PCI Case Studies

Customer Challenge

Learn More - Download The PCI Kit • Forrester:The Top 10 Things You Should Know About PCI Compliance • Aberdeen:Protecting Card Holder Data • Xceedium:PCI Compliance - Technical Note Xceedium Resources • Xceedium:GateKeeper PCI Brochure • Xceedium:LeapFrog Prevention Whitepaper

A large retail chain was faced with the necessity of complying with PCI requirements. This was especially challenging in regard to required access rights provided to their privileged users. The network and Point of Sale equipment at the company's stores is mostly legacy equipment that uses clear text protocols, such as Telnet, for administrator users connecting to these devices. This equipment did not support the unique IDs and strong authentication requirements mandated by the PCI standards. Furthermore these systems and their existing access methods did not provide any logging of access events/activities or full sessions recording that would allow a greater degree of accountability for their privileged and external users (IT administrators and support personnel.) Due to these non-existent data points and decentralized access, they lacked the ability to provide audit and compliance reports for their internal and external compliance auditors.

Xceedium Solution

Xceedium implemented a PCI solution for this customer that solved their PCI challenges surrounding IT administrator and IT support access to their legacy equipment in the field. The solution involved the installation of the Xceedium GateKeeper Cluster (active/active) at the customer's primary data center. The customer's device and user objects were loaded into the Xceedium GateKeeper using CSV files; the appropriate policies giving users access to the Xceedium GateKeeper's integrated access applets and authorized devices were configured from the Xceedium GateKeeper's web-based administration interface. The legacy client applications that used clear text protocols were removed from the users' workstations. All users then used a Java enabled browser to connect to the SSL web interface of the Xceedium GateKeeper Cluster using a Virtual IP (VIP) provided by the Xceedium GateKeeper. Now, when each user logs in to the Xceedium GateKeeper with strong passwords, they are presented with a list of their authorized devices that they may access as needed. User sessions are now encrypted and tied to unique IDs. All access events are logged and full session recording is automatically invoked for these user access sessions.

Customer Satisfaction

The audit and compliance users are now able to log in to the Xceedium GateKeeper and access the "logs" and "reporting" areas of the Xceedium GateKeeper. They can generate custom audit reports on the fly using real time data captured in the Xceedium GateKeeper's logs. They also have the log data sent to a centralized "syslog" server for correlation and alerting. The full session recording data can be used for periodic review of the access session activities or to search on demand for specific forensics and investigative purposes.

The end result is that the privileged IT users are more efficiently and securely able to perform their job functions. At the same time, the security and compliance operations teams are able to properly demonstrate compliance with the PCI requirements with regard to their privileged user community. The reduction of risk, avoidance of fines and protection of brand are all achieved with a single comprehensive solution. Additionally, the customer will be able to leverage their investment in the Xceedium GateKeeper for other security, risk management, governance and compliance projects in the future.

Home | Products | Solutions | Case Studies | Partners | News & Events | About Us

Toll Free: 877-636-5803 | info@xceedium.com
© 2008 Xceedium, Inc. Privacy Policy | Terms of Service