What is PCI-DSS? It stands for Payment Card Industry Data Security Standard. PCI-DSS applies to every business that accepts credit card information, or stores credit card information or any information about the cardholder. Yes, even Mom and Pop operations fall under PCI-DSS regulations.
It is good to know that there are 4 different levels that can apply to you. Almost everyone starts off at level 4 if you process fewer than 20,000 transactions per year. The more transactions your company does, the higher your level will rise. At a bare minimum, as a level 4 merchant or company, you must complete a Self-Assessment Questionnaire, and may have to pass a scan of your network by an A.S.V. (Approved Scanning Vendor).
There are 12 different requirements you need to be aware of:
1: You must install and maintain a firewall to protect cardholder data
2: Do not use vendor provided defaults for system passwords
3: Use and regularly update antivirus software
4: Encrypt transmission of cardholder data across open public networks
5: Protect stored cardholder data
6: Develop and maintain secure systems
7: Restrict access to cardholder data on a need to know basis
8: Assign a unique ID to each person with computer access
9: Restrict physical access to cardholder data
10: Regular testing of security systems and processes
11: Track and monitor all access to network resources and cardholder data
12: Maintain an information security policy for employees and contractors
It’s good to understand that there is not one single piece of software or hardware that you can purchase that will do each and every one of these things. The best way to think of securing your network is using a layered approach: a combination of powerful software tools with rich functionality and strong reporting capabilities.
When working with many of my clients who happen to be in the financial services sector, I like to focus on Event Log Management. These logs can be generated by Windows Servers, Windows workstations, W3C logs from Windows-based web servers, and Syslogs from devices such as routers, firewalls and other devices.
As an example, whenever users log in to a network, access files, or use applications, certain Windows events are recorded. However, Windows also logs normal behavior from its normal processes. These logs can contain millions of entries and become impossibly huge. Searching and filtering on these events is a mind-boggling task for any sysadmin. Furthermore, no warnings are sent to the sysadmin for certain events, such as account lockouts.
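The filtering and alerting problem described above, shown as an added example that is not from this article or from any product it mentions. The event IDs are the standard Windows Security log IDs; the sample records, the `find_alerts` name, and the 3-failures-in-5-minutes threshold are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Standard Windows Security log event IDs (not taken from the article).
FAILED_LOGON, LOCKOUT = 4625, 4740
ACCOUNT_CHANGES = {4720: "ACCOUNT CREATED", 4725: "ACCOUNT DISABLED",
                   4726: "ACCOUNT DELETED"}

# Constructed sample records: (timestamp, event ID, account, source host).
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:01", 4624, "alice", "WS-01"),       # normal logon (noise)
    ("2024-03-01T09:00:05", 4688, "svc_backup", "SRV-02"), # process start (noise)
    ("2024-03-01T09:01:10", 4625, "bob", "WS-07"),
    ("2024-03-01T09:01:40", 4625, "bob", "WS-07"),
    ("2024-03-01T09:02:05", 4625, "bob", "WS-07"),
    ("2024-03-01T09:02:06", 4740, "bob", "DC-01"),
    ("2024-03-01T09:10:00", 4625, "carol", "WS-03"),       # isolated typo
    ("2024-03-01T09:30:00", 4725, "dave", "DC-01"),
    ("2024-03-01T09:45:00", 4625, "carol", "WS-03"),       # outside the window
]

def find_alerts(events, max_failures=3, window=timedelta(minutes=5)):
    """Return alert lines for lockouts, account changes and failed-logon bursts."""
    alerts = []
    recent = defaultdict(deque)  # account -> times of recent failed logons
    for ts, event_id, account, host in sorted(events):
        if event_id == LOCKOUT:
            alerts.append(f"{ts} LOCKOUT {account} (reported by {host})")
        elif event_id in ACCOUNT_CHANGES:
            alerts.append(f"{ts} {ACCOUNT_CHANGES[event_id]} {account}")
        elif event_id == FAILED_LOGON:
            when = datetime.fromisoformat(ts)
            failures = recent[account]
            failures.append(when)
            # Drop failures that fell out of the sliding window.
            while when - failures[0] > window:
                failures.popleft()
            if len(failures) >= max_failures:
                alerts.append(f"{ts} FAILED-LOGON BURST {account} "
                              f"({len(failures)} failures from {host})")
                failures.clear()  # start counting again after alerting
        # Every other event ID is routine activity and is ignored.
    return alerts

if __name__ == "__main__":
    for line in find_alerts(SAMPLE_EVENTS):
        print(line)
```

Of the nine constructed records, only three produce alerts; the two isolated failures for `carol` are 35 minutes apart and stay below the threshold.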
When dealing with PCI-DSS problems my clients face
At my business, FrugalBrothers, I work with banks and credit unions every day to help them protect the customer information as well as pass audits, including PCI-DSS. Because I work with so many such organizations, there are several tools that I resell that I know and trust.
One of the tools that we recommended to our clients is EventsManager. With this tool, you can do the following:
– Monitor changes in network configuration
– Scan antivirus software logs
– Monitor changes to user accounts and groups, and security rights
– Monitor account management events
– Monitor user account disabled and user account removed
– Monitor user account activity
– Monitor and alert on failed logins
– Monitor and Audit SQL Server database access and usage
– Alert and report on events relating to the administrator
– Monitor events based on “out of sync” errors
Having over 8 years of experience with this one tool alone has given me the ability to help my clients save valuable time and enjoy a considerable R.O.I. on their investment.
If you would like to discuss PCI-DSS concerns you have, please email me at bruce.naylor@frugalbrothers.com