Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) establishes standard requirements protecting cardholder information. It applies to all entities that store, process or transmit cardholder data, such as retail merchants, payment processors and banks. PCI DSS took effect in January 2005 after being co-written by VISA and MasterCard and endorsed by other leading card providers.

There are 12 requirements for PCI DSS compliance, grouped into six IT control objectives. Each outlines a different area of security best practices, ranging from information security policy development to assessment and monitoring of threats, vulnerabilities and misconfigurations.

In September 2006, version 1.1 of PCI DSS was released by the PCI Security Standards Council. This release modified the language of several requirements and added an appendix for compensating controls.

Some examples of the language and key challenges in PCI DSS v1.1 include:

Requirement 2.2. Develop configuration standards for all systems components.
Requirement 6.1. Ensure that all system components and software have the latest security patches installed.
Requirement 8.5. Ensure proper user authentication and password management for non-consumer users and administrators on all system components.
Requirement 10.5. Secure audit trails so they cannot be altered.
Requirement 11.5. Deploy file integrity monitoring software to alert personnel of unauthorized modification of critical system or content files.

The NetIQ Solution

NetIQ's award winning and industry-recognized solutions can help in establishing and ensuring the 12 requirements of PCI DSS v1.1 are met on a continuing basis. Specific products that assist with PCI DSS compliance efforts include:

Individual solutions from NetIQ can be purchased separately and include:

Secure Configuration Manager – Configuration assessment, compliance reporting and IT risk management for heterogeneous environments
Security Manager – Integrated security information and event management to protect critical data and streamline incident response
Change Guardian for Windows – User activity and change monitoring across Windows systems
VigilEnt Policy Center – Automated creation, distribution and testing of written security policies
Security Solutions for iSeries – Simplified auditing, intrusion protection, vulnerability management and security administration for the IBM System i (formerly IBM iSeries or AS/400) platform
Attachmate Reflection for Secure IT – Complete encryption, authentication and data integrity to protect data in motion

Key PCI Related Features

PCI Control Objective	PCI Requirement	How NetIQ Can Help
Build & Maintain a Secure Network	1. Install and maintain a firewall configuration	Publish firewall configuration policies on the intranet and track who has read them. Monitor for changes or unauthorized access to Cisco-IOS based routers & switches.
Build & Maintain a Secure Network	2. Do not use vendor-supplied defaults for passwords	Automatically assess systems and user accounts for compliance with password policies.
Protect Cardholder Data	3. Protect stored cardholder data	Determine if proper security controls are in place to protect sensitive data. Develop, distribute and enforce data retention and disposal policies.
Protect Cardholder Data	4. Encrypt transmission of cardholder data across open, public networks	Safely transmit sensitive data and ensure transfers are complete. Develop, distribute and enforce data cryptographic policies.
Maintain a Vulnerability Management Program	5. Use and regularly update anti-virus software	Evaluate the status of antivirus applications, including virus signature date, last scan date and scanning engine version. Monitor antivirus system services and restart if required.
Maintain a Vulnerability Management Program	6. Develop and maintain secure systems and applications	Audit to ensure the latest security patches are installed and to identify the latest vulnerabilities. Report user access entitlements to ensure separation of duties. Enable granular access control to reduce the number of privileged accounts. Alert on unmanaged changes to Active Directory objects.
Implement Strong Access Control Measures	7. Restrict access to cardholder data	Reduce administrative privileges through secure privilege delegation on Windows and Active Directory. Alert on failed administrator/user access and AD/Group Policy object changes. Publish data control policies; track receipt and test understanding.
	8. Assign a unique ID to each person	Report on usernames across domains to ensure uniqueness. Verify that user accounts are protected by strong passwords or smart card authentication. Enforce naming conventions in Active Directory. Monitor user activity to identify potential concurrent logins or for the illicit use of service accounts.
	9. Restrict physical access to cardholder data	Develop, distribute and enforce security policies on restricting physical access.
Regularly Monitor & Test Networks	10. Track and monitor all access to network resources and cardholder data	Monitor and log actions taken by privileged users, as well as the creation/deletion of system objects. Analyze event logs in real-time, then archive for trending and forensics reporting. Log and report on changes to Active Directory as well as Windows, Unix, Linux and iSeries systems. Generate reports to verify auditing (e.g., event logging, syslog) is enabled.
Regularly Monitor & Test Networks	11. Regularly test security systems and processes	Automate routine system integrity analysis to ensure controls are implemented effectively. Continuously monitor critical files and directories with alerting on changes. Monitor host-based threats in real-time and leverage automated responses.
Maintain an Information Security Policy	12. Maintain a policy that addresses information security	Develop, publish, and track security policies to your user community. Test security awareness through on-line quizzes and surveys. Facilitate rapid incident response via workflow and an extensible knowledge base for operational procedures.