PCI-GENERAL™
A MySQL database appliance that enables compliance

The loss of cardholders information can irreparably damage consumer’s trust in the brand and adversely impacts stakeholders, but the loss of patient record information can lead to civil and criminal penalties. PCI-GENERAL™ is a secure MySQL database appliance that has been designed from ground up to enable compliance. The appliance transparently encrypts MySQL data, provides FIPS compliant key management and creates irrevocable logs for audit purposes. Packet General is the market leader in the MySQL data compliance market.

  • A secure MySQL database appliance with guaranteed performance
  • Transparent MySQL data encryption
  • Lifetime key management using FIPS 140-2 Level 2/3 smart cards
  • Protection against a malicious privileged user
  • Cryptographically signed logs
  • Encrypted MySQL database backups
  • Role-based platform management

Available models:

Model #

PG-100

PG-200

PG-300

PG-E50V

PG-150V

Operating System

Secure
PG-OS

Secure
PG-OS

Secure
PG-OS

Secure
PG-OS

Secure
PG-OS

CPU - Quad-core Intel Xeon 2.4GHz 4 x 12M Cache, Turbo, HT, L2 Cache 8MB L3 Cache, 1066MHz Max Mem

1

2

2

SMP Virtual Appliance

SMP Virtual Appliance

Memory - Registered w/ ECC 1333MHz Dual Ranked RDIMMs

12GB

24GB

48GB

Minimum

2GB

Minimum

2GB

Storage - SATA 10000-RPM 16MB Cache 3.0Gb/s

500GB
RAID-5

500GB
RAID-5
w/ Hot Spare

1000GB
RAID-5
w/ Hot Spare

n/a

n/a

Disks

3

4

4

n/a

n/a

NIC/LOM

2x GbE LOM

2x GbE LOM

2x GbE LOM

n/a

n/a

Availability

Hot-swap HDD; 500W Redundant PSU;
Memory
RAS

Hot-swap HDD; 500W Redundant PSU;
Memory
RAS

Hot-swap HDD; 500W Redundant PSU;
Memory
RAS

n/a

n/a

Enclosure

1U

1U

1U

n/a

n/a

Power Supplies

Redundant 500W (80+GOLD)

Auto Ranging 100V ~240V)

Redundant 500W (80+GOLD)

Auto Ranging 100V ~240V)

Redundant 500W (80+GOLD)

Auto Ranging 100V ~240V)

n/a

n/a

Dimensions

1.69 x 17.09

x 24.69 (in)

1.69 x 17.09

x 24.69 (in)

1.69 x 17.09

x 24.69 (in)

n/a

n/a

Weight

35.02lbs (15.9Kg)

35.02lbs (15.9Kg)

35.02lbs (15.9Kg)

n/a

n/a

Operating Environment

50 to 95 °F

10 to 35 °C

50 to 95 °F

10 to 35 °C

50 to 95 °F

10 to 35 °C

n/a

n/a

Number of "sql-bench" encrypted transactions/sec

500*

650*

750*

n/a

n/a

* Performance data represents the maximum capabilities of the system as measured under optimal testing conditions.

Security

Security Specifications

Description

PG-100

Hard Appliance

PG-200

Hard Appliance

PG-300

Hard Appliance

PG-E50V

Virtual Appliance

PG-150V

Virtual Appliance

MySQL data encryption

Transparent data encryption of MySQL data (TDE).

Y

Y

Y

Y

Y

“On-demand” encryption

Encryption can be turned on or off on per MySQL database basis

Y

Y

Y

Y

Y

MySQL client applications

MySQL client applications remain unchanged.

Y

Y

Y

Y

Y

MySQL binary log file protection

Logs are protected via strong encryption.

Y

Y

Y

Y

Y

MySQL backups protection

Encrypted backups with proper key management.

Y

Y

Y

N

Y

MySQL service protection

Only a privileged user (not "root") can start the service - protects against physical loss of an appliance.

Y

Y

Y

Y

Y

Encryption algorithm used

Advanced Encryption Standard (AES) - symmetric-key encryption standard (U.S. FIPS PUB 197 (FIPS 197).

Y

Y

Y

Y

Y

Key length

256 bits

Y

Y

Y

Y

Y

Key storage

Federal Information Processing Standard (FIPS) Publication 140-2/3 based smart cards running EAL4/EAL5 operating system.

Y

Y

Y

N

Y*

Key distribution

Secure distribution conducted during the appliance installation.

Y

Y

Y

n/a

Y

Key revocation

Authenticated revocation - a single step process.

Y

Y

Y

n/a

Y

Key rotation

Built-in key rotation.

Y

Y

Y

Y

Y

Non-repudiation

Cryptographically signed reports stored in an encrypted data vault.

Y

Y

Y

N

Y

Protection against malicious privileged user

The OS “root” user is not allowed to view/alter the MySQL data.

The MySQL “root” user is not allowed to alter the MySQL binary logs.

Y

Y

Y

Y

Y

Firewall

Built-in customized firewall.

Y

Y

Y

Y

Y

Services

Minimal set of services that are needed to run the MySQL server in a secure and controlled environment.

Y

Y

Y

Y

Y

Platform management

Role-based platform management.

Y

Y

Y

Y

Y

Security updates

Automated and tested updates.

Single source for all security updates.

Y

Y

Y

Y

Y

Hardened MySQL appliance

Appliance footprint < 700MB.

Y

Y

Y

Y

Y

Management

Secure web based administration.

Y

Y

Y

Y

Y

* Certain limitations apply

The PCI council consists of American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International. The council describes the PCI data security standard in the following manner: "The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. PCI DSS applies to all entities involved in payment card processing – including merchants, processors, including acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data. PCI DSS comprises a minimum set of requirements for protecting cardholder data, and may be enhanced by additional controls and practices to further mitigate risks. The enforcement of the PCI DSS is carried out by the card brands as well as by the financial institutions that process card transactions. Failure to comply can result in fines or higher transactional fees. 

As the described above, the PCI DSS security measures must be adopted throughout the organization. PCI-GENERAL™ for MySQL appliance, the custodian of the transactional data, has been designed to enable easy compliance with the following PCI DSS mandates:

Requirement 2.2.1 - Implement only one primary function per server.
Requirement 2.2.2 - Disable all unnecessary and insecure services and protocols (services and protocols not directly needed to perform the device’s specified function). 
Requirement 2.2.4 - Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers. 
Requirement 3.4 - Render PAN, at minimum, unreadable anywhere it is stored (including on portable digital media, backup media, in logs) by using any of the following approaches:
§ One-way hashes based on strong cryptography 
§ Truncation 
§ Index tokens and pads (pads must be securely stored) 
§ Strong cryptography with associated key-management processes and procedures 
The MINIMUM account information that must be rendered unreadable is the PAN.

 

Requirement 3.4.1.b - Verify that cryptographic keys are stored securely (for example, stored on removable media that is adequately protected with strong access controls). 
Requirement 3.5 - Protect any keys used to secure cardholder data against disclosure and misuse: Note: This requirement also applies to key-encrypting keys used to protect data encrypting keys—such key-encrypting keys must be at least as strong as the data-encrypting key. 

Requirement 3.5.1 - Restrict access to cryptographic keys to the fewest number of custodians necessary. 
Requirement 3.6.2 - Secure cryptographic key distribution 
Requirement 3.6.3 - Secure cryptographic key storage 
Requirement 3.6.4 - Periodic cryptographic key changes 
- As deemed necessary and recommended by the associated application (for example, re-keying); preferably automatically 
- At least annually

Requirement 3.6.5 - Retirement or replacement of old or suspected compromised cryptographic keys 
Requirement 7.1.1 - Restriction of access rights to privileged user IDs to least privileges necessary to perform job responsibilities 
Requirement 7.1.2 - Assignment of privileges is based on individual personnel’s job classification and function 
Requirement 8.5.4 - Immediately revoke access for any terminated users. 
Requirement 8.5.6 - Enable accounts used by vendors for remote maintenance only during the time period needed. 
Requirement 8.5.9 - Change user passwords at least every 90 days. 
Requirement 10.5 - Secure audit trails so they cannot be altered. 
Requirement 10.5.1 - Limit viewing of audit trails to those with a job-related need. 
Requirement 10.5.2 - Protect audit trail files from unauthorized modifications. 
Requirement 10.5.5 - Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert). 
Requirement 10.7 - Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from back-up).