Tenable Provides Continuous Monitoring for Adherence to PCI Security Controls
All businesses that are involved in the transmission, processing, or storage of payment card data, including third party service providers that may impact the security of the data, are required by the major credit card companies to adhere to the requirements set forth in the PCI DSS and demonstrate ongoing compliance on an annual basis.
Tenable offers a variety of solutions that help your company meet certain PCI DSS requirements, monitor your cardholder data environment to maintain a secure and compliant state, assure that critical security processes are followed, and provide evidence of compliance for annual validation assessments. Tenable's continuous monitoring capabilities enable entities to track the "Business as Usual" activities stipulated in the latest version of the PCI DSS.
SecurityCenter CV: Maintain Ongoing Compliance
Tenable SecurityCenter Continuous View™ (SecurityCenter CV™) is the only comprehensive vulnerability, threat and compliance management platform that alleviates the arduous and time-consuming process of performing forensic analysis and threat or incident response. SecurityCenter CV secures your IT environment of physical and virtual systems as well as across mobile devices, virtual machines, and cloud services. Tenable's SecurityCenter CV incorporates unlimited Nessus® and Passive Vulnerability Scanner™ (PVS™), and the Log Correlation Engine™ (LCE™) in a SecurityCenter CV platform. Security Center CV offers large merchants continuous monitoring and centralized intelligence for maintaining an ongoing posture of compliance with the PCI standards.
Meet: Use SecurityCenter CV to continuously detect the presence of malware that infiltrated your network and is running malicious programs in your environment. SecurityCenter CV provides secure log normalization, aggregation, and storage, and facilitates a daily review of logs.
Drive: Use SecurityCenter CV to continuously monitor and discover new devices on the network that may impact the security of your cardholder data environment.
Guard: Use SecurityCenter CV to identify PCI-relevant assets and focus vulnerability scans on those assets, reducing time and resources required for periodic scanning. SC CV also enables you to create a single view of risk exposure that includes Internet-facing web application vulnerabilities.
Prove: The SecurityCenter CV platform offers merchants or service providers continuous monitoring and centralized intelligence for maintaining and demonstrating an ongoing posture over time of adherence to the PCI DSS standards.
PVS: Enforce your Cardholder Data Environment
Passive Vulnerability Scanner™ (PVS™) provides continuous scanning of network security supported by pre-configured scanning scripts (“plug-ins”) and the ability to customize plug-ins for an organization's unique scanning requirements. Continuous scanning provides real-time analysis of the state of an organization's security. PVS is available as an individual product subscription or as an integrated component of SecurityCenter CV.
Drive: Use PVS to detect internal data flows where cardholder data is involved. Of particular concern are undocumented processes not included in the scoping of the cardholder data environment for adhering to PCI DSS requirements.
Guard: PVS detects unprotected transmissions of Primary Account Numbers (PANs) outbound from the network or cardholder data environment.
Nessus Enterprise Cloud: Meet ASV Scan Requirements
Tenable's Nessus Enterprise Cloud provides quarterly external network scans to fulfill PCI external scanning requirements for all merchants and service providers. Nessus Enterprise Cloud is a PCI-Certified Approved Scanning Vendor (ASV) solution.
Meet: Use Nessus Enterprise Cloud to perform official PCI ASV scans and submit them for quarterly validation and attestation. Nessus Enterprise Cloud may also be used to protect public-facing web applications by providing automated application vulnerability security assessments on a periodic basis or after any changes are made to the web application.
Prove: Tenable’s PCI-certified professionals will review up to 2 PCI ASV scans per calendar quarter and upon approval will provide detailed and executive summary findings reports and the required Attestation of Compliance form.
Nessus: Meet PCI Requirements
Meet: Use Nessus to meet all PCI DSS internal scanning requirements. Nessus also tests web applications for secure coding to OWASP specifications and performs web application vulnerability assessments.
Drive: Use Nessus to baseline your in-scope systems for initial PCI compliance activities. Perform configuration and compliance audits to determine whether systems are adhering to build standards, hardening guides, access controls, user account management, and are current with anti-virus/anti-malware and patch protections.
Guard: Nessus identifies sensitive data subject to PCI compliance requirements such as credit or debit primary account numbers. Nessus performs these searches without an agent and only requires valid credentials to scan a remote computer. Identify and validate your cardholder data environment based on these results.
Prove: Nessus results can be used during the PCI compliance assessment to demonstrate periodic and ongoing processes were maintained throughout the assessment period as required by numerous PCI DSS requirements.
"Straight Talk about PCI" - the PCI Discussion Forum
Tenable hosts a discussion forum devoted to PCI called "Straight Talk about PCI". This forum is a “safe” place where you can ask questions related to any and all aspects of PCI. The Forum is intended to be a resource for accurate information regarding the PCI Data Security Standards, particularly in the areas of defining terminology, scoping your cardholder data environment, properly navigating the compliance process, and providing interpretation, guidance, and advice on the best ways to satisfy the PCI compliance validation requirements faced by your organization. The PCI Discussion Forum is moderated by Tenable’s resident PCI subject matter expert who shares insights and lessons-learned from nearly ten years of experience as a Qualified Security Assessor (QSA). The forum allows our PCI Expert to share extensive knowledge and experience with the larger segment of the PCI Community that does not ordinarily have access to QSA experiences or insights.