
Payment Card Industry (PCI) Solution

Implementation: Section 2

PCI Requirement Check Point Solution
2. Do not use vendor-supplied defaults for system passwords and other security parameters

2.1 Always change the vendor-supplied defaults before installing a system on the network (for example, include passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts).

Check Point solutions support and encourage customers to change supplied defaults before the installation is complete. Check Point products such as VPN-1 force customers to change the default password during the initial installation. VPN-1 additionally checks that "weak" passwords are rejected, thwarting attackers who rely on commonly known default or easily guessed credentials.

As required in the sub-requirements to 2.1, UTM-1 Edge Wireless (W) includes Wi-Fi Protected Access (WPA) technology for encryption and authentication of wireless traffic.

Through centralized management and administration, VPN-1 solutions allow enterprises to mandate passwords, keys, and other settings and propagate these settings down to the remote devices deployed across the organization, e.g., in distributed sales offices.

Check Point VARs, SIs, and business partners can provide consulting services to help implement Check Point solutions in an organization's architecture to ensure these security checks are applied in the relevant sections of the network as required to achieve the goals of section 2.1.

2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards as defined, for example, by the SysAdmin Audit Network Security Network (SANS), National Institute of Standards Technology (NIST), and Center for Internet Security (CIS).

Check Point VARs, SIs, and business partners can provide consulting services to address the configuration requirements of components as outlined in section 2.2. In addition, Check Point solutions complement the goals of this section by ensuring that only specific services (DNS, Web, etc.) are permitted to reach the appropriate servers and that no unnecessary services can reach those servers.

In addition, Check Point's SmartDefense Services, Application Intelligence, and Web Intelligence technologies inspect application-level traffic to protect against misuse of the protocols and services that are allowed to the covered servers. To help defenses keep pace with a constantly evolving threat landscape, SmartDefense Services provide ongoing, real-time updates and configuration advisories for defenses and security policies. SmartDefense gives enterprises the ability to update security configurations and defenses globally from a single, unified interface, so that security systems stay current against new and evolving threats.

2.3 Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS (transport layer security) for Web-based management and other non-console administrative access.

Check Point products encrypt all non-console administration for all communications between Check Point products and management consoles using Check Point Secure Internal Communications (SIC), SSH, and SSL to ensure that they remain secure and private. In addition, security gateway solutions, including VPN-1 and Connectra, can add VPN encryption for external systems that lack their own VPN encryption capabilities for their non-console administrative communications.

2.4 Hosting providers must protect each entity's hosted environment and data. These providers must meet specific requirements as detailed in "Appendix A: PCI DSS Applicability for Hosting Providers."

VPN-1 Power VSX is a virtualized security gateway that allows managed service providers and enterprises with virtualized networks to create up to 250 virtual security systems (including firewall, VPN, and intrusion prevention) on a single hardware platform. This allows service providers to isolate each entity's cardholder data from that of other entities and to restrict each entity's access to only its own cardholder data, as required by Appendix A.1. In addition, VPN-1 Power VSX allows each entity's logs to be stored and reviewed separately from those of other covered entities.

Check Point VARs, SIs, and business partners can provide consulting services to ensure the network is properly configured to comply with the requirements of Appendix A.1, as well as help define the process that addresses the information retention requirements of section A.1.4.
