NetIQ | An Attachmate Business

Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) establishes a standard set of requirements for protecting cardholder information. It applies to all entities that store, process or transmit cardholder data, such as retail merchants, payment processors and banks. PCI DSS took effect in January 2005 after being co-written by VISA and MasterCard and endorsed by other leading card providers.

There are 12 requirements for PCI DSS compliance, grouped into six IT control objectives. Each outlines a different area of security best practices, ranging from information security policy development to assessment and monitoring of threats, vulnerabilities and misconfigurations.

In September 2006, version 1.1 of PCI DSS was released by the PCI Security Standards Council. This release modified the language of several requirements and added an appendix for compensating controls.

Some examples of the language and key challenges in PCI DSS v1.1 include:

  • Requirement 2.2. Develop configuration standards for all systems components.
  • Requirement 6.1. Ensure that all system components and software have the latest security patches installed.
  • Requirement 8.5. Ensure proper user authentication and password management for non-consumer users and administrators on all system components.
  • Requirement 10.5. Secure audit trails so they cannot be altered.
  • Requirement 11.5. Deploy file integrity monitoring software to alert personnel of unauthorized modification of critical system or content files.

The NetIQ Solution

NetIQ's award-winning and industry-recognized solutions can help establish, and ensure on a continuing basis, that the 12 requirements of PCI DSS v1.1 are met. Specific products that assist with PCI DSS compliance efforts include:

Individual solutions from NetIQ can be purchased separately and include:

Key PCI Related Features

PCI Control Objective / PCI Requirement / How NetIQ Can Help

Build & Maintain a Secure Network
  1. Install and maintain a firewall configuration
    • Publish firewall configuration policies on the intranet and track who has read them.
    • Monitor for changes or unauthorized access to Cisco IOS-based routers and switches.
  2. Do not use vendor-supplied defaults for passwords
    • Automatically assess systems and user accounts for compliance with password policies.

Protect Cardholder Data
  3. Protect stored cardholder data
    • Determine if proper security controls are in place to protect sensitive data.
    • Develop, distribute and enforce data retention and disposal policies.
  4. Encrypt transmission of cardholder data across open, public networks
    • Safely transmit sensitive data and ensure transfers are complete.
    • Develop, distribute and enforce data cryptographic policies.

Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software
    • Evaluate the status of antivirus applications, including virus signature date, last scan date and scanning engine version.
    • Monitor antivirus system services and restart them if required.
  6. Develop and maintain secure systems and applications
    • Audit to ensure the latest security patches are installed and to identify the latest vulnerabilities.
    • Report user access entitlements to ensure separation of duties.
    • Enable granular access control to reduce the number of privileged accounts.
    • Alert on unmanaged changes to Active Directory objects.

Implement Strong Access Control Measures
  7. Restrict access to cardholder data
    • Reduce administrative privileges through secure privilege delegation on Windows and Active Directory.
    • Alert on failed administrator/user access and on AD/Group Policy object changes.
    • Publish data control policies; track receipt and test understanding.
  8. Assign a unique ID to each person
    • Report on usernames across domains to ensure uniqueness.
    • Verify that user accounts are protected by strong passwords or smart card authentication.
    • Enforce naming conventions in Active Directory.
    • Monitor user activity to identify potential concurrent logins or illicit use of service accounts.
  9. Restrict physical access to cardholder data
    • Develop, distribute and enforce security policies on restricting physical access.

Regularly Monitor & Test Networks
  10. Track and monitor all access to network resources and cardholder data
    • Monitor and log actions taken by privileged users, as well as the creation/deletion of system objects.
    • Analyze event logs in real time, then archive them for trending and forensics reporting.
    • Log and report on changes to Active Directory as well as Windows, Unix, Linux and iSeries systems.
    • Generate reports to verify that auditing (e.g., event logging, syslog) is enabled.
  11. Regularly test security systems and processes
    • Automate routine system integrity analysis to ensure controls are implemented effectively.
    • Continuously monitor critical files and directories, with alerting on changes.
    • Monitor host-based threats in real time and leverage automated responses.

Maintain an Information Security Policy
  12. Maintain a policy that addresses information security
    • Develop, publish, and track security policies to your user community.
    • Test security awareness through on-line quizzes and surveys.
    • Facilitate rapid incident response via workflow and an extensible knowledge base for operational procedures.
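Requirement 11.5 above, and the Requirement 11 row of the table ("Continuously monitor critical files and directories"), both describe file integrity monitoring without showing what such a check actually does. The following added example (not NetIQ code, and not from the standard) shows the core of a file integrity monitor: a baseline of SHA-256 digests over a directory tree, and a comparison that classifies files as added, removed or modified. The directory contents and file names are constructed for the demo.

```python
"""Minimal file-integrity baseline and check, illustrating PCI DSS Requirement 11.5.

Added example; the directory layout and file names below are constructed,
not taken from any real system.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in 64 KiB chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (POSIX relative path) to its digest."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two baselines.

    Returns sorted lists under the keys 'added', 'removed' and 'modified'.
    A production monitor would also persist the baseline out of reach of the
    monitored host (see Requirement 10.5 on securing audit trails) and alert
    on any non-empty result.
    """
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            name for name in baseline
            if name in current and baseline[name] != current[name]
        ),
    }


def demo() -> dict:
    """Build a baseline over a constructed tree, tamper with it, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "payment.conf").write_text("merchant_id=EXAMPLE\n")
        (root / "bin").mkdir()
        (root / "bin" / "settle").write_bytes(b"\x7fELF-placeholder")
        (root / "README").write_text("constructed sample\n")

        baseline = build_baseline(root)

        # Simulated unauthorized changes: one edit, one new file, one deletion.
        (root / "etc" / "payment.conf").write_text("merchant_id=EXAMPLE\ndebug=1\n")
        (root / "bin" / "unexpected_tool").write_bytes(b"constructed new binary")
        (root / "README").unlink()

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

In practice the baseline is computed on a known-good system, stored and signed off-host, and the comparison runs on a schedule or from a file-system event hook; the classification logic itself is no more complicated than the `compare` function here.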
