GoToAssist Corporate PCI Compliance
White Paper

Citrix GoToAssist Corporate and Payment Card Industry (PCI) Compliance

GoToAssist Corporate provides robust, configurable security controls that can be implemented to meet the intent of PCI requirements.

gotoassist.com
Scope and audience
This guide is for Citrix GoToAssist Corporate customers and other stakeholders who need to understand how GoToAssist Corporate can meet the intent of the requirements outlined in the Payment Card Industry Data Security Standard (PCI DSS) or the Payment Application Data Security Standard (PA DSS). This document solely addresses the GoToAssist Corporate product as it pertains to the PCI DSS and PA DSS standards. This document is only a guide and not an authority on validating the GoToAssist Corporate product with either the PCI DSS or PA DSS standards. It is ultimately up to the merchant, payment application vendor or Qualified Security Assessor (QSA) whether the GoToAssist Corporate product would address the PCI DSS or PA DSS requirements as implemented in the customer’s unique environment.
Introduction
GoToAssist Corporate is a hosted service that provides a way to deliver remote support to PC and Mac computers and Android and BlackBerry mobile devices. GoToAssist Corporate allows a user to request support from a support representative and then allows that representative to view and optionally control the end user’s computer remotely.

The Payment Card Industry Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA DSS) were developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. The PCI DSS and the PA DSS provide a baseline of technical and operational requirements designed to protect cardholder data. PCI DSS applies to all entities involved in payment card processing – including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data. The PA DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties.

This document focuses on the information security features of GoToAssist Corporate as it pertains to the PCI DSS and PA DSS standards. The reader is assumed to have a basic understanding of the product and its features and the PCI DSS and PA DSS standards. Additional materials on GoToAssist Corporate may be found online at www.gotoassist.com or by contacting a Citrix Online Services representative. Additional information on the PCI DSS and PA DSS programs can be found at https://www.pcisecuritystandards.org.
The payment card industry standard compliance programs
The GoToAssist Corporate product contains various security and administrative features that can be used to meet the intent of PCI DSS and PA DSS requirements. The table below describes some of these features and which PCI DSS and PA DSS requirement they may meet in the customer’s environment. The list in the table is not exhaustive but is used to highlight some of the key controls when looking at the PCI programs. Detailed information about the security controls in GoToAssist Corporate can be found in the GoToAssist Corporate Security White Paper.
Key requirements guide

PCI DSS Requirement:
2.1 Always change vendor-supplied defaults before installing a system on the network, including but not limited to passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts.
PA DSS Requirement:
10.3.2 If vendors, resellers/integrators, or customers can access customers’ payment applications remotely, the remote access must be implemented securely.
• Change default settings in the remote access software (for example, change default passwords and use unique passwords for each customer).
GoToAssist Corporate:
• Unique accounts and passwords must be created at installation of product.

PCI DSS Requirement:
2.3 Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
4.1 Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks.
PA DSS Requirement:
5.4 The payment application must only use or require use of necessary and secure services, protocols, daemons, components, and dependent software and hardware, including those provided by third parties, for any functionality of the payment application (for example, if NetBIOS, file-sharing, Telnet, FTP, etc., are required by the application, then they are secured via SSH, S-FTP, SSL, IPSec, or other technology).
12.1 Instruct customers to encrypt all non-console administrative access with strong cryptography, using technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
GoToAssist Corporate:
• All GoToAssist Corporate connections are “end-to-end” encrypted.
• IETF-standard Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols are used to protect all communication between endpoints.
• 128-bit AES encryption is used for session confidentiality.
PCI DSS Requirement:
6.1 Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release.
PA DSS Requirement:
7.2 Software vendors must establish a process for timely development and deployment of security patches and upgrades, which includes delivery of updates and patches in a secure manner with a known chain-of-trust, and maintenance of the integrity of patch and update code during delivery and deployment.
GoToAssist Corporate:
• Citrix continuously tests and improves upon the GoToAssist Corporate product. Updates are regularly released to customers.

PCI DSS Requirement:
7.2 Establish an access control system for systems components with multiple users that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed.
8.1 Assign all users a unique ID before allowing them to access system components or cardholder data.
PA DSS Requirement:
3.1 The payment application must support and enforce the use of unique user IDs and secure authentication for all administrative access and for all access to cardholder data. Secure authentication must be enforced to all accounts, generated or managed by the application, by the completion of installation and for subsequent changes after installation.
GoToAssist Corporate:
• A role-based access control system is enforced.
• Unique user IDs can be created.
PCI DSS Requirement:
8.3 Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties. (For example, remote authentication and dial-in service (RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens; or other technologies that facilitate two-factor authentication.)
PA DSS Requirement:
10.2 If the payment application may be accessed remotely, remote access to the payment application must be authenticated using a two-factor authentication mechanism.
Note: Two-factor authentication requires that two of the three authentication methods be used for authentication (see PA-DSS Req. 10.1 for descriptions of authentication methods). Aligns with PCI DSS Requirement 8.3.
10.3 Any remote access into the payment application must be done securely, as follows:
10.3.1 If payment application updates are delivered via remote access into customers’ systems, software vendors must tell customers to turn on remote-access technologies only when needed for downloads from vendor, and to turn off immediately after download completes. Alternatively, if delivered via VPN or other high-speed connection, software vendors must advise customers to properly configure a firewall or a personal firewall product to secure “always on” connections.
10.3.2 If vendors, resellers/integrators, or customers can access customers’ payment applications remotely, the remote access must be implemented securely. Note: Examples of remote access security features include:
• Allow connections only from specific (known) IP/MAC addresses.
GoToAssist Corporate:
• Classified as a remote support technology, not remote access.
• Sessions must be initiated by the remote user. Not designed for unattended support.
• Remote user is always prompted for permission before any screen sharing, remote control or data transfer is initiated.
• Remote user can watch what the representative does at all times. Remote user can take back control or terminate session at any time.
• Typically implemented without access originating outside the network. Only authorized employees have access.
• Local security controls on the remote user’s computer are never overridden.
• Network perimeter settings can restrict only IP and services required for the GoToAssist functionality.
PCI DSS Requirement:
8.5.8 Do not use group, shared, or generic accounts and passwords or other authentication methods.
8.5.9 Change user passwords at least every 90 days.
8.5.10 Require a minimum password length of at least seven characters.
8.5.11 Use passwords containing both numeric and alphabetic characters.
8.5.12 Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.
8.5.13 Limit repeated access attempts by locking out the user ID after not more than six attempts.
8.5.14 Set the lockout duration to a minimum of 30 minutes or until administrator enables the user ID.
8.5.15 If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.
PA DSS Requirement:
10.3.2 If vendors, resellers/integrators, or customers can access customers’ payment applications remotely, the remote access must be implemented securely.
Note: Examples of remote access security features include:
• Change default settings in the remote access software (for example, change default passwords and use unique passwords for each customer).
• Use strong authentication and complex passwords for logins (see PA-DSS Requirements 3.1.1 through 3.1.10).
• Enable account lockout after a certain number of failed log-in attempts (see PA-DSS Requirement 3.1.8).
• Establish customer passwords according to PA-DSS Requirements 3.1.1 through 3.1.10.
GoToAssist Corporate:
• Unique accounts and passwords are used.
• Password expiration period is configurable (min: 10 days, max: 120 days, default: 90 days). If the account holder logs in and the password has expired, the account holder is forced to change his or her password.
• Passwords are required to be 8-32 characters in length.
• Passwords are required to contain at least three of the following four: uppercase alphabet, lowercase alphabet, numbers [0-9] and special symbols. Strong passwords must not be the same as the login name or the actual first name or last name on the account. Passwords are checked for strength when initialized or changed.
• A history of passwords is maintained. A password cannot be changed to a password that exists in the password history. Password history depth is configurable (min: 1, max: 5, default: 3).
• After 3 consecutive failed log-in attempts, the account can either be set to unlock after a configurable amount of time or configured to be locked out until the account password is reset.
• Session timeouts are currently not a configurable option. However, since the sessions are attended, sessions can be monitored and terminated at the end user’s or help agent’s discretion.
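As an added example that is not part of the white paper and not Citrix code, the following Python compares a configuration of the password controls described above (expiration period, history depth, lockout threshold) against the PCI DSS 8.5.x thresholds quoted in the same table, and applies the stated strength rules to a candidate password. PolicyConfig, policy_gaps and password_ok are names chosen here, and comparing the password to the account names case-insensitively is an assumption the paper does not state.

```python
import re
from dataclasses import dataclass

# Thresholds quoted from PCI DSS 8.5.9, 8.5.12 and 8.5.13 in the table above.
PCI_MAX_PASSWORD_AGE_DAYS = 90   # change passwords at least every 90 days
PCI_MIN_HISTORY_DEPTH = 4        # reject any of the last four passwords
PCI_MAX_FAILED_ATTEMPTS = 6      # lock out after not more than six attempts


@dataclass
class PolicyConfig:
    """Configurable values as listed for GoToAssist Corporate (defaults shown)."""
    expiration_days: int = 90    # configurable 10..120
    history_depth: int = 3       # configurable 1..5
    lockout_attempts: int = 3    # fixed at 3 consecutive failed log-ins


def policy_gaps(cfg: PolicyConfig) -> list:
    """Return the PCI DSS 8.5.x clauses that the configured values do not satisfy.

    Note that the product default history depth (3) is below the four passwords
    PCI DSS 8.5.12 asks for, and the 120-day maximum exceeds 8.5.9.
    """
    gaps = []
    if cfg.expiration_days > PCI_MAX_PASSWORD_AGE_DAYS:
        gaps.append("8.5.9")
    if cfg.history_depth < PCI_MIN_HISTORY_DEPTH:
        gaps.append("8.5.12")
    if cfg.lockout_attempts > PCI_MAX_FAILED_ATTEMPTS:
        gaps.append("8.5.13")
    return gaps


# The four character classes named in the table: upper, lower, digits, symbols.
CHAR_CLASSES = [re.compile(p) for p in (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")]


def password_ok(pw: str, login: str, first: str, last: str, history: list) -> bool:
    """Strength rules from the table: 8-32 characters, at least three of the
    four classes, not equal to the login name or first/last name (compared
    case-insensitively here, an assumption), and not in the password history."""
    if not 8 <= len(pw) <= 32:
        return False
    if sum(1 for cls in CHAR_CLASSES if cls.search(pw)) < 3:
        return False
    if pw.lower() in {login.lower(), first.lower(), last.lower()}:
        return False
    return pw not in history
```
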
PCI DSS Requirement:
Requirement 10: Track and monitor all access to network resources and cardholder data.
PA DSS Requirement:
10.3.2 If vendors, resellers/integrators, or customers can access customers’ payment applications remotely, the remote access must be implemented securely.
Note: Examples of remote access security features include:
• Enable the logging function.
GoToAssist Corporate:
• All connection and session activities are logged and the screen-sharing and chat session can be optionally recorded and played back for review at a later time.
• All logging activity can be securely kept and access restricted. Screen-sharing and chat sessions are never exposed unencrypted.
Frequently asked questions
Q: Is GoToAssist Corporate compliant with the PCI DSS or PA DSS?
PCI DSS: GoToAssist Corporate is not directly subject to the PCI DSS. If GoToAssist Corporate is used in an environment that is subject to the PCI DSS, then certain PCI DSS requirements may need to be met depending on how the product is implemented and the network scope of the PCI environment. It is up to a PCI Qualified Security Assessor (QSA) and the customer to determine the scope for their PCI DSS assessment.
PA DSS: GoToAssist Corporate is not designed as a payment application and is not subject to the PA DSS. If GoToAssist Corporate is used to remotely support a payment application, then certain requirements in the PA DSS standard may need to be met. It is up to a PCI Qualified Security Assessor (QSA) and the customer to determine the scope for their PA DSS assessment.

Q: I am using the GoToAssist Remote Support product instead of the GoToAssist Corporate product: can that meet the intent of the PCI DSS or PA DSS requirements?
It is recommended that the GoToAssist Corporate product be used in an environment needing to comply with the PCI DSS or PA DSS requirements, due to the extra configurable security controls and attended support functionality found in the product. If you are using the GoToAssist Remote Support product, it is recommended that you review the GoToAssist Remote Support Security White Paper and determine with your Qualified Security Assessor (QSA) whether the product addresses your unique environment.
North America
Citrix Online, LLC
7414 Hollister Avenue
Goleta, CA 93117
U.S.A.
T +1 805 690 6400
info@citrixonline.com
Europe, Middle East & Africa
Citrix Online, UK Ltd
Chalfont Park House
Chalfont Park, Gerrards Cross
Bucks SL9 0DZ
United Kingdom
T +44 (0) 800 011 2120
europe@citrixonline.com
Asia Pacific
Citrix Online, AUS Pty Ltd
Level 3, 1 Julius Avenue
Riverside Corporate Park
North Ryde NSW 2113
Australia
T +61 2 8870 0870
asiapac@citrixonline.com
About Citrix
Citrix (NASDAQ:CTXS) is the cloud company that enables mobile workstyles—empowering people to work and collaborate from anywhere,
easily and securely. With market-leading solutions for mobility, desktop virtualization, cloud networking, cloud platforms, collaboration and data
sharing, Citrix helps organizations achieve the speed and agility necessary to succeed in a mobile and dynamic world. Citrix products are in use
at more than 260,000 organizations and by over 100 million users globally. Learn more at www.citrix.com.
© 2013 Citrix Online, LLC. All rights reserved. Citrix, GoToAssist, GoToMeeting, GoToMyPC, GoToTraining, GoToWebinar, Podio and ShareFile are trademarks of Citrix or a subsidiary thereof, and are or may be registered in the U.S. Patent and Trademark Office and other countries. All other trademarks are the property of their respective owners.
Android is a trademark of Google Inc. Mac, iPad and iPhone are trademarks of Apple, Inc., registered in the U.S. and other countries.
6.18.13/B-89167/PDF