PCI DSS

Payment Card Industry – Data Security Standard (PCI DSS v3.2.1)

The Payment Card Industry is a private industry group set up by the major credit card companies to define standards for companies that process credit card transactions. The Data Security Standard was defined to prevent credit card fraud, hacking and other security issues. A company processing, storing, or transmitting credit card numbers must be PCI DSS compliant or it risks losing the ability to process credit card payments. The PCI DSS includes requirements covering network security, data protection, vulnerability management, access control, monitoring and testing, and information security.

According to the PCI Data Security Standard, an organization must be able to monitor, report, and alert on attempted or successful access to systems and data security for those applications that contain sensitive cardholder data. The standard explicitly calls for the collection and monitoring of event logs.

Using EventTracker to meet PCI DSS v3.2.1 Requirements

Requirement Solution
PCI DSS 1: Install and Maintain a Firewall Configuration to Protect Data
Collect logs from firewall devices to ensure and validate compliance. Monitors all services, protocols and ports in use, validates inbound and outbound traffic, and captures and alarms on event data related to network and firewall-specific activity.
PCI DSS 2: Do Not Use Vendor-supplied Defaults for System Passwords & Other Security Parameters.
Monitor the network for indications of improper behavior and signs of insufficient security configuration. Provides a record of all services used and can alarm on the use of non-encrypted protocols.
PCI DSS 3: Protect Stored Cardholder Data.
Monitor changes in the cardholder environment and alarm on changes to security-critical resources. Alarm on actions that affect specific files or objects, with details such as who, when and where if a cryptographic key is altered.
PCI DSS 4: Encrypt Transmission of Cardholder Data Across Open, Public Networks.
Monitor network use to ensure that only the proper protocols are being used in the cardholder data environment. Monitors and alerts on unauthorized or unencrypted services being used, and can report on detected wireless networks to help control access points.
PCI DSS 5: Protect All Systems Against Malware and Regularly Update Anti-Virus Software or Programs.
Collect log data from antivirus solutions and alarm on detected malware and compromises in the cardholder data environment. Identifies operational errors from antivirus and antimalware applications, detects and incorporates new signatures, and alerts on malware detected within the cardholder data environment.
PCI DSS 6: Develop and Maintain Secure Systems and Applications.
Collect and alarm on detected vulnerabilities and software update activity to help organizations develop and maintain secure systems and applications. Monitors and reports on when and if critical patches are installed, and reports on the security posture of commercial, custom and web applications in conjunction with other security devices.
PCI DSS 7: Restrict Access to Cardholder Data by Business Need to Know.
Monitor access privilege assignments and suspicious data accesses. Collects relevant data from access control systems, monitoring and validating access to cardholder data and system components through account creation, object access, and privilege assignment and revocation.
PCI DSS 8: Identify and Authenticate Access to System Components.
Identify shared account usage in the network, including non-obvious accounts with more than one user. Reports on all user-account activity from account creation and activity to account removal. Alarming on default and shared account usage provides real-time validation.
PCI DSS 9: Restrict Physical Access to Cardholder Data.
Monitor physical access control devices for access attempts to cardholder data areas. Provides alarms for physical access failures and details on other physical access activity via investigations and reports.
PCI DSS 10: Track and Monitor All Access to Network Resources and Cardholder Data.
Automate collection, centralization and monitoring of logs from servers, applications, security and other devices. Collects all access-related logs, ensures that all log data has a synchronized time-stamp and maintains a digital chain-of-custody to protect audit trails against unauthorized modifications.
PCI DSS 11: Regularly Test Security Systems and Processes.
Collect logs from IDS/IPS devices to help ensure and validate compliance. File Integrity Monitoring capabilities directly meet requirement 11. Provides risk-based prioritization and alerting on IDS/IPS, and monitors intrusion-related activity in real time. File Integrity Monitoring tracks reads and modifications for critical files and directories.
PCI DSS 12: Maintain a Policy that Addresses Information Security for All Personnel.
Provide centralized intelligence to support organizational security policies, including incident handling and response. An enterprise-class system that expands beyond the cardholder data environment to support other areas of the organization.