PCI Compliance: Learn Solutions To Help Your Organization Comply

NetIQ Corporation
Published : Jul 19, 2007
Length : 11
Type : White Paper
Overview:

PCI DSS was created to establish a standard set of requirements for governing the safekeeping of cardholder information throughout the credit card transaction process. Any organization that accepts credit cards or handles information is subject to PCI compliance.

This paper provides examples of how NetIQ solutions help organizations with tough PCI challenges, including system assessments, compliance reporting, change monitoring and log management.

Related Categories: Change Management, Compliance, Configuration Management, Data Protection, PCI Compliance, Security Management
 

The Payment Card Industry Data Security Standard revision (PCI DSS v1.1) was published on September 7, 2006. As a result of low compliance levels with the initial PCI release and the increase in high-profile credit card data theft cases, this revision was introduced with a timeline for merchants to apply the appropriate level of security controls to protect customer data.
Industry experts expect that PCI DSS v1.1 will drive compliance levels to double between December 2006 and December 2007 (from 33% to 66%, respectively). Additionally, state legislatures are hoping to do their part to force compliance. At the time of this publication, Massachusetts is debating and Texas is considering codifying PCI into law.
Any organization that accepts credit cards or handles credit card information is subject to PCI compliance. This includes retailers, banks, and others that process a significant number of credit card transactions daily. Higher data processing levels translate into greater audit scrutiny.
NetIQ solutions can help you establish and ensure the requirements of PCI DSS v1.1 are met on a continuing basis. In this white paper you will learn more about the key challenges of PCI DSS v1.1 and how NetIQ Security Management, Configuration Control and Enterprise Administration solutions help you demonstrate PCI compliance.

Introduction
The Payment Card Industry Data Security Standard (PCI DSS) was created to establish a standard set of requirements for governing the safekeeping of cardholder information throughout the credit card transaction process. It applies to all entities that store, process or transmit cardholder data. PCI DSS took effect in January, 2005 after being co-written by VISA and MasterCard and endorsed by other leading card providers.
There are 12 requirements for PCI DSS compliance, grouped into six categories called IT control objectives. Each outlines a different area of security best practices, ranging from information security policy development to assessment and monitoring of threats, vulnerabilities and misconfigurations.
There have been several changes since the initial release that have impacted the PCI DSS regulation, including a new standards body and a new version of the regulation itself. After the initial release of PCI DSS, a PCI Security Standards Council was formed to oversee updates to the regulation, along with audits and enforcement. The Council trains, tests and certifies qualified security assessors and approved scanning vendors. In September, 2006, version 1.1 of PCI DSS was released by the Council. While there were some additions, the changes were more of a consolidation and clarification effort and not a loosening of the requirements. This latest release modified the language of several of the requirements, including the requirement that companies should implement configuration best practices consistent with system-hardening standards such as those from NIST, SANS and CSI. Two appendices were added for service providers and compensating controls for encryption. The next deadline for PCI DSS v1.1 is September, 2007, when merchants accepting 1,000,000 to 2,000,000 transactions per year must demonstrate compliance.
Some examples of the key challenges companies face in demonstrating compliance with PCI DSS v1.1 include:

- Developing configuration standards for all system components
- Ensuring that all system components and software have the latest security patches installed
- Ensuring proper user authentication and password management for non-consumer users and administrators on all system components
- Securing audit trails so they cannot be altered
- Deploying file integrity monitoring software to alert personnel of unauthorized modification of critical system or content files

In the next several sections, this paper provides examples of how NetIQ solutions help organizations with tough PCI challenges, including system assessments, compliance reporting, change monitoring and log management.

Assess PCI Compliance with NetIQ Built-In Templates
NetIQ provides built-in security knowledge to help customers assess their systems and demonstrate compliance with the requirements outlined in PCI DSS v1.1. The table below outlines the specific policy templates contained in NetIQ Secure Configuration Manager that are available out of the box for a “start fast, start simple” approach to compliance. Each template contains multiple security checks that assess individual settings and summarize the results in easy-to-understand reports.
