DataPower and the PCI DSS (Data Security Standard)

DataPower is an ideal solution for many of the requirements:

• Build and Maintain a Secure Network
  – Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  – Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
• Protect Cardholder Data
  – Requirement 3: Protect stored cardholder data
  – Requirement 4: Encrypt transmission of cardholder data across open, public networks
• Maintain a Vulnerability Management Program
  – Requirement 5: Use and regularly update anti-virus software
  – Requirement 6: Develop and maintain secure systems and applications
• Implement Strong Access Control Measures
  – Requirement 7: Restrict access to cardholder data by business need-to-know
  – Requirement 8: Assign a unique ID to each person with computer access
  – Requirement 9: Restrict physical access to cardholder data
• Regularly Monitor and Test Networks
  – Requirement 10: Track and monitor all access to network resources and cardholder data
  – Requirement 11: Regularly test security systems and processes
• Maintain an Information Security Policy
  – Requirement 12: Maintain a policy that addresses information security

Red – Complete Solution with DataPower
Blue – Partial Solution with DataPower

3 Comments

  1. Mike J says:

    Thys, in your experience, how should DataPower be segregated for PCI vs. non-PCI functions?

    Assume:

    1. There is a dedicated “PCI network” available if needed and
    2. New DataPower services would be created that front-end encryption and tokenization services.

    Main considerations:

    1. Cost of building a new separate DataPower environment dedicated to the PCI functions described above and
    2. Complying w/ the PCI DSS in a somewhat conservative interpretation.

    Trying to figure out the best way to implement a new data obfuscation (encryption + tokenization) enterprise service.

    Thank you,
    Mike

  2. Thys Michels says:

    Hi Mike, thanks for your comment. PCI has become a real issue with most customers as they are getting fined for not being PCI compliant. DataPower is a very good way to easily satisfy some of the PCI requirements, as specified in my post.

    Looking at your assumptions, I agree that DataPower will be used for all incoming messages from external parties to your backend. It will provide the encryption, decryption and tokenization services for messages moving from external parties to your backend and vice versa.

    The best way to do this is to create generic PCI services on the appliance. What this means is that you have multiple users that will be using the same encryption algorithms and certificates over different protocols to access your backend. The same applies to tokenization: you will create generic services for all tokenized data.

    Doing PCI with DataPower is really fast and easy to do, and the cost involved depends on your current environment. The reason for this is that you can create PCI services that will front-end all your internal services and then offload the verified, decrypted message to your current ESB or applications/systems.

    So in a nutshell, the best way to apply PCI is to consolidate most of your interaction with external parties by specifying the encryption algorithms and also the tokenization standard to be used. This will minimize the effort to create PCI compliant services for each external party that would like to use your services.

    If you have any more questions around this, send me a message via my Contact menu and I will be able to supply you with some documentation around doing this.

    I hope it answers your questions and helps you be more PCI compliant.
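A constructed illustration of the generic tokenization service the reply describes, where the gateway hands a card number (PAN) to a vault and passes only a token downstream. This is an added example, not code from the blog post or from DataPower (on the appliance this would be a service policy); the in-memory vault, the HMAC index key and the 16-digit test PAN are assumptions.

```python
import hashlib
import hmac
import secrets

def luhn_valid(pan: str) -> bool:
    """Luhn check digit: every real PAN passes it, so a failing value is not a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """In-memory stand-in for the tokenization service behind the gateway (assumption:
    a production vault lives in an encrypted, access-controlled store, not a dict)."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key  # keyed hash, so the vault never indexes by raw PAN
        self._token_by_index = {}    # HMAC(PAN) -> token; makes tokenization repeatable
        self._pan_by_token = {}      # token -> PAN; the only place the PAN is kept

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("input is not a well-formed PAN")
        idx = self._index(pan)
        if idx in self._token_by_index:
            return self._token_by_index[idx]  # same card always gets the same token
        while True:
            # Random leading digits plus the real last four: the token reveals nothing
            # about the PAN and deliberately fails Luhn, so it can never be mistaken
            # for (or replayed as) a real card number.
            token = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4)) + pan[-4:]
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._token_by_index[idx] = token
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the trusted backend that genuinely needs the PAN should reach this."""
        return self._pan_by_token[token]
```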
