PCI DSS Compliant with 2X RAS - Overview
One of the major challenges facing organizations that accept credit card payments and handle cardholder information is building systems and networks that comply with PCI DSS (the Payment Card Industry Data Security Standard).
The challenges of building a PCI DSS compliant network are many and depend on several factors, for example the software in use, the network design and day-to-day operations. Organizations that process credit card payments and store cardholder details but fail to keep their networks and computer systems compliant run the risk of fines of up to $25,000 per month or of having their trading licence revoked.
This whitepaper explains the PCI DSS standard and its requirements, and shows how organizations can use 2X Remote Application Server to build scalable, PCI DSS compliant networks and data processing systems at a fraction of the cost and with minimal administration overhead.
What is PCI DSS?
PCI DSS is a security standard developed by the PCI Security Standards Council. Businesses that accept credit card payments must adhere to it in order to protect the privacy and security of their customers' payment records, such as credit card details and other cardholder data.
The controls defined in PCI DSS are the minimum level of computer systems security that must be in place wherever card data is handled. They therefore apply to merchants, processors, financial institutions, service providers and any other entity that stores, processes or transmits credit card and cardholder information. Below is a summary of the twelve requirements (wording as in PCI DSS v3.x):
Build and Maintain a Secure Network and Systems
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs.
Requirement 6: Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need to know.
Requirement 8: Identify and authenticate access to system components.
Requirement 9: Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security for all personnel.
It is evident that the PCI DSS requirements cover all aspects of the business: physical access to servers, maintaining an information security policy, personnel training and much more. Each business must therefore invest in building up and maintaining an information security policy and in training employees so that they are aware of the threats that exist today. For many of the remaining, technical requirements, organizations can use 2X Remote Application Server, as described below.
Introduction to 2X Remote Application Server
2X Remote Application Server is a server software solution developed by 2X Software that enables organizations to build their own private secure cloud and provide vendor-independent virtual desktop and application delivery from a single centralized platform.
2X Remote Application Server extends Windows Terminal Services by using a customized shell and virtual channel extensions over the Microsoft RDP protocol. It supports all major hypervisors from Microsoft, VMware, Citrix and others, enabling the publishing of virtual desktops and applications to the 2X Client. Apart from cutting down on costs, organizations using 2X Remote Application Server will also improve their productivity by being able to easily deliver applications, desktops and data to anyone, anywhere.
Basic 2X Remote Application Server Implementation
All published applications and desktops run on servers inside the data center, so every user accessing these resources is effectively a remote user. Users reach the published applications and desktops through native clients, such as the 2X Client, or through a web-based client. Because the client only receives the session's display output and sends back keyboard and mouse input, the underlying data and published resources never leave the private cloud.
Build PCI DSS Compliant Networks with 2X Remote Application Server
2X Remote Application Server enables organizations to build secure private clouds and PCI DSS compliant networks without spending a fortune. This section goes through each software-, network- and security-related PCI DSS requirement and explains how, by deploying 2X Remote Application Server, organizations can provide access to cardholder data in a secure and compliant way. Implementing 2X Remote Application Server as a private cloud lays the foundation of a secure network: all the sensitive data and the servers that hold it sit in one centralized location, segregated from the rest of the network, which makes the remaining controls far easier to apply and to audit.
PCI DSS Compliant - Protect Cardholder Data
With 2X Remote Application Server, all the sensitive data is stored in the secure private cloud and can only be reached through applications and virtual desktops published by 2X Remote Application Server. Sensitive data such as cardholder data therefore never leaves the data center, even when a user accesses it through a published application from a remote location.
Administrators can also enable SSL encryption on the 2X SecureClient Gateway (the connection point to which users connect) so that all communication between the end user and 2X Remote Application Server travels over an encrypted channel. Note that PCI DSS 3.1 and later no longer accept SSL or early TLS as strong cryptography, so the gateway should be configured to negotiate TLS 1.2 or later and to refuse older protocol versions.
PCI DSS Compliant - Maintain a Vulnerability Management Program
Systems administrators know very well that applying security patches is a problematic task. Compatibility issues, software crashes, user permission problems and unsupported hardware are just a few of the issues administrators encounter when patching. There is no way to avoid it: administrators have to install vendor-released security patches to ensure the security of their network and sensitive data.
By using 2X Remote Application Server, the process of applying security patches and ensuring that everyone runs the latest, most secure software becomes easy. Administrators only have to update the single instance of the application running in the cloud, which everyone accesses. Administrators can also use the Thin Client Manager to convert their Windows XP machines into locked-down user terminals, or run the 2X OS operating system on thin clients, to reduce the administration overhead of patching endpoints. Bear in mind that Windows XP stopped receiving security updates in April 2014, so an XP-based terminal can only satisfy Requirement 6 if it is isolated to the point where nothing but the 2X Client runs on it and it is not reachable from untrusted networks.
PCI DSS Compliant - Implement Strong Access Control Measures
Microsoft's Active Directory, the directory service used by most businesses and organizations, authenticates users with Kerberos, one of the strongest authentication mechanisms in common use. If your business is using Active Directory, 2X Remote Application Server automatically authenticates users against it, so systems administrators do not have to maintain a separate, and potentially weaker, third-party user database or set of credentials.
Apart from authenticating users with Active Directory, administrators can use 2X Remote Application Server filtering rules to restrict access to sensitive data on a business need-to-know basis. Filtering rules allow administrators to restrict access to published resources that expose cardholder details by user or group, MAC address, IP address and several other criteria. Because MAC and IP addresses can be spoofed, treat address-based rules as a supplement to user and group restrictions rather than a replacement for them.
Two-factor authentication has become common, especially in financial institutions such as banks and investment companies. 2X Remote Application Server supports two-factor authentication as well: it can be integrated with a RADIUS server, or with other authentication servers such as a SafeNet server, so that users are authenticated against these services before they can reach any of the sensitive data stored in the private cloud.
PCI DSS Compliant - Regularly Monitor and Test Networks
Since all user access goes through 2X Remote Application Server, it is easier for administrators to monitor who is accessing which data. By default, 2X Remote Application Server keeps an audit log in which administrators can find the details of each user connection: the authenticated user, the source from which the user connected, the time, and the resource the user accessed.
Apart from the default audit log, several other types of logs can be enabled in the 2X Remote Application Server farm, and monitoring features such as the monitoring report and the client manager help administrators keep track of activity on their network, servers and private cloud and spot suspicious behaviour immediately. To meet Requirement 10 in full, these logs also have to be reviewed regularly and retained (PCI DSS asks for at least one year of history, with three months immediately available), so forward them to a central log server rather than leaving them only on the 2X servers.
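Centralized access logs are only useful under Requirement 10 if someone actually looks at them. The following script is an added example, not part of this whitepaper or of 2X's software; it shows the kind of automated review a practitioner would run over the four fields the audit log is described as containing (user, source, time, resource). The record layout, the application names, the allowed source networks and the business-hours window are all constructed assumptions for illustration; adapt parse_record() to the format your gateway actually writes.

```python
"""Review constructed audit records for suspicious access to cardholder-data apps.

Added example. The record format below is an assumption for illustration and
is NOT the real 2X Remote Application Server audit-log format.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumptions (not from the whitepaper): which published apps expose cardholder
# data, which source networks may reach them, and what counts as business hours.
CDE_APPS = {"CardPortal", "ChargebackDesk"}
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.20.0.0/24"),  # call-centre LAN (assumed)
    ipaddress.ip_network("10.30.5.0/24"),  # finance VLAN (assumed)
]
BUSINESS_HOURS = range(7, 20)          # 07:00 to 19:59 local time
TRAVEL_WINDOW = timedelta(minutes=10)  # same user from two sources within this window

# Constructed sample records: timestamp | user | source IP | published resource
SAMPLE_LOG = """\
2014-09-01T08:02:11 DOMAIN\\alice 10.20.0.15 CardPortal
2014-09-01T08:05:40 DOMAIN\\bob 10.30.5.8 ChargebackDesk
2014-09-01T08:06:02 DOMAIN\\alice 192.0.2.77 CardPortal
2014-09-01T12:15:09 DOMAIN\\carol 10.20.0.31 Intranet
2014-09-01T23:41:55 DOMAIN\\bob 10.30.5.8 CardPortal
2014-09-01T09:10:00 DOMAIN\\dave 10.20.0.44 ChargebackDesk
"""


@dataclass(frozen=True)
class Record:
    when: datetime
    user: str
    source: ipaddress.IPv4Address | ipaddress.IPv6Address
    resource: str


def parse_record(line: str) -> Record:
    """Parse one whitespace-separated record of the constructed format."""
    ts, user, src, resource = line.split()
    return Record(datetime.fromisoformat(ts), user, ipaddress.ip_address(src), resource)


def parse_log(text: str) -> list[Record]:
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def in_allowed_source(addr) -> bool:
    return any(addr in net for net in ALLOWED_SOURCES)


def find_anomalies(records: list[Record]) -> list[tuple]:
    """Return (time, user, finding, detail) tuples for cardholder-data app access that
    comes from an unapproved network, happens outside business hours, or shows the
    same user arriving from two different sources within TRAVEL_WINDOW."""
    findings = []
    seen_by_user: dict[str, list[Record]] = defaultdict(list)
    for rec in sorted(records, key=lambda r: r.when):
        if rec.resource not in CDE_APPS:
            continue  # non-CDE resources are outside these checks
        if not in_allowed_source(rec.source):
            findings.append((rec.when, rec.user, "cde-access-from-unapproved-source", str(rec.source)))
        if rec.when.hour not in BUSINESS_HOURS:
            findings.append((rec.when, rec.user, "cde-access-outside-business-hours", rec.resource))
        for prev in seen_by_user[rec.user]:
            if prev.source != rec.source and rec.when - prev.when <= TRAVEL_WINDOW:
                findings.append((rec.when, rec.user, "same-user-two-sources", f"{prev.source} -> {rec.source}"))
                break
        seen_by_user[rec.user].append(rec)
    return findings


if __name__ == "__main__":
    for when, user, kind, detail in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{when.isoformat()} {user:<14} {kind:<36} {detail}")
```

Run against the constructed sample, the script flags alice's second connection (from 192.0.2.77, outside the approved networks and within ten minutes of her LAN session) and bob's late-night CardPortal session; carol's Intranet access is ignored because it is not a cardholder-data application. Tune the thresholds to your own environment and feed the real log into parse_record().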
PCI DSS Compliant Local Network Implementation
The diagram below (not reproduced here) shows how 2X Remote Application Server can be deployed in a LAN environment to build a PCI DSS compliant network. The features organizations benefit from in this scenario are:
- Applications used to access cardholder data are segregated from the LAN.
- The credit card details database is segregated from the LAN.
- PCI applications are only available through a central location: 2X Remote Application Server.
- All sensitive data are stored in a central location.
- Users access PCI applications over an SSL-encrypted connection.
- Sensitive cardholder data never leaves the private cloud.
- Only session display and input data are transferred between the user and the private cloud.
PCI DSS Compliant Network with Remote Access Implementation
The diagram below (not reproduced here) shows how 2X Remote Application Server can be deployed to build a PCI DSS compliant network that also serves remote users. The features organizations benefit from in this scenario are:
- All of the benefits that apply to the local area network implementation mentioned in the previous section.
- Remote users can access PCI applications by using the 2X Client, which can run on any modern operating system and mobile device.
- Remote users can access PCI applications from a standard HTML5 browser over an HTTPS session.
- Multiple firewalls allow for segregation of private cloud, local area network, DMZ and corporate network.
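The segregation that the two deployment scenarios rely on is only as good as the firewall policy between the zones. The ruleset below is an added example, not a configuration from the whitepaper or from 2X, written in nftables syntax for a Linux firewall sitting between the user LAN, the DMZ that hosts the 2X SecureClient Gateway, and the private cloud. The interface names, addresses and the database port (1433) are assumptions for illustration; HTTPS on 443 follows from the whitepaper's statement that users connect over SSL/HTTPS, and 3389 is simply the RDP default. The point it makes: users can reach only the gateway, only the gateway can reach the session hosts, and only the session hosts can reach the cardholder-data database, with everything else logged and dropped.

```nftables
# Added example (not from the whitepaper). Assumed topology:
#   lan0 = user LAN, 10.20.0.0/24
#   dmz0 = DMZ holding the 2X SecureClient Gateway at 10.50.0.10
#   pci0 = private cloud session hosts, 10.60.0.0/24
#   db0  = cardholder-data database at 10.60.1.5 (port 1433 is an assumption)
#
# Weak setting this replaces: a single "iifname lan0 oifname pci0 accept" rule,
# which lets every workstation reach the session hosts and database directly
# and makes the gateway, and the segregation, pointless.

table inet pci_segmentation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Requirement 4: users reach only the gateway, only over HTTPS
        iifname "lan0" oifname "dmz0" ip daddr 10.50.0.10 tcp dport 443 accept

        # Only the gateway brokers RDP into the private cloud
        iifname "dmz0" oifname "pci0" ip saddr 10.50.0.10 ip daddr 10.60.0.0/24 tcp dport 3389 accept

        # Requirement 7: only the session hosts may talk to the database
        iifname "pci0" oifname "db0" ip saddr 10.60.0.0/24 ip daddr 10.60.1.5 tcp dport 1433 accept

        # Requirement 10: everything else (including LAN -> private cloud) is logged, then dropped
        log prefix "pci-seg-drop: " drop
    }
}
```

Load it with nft -f and confirm with a port scan from a LAN workstation that nothing in 10.60.0.0/24 or 10.60.1.5 answers; the remote-access scenario adds a second firewall in front of the DMZ that admits only 443 from the Internet to the gateway.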
PCI DSS Compliant - Other 2X Remote Application Server Benefits
Apart from meeting the PCI DSS requirements, there are several other features organizations can benefit from when using 2X Remote Application Server on their networks.
Centralized Configuration Console and Multisite Support
When using 2X Remote Application Server, administrators can build, expand, manage and maintain private clouds in several remote locations through a single configuration console, with no steep learning curve.
Multiple Administrators and Roles Make Delegation Easier
Delegating administrative tasks has never been easier. Administrators can assign different 2X Remote Application Server roles to Active Directory users so that each administrator account can configure and maintain a specific function. For example, an administrator can manage the publishing of applications and other resources for a specific site.
Improve BYOD Policies and Productivity
The 2X Client can run on every modern operating system and mobile devices such as iPhones, iPads and Android devices, therefore users can use any device they want to connect to the private cloud and access applications to do their work.
PCI DSS Compliant - Conclusion
2X Remote Application Server allows administrators to build a secure private cloud in which all sensitive data is centralized and reached only through published applications and virtual desktops, giving them a network that can be made PCI DSS compliant.
Since all the data is centralized and accessed only through resources published by 2X Remote Application Server, the network is easier to manage, maintain and audit, and since only session display and input data are exchanged between the user and 2X Remote Application Server, the exposure of the data is drastically reduced, provided that client-side redirection features (clipboard, drives, printers) are disabled for sessions that handle cardholder data, as they would otherwise let the data leave the private cloud.
The PCI Security Standards Council is composed of the five global payment brands: American Express, Discover Financial Services, JCB International, MasterCard and Visa Inc. See https://www.pcisecuritystandards.org/
2X Remote Application Server solution guide for banks and other financial institutions: http://www.2x.com/banking-application-virtualization/
More 2X Remote Application Server solution guides for other industries: http://www.2x.com/learn/solutions/