The Payment Card Industry Data Security Standard (PCI DSS) applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers. It also applies to other entities that accept, store, or transmit payment card information, cardholder data, or sensitive authentication data.
ManageEngine DataSecurity Plus — our PCI compliance software — helps address the requirements of PCI DSS by:
And much more.
This table lists the various requirements of the PCI DSS that are addressed by DataSecurity Plus.
| What the PCI requirements are | What you should do | How DataSecurity Plus helps you |
| --- | --- | --- |
| Remove all unnecessary functions, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers. | Identify all system components, including scripts and file systems, and remove the ones that are not in use. | Locate unused files: Receive reports on files, scripts, batch files, and more that have not been accessed or modified for extended periods of time. These reports simplify redundant, outdated, and trivial (ROT) file management and reduce the number of vulnerable files with outdated permissions or data. |
| Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures, and processes that include at least the following for all cardholder data storage: | | PCI and cardholder data discovery: Use built-in data discovery rules to locate PCI and cardholder data stored by your organization. Create an inventory of what data is stored, where, by whom, and for how long, so that administrators can ensure that only necessary data is stored. |
| Do not store sensitive authentication data after authorization. Sensitive authentication data includes cardholder name, primary account number (PAN), card verification code, personal identification number (PIN), and more. It is permissible for issuers and companies that support issuing services to store sensitive authentication data if: | Examine data sources and verify that sensitive authentication data is not stored after authorization. | PCI data discovery: Implement effective data discovery with a combination of keyword matching and pattern matching; together, these locate card verification values (CVV), PINs, PANs, and other authentication data. Verify the context of each potential match to decide whether it is a true positive rather than a false positive. Automate the deletion or quarantining of detected card data, or limit its use by carrying out a customized action using scripts. |
| Restrict access to cryptographic keys to the fewest number of custodians necessary. | Examine the permissions associated with key files and ensure that access is restricted to the fewest number of custodians necessary. | NTFS and share permissions reporting: Receive detailed reports on the NTFS and share permissions of files and folders to know which user has what permission on them. |
| Limit access to system components and cardholder data to only those individuals whose job requires such access. 7.1.1 Define access needs for each role; 7.1.2 Restrict access to privileged user IDs; 7.1.3 Assign access based on individual personnel's job classification and function. Note: System components include network devices, servers, computing devices, and applications. | Verify that the privileges assigned to privileged and non-privileged users are: | NTFS permission reporting: List users who have access to files containing cardholder data, along with details of what actions each user can perform on them. Ensure the confidentiality of cardholder data by analyzing and reporting on effective permissions, and verify that users do not have more privileges than their role requires. |
| Immediately revoke access for any terminated users. | Ensure that users who have been terminated from your organization have been removed from file access lists. | Analyze file ownership: Identify orphaned files and files owned by stale, disabled, or inactive users to prevent malicious file change attempts by terminated employees. |
| Implement audit trails to link all access to system components to each individual user. | Generate audit logs that make it possible to trace suspicious activity back to a specific user. | Detailed audit trail: Track critical file accesses, web app usage, USB usage, printer usage, and more with a centralized access audit log. Root cause analysis: Use granular report filtering options to expedite root cause analysis and identify the extent of a breach. |
| Implement automated audit trails for all system components to reconstruct the following events: 10.2.1 All individual user accesses to cardholder data; 10.2.2 All actions taken by any individual with root or administrative privileges. | | File activity monitoring: Track all file and folder events (read, create, modify, overwrite, move, rename, delete, and permission change) in your PCI and cardholder data storage environment. Privileged user monitoring: List users with privileged access to sensitive files and customize reports to monitor all file changes made by them. |
| Record at least the following audit trail entries for each event: 10.3.1 User identification; 10.3.2 Type of event; 10.3.3 Date and time; 10.3.4 Success or failure indication; 10.3.5 Origination of event; 10.3.6 Identity or name of affected data. | Collect detailed logs on user activity in your CDE. | Real-time change auditing: Get complete information on every file access, including who attempted what change, in which file, when, from where, and whether it succeeded. |
| Secure audit trails so they cannot be altered. 10.5.5 Use file integrity monitoring or change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert). | Implement file integrity monitoring or change detection systems to check for changes to critical files, and send notifications when such changes are noted. | PCI file integrity monitoring: Audit every successful and failed file access attempt in real time, and maintain a detailed audit trail for analysis. |
| Review logs and security events for all system components to identify anomalies or suspicious activity. | Regular log reviews identify unauthorized access to the cardholder data environment so that it can be addressed proactively, and they reduce the time taken to detect a potential breach. | Scheduled delivery of PCI compliance reports: Deliver scheduled reports to stakeholders' mailboxes in PDF, HTML, CSV, or XLSX format. |
| Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from a backup). | It often takes a while to notice a compromise; retaining logs for at least a year ensures that investigators have enough log history to determine how long a potential breach lasted and what its impact was. | Long-term audit log retention: Retain audit data for long periods. You can also archive older logs and upload them at a later date to analyze file accesses. |
| Deploy a change detection mechanism (for example, file integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files, and configure the tool to perform critical file comparisons at least weekly. | | Audit changes made to application and OS-critical binaries, configuration files, application files, log files, and more. |
| For personnel accessing cardholder data via remote-access technologies, prohibit the copying, moving, and storing of cardholder data on local hard drives and removable electronic media, unless explicitly authorized for a defined business need. | Prohibit users from storing or copying cardholder data on their local personal computers or other media unless they have been explicitly authorized to do so. | File copy protection: Monitor file copy actions in real time and prevent the unwarranted transfer of critical data across local and network shares. Blocklist suspicious USB devices and prevent users from exfiltrating sensitive data. |
| Implement a data discovery methodology to confirm the scope of PCI DSS and to locate all sources and locations of clear-text PAN at least quarterly and upon significant changes to the cardholder environment or processes. A3.2.5.1 Data discovery methods must be able to discover clear-text PAN on all types of system components and file formats in use. Implement response procedures to be initiated upon the detection of clear-text PAN outside of the CDE to include: | | Schedule-based PCI data discovery: Identify and document PCI data (including clear-text PAN) across enterprise storage. |
| Implement mechanisms for detecting and preventing clear-text PAN from leaving the CDE via an unauthorized channel, method, or process, including generation of audit logs and alerts. Implement response procedures to be initiated upon the detection of attempts to remove clear-text PAN from the CDE via an unauthorized channel, method, or process. | Implement data loss prevention (DLP) solutions to detect and prevent leaks via emails, removable media, and printers. | Unified data loss prevention platform: Classify sensitive data and prevent its leakage via external storage devices, Outlook, and printers. Control peripheral device usage: Restrict the use of USB devices, wireless access points, and CD/DVD drives using central device control policies to protect against data exfiltration. Prevent data leaks via USBs: Block USB devices in response to anomalous data transfers and attempts to exfiltrate sensitive data. |
| Review user accounts and access privileges to in-scope system components at least every six months to ensure user accounts and access remain appropriate based on job function. PCI DSS reference: Requirement 7. | Review users' access privileges at least every six months and verify that they are appropriate for their job functions. | Security permission analysis: Track permission changes, list effective permissions, identify files that can be accessed by every employee, find users with Full Control privileges, and more to help ensure that the principle of least privilege is followed. These reports can be emailed on a set schedule to multiple stakeholders. |
| Implement a methodology for the timely identification of attack patterns and undesirable behavior across systems (for example, using coordinated manual reviews and/or centrally managed or automated log-correlation tools) to include at least the following: PCI DSS reference: Requirements 10, 12. | Set up a solution that can identify undesirable events, such as critical file changes and intrusions, and notify administrators instantly. | Identify user activity anomalies such as file accesses after business hours, an excessive number of failed access attempts, and more. Configure alerts for unwarranted changes in critical files, discovery of sensitive data outside the CDE, and more. Threat detection and response: Detect ransomware intrusions and execute scripts to quarantine infected machines and prevent the spread of malware. |
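The keyword-and-pattern PAN discovery described for requirement 3.2 and for the quarterly clear-text PAN discovery of A3.2.5 above, as an added example that is not DataSecurity Plus code: candidate numbers are found by pattern, filtered by the Luhn check, and graded by nearby context keywords. The sample lines, the keyword list and the confidence labels are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Context keywords (assumed list) that raise confidence when found near a candidate.
KEYWORDS = re.compile(r"\b(card|pan\b|visa|mastercard|amex|cvv|cvc|exp\w*)", re.I)
CONTEXT_WINDOW = 40  # characters inspected on each side of a candidate

def luhn_ok(digits: str) -> bool:
    """Luhn check: double every second digit from the right; the sum must be 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """PCI-style display: at most the first six and last four digits are shown."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

@dataclass
class Finding:
    line_no: int
    masked_pan: str      # the full PAN is never written into the report
    confidence: str      # "high" (keyword nearby) or "medium" (Luhn only)

def scan_text(text: str) -> list:
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if not luhn_ok(digits):
                continue  # fails Luhn: treat as an order or ticket number, not a PAN
            ctx = line[max(0, m.start() - CONTEXT_WINDOW): m.end() + CONTEXT_WINDOW]
            conf = "high" if KEYWORDS.search(ctx) else "medium"
            findings.append(Finding(line_no, mask_pan(digits), conf))
    return findings

# Constructed sample: a PAN with context, an order id that fails Luhn, a bare PAN, a phone number.
SAMPLE = """customer=J. Doe card=4111 1111 1111 1111 exp=12/27
order_id=1234567890123456 status=shipped
ref 5555555555554444 posted to ledger
phone 555-0100 ext 42
"""

if __name__ == "__main__":
    print(scan_text(SAMPLE))
```

Findings carry only the masked PAN, so the scan report itself does not become another clear-text PAN store.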
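An added example of the requirement 10.5.5 behaviour from the table above (appending to a log is allowed, any edit or truncation of existing entries alerts), not taken from the product described on this page: it records a size-and-hash baseline for a log file and on each check verifies that the bytes that existed at baseline time are unchanged. The log lines and paths are constructed.

```python
import hashlib
import os
import tempfile

def hash_prefix(path: str, length: int) -> str:
    """SHA-256 of the first `length` bytes of the file, i.e. the bytes present at baseline time."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        remaining = length
        while remaining > 0:
            chunk = f.read(min(65536, remaining))
            if not chunk:
                break
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()

def baseline(path: str) -> dict:
    """Record the current size and the hash of everything up to that size."""
    size = os.path.getsize(path)
    return {"size": size, "sha256": hash_prefix(path, size)}

def check(path: str, base: dict) -> tuple:
    """(status, baseline): appends are 'ok' and advance the baseline; edits or truncation alert."""
    size = os.path.getsize(path)
    if size < base["size"]:
        return "ALERT: log truncated", base
    if hash_prefix(path, base["size"]) != base["sha256"]:
        return "ALERT: existing log data modified", base
    return "ok", {"size": size, "sha256": hash_prefix(path, size)}

def demo() -> list:
    """Constructed scenario: an append (allowed), then an in-place edit and a truncation (alerts)."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "access.log")
        with open(log, "w") as f:
            f.write("2024-01-01T10:00:00 alice READ /cde/cards.csv SUCCESS\n")
        base = baseline(log)
        with open(log, "a") as f:  # normal growth: a new entry is appended
            f.write("2024-01-01T10:05:00 bob WRITE /cde/cards.csv FAILURE\n")
        status, base = check(log, base)
        results = [status]
        with open(log, "rb") as f:  # tamper: rewrite an entry that existed at baseline time
            data = f.read().replace(b"alice", b"nobody")
        with open(log, "wb") as f:
            f.write(data)
        results.append(check(log, base)[0])
        os.truncate(log, 0)  # wipe the log entirely
        results.append(check(log, base)[0])
        return results
```

Keep the baseline somewhere the monitored host cannot rewrite it; otherwise whoever edits the log can re-baseline it as well.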
Disclaimer: Fully complying with PCI DSS requires a variety of solutions, processes, people, and technologies. This page is provided for informational purposes only and should not be considered legal advice for PCI DSS compliance. ManageEngine makes no warranties, express, implied, or statutory, about the information in this material.
Note: The content provided above applies only to PCI DSS version 3.2.1. Some requirements may not accurately reflect the latest version, PCI DSS 4.0. We are currently reworking the content, and it will be updated soon.