# PCI Compliance
**The following document elaborates on how Endpoint Central can help enterprises achieve certain requirements of PCI DSS compliance. To know the detailed list of all Zoho/ManageEngine products that are compliant with PCI DSS and other regulatory standards, refer to [Compliance at Zoho](https://www.zoho.com/compliance.html).**
## Payment Card Industry (PCI) Data Security Standard (DSS)
The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance payment card account data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. While specifically designed to focus on environments with payment card account data, PCI DSS can also be used to protect against threats and secure other elements in the payment ecosystem.
Under the PCI DSS, there are 12 different requirements concerning the security of cardholder data. All businesses that accept, store, process, or transmit card information online or offline must adhere to the requirements. Please refer to the following summary.
**PCI DSS Overview**

| Requirement | Requirement Description |
|---|---|
| Build and maintain secure network and systems | - Install and maintain network security controls.<br>- Apply secure configurations to all system components. |
| Protect account data | - Protect stored account data.<br>- Protect cardholder data with strong cryptography during transmission over open, public networks. |
| Maintain a vulnerability management program | - Protect all systems and networks from malicious software.<br>- Develop and maintain secure systems and software. |
| Implement strong access control measures | - Restrict access to system components and cardholder data by business need to know.<br>- Identify users and authenticate access to system components.<br>- Restrict physical access to cardholder data. |
| Regularly monitor and test networks | - Log and monitor all access to system components and cardholder data.<br>- Test security of systems and networks regularly. |
| Maintain an information security policy | - Support information security with organizational policies and programs. |
**PCI DSS 4.0.1 Requirements met by Endpoint Central**

ManageEngine Endpoint Central, a unified endpoint management and security solution, can help organizations comply with PCI DSS requirements. This document will help IT teams gain an understanding of ManageEngine's Endpoint Central and how it can help to meet PCI DSS requirements.

The following table outlines the PCI DSS control requirements that are fulfilled by Endpoint Central. The requirement descriptions listed are taken from the PCI Security Standards Council website: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0_1.pdf
Note: The requirements marked with # can be fulfilled with the advanced features that are exclusive to the [security edition](https://www.manageengine.com/products/desktop-central/endpoint-security-features.html) of Endpoint Central.
| Requirement | Requirement Description | How Endpoint Central fulfills the requirement |
|---|---|---|
| 1.2.5 (#) | All services, protocols, and ports allowed are identified, approved, and have a defined business need. | SecOps teams can run a [port audit](https://www.manageengine.com/vulnerability-management/audit-ports-in-use.html) of their environment with Endpoint Central and substantially reduce the attack surface, which limits exposure in the event of a zero-day exploit. |
| 1.2.6 (#) | Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated. | Endpoint Central, with its threat assessment capabilities, identifies vulnerable points of entry (ports, vulnerable software, etc.) in your network and applies fixes for them.<br>Refer to:<br>[Device Control for port audits](https://www.manageengine.com/device-control/device-control.html?fea_drop) (#)<br>[Software audit](https://www.manageengine.com/vulnerability-management/high-risk-software-audit.html) (#) |
| 1.3.2 (#) | Outbound traffic from the CDE is restricted as follows:<br>- To only traffic that is necessary.<br>- All other traffic is specifically denied. | Endpoint Central's advanced data loss prevention techniques, with its email and cloud upload protection, restrict the sharing of critical enterprise data to trusted domains only, whether via email or cloud upload.<br>Refer to:<br>[Email security](https://www.manageengine.com/endpoint-dlp/email-security-and-outlook.html) (#)<br>[Cloud protection](https://www.manageengine.com/endpoint-dlp/upload-protection.html) (#) |
| 1.4.1 | NSCs (Network Security Controls) are implemented between trusted and untrusted networks. | Endpoint Central's network-neutral architecture allows admins to manage and secure CDE (Cardholder Data Environment) systems, even if they are isolated from the internet.<br>Refer to:<br>[Endpoint Central's DMZ architecture](https://www.manageengine.com/products/desktop-central/installing-dc-in-dmz-how-to.html) |
| 1.4.5 | The disclosure of internal IP addresses and routing information is limited to only authorized parties. | Admins can configure [NAT settings](https://www.manageengine.com/products/desktop-central/help/configuring_desktop_central/nat-settings.html) for the Endpoint Central server so that managed endpoints contact the server using its FQDN (Fully Qualified Domain Name) rather than an internal IP address. |
| 1.5.1 (#) | Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks (including the Internet) and the CDE. | Using the device control module of Endpoint Central, a zero trust strategy can be implemented and even automated to protect endpoint data and restrict access from unapproved peripheral devices.<br>Refer to:<br>[Zero trust security](https://www.manageengine.com/device-control/zero-trust.html) (#)<br>[Securing USB devices](https://www.manageengine.com/products/desktop-central/help/computer_configuration/securing_usb_devices.html)<br>[Security Policies](https://www.manageengine.com/products/desktop-central/help/misc/windows_security_policies.html)<br>[Secure Browser Configurations](https://www.manageengine.com/browser-security/policy-deployment.html) (#)<br>[Malware Protection](https://www.manageengine.com/products/desktop-central/nextgen-antivirus.html) |
| 2.2.1 (#) | Configuration standards are developed, implemented, and maintained to cover all system components and known vulnerabilities. | Endpoint Central lets you identify vulnerable attack surfaces and apply remediation steps. The patching process can be scheduled based on severity.<br>Refer to:<br>[Automated Patch Deployment](https://www.manageengine.com/products/desktop-central/automated_patch_deployment_process.html) (#)<br>[Achieve CIS Compliance](https://www.manageengine.com/vulnerability-management/cis-compliance.html) (#) |
| 2.2.2 | Vendor default accounts are managed appropriately. | Using Endpoint Central, stringent password policies can be applied and unused accounts removed.<br>Refer to:<br>[Password Policy](https://www.manageengine.com/products/desktop-central/password_policy.html)<br>[User Management](https://www.manageengine.com/products/desktop-central/help/computer_configuration/managing_users.html)<br>[User account status report](https://www.manageengine.com/products/desktop-central/help/reports/active_directory_account_status_user_reports.html) |
| 2.2.4 (#) | Only necessary services, protocols, daemons, and functions are enabled. | Policy-based blocklisting configurations help restrict unnecessary processes.<br>Refer to:<br>[Application blocklisting](https://www.manageengine.com/application-control/application-blocklisting.html) (#)<br>[Securing USB devices](https://www.manageengine.com/products/desktop-central/help/computer_configuration/securing_usb_devices.html)<br>[Security Policies](https://www.manageengine.com/products/desktop-central/help/misc/windows_security_policies.html)<br>[Secure Browser Configurations](https://www.manageengine.com/browser-security/policy-deployment.html) |
| 3.3.2 | Sensitive authentication data stored electronically is encrypted using strong cryptography. | Endpoint Central helps encrypt Windows devices using BitLocker and Mac devices using FileVault. [Android and iOS devices](https://www.manageengine.com/mobile-device-management/how-to/mdm-android-ios-device-data-encryption.html#:~:text=You%20can%20know%20more%20about,save%20and%20publish%20the%20profile.) can also be encrypted using MDM. |
| 5.2.1 | An anti-malware solution is deployed on all system components. | Endpoint Central has a built-in [next-gen antivirus engine](https://www.manageengine.com/products/desktop-central/nextgen-antivirus.html) that proactively detects cyber threats with AI-assisted, real-time behavior detection. |
| 6.3.3 | All system components are protected from known vulnerabilities by installing applicable patches/updates. | Automated Patch Deployment enables automatic installation of missing patches.<br>Refer to:<br>[Patch Deployment Process](https://www.manageengine.com/products/desktop-central/automated_patch_deployment_process.html) |
| 7.2.1 (#) | The least privileges required to perform a job function are enforced. | The PoLP (principle of least privilege) feature in the application control module enforces minimal privilege access.<br>Refer to:<br>[Privilege management](https://www.manageengine.com/application-control/principle-of-least-privilege.html) (#) |
| 8.2.5 | Access for terminated users is immediately revoked. | Endpoint Central helps admins perform [remote wipes](https://www.manageengine.com/mobile-device-management/help/security_management/mdm_security_management.html#wipe) to ensure corporate data security. |
| 8.3.1 | All user access is authenticated via at least one authentication factor. | Endpoint Central aids in configuring strong passwords.<br>Refer to:<br>[Password Policy](https://www.manageengine.com/products/desktop-central/password_policy.html)<br>[MDM Profiles for passcodes](https://www.manageengine.com/mobile-device-management/help/profile_management/windows/mdm_windows_passcode.html?passcodewp) |
| 9.4.2 (#) | All media with cardholder data is classified according to sensitivity. | Endpoint Central's data rules help identify sensitive data such as bank codes and credit card numbers.<br>Refer to:<br>[Data discovery](https://www.manageengine.com/endpoint-dlp/data-discovery.html) (#)<br>[Data classification](https://www.manageengine.com/endpoint-dlp/data-classification.html) (#) |
| 11.3.1 (#) | Internal vulnerability scans are performed periodically. | Endpoint Central identifies vulnerabilities and enables remediation from the console.<br>Refer to:<br>[Vulnerability Management](https://www.manageengine.com/products/desktop-central/vulnerability-management-integration-home.html) (#) |
| 12.5.1 (#) | An inventory of system components in scope for PCI DSS is maintained. | Endpoint Central maintains an inventory of IT assets mapped to components.<br>Refer to:<br>[Scan, manage and protect data](https://www.manageengine.com/endpoint-dlp/data-discovery.html?fea_drop) (#)<br>[Inventory Management](https://www.manageengine.com/products/desktop-central/help/inventory/inventory_asset_management.html) |
The essence of PCI DSS compliance is that vendors must demonstrate stringent security measures for the systems and processes that protect cardholder information. The consequences of not following PCI DSS requirements are several: if a data breach were to affect any customer's payment card data, the brand and reputation of the business might suffer, and the business might have to pay heavy penalties.

Endpoint Central helps businesses stay compliant with PCI DSS. It facilitates monitoring and managing systems and mobile devices, and provides granular reports.