PCI DSS Compliance
Additional manual configuration is required.
This chapter describes PCI DSS Compliance and how each issue is addressed.
PCI DSS Compliance Overview
PCI DSS (Payment Card Industry Data Security Standard) is a worldwide information security standard defined by the Payment Card Industry Security Standards Council, an organization founded by the key electronic payment providers, including American Express, Visa Inc., and MasterCard Worldwide. The standard aims to reduce or prevent credit card fraud by requiring that organizations in the payment card industry implement increased controls around cardholder data, thereby minimizing its exposure to compromise.
Certification as “PCI DSS compliant” is mandatory for a large number of organizations in the credit card payment industry; the standard applies to all organizations that hold, process, or exchange cardholder information from any card branded with the logo of one of the PCI SSC members.
Compliance Features
We support full compliance with the following relevant PCI DSS directives:
Control Objectives | PCI DSS Requirements | V 9.x
---|---|---
Build and Maintain a Secure Network | 1. Install and maintain a firewall configuration to protect cardholder data. | N/A
Build and Maintain a Secure Network | 2. Do not use vendor-supplied defaults for system passwords and other security parameters. | Supported
Protect Cardholder Data | 3. Protect stored cardholder data. | Supported
Protect Cardholder Data | 4. Encrypt transmission of cardholder data across open, public networks. | Supported
Maintain a Vulnerability Management Program | 5. Use and regularly update anti-virus software on all systems commonly affected by malware. | N/A
Maintain a Vulnerability Management Program | 6. Develop and maintain secure systems and applications. | Supported (ongoing)
Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need-to-know. | Supported
Implement Strong Access Control Measures | 8. Assign a unique ID to each person with computer access. | Supported
Implement Strong Access Control Measures | 9. Restrict physical access to cardholder data. | Supported
Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data. | Supported
Regularly Monitor and Test Networks | 11. Regularly test security systems and processes. | Supported
Maintain an Information Security Policy | 12. Maintain a policy that addresses information security. | N/A
Firewall
By default, access to data is restricted to a specific list of 'permitted' web and API requests. Web access is secured via restrictive user credentials. Administrative access is restricted to responsible individuals, and access rights can be revoked for any user.
Resolution: None required
Vendor-Supplied Default Passwords Are Not Used
By default, the first time the system administrator logs in to the system (after installation) using the default login credentials, the administrator is required to change the administrator password.
Resolution: Installation dependent.
Locally created users are prompted to change their passwords. If users are federated from an external source, the external source defines the password management policy. Eleveo does not store or administer such passwords or the password policy of those integrations.
Pause/Resume Functionality Is Enabled
This functionality is currently available via the Pause/Resume and RMI API for third-party applications in hybrid deployments (not supported in combination with all recording methods).
Resolution: Installation dependent
Key Manager Is Active and Keys Are Valid for No Longer than 12 Months
PCI DSS compliance requires the authenticated and encrypted transmission of data across networks (see Encrypt Tool), including between clients and servers in distributed systems such as Eleveo. One of the functions of the Key Manager is to manage this secure transmission, including automatic, transparent renewal of authentication certificates when they expire.
Resolution: Install authentication and encryption certificates and activate Key Manager. See Activating Key Manager.
Self-Signed or Commercial Certificates
For standard production environments, use commercially signed authentication certificates with Key Manager. “Commercial certificates” are authentication certificates signed by a trusted commercial CA (Certificate Authority) such as Thawte or Verisign.
Self-signed certificates are quick to create. However, they are not as secure or as widely trusted as commercial certificates, so they can provoke warnings and security errors, particularly when used with web technologies. Use them for testing purposes only.
Activating Key Manager
Administrators can configure the Key Manager.
Resolution: Install authentication and encryption certificates and activate Key Manager. See Activating Key Manager.
Audio Files Are Encrypted
Once Key Manager activates, audio encryption is enabled automatically.
Resolution: None required
Video Files Are Encrypted
Once Key Manager activates, mixed video file (Screen Capture) encryption for Mp4 files is enabled automatically.
Resolution: None required
Web Access Is Encrypted
The Tomcat web server installed and configured for the Quality Management applications uses Secure Sockets Layer (SSL) encryption. This is a requirement for PCI compliance.
Resolution: None required.
Audit Logs Are Collected
By default, audit logs are collected by Eleveo and can be viewed from within the Web UI.
Regular Testing
Eleveo regularly tests the systems and processes for security risks.
Resolution: None required if default settings are kept.
Restrictive Access Controls
No physical access to cardholder data is allowed.
Resolution: None required if default settings are kept.
Password Management Is Enforced
Note that in this version there are several distinct areas or applications where password policies must be set. Policies for Eleveo applications are controlled from external applications (if users are imported) or from within User Management. More details are listed on the GDPR Compliance page, in the Security section.
The following settings must be changed from their default values for passwords to be marked as PCI compliant in the web interface:
Minimum characters: at least 8
Minimum capital characters: at least 1
Minimum numbers: at least 1
Details of the available password configuration settings are listed below; click the links to see more.
Resolution: Update the Password configuration settings in the User Management interface.
Brute-Force Protection Is Enforced
In addition to the minimum password configuration settings above, PCI compliance also requires protection against brute-force attacks, in which an attacker uses automated password-guessing tools to make repeated login attempts.
To safeguard against these attacks, the following two settings in the Password configuration section must be active (they are PCI compliant by default):
Unsuccessful logins before lockout: 6 or under.
Time for which account is blocked (minutes): 30 or more.
Resolution: None required if default settings are kept
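The password minimums and the lockout settings above, as an added example that is not Eleveo's code: a checker that reports which configured values fall short of the thresholds quoted on this page, a password validator, and a lockout tracker that blocks an account after the configured number of failures for the configured number of minutes. The setting names are assumed for this example and are not Eleveo's configuration keys.

```python
from dataclasses import dataclass, field

# Thresholds quoted on this page; the setting names are assumed for this example,
# not Eleveo's own configuration keys.
PCI_THRESHOLDS = {"min_chars": 8, "min_capitals": 1, "min_numbers": 1,   # at least
                  "logins_before_lockout": 6,                             # at most
                  "lockout_minutes": 30}                                  # at least

def pci_setting_violations(settings: dict) -> list:
    """Names of settings that fall short of the thresholds above (empty = compliant)."""
    bad = [k for k in ("min_chars", "min_capitals", "min_numbers", "lockout_minutes")
           if settings.get(k, 0) < PCI_THRESHOLDS[k]]
    if settings.get("logins_before_lockout", 999) > PCI_THRESHOLDS["logins_before_lockout"]:
        bad.append("logins_before_lockout")
    return bad

def password_meets_policy(pw: str, settings: dict) -> bool:
    """Check a candidate password against the configured minimums."""
    return (len(pw) >= settings["min_chars"]
            and sum(c.isupper() for c in pw) >= settings["min_capitals"]
            and sum(c.isdigit() for c in pw) >= settings["min_numbers"])

@dataclass
class LockoutTracker:
    """Counts failed logins per user; times are plain seconds (as from time.time())."""
    settings: dict
    failures: dict = field(default_factory=dict)
    blocked_until: dict = field(default_factory=dict)
    def is_locked(self, user: str, now: float) -> bool:
        until = self.blocked_until.get(user)
        if until is None:
            return False
        if now < until:
            return True
        del self.blocked_until[user]        # window elapsed: reset the counters
        self.failures.pop(user, None)
        return False

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Return 'locked', 'ok' or 'failed'; a locked account rejects even a correct password."""
        if self.is_locked(user, now):
            return "locked"
        if password_ok:
            self.failures.pop(user, None)
            return "ok"
        n = self.failures[user] = self.failures.get(user, 0) + 1
        if n >= self.settings["logins_before_lockout"]:
            self.blocked_until[user] = now + 60 * self.settings["lockout_minutes"]
            return "locked"
        return "failed"
```

The lockout check runs before the password is considered, which is what stops an automated guesser from succeeding on a later attempt within the blocked window.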
Data Retention Policies Are Enforced
The Delete media lifecycle management (MLM) tool must be configured and operational. It is critical that its settings are configured according to the MLM requirements.
Handling encryption of archived files
If your media files are encrypted with the Key Manager, they are archived in encrypted form.
Retain the corresponding encryption keys so that the encrypted, archived media files can still be decrypted after the encryption key's expiration date.
Resolution: Enable and configure the Delete MLM tool.
Password Storage in Eleveo
Passwords are stored securely by Eleveo. However, some limitations apply:
Locally created users have their passwords stored as SHA256 hashes.
Users imported from external sources (for example, webexCC) are authenticated against the source from which they are imported.
HTTPS Configuration
Resolution: None required if default settings are kept.