Achieving Payment Card Industry (PCI) DSS Compliance with
Aladdin Security Solutions

The Payment Card Industry Data Security Standard (PCI DSS) was created by the world’s major credit card companies to protect customer data. The primary purpose of PCI DSS is the protection of credit card data by reducing fraud and theft. PCI DSS mandates that any merchants or service providers that handle, transmit, store or process information concerning the major credit cards, or related card data, are required to meet PCI standards or face penalties and/or severance by the credit card companies.

PCI DSS is a proactive security standard that defines requirements for security management, policies, procedures, network architecture, software design and other security measures. Aladdin is highly suited to meet and exceed PCI DSS requirements by providing unique and effective security solutions for merchants and service providers that must meet PCI standards.

As illustrated in the following table, there are six primary areas covered by PCI DSS, divided into 12 requirements, with each being met by Aladdin’s eSafe and eToken solutions:

1. Build and maintain a secure network
   • Install and maintain firewall configurations
     eSafe acts like an X-Ray machine behind the firewall by inspecting the content being sent, and not just the sender. Firewalls allow access only to secure connections, but even safe connections can transfer harmful content, which eSafe can filter.
   • Do not use vendor-supplied or default passwords
     eToken replaces weak passwords with strong, two-factor authentication and also eliminates the need for risky and costly password maintenance schemes with eToken Single Sign-On.
2. Protect cardholder data
   • Protect stored data
     eSafe protects computers and networks at the Web gateway from random and intentional attacks intended to alter, destroy, or steal stored data by blocking both known and unknown threats, as well as unauthorized inbound and outbound traffic. eToken ensures that only authorized users are able to access the network and thus access to stored data. It also seamlessly integrates with all third-party disk encryption providers, enhancing security by ensuring that encryption keys are not exposed to untrusted and vulnerable PC environments.
   • Encrypt transmissions of cardholder data across public networks
     eToken enables email encryption and digital signing, with on-board generation and secure storage of PKI keys and certificates.
3. Maintain a vulnerability management program
   • Use and regularly update anti-virus software
     eSafe is a CheckMark and ICSA-certified antivirus solution with its own AV engine, providing proactive protection against unknown threats and exploits, and 100% protection against "in-the-wild" viruses. Regular automatic updates are provided through built-in autoupdate mechanisms.
   • Develop and maintain secure systems and applications
     eToken helps organizations apply security controls by ensuring that users are who they say they are, whether within the network or remotely. eSafe allows organizations to tightly enforce security policy and maintain secure networks by protecting against spyware, keyloggers, and attempts to bypass security using anonymous proxies.
4. Implement Strong Access Control Measures
   • Restrict access to "need-to-know"
     eToken provides strong authentication support for role-based access control solutions, ensuring the highest possible level of control over who is accessing data. The eToken Token Management System (TMS) links users, devices, organizational rules, and security applications in a single automated and fully configurable system, making the implementation of token-based security solutions easily manageable.
   • Assign unique IDs to each person with computer access
     eToken provides a unique ID for users, based on the high security of two-factor authentication: users must not only know their username and password, but also have possession of their physical eToken to gain access.
   • Restrict physical access to cardholder data
     eToken can be shipped with all market-leading RFID coils to deliver both physical and logical access controls in one device.
5. Regularly monitor and test networks
   • Monitor and track all access to network resources and cardholder data Equipped with auditing and reporting capabilities, the eToken Token Management System enables the monitoring and control of data access. eSafe features a comprehensive reporting module that provides pre-set, customizable, and graphical reports on attempted network attacks as well as any unauthorized outbound communications that may contain cardholder data or network access credentials.
   • Regularly test security systems and processes
     The eSafe Web Threat Analyzer (WTA) security audit helps easily identify web-borne threats – which make up the vast majority of malware today -- that often bypass traditional security solutions such as firewalls, gateway antivirus, and intrusion prevention systems. The eSafe WTA also identifies any machine on a network that is infected with spyware and is “calling home” by sending organizational information to an unauthorized recipient outside the organization.
6. Maintain an Information Security Policy
   • Maintain a policy that addresses information security
     Aladdin solutions provide strong controls over network access and content security, and eliminate common methods used to bypass organizational security – allowing organizations to more easily enforce their security policy.

• Download the eToken PCI Datasheet
• Download the eSafe PCI Datasheet

For more information on how Aladdin can help your organization meet the Payment Card Industry Data Security Standard, contact an Aladdin representative.