PCI DSS Compliance Solutions
Monitor insider activity. Detect anomalies. Respond to incidents. ALL-IN-ONE
The Payment Card Industry Data Security Standard (PCI DSS) is a global data security standard designed for securing financial operations with credit and debit cards. Adhering to PCI DSS requirements is crucial for protecting cardholder account data, including the primary account number (PAN).
Major bank card issuers require PCI DSS compliance for any company using their services.
What’s new in PCI DSS version 4.0?
The newest PCI DSS version 4.0 was introduced in March 2022 but will only replace the existing version 3.2.1 on March 31, 2024, giving businesses time to adjust.
The key changes that have been implemented to enhance security measures in PCI DSS v4.0 include:
- Access privileges now require biannual reviews to ensure up-to-date permissions.
- All passwords used for payment systems must be changed annually, and additionally in the event of suspicious activity or a data breach.
- Multi-factor authentication (MFA) is now mandatory for all accounts accessing sensitive card data.
- Third-party accounts must only be used when necessary. Also, they must be regularly monitored to mitigate potential security risks.
- Account passwords must adhere to stricter criteria: they must be both strong and unique, consisting of a minimum of 15 alphanumeric characters (both letters and numbers).
Adopting these changes is crucial, as they can help your organization build a stronger PCI DSS compliance program, implement effective PCI DSS compliant software, and achieve sustainable and effective control over cardholder data.
How Ekran System solutions help ensure PCI DSS compliance
Ekran System is a comprehensive insider risk management platform that can help merchants, processors, acquires issuers, and other service providers monitor access to cardholder data, mitigate security risks, and meet industry requirements.
Benefits of using Ekran System for PCI DSS compliance
Enhance organizational security
Monitor access to sensitive data
Detect insider threats
Promptly respond to incidents
Prevent data breaches
Avoid fines and penalties
Who needs PCI DSS compliance?
Any entity that stores, transmits, or processes credit card data must be PCI DSS compliant. That means any company processing financial transactions should meet PCI DSS requirements. Even if your company employs a third-party vendor to process payments, you still need to secure data transmitted by your website.
PCI DSS requirements are a set of cybersecurity best practices and procedures that help to prevent data breaches and ensure the secure processing, storage, and transmission of cardholder data. No fully PCI DSS compliant organizations suffered a data breach from 2018 through 2020 according to Verizon’s 2022 Payment Security Report. The same report states that only 43.4% of organizations were compliant with PCI DSS in 2020.
PCI DSS compliance level
< % non compliant
2018
2019
2020
According to the Verizon 2022 Payment Security Report
PCI DSS compliance requirements
PCI DSS consists of 12 requirements. Each contains a set of controls and procedures which you need to implement to bring your financial data security up to standards. Ekran System can help you adhere to the following requirements:
- Requirement 2: Apply secure configurations to all system components.
- Requirement 3: Protect stored account data.
- Requirement 7: Restrict access to system components and cardholder data by business need to know.
- Requirement 8: Identify users and authenticate access to system components.
- Requirement 10: Log and monitor all access to system components and cardholder data.
Non-compliance within organizations
Requirement 2
Requirement 3
Requirement 7
Requirement 3
Requirement 10
According to the Verizon 2022 Payment Security Report
PCI DSS statistics aside, let’s take a closer look at these requirements and ways to comply with them.
Requirement 2: Apply secure configurations to all system components
Both external and internal malicious actors frequently exploit default passwords and vendors’ default settings to get access to critical systems. By implementing secure configurations, organizations can significantly reduce the potential attack surface.
Meeting PCI DSS requirements with Ekran System
Security measures required
PCI DSS requirement 2.2:
- All system components must be configured and managed securely.
- All default passwords must be changed after the first login and before a device is connected to the organization’s network.
- An account must be removed or disabled once the vendor’s default accounts are no longer used.
PCI DSS requirement 2.3:
- Wireless environments must be configured and managed securely.
- All wireless vendor defaults must be changed at installation or confirmed to be secure.
Corresponding Ekran System functionality
Ekran System ensures secure credential storage and rotation with password management functionality.
Ekran System can manage:
- Password vault
- Password rotation
- Privileged user credentials
- Password checkout procedure
- Access request and approval workflow
- Just-in-time access
- Access to secrets via jump server
Requirement 3: Protect stored account data
Security techniques such as encryption and masking are essential for protecting account data. Even if an intruder manages to access encrypted account data, critical information will remain unreadable and useless to the malicious actor. In addition, organizations should consider alternative ways of protecting stored data to mitigate potential risks.
Meeting PCI DSS requirements with Ekran System
Security measures required
PCI DSS requirement 3.6:
- Cryptographic keys used to protect stored account data must be secured and accessed only by individuals with a defined business need.
PCI DSS requirement 3.7:
- Wherever cryptography is used to protect stored account data, the main management processes and procedures covering all aspects of the key lifecycle must be defined and implemented.
Corresponding Ekran System functionality
Ekran System ensures that:
- All data in the database is encrypted
- Connections between the application server and agents are encrypted
- Each application server has its own RSA-2048 certificate
- All session data can be anonymized, including screenshots, user data, and metadata
- Advanced types of authentication are implemented (including but not limited to multi-factor authentication, one-time passwords, secondary authentication, and ticketing system integration)
Requirement 7: Restrict access to system components and cardholder data by business need to know
PCI DSS requirement 7 emphasizes the importance of limiting rights for users to access systems, applications, and data. Need to know in PCI DSS requirement 7 refers to providing access to only the minimum amount of data needed to perform a job.
Meeting PCI DSS requirements with Ekran System
Security measures required
PCI DSS requirement 7.1:
- Access to system components and cardholder data must be provided only to users who need to know it.
PCI DSS requirement 7.2:
- Access to system components and data must be appropriately defined and assigned.
PCI DSS requirement 7.3:
- Access to system components and data must be managed via an access control system.
Corresponding Ekran System functionality
Ekran System privileged access management (PAM) functionality covers these requirements in full with the following features:
- One-time passwords — Create temporary credentials to provide granular access to the most secure assets.
- Access requests — Allow security officers to manually process access requests for the most critical resources.
- Privileged account and session management — Manage RDP sessions to control remote access to data and resources. With this functionality, you can limit access time, manage user credentials, specify endpoints available for particular groups of users, and more.
- Just-in-time access to secrets — Give manual access approval for determining who can access what and when. The security team can then monitor, record, and manage user activity in all sessions started under temporary credentials.
- Time-based user access restrictions — Enhance the protection of critical data and systems by limiting the time a user can assess it.
- Proactive alerts for suspicious activity — Use template rules or set custom alerts for detecting abnormal user behavior. Block users, terminate applications, and send real-time notifications to immediately pinpoint privileged access abuse.
- Ticketing systems integration — Add a ticket to access requests to validate that a user has a reason to access data or resources.
Requirement 8: Identify users and authenticate access to system components
Requirement 8: Identify users and authenticate access to system components
1. Establishing the identity of an individual or process on a computer system
2. Verifying that users associated with an identity are who they claim to be
Meeting PCI DSS requirements with Ekran System
Security measures required
PCI DSS requirements 8.2–8.6:
- User identification and related accounts for users and administrators must be strictly managed throughout an account’s lifecycle.
- All users must have a unique access ID.
- Strong authentication methods are required for users and administrators.
- For shared accounts, individual user identities must be confirmed before account access is granted.
- The use of group and shared accounts must be strictly managed.
- MFA systems must be configured to prevent misuse.
- Passwords/passphrases must be protected against misuse for any app and system accounts.
- MFA must be implemented to secure access to the Cardholder Data Environment (CDE).
- Use of application and system accounts and associated authentication factors must be strictly managed.
Corresponding Ekran System functionality
Ekran System offers useful tools to manage identities and authenticate users:
- Secondary authentication — Check the credentials of each user trying to log in to a shared or group account.
- Multi-factor authentication – Authenticate users trying to access data by checking two factors of identification.
- One-time passwords — Grant temporary access to specific endpoints.
- Access requests — Grant access approval upon request to determine who can access what and when.
- Integration with ticketing systems including SysAid and ServiceNow for double-checking and validating the reasons for privileged access requests.
- Continuous management and monitoring of privileged accounts — A large set of tools allowing security officers to control access permissions, get a clear view of every user action, detect potential security threats, analyze user sessions, and perform user access reviews to define actual access rights and privileges.
Requirement 10: Log and monitor all access to system components and cardholder data
Organizations must track and monitor all access to cardholder data and related network resources in stores, regional offices, headquarters, and via remote access.
System activity logs are important for determining the root cause of data compromise. The implementation of robust logging tools and monitoring of user activity plays a critical role in preventing, detecting, or mitigating the consequences of a data breach.
Meeting PCI DSS requirements with Ekran System
Security measures required
PCI DSS requirements 10.2–10.7:
- User identification must be strictly managed throughout the account lifecycle.
- Users’ and administrators’ accounts must be strictly managed throughout their lifecycle.
- All users must have a unique access ID.
- Strong authentication methods must be employed for users and administrators.
- In shared accounts, individual user identities must be confirmed before account access is granted.
- Use of group and shared accounts should be strictly managed.
- MFA systems must be configured to prevent misuse.
- Passwords/passphrases for any app and system accounts must be protected against misuse.
- MFA must be implemented to secure access to the Cardholder Data Environment (CDE).
- Use of application and system accounts and associated authentication factors must be strictly managed.
Corresponding Ekran System functionality
Ekran System provides complete visibility into all access attempts by using its robust user activity monitoring module equipped with the following features:
- Session recording — Record all user screen actions, audio input and output, and metadata to track each access attempt and all actions involving cardholder data. Records can be viewed in the built-in YouTube-like video player.
- User and entity behavior analytics — Use an AI-powered UEBA tool to analyze normal user behavior, detect anomalies, and predict security violations.
- USB monitoring — Control all connected USB devices, from keyboards to smartphones. Create device whitelists and blacklists, or approve each connection manually.
- Real-time alerting — Create security rules and get alerts and notifications when a user breaks them. With online activity monitoring, a security officer can view the session, establish the context of user actions, display a warning message, or block suspicious activity.
- Reporting and statistics — Gather audit trails, provide reports for internal and external security audits, and export data in a protected format for forensic activities.
Ekran System – your solution for PCI DSS Compliance
Ekran System can help you address key PCI DSS requirements such as:
- secure configuration management
- protection of stored account data
- restriction of access to system components
- user identification and authentication
- activity logging
Ekran System is a flexible and scalable PCI DSS solution that provides continuous user monitoring on Windows, Linux, and Citrix servers and desktops.
Meet other IT security requirements with Ekran System
Let’s get the conversation started
Contact our team to learn how our insider risk management software can safeguard your organization’s data from any risks caused by human factors. Book a call with us at a time that suits you best, and let’s explore how we can help you achieve your security goals.
