Gigamon AMI and PCI 4.0 DSS Compliance

Businesses that accept or process credit card information must comply with the Payment Card Industry Data Security Standard (PCI DSS, or PCI for short). PCI is a set of global standards that establishes a technical and operational baseline for protecting account data used in credit card and payment transactions. PCI calls for very explicit actions that are easier to solve for with Gigamon Application Metadata Intelligence (AMI).

What Is PCI, and How Does Gigamon Help?

PCI, in its simplest form, states that systems that process credit card transactions must be segmented away from systems that don't. This includes physical and electronic separation.

Many systems today rely on MELT (metrics, events logs, traces) and information from EDR (endpoint detection and response), which form two pillars of PCI. Gigamon can offer a third pillar - network metadata.

All of these systems are critical, but network metadata makes solving some aspects of PCI easier, which can in turn lead to better strategic outcomes.

How Gigamon Can Assist PCI Compliance

Gigamon AMI has broad applications for PCI requirements R1 through R12. For example, AMI can help:

• Enable sizing and continuous visibility into PCI scope
• Reduce planning and deployment times through better understanding of system interaction
• Verify continuous operation of controls, especially in challenging and dynamic environments

In addition, PCI has periodic audits of security controls with continuous visibility compliance reports, and Gigamon can make these checks easier to produce.

Here are some tactical examples of benefits Gigamon AMI provides and the corresponding PCI requirements addressed:

• Detect old or outdated ciphers and monitor all certificates in use that are applicable to PCI controls
  • 4.2.1 - Strong cryptography and security protocols4.2.1.1 - An inventory of the entity's trusted keys and certificates4.2.2 - PAN is secured with strong cryptography whenever it is sent via end-user messaging technologies8.3.2.c - Examine data transmissions to verify that authentication factors are unreadable during transmission
  • 12.3.3 - Cryptographic cipher suites and protocols in use are documented and reviewed

• Gain visibility into vulnerable protocols and specific ports
  • 1.2.6 - Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated
  • 6.2.4 - Detect vulnerable protocols in bespoke and custom software

A comprehensive list of PCI controls can be found here.

Other Considerations That Are Not PCI Mandated

While not directly called out in PCI standards, other considerations that organizations must contend with can have effects on PCI. These include:

Performance

Organizations that accept and process credit card transactions often have an SLO or SLA by which those transactions must be processed. Failure to meet that SLO/SLA could cause them to lose the business or incur a penalty or fine. As a network packet broker, Gigamon is well suited to see the same conversations in various parts of the network. This external observation can detect the source of network slowdowns.

Shadow IT

Although PCI DSS does not directly call out shadow IT, a security architect could consider any unwanted software malicious. Shadow IT apps could expand the vulnerability surface of organizations' networks by introducing unknown and unmeasured risks.

Conclusion

Gigamon AMI can add a third pillar of visibility that complements the two more common pillars of MELT and EDR data. This can assist with many aspects of PCI deployment and verification by better providing information about which systems are communicating, confirming whether they are communicating securely, and aiding in compliance reports with continuous visibility.