The following document elaborates on how Endpoint Central can help enterprises achieve certain requirements of PCI DSS compliance. To know the detailed list of all Zoho/ManageEngine products that are compliant with PCI DSS and other regulatory standards, refer to Compliance at Zoho.
The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance payment card account data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. While specifically designed to focus on environments with payment card account data, PCIDSS can also be used to protect against threats and secure other elements in the payment ecosystem.
Under the PCI DSS, there are 12 different requirements concerning the security of cardholder data. All businesses that accept, store, process, or transmit card information online or offline must adhere to the requirements. Please refer to the following summary.
PCI DSS Overview
Requirement | Requirement Description |
---|---|
Build and maintain secure network and systems |
|
Protect account data |
|
Maintain a vulnerability management program |
|
Implement strong access control measures |
|
Regularly monitor and test networks |
|
Maintain an information security policy |
|
PCI DSS 4.0 Requirements Met by Endpoint Central
Let us see how enterprises can use ManageEngine Endpoint Central, the desktop and mobile device management solution, to comply with PCI DSS requirements. This document will help IT team gain an understanding of ManageEngine's Endpoint Central and how it can help to meet PCI DSS requirements.
The following table outlines the PCI DSS control requirements that are fulfilled by Endpoint Central. The requirement description listed is taken from the PCI Security Standards Council website: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
Note: The requirements marked with # can be fulfilled with the advanced features that are exclusive to the security edition of Endpoint Central.
Requirement | Requirement Description | How Endpoint Central fulfills the requirement? |
---|---|---|
1.2.6 (#) |
Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated. |
Endpoint Central, with its threat assessment capabilities, identifies vulnerable points of entry (ports, vulnerable software etc.) in your network and applies fixes for the same.
|
1.3.2 (#) |
Outbound traffic from the CDE is restricted as follows:
|
Endpoint Central's advanced data loss prevention techniques, with its effective email and cloud upload protection solution, restricts critical enterprise data to be shared only to trusted domains, be it via email or cloud upload.
|
1.5.1 (#) | Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks (including the Internet) and the CDE as follows:
|
Using the device control module of Endpoint Central, zero trust strategy can be implemented and even automated to ensure the optimal protection and restriction of all endpoint data from unapproved peripheral devices. Endpoint Central also allows you to deploy various security policies and configurations to end-user machines, to impose restrictions that determine if they are allowed to plug in external USB devices or connect to untrusted networks. |
2.2.1 (#) |
Configuration standards are developed, implemented, and maintained to:
|
Endpoint Central lets you identify vulnerable attack surfaces in the network and can accordingly apply the required remediation steps in the agent machines. The patching process can be scheduled by the admin based on the severity of the vulnerability detected. Refer to: Automated Patch Deployment (#) Achieve CIS Compliance (#) |
2.2.2 |
Vendor default accounts are managed as follows:
|
Using Endpoint Central, stringent password policies can be applied to end user machines. Accounts that are not in use can be removed.
Refer to: Password PolicyUser Management User account status report |
2.2.4 (#) | Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled. |
Policy-based blocklisting configurations, part of the application control module aids security by restricting unnecessary processes. Secure configurations such as USB protection, Permission management, Security policies, firewall configurations can be applied using Endpoint Central. |
2.2.6 |
System security parameters are configured to prevent misuse. |
Security parameters such as registry settings, account, file, directory permission settings and settings for functions, ports, protocols, and remote connections can be modified by applying the corresponding configurations from Endpoint Central.
|
5.3.3 (#) |
Performs automatic scans of when the media is inserted, connected, or logically mounted |
An automated scanning process is triggered whenever any peripheral device tries to connect with an endpoint, be it via plugging or via bluetooth, and performs the audit scan based on the policy created.
|
6.3.1 (#) | Security vulnerabilities are identified and managed as follows:
|
Endpoint Central identifies security vulnerabilities in the network, listing down the vulnerabilities according to the priority in which they should be addressed. Remediations can then be triggered from the product console accordingly.
|
6.3.3 |
All system components are protected from known vulnerabilities by installing applicable security patches/updates as follows:
|
Using its vulnerability assessment and remediation capabilities, Endpoint Central assures all systems in the network are fully covered against critical threats. The Automated Patch Deployment (APD) functionality grants sysadmins the ability to automatically update any or all missing patches with zero human intervention. Refer to: |
7.2.1 (#) |
The least privileges required (for example, user, administrator) to perform a job function |
The PoLP (Principle of Least Privileges) feature included in the application control module supports the concept of lowering wide array of privileges to bare minimum just about enough to perform the function. This feature is not restricted to users, as systems, applications and services are benefited from the same.
|
8.2.3 |
Additional requirements for service providers only: Service providers with remote access to customer premises use unique authentication factors for each customer premises. |
When Endpoint Central is used to take remote control of a system, a unique authentication key will be created and used and it'll expire immediately after. |
8.2.6 |
Inactive user accounts are removed or disabled within 90 days of inactivity. |
Endpoint Central enables IT admins to find the inactive user accounts and remove them.
|
8.2.8 | If a user session has been idle for more than 15 minutes, the user is required to re-authenticate to re-activate the terminal or session. |
Endpoint Central with its power management configuration can configure the end user machines to perform various activities like dim or turn off the display, prompt the user to enter password when the computer resumes from sleep etc. Refer to: Power Management |
8.3.1 |
All user access to system components for users and administrators is authenticated via at least one of the following authentication factors:
|
Endpoint Central can aid creating and configuring strong passwords to secure devices and prevent intruders from accessing the organization's endpoints. Refer to: Password Policy MDM Profiles for passcodes |
8.3.4 (#) |
Invalid authentication attempts are limited by:
|
The vulnerability management features of Endpoint Central lets the IT admin specify the allowed number of password entries, before restricting the account, to prevent unauthorized access. |
8.3.7 | Individuals are not allowed to submit a new password/passphrase that is the same as any of the last four passwords/passphrases used. |
Endpoint Central's mobile device management capabilities allows several passcodes to be maintained in the history, which means an IT admin can specify the number of previous passwords to be maintained, so that users do not reuse them. Refer to: |
8.3.9 |
If passwords/passphrases are used as the only authentication factor for user access (i.e., in any single-factor authentication implementation) then either: |
The MDM functionalities of Endpoint Central can be used to configure password policies that lets you establish certain password characteristics like password length, maximum passcode age etc. You can also generate a custom report with the details of the users who's passwords will soon expire. Refer to: |
9.2.3 (#) |
Appropriate physical security over access to wireless components and devices. |
Via the device control module, apt security can be granted to devices, relevant to their type and usage. This ranges from securing USB ports, to wireless connection for bluetooth devices.
|
9.4.1 (#) |
Controls for physically securing media are intended to prevent unauthorized persons from gaining access to cardholder data on any media. Cardholder data is susceptible to unauthorized viewing, copying, or scanning if it is unprotected while it is on removable or portable media, printed out, or left on someone’s desk. |
When data is identified and categorized as sensitive data containing PCI relevant details, Endpoint Central with its data loss prevention techniques restricts the critical enterprise data being exposed or leaked by removable storage devices or being printed or even copied using clipboard approach.
|
9.4.2 (#) |
All media with cardholder data is classified in accordance with the sensitivity of the data. |
With Endpoint Central's simplified but effective data rules, identifying enterprise critical data containing bank codes, ABA routing numbers, IBAN (International Bank Account Numbers), and credit card numbers is now more effective and precise.
|
12.3.4 (#) |
Hardware and software technologies in use are reviewed at least once every 12 months, including at least the following:
|
Endpoint Central constantly monitors the entity's network for EOL of a software and can also apply security fixes for software when necessary.
|
12.5.1 (#) |
An inventory of system components that are in scope for PCI DSS, including a description of function/use, is maintained and kept current. |
Endpoint Central maintains an inventory of IT assets with details mapped to the corresponding IT components. Combined with its advanced data loss prevention techniques, Endpoint Central protects sensitive data against the ever growing number of threat vectors. Refer to: Scan, manage and protect data (#) Inventory Management |
The essence of PCI DSS compliance is that vendors must demonstrate stringent security measures for systems and processes to protect cardholder information. The disadvantages of not following PCI DSS requirements are several; the brand and reputation of a business might suffer and the business might have to pay heavy penalties, if a data breach were to affect any customer's payment card data.
Endpoint Central helps businesses stay compliant with PCI DSS. It facilitates monitoring and managing systems & mobile devices and provides granular level reports.