PCI-DSS Compliance for an HP-UX Host

Disclaimer
This whitepaper must be used as a guide in planning compliance-related tasks and not as a checklist to verify
compliance. The suggestions given may not be suitable for all environments, and readers should use their own
discretion when implementing them.
Intended Audience
This whitepaper is for personnel who have an underlying knowledge of the Payment Card Industry Data Security
Standard (PCI-DSS) and an awareness of HP-UX security and HP Enterprise products. It discusses solutions as
applied to PCI-DSS. It is written from the PCI compliance perspective of the HP-UX operating system and maps the
PCI-DSS requirements to the HP-UX security solutions and the HP Enterprise products portfolio. In addition, the
whitepaper provides guidance on which HP products or solutions to consider and how they simplify compliance
efforts with PCI-DSS.
PCI-DSS Compliance for an HP-UX Host
PCI-DSS is a collaborative effort by various international credit card companies to achieve a common set of security
standards for use by entities that store, process or transmit payment card data. PCI-DSS defines a set of 12
requirements with a view to protecting cardholder data from theft and misuse.
HP-UX is widely deployed by financial institutions that deal with cardholder data. There is no off-the-shelf, one-step
solution that ensures compliance with this standard; a mix of tools and processes is generally deployed for the
purpose. The goal of this whitepaper is to examine which of the requirements laid down by PCI-DSS version 2.0 can
be met at the host level using products supplied by HP, and to suggest ways in which those products can be used.
Scope of the document
The scope of this whitepaper is mainly to recommend products or solutions at the host level. HP Enterprise products
are mentioned wherever applicable. Detailed information about these products can be obtained from the individual
product web pages, references to which are provided.
Table 1.1 Maps the products on HP-UX to the PCI-DSS requirements

Req#  Requirement                                                                    Products
1     Install and maintain a firewall configuration to protect cardholder data.     HP-UX IPFilter
2     Do not use vendor-supplied defaults for system passwords and other            HP-UX Bastille, HP-UX Secure Shell
      security parameters.
3     Protect stored cardholder data.                                               HP-UX EVFS
4     Encrypt transmission of cardholder data across open, public networks.         OpenSSL, HP-UX IPSec, HP-UX HIDS
5     Use and regularly update anti-virus software or programs.                     Not available
6     Develop and maintain secure systems and applications.                         HP-UX Software Assistant
7     Restrict access to cardholder data by business need to know.                  HP-UX RBAC
8     Assign a unique ID to each person with computer access.                       HP-UX AAA Server, HP-UX Directory Server,
                                                                                    OpenSSL, HP-UX IPSec
9     Restrict physical access to cardholder data.                                  Not in the purview of this document
10    Track and monitor all access to network resources and cardholder data.        HP-UX RBAC, HP-UX Audit, NTP
11    Regularly test security systems and processes.                                HP-UX HIDS, HP-UX IPFilter
12    Maintain a policy that addresses information security for all personnel.     Not in the purview of this document