy needs, and then associate these roles with Endpoint Central users.

Please refer to these links:
Managing Windows Local Users
Role Based Administration

8.1.4

Remove/disable inactive user accounts at least every 90 days.

Endpoint Central notifies IT admins if a system has not been active for the specified number of days. This notification keeps the IT admin informed about the status of systems in the enterprise network. Information on inactive users can be viewed in the form of reports.

Please refer to these links:
Scope Of Management
Active Directory User Reports

8.1.6

Limit repeated access attempts by locking out the user ID after not more than six attempts.

Endpoint Central's Mobile Device Management helps the IT admin set a permissible limit on the number of password attempts for the user. If the number of password attempts exceeds that limit, the data on the device is wiped; this is done solely to maintain data confidentiality.

Also, Endpoint Central helps trace the number of failed password attempts.

Refer here:
Endpoint Central User Management

8.1.7

Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID.

Endpoint Central Mobile Device Management lets the IT admin specify the idle time after which the device screen is locked. If the device is idle for longer than the allowed time, it is locked automatically.

Refer here:
Account Lockout Duration

8.1.8

If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.

Endpoint Central's power management helps configure systems with an option to prompt for a password when the system is on standby, so the user must authenticate when the system resumes. These configurations can be deployed to multiple systems from a central location, which gives the IT admin complete control.

Also, the remote session settings allow the IT admin to configure a maximum idle session timeout: if the session exceeds the idle time, it is disconnected and the remote machine is locked automatically.

Refer here:
Power Management

8.2.3

Passwords/phrases must meet the following:
  • Require a minimum length of at least seven characters
  • Contain both numeric and alphabetic characters.

Endpoint Central Mobile Device Management lets IT admins define the parameters of a passcode policy and configure passcode settings, such as requiring numeric and alphabetic characters and a minimum passcode length.

For systems, Endpoint Central provides an option to check the complexity of passwords.

Refer here:
MDM Passcode Policy

8.2.4

Change user passwords/passphrases at least every 90 days.

Endpoint Central Mobile Device Management provides an option to specify the number of days after which the passcode must be reset.

For systems, the IT admin can configure alerts on specified dates in Endpoint Central to notify the IT team, which can then take action.

Refer here:
MDM Windows Passcode

8.2.5

Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used.

Endpoint Central Mobile Device Management maintains a passcode history: an IT admin can specify how many previous passcodes are retained so that users cannot reuse them.

Refer here:
MDM Windows Passcode

8.3.1 and 8.3.2

Addresses multi-factor authentication for all personnel with non-console administrative access/remote access to the CDE.

Endpoint Central lets you enable two-factor authentication, which prompts the user to enter a One Time Password (OTP) along with their regular password. Endpoint Central supports two-factor authentication in two modes: via email and via Google Authenticator.

Refer here:
Two Factor Authentication

9.7.1

Properly maintain inventory logs of all media and conduct media inventories at least annually.

Endpoint Central's device control and file access management capability gives detailed reports of all file actions. It supports effective management by providing clear audit reports along with usage data for connected devices and user and file activities.

Refer here:
Configure Audit Settings

11.2.1

Perform quarterly internal vulnerability scans and rescans as needed, until all "high-risk" vulnerabilities (as identified in Requirement 6.1) are resolved. Scans must be performed by qualified personnel.

Endpoint Central's patch management can scan each managed system for missing operating system patches. The level of vulnerability is reported with details such as the system's vulnerability level, missing and applicable patches, task status, etc.

Refer here:
Vulnerability Assessment

12.2

Implement a risk assessment process that:
  • Is performed at least annually and upon significant changes to the environment
  • Identifies critical assets, threats, and vulnerabilities
  • Results in a formal risk assessment.

Endpoint Central provides vulnerability scanning and patch management. The scan results are also available as reports, which help identify threats and keep administrators updated.

Refer here:
Vulnerability Assessment

12.3

Develop usage policies for critical technologies and define proper use of these technologies.

Endpoint Central lets IT admins implement policies such as configuring passwords and restricting the use of the camera, YouTube, the Safari browser, etc. It also provisions access to corporate resources such as email, Wi-Fi, VPN, and more.

Endpoint Central helps secure and standardize desktops and devices across the network.

Refer here:
MDM Profile Management

12.3.4

A method to accurately and readily determine owner, contact information, and purpose (for example, labeling, coding, and/or inventorying of devices)

Endpoint Central lets you manage custom asset properties through its Custom Fields functionality, which supports asset categorization and recording non-technical information about assets efficiently.

Refer here:
Creating Custom Fields

12.3.8

Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity.

The idle session settings in Endpoint Central's remote control tool enhance security by enforcing an idle session timeout.

An IT admin can specify the maximum time a remote session may remain idle. When the session is idle for longer than the specified time, it is disconnected and the remote machine is locked automatically.

Refer here:
Remote Desktop Sharing

12.3.9

Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use.

With Endpoint Central, IT admins can restrict system access to authorized users, for example granting only specific users the privilege to invoke a remote desktop connection. It also helps define a scope for users, limiting their permissions to a specific set of computers.

Please refer to these links:
User Management
Role Based Administration

12.5.2

Monitor and analyze security alerts and information, and distribute to appropriate personnel.

Endpoint Central allows IT admins to notify an end user via e-mail alerts on the detection of new hardware or software. Alerts are also sent when a prohibited application is detected in the network, and other security events can likewise be reported via e-mail.

Please refer to these links:
Viewing Inventory Alerts
Scheduled Reports

12.5.4

Administer user accounts, including additions, deletions, and modifications.

Endpoint Central gives IT admins the ability to manage and customize user access, whether adding or removing a user or changing their password. It allows target devices to be provisioned to users with specific permissions.

Using the role management feature, routine activities can be delegated to chosen users, and their scope can be limited to particular devices.

Please refer to these links:
Managing Windows Local Users
User Management

12.5.5

Monitor and control all access to data.

To mitigate the risk of data breaches, Endpoint Central helps regulate access permissions by restricting the use of removable devices.

Refer here:
Block USB

The essence of PCI DSS compliance is that vendors must demonstrate stringent security measures for the systems and processes that protect cardholder information. Failing to follow the PCI DSS requirements carries several disadvantages: if a data breach affects any customer's payment card data, the brand and reputation of the business may suffer, and the business may have to pay heavy penalties.

Endpoint Central helps businesses stay compliant with PCI DSS. It facilitates monitoring and managing systems and mobile devices, and provides granular reports.