Source: http://www.ssh.com/academy/compliance/pci

Access using SSH keys & PCI DSS compliance

The Payment Card Industry (PCI) Security Standards Council (SSC) was founded in 2006 by the major credit card companies (American Express, Visa, MasterCard, Discover, etc.) with the following two priorities:

Helping merchants and financial institutions understand and implement standards for security policies, technologies and ongoing processes that protect their payment systems from breaches and theft of cardholder data.

Helping vendors understand and implement standards for creating secure payment solutions.

The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. The standard provides a baseline of technical and operational requirements designed to protect account data.

With version 3.2 of the standard it became apparent that security requirements are added, changed or removed mostly to mitigate the vulnerabilities currently being identified in breach reports. The changes are also intended to help organizations maintain, and effectively test, compliance between security assessments. (Version 3.2 has since been superseded by PCI DSS 4.x; the requirement numbering in the mapping below follows 3.2.)

Contents

SSH and PCI DSS
Ramifications of non-compliance or consequences of breaches
PCI compliance SSH mapping guidance
Visa non-compliance penalty table
Next steps
Further information

SSH and PCI DSS

The SSH protocol is the de facto standard for securing data transfers and remote system administration in enterprises of all types and sizes. To automate authentication for application-to-application data transfers and for interactive administrator access over SSH, the industry best practice is public-key authentication, which relies on SSH keys.

Given the purpose of the standard, which is to secure the handling of credit card transactions, the SSH protocol:

Encrypts traffic and file transfers between two endpoints and so protects cardholder data (CHD) in transit.

Is a secure replacement for obsolete clear-text tools such as telnet, FTP and rsh, which expose credentials and CHD to anyone on the network path. Retiring them removes a direct route to unauthorized CHD access and a security breach.

Provides strong authentication of users and devices.

Provides secure access to the cardholder data environment (CDE) for application developers and system/network administrators.

Secures mission critical backups and business continuity processes.

Secures the thousands of automated processes that drive day-to-day IT operations, including moving CHD within and between enterprises that are in scope of PCI DSS.

Prevents man-in-the-middle attacks and protects CHD, provided that clients verify the server's host key. An unknown or changed host key is a security event to investigate, not a prompt to click through.
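The "strong authentication of users" above rests on SSH keys, and the mapping guidance further down recommends a scan of authorized keys to confirm who and what can reach in-scope hosts. The following Python script is an added example (not code from the original page or from SSH Communications Security) of what such a scan records per key: the fingerprint `ssh-keygen -lf` would print, the owner comment, the restricting options, and the findings a reviewer would raise (weak or mismatched key material, undocumented owner, no from=/command= restriction). The authorized_keys sample, its key blobs and the host and user names in it are constructed for illustration.

```python
"""Inventory the keys in an authorized_keys file and flag entries a PCI DSS key
review would question.

Added example for this article, not SSH.com code. Assumptions: the input is the
plain OpenSSH authorized_keys format; the sample below is constructed (the key
blobs are built in wire format so they parse like real ones, but contain no real
key material).
"""
import base64
import hashlib
import re
import struct

# Key type token, base64 blob, optional comment. The lookbehind stops the type from
# matching inside an option value such as command="...".
KEY_RE = re.compile(
    r"(?<!\S)(?P<type>(?:sk-)?(?:ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521))"
    r"(?:@openssh\.com)?(?:-cert-v01@openssh\.com)?)\s+(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$"
)
OPT_RE = re.compile(r'([A-Za-z0-9-]+)(?:="((?:[^"\\]|\\.)*)")?')
# Options that limit where a key may connect from or what it may run (see sshd(8)).
RESTRICTIVE = {"from", "command", "restrict", "no-port-forwarding", "no-pty",
               "no-agent-forwarding", "no-x11-forwarding"}


def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(x: int) -> bytes:
    # +8 bits leaves room for the 0x00 pad byte an mpint needs when the high bit is set
    return _ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))


def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def fingerprint(blob: bytes) -> str:
    """Same value `ssh-keygen -lf` prints: SHA-256 of the wire blob, base64 without padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def parse_options(text: str) -> dict:
    """Split the comma-separated option prefix; quoted values may themselves contain commas."""
    opts, pos = {}, 0
    while pos < len(text):
        m = OPT_RE.match(text, pos)
        if not m:
            raise ValueError(f"cannot parse options near {text[pos:pos + 16]!r}")
        opts[m.group(1).lower()] = m.group(2) if m.group(2) is not None else True
        pos = m.end()
        if pos < len(text):
            if text[pos] != ",":
                raise ValueError(f"expected ',' at offset {pos} of options")
            pos += 1
    return opts


def parse_entry(line_no: int, line: str):
    """Return an inventory record for one authorized_keys line, or None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = KEY_RE.search(line)
    if not m:
        raise ValueError(f"line {line_no}: not an authorized_keys entry")
    options = parse_options(line[:m.start()].strip()) if m.start() else {}
    blob = base64.b64decode(m.group("blob"), validate=True)
    blob_type, off = _read_string(blob, 0)
    entry = {"line": line_no, "type": m.group("type"), "blob_type": blob_type.decode(),
             "fingerprint": fingerprint(blob), "comment": (m.group("comment") or "").strip(),
             "options": options, "findings": []}
    f = entry["findings"]
    if entry["blob_type"] != entry["type"]:
        f.append("declared type does not match key blob")        # mis-edited or tampered entry
    if entry["type"].startswith("ssh-dss"):
        f.append("DSA key (1024-bit only; disabled by default since OpenSSH 7.0)")
    if entry["blob_type"] == "ssh-rsa":                          # plain RSA blob: type, e, n
        _, off = _read_string(blob, off)
        n, _ = _read_string(blob, off)
        bits = int.from_bytes(n, "big").bit_length()
        if bits < 2048:
            f.append(f"RSA modulus is {bits} bits (< 2048)")
    if not entry["comment"]:
        f.append("no comment: owner and purpose of this key are undocumented")
    if not (RESTRICTIVE & options.keys()):
        f.append("unrestricted: no from=/command=/restrict, so the key grants a shell from anywhere")
    return entry


def audit(text: str) -> list:
    """Inventory every key in an authorized_keys text (the 1.1.2 / 1.1.5 scan)."""
    entries = (parse_entry(i, ln) for i, ln in enumerate(text.splitlines(), 1))
    return [e for e in entries if e is not None]


def _b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode()


# Constructed sample: an all-zero ed25519 key, a 1024-bit "RSA" modulus and a bare DSA
# type tag. None of this is real key material; host and user names are invented.
_ED25519 = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))
_RSA_1024 = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint((1 << 1023) | 1)
_DSS = _ssh_string(b"ssh-dss")
SAMPLE_AUTHORIZED_KEYS = f"""# settlement batch job: pulls files from the CDE file gateway
from="10.20.0.0/16",command="/usr/local/bin/settlement-pull",restrict ssh-ed25519 {_b64(_ED25519)} batch@settle01
ssh-rsa {_b64(_RSA_1024)} legacy-backup
ssh-ed25519 {_b64(_RSA_1024)}
ssh-dss {_b64(_DSS)} jdoe@laptop
"""

if __name__ == "__main__":
    for e in audit(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {e['line']}: {e['type']} {e['fingerprint']} {e['comment'] or '(no comment)'}")
        for finding in e["findings"]:
            print(f"    - {finding}")
```

In the sample only the batch key passes cleanly: it names its owner, is pinned to a source network, and is locked to one command. For a real review, run audit() over every account's authorized_keys on each in-scope host (and over any extra paths named by AuthorizedKeysFile in sshd_config), keep the fingerprints as the inventory, and treat each finding as a key to remove, re-issue or document.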

Ramifications of non-compliance or consequences of breaches

As with any non-compliance or breach scenario, organizations may be impacted by any of the following:

Loss of customer confidence, resulting in loss of business

Reduced sales, which hurts the bottom line

Revenue and sales impacts that can lead to loss of jobs

Typical costs incurred from a breach, such as attorneys' fees and reissuing payment cards

Becoming an audit target for almost every PCI DSS requirement applicable to your merchant level

The ability to process card payments may be terminated

And last but not least, potentially going out of business

Organizations must be diligent in continuously assessing their compliance with PCI DSS. Regularly conducting risk assessments whenever the standard or the infrastructure changes is critical to ensuring ongoing compliance.

PCI compliance SSH mapping guidance

Below we highlight some of the key requirements the standard puts forth and shed some light on how we can help pave the way to compliance:

Requirement, followed by guidance:

1.1.2 Current network diagram that identifies all connections between the cardholder data environment and other networks, including any wireless networks.
Guidance: SSH keys create connections, access paths and data transfer routes between systems, and those must be documented in the diagram.

1.1.5 Description of groups, roles, and responsibilities for management of network components.
Guidance: The network diagram identifies the connectivity of all components, which in turn identifies all communications that require SSH. A scan of the authorized keys on in-scope hosts is recommended to confirm that the deployment matches the documented specification (see SSH Risk Assessment). Deploying Universal SSH Key Manager in the cardholder data environment (CDE) further confirms that authorized access matches the defined roles and responsibilities.

2.2.3 Implement additional security features for any required services, protocols, or daemons that are considered to be insecure - for example, use secured technologies such as SSH, SFTP, FTPS, TLS, or IPSec VPN to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc.
Guidance: Tectia SSH provides encrypted file transfers and can carry legacy applications inside an encrypted tunnel. Universal SSH Key Manager controls access within and across the boundary of the CDE. CryptoAuditor prevents tunneling into the CDE. Note that the same port-forwarding capability that protects a legacy protocol can also carry traffic across the CDE boundary unseen, so forwarding should be disabled on in-scope servers except where a documented flow requires it.

3.5.1 Restrict access to cryptographic keys to the fewest number of custodians necessary.
Guidance: An SSH key that grants login to a system holding the keys used to encrypt cardholder data (CHD) is, in effect, access to those encryption keys, and must be restricted accordingly. At minimum, it must be known who (including which processes and systems) can reach the encryption keys, including access through SSH user authentication keys.

7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.
Guidance: Properly configured and deployed, our products enhance your logical access controls: they support the defined roles and responsibilities and grant access only on the basis of approved roles.

8.3 Requires multi-factor authentication for all personnel with non-console administrative access to the CDE (8.3.1). New requirement 8.3.2 addresses multi-factor authentication for all personnel with remote access to the CDE from outside the entity's network (it incorporates former requirement 8.3).
Guidance: Our products support privileged access controls built on three basic principles: approval, logging and monitoring, and post-activity review. Note that an SSH key by itself is a single factor; MFA for SSH means requiring a second method in addition to the key, for example a one-time code delivered through keyboard-interactive authentication.

10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).
Guidance: SSH Communications Security products exceed this retention requirement in their out-of-the-box configuration. The requirement also covers the operating-system logs on in-scope hosts, including sshd's own authentication records, whose retention must be configured separately.

Visa non-compliance penalty table

The following table is an example of the time-cost schedule which Visa uses (fines are assessed per month of non-compliance, by merchant level):

Months of non-compliance    Level 1 merchant     Level 2 merchant
1 to 3                      $10,000 monthly      $5,000 monthly
4 to 6                      $50,000 monthly      $25,000 monthly
7 and on                    $100,000 monthly     $50,000 monthly

Next steps

Exploiting data security weaknesses in the cardholder data environment remains a popular tactic for cyber criminals. With the added risks associated with ineffective access controls along with the most common threat, human error, organizations must remain diligent in enforcing and continuously monitoring their security controls, whether driven by PCI compliance or simply to protect what is important.
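The 2.2.3, 7.1, 8.3 and 10.7 rows of the mapping above translate into a handful of sshd settings that can be checked continuously rather than once a year. The following Python script is an added example (not code from the original page or from SSH Communications Security): it reads the effective server configuration in the format `sshd -T` prints and reports every setting that would fail the corresponding requirement. The two configuration samples are constructed, and the mapping of each setting to a v3.2 requirement number is this example's own, not text from the standard.

```python
"""Check an sshd effective configuration against the settings the PCI DSS
mapping calls for: no tunnels across the CDE boundary, no shared root login,
MFA for administrative access, and logging that identifies the key used.

Added example for this article, not SSH.com code. The input format is what
`sshd -T` prints (lower-case keyword, a space, the effective value, one per
line); both samples below are constructed, and the requirement numbers are
this example's mapping to the v3.2 numbering used on this page.
"""


def _is_no(value: str) -> bool:
    return value.lower() == "no"


def _is_multi_factor(value: str) -> bool:
    """AuthenticationMethods: each space-separated chain is one acceptable login path, and
    every chain must demand two different methods. sshd -T prints "any" when it is unset."""
    if value == "any":
        return False
    return all(len(set(chain.split(","))) >= 2 for chain in value.split())


def _logs_key_fingerprint(value: str) -> bool:
    # VERBOSE (or any DEBUG level) records the fingerprint of the key used at login,
    # which is what ties a session back to an authorized_keys inventory entry.
    return value.upper() in {"VERBOSE", "DEBUG", "DEBUG1", "DEBUG2", "DEBUG3"}


# (keyword, predicate on the effective value, PCI DSS v3.2 requirement, why it matters)
CHECKS = [
    ("allowtcpforwarding", _is_no, "2.2.3", "port forwarding tunnels traffic across the CDE boundary"),
    ("permittunnel", _is_no, "2.2.3", "tun devices carry arbitrary IP traffic across the boundary"),
    ("gatewayports", _is_no, "2.2.3", "remote forwards would listen on all interfaces"),
    ("x11forwarding", _is_no, "2.2.3", "an unneeded channel into in-scope hosts"),
    ("permitrootlogin", _is_no, "7.1", "shared root login defeats individual accountability"),
    ("permitemptypasswords", _is_no, "8.2", "accounts without a password could log in"),
    ("hostbasedauthentication", _is_no, "8.2", "trust by source host, not by user credential"),
    ("authenticationmethods", _is_multi_factor, "8.3", "non-console administrative access needs MFA"),
    ("loglevel", _logs_key_fingerprint, "10.2", "audit trail must show which key authenticated"),
]


def parse_sshd_T(text: str) -> dict:
    """Parse `sshd -T` output into {keyword: value}; the first value wins for repeated keywords."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        conf.setdefault(keyword.lower(), value.strip())
    return conf


def audit_sshd_config(text: str) -> list:
    """Return one finding per check that the effective configuration fails."""
    conf = parse_sshd_T(text)
    findings = []
    for keyword, ok, requirement, why in CHECKS:
        value = conf.get(keyword)
        if value is None:
            findings.append({"keyword": keyword, "value": None, "requirement": requirement,
                             "why": "keyword missing; feed the output of `sshd -T`, not the raw file"})
        elif not ok(value):
            findings.append({"keyword": keyword, "value": value, "requirement": requirement, "why": why})
    return findings


# Constructed: a near-default Linux server as sshd -T would print it ...
SAMPLE_DEFAULT = """\
port 22
permitrootlogin prohibit-password
passwordauthentication yes
permitemptypasswords no
hostbasedauthentication no
allowtcpforwarding yes
permittunnel no
gatewayports no
x11forwarding yes
authenticationmethods any
loglevel INFO
"""

# ... and the same host after hardening for the CDE: key plus a second factor, no tunnels.
SAMPLE_HARDENED = """\
port 22
permitrootlogin no
passwordauthentication no
permitemptypasswords no
hostbasedauthentication no
allowtcpforwarding no
permittunnel no
gatewayports no
x11forwarding no
authenticationmethods publickey,keyboard-interactive
loglevel VERBOSE
"""

if __name__ == "__main__":
    for name, sample in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        findings = audit_sshd_config(sample)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  [{f['requirement']}] {f['keyword']} = {f['value']}: {f['why']}")
```

Run `sshd -T` on each in-scope host as root (adding `-C user=...,host=...,addr=...` where Match blocks apply, so the values reflect the connection being assessed) and feed the output to audit_sshd_config; the findings list is empty only when every check passes. PasswordAuthentication is deliberately not a separate check: once AuthenticationMethods requires a key plus a second method, a password alone is never accepted regardless of that setting.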

We provide services and tools to address compliance in relation to SSH keys and encrypted access. We also provide tools to prevent SSH tunneling from the Internet into the internal network.

We recommend that you contact us for:

An assessment of the use of SSH and related risks and compliance violations.

Introduction to Universal SSH Key Manager, the leading solution for managing access to servers using SSH keys.

Organizations are simultaneously facing other IT challenges, including the transformation to cloud and IoT. Our offering addresses several aspects of that transformation:

Migrating servers into the cloud and adopting agile development processes to react faster and save costs.

Using 3rd parties such as managed services providers and offshore services to lower costs. This requires proper monitoring and control.

Keeping up with the rapid expansion of IoT.

Ensuring effective cybersecurity controls, including application of the NIST Cybersecurity Framework in critical infrastructure.

Controlling who/what has access to critical and sensitive information.

The offering of SSH Communications Security is a compliance enabler for all of the above. Conversely, a lack of visibility into how SSH is deployed and who has access to what data using SSH keys, in the cardholder data environment and elsewhere, exposes an organization to serious risks and liabilities. For example, the Sarbanes-Oxley Act for public companies even carries criminal penalties for negligent or fraudulent certifications by the CEO and CFO.

What is the best way to prepare for a PCI DSS audit? Be your own auditor first: conduct a thorough control gap assessment, which paves the way for an easier audit and an achievable compliance attestation.

Further information

PCI DSS Documents

SSH Risk Assessment

Universal SSH Key Manager®

Preventing tunneled access into a cardholder data environment

Compliance White Paper - SSH and PCI-DSS

PCI-DSS Standard

Malware and hackers are using SSH keys to spread

Cybersecurity Framework

NIST IR 7966 guidance on SSH key management

Other regulatory compliance requirements
