Manualshelf

PCI-DSS Compliance for an HP-UX Host

ManualsBrandsHP ManualsSoftwareHP-UX Security Products and Features Software
12345678910
7
2.3 Encrypt all non-console administrative access using strong
cryptography. Use technologies such as SSH, VPN, or SSL or TLS for web-
based management and other non-console administrative access
It is generally safe to carry out administrative functions through a console
1
because one must have physical access
to the device. It is not practical though, to limit administrative access to the physical port. In general administrators
are allowed to access the console over the network. In such cases the PCI-DSS version 2 mandates that secure
sessions be used.
Secure Shell (SSH) is a secure protocol for remote logins and is widely adopted through the industry. SSH provides
secure remote shell services and is available with the Base OE on HP-UX. It can be used by users or administrators
connecting to machines over the network.
Any administrative access via web interfaces (for example, SMH) must use the SSL or TLS protocol. OpenSSL, the
industry standard implementation of these protocols is available with HP-UX.
For more Information about HP-UX Secure Shell Support Manuals, see Appendix A.
Requirement 3: Protect stored cardholder data
Sub Req# Requirement Products
3.1
Data Retention and Disposal policies HP-UX EVFS
3.2 Do not store Sensitive Authentication Data Not in Scope
3.3 Mask Primary Account Number (PAN) when displayed Not in Scope
3.4
Render PAN unreadable wherever it is stored HP-UX EVFS
3.5
Protect Keys against disclosure and misuse Not Available
3.6 Document and implement key-management processes Not in Scope
3.1 Keep cardholder data storage to a minimum by implementing data
retention and disposal policies, procedures, and processes
This requirement deals with data retention and disposal policies. It mandates limiting of data storage amounts to
what is strictly necessary, ensuring that data is securely deleted when it is no longer needed, specific retention
requirements for cardholder data and putting in place a quarterly process, either manual or automatic, to identify
cardholder data that exceeds retention requirements. Most of the data retention requirements fall in the scope of
the particular application that process cardholder data and must be taken care of by the concerned application. The
requirement for “secure deletion” though can be addressed effectively on a HP-UX host by EVFS.
EVFS supports data encryption at the volume level and at the file level. The data stored in an EVFS protected volume
or file is safe from data recovery products as it is encrypted. Even if data is recovered from a disk protected with
EVFS, without a decryption key, the data are meaningless.
3.4 Render PAN unreadable anywhere it is stored (including on portable
digital media, backup media, and in logs) by using any of the following
approaches
One-way hashes based on strong cryptography (hash must be of the entire PAN)
Truncation (hashing cannot be used to replace the truncated segment of PAN)
Index tokens and pads (pads must be securely stored)
Strong cryptography with associated key-management processes and procedures
The PAN is a very sensitive piece of information and must be safeguarded while in storage. As a rule, the complete
PAN is never stored and never so in clear text.
1
“console” refers to the terminal attached to the built-in serial port located on the device.