PCI Requirements

PCI Data Security Audit Procedures and Reporting

The Payment Card Industry Data Security Standard (PCI DSS) outlines 12 major security requirements that an organization must adhere to in order to protect customer payment card data. Validation of compliance with the PCI DSS is required on an annual basis, either by a Qualified Security Assessor (QSA) or through self-reporting using a Self-Assessment Questionnaire. In addition to satisfying certain requirements directly, Tenable Network Security can help monitor networks that are subject to PCI DSS requirements in the following areas.

  1. Install and maintain a firewall configuration to protect cardholder data
    The Tenable Log Correlation Engine (LCE) can analyze and normalize logs from perimeter devices such as firewalls. Using distributed scanning and passive analysis, Tenable SecurityCenter can audit access from various points in the network. Firewall rule changes that open or close ports can be audited by comparing multiple scans, analyzing passive network data, and analyzing logs from the firewalls themselves.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
    The Tenable Nessus® vulnerability scanner can attempt logins for various applications and devices to test for vendor default passwords.
  3. Protect stored cardholder data
    Tenable solutions can assess the security of systems protecting stored data. Access to the secured data can also be audited with LCE.
  4. Encrypt transmission of cardholder data across open, public networks
    The Tenable Passive Vulnerability Scanner (PVS) can be used to monitor network traffic in real time to ensure credit card numbers are encrypted during transmission.
  5. Use and regularly update anti-virus software or programs
    SecurityCenter can log into hosts to ensure anti-virus software is configured and functioning properly. In addition, PVS can be used to identify systems running virus signature updates.
  6. Develop and maintain secure systems and applications
    SecurityCenter can use both active and passive vulnerability checks which monitor for vulnerabilities, patch levels, and insecure configurations to aid in developing and maintaining secure systems. In addition, LCE can perform real-time change detection along with file integrity checking.
  7. Restrict access to cardholder data by business need to know
    SecurityCenter can monitor access to information by business units on a need-to-know basis through traffic analysis and distributed scanning. With SecurityCenter's asset-centric network view, it is easy to see which assets connect to other assets and identify network links or ports in use.
  8. Assign a unique ID to each person with computer access
    Any system that logs user activity by user name also produces access control logs (logins and login failures). These can be used by LCE for log analysis, raw pattern searches, and anomaly detection. LCE can also associate an IP address with a user name and log, even when a user changes IP addresses.
  9. Restrict physical access to cardholder data
    LCE can monitor any device that generates log files for specific user data. LCE can also monitor Windows servers for USB device usage.
  10. Track and monitor all access to network resources and cardholder data
    All access to cardholder data systems can be tracked. LCE can track logins, login failures, system logs, and network activity for cardholder data systems. These logs are centralized, normalized, and correlated. Using SecurityCenter, reports about incidents or security events can be created for specific asset groups.
  11. Regularly test security systems and processes
    SecurityCenter can automate regular security testing of the systems managing credit card data. SecurityCenter offers many types of assessments, such as vulnerability scanning, patch audits, and configuration audits, as well as passive vulnerability analysis. Tenable Network Security is an Approved Scanning Vendor (ASV) for PCI compliance. Tenable's Nessus Perimeter Service, including the Tenable PCI Scanning Service, can perform PCI ASV validation as an external, hosted service. Tenable LCE can detect unauthorized and malicious processes running on PCI-relevant systems.
  12. Maintain a policy that addresses information security for all personnel
    Tenable's products can help detect and measure violations of an established configuration management policy. SecurityCenter can be used to assess specific asset classes of servers or network devices with specific audits. Similarly, real-time network analysis can discover new hosts, as well as hosts operating outside of configuration guidelines. SecurityCenter and Nessus are certified to perform FDCC and Center for Internet Security (CIS) audits.
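Requirement 4 above hinges on spotting card numbers that cross the network unencrypted. The following is an added example, not Tenable's or PVS's code: it runs a Luhn-validated PAN detector over constructed cleartext payloads (the flows, addresses and card numbers are made up; the PANs are standard test numbers), skips TLS flows, and reports matches masked so the check itself never stores a full PAN.

```python
import re
# Constructed sample flows: (flow, is_tls, payload). These are not real captures.
SAMPLE_FLOWS = [
    ("10.0.1.5:51234 -> 10.0.2.10:80", False,
     b"POST /pay HTTP/1.1\r\n\r\ncard=4111111111111111&exp=1227"),
    ("10.0.1.5:51235 -> 10.0.2.10:443", True,
     b"\x16\x03\x01 <opaque TLS record>"),
    ("10.0.1.7:40001 -> 10.0.2.10:80", False,
     b"GET /order?id=4111111111111112 HTTP/1.1"),   # fails Luhn: not a PAN
    ("10.0.1.8:40002 -> 10.0.2.11:8080", False,
     b'{"pan": "5500-0000-0000-0004", "cvv": "123"}'),
]

# 13-19 digits, optionally separated by single spaces or hyphens. The lookarounds
# stop a longer digit run (e.g. a 20-digit order id) from matching on its prefix.
PAN_CANDIDATE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn mod-10 check: every real PAN passes, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan):
    """Keep only the first six and last four digits, as PCI display rules allow."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_pans(payload):
    """Return Luhn-valid PANs (separators removed) found in a cleartext payload."""
    found = []
    for m in PAN_CANDIDATE.finditer(payload):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if luhn_ok(digits):
            found.append(digits)
    return found

def scan_flows(flows):
    """Report each cleartext flow carrying a PAN; TLS flows are opaque and skipped."""
    findings = []
    for flow, is_tls, payload in flows:
        if is_tls:
            continue
        for pan in find_pans(payload):
            findings.append({"flow": flow, "pan": mask(pan)})
    return findings
```

Running `scan_flows(SAMPLE_FLOWS)` flags the two HTTP flows that carry a valid PAN and ignores both the TLS flow and the digit run that fails the Luhn check.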

More Information

For detailed information on how Tenable's solutions can be leveraged to achieve PCI compliance, download the "Real-time PCI Compliance Monitoring" whitepaper.