By providing visibility and control of corporate access and data, IS Decisions software solutions help companies ensure compliance with the Payment Card Industry (PCI) Data Security Standard (DSS).
In this article we’ll focus on the stronger access control, enhanced monitoring and detailed reporting that are needed for PCI DSS compliance.
PCI DSS compliance requirements
Simply put, PCI DSS follows common sense steps that mirror best security practices. It applies to all entities that store, process, and/or transmit cardholder data.
A quick guide to the PCI Security Standards can be found here: https://www.pcisecuritystandards.org/documents/pci_ssc_quick_guide.pdf
Implementing Strong Access Control Measures
PCI Requirement 7: Restrict access to cardholder data by business need-to-know
“To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need-to-know and according to job responsibilities”.
Restricting Access is therefore crucial!
- Restrict access to cardholder data environments by employing access controls such as RBAC (Role-Based Access Control).
- Limit access to only those individuals whose job requires such access.
- Formalize an access control policy that includes a list of who gets access to specified cardholder data.
- Deny all access to anyone who is not specifically allowed to access cardholder data.
With UserLock (security for network access) and FileAudit (security for file access) you can instantly identify and remediate any access attempts that are not in line with your security and compliance policies.
UserLock protects a Windows-based network and all of the data it contains by restricting and controlling access through user logons according to customized user access policies. Working in an innovative interface, you simply specify rules according to user, user group or organizational unit and session type, and rely on UserLock to automatically control the ‘when’, ‘where’ and ‘how long’ of your users’ access to resources on your network.
FileAudit protects all file servers in a Windows environment by monitoring, archiving and reporting on all file access (and access attempts) to all files and folders. By constantly examining and recording read/write/delete access (or access attempts), file ownership changes and permission modifications, IT can immediately address any inappropriate access.
Give Every User a Unique ID
PCI Requirement 8: Assign a unique ID to each person with computer access
“Assigning a unique identification to each person with access ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users.”
Logins are the first line of defense in protecting data on a Windows network. By preventing concurrent logins, we can ensure access is attributed to an individual employee. Preventing concurrent logins also makes it impossible for a rogue user to use valid credentials at the same time as the legitimate owner and also decreases the likelihood of users sharing passwords as it impacts their own ability to access the network.
Concurrent logins can only be prevented securely with UserLock, ensuring you can identify all users connected to your network environment and deny rogue users who attempt to access the network using shared passwords.
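The attribution problem described above can be checked against a logon audit trail. The following is an added example, not IS Decisions' code or a UserLock feature: it walks constructed Windows Security log lines (Event ID 4624 = successful logon, 4634 = logoff), tracks which workstations each account is currently signed in from, and flags any account that exceeds the allowed number of simultaneous sessions. The log line layout and account names are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample log lines (not real data). Fields: timestamp, Event ID, account, workstation.
SAMPLE_LOG = """\
2024-03-01T08:00:00 4624 jdoe WS-101
2024-03-01T08:05:00 4624 asmith WS-202
2024-03-01T08:10:00 4624 jdoe WS-305
2024-03-01T08:30:00 4634 jdoe WS-101
2024-03-01T09:00:00 4634 asmith WS-202
2024-03-01T09:05:00 4624 asmith WS-203
2024-03-01T09:06:00 4634 bwu WS-400
"""

LOGON, LOGOFF = "4624", "4634"


def parse_events(text):
    """Turn whitespace-separated log lines into (timestamp, event_id, user, host) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the audit
        events.append(tuple(parts))
    return events


def find_concurrent_logons(events, max_sessions=1):
    """Replay events in time order and report each moment an account holds
    more than max_sessions distinct active workstation sessions.
    Returns a list of (timestamp, user, sorted active hosts)."""
    active = defaultdict(set)  # user -> set of hosts with an open session
    findings = []
    for ts, event_id, user, host in sorted(events):  # ISO timestamps sort lexically
        if event_id == LOGON:
            active[user].add(host)
            if len(active[user]) > max_sessions:
                findings.append((ts, user, tuple(sorted(active[user]))))
        elif event_id == LOGOFF:
            active[user].discard(host)  # tolerates a logoff with no recorded logon
    return findings


def still_active(events):
    """Accounts with sessions still open at the end of the log, for a visibility report."""
    active = defaultdict(set)
    for _, event_id, user, host in sorted(events):
        if event_id == LOGON:
            active[user].add(host)
        elif event_id == LOGOFF:
            active[user].discard(host)
    return {u: sorted(h) for u, h in active.items() if h}
```

In the sample, jdoe is flagged at 08:10 for holding sessions on WS-101 and WS-305 at once, while asmith's back-to-back logons on different hosts are sequential and pass.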
Regularly Monitor and Test Networks
PCI Requirement 10: Track and Monitor all access to network resources and cardholder data
“Organizations must track and monitor all access to cardholder data and related network resources – in stores, regional offices, headquarters and other remote access.”
Both UserLock and FileAudit offer extensive reporting to help your company show proof of compliance during regulatory audits.
Having set and implemented your access control policy to restrict and manage users’ access to the network, UserLock continuously monitors all login and session events, and reports on network access in real time with detailed, graphical dashboards and alerts. Authorized users across the network are tracked according to session type (workstation, terminal, interactive, Wi-Fi, VPN) to ensure the whole network is protected and visibility is achieved.
Customized reports according to multiple criteria ensure security for auditing and regulatory compliance. By centralizing and archiving all file access events occurring on one or several Windows systems, FileAudit ensures an always-available, searchable and secure audit trail.
More on PCI Compliance
A great resource for IT Pros to learn more from discussions related to PCI Compliance is this community on Spiceworks: http://community.spiceworks.com/security/pci-compliance
Want to trial UserLock and FileAudit? A free, fully functional 30-day trial is available here.
Keep up to date with all our news and how IS Decisions Security software can help you ensure regulatory compliance and safeguard your Windows Infrastructure by following us on LinkedIn.