PCI Compliance with Netwrix Auditor

Integrated PCI DSS compliance solution for companies that accept credit cards

Any organization that accepts credit, debit or prepaid cards as payment over the internet, by telephone or at terminals, stores card data, or processes card transactions is responsible for being PCI compliant. Failure to comply with PCI may result in fines, loss of reputation and the inability to accept major credit cards.

The PCI SSC (Security Standards Council) requirements include three major components:

  • PCI Data Security Standard (DSS) - covers the technical and operational system components included in or connected to cardholder data; this is the core standard of PCI compliance.
  • PIN Transaction Security (PTS) Requirements - the PCI PTS (formerly PCI PED) is a set of security requirements focused on the characteristics and management of devices used to protect cardholder PINs and in other payment-processing-related activities.
  • Payment Application Data Security Standard (PA-DSS) - the PA-DSS is for software developers and integrators of payment applications that store, process or transmit cardholder data as part of authorization or settlement, when these applications are sold, distributed or licensed to third parties.

Of all the PCI standards, Netwrix primarily focuses on the PCI DSS; however, our products can assist with the implementation of the other PCI standards as well.

PCI DSS Requirements:

Netwrix provides minimal or zero assistance:

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Requirement 9: Restrict physical access to cardholder data

Netwrix helps indirectly:

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Requirement 11: Regularly test security systems and processes
Requirement 12: Maintain a policy that addresses information security for all personnel

Netwrix is designed to help:

Requirement 3: Protect stored cardholder data
Requirement 6: Develop and maintain secure systems and applications
Requirement 7: Restrict access to cardholder data by business need to know
Requirement 8: Identify and authenticate access to system components
Requirement 10: Track and monitor all access to network resources and cardholder data

Please note that the suggested mechanisms to support PCI compliance efforts may vary between organizations depending on their system configuration, internal procedures, nature of business, and other factors. The capabilities of the Netwrix platform, administrative efforts, and physical security should supplement each other within the organization in order to ensure continuous compliance with the PCI requirements.

The following table summarizes the relevant requirements of PCI DSS v3.0 and provides guidelines for using Netwrix products to help organizations achieve and maintain PCI compliance.

A more detailed reference guide is available here: PCI Compliance with Netwrix

PCI DSS Requirement | Netwrix Provides

Requirement 3: Protect stored cardholder data
3.1 Keep cardholder data storage to a minimum by implementing data-retention and disposal policies, procedures and processes.
    Netwrix provides: Auditing of designated locations in file servers, SQL databases and SharePoint data structures for data deletions.
3.2 Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process.

Requirement 6: Develop and maintain secure systems and applications
6.4.1 Separate development/test environments from production environments, and enforce the separation with access controls.
    Netwrix provides: Auditing of all access rights changes and of the activities of users with development/test access rights, across the entire infrastructure.

Requirement 7: Restrict access to cardholder data by business need to know
7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.
    Netwrix provides: Auditing of user access rights, files, folders and their permissions across the entire IT infrastructure for early detection of unauthorized changes to security settings (e.g. granting of new permissions, elevation of privileges, etc.) to ensure PCI compliance.
7.2 Establish an access control system for system components that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed.

Requirement 8: Identify and authenticate access to system components
8.1.1 Assign all users a unique ID before allowing them to access system components or cardholder data.
    Netwrix provides: Complete auditing of user accounts and logons to analyze violations and prevent usage of the same ID by multiple persons (e.g. from different computers).
8.1.2 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.
    Netwrix provides: Full auditing of user account creations, deletions, password resets, and modifications to all user account attributes in Active Directory, SQL Server and Windows Server.
8.1.3 Immediately revoke access for any terminated users.
    Netwrix provides: Auditing of disabled accounts and automated de-provisioning of inactive user accounts.
8.1.4 Remove/disable inactive user accounts at least every 90 days.
    Netwrix provides: Automated disabling and removal with full reporting.
8.1.5 Manage IDs used by vendors to access, support, or maintain system components via remote access.
    Netwrix provides: Support for PCI compliance by auditing user access and all operations with accounts (creation, enabling, disabling, and deletion) in order to establish and maintain control over the system components that allow remote access.
8.1.6 Limit repeated access attempts by locking out the user ID after not more than six attempts.
    Netwrix provides: Auditing of account lockout policy changes to prevent non-compliant policy changes.
8.1.7 Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID.
8.2.2 Verify user identity before modifying any authentication credential, for example when performing password resets, provisioning new tokens, or generating new keys.
    Netwrix provides: A challenge-response system based on highly configurable password, question and authentication policies, with alerts, notifications and an optional web interface for users, administrators and help-desk staff.
8.2.3 Passwords/passphrases must meet the following:
    • Require a minimum length of at least seven characters.
    • Contain both numeric and alphabetic characters.
    Netwrix provides: Complementary to the auditing of the built-in password complexity requirements in Active Directory, Netwrix Password Manager minimizes the administrative burden with additional features and its ease of use.
8.2.4 Change user passwords/passphrases at least every 90 days.
    Netwrix provides: Auditing of Active Directory account policy states and changes to ensure that the requirements of PCI compliance are met.
8.2.5 Do not allow an individual to submit a new password/passphrase that is the same as any of the last four passwords/passphrases he or she has used.
    Netwrix provides: Auditing of the built-in password policy in Active Directory, extended by Password Manager, which allows configuring a questions policy (e.g. the number of required correct answers).
8.2.6 Set passwords/passphrases for first-time use and upon reset to a unique value for each user, and change immediately after the first use.
    Netwrix provides: Auditing of all newly created user accounts, logons and password changes to prevent violations.
8.4 Document and communicate authentication procedures and policies to all users.
    Netwrix provides: Automatic customizable reminders for expiring passwords, and redirection to the password requirements document if a user enters a "weak" password during reset.
8.5 Do not use group, shared, or generic IDs, passwords, or other authentication methods.
    Netwrix provides: Auditing of actions done under a shared account (e.g. same user, different workstations) to help eliminate its usage.

Requirement 10: Track and monitor all access to network resources and cardholder data
10.1 Implement audit trails to link all access to system components to each individual user.
    Netwrix provides: Fully featured auditing and reporting of all user activities, including access to sensitive files, across the entire IT infrastructure; recording who changed what, when, and where helps to achieve and sustain PCI compliance.
10.2.1 All individual user accesses to cardholder data.
10.2.2 All actions taken by any individual with root or administrative privileges.
    Netwrix provides: Auditing of the membership status of built-in administrative groups and of all activities by users with administrative rights.
10.2.3 Access to all audit trails.
    Netwrix provides: All interactive user activity on critical systems (e.g. SQL servers, the Netwrix Auditor platform, etc.) can be recorded, indexed, archived and made readily available for review.
10.2.4 Invalid logical access attempts.
    Netwrix provides: Auditing of failed logon attempts.
10.2.5 Use of and changes to identification and authentication mechanisms (including but not limited to creation of new accounts and elevation of privileges) and all changes, additions, or deletions to accounts with root or administrative privileges.
    Netwrix provides: Auditing of all user logons, activities and changes to account policies, and of modifications to user accounts including elevation of privileges.
10.2.6 Initialization, stopping, or pausing of the audit logs.
    Netwrix provides: Monitoring of changes to auditing policies on critical systems within the PCI compliance scope, and additionally recording of all interactive user activities.
10.2.7 Creation and deletion of system-level objects.
    Netwrix provides: Auditing of all modifications to critical files, database tables, AD objects, registry keys, etc.
10.3 Record at least the following audit trail entries for all system components for each event: user identification; type of event; date and time; success or failure indication; origination of event.
    Netwrix provides: Full information on every change (who changed what, when and where) across the entire IT infrastructure.
10.5 Secure audit trails so they cannot be altered.
    Netwrix provides: Securable file-based storage with optional SQL Server storage; granular access permissions to all reports; centralized collection, archiving, and consolidation of event logs to secure file-based storage.
10.6 Review logs and security events for all system components to identify anomalies or suspicious activity.
    Netwrix provides: Fully featured reporting functionality with real-time alerts, predefined reports and the ability to apply customized filters and analyze data for PCI compliance violations; out-of-the-box reports scheduled daily and sent via e-mail for review.
10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis.
    Netwrix provides: Unlimited storage capabilities with efficient storage use to store 10 years and more of past audit trails and the history of changes to system components and security settings; full-featured reporting for immediate access to all required data.
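The Requirement 8 and 10 rows above describe checks an auditor runs over the logon trail: every record must carry the five fields listed in 10.3, a user ID must not accumulate more than six failed attempts without the 8.1.6 lockout intervening, and one ID must not be used from different workstations (8.1.1, 8.5). The script below is an added example, not Netwrix code; it runs those three checks over a constructed sample trail, and the 15-minute window for the shared-ID heuristic is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail (not real data). Each record carries the five fields
# PCI DSS 10.3 requires: user ID, event type, date/time, success or failure, origin.
SAMPLE_EVENTS = [
    {"user": "jsmith", "event": "logon", "time": "2024-03-01T08:00:00", "result": "success", "origin": "WS-101"},
    {"user": "jsmith", "event": "logon", "time": "2024-03-01T08:03:00", "result": "success", "origin": "WS-207"},
    {"user": "rchen", "event": "logon", "time": "2024-03-01T08:10:00", "result": "failure", "origin": "WS-118"},
    {"user": "rchen", "event": "logon", "time": "2024-03-01T08:12:00", "result": "success", "origin": "WS-118"},
    {"user": "admin", "event": "logon", "time": "2024-03-01T09:00:00", "result": "success", "origin": ""},
] + [  # seven consecutive failures for one ID: the 8.1.6 lockout should have stopped it at six
    {"user": "mlee", "event": "logon", "time": f"2024-03-01T10:0{i}:00", "result": "failure", "origin": "WS-150"}
    for i in range(7)
]

REQUIRED_FIELDS = ("user", "event", "time", "result", "origin")  # PCI DSS 10.3
MAX_FAILED_ATTEMPTS = 6                                           # PCI DSS 8.1.6
SHARED_ID_WINDOW = timedelta(minutes=15)  # assumed window for the 8.5 shared-ID heuristic


def missing_fields(events=SAMPLE_EVENTS):
    """10.3: indices of records that lack any of the five required audit-trail fields."""
    return [i for i, e in enumerate(events) if any(not e.get(f) for f in REQUIRED_FIELDS)]


def excessive_failures(events=SAMPLE_EVENTS, limit=MAX_FAILED_ATTEMPTS):
    """8.1.6/10.2.4: user IDs with more than `limit` consecutive failed logons (a success resets)."""
    streak, flagged = defaultdict(int), set()
    for e in sorted(events, key=lambda e: e["time"]):  # ISO timestamps sort lexicographically
        if e["result"] == "success":
            streak[e["user"]] = 0
        elif e["result"] == "failure":
            streak[e["user"]] += 1
            if streak[e["user"]] > limit:
                flagged.add(e["user"])
    return sorted(flagged)


def shared_id_use(events=SAMPLE_EVENTS, window=SHARED_ID_WINDOW):
    """8.1.1/8.5: user IDs that logged on successfully from different origins within `window`."""
    by_user, flagged = defaultdict(list), {}
    for e in events:
        if e["result"] == "success" and e["origin"]:
            by_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["origin"]))
    for user, logons in by_user.items():
        logons.sort()
        for (t1, o1), (t2, o2) in zip(logons, logons[1:]):
            if o1 != o2 and t2 - t1 <= window:
                flagged.setdefault(user, set()).update((o1, o2))
    return {u: sorted(o) for u, o in flagged.items()}
```

On the sample trail the checks report the record with an empty origin, mlee's seven unbroken failures, and jsmith's two workstations three minutes apart; rchen's single failure followed by a success is not flagged.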

See how Netwrix Auditor helps meet the requirements of other regulations, such as HIPAA, SOX, FISMA and GLBA.

Disclaimer: This information is not intended to provide legal advice or substitute for the advice of an attorney.