PCI Compliance

Free Trial

 

The following document elaborates on how Endpoint Central can help enterprises achieve certain requirements of PCI DSS compliance. To know the detailed list of all Zoho/ManageEngine products that are compliant with PCI DSS and other regulatory standards, refer to Compliance at Zoho.

 Payment Card Industry (PCI) Data Security Standard (DSS)

The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance payment card account data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. While specifically designed to focus on environments with payment card account data, PCI DSS can also be used to protect against threats and secure other elements in the payment ecosystem.

Under the PCI DSS, there are 12 different requirements concerning the security of cardholder data. All businesses that accept, store, process, or transmit card information online or offline must adhere to the requirements. Please refer to the following summary.

PCI DSS Overview

Requirement Requirement Description
Build and maintain secure network and systems
  • Install and maintain network security controls.
  • Apply secure configurations to all system components.
Protect account data
  • Protect stored account data.
  • Protect cardholder data with strong cryptography during transmission over open, public networks.
Maintain a vulnerability management program
  • Protect all systems and networks from malicious software.
  • Develop and maintain secure systems and software.
Implement strong access control measures
  • Restrict access to system components and cardholder data by business need to know.
  • Identify users and authenticate access to system components.
  • Restrict physical access to cardholder data.
Regularly monitor and test networks
  • Log and monitor all access to system components and cardholder Data.
  • Test security of systems and networks regularly.
Maintain an information security policy
  • Support information security with organizational policies and programs

PCI DSS 4.0.1 Requirements met by Endpoint Central

ManageEngine Endpoint Central,  a unified endpoint management and security solution, can help organizations comply with PCI DSS requirements. This document will help IT team gain an understanding of ManageEngine's Endpoint Central and how it can help to meet PCI DSS requirements.

The following table outlines the PCI DSS control requirements that are fulfilled by Endpoint Central. The requirement description listed is taken from the PCI Security Standards Council website: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0_1.pdf

Note: The requirements marked with # can be fulfilled with the advanced features that are exclusive to the security edition of Endpoint Central.

Requirement Requirement Description How Endpoint Central fulfills the requirement?
1.2.5 (#) All services, protocols, and ports allowed are identified, approved, and have a defined business need. SecOps can do a port audit in their environment and reduce their attack surface to a great extent, in case of zero -day exploit using Endpoint Central.
1.2.6 (#)

Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.

Endpoint Central, with its threat assessment capabilities, identifies vulnerable points of entry (ports, vulnerable software etc.) in your network and applies fixes for the same.


Refer to:
Device Control for port audits (#)
Software audit (#)

1.3.2 (#)

Outbound traffic from the CDE is restricted as follows:

  • To only traffic that is necessary.
  • All other traffic is specifically denied.

Endpoint Central's advanced data loss prevention techniques, with its effective email and cloud upload protection solution, restricts critical enterprise data to be shared only to trusted domains, be it via email or cloud upload.


Refer to:
Email security (#)
Cloud protection (#)

1.4.1  NSCs (Network Security Controls) are implemented between trusted and untrusted networks.
 

Endpoint Central's network neutral architecture allows our admins to manage and secure CDE (Card Data Environment) systems, even if they are isolated from the internet.


Refer to:
Endpoint Central's DMZ architecture
 

1.4.5  The disclosure of internal IP addresses and routing information is limited to only authorized parties. Admins can configure NAT settings for Endpoint Central server so that managed endpoints can contact the server using FQDN (Fully Qualified Domain Name)
1.5.1 (#) Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks (including the Internet) and the CDE as follows:
  • Specific configuration settings are defined to prevent threats being introduced into the entity's network.
  • Security controls are actively running.
  • Security controls are not alterable by users of the computing devices unless specifically documented and authorized by management on a case-by-case basis for a limited period.

Using the device control module of Endpoint Central, zero trust strategy can be implemented and even automated to ensure the optimal protection and restriction of all endpoint data from unapproved peripheral devices. Endpoint Central also allows you to deploy various security policies and configurations to end-user machines, to impose restrictions that determine if they are allowed to plug in external USB devices or connect to untrusted networks.

Refer to:
Zero trust security (#)
Securing USB devices
Security Policies
Secure Browser Configurations(#)
Malware Protection

2.2.1 (#)

Configuration standards are developed, implemented, and maintained to:

  • Cover all system components.
  • Address all known security vulnerabilities.
  • Be consistent with industry-accepted system hardening standards or vendor hardening recommendations.
  • Be updated as new vulnerability issues are identified, as defined in Requirement 6.3.1.
  • Be applied when new systems are configured and verified as in place before or immediately after a system component is connected to a production environment.
Endpoint Central lets you identify vulnerable attack surfaces in the network and can accordingly apply the required remediation steps in the agent machines. The patching process can be scheduled by the admin based on the severity of the vulnerability detected.

Refer to:
Automated Patch Deployment (#)
Achieve CIS Compliance (#)
2.2.2

Vendor default accounts are managed as follows:

  • If the vendor default account(s) will be used, the default password is changed per the requirements 8.3.6
  • If the vendor default account(s) will not be used, the account is removed or disabled.
Using Endpoint Central, stringent password policies can be applied to end user machines. Accounts that are not in use can be removed.

Refer to:

Password Policy
User Management
User account status report
2.2.4 (#) Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled.

Policy-based blocklisting configurations, part of the application control module aids security by restricting unnecessary processes. Secure configurations such as USB protection, Permission management, Security policies, firewall configurations can be applied using Endpoint Central.

Refer to:
Application blocklisting (#)
Securing USB devices
Security Policies
Secure Browser Configurations

2.2.5 If any insecure services, protocols, or daemons are present:
• Business justification is documented.
• Additional security features are documented and implemented that reduce the risk of using insecure services, protocols, or daemons.
Endpoint Central can help identify security misconfigurations, which includes presence of insecure, legacy protocols.
2.2.6

System security parameters are configured to prevent misuse.

Security parameters such as registry settings, account, file, directory permission settings and settings for functions, ports, protocols, and remote connections can be modified by applying the corresponding configurations from Endpoint Central.


Refer to:
Configuring Registry Settings

 

 

2.2.7 All non-console administrative access is encrypted using strong cryptography Endpoint Central leverages 256-bit Advanced Encryption Standard (AES) encryption protocols during remote troubleshooting operations. Endpoint also can run on FIPS mode, to ensure a safe and secure operation.
3.3.2 SAD (Sensitive Aut that is stored electronically prior to completion of authorization is encrypted using strong cryptography. Endpoint Central can help admins to encrypt end-users Windows devices using its Bitlocker Management and Mac devices with FileVault encryption. Android and iOS devices also could be encrypted using our MDM feature.
3.5.1 PAN (Primary Account Number) is rendered unreadable anywhere it is stored by using any of the following approaches:
• One-way hashes based on strong cryptography of the entire PAN.
• Truncation (hashing cannot be used to replace the truncated segment of PAN).
– If hashed and truncated versions of the same PAN, or different truncation formats of the same PAN, are present in an environment, additional controls are in place such that the different versions cannot be correlated to reconstruct the original PAN.
• Index tokens.
• Strong cryptography with associated key management processes and procedures.
Endpoint Central can help admins to encrypt end-users Windows devices using its Bitlocker Management and Mac devices with FileVault encryption.Android and iOS devices also could be encrypted using our MDM feature.
3.5.1.2  If disk-level or partition-level encryption (rather than file-, column-, or field-level database encryption) is used to render PAN unreadable, it is implemented only as follows:
• On removable electronic media
OR
• If used for non-removable electronic media, PAN is also rendered unreadable via another mechanism that meets Requirement 3.5.1.
Android and iOS devices and its SD cards could be encrypted using our MDM feature.
3.5.1.3 If disk-level or partition-level encryption is used (rather than file-, column-, or field-level database encryption) to render PAN unreadable, it is managed as follows:
• Logical access is managed separately and independently of native operating system authentication and access control mechanisms.
• Decryption keys are not associated with user accounts.
• Authentication factors (passwords, passphrases, or cryptographic keys) that allow access to unencrypted data are stored securely.
Endpoint Central can help admins to encrypt end-users Windows devices using its Bitlocker Management and Mac devices with FileVault encryption. Our Bitlocker management feature is more granular and could meet the requirements mentioned here. 
3.6.1 Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure and misuse that
include:
• Access to keys is restricted to the fewest number of custodians necessary.
• Key-encrypting keys are at least as strong as the data-encrypting keys they protect.
• Key-encrypting keys are stored separately from data-encrypting keys.
• Keys are stored securely in the fewest possible locations and forms.
Endpoint Central's Bitlocker management has provisions for recovery keys 
5.2.1 An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware. Endpoint Central has a built-in next gen antivirus engine (currently available as early access) that proactively detects cyber threats with its AI-assisted, real-time behavior detection and deep learning technology.
5.2.2 The deployed anti-malware solution(s):
• Detects all known types of malware.
• Removes, blocks, or contains all known types of
malware.
Endpoint Central has a built-in next gen antivirus engine that proactively detects cyber threats with its AI-assisted, real-time behavior detection and deep learning technology.

Apart from real-time threat detection, Endpoint Central also actively performs incident forensics so that SecOps analyze the root cause and severity of the threats.

If the next gen antivirus engine detects a suspicious behavior in endpoints, it can quarantine those endpoints and, after a thorough forensic analysis, can be deployed back into production.

Endpoint Central also provides instant, non-erasable backup of the files in your network every three hours by leveraging Microsoft's volume shadow copy service.

If a file is infected with ransomware, it can be restored with the most recent backup copy of the file.

5.3.1 The anti-malware solution(s) is kept current via automatic updates. Endpoint Central is configured to perform automatic updates.
5.3.2 The anti-malware solution(s):
• Performs periodic scans and active or real-time scans.
OR
• Performs continuous behavioral analysis of systems or processes.
Endpoint Central's Next Gen Antivirus can do real-time scan whenever a process is created , when a DLL is loaded ,or when a new file in downloaded or introduced into the endpoints. 

Our NGAV also has behavior engine which analyses the processes in the endpoints for suspicious activities. 
5.3.3 (#)

Performs automatic scans of when the media is inserted, connected, or logically mounted

An automated scanning process is triggered whenever any peripheral device tries to connect with an endpoint, be it via plugging or via bluetooth, and performs the audit scan based on the policy created. This is apart from our NGAV initiating scan to detect any presence of malware.


Refer to:
Device scan and audit (#)

5.3.4

Audit logs for the anti-malware solution(s) are enabled and retained in accordance with Requirement 10.5.1.
 

Based on the time period ( eg: 12 months) configured by the admin, the detected incidents can be retained in the console, till the configured time. Our solution also integrates with SIEM tools like Eventlog Analyzer, Splunk, Rapid 7, etc.

5.3.5

Anti-malware mechanisms cannot be disabled or altered by users, unless specifically documented, and authorized by management on a case-by-case basis for a limited time period.
 

Our NGAV is Tamper- proof. It cannot be disabled by the end-users.  Endpoint Central also has Role-based access control so that only limited admins have the access to Endpoint Central console.

5.4.1 (#)

Processes and automated mechanisms are in place to detect and protect personnel against phishing attacks.
 

Endpoint Central leverge its secure browser configurations, especially phishing filters, to protect the end-users against phishing attacks

6.3.1 (#) Security vulnerabilities are identified and managed as follows:
  • New security vulnerabilities are identified using industry-recognized sources for security vulnerability information, including alerts from international and national computer emergency response teams (CERTs).
  • Vulnerabilities are assigned a risk ranking based on industry best practices and consideration of potential impact.
  • Risk rankings identify, at a minimum, all vulnerabilities considered to be a high-risk or critical to the environment.
  • Vulnerabilities for bespoke and custom, and third-party software (for example operating systems and databases) are covered.

Endpoint Central identifies security vulnerabilities in the network, listing down the vulnerabilities according to the priority in which they should be addressed. Remediations can then be triggered from the product console accordingly.


Refer to:
Vulnerability Management (#)

6.3.3

All system components are protected from known vulnerabilities by installing applicable security patches/updates as follows:

  • Patches/updates for critical vulnerabilities (identified according to the risk ranking process at Requirement 6.3.1) are installed within one month of release.

  • All other applicable security patches/updates are installed within an appropriate time frame as determined by the entity’s assessment of the criticality of the risk to the environment as identified according to the risk ranking process at Requirement 6.3.1.

Using its vulnerability assessment and remediation capabilities, Endpoint Central assures all systems in the network are fully covered against critical threats.

The Automated Patch Deployment (APD) functionality grants sysadmins the ability to automatically update any or all missing patches with zero human intervention.

Refer to:
Patch Deployment Process

7.2.1 (#)

The least privileges required (for example, user, administrator) to perform a job function

The PoLP (Principle of Least Privileges) feature included in the application control module supports the concept of lowering wide array of privileges to bare minimum just about enough to perform the function. This feature is not restricted to users, as systems, applications and services are benefited from the same.


Refer to:
Privilege management (#)

7.3.1 (#)

An access control system(s) is in place that restricts access based on a user’s need to know and covers all system components.

Endpoint Central's Application Control module allows the admins to allowlist/ blocklist software applications in your systems. It enforces conditional access policies, ensuring that only authorized users can access critical business systems and sensitive data.

Endpoint Central also has Just-in-time access so that admins can permit temporary/ specific access privileges to end-users.
 

8.2.5

Access for terminated users is immediately revoked.


Endpoint Central helps admins perform remote wipes to ensure corporate data security

8.2.6

Inactive user accounts are removed or disabled within 90 days of inactivity.

Endpoint Central enables IT admins to find the inactive user accounts and remove them.


Refer to:
User Management
Active Directory User Reports

8.2.8 If a user session has been idle for more than 15 minutes, the user is required to re-authenticate to re-activate the terminal or session.

Endpoint Central with its power management configuration can configure the end user machines to perform various activities like dim or turn off the display, prompt the user to enter password when the computer resumes from sleep etc.


Refer to:
Power Management
8.3.1

All user access to system components for users and administrators is authenticated via at least one of the following authentication factors:

  • Something you know, such as a password or passphrase.
  • Something you have, such as a token device or smart card.
  • Something you are, such as a biometric element.

Endpoint Central can aid creating and configuring strong passwords to secure devices and prevent intruders from accessing the organization's endpoints.


Refer to:
Password Policy
MDM Profiles for passcodes
8.3.4 (#)

Invalid authentication attempts are limited by:

  • Locking out the user ID after not more than 10 attempts.
  • Setting the lockout duration to a minimum of 30 minutes or until the user's identity is confirmed.

The vulnerability management features of Endpoint Central lets the IT admin specify the allowed number of password entries, before restricting the account, to prevent unauthorized access. It also enables administrators to set passcode policies for mobile devices running on Android, Apple, and Windows, ensuring end-users create strong passcodes for their devices.

Refer to:
Account Lockout Duration (#)

8.3.7 Individuals are not allowed to submit a new password/passphrase that is the same as any of the last four passwords/passphrases used.

Endpoint Central's mobile device management capabilities allows several passcodes to be maintained in the history, which means an IT admin can specify the number of previous passwords to be maintained, so that users do not reuse them.

Refer to:
MDM Passcode

8.3.9

If passwords/passphrases are used as the only authentication factor for user access (i.e., in any single-factor authentication implementation) then either:
• Passwords/passphrases are changed at least once every 90 days,
OR
• The security posture of accounts is dynamically analyzed, and real time access to resources is automatically determined accordingly.

The MDM functionalities of Endpoint Central can be used to configure password policies that lets you establish certain password characteristics like password length, maximum passcode age etc. You can also generate a custom report with the details of the users who's passwords will soon expire.

Refer to:
MDM Passcode

9.2.3 

Physical access to wireless access points, gateways, networking/communications hardware, and telecommunication lines within the facility is restricted.

Endpoint Central has Wifi policies, Restrictions and Certificate based authentication (for accesing wireless access points) for mobile devices.

9.4.1 (#)

All media with cardholder data is physically secured.

When data is identified and categorized as sensitive data containing PCI relevant details, Endpoint Central with its data loss prevention techniques restricts the critical enterprise data being exposed or leaked by removable storage media or being printed or even copied using clipboard approach.


Refer to:
Device control (#)
Insider threats (#)

9.4.2 (#)

All media with cardholder data is classified in accordance with the sensitivity of the data.

With Endpoint Central's simplified but effective data rules, identifying enterprise critical data containing bank codes, ABA routing numbers, IBAN (International Bank Account Numbers), and credit card numbers is now more effective and precise.


Refer to:
Data discovery (#)
Data classification (#)

11.3.1 (#) Internal vulnerability scans are performed as follows:
  • At least once every three months.
  • Vulnerabilities that are either high-risk or critical (according to the entity’s vulnerability risk rankings defined at Requirement 6.3.1) are resolved.
  • Rescans are performed that confirm all high-risk and all critical vulnerabilities (as noted above) have been resolved.
  • Scan tool is kept up to date with latest vulnerability information.
  • Scans are performed by qualified personnel and organizational independence of the tester exists.

 

Endpoint Central identifies security vulnerabilities in the network, listing down the vulnerabilities according to the priority in which they should be addressed. Remediations can then be triggered from the product console accordingly.

Refer to:

Vulnerability Management (#)

12.2.1  Acceptable use policies for end-user technologies are documented and implemented, including:

• Explicit approval by authorized parties.
• Acceptable uses of the technology.
• List of products approved by the company for employee use, including hardware and software.

 

Endpoint Central can enable Terms of use documents to be deployed on your employees' devices, and only on their agreement does Endpoint Central start managing the device, effectively obtaining user consent for device managements.

Admins can also distribute the organization's Acceptable IT use via its content catalogue.

 

12.3.4 (#)

Hardware and software technologies in use are reviewed at least once every 12 months, including at least the following:

  • Analysis that the technologies continue to receive security fixes from vendors promptly.
  • Analysis that the technologies continue to support (and do not preclude) the entity’s PCI DSS compliance.
  • Documentation of any industry announcements or trends related to a technology, such as when a vendor has announced “end of life” plans for a technology.
  • Documentation of a plan, approved by senior management, to remediate outdated technologies, including those for which vendors have announced “end of life” plans.

Endpoint Central constantly monitors the entity's network for EOL of a software and can also apply security fixes for software when necessary.


Refer to:
Audit End-of-Life software (#)

12.5.1 (#)

An inventory of system components that are in scope for PCI DSS, including a description of function/use, is maintained and kept current.

Endpoint Central maintains an inventory of IT assets with details mapped to the corresponding IT components. Combined with its advanced data loss prevention techniques, Endpoint Central protects sensitive data against the ever growing number of threat vectors.


Refer to:
Scan, manage and protect data (#)
Inventory Management

The essence of PCI DSS compliance is that vendors must demonstrate stringent security measures for systems and processes to protect cardholder information. The disadvantages of not following PCI DSS requirements are several; the brand and reputation of a business might suffer and the business might have to pay heavy penalties, if a data breach were to affect any customer's payment card data.

Endpoint Central helps businesses stay compliant with PCI DSS. It facilitates monitoring and managing systems & mobile devices and provides granular level reports.

Was this article helpful?

Thank you for your feedback!

Sorry about that!

By clicking "Submit", you agree to processing of personal data according to thePrivacy Policy.
Back to Top