PCI Compliance

The following document elaborates on how Endpoint Central can help enterprises achieve certain requirements of PCI DSS compliance. To know the detailed list of all Zoho/ManageEngine products that are compliant with PCI DSS and other regulatory standards, refer to Compliance at Zoho.

Ensuring Endpoint Central Compliance to Payment Card Industry (PCI) Data Security Standard

The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance payment card account data security and to facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. While specifically designed to focus on environments with payment card account data, PCI DSS can also be used to protect against threats and secure other elements in the payment ecosystem.

Under PCI DSS, there are 12 requirements concerning the security of cardholder data. All businesses that accept, store, process, or transmit card information, online or offline, must adhere to these requirements. Please refer to the following summary.

PCI DSS Overview

Goal and the PCI DSS requirements that serve it
Build and maintain a secure network and systems
  • Requirement 1: Install and maintain network security controls.
  • Requirement 2: Apply secure configurations to all system components.
Protect account data
  • Requirement 3: Protect stored account data.
  • Requirement 4: Protect cardholder data with strong cryptography during transmission over open, public networks.
Maintain a vulnerability management program
  • Requirement 5: Protect all systems and networks from malicious software.
  • Requirement 6: Develop and maintain secure systems and software.
Implement strong access control measures
  • Requirement 7: Restrict access to system components and cardholder data by business need to know.
  • Requirement 8: Identify users and authenticate access to system components.
  • Requirement 9: Restrict physical access to cardholder data.
Regularly monitor and test networks
  • Requirement 10: Log and monitor all access to system components and cardholder data.
  • Requirement 11: Test security of systems and networks regularly.
Maintain an information security policy
  • Requirement 12: Support information security with organizational policies and programs.

PCI DSS 4.0 Requirements Met by Endpoint Central

Let us see how enterprises can use ManageEngine Endpoint Central, the desktop and mobile device management solution, to comply with PCI DSS requirements. This document will help IT teams gain an understanding of ManageEngine Endpoint Central and how it can help meet PCI DSS requirements.

The following table outlines the PCI DSS control requirements that are fulfilled by Endpoint Central. The requirement description listed is taken from the PCI Security Standards Council website: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf

Note: The requirements marked with # can be fulfilled with the advanced features that are exclusive to the security edition of Endpoint Central.

Each entry below gives the requirement number, the requirement description, and how Endpoint Central fulfills the requirement.
1.2.6 (#)

Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.

Endpoint Central, with its threat assessment capabilities, identifies vulnerable points of entry in your network (open ports, vulnerable software, etc.) and applies fixes for them.


Refer to:
Device Control for port audits (#)
Software audit (#)

1.3.2 (#)

Outbound traffic from the CDE is restricted as follows:

  • To only traffic that is necessary.
  • All other traffic is specifically denied.

Endpoint Central's advanced data loss prevention techniques, with its email and cloud upload protection, restrict critical enterprise data from being shared with anything other than trusted domains, whether via email or cloud upload.


Refer to:
Email security (#)
Cloud protection (#)

1.5.1 (#)

Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks (including the Internet) and the CDE as follows:

  • Specific configuration settings are defined to prevent threats being introduced into the entity's network.
  • Security controls are actively running.
  • Security controls are not alterable by users of the computing devices unless specifically documented and authorized by management on a case-by-case basis for a limited period.

Using the device control module of Endpoint Central, a zero trust strategy can be implemented and even automated to ensure optimal protection of endpoint data and restriction of unapproved peripheral devices. Endpoint Central also lets you deploy various security policies and configurations to end-user machines, imposing restrictions that determine whether they are allowed to plug in external USB devices or connect to untrusted networks.

Refer to:
Zero trust security (#)
Securing USB devices
Security Policies

2.2.1 (#)

Configuration standards are developed, implemented, and maintained to:

  • Cover all system components.
  • Address all known security vulnerabilities.
  • Be consistent with industry-accepted system hardening standards or vendor hardening recommendations.
  • Be updated as new vulnerability issues are identified, as defined in Requirement 6.3.1.
  • Be applied when new systems are configured and verified as in place before or immediately after a system component is connected to a production environment.

Endpoint Central lets you identify vulnerable attack surfaces in the network and apply the required remediation steps on the agent machines accordingly. The patching process can be scheduled by the admin based on the severity of the vulnerability detected.

Refer to:
Automated Patch Deployment (#)
Achieve CIS Compliance (#)

2.2.2

Vendor default accounts are managed as follows:

  • If the vendor default account(s) will be used, the default password is changed per Requirement 8.3.6.
  • If the vendor default account(s) will not be used, the account is removed or disabled.

Using Endpoint Central, stringent password policies can be applied to end-user machines. Accounts that are not in use can be removed.

Refer to:
Password Policy
User Management
User account status report

2.2.4 (#)

Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled.

Policy-based blocklisting configurations, part of the application control module, aid security by restricting unnecessary processes. Secure configurations such as USB protection, permission management, security policies, and firewall configurations can be applied using Endpoint Central.

Refer to:
Application blocklisting (#)
Securing USB devices
Security Policies

2.2.6

System security parameters are configured to prevent misuse.

Security parameters such as registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, and remote connections can be modified by applying the corresponding configurations from Endpoint Central.


Refer to:
Configuring Registry Settings
5.3.3 (#)

Performs automatic scans of when the media is inserted, connected, or logically mounted

An automated scanning process is triggered whenever a peripheral device attempts to connect to an endpoint, whether plugged in or via Bluetooth, and performs the audit scan based on the policy created.


Refer to:
Device scan and audit (#)

6.3.1 (#)

Security vulnerabilities are identified and managed as follows:

  • New security vulnerabilities are identified using industry-recognized sources for security vulnerability information, including alerts from international and national computer emergency response teams (CERTs).
  • Vulnerabilities are assigned a risk ranking based on industry best practices and consideration of potential impact.
  • Risk rankings identify, at a minimum, all vulnerabilities considered to be high-risk or critical to the environment.
  • Vulnerabilities for bespoke and custom, and third-party software (for example operating systems and databases) are covered.

Endpoint Central identifies security vulnerabilities in the network and lists them in the priority order in which they should be addressed. Remediations can then be triggered from the product console accordingly.


Refer to:
Vulnerability Management (#)

6.3.3

All system components are protected from known vulnerabilities by installing applicable security patches/updates as follows:

  • Critical or high-security patches/updates (identified according to the risk ranking process at Requirement 6.3.1) are installed within one month of release.
  • All other applicable security patches/updates are installed within an appropriate time frame as determined by the entity (for example, within three months of release).

Using its vulnerability assessment and remediation capabilities, Endpoint Central ensures that all systems in the network are covered against critical threats.

The Automated Patch Deployment (APD) functionality grants sysadmins the ability to automatically update any or all missing patches with zero human intervention.

Refer to:
Patch Deployment Process

7.2.1 (#)

The least privileges required (for example, user, administrator) to perform a job function

The PoLP (Principle of Least Privilege) feature included in the application control module reduces a wide array of privileges to the bare minimum needed to perform the function. This feature is not restricted to users; systems, applications, and services benefit from it as well.


Refer to:
Privilege management (#)

8.2.3

Additional requirements for service providers only: Service providers with remote access to customer premises use unique authentication factors for each customer premises.

When Endpoint Central is used to take remote control of a system, a unique authentication key is created and used for that session, and it expires immediately afterwards.

8.2.6

Inactive user accounts are removed or disabled within 90 days of inactivity.

Endpoint Central enables IT admins to find the inactive user accounts and remove them.


Refer to:
User Management
Active Directory User Reports

8.2.8

If a user session has been idle for more than 15 minutes, the user is required to re-authenticate to re-activate the terminal or session.

Endpoint Central's power management configuration can set up end-user machines to perform various actions, such as dimming or turning off the display and prompting the user for a password when the computer resumes from sleep.


Refer to:
Power Management

8.3.1

All user access to system components for users and administrators is authenticated via at least one of the following authentication factors:

  • Something you know, such as a password or passphrase.
  • Something you have, such as a token device or smart card.
  • Something you are, such as a biometric element.

Endpoint Central can aid in creating and enforcing strong password policies to secure devices and prevent intruders from accessing the organization's endpoints.


Refer to:
Password Policy
MDM Profiles for passcodes

8.3.4 (#)

Invalid authentication attempts are limited by:

  • Locking out the user ID after not more than 10 attempts.
  • Setting the lockout duration to a minimum of 30 minutes or until the user's identity is confirmed.

The vulnerability management features of Endpoint Central let the IT admin specify the number of failed password attempts allowed before the account is locked, to prevent unauthorized access.

Refer to:
Account Lockout Duration (#)

8.3.7

Individuals are not allowed to submit a new password/passphrase that is the same as any of the last four passwords/passphrases used.

Endpoint Central's mobile device management capabilities allow a history of previous passcodes to be maintained: an IT admin can specify the number of previous passwords to remember, so that users cannot reuse them.

Refer to:
MDM Windows Passcode

8.3.9

If passwords/passphrases are used as the only authentication factor for user access (i.e., in any single-factor authentication implementation) then either:

  • Passwords/passphrases are changed at least once every 90 days,
  OR
  • The security posture of accounts is dynamically analyzed, and real-time access to resources is automatically determined accordingly.

The MDM functionalities of Endpoint Central can be used to configure password policies that let you establish password characteristics such as password length and maximum passcode age. You can also generate a custom report listing the users whose passwords will soon expire.

Refer to:
Windows Passcode

9.2.3 (#)

Appropriate physical security over access to wireless components and devices.

Via the device control module, appropriate security can be applied to devices according to their type and usage, ranging from securing USB ports to controlling wireless connections for Bluetooth devices.


Refer to:
Device Security (#)

9.4.1 (#)

Controls for physically securing media are intended to prevent unauthorized persons from gaining access to cardholder data on any media. Cardholder data is susceptible to unauthorized viewing, copying, or scanning if it is unprotected while it is on removable or portable media, printed out, or left on someone’s desk.

When data is identified and categorized as sensitive data containing PCI-relevant details, Endpoint Central's data loss prevention techniques restrict critical enterprise data from being exposed or leaked via removable storage devices, printing, or copying through the clipboard.


Refer to:
Device control (#)
Insider threats (#)

9.4.2 (#)

All media with cardholder data is classified in accordance with the sensitivity of the data.

With Endpoint Central's simple but effective data rules, identifying enterprise-critical data containing bank codes, ABA routing numbers, IBANs (International Bank Account Numbers), and credit card numbers is more effective and precise.


Refer to:
Data discovery (#)
Data classification (#)
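Requirements 9.4.1 and 9.4.2 both hinge on first recognising which data is cardholder or bank-account data before any DLP rule can act on it. The following is an added example, not Endpoint Central's own data rules or code, showing the kind of check a classification rule performs: pattern-match candidate primary account numbers (PANs), IBANs and ABA routing numbers, then confirm each candidate with its checksum (Luhn for PANs, ISO 7064 mod-97 for IBANs, the weighted 3-7-1 digit check for ABA routing numbers) so that ordinary ticket or order numbers are not flagged. The sample text, function names and output format are this example's own assumptions; the PAN and IBAN in the sample are well-known public test values, not real accounts.

```python
import re

# Constructed sample text for this example (not real account data). The PAN and
# IBAN are public test values; the ABA number is a published routing number.
SAMPLE_TEXT = """Card on file: 4111 1111 1111 1111, exp 12/26
Wire details: IBAN GB82 WEST 1234 5698 7654 32, ABA 021000021
Ticket 4111111111111112 is a reference, order 123456789 is an order id"""

# Candidate patterns: 13-19 digits with optional space/hyphen separators (PAN),
# country code + 2 check digits + 4-character groups (IBAN), 9 digits (ABA).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,4})?\b")
ABA_RE = re.compile(r"(?<!\d)\d{9}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def iban_ok(iban: str) -> bool:
    """ISO 7064 mod-97 check: move the first four characters to the end,
    map letters to 10..35, and the number must leave remainder 1."""
    iban = iban.replace(" ", "").upper()
    if not 15 <= len(iban) <= 34:
        return False
    rearranged = iban[4:] + iban[:4]
    numeric = "".join(str(int(c, 36)) for c in rearranged)
    return int(numeric) % 97 == 1


def aba_ok(routing: str) -> bool:
    """ABA routing number check: weights 3,7,1 repeating, sum divisible by 10."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(w * int(d) for w, d in zip(weights, routing)) % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters, as a DLP report would."""
    compact = re.sub(r"[ -]", "", value)
    return "*" * (len(compact) - 4) + compact[-4:]


def classify_text(text: str):
    """Return [(kind, masked_value), ...] for every checksum-verified match."""
    findings = []
    taken = []  # spans already attributed to a finding

    def overlaps(span):
        return any(s < span[1] and span[0] < e for s, e in taken)

    # IBANs first: their digit runs would otherwise also match the PAN pattern.
    scanners = (("IBAN", IBAN_RE, iban_ok),
                ("PAN", PAN_RE, luhn_ok),
                ("ABA_ROUTING", ABA_RE, aba_ok))
    for kind, pattern, check in scanners:
        for m in pattern.finditer(text):
            compact = re.sub(r"[ -]", "", m.group())
            if overlaps(m.span()) or not check(compact):
                continue            # checksum failure: treat as a plain number
            taken.append(m.span())
            findings.append((kind, mask(m.group()), m.start()))
    findings.sort(key=lambda f: f[2])
    return [(kind, masked) for kind, masked, _ in findings]


if __name__ == "__main__":
    for kind, masked in classify_text(SAMPLE_TEXT):
        print(f"{kind:12s} {masked}")
```

On the sample text the classifier reports the card number, the IBAN and the valid routing number, and ignores the Luhn-failing 16-digit ticket reference and the 9-digit order id whose routing checksum does not hold. A production rule would add per-country IBAN lengths and issuer BIN ranges, but the checksum step is what keeps false positives (and therefore needless DLP blocks) low.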

12.3.4 (#)

Hardware and software technologies in use are reviewed at least once every 12 months, including at least the following:

  • Analysis that the technologies continue to receive security fixes from vendors promptly.
  • Analysis that the technologies continue to support (and do not preclude) the entity’s PCI DSS compliance.
  • Documentation of any industry announcements or trends related to a technology, such as when a vendor has announced “end of life” plans for a technology.
  • Documentation of a plan, approved by senior management, to remediate outdated technologies, including those for which vendors have announced “end of life” plans.

Endpoint Central continuously monitors the entity's network for end-of-life (EOL) software and can also apply security fixes to software when necessary.


Refer to:
Audit End-of-Life software (#)

12.5.1 (#)

An inventory of system components that are in scope for PCI DSS, including a description of function/use, is maintained and kept current.

Endpoint Central maintains an inventory of IT assets, with details mapped to the corresponding IT components. Combined with its advanced data loss prevention techniques, Endpoint Central protects sensitive data against the ever-growing number of threat vectors.


Refer to:
Scan, manage and protect data (#)
Inventory Management

The essence of PCI DSS compliance is that organizations handling payment cards must demonstrate stringent security measures for the systems and processes that protect cardholder information. The consequences of not following PCI DSS requirements are several: if a data breach were to affect any customer's payment card data, the brand and reputation of the business might suffer and the business might have to pay heavy penalties.

Endpoint Central helps businesses stay compliant with PCI DSS. It facilitates monitoring and managing systems & mobile devices and provides granular level reports.