A PCI-DSS Compliance Overview: What You Should Know
The Payment Card Industry Data Security Standard (PCI DSS) was first introduced in late 2004. Since then, there have been several revisions, culminating in the latest standard, 3.1.
The standards focus on specific requirements in twelve areas of a payment card system. The requirements are applicable to any entity that holds, processes, or transfers payment card information. Each of the twelve covered areas focuses on a specific section of the PCI environment.
The 12 Requirements of PCI DSS
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open public networks.
- Use and regularly update antivirus software.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security.
Staying PCI DSS Compliant
There are a large variety of products available that promise to assist with your PCI compliance efforts—the sheer volume of products can be overwhelming. Given the complexity of PCI DSS, no one product can ensure compliance. However, many products claim to keep you PCI compliant—can they?
Given that breaches have occurred at firms that at one point in time had been certified as PCI compliant, the answer is certainly no. So how do you ensure the security of your PCI environment given this reality?
Compliance with PCI DSS should be viewed as a temporary condition, a “snapshot” of your systems at a given moment. PCI Compliance is subject to change at any moment. Much to their chagrin, many organizations have learned this lesson the hard way.
PCI solutions often fall short because, while they can show that the environment is compliant at one point in time, they have no ability to assure that compliance is continual. Once you have employed various tools to get your PCI environment into a known good state, the key is to do everything possible to detect and prevent changes that will alter that state.
How CimTrak Helps With PCI Compliance
While CimTrak can help you achieve compliance with a number of PCI DSS requirements, two sections, PCI 10.5.5 and PCI 11.5, specifically call for a file integrity monitoring solution such as CimTrak to be deployed.
PCI-DSS Requirement 10.5.5 | File Integrity Monitoring
Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
PCI-DSS Requirement 11.5 | Change Detection Mechanisms
Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.
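As an added example (not CimTrak's code or anything published by the PCI Council), here are the two requirements above in working form: a minimal monitor that applies the append-tolerant rule of 10.5.5 to a log file and the any-change rule of 11.5 to a configuration file. The log lines and config contents are constructed sample data.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample data: an audit log and a config file as they looked at baseline time.
LOG_AT_BASELINE = (b"2015-06-01T10:00:01Z login user=alice src=10.0.0.5 result=ok\n"
                   b"2015-06-01T10:02:17Z login user=bob src=10.0.0.9 result=fail\n")
CONFIG_AT_BASELINE = b"allow_insecure_tls = false\nlog_level = info\n"

@dataclass(frozen=True)
class Baseline:
    size: int     # byte length when the baseline was taken
    digest: str   # SHA-256 of the content at baseline time

def take_baseline(content: bytes) -> Baseline:
    return Baseline(len(content), hashlib.sha256(content).hexdigest())

def check_log(baseline: Baseline, current: bytes):
    """Requirement 10.5.5 semantics: alert when existing log data is altered or
    removed, but treat growth of the file (appended records) as legitimate.
    Returns (verdict, baseline to carry forward)."""
    if len(current) < baseline.size:
        return "ALERT: log truncated", baseline
    prefix_digest = hashlib.sha256(current[:baseline.size]).hexdigest()
    if prefix_digest != baseline.digest:
        return "ALERT: existing log data modified", baseline
    if len(current) > baseline.size:
        # Only new bytes were added: roll the baseline forward, no alert.
        return "OK: records appended", take_baseline(current)
    return "OK: unchanged", baseline

def check_critical_file(baseline: Baseline, current: bytes) -> str:
    """Requirement 11.5 semantics: any change to a critical system or
    configuration file is reportable, appends included."""
    digest = hashlib.sha256(current).hexdigest()
    return "OK: unchanged" if digest == baseline.digest else "ALERT: critical file modified"

if __name__ == "__main__":
    log_base = take_baseline(LOG_AT_BASELINE)
    appended = LOG_AT_BASELINE + b"2015-06-01T10:05:44Z logout user=alice\n"
    print(check_log(log_base, appended)[0])   # OK: records appended
    # Same length, but a past record was rewritten: must alert.
    tampered = LOG_AT_BASELINE.replace(b"result=fail", b"result=ok  ")
    print(check_log(log_base, tampered)[0])   # ALERT: existing log data modified
    cfg_base = take_baseline(CONFIG_AT_BASELINE)
    print(check_critical_file(cfg_base, CONFIG_AT_BASELINE + b"debug = true\n"))  # ALERT: critical file modified
```

A real deployment would persist the baselines and run the checks on a schedule far shorter than the weekly minimum, since a rewrite of an old log record is only caught against the last baseline taken before it happened.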
CimTrak Exceeds PCI DSS Standards
The goal of PCI 10.5.5 and PCI 11.5 is to ensure the integrity of critical logs from the PCI environment and to ensure that changes to files do not allow a breach of PCI data. While PCI 11.5 calls for file-integrity monitoring software such as CimTrak to look for file changes at least weekly, true integrity of your PCI environment requires much more frequent monitoring. CimTrak provides real-time file integrity monitoring (FIM) without taxing your system resources.
This allows you to exceed the minimum frequency for file-integrity monitoring called for in PCI 11.5 and gives you added peace of mind that your PCI environment is secure and in a state of constant integrity. PCI 11.5 also discusses the importance of regularly monitoring the output of your file integrity monitoring (FIM) solution. CimTrak makes this easy by providing complete reporting on changes, as well as on critical configurations.
CimTrak covers a broad array of systems in PCI environments, including servers, network devices, critical workstations, and even point of sale (POS) systems. Whether you’re a small retailer or a large payment processor, CimTrak can help you!
Next Steps Toward PCI Compliance
If you've downloaded the PCI DSS Compliance Checklist, you will be able to see how File Integrity Monitoring can fit into your compliance strategy. We recommend getting a Demo of CimTrak so you can see exactly how it accomplishes critical elements of the PCI DSS Compliance Standards.