Payment Card Industry (PCI) Solution

Implementation: Section 6

PCI Requirement Check Point Solution
6. Develop and maintain secure systems and applications

6.1 Ensure that all system components and software have the latest vendor-supplied security patches installed. Install relevant security patches within one month of release.

In addition to enforcing the use of up-to-date antivirus solutions, Check Point Endpoint Security can ensure, before granting PCs network access, that all enterprise endpoints have the Windows service packs and patches and the application patches that your administrators require. As with antivirus, Check Point Endpoint Security can automatically send missing patches to noncompliant company PCs and install them in the background. Check Point Endpoint Security also provides detailed log data and filterable reports on patch-rule violations and remediation that support audits and forensic analysis.

With SmartUpdate, part of the SMART management system, you can view, download, schedule, and push the latest software packages to Check Point security solutions, ensuring that all Check Point systems are always up to date with the latest protection.

In addition, SmartDefense Services give administrators the ability to globally update software, security configurations, and defenses from a single, unified interface, ensuring security systems are always up to date to defend against new and evolving threats. With SmartDefense Services, enterprise administrators will know which updates were downloaded as well as which gateways are enforcing those updates.

Check Point VARs, SIs, and business partners can provide consulting services to ensure that organizational processes and technology solutions address the best practices and documentation requirements outlined in section 6.1.

6.2 Establish a process to identify newly discovered security vulnerabilities (for example, subscribe to alert services freely available on the Internet). Update standards to address new vulnerability issues.

SmartDefense Services maintain the most current preemptive security for the Check Point security infrastructure. To help defenses stay continuously ahead of today's constantly evolving threat landscape, SmartDefense Services provide ongoing and real-time updates and configuration advisories for defenses and security policies. SmartDefense Services provide real-time security updates and alert customers to new vulnerabilities and configuration policies, as well as providing information on possible risks to their networks and, as such, to protected cardholder information. Advisories include best practices to defend against security threats.

Check Point VARs, SIs, and business partners can provide consulting services to ensure that organizational processes and technology solutions address the best practices and documentation requirements outlined in section 6.2.

6.3 Develop software applications based on industry best practices and incorporate information security throughout the software development life cycle.

6.4 Follow change control procedures for all system and software configuration changes.

6.5 Develop all web applications based on secure coding guidelines such as the Open Web Application Security Project guidelines. Review custom application code to identify coding vulnerabilities.

6.3-6.5 These sections are requirements for secure software development and testing not directly related to Check Point solutions.

However, while section 6.5 addresses Web-based software and application deployment and coding, Check Point solutions can add a further layer of protection, by way of a network device, to help achieve the aims of this section. Web Intelligence, an optional solution integrated with VPN-1, can provide the input validation, access control, scripting and injection protection, and other subrequirements covered by this section.

Check Point VARs, SIs, and business partners can provide consulting services to help an organization develop and maintain secure systems and applications as required by the process, best practices, and documentation outlined in section 6.

6.6 Ensure that all web-facing applications are protected against known attacks by applying either of the following methods:

  • Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security
  • Installing an application layer firewall in front of web-facing applications.

Note: This method is considered a best practice until June 30, 2008, after which it becomes a requirement.

Check Point Web Intelligence is a Web application firewall technology that provides complete protection for the entire Web environment. Supported on VPN-1 UTM, VPN-1 Power, UTM-1 Edge, and Connectra, it provides a multi-layer defense for the network, operating systems, Web servers, and backend systems it protects. When used on the Check Point gateway in front of the application, Web Intelligence provides the application layer firewalling outlined in this requirement.
