|
The following document elaborates on how Endpoint Central can help enterprises achieve certain requirements of PCI DSS compliance. To know the detailed list of all Zoho/ManageEngine products that are compliant with PCI DSS and other regulatory standards, refer to Compliance at Zoho.
The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance payment card account data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. While specifically designed to focus on environments with payment card account data, PCI DSS can also be used to protect against threats and secure other elements in the payment ecosystem.
Under the PCI DSS, there are 12 different requirements concerning the security of cardholder data. All businesses that accept, store, process, or transmit card information online or offline must adhere to the requirements. Please refer to the following summary.
PCI DSS Overview
Requirement | Requirement Description |
---|---|
Build and maintain secure network and systems |
|
Protect account data |
|
Maintain a vulnerability management program |
|
Implement strong access control measures |
|
Regularly monitor and test networks |
|
Maintain an information security policy |
|
PCI DSS 4.0.1 Requirements met by Endpoint Central
ManageEngine Endpoint Central, a unified endpoint management and security solution, can help organizations comply with PCI DSS requirements. This document will help IT team gain an understanding of ManageEngine's Endpoint Central and how it can help to meet PCI DSS requirements.
The following table outlines the PCI DSS control requirements that are fulfilled by Endpoint Central. The requirement description listed is taken from the PCI Security Standards Council website: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0_1.pdf
Note: The requirements marked with # can be fulfilled with the advanced features that are exclusive to the security edition of Endpoint Central.
Requirement | Requirement Description | How Endpoint Central fulfills the requirement? |
---|---|---|
1.2.5 (#) | All services, protocols, and ports allowed are identified, approved, and have a defined business need. | SecOps can do a port audit in their environment and reduce their attack surface to a great extent, in case of zero -day exploit using Endpoint Central. |
1.2.6 (#) |
Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated. |
Endpoint Central, with its threat assessment capabilities, identifies vulnerable points of entry (ports, vulnerable software etc.) in your network and applies fixes for the same.
|
1.3.2 (#) |
Outbound traffic from the CDE is restricted as follows:
|
Endpoint Central's advanced data loss prevention techniques, with its effective email and cloud upload protection solution, restricts critical enterprise data to be shared only to trusted domains, be it via email or cloud upload.
|
1.4.1 | NSCs (Network Security Controls) are implemented between trusted and untrusted networks. |
Endpoint Central's network neutral architecture allows our admins to manage and secure CDE (Card Data Environment) systems, even if they are isolated from the internet.
|
1.4.5 | The disclosure of internal IP addresses and routing information is limited to only authorized parties. | Admins can configure NAT settings for Endpoint Central server so that managed endpoints can contact the server using FQDN (Fully Qualified Domain Name) |
1.5.1 (#) | Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks (including the Internet) and the CDE as follows:
|
Using the device control module of Endpoint Central, zero trust strategy can be implemented and even automated to ensure the optimal protection and restriction of all endpoint data from unapproved peripheral devices. Endpoint Central also allows you to deploy various security policies and configurations to end-user machines, to impose restrictions that determine if they are allowed to plug in external USB devices or connect to untrusted networks. |
2.2.1 (#) |
Configuration standards are developed, implemented, and maintained to:
|
Endpoint Central lets you identify vulnerable attack surfaces in the network and can accordingly apply the required remediation steps in the agent machines. The patching process can be scheduled by the admin based on the severity of the vulnerability detected. Refer to: Automated Patch Deployment (#) Achieve CIS Compliance (#) |
2.2.2 |
Vendor default accounts are managed as follows:
|
Using Endpoint Central, stringent password policies can be applied to end user machines. Accounts that are not in use can be removed.
Refer to: Password PolicyUser Management User account status report |
2.2.4 (#) | Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled. |
Policy-based blocklisting configurations, part of the application control module aids security by restricting unnecessary processes. Secure configurations such as USB protection, Permission management, Security policies, firewall configurations can be applied using Endpoint Central. |
2.2.5 | If any insecure services, protocols, or daemons are present: • Business justification is documented. • Additional security features are documented and implemented that reduce the risk of using insecure services, protocols, or daemons. |
Endpoint Central can help identify security misconfigurations, which includes presence of insecure, legacy protocols. |
2.2.6 |
System security parameters are configured to prevent misuse. |
Security parameters such as registry settings, account, file, directory permission settings and settings for functions, ports, protocols, and remote connections can be modified by applying the corresponding configurations from Endpoint Central.
|
2.2.7 | All non-console administrative access is encrypted using strong cryptography | Endpoint Central leverages 256-bit Advanced Encryption Standard (AES) encryption protocols during remote troubleshooting operations. Endpoint also can run on FIPS mode, to ensure a safe and secure operation. |
3.3.2 | SAD (Sensitive Aut that is stored electronically prior to completion of authorization is encrypted using strong cryptography. | Endpoint Central can help admins to encrypt end-users Windows devices using its Bitlocker Management and Mac devices with FileVault encryption. Android and iOS devices also could be encrypted using our MDM feature. |
3.5.1 | PAN (Primary Account Number) is rendered unreadable anywhere it is stored by using any of the following approaches: • One-way hashes based on strong cryptography of the entire PAN. • Truncation (hashing cannot be used to replace the truncated segment of PAN). – If hashed and truncated versions of the same PAN, or different truncation formats of the same PAN, are present in an environment, additional controls are in place such that the different versions cannot be correlated to reconstruct the original PAN. • Index tokens. • Strong cryptography with associated key management processes and procedures. |
Endpoint Central can help admins to encrypt end-users Windows devices using its Bitlocker Management and Mac devices with FileVault encryption.Android and iOS devices also could be encrypted using our MDM feature. |
3.5.1.2 | If disk-level or partition-level encryption (rather than file-, column-, or field-level database encryption) is used to render PAN unreadable, it is implemented only as follows: • On removable electronic media OR • If used for non-removable electronic media, PAN is also rendered unreadable via another mechanism that meets Requirement 3.5.1. |
Android and iOS devices and its SD cards could be encrypted using our MDM feature. |
3.5.1.3 | If disk-level or partition-level encryption is used (rather than file-, column-, or field-level database encryption) to render PAN unreadable, it is managed as follows: • Logical access is managed separately and independently of native operating system authentication and access control mechanisms. • Decryption keys are not associated with user accounts. • Authentication factors (passwords, passphrases, or cryptographic keys) that allow access to unencrypted data are stored securely. |
Endpoint Central can help admins to encrypt end-users Windows devices using its Bitlocker Management and Mac devices with FileVault encryption. Our Bitlocker management feature is more granular and could meet the requirements mentioned here. |
3.6.1 | Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure and misuse that include: • Access to keys is restricted to the fewest number of custodians necessary. • Key-encrypting keys are at least as strong as the data-encrypting keys they protect. • Key-encrypting keys are stored separately from data-encrypting keys. • Keys are stored securely in the fewest possible locations and forms. |
Endpoint Central's Bitlocker management has provisions for recovery keys |
5.2.1 | An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware. | Endpoint Central has a built-in next gen antivirus engine (currently available as early access) that proactively detects cyber threats with its AI-assisted, real-time behavior detection and deep learning technology. |
5.2.2 | The deployed anti-malware solution(s): • Detects all known types of malware. • Removes, blocks, or contains all known types of malware. |
Endpoint Central has a built-in next gen antivirus engine that proactively detects cyber threats with its AI-assisted, real-time behavior detection and deep learning technology.
Apart from real-time threat detection, Endpoint Central also actively performs incident forensics so that SecOps analyze the root cause and severity of the threats. If the next gen antivirus engine detects a suspicious behavior in endpoints, it can quarantine those endpoints and, after a thorough forensic analysis, can be deployed back into production. If a file is infected with ransomware, it can be restored with the most recent backup copy of the file. |
5.3.1 | The anti-malware solution(s) is kept current via automatic updates. | Endpoint Central is configured to perform automatic updates. |
5.3.2 | The anti-malware solution(s): • Performs periodic scans and active or real-time scans. OR • Performs continuous behavioral analysis of systems or processes. |
Endpoint Central's Next Gen Antivirus can do real-time scan whenever a process is created , when a DLL is loaded ,or when a new file in downloaded or introduced into the endpoints. Our NGAV also has behavior engine which analyses the processes in the endpoints for suspicious activities. |
5.3.3 (#) |
Performs automatic scans of when the media is inserted, connected, or logically mounted |
An automated scanning process is triggered whenever any peripheral device tries to connect with an endpoint, be it via plugging or via bluetooth, and performs the audit scan based on the policy created. This is apart from our NGAV initiating scan to detect any presence of malware.
|
5.3.4 |
Audit logs for the anti-malware solution(s) are enabled and retained in accordance with Requirement 10.5.1. |
Based on the time period ( eg: 12 months) configured by the admin, the detected incidents can be retained in the console, till the configured time. Our solution also integrates with SIEM tools like Eventlog Analyzer, Splunk, Rapid 7, etc. |
5.3.5 |
Anti-malware mechanisms cannot be disabled or altered by users, unless specifically documented, and authorized by management on a case-by-case basis for a limited time period. |
Our NGAV is Tamper- proof. It cannot be disabled by the end-users. Endpoint Central also has Role-based access control so that only limited admins have the access to Endpoint Central console. |
5.4.1 (#) |
Processes and automated mechanisms are in place to detect and protect personnel against phishing attacks. |
Endpoint Central leverge its secure browser configurations, especially phishing filters, to protect the end-users against phishing attacks |
6.3.1 (#) | Security vulnerabilities are identified and managed as follows:
|
Endpoint Central identifies security vulnerabilities in the network, listing down the vulnerabilities according to the priority in which they should be addressed. Remediations can then be triggered from the product console accordingly.
|
6.3.3 |
All system components are protected from known vulnerabilities by installing applicable security patches/updates as follows:
|
Using its vulnerability assessment and remediation capabilities, Endpoint Central assures all systems in the network are fully covered against critical threats. The Automated Patch Deployment (APD) functionality grants sysadmins the ability to automatically update any or all missing patches with zero human intervention. Refer to: |
7.2.1 (#) |
The least privileges required (for example, user, administrator) to perform a job function |
The PoLP (Principle of Least Privileges) feature included in the application control module supports the concept of lowering wide array of privileges to bare minimum just about enough to perform the function. This feature is not restricted to users, as systems, applications and services are benefited from the same.
|
7.3.1 (#) |
An access control system(s) is in place that restricts access based on a user’s need to know and covers all system components. |
Endpoint Central's Application Control module allows the admins to allowlist/ blocklist software applications in your systems. It enforces conditional access policies, ensuring that only authorized users can access critical business systems and sensitive data. |
8.2.5 |
Access for terminated users is immediately revoked. |
|
8.2.6 |
Inactive user accounts are removed or disabled within 90 days of inactivity. |
Endpoint Central enables IT admins to find the inactive user accounts and remove them.
|
8.2.8 | If a user session has been idle for more than 15 minutes, the user is required to re-authenticate to re-activate the terminal or session. |
Endpoint Central with its power management configuration can configure the end user machines to perform various activities like dim or turn off the display, prompt the user to enter password when the computer resumes from sleep etc. Refer to: Power Management |
8.3.1 |
All user access to system components for users and administrators is authenticated via at least one of the following authentication factors:
|
Endpoint Central can aid creating and configuring strong passwords to secure devices and prevent intruders from accessing the organization's endpoints. Refer to: Password Policy MDM Profiles for passcodes |
8.3.4 (#) |
Invalid authentication attempts are limited by:
|
The vulnerability management features of Endpoint Central lets the IT admin specify the allowed number of password entries, before restricting the account, to prevent unauthorized access. It also enables administrators to set passcode policies for mobile devices running on Android, Apple, and Windows, ensuring end-users create strong passcodes for their devices. |
8.3.7 | Individuals are not allowed to submit a new password/passphrase that is the same as any of the last four passwords/passphrases used. |
Endpoint Central's mobile device management capabilities allows several passcodes to be maintained in the history, which means an IT admin can specify the number of previous passwords to be maintained, so that users do not reuse them. Refer to: |
8.3.9 |
If passwords/passphrases are used as the only authentication factor for user access (i.e., in any single-factor authentication implementation) then either: |
The MDM functionalities of Endpoint Central can be used to configure password policies that lets you establish certain password characteristics like password length, maximum passcode age etc. You can also generate a custom report with the details of the users who's passwords will soon expire. Refer to: |
9.2.3 |
Physical access to wireless access points, gateways, networking/communications hardware, and telecommunication lines within the facility is restricted. |
Endpoint Central has Wifi policies, Restrictions and Certificate based authentication (for accesing wireless access points) for mobile devices. |
9.4.1 (#) |
All media with cardholder data is physically secured. |
When data is identified and categorized as sensitive data containing PCI relevant details, Endpoint Central with its data loss prevention techniques restricts the critical enterprise data being exposed or leaked by removable storage media or being printed or even copied using clipboard approach.
|
9.4.2 (#) |
All media with cardholder data is classified in accordance with the sensitivity of the data. |
With Endpoint Central's simplified but effective data rules, identifying enterprise critical data containing bank codes, ABA routing numbers, IBAN (International Bank Account Numbers), and credit card numbers is now more effective and precise.
|
11.3.1 (#) | Internal vulnerability scans are performed as follows:
|
Endpoint Central identifies security vulnerabilities in the network, listing down the vulnerabilities according to the priority in which they should be addressed. Remediations can then be triggered from the product console accordingly. Refer to: |
12.2.1 | Acceptable use policies for end-user technologies are documented and implemented, including: • Explicit approval by authorized parties. • Acceptable uses of the technology. • List of products approved by the company for employee use, including hardware and software. |
Endpoint Central can enable Terms of use documents to be deployed on your employees' devices, and only on their agreement does Endpoint Central start managing the device, effectively obtaining user consent for device managements. |
12.3.4 (#) |
Hardware and software technologies in use are reviewed at least once every 12 months, including at least the following:
|
Endpoint Central constantly monitors the entity's network for EOL of a software and can also apply security fixes for software when necessary.
|
12.5.1 (#) |
An inventory of system components that are in scope for PCI DSS, including a description of function/use, is maintained and kept current. |
Endpoint Central maintains an inventory of IT assets with details mapped to the corresponding IT components. Combined with its advanced data loss prevention techniques, Endpoint Central protects sensitive data against the ever growing number of threat vectors. Refer to: Scan, manage and protect data (#) Inventory Management |
The essence of PCI DSS compliance is that vendors must demonstrate stringent security measures for systems and processes to protect cardholder information. The disadvantages of not following PCI DSS requirements are several; the brand and reputation of a business might suffer and the business might have to pay heavy penalties, if a data breach were to affect any customer's payment card data.
Endpoint Central helps businesses stay compliant with PCI DSS. It facilitates monitoring and managing systems & mobile devices and provides granular level reports.
Thank you for your feedback!
Sorry about that!