
PCI DSS Compliant?

Created: 16 Apr 2012 | 4 comments

I was told by my local vendor that Symantec DLP is a PCI compliant application. Can anyone send me some more details in this regard, such as:

  • If the database is encrypted, how are the keys maintained?
  • How is the credit card number stored in the database? Is it stored as the full PAN or truncated?

When we do a discovery, chances are the DLP will find a lot of credit card numbers from various sources, so our concern is how these card numbers will be dealt with in the system. If someone from Symantec can answer the simple queries mentioned below:

  • Does the system receive full card numbers (Y/N)?
  • Does the system send full card numbers (Y/N)?
  • Does the system store full card numbers (Y/N)?
  • Does the system display full card numbers (Y/N)?
  • Does the system process full card numbers (Y/N)?

All of the above is very important, as it will help us decide whether or not to deploy our standard PCI DSS controls on the DLP Oracle database.


Comments

ShawnM

Subhani,

Yes, we are PCI compliant in the regard that sensitive content is in fact encrypted inside the Oracle DB that is used. We don't create secondary copies of sensitive data. There are differences in handling data found by Data in Motion (Network) vs. Data at Rest (Discover), though.

With regard to Network incidents, we see the traffic copy (SPAN or Proxy Integration) and we grab a copy of the data on the Network Monitor or Prevent server. From here, we have the capability to use only encrypted communications between the Monitor/Prevent server and the Enforce server which places the data into the DB. On top of this, the attachment (or sensitive file captured) is encrypted in the DB.

With regard to the Discover scans, we follow the same as above for how the connections are handled, but we don't actually take a copy of the sensitive file over. We actually use a link to the original file. This prevents the creation of more sensitive content on your network, reduces storage of incidents, and enables only those with proper permissions to see the files.

An additional safeguard we have for this type of use case is role-based access controls. The level of control over who can see what information within an incident allows you to set users to not even see the sensitive content in the incident (aka the PCI card data). This ensures only the proper users see that information, if at all.

In regard to your questions:

  • Does the system receive full card numbers (Y/N)? - Yes, we see full card numbers and place them into the incident in the DB in an encrypted format.
  • Does the system send full card numbers (Y/N)? - No, we don't send anything out, unless a report is generated from an incident where the sensitive information is seen, which is an admin-controlled option.
  • Does the system store full card numbers (Y/N)? - Yes, in an encrypted format.
  • Does the system display full card numbers (Y/N)? - Yes/no: this is controlled by the admin of users/groups as to what information can be seen.
  • Does the system process full card numbers (Y/N)? - Not sure what you mean by process. We don't actually process any information, really, with regard to the sensitive content inside an incident.

Symantec Corporation | Sr Systems Engineer | CISSP, CCSK, VCP

If a post solves your problem, please flag it as solved.

If you like an item, please give it a thumbs up vote.
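The original question asks whether card numbers end up stored as the full PAN or truncated, and the answer above says full PANs are kept (encrypted) while display is gated by roles. Before scoping the Oracle database for the audit, a practitioner would normally run a check over exported incident values to see what is actually present. The example below is added here and is not code from the thread, from Symantec, or from the DLP product: it Luhn-validates candidate digit strings and classifies each value as a cleartext full PAN, a PCI-acceptable truncation (no more than the first six and last four digits visible), an over-exposed masking, or not a PAN. The row ids, the `SAMPLE_ROWS` values and the `audit` function are all constructed for illustration; the card numbers are public test numbers.

```python
import re

# Constructed sample values, standing in for what an auditor might export from an
# incident or evidence table. All card numbers here are public test numbers.
SAMPLE_ROWS = [
    ("inc-1001", "4111111111111111"),        # full PAN, Luhn-valid
    ("inc-1002", "5500 0000 0000 0004"),     # full PAN with separators
    ("inc-1003", "411111******1111"),        # first six / last four: acceptable
    ("inc-1004", "************1111"),        # last four only: acceptable
    ("inc-1005", "41111111****1111"),        # eight leading digits: too much exposed
    ("inc-1006", "1234567890123456"),        # 16 digits but fails Luhn: not a PAN
    ("inc-1007", "ticket 4111 closed"),      # no PAN at all
]

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Masked value: optional leading digits, a run of mask characters, optional trailing digits.
MASKED_RE = re.compile(r"(\d*)[*xX#]+(\d*)")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn (mod 10) check digit validation over a digit-only string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate to the PCI DSS display limit: at most first six and last four digits."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def classify(value: str) -> str:
    """Return one of: full_pan, truncated, over_exposed, none."""
    for m in PAN_RE.finditer(value):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            return "full_pan"               # cleartext PAN: full PCI DSS controls apply
    m = MASKED_RE.fullmatch(re.sub(r"[ -]", "", value))
    if m:
        lead, tail = m.group(1), m.group(2)
        if len(lead) <= 6 and len(tail) <= 4:
            return "truncated"              # within the first-six / last-four limit
        return "over_exposed"               # masked, but more digits visible than allowed
    return "none"


def audit(rows):
    """Classify every row; return the mapping plus the ids that need PCI controls."""
    result = {row_id: classify(value) for row_id, value in rows}
    findings = sorted(r for r, c in result.items() if c in ("full_pan", "over_exposed"))
    return result, findings


if __name__ == "__main__":
    result, findings = audit(SAMPLE_ROWS)
    for row_id, cls in result.items():
        print(f"{row_id}: {cls}")
    print("rows needing PCI DSS controls:", findings)
```

Two caveats a reviewer would raise: a value that passes Luhn is only a candidate PAN (the check catches typos, not intent, and some non-card 16-digit numbers pass it), and a column that is encrypted at rest still counts as storing the full PAN for scoping purposes, so this check is meant to be run on decrypted exports or on what the console actually renders to a given role.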

Subhani

Thanks a lot, Shawn, for the update. Is it possible for you to dig out some official document with the encryption details? We need this for our upcoming PCI audit, since our DLP database will be under PCI scope, so we need to answer questions such as:

  • If the database is encrypted, how are the keys maintained?
  • What is the algorithm used?
  • What is the key strength?
  • How is the credit card number stored in the database? Is it stored as the full PAN or truncated?

jjesse

Subhani,

Have you tried reaching out to the partner or Symantec salesperson to get this information?

I believe this link: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2011.htm#1615 references the certification of the crypto portion of DLP and can also help answer some of the items you might have around encryption?

Jonathan Jesse, Practice Principal, ITS Partners

ShawnM

Subhani, jjesse is correct. This kind of information should be provided by your Symantec Account Manager or Partner.

Symantec Corporation | Sr Systems Engineer | CISSP, CCSK, VCP
