Ensuring Patch Manager Plus Compliance to Payment Card Industry (PCI) Data Security Standard

The Payment Card Industry Data Security Standard (PCI DSS) was developed to enhance cardholder data security. It facilitates the adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers. It also applies to entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).

Under the PCI DSS, there are 12 different requirements concerning the security of cardholder data. All businesses that accept, store, process, or transmit card information online or offline must adhere to these requirements. Please refer to the following summary.

PCI DSS Overview

Requirement | Requirement Description
Build and Maintain Secure Network and Systems
  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public network
Maintain a Vulnerability Management Program
  • Protect all systems against malware and regularly update anti-virus software or programs
  • Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  • Restrict access to cardholder data by business need to know
  • Identify and authenticate access to system components
  • Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
Maintain an Information Security Policy
  • Maintain a policy that addresses information security for all personnel

PCI DSS 4.0 Requirements met by Patch Manager Plus

Let us see how enterprises can use ManageEngine Patch Manager Plus, an all-round patch management solution, to comply with PCI DSS requirements. This document will help IT teams gain an understanding of ManageEngine's Patch Manager Plus and how it can help them meet PCI DSS requirements.

The following table outlines the PCI DSS control requirements that are fulfilled by Patch Manager Plus. The requirements listed below have been sourced from the PCI Security Standards Council website.

Requirement | Requirement Description | How does Patch Manager Plus fulfil the requirement?
1.5.1

Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks (including the Internet) and the CDE as follows:

  • Specific configuration settings are defined to prevent threats from being introduced into the entity's network.
  • Security controls are actively running.
  • Security controls are not alterable by users of the computing devices unless specifically documented and authorized by management on a case-by-case basis for a limited period.
Patch Manager Plus scans the endpoints in the network regularly for software vulnerabilities and zero-days and deploys patches to mitigate them.

Refer to:

Patch Scanning

2.2.1

Configuration standards are developed, implemented, and maintained to:

  • Cover all system components.
  • Address all known security vulnerabilities.
  • Be consistent with industry-accepted system hardening standards or vendor hardening recommendations.
  • Be updated as new vulnerability issues are identified, as defined in Requirement 6.3.1.
  • Be applied when new systems are configured and verified as in place before or immediately after a system component is connected to a production environment.

Patch Manager Plus lets you identify vulnerable attack surfaces in the network and can accordingly apply the required patches in the agent-installed systems to mitigate them.

The patching process can be scheduled by the admin based on the severity of the vulnerability detected.

Refer to:

Automated Patch Management

5.2.3

Any system components that are not at risk for malware are evaluated periodically to include the following:

  • A documented list of all system components not at risk for malware.
  • Identification and evaluation of evolving malware threats for those system components.
  • Confirmation whether such system components continue to not require anti-malware protection.

Using Patch Manager Plus, periodic vulnerability scans can be performed either automatically, by scheduling them, or manually.

This helps in the instant detection of vulnerabilities present in the network.

5.3.2

The anti-malware solution(s):

  • Performs periodic scans and active or real-time scans.

    or
  • Performs continuous behavioral analysis of systems or processes.

Patch Manager Plus allows periodic patch scans to be carried out in the network, to determine the vulnerable systems/applications.

The latest status of the scan and the patch reports can be accessed from the console of Patch Manager Plus.

6.3.1

Security vulnerabilities are identified and managed as follows:

  • New security vulnerabilities are identified using industry-recognized sources for security vulnerability information, including alerts from International and National Computer Emergency Response Teams (CERTs).
  • Vulnerabilities are assigned a risk ranking based on industry best practices and consideration of potential impact.
  • Risk rankings identify, at a minimum, all vulnerabilities considered to be high-risk or critical to the environment.
  • Vulnerabilities for bespoke and custom, and third-party software (for example operating systems and databases) are covered.

Patch Manager Plus identifies the security vulnerabilities in the network and lists them in the priority order in which they should be addressed.

The severity of each identified vulnerability is calculated from its CVSS 2.0 and CVSS 3.0 scores.

Remediation for the vulnerabilities can then be triggered from the product console accordingly.

Refer to:

System Health Policy

6.3.3

All system components are protected from known vulnerabilities by installing applicable security patches/updates as follows:

  • Critical or high-security patches/updates (identified according to the risk ranking process at Requirement 6.3.1) are installed within one month of release.
  • All other applicable security patches/updates are installed within an appropriate time frame as determined by the entity (for example, within three months of release).

Using its vulnerability assessment and remediation capabilities, Patch Manager Plus ensures that all systems in the network are fully secured against critical vulnerabilities.

The Automated Patch Deployment (APD) functionality lets sysadmins deploy any missing patches automatically, with zero manual intervention.

In addition, patches can also be deployed to the systems manually.

Refer to:

11.3.1

Internal vulnerability scans are performed as follows:

  • At least once every three months.
  • High-risk and critical vulnerabilities (per the entity’s vulnerability risk rankings defined at Requirement 6.3.1) are resolved.
  • Rescans are performed that confirm all high-risk and critical vulnerabilities (as noted above) have been resolved.
  • Scan tool is kept up to date with the latest vulnerability information.
  • Scans are performed by qualified personnel and organizational independence of the tester exists.

Patch Manager Plus detects vulnerabilities and remediates them with an in-built patching mechanism. It also helps in performing risk-based assessments of vulnerabilities to prioritize and eliminate threats.

In addition, Patch Manager Plus can also be integrated with third-party vulnerability scanners such as Tenable.

Refer to:
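The two requirements above reduce to a date calculation: rank each missing patch (6.3.1), compare its age against the remediation window for that rank (6.3.3), and confirm that an internal scan has run within the last three months (11.3.1). The following checker is an added illustration of that calculation, not Patch Manager Plus code; it assumes the CVSS v3.x qualitative severity bands for the risk ranking, 30 days for "one month" and 90 days for "three months", and a constructed inventory whose hostnames and patch ids are placeholders.

```python
"""PCI DSS 6.3.1 / 6.3.3 / 11.3.1 patch-SLA checker (added example, not vendor code)."""
from dataclasses import dataclass
from datetime import date, timedelta


def risk_rank(cvss: float) -> str:
    """Assumed ranking: CVSS v3.x qualitative severity bands (6.3.1)."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    if cvss > 0.0:
        return "low"
    return "none"


# Assumed remediation windows (6.3.3): one month for critical/high,
# and the requirement's own example of three months for everything else.
SLA_DAYS = {"critical": 30, "high": 30, "medium": 90, "low": 90, "none": 90}


@dataclass(frozen=True)
class MissingPatch:
    host: str
    patch_id: str      # vendor/KB identifier (placeholders in the sample below)
    cvss: float
    released: date     # vendor release date of the fix


@dataclass(frozen=True)
class Finding:
    host: str
    patch_id: str
    rank: str
    due: date
    days_overdue: int


def overdue_patches(inventory, today: date):
    """Return a Finding for each missing patch past its 6.3.3 deadline, most overdue first."""
    findings = []
    for p in inventory:
        rank = risk_rank(p.cvss)
        due = p.released + timedelta(days=SLA_DAYS[rank])
        if today > due:
            findings.append(Finding(p.host, p.patch_id, rank, due, (today - due).days))
    return sorted(findings, key=lambda f: f.days_overdue, reverse=True)


def scan_cadence_ok(last_scan: date, today: date, max_days: int = 90) -> bool:
    """11.3.1: an internal vulnerability scan at least once every three months (assumed 90 days)."""
    return (today - last_scan).days <= max_days


# Constructed sample data; hostnames, patch ids and dates are placeholders.
TODAY = date(2024, 2, 27)
SAMPLE_LAST_SCAN = date(2023, 11, 15)   # 104 days before TODAY: cadence breached
SAMPLE_INVENTORY = [
    MissingPatch("pos-01", "PATCH-A", 9.8, date(2024, 1, 10)),  # critical, 48 days old
    MissingPatch("pos-02", "PATCH-B", 7.5, date(2024, 2, 5)),   # high, 22 days old
    MissingPatch("db-01", "PATCH-C", 5.3, date(2023, 11, 1)),   # medium, 118 days old
    MissingPatch("web-01", "PATCH-D", 3.1, date(2024, 1, 20)),  # low, 38 days old
]

if __name__ == "__main__":
    for f in overdue_patches(SAMPLE_INVENTORY, TODAY):
        print(f"{f.host} {f.patch_id} [{f.rank}] due {f.due}, overdue by {f.days_overdue} days")
    print("scan cadence ok:", scan_cadence_ok(SAMPLE_LAST_SCAN, TODAY))
```

On the sample data the medium-severity patch on db-01 and the critical patch on pos-01 are reported as overdue, while the 22-day-old high-severity patch is still inside its window; the scan-cadence check fails because the last scan is older than 90 days. A product's own risk ranking or the entity's documented windows can be substituted for the assumed constants without changing the logic.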

12.3.4

Hardware and software technologies in use are reviewed at least once every 12 months, including at least the following:

  • Analysis that the technologies continue to receive security fixes from vendors promptly.
  • Analysis that the technologies continue to support (and do not preclude) the entity’s PCI DSS compliance.
  • Documentation of any industry announcements or trends related to a technology, such as when a vendor has announced “end of life” plans for a technology.
  • Documentation of a plan, approved by senior management, to remediate outdated technologies, including those for which vendors have announced “end of life” plans.

Patch Manager Plus constantly monitors the network for end-of-life (EOL) software and can also apply security fixes (patches) for it when necessary.

Refer to:

Upgrade Windows 10 End of Life versions (EOL)

The essence of PCI DSS compliance is that vendors must demonstrate stringent security measures for the systems and processes that protect cardholder information. Failing to follow the PCI DSS requirements has several consequences: if a data breach were to affect any customer's payment card data, the brand and reputation of the business might suffer and the business might have to pay heavy penalties.

Patch Manager Plus helps businesses stay compliant with PCI DSS. It facilitates patching and securing systems along with granular level reporting.