PCI DSS COMPLIANCE SOLUTIONS
The Payment Card Industry Data Security Standard (PCI DSS) is designed to secure financial operations with credit cards. Major card brands such as Visa, Mastercard, American Express, Discover, and JCB impose PCI DSS compliance requirements on any company using their services.
PCI DSS compliance software such as Ekran System ensures the security of payment systems and monitors all access to data associated with credit cards and cardholders.
Who needs to comply with PCI DSS?
Any merchant that stores, transmits, or processes credit card data must be PCI DSS compliant. In the modern world, that means any company accepting digital payments. Even if your company employs a third-party vendor to process payments, you still need to secure data transmitted by your website.
PCI DSS requirements are a set of cybersecurity best practices and procedures that help to prevent data breaches. From 2016 through 2018, no fully PCI DSS compliant organizations suffered a data breach. However, only 37% of organizations are compliant with PCI DSS according to Verizon’s 2019 Payment Security Report. Non-compliance with this standard can cost up to $100,000 per month for a single violation.
PCI DSS consists of 12 requirements. Each contains a set of controls and procedures which you need to implement to bring your security up to the standards. Ekran System can help you with the following requirements:
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
- Requirement 7: Restrict access to cardholder data by business need to know
- Requirement 8: Identify and authenticate access to system components
- Requirement 10: Track and monitor all access to network resources and cardholder data
Let’s take a closer look at these requirements and ways to comply with them.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Changing default settings and passwords is a must. PCI DSS requirement 2.1 demands all default credentials be changed after the first login and before a device is connected to the organization’s network.
Ekran System ensures secure credential storage and rotation with password management functionality. Ekran System can manage:
- Privileged user credentials
- Local Windows admin passwords
- Windows Active Directory secrets
- SSH/Telnet keys for Unix environments
- And more
Requirement 7: Restrict access to cardholder data by business need to know
PCI DSS requirements 7.1 and 7.2 state that a compliant organization must:
- Provide access to cardholder data only to users who need to know it
- Establish controls to deny all access unless it’s specifically allowed
- Define levels of privilege and user roles to access credit card information
Ekran System privileged access management (PAM) covers these requirements in full with the following features:
- One-time passwords — Create temporary credentials to provide granular access to the most secure assets.
- Access requests — Allow security officers to manually process access requests to the most critical resources.
- Privileged account and session management — Manage PRD sessions to control remote access to data and resources. With this functionality, you can limit access time, manage user credentials, specify endpoints available for particular groups of users, and more.
- Ticketing systems integration — Add a ticket to access requests to validate that a user has a reason to access data or resources.
Requirement 8: Identify and authenticate access to system components
PCI DSS requirements 8.1, 8.2, 8.3, 8.5, and 8.7 define the following identity and access management rules:
- All users must have a unique access ID
- Use a strong authentication method and encrypt passwords
- Secure administrative and remote access with multi-factor authentication
- Restrict the use of group and shared accounts
- Restrict all non-administrative direct access to databases
Ekran System has several tools to manage identities and authenticate users:
- Secondary authentication — Check the credentials of each user trying to log in to a shared or group account.
- Multi-factor authentication — Positively authenticate users trying to access data by checking two factors of identification.
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirements 10.1 to 10.7 define PCI DSS monitoring controls such as:
- Creating audit trails to link access attempts and users
- Reconstructing any attempts at accessing cardholder data or audit logs
- Recording trails for each event with system components
- Securing audit trails so they can’t be altered
- Reviewing logs to identify suspicious activity
- Storing audit trails for events for one year and making data for events in the past three months instantly available
Ekran System allows for complete visibility into all access attempts by using its robust user activity monitoring module equipped with the following features:
- Session recording — Record all user screen actions, audio input and output, and a set of metadata to track each access attempt and all actions involving cardholder data. Records can be viewed in the built-in YouTube-like video player.
- User behavior analytics — Use an AI-powered tool to analyze normal user behavior, detect anomalies, and predict security violations.
- USB monitoring — Control all connected USB devices, from keyboards to smartphones. Create whitelists and blacklists of devices, or approve each connection manually.
- Real-time alerting — Create security rules and get alerts and notifications when a user breaks these rules. With online activity monitoring, a security officer can view the session, establish the context of user actions, display a warning message, or block suspicious activity.
- Reporting and statistics — Gather audit trails, provide reports for internal and external security audits, and export data in a protected format for forensic activities.
See details on meeting the particular compliance requirements of PCI DSS and other IT security standards with Ekran System in our white paper.
Case study: Privileged User Monitoring and Auditing for a US-Based Financial Services Company [PDF]
Ekran System is a flexible and scalable PCI DSS compliance solution that provides continuous user monitoring on Windows, Linux, and Citrix servers and desktops. It can also help you comply with NIST, HIPAA, GDPR, and other requirements.