PCI Compliance

The Payment Card Industry Data Security Standard (PCI DSS) was developed to set common standards for securing cardholder data. PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. It applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers, as well as any other entity that stores, processes, or transmits cardholder data (CHD).

What is PCI?

Under the PCI DSS, there are 12 different requirements concerning the security of cardholder data. All businesses that accept, store, process, or transmit card information online or offline must adhere to the requirements. Please refer to the following summary for the requirements.

Requirement / Requirement Description
Build and Maintain Secure Network and Systems
  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  • Protect all systems against malware and regularly update anti-virus software or programs
  • Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  • Restrict access to cardholder data by business need to know
  • Identify and authenticate access to system components
  • Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
Maintain an Information Security Policy
  • Maintain a policy that addresses information security for all personnel

How does Mobile Device Manager Plus help?

Mobile Device Manager Plus covers the requirements that apply to mobile devices used in the business, whereas Endpoint Central can be used to achieve compliance for the desktops and servers in use.

Requirement / Requirement Description / How Mobile Device Manager Plus achieves it
Requirement 1.4: Install personal firewall software on any mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network.

How Mobile Device Manager Plus achieves it: Mobile Device Manager Plus provides the ability to install firewall applications and allows IT admins to monitor the status of applications through an inventory console. Application management also restricts users from uninstalling applications deployed by Mobile Device Manager Plus.

Requirement 2.1: Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.

How Mobile Device Manager Plus achieves it: Mobile Device Manager Plus allows the creation and configuration of stringent passcode policies so that devices are not left protected only by weak or default credentials, reducing the chance of unauthorized access.

Requirement 2.4: Maintain an inventory of system components that are in scope for PCI DSS.

How Mobile Device Manager Plus achieves it: Mobile Device Manager Plus periodically scans the mobile devices in the network to collect hardware and software details and stores them in its database. IT admins can then obtain up-to-date asset and inventory information in the form of reports.
Requirement 7.1.1: Define access needs for each role, including:

  • System components and data resources that each role needs to access for their job function
  • Level of privilege required (for example, user, administrator, etc.) for accessing resources

How Mobile Device Manager Plus achieves it: Mobile Device Manager Plus' RBAC (Role Based Access Control) lets IT personnel delegate routine activities to chosen users with well-defined permission levels. The IT manager can define any number of roles and assign permissions based on policy needs.

Requirement 8.1.4: Remove/disable inactive user accounts at least every 90 days.

How Mobile Device Manager Plus achieves it: Mobile Device Manager Plus notifies IT admins when a device has been inactive for a specified number of days. This notification keeps the IT admin informed about the status of each device in the enterprise network, so inactive devices can be acted on.

Requirement 8.1.6: Limit repeated access attempts by locking out the user ID after not more than six attempts.

How Mobile Device Manager Plus achieves it: Mobile Device Manager Plus lets the IT admin set a permissible limit on the number of passcode attempts for the user. If the number of failed passcode attempts exceeds that limit, the data on the device is wiped.

Requirement 8.1.7: Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID.

How Mobile Device Manager Plus achieves it: Mobile Device Manager Plus lets the IT admin specify the time limit after which the device screen is locked. If the device is idle for longer than the allowed time, it is locked automatically.

Requirement 8.2.3: Passwords/phrases must meet the following:

  • Require a minimum length of at least seven characters
  • Contain both numeric and alphabetic characters

How Mobile Device Manager Plus achieves it: Mobile Device Manager Plus lets IT admins define the parameters of a passcode policy and configure passcode settings, such as the minimum passcode length and whether numeric and alphabetic characters are required.

Requirement 8.2.4: Change user passwords/passphrases at least every 90 days.

How Mobile Device Manager Plus achieves it: Mobile Device Manager Plus provides an option to specify the number of days after which the passcode must be reset.

Requirement 8.2.5: Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used.

How Mobile Device Manager Plus achieves it: Mobile Device Manager Plus maintains a passcode history: an IT admin can specify the number of previous passcodes to retain, so that users cannot reuse them.
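The passcode controls in requirements 8.1.6, 8.2.3, 8.2.4 and 8.2.5 above are easiest to reason about as one small policy model. The following is an added illustration written for this page, not Mobile Device Manager Plus code and not the product's configuration format; the class and parameter names (PasscodePolicy, history_depth, max_failed_attempts, etc.) are assumptions chosen to mirror the requirement text, and the sample passcodes and dates are constructed. It evaluates a candidate passcode against length, character composition and reuse history, flags an expired passcode, and tracks failed attempts up to the lockout threshold.

```python
"""Passcode policy model for PCI DSS 8.1.6, 8.2.3, 8.2.4 and 8.2.5.

Added example: not Mobile Device Manager Plus code. All names below are
assumptions chosen to mirror the wording of the requirements.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib


@dataclass
class PasscodePolicy:
    min_length: int = 7            # 8.2.3: at least seven characters
    require_alpha: bool = True     # 8.2.3: contain alphabetic characters
    require_digit: bool = True     # 8.2.3: contain numeric characters
    max_age_days: int = 90         # 8.2.4: change at least every 90 days
    history_depth: int = 4         # 8.2.5: no reuse of the last four
    max_failed_attempts: int = 6   # 8.1.6: lock out after at most six


def digest(passcode: str) -> str:
    # History should hold digests, never plaintext passcodes. SHA-256 keeps
    # the example dependency-free; a real store would use a slow, salted KDF.
    return hashlib.sha256(passcode.encode("utf-8")).hexdigest()


def check_new_passcode(policy: PasscodePolicy, candidate: str,
                       history_digests: list) -> list:
    """Return the list of violated requirements; empty means compliant."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters (8.2.3)")
    if policy.require_alpha and not any(c.isalpha() for c in candidate):
        problems.append("no alphabetic character (8.2.3)")
    if policy.require_digit and not any(c.isdigit() for c in candidate):
        problems.append("no numeric character (8.2.3)")
    # Only the most recent history_depth entries count as "last N used".
    recent = history_digests[-policy.history_depth:] if policy.history_depth else []
    if digest(candidate) in recent:
        problems.append(f"matches one of the last {policy.history_depth} passcodes (8.2.5)")
    return problems


def passcode_expired(policy: PasscodePolicy, last_changed: date, today: date) -> bool:
    """8.2.4: a passcode older than max_age_days must be reset."""
    return (today - last_changed) > timedelta(days=policy.max_age_days)


@dataclass
class DeviceState:
    failed_attempts: int = 0
    locked: bool = False


def record_failed_attempt(policy: PasscodePolicy, state: DeviceState) -> bool:
    """8.1.6: count a failed unlock; return True once the lockout threshold is hit.

    The page notes the product's response at this point is a device wipe;
    here the state is only marked locked so the logic is easy to test.
    """
    state.failed_attempts += 1
    if state.failed_attempts >= policy.max_failed_attempts:
        state.locked = True
    return state.locked


def record_success(state: DeviceState) -> None:
    # A successful unlock resets the failure counter.
    state.failed_attempts = 0


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    policy = PasscodePolicy()
    history = [digest(p) for p in ["spring24a", "summer24b", "autumn24c", "winter24d"]]
    print(check_new_passcode(policy, "summer24b", history))   # reuse of a recent passcode
    print(check_new_passcode(policy, "newpass25", history))   # compliant: []
    print(passcode_expired(policy, date(2024, 1, 1), date(2024, 4, 1)))
    state = DeviceState()
    for _ in range(policy.max_failed_attempts):
        record_failed_attempt(policy, state)
    print(state.locked)
```

The same checks would apply to a passcode policy pushed to devices by an MDM product; the value of writing them out is seeing that "last four" is a sliding window over the history, that the 90-day clock is measured from the last change rather than from enrollment, and that the lockout counter must be reset on success or a legitimate user accumulates failures across days.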

Requirement 12.3: Develop usage policies for critical technologies and define proper use of these technologies.

How Mobile Device Manager Plus achieves it: Mobile Device Manager Plus lets IT admins enforce policies such as passcode configuration and restrictions on the use of the camera, YouTube, the Safari browser, etc. It also provisions access to corporate resources such as email, Wi-Fi, VPN, and more.

Requirement 12.3.9: Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use.

How Mobile Device Manager Plus achieves it: With Mobile Device Manager Plus, a remote session can be initiated only after the end user grants permission on the device. Once the required troubleshooting or session is completed, the session can be deactivated.

Requirement 12.5.4: Administer user accounts, including additions, deletions, and modifications.

How Mobile Device Manager Plus achieves it: Mobile Device Manager Plus' RBAC (Role Based Access Control) enables configuration of user roles, including role creation, modification, and deletion.

Requirement 12.5.5: Monitor and control all access to data.

How Mobile Device Manager Plus achieves it: Mobile Device Manager Plus enables the IT admin to apply restrictions and policies that control access to the data on the mobile devices.

Refer to this document to learn how to get PCI compliant with Endpoint Central.