PCI DSS COMPLIANCE STATEMENT
PROXY PRO’S ROLE IN A PCI COMPLIANT ENVIRONMENT
The Payment Card Industry Data Security Standard (PCI DSS) consists of 12 high-level requirements put in place to enhance cardholder data security. It applies to all entities involved in payment card processing. It also applies to any other entity that stores, processes or transmits cardholder data. Proxy Networks is not a payment solution and does not deal directly with any credit card data. Therefore, the PROXY Pro software falls outside of the scope for PCI review. Note that no particular software product can be deemed PCI compliant by itself as compliance requires an evaluation of the complete environment, taking into account such things as physical restrictions, business practices, all software components etc. PROXY Pro software provides secure remote access that, when configured properly, can easily support an organization's PCI compliant environment. Please see the PCI Security Standards Council website (https://www.pcisecuritystandards.org/) for more information about PCI DSS.
REQUIREMENTS - HIGH LEVEL OVERVIEW
Listed below are the 12 High Level Requirements presented in the PCI DSS “Requirements and Security Assessment Procedures version 3.2” and Proxy Networks’ relationship to them. Note that the full document is available on the PCI Security Standards Council Website in this library: https://www.pcisecuritystandards.org/document_library (See document: “PCI DSS”).
Given these requirements, here are 12 ways PROXY Pro software can help organizations comply with PCI DSS.
1. Install and maintain a firewall configuration to protect cardholder data
PROXY Pro software is an on premise solution. All components can be located safely behind an organization's managed firewall in its PCI compliant data center. Depending upon the specific edition of PROXY Pro software, communications can be configured so that all remote control sessions require an outbound connection from the Host computer to the RAS Server.
2. Do not use vendor-supplied defaults for system passwords and other security parameters
All accounts and passwords are managed by the end user. Account credentials can be maintained using Windows Active Directory or other identity providers depending upon the edition. Standard Microsoft Windows security best practices are recommended.
3. Protect stored cardholder data
As an on premise solution, Proxy Networks does not have or collect any data from remote computers. In editions of PROXY Pro that support screen recording, screen data (recordings) are stored in a proprietary format on the on premise server. Screen recording is an option that can be turned off completely if so desired.
4. Encrypt transmission of cardholder data across open, public networks
PROXY Pro software uses end-to-end AES 256-bit encryption. All sessions are encrypted by default regardless of protocol chosen (UDP/TCP/SSL).
5. Protect all systems against malware and regularly update anti-virus software or programs
Since the PROXY Pro solution is an on premise deployment, this falls under the control of the end user and their IT practices.
6. Develop and maintain secure systems and applications
PROXY Pro software’s service accounts have limited privileges and the system is designed with security in mind. Updates to the software are released promptly when there is an update to OpenSSL.
7. Restrict access to cardholder data by business need to know
PROXY Pro software offers many layers of security and customization regarding who has access to any particular resource. In addition, the software can be configured to allow attended remote access only if so desired. Machines can be placed in groups and users can be assigned granular permissions to Host machines in those groups. Please see https://www.proxynetworks.com/proxy-security-whitepaper for more information.
8. Identify and authenticate access to system components
PROXY Pro software can be configured to use Windows authentication. Accounts can be managed in Windows Active Directory or other identity providers depending upon the edition. This includes an option to require Multifactor Authentication (MFA).
9. Restrict physical access to cardholder data
PROXY Pro software does not store any cardholder data. Screen recordings can be disabled or stored on a secure on premise server.
10. Track and monitor all access to network resources and cardholder data
Depending upon the edition, PROXY Pro software will log remote control connections in the Windows Event Log on the remote machine and also keep a centralized audit log of all access to remote computers. This includes who connected to which machine, at what time, and for how long. The Web Console (Private Cloud Edition) allows for activity reports to be generated.
11. Regularly test security systems and processes
Proxy Networks is committed to staying on top of any security issues that may arise. We monitor Microsoft Windows updates and OpenSSL releases. We provide updates to our software promptly when necessary.
12. Maintain a policy that addresses information security for all personnel
As an on premise solution, no data is ever transmitted back to Proxy Networks servers or personnel. Proxy Networks personnel have no access to any customers' machines unless explicitly granted.