3 PCI Compliance Requirements Solved with Change Auditing
:: By Orin Thomas, Netwrix Corporation
The PCI (Payment Card Industry) DSS (Data Security Standard) is a proprietary standard for information security for organizations that manage credit, debit and other types of payment cards. The current version of PCI DSS 3.0 is active from January 2013 to December 2016 and includes the following 12 requirements :
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Protect all systems against malware and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder by business need to know.
8. Identify and authenticate access to system components.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security for all personnel.
Change auditing allows you to track what was changed, who changed it, and when they made that change. While many of the PCI DSS requirements involve authenticating users and controlling access to systems and data, only by implementing a change auditing solution you ensure that the restrictions you have put in place actually work. More specifically, it allows you to partially or fully address the following three PCI DSS requirements:
Requirement 7. Restrict access to cardholder data by business need to know
To meet this, it’s necessary to configure permissions so that only people that need access to cardholder data have that access. While configuring permissions is not something you do with a change auditing solution, you can only verify that the permissions have been configured correctly, and that access is limited to people that needed it. A comprehensive change auditing solution will tell you who had access to sensitive cardholder data and what they have changed, allowing you to verify that the restrictions that you have put in place meet your organization’s compliance responsibility.
Requirement 8. Identify and authenticate access to system components
Auditing access to the systems that protect sensitive data is as important as auditing access to the sensitive data itself. To use an analogy: If you want to make sure that the money in a bank vault is secure, not only do you need to keep an eye on the money, but you need to keep an eye on the person that comes to maintain the lock on the bank vault itself.
A comprehensive change auditing solution doesn’t authenticate access to system components, but it does allow you to record precisely who entered the system, which system resources they have entered, what changes they may have made there.
Requirement 10. Track and monitor all access to network resources and cardholder data
Change auditing helps to meet this requirement directly. By design, it tracks and monitors access to sensitive objects, be they network resources, or sensitive data such as payment cardholder data. A change auditing solution provides you with more than a simple access log, but instead provides you with a trustworthy tamper resistant record of any changes made.
Solving the PCI Compliance Puzzle
A robust change auditing solution can function as a critical piece of the puzzle in ensuring that your organization meets its PCI DSS compliance obligations. While you use other technologies to authenticate users and control access to systems and data, change auditing solution helps you to have a complete visibility into what is happening in your IT system streamlining compliance and strengthening security.
Orin Thomas is the convener of the Melbourne System Center, Security, and Infrastructure Group, a Microsoft Security MVP, and a technical expert for Netwrix Corporation, the #1 provider of change and configuration auditing software.