The Payment Card Industry Data Security Standard, or PCI DSS, is still confusing for card payment merchants in 2010.
A recent survey of PCI DSS knowledge and understanding revealed the following:
• 35% of retail/hospitality/entertainment organisations surveyed still do not understand the compliance requirements
• Whilst there is a strong understanding within Tier 1 merchants (over 6 million transactions per year), 44% of Tier 2 and Tier 3 merchants do not understand the PCI DSS requirements
• 90% are either still working on implementing the PCI DSS compliance measures identified in pre-audit surveys, are not compliant and doing nothing about it, or are leaving it to the last minute
What do you need to do as the IT service provider to your organisation?
A number of automated 'compliance auditing' solutions for PCI DSS are available. They typically provide the following functions:
Compliance Auditing (the check that drives Device Hardening) - typically, 'out of the box' PCI DSS reports as well as 'made to order' reports allow you to quickly test critical security settings on Windows servers and desktops, Unix servers, Linux servers and network devices, including wireless devices and firewalls. The best solutions will also report on your administrative procedures, technical data security services and technical security mechanisms. These reports will usually identify some security weaknesses in the configuration settings to begin with. Once those are repaired, you can generate the reports again to prove to auditors that your servers are compliant, and use the inbuilt change tracking to ensure systems remain so.
Change Tracking - once your firewalls, servers, workstations, switches, routers etc. are all in a compliant state for PCI DSS you need to ensure they remain so. The only way to do this is to routinely verify that the configuration settings have not changed, because unplanned, undocumented changes will always be made while somebody has the admin rights to make them. The PCI DSS compliance software solution will alert when any unplanned change is detected: on server software using file-integrity monitoring, on firewalls and intrusion prevention systems, and on any other network device within your 'Compliant Infrastructure'.
Planned Change Audit Trail - when changes do need to be made to a PCI DSS server, firewall or network device, you need to ensure that the changes are approved and documented. An automated software solution for PCI DSS makes this straightforward by reconciling every detected change with its RFC or Change Approval record; a change with no matching record is, by definition, unplanned.
Device Hardening must be enforced and audited. A good PCI DSS compliance auditing solution will provide automated templates for a hardened (secured & compliant) configuration for servers and desktops and network devices to show where work is needed to get compliant, and thereafter, will track all planned and unplanned changes that affect the hardened status of your infrastructure. The state of the art in compliance auditing software covers registry keys and values, file integrity monitoring, host integrity monitoring, service and process whitelisting/blacklisting, user accounts, installed software, patches, access rights, password ageing and much more.
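The three steps above (baseline the hardened state, detect drift with file-integrity monitoring, reconcile each change against an approved RFC) are shown below as an added example written for this page; it is not code from any product the article describes. The directory tree, file contents and RFC records are constructed for the illustration, the RFC format (an approval flag, a change window and a list of path globs) is an assumption, and real deployments would store the baseline and RFC data in a repository the monitored host cannot tamper with.

```python
"""Added example: file-integrity baseline, drift detection and reconciliation
against approved change records (RFCs). Not from any product on the page."""
import fnmatch
import hashlib
import os
import tempfile
from datetime import datetime


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record hash and permission bits for every regular file under root.
    Keys are forward-slash relative paths so baselines compare across platforms."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            mode = os.stat(full).st_mode & 0o7777
            baseline[rel] = {"sha256": hash_file(full), "mode": oct(mode)}
    return baseline


def detect_changes(old, new):
    """Compare two baselines; returns sorted (path, kind) with kind in
    added / removed / modified / mode. Permission-only changes matter for
    hardening even when content is unchanged."""
    changes = []
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            changes.append((rel, "added"))
        elif rel not in new:
            changes.append((rel, "removed"))
        elif old[rel]["sha256"] != new[rel]["sha256"]:
            changes.append((rel, "modified"))
        elif old[rel]["mode"] != new[rel]["mode"]:
            changes.append((rel, "mode"))
    return changes


def reconcile(changes, scan_time, rfcs):
    """Split detected changes into planned (covered by an *approved* RFC whose
    window contains scan_time and whose scope matches the path) and unplanned.
    Unplanned changes are what the alerting in the text fires on."""
    planned, unplanned = [], []
    for rel, kind in changes:
        match = next(
            (r for r in rfcs
             if r["approved"] and r["start"] <= scan_time <= r["end"]
             and any(fnmatch.fnmatch(rel, g) for g in r["paths"])),
            None)
        if match:
            planned.append((rel, kind, match["id"]))
        else:
            unplanned.append((rel, kind))
    return planned, unplanned


def demo():
    """Constructed scenario (not real data): one approved change, one change
    with a rejected RFC, and one file that appeared with no record at all."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(text)

        write("etc/ssh/sshd_config", "PermitRootLogin no\n")
        write("etc/passwd", "root:x:0:0:root:/root:/bin/bash\n")
        write("bin/app", "#!/bin/sh\necho hello\n")
        before = build_baseline(root)

        write("etc/ssh/sshd_config", "PermitRootLogin no\nMaxAuthTries 3\n")   # planned
        write("etc/passwd", "root:x:0:0:root:/root:/bin/bash\nsvc:x:0:0::/:/bin/bash\n")  # RFC rejected
        write("etc/cron.d/nightly", "0 3 * * * root /opt/backup.sh\n")          # no RFC
        after = build_baseline(root)

        scan_time = datetime(2010, 6, 1, 2, 30)
        rfcs = [  # hypothetical change records
            {"id": "RFC-1042", "approved": True, "paths": ["etc/ssh/*"],
             "start": datetime(2010, 6, 1, 2, 0), "end": datetime(2010, 6, 1, 3, 0)},
            {"id": "RFC-1043", "approved": False, "paths": ["etc/passwd"],
             "start": datetime(2010, 6, 1, 2, 0), "end": datetime(2010, 6, 1, 3, 0)},
        ]
        return reconcile(detect_changes(before, after), scan_time, rfcs)


if __name__ == "__main__":
    planned, unplanned = demo()
    print("planned:", planned)
    print("UNPLANNED (alert):", unplanned)
```

Note that the rejected RFC-1043 does not excuse the /etc/passwd change: reconciliation must check the approval state, not merely the existence of a ticket, or the audit trail proves nothing. The scan time is passed in explicitly so that a scheduled scan can be replayed against the same RFC data during an audit.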
Audit Log Management - all audit and event logs from all Windows servers, Unix servers, Linux servers, firewalls and intrusion prevention devices must be analysed, filtered, correlated and escalated appropriately. Audit log and event log messages must be stored in a secure, integrity-assured repository for the required retention period, which for PCI DSS (Requirement 10.7) is at least 12 months, with the most recent three months immediately available for analysis.
Correlation of Security Information and Audit Logs - in addition you should implement audit log and event log gathering from all devices, with correlation capabilities for security event signature identification and powerful 'mining' and analysis capabilities. This provides a PCI DSS compliance safety net to confirm, for example, that virus definition updates complete successfully, host intrusion prevention is enabled at all times, firewall rules are not changed, user accounts, rights and permissions are not changed without approval, and patches are implemented.