Comply with Encryption, Key Management and Logging Requirements of the PCI DSS (Payment Card Industry Data Security Standard)
nuBridges offers software solutions to bring you into
compliance with the encryption, encryption key management
and logging provisions of the Payment Card Industry Data
Security Standard. Join the many prominent brands that trust
nuBridges Protect™ software to encrypt millions of credit
card numbers, centrally manage the associated encryption
keys throughout their lifecycle and pass audits.
While PCI DSS compliance covers a broad set of requirements
to assure that merchants meet minimum levels of security,
encryption is one of the most powerful elements of the
standard. Why?
If credit card information is encrypted at rest and in motion, and the keys are adequately protected,
even if a breach occurs, it’s a non-event (and doesn’t need to be reported!) – the thieves have taken gibberish.
Whether you’re in the retail, insurance, banking, brokerage, education, hospitality, entertainment, healthcare or transportation business,
nuBridges can make it easier to comply with PCI DSS – and protect your brand using best practices for securing data at rest and in transit.
“nuBridges has proved to be more than
just a software company. They have been a valuable partner
in developing a secure eBusiness strategy for our company.”
“Their knowledge of PCI compliance combined with the company’s technical
solutions has allowed us to quickly establish a framework
that will protect our customers and meet our compliance
objectives.”
Bernie Rominski, IT
Security Officer, Regis Corporation
nuBridges is also an ideal choice for software application vendors who are getting pressure from their customers to demonstrate
compliance with the Payment Application Security Mandates that kick in in 2008.
Designed to Minimize IT Disruption
nuBridges Protect is designed to make it easier for IT to make your operations PCI DSS compliant. Here are just a few examples:
- No database or file layout changes required:
encrypt a 16-digit credit card number without
changing your pre-defined file layout, your
application screens or your reports
- No database downtime during encryption:
encryption processes run in the background, allowing
high-availability systems to remain active
- Distributed encryption with centralized key
management that does not require a persistent
connection between the hub and the spokes – the
optimum in performance and availability
Designed to Pass PCI DSS Compliance Audits
At nuBridges we take responsibility for monitoring the PCI
DSS standard and building ongoing compliance into our
products. As a participating organization on the PCI Data
Security Council, we take an active role in reviewing and
recommending changes to the PCI DSS. This involvement
enables us to help our customers pass their annual security
audits and maintain PCI compliance year after year.
Auditors perform a gap analysis across your information
supply chain to identify where credit card data resides
throughout the process and assess if it is protected in
compliance with the PCI DSS.
Simply encrypting data is not enough to pass PCI DSS audits.
The mandates require that keys are rotated (at least)
annually, and specify how keys need to be handled (unsafe
keys equal unsafe data). Most home-grown or simple
encryption solutions don’t support compliant encryption key
lifecycle management. nuBridges has it all covered.
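As an added illustration of what compliant key lifecycle management involves (this is example code written for this page, not nuBridges’ design or product code), the sketch below versions encryption keys: each stored record carries the version it was encrypted under, rotation introduces a new version while older versions remain decrypt-only so records can be re-encrypted, and a retired version fails closed. AES-256-GCM and the 4-byte version header are choices of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// KeyRing is a hypothetical key-lifecycle store (not nuBridges' design): version n
// lives at keys[n-1], retired versions are nil, and only the newest version encrypts.
type KeyRing struct{ keys []cipher.AEAD }
// Rotate issues a fresh 256-bit key as the next version and makes it current.
func (kr *KeyRing) Rotate() error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	block, _ := aes.NewCipher(k) // cannot fail for a 32-byte key
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	kr.keys = append(kr.keys, g)
	return nil
}

func (kr *KeyRing) Retire(version uint32) { kr.keys[version-1] = nil } // destroy a version; re-encrypt its records first
func KeyVersion(rec []byte) uint32 { return binary.BigEndian.Uint32(rec[:4]) } // version a record was encrypted under

// Encrypt stores version || 12-byte nonce || AES-GCM ciphertext+tag; the version header is AAD, so it cannot be swapped.
func (kr *KeyRing) Encrypt(pan string) ([]byte, error) {
	cur := uint32(len(kr.keys)) // caller must have called Rotate at least once
	rec := make([]byte, 16, 16+len(pan)+16) // 4-byte version + 12-byte nonce, room for ciphertext + tag
	binary.BigEndian.PutUint32(rec, cur)
	if _, err := rand.Read(rec[4:16]); err != nil { // fresh random nonce per record
		return nil, err
	}
	return kr.keys[cur-1].Seal(rec, rec[4:16], []byte(pan), rec[:4]), nil
}

// Decrypt uses the record's own key version; a retired or unknown version fails closed.
func (kr *KeyRing) Decrypt(rec []byte) (string, error) {
	if len(rec) < 32 { // header + nonce + at least the 16-byte tag
		return "", fmt.Errorf("record too short")
	}
	v := KeyVersion(rec)
	if v == 0 || int(v) > len(kr.keys) || kr.keys[v-1] == nil {
		return "", fmt.Errorf("key version %d is retired or unknown", v)
	}
	pt, err := kr.keys[v-1].Open(nil, rec[4:16], rec[16:], rec[:4])
	return string(pt), err
}
```

A rotation job would walk the stored records, call Decrypt and then Encrypt on each so they move to the current version, and only then Retire the old version.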
Another reason organizations fail audits is because they do
not have a DMZ buffer zone between computers that contain
credit card numbers and external systems that exchange
information with those computers for any reason. Under PCI DSS, it is not acceptable to transmit information to
business partners from an internal computer that contains
credit card data. This is meant to protect that credit card
data from theft.
While it is standard practice for encryption solutions to
protect data at rest, only nuBridges also protects data in
motion—data that is being transmitted between, for example,
a point-of-sale system to the store network server and back
to corporate headquarters.
nuBridges solutions integrate with numerous
point of sale, loss prevention & fraud detection, enterprise logging,
merchandising, customer relationship management and loyalty
information systems to protect data at rest and in motion.
Background
If you process, store or transmit credit card numbers, you
must comply with the requirements of the PCI DSS or risk
fines and revocation of your ability to process credit card
payments.
The PCI DSS was developed by a coalition of credit card
companies that founded the PCI Security Standards Council,
including American Express, Discover Financial Services, JCB
International, MasterCard Worldwide and Visa. Its goal is to
help organizations proactively protect customer credit card
data using measures that are consistent on a global basis.
Larger merchants and payment card service providers must
validate their compliance with the PCI DSS periodically via
Qualified Security Assessors (PCI Security Council-approved
auditors). Smaller merchants are allowed to perform a
self-assessment questionnaire describing the protections
they have in place.
Today, nuBridges is an active member of the PCI Security
Standards Council so that we have early visibility into
changes in the PCI DSS requirements, and proactively enhance
our products to keep our customers compliant.
The PCI DSS comprises 12 mandates clustered into 6 subject
areas. The checkmarks indicate areas where nuBridges can
help:
| Subject area | Req. | Requirement | nuBridges can help |
| --- | --- | --- | --- |
| Build and Maintain a Secure Network | 1 | Install and maintain a firewall configuration to protect cardholder data | ✓ |
| | 2 | Do not use vendor-supplied defaults for system passwords and other security parameters | |
| Protect Cardholder Data | 3 | Protect stored cardholder data | ✓ |
| | 4 | Encrypt transmission of cardholder data across open, public networks | ✓ |
| Maintain a Vulnerability Management Program | 5 | Use and regularly update anti-virus software | |
| | 6 | Develop and maintain secure systems and applications | |
| Implement Strong Access Control Measures | 7 | Restrict access to cardholder data by business need-to-know | ✓ |
| | 8 | Assign a unique ID to each person with computer access | |
| | 9 | Restrict physical access to cardholder data | |
| Regularly Monitor and Test Networks | 10 | Track and monitor all access to network resources and cardholder data | ✓ |
| | 11 | Regularly test security systems and processes | |
| Maintain an Information Security Policy | 12 | Maintain a policy that addresses information security | |
nuBridges also offers complementary
solutions for managed
file transfer to protect all your sensitive data in motion –
because all industries are getting better at protecting data
at rest, thieves are targeting data in transit. nuBridges
can provide end-to-end protection for your data at rest and
in transit. More specifically,
nuBridges Exchange™ helps you
meet the PCI DSS requirement to protect credit card data in
transit by creating a DMZ buffer zone between the Internet
and your internal systems.