• Install and maintain network security controls.
• Apply secure configurations to all system components.

• Protect stored account data.
• Protect cardholder data with strong cryptography during transmission over open, public networks.

• Protect all systems and networks from malicious software.
• Develop and maintain secure systems and software.

• Restrict access to system components and cardholder data by business need to know.
• Identify users and authenticate access to system components.
• Restrict physical access to cardholder data.

• Log and monitor all access to system components and cardholder Data.
• Test security of systems and networks regularly.

• Support information security with organizational policies and programs

Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.

Endpoint Central, with its threat assessment capabilities, identifies vulnerable points of entry (ports, vulnerable software etc.) in your network and applies fixes for the same.

Refer to:
Device Control for port audits (#)
Software audit (#)

Outbound traffic from the CDE is restricted as follows:

• To only traffic that is necessary.
• All other traffic is specifically denied.

Endpoint Central's advanced data loss prevention techniques, with its effective email and cloud upload protection solution, restricts critical enterprise data to be shared only to trusted domains, be it via email or cloud upload.

Refer to:
Email security (#)
Cloud protection (#)

• Specific configuration settings are defined to prevent threats being introduced into the entity's network.
• Security controls are actively running.
• Security controls are not alterable by users of the computing devices unless specifically documented and authorized by management on a case-by-case basis for a limited period.

Using the device control module of Endpoint Central, zero trust strategy can be implemented and even automated to ensure the optimal protection and restriction of all endpoint data from unapproved peripheral devices. Endpoint Central also allows you to deploy various security policies and configurations to end-user machines, to impose restrictions that determine if they are allowed to plug in external USB devices or connect to untrusted networks.

Refer to:
Zero trust security (#)
Securing USB devices
Security Policies

Configuration standards are developed, implemented, and maintained to:

• Cover all system components.
• Address all known security vulnerabilities.
• Be consistent with industry-accepted system hardening standards or vendor hardening recommendations.
• Be updated as new vulnerability issues are identified, as defined in Requirement 6.3.1.
• Be applied when new systems are configured and verified as in place before or immediately after a system component is connected to a production environment.

Vendor default accounts are managed as follows:

• If the vendor default account(s) will be used, the default password is changed per the requirements 8.3.6
• If the vendor default account(s) will not be used, the account is removed or disabled.

Refer to:

Policy-based blocklisting configurations, part of the application control module aids security by restricting unnecessary processes. Secure configurations such as USB protection, Permission management, Security policies, firewall configurations can be applied using Endpoint Central.

Refer to:
Application blocklisting (#)
Securing USB devices
Security Policies

System security parameters are configured to prevent misuse.

Security parameters such as registry settings, account, file, directory permission settings and settings for functions, ports, protocols, and remote connections can be modified by applying the corresponding configurations from Endpoint Central.

Refer to:
Configuring Registry Settings

Performs automatic scans of when the media is inserted, connected, or logically mounted

An automated scanning process is triggered whenever any peripheral device tries to connect with an endpoint, be it via plugging or via bluetooth, and performs the audit scan based on the policy created.

Refer to:
Device scan and audit (#)

• New security vulnerabilities are identified using industry-recognized sources for security vulnerability information, including alerts from international and national computer emergency response teams (CERTs).
• Vulnerabilities are assigned a risk ranking based on industry best practices and consideration of potential impact.
• Risk rankings identify, at a minimum, all vulnerabilities considered to be a high-risk or critical to the environment.
• Vulnerabilities for bespoke and custom, and third-party software (for example operating systems and databases) are covered.

Endpoint Central identifies security vulnerabilities in the network, listing down the vulnerabilities according to the priority in which they should be addressed. Remediations can then be triggered from the product console accordingly.

Refer to:
Vulnerability Management (#)

All system components are protected from known vulnerabilities by installing applicable security patches/updates as follows:

• Critical or high-security patches/updates (identified according to the risk ranking process at Requirement 6.3.1) are installed within one month of release.
• All other applicable security patches/updates are installed within an appropriate time frame as determined by the entity (for example, within three months of release).

Using its vulnerability assessment and remediation capabilities, Endpoint Central assures all systems in the network are fully covered against critical threats.

The Automated Patch Deployment (APD) functionality grants sysadmins the ability to automatically update any or all missing patches with zero human intervention.

Refer to:
Patch Deployment Process

The least privileges required (for example, user, administrator) to perform a job function

The PoLP (Principle of Least Privileges) feature included in the application control module supports the concept of lowering wide array of privileges to bare minimum just about enough to perform the function. This feature is not restricted to users, as systems, applications and services are benefited from the same.

Refer to:
Privilege management (#)

Additional requirements for service providers only: Service providers with remote access to customer premises use unique authentication factors for each customer premises.

When Endpoint Central is used to take remote control of a system, a unique authentication key will be created and used and it'll expire immediately after.
 

Inactive user accounts are removed or disabled within 90 days of inactivity.

Endpoint Central enables IT admins to find the inactive user accounts and remove them.

Refer to:
User Management
Active Directory User Reports

Endpoint Central with its power management configuration can configure the end user machines to perform various activities like dim or turn off the display, prompt the user to enter password when the computer resumes from sleep etc.

All user access to system components for users and administrators is authenticated via at least one of the following authentication factors:

• Something you know, such as a password or passphrase.
• Something you have, such as a token device or smart card.
• Something you are, such as a biometric element.

Endpoint Central can aid creating and configuring strong passwords to secure devices and prevent intruders from accessing the organization's endpoints.

Invalid authentication attempts are limited by:

• Locking out the user ID after not more than 10 attempts.
• Setting the lockout duration to a minimum of 30 minutes or until the user's identity is confirmed.

The vulnerability management features of Endpoint Central lets the IT admin specify the allowed number of password entries, before restricting the account, to prevent unauthorized access.

Refer to:
Account Lockout Duration (#)

Endpoint Central's mobile device management capabilities allows several passcodes to be maintained in the history, which means an IT admin can specify the number of previous passwords to be maintained, so that users do not reuse them.

Refer to:
MDM Windows Passcode

If passwords/passphrases are used as the only authentication factor for user access (i.e., in any single-factor authentication implementation) then either:
• Passwords/passphrases are changed at least once every 90 days,
OR
• The security posture of accounts is dynamically analyzed, and real time access to resources is automatically determined accordingly.

The MDM functionalities of Endpoint Central can be used to configure password policies that lets you establish certain password characteristics like password length, maximum passcode age etc. You can also generate a custom report with the details of the users who's passwords will soon expire.

Refer to:
Windows Passcode

Appropriate physical security over access to wireless components and devices.

Via the device control module, apt security can be granted to devices, relevant to their type and usage. This ranges from securing USB ports, to wireless connection for bluetooth devices.

Refer to:
Device Security (#)

Controls for physically securing media are intended to prevent unauthorized persons from gaining access to cardholder data on any media. Cardholder data is susceptible to unauthorized viewing, copying, or scanning if it is unprotected while it is on removable or portable media, printed out, or left on someone’s desk.

When data is identified and categorized as sensitive data containing PCI relevant details, Endpoint Central with its data loss prevention techniques restricts the critical enterprise data being exposed or leaked by removable storage devices or being printed or even copied using clipboard approach.

Refer to:
Device control (#)
Insider threats (#)

All media with cardholder data is classified in accordance with the sensitivity of the data.

With Endpoint Central's simplified but effective data rules, identifying enterprise critical data containing bank codes, ABA routing numbers, IBAN (International Bank Account Numbers), and credit card numbers is now more effective and precise.

Refer to:
Data discovery (#)
Data classification (#)

Hardware and software technologies in use are reviewed at least once every 12 months, including at least the following:

• Analysis that the technologies continue to receive security fixes from vendors promptly.
• Analysis that the technologies continue to support (and do not preclude) the entity’s PCI DSS compliance.
• Documentation of any industry announcements or trends related to a technology, such as when a vendor has announced “end of life” plans for a technology.
• Documentation of a plan, approved by senior management, to remediate outdated technologies, including those for which vendors have announced “end of life” plans.

Endpoint Central constantly monitors the entity's network for EOL of a software and can also apply security fixes for software when necessary.

Refer to:
Audit End-of-Life software (#)

An inventory of system components that are in scope for PCI DSS, including a description of function/use, is maintained and kept current.

Endpoint Central maintains an inventory of IT assets with details mapped to the corresponding IT components. Combined with its advanced data loss prevention techniques, Endpoint Central protects sensitive data against the ever growing number of threat vectors.