Payment card industry (PCI) data security standard

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards.

The Payment Card Industry Security Standards Council (http://www.pcisecuritystandards.org/) created the DSS to reduce payment card fraud by increasing the controls around cardholder data.

This table summarizes the 12 DSS requirements for compliance, organized into six logical groups called "control objectives". The requirements are numbered 1 to 12 here, matching the numbering used in the "PCI DSS applicability to Dynatrace NAM" section below.

Build and maintain a secure network and systems

  1. Install and maintain a firewall configuration to protect cardholder data.

  2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect cardholder data

  3. Protect stored cardholder data.

  4. Encrypt transmission of cardholder data across open, public networks.

Maintain a vulnerability management program

  5. Protect all systems against malware and regularly update anti-virus software or programs.

  6. Develop and maintain secure systems and applications.

Implement strong access control measures

  7. Restrict access to cardholder data by business need to know.

  8. Identify and authenticate access to system components.

  9. Restrict physical access to cardholder data.

Regularly monitor and test networks

  10. Track and monitor all access to network resources and cardholder data.

  11. Regularly test security systems and processes.

Maintain an information security policy

  12. Maintain a policy that addresses information security for all personnel.

Does Dynatrace NAM hold a PCI DSS compliance certificate?

No. As the PCI DSS control objectives and requirements indicate, PCI DSS compliance is assessed for business processes and the environments in which they run, not for individual products and tools used in those environments. As with CMM or ISO certification, PCI DSS compliance is a process certification, not a product certification.
NAM is a tool: a product that measures end-user experience with an application, measures application performance, and triages the causes of performance degradation.

Important

To avoid confusion, be aware of the following product and component name changes that were introduced with Dynatrace NAM 2018:

DC RUM 2017 May release              Dynatrace NAM 2018 release
RUM Console                          NAM Console
Central Analysis Server (CAS)        NAM Server
Advanced Diagnostic Server (ADS)     Advanced Diagnostics on Demand feature of NAM Server
Agentless Monitoring Device (AMD)    NAM Probe
You will see these name changes reflected in the help.

Does Dynatrace NAM have insight into personal data?

Yes. Because of its vantage point on the network, Dynatrace NAM can in principle see personal data that is transferred over the network. Although Dynatrace NAM does not need this data to produce its measurements, it is a point at which the data could be accessed.
The NAM Probe (old AMD), much like an SSL accelerator appliance or a load balancer, could be used to gain insight into the data streams flowing between systems that process and store personal information.

PCI DSS applicability to Dynatrace NAM

PCI DSS requirements go well beyond what Dynatrace could provide: they concern the processes a customer implements internally to control access to and use of IT systems. Dynatrace has no influence on those processes. Dynatrace can, however, provide tools and means that help implement those processes properly.

1. Install and maintain a firewall configuration to protect cardholder data.

The Dynatrace NAM architecture exposes clearly defined inspection points. Use a PCI firewall to examine the data that leaves the NAM Probe (old AMD). This data contains measured entity identification (such as a web page name) and measurement values (such as page load time). The format of this data is text-based and documented, so you can set up examination rules to detect unwanted data leaving the security zone.

2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Apply the NAM security features and the deployment security recommendations, such as changing the default users, replacing pre-installed and self-signed certificates, and removing unnecessary compilers. See Deployment Security Guide and Password policy.

3. Protect stored cardholder data.

The Dynatrace NAM monitoring solution does not store customers' personal information, or any employee or business information, unless it is configured to do so.

  • Manage monitoring configuration
    If your monitoring configuration implies that data such as user names and transaction parameters will be stored, make sure that the configuration stores only the pieces of data you intend to store for performance management. Configure user recognition and transaction attribute recognition with awareness of the application data fields in headers, POST parameters, JSON constructs, and so on. Be selective in configuring what you need to see in Dynatrace NAM to troubleshoot the performance of monitored applications. See Monitoring Configuration options for details on configuring URL and POST parameter monitoring selectively.
  • Control access to the persistent data storage
    Monitoring data is stored persistently in the NAM Server's SQL database. If your monitoring configuration requires insight into semi-sensitive or sensitive fields such as user names, be aware that this data persists in the NAM SQL database, so access to that database must be controlled.
  • Control access to the NAM Probe (old AMD) and NAM Server (old CAS) disks
    Monitoring data is stored temporarily on the network probe's disk. Access to the network probe should be controlled and limited. Be aware that if your monitoring configuration requires insight into semi-sensitive or sensitive fields such as user names, those values will be recorded on the NAM Probe's disk.
    Keep in mind that both the NAM Probe disk and the SQL database store only those elements of potentially personal data that you configured the system to pick up as transaction and user identifiers. Full network transaction data is never stored on disk while application performance is being analyzed.
  • Use network packet recording with caution
    Dynatrace NAM provides an option to capture and analyze network packets on demand, for troubleshooting purposes. When this option is used, a network packet record is created on the NAM Probe disk and made available on the NAM Server (old CAS) disk for packet analysis tools to pick up. The packets are stored as-is: if the network transmission is encrypted, the stored packet record is encrypted; if the transmission is unencrypted, the packet record contains unencrypted data. Use this feature with caution in PCI DSS-controlled environments. It can also be disabled completely and removed from the product through configuration.

4. Encrypt transmission of cardholder data across open, public networks.

All transmission between NAM modules occurs over SSL/TLS connections. Because Dynatrace NAM does not need to process or store cardholder data to deliver its measurements, no cardholder data is exchanged between Dynatrace NAM components.

5. Protect all systems against malware and regularly update anti-virus software or programs.

Customers can install, alongside our software, any software they deem necessary to comply with security regulations. However, Dynatrace cannot guarantee that third-party tools will not interfere with NAM operation. Should such interference occur, our support engineers may ask that the interfering software be temporarily disabled before they proceed with their investigation of the issue that initiated the support call.

6. Develop and maintain secure systems and applications.

Because the NAM Probe (network probe) has insight into customer data, it must be protected in the same way as the network and server equipment on the customer's data processing path. Securing access to the NAM Probe (old AMD) includes restricting and auditing the management connection to it.
The depth of measurement provided by Dynatrace NAM may require insight into SSL-encrypted data streams. Protection of SSL private keys is a basic requirement of personal data security, and all SSL-related operations performed by Dynatrace NAM use equipment certified as compliant with the FIPS 140-2 and FIPS 140-3 cryptographic standards.

7. Restrict access to cardholder data by business need to know.

The Dynatrace NAM user management system restricts access to NAM components. For more information on NAM user management, see Users and Creating and managing user groups.

8. Identify and authenticate access to system components.

Dynatrace NAM authenticates all users who log on to the system and determines each user's access rights to specific system functions (view reports, create reports, alter configuration). Dynatrace NAM keeps a log of user activity on the system, covering both monitoring data access (report views) and configuration data access and configuration changes.

9. Restrict physical access to cardholder data.

The physical deployment of Dynatrace NAM components is governed by data center access policies. This requirement is not applicable to any of the Dynatrace NAM software.

10. Track and monitor all access to network resources and cardholder data.

Dynatrace NAM keeps a log of monitoring configuration changes, which records changes that may have altered the types of information Dynatrace NAM collects from the monitored traffic.
Use system access auditing to monitor who connects to the NAM Probe (old AMD), when, and what is sent and received over the network.
Some customers may require a full audit trail of all NAM Probe and NAM Server (old CAS) access attempts and of the operations performed by console users. We provide these capabilities to the level that Linux and Windows provide them, with our application activity logs on top. However, the process of log harvesting and review must be defined by the customer, since it has to align with the customer's internal processes and procedures. We can help integrate our logs with the tools used for accounting as part of the implementation assurance process.
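The operating-system side of that audit trail is ordinary sshd logging on the NAM Probe host. As an added example of the review step the customer has to define (not Dynatrace code), the following parses sshd authentication lines in the syslog format Linux emits and flags three things a PCI reviewer would ask about: successful logins from outside the management subnet, bursts of failed logins from one source, and password logins where only key-based access should be used. The log lines, host name, addresses and management subnet are constructed for illustration.

```python
"""Added example (not Dynatrace code): review of sshd authentication logs from a
NAM Probe host. Log lines, host name, addresses and subnet are constructed."""
import ipaddress
import re
from collections import Counter
from typing import Dict, List

# Constructed sample in the syslog format sshd on Linux produces.
SAMPLE_AUTH_LOG = """\
Jan 12 10:15:01 namprobe sshd[2231]: Accepted publickey for namadmin from 10.20.0.5 port 51234 ssh2: RSA SHA256:abc
Jan 12 10:16:44 namprobe sshd[2240]: Failed password for root from 203.0.113.9 port 40001 ssh2
Jan 12 10:16:46 namprobe sshd[2240]: Failed password for root from 203.0.113.9 port 40001 ssh2
Jan 12 10:16:49 namprobe sshd[2240]: Failed password for root from 203.0.113.9 port 40001 ssh2
Jan 12 10:17:02 namprobe sshd[2250]: Accepted password for namadmin from 203.0.113.9 port 40002 ssh2
Jan 12 11:02:10 namprobe sshd[2310]: Accepted publickey for namadmin from 10.20.0.7 port 51240 ssh2: RSA SHA256:def
"""

_SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)

# Assumed management subnet from which probe administration is permitted.
MGMT_NET = ipaddress.ip_network("10.20.0.0/24")


def parse_auth_log(text: str) -> List[dict]:
    """Return one dict per sshd Accepted/Failed line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = _SSHD_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def review_access(events: List[dict], mgmt_net=MGMT_NET,
                  fail_threshold: int = 3) -> Dict[str, list]:
    """Produce the findings a log review for requirement 10 would look for."""
    findings = {"outside_mgmt_net": [], "failed_bursts": [], "password_logins": []}
    failures = Counter()
    for ev in events:
        src = ipaddress.ip_address(ev["src"])
        if ev["result"] == "Failed":
            failures[ev["src"]] += 1
            continue
        # Accepted login: check source and authentication method.
        if src not in mgmt_net:
            findings["outside_mgmt_net"].append((ev["user"], ev["src"]))
        if ev["method"] == "password":
            findings["password_logins"].append((ev["user"], ev["src"]))
    for src, n in failures.items():
        if n >= fail_threshold:
            findings["failed_bursts"].append((src, n))
    return findings


def accepted_summary(events: List[dict]) -> Counter:
    """Count successful logins per (user, source) for the periodic access report."""
    return Counter((ev["user"], ev["src"]) for ev in events if ev["result"] == "Accepted")


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    print(review_access(evs))
    print(accepted_summary(evs))
```

In the sample, the three failed root logins followed by a successful password login for namadmin from the same non-management address is the pattern worth escalating: it is either an operator working from the wrong network or a credential that has been guessed. Feed the same parser from the NAM Server host and the application activity logs, and the periodic summary becomes the access report the assessor asks for.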

11. Regularly test security systems and processes.

Dynatrace NAM is not an element of any business information processing chain. By design, the Dynatrace NAM system does not interfere with the customer's personal data; it is a monitoring solution only. However, to make sure that Dynatrace NAM, as part of the broader IT system, complies with security standards, Dynatrace uses the Nessus and Qualys security scanning tools in the Dynatrace NAM product development cycle. These are the same tools many corporations use in their PCI compliance testing processes (http://www.tenable.com/products/nessus). Additionally, we employ independent third-party companies, accredited by recognized government bodies, to periodically conduct penetration tests against a properly set up Dynatrace NAM system. For more information on performing security audits, see Auditing.

12. Maintain a policy that addresses information security for all personnel.

Dynatrace NAM provides extensive documentation on system operation, configuration, access control and solution architecture. This documentation can be used as a source for, or referenced in, any information security or operations policies the customer needs in order to adhere to security standards. Dynatrace Expert Services can help set up run books and operator manuals for the Dynatrace NAM implementation in your specific environment, including advice on security procedures for handling Dynatrace NAM data.