Zerto and Payment Card Industry Data Security Standard (PCI DSS)

Review the following:

Executive Summary

PCI DSS Basics and Zerto

Then continue with Deployment Considerations for PCI DSS Compliance.

Executive Summary

Organizations looking to virtualize their mission-critical applications have a number of considerations to take into account:

How virtualization of these mission-critical applications will impact their security and compliance with the Payment Card Industry Data Security Standard (PCI DSS).
How to ensure that their business continuity (BC) and disaster recovery (DR) plans are implemented within the virtual environment.

Zerto provides a BC/DR solution in a virtual environment, enabling the replication of mission-critical applications and data as quickly as possible and with minimal data loss. This document describes the considerations required when deploying Zerto for PCI DSS compliance.

This document assumes that readers are familiar with the basics of virtualization and Zerto. Specifically, this paper focuses on solutions and configuration settings that address PCI DSS requirements and covers Zerto components such as the Zerto Virtual Manager and the Virtual Replication Appliances.

PCI DSS Basics and Zerto

The PCI Security Standards Council offers robust and comprehensive standards and supporting materials to enhance payment card data security. The keystone is the PCI Data Security Standard (PCI DSS), which provides guidelines for developing a robust payment card data security process, including prevention, detection, and appropriate reaction to security incidents.

The Payment Card Industry Data Security Standard (PCI DSS) is intended to optimize the security of credit, debit, and cash card transactions and protect cardholders against misuse of their personal information. The PCI DSS requirements, as they apply to a Zerto deployment, can be summarized as follows:

Network Security: Transactions must be conducted in a secure network. This requirement covers not only the application network but also the replication network. Replication must take place over secure networks between well-authenticated sites.

Password Security and Policy: Authentication credentials such as usernames and passwords must not be the defaults supplied by Zerto and should be changed frequently. All cardholder data, whether production or DR data, must be protected and encrypted at rest and when replicating over the wire. Zerto does not encrypt data, so adequate network transport layer encryption must be deployed. Networks must be constantly monitored and regularly tested to ensure that all security measures and processes are in place, are functioning properly, and are kept up-to-date.

End-point and Server Security: Systems should use frequently updated anti-virus software, anti-spyware programs, and other anti-malware solutions. All applications should safeguard against the possibility that cardholder data could be stolen or altered. Patches offered by software and operating system vendors should be regularly installed to ensure the highest possible level of vulnerability management.

Access Controls: Access to information and operations should be restricted and controlled whether in production or in DR. While performing DR tests, the same control measures must also be implemented. Every person who uses a computer in the system must be assigned a unique and confidential identification name or number. Cardholder data should be protected physically as well as electronically.

Security Policy: A formal data security policy must be defined, maintained, and followed at all times and by all participating entities.