PCI DSS

Any organisation, large or small, that accepts credit, debit, or prepaid cards while offering its services needs to comply with PCI DSS. Payment card data is a high-value target for cyber crime throughout the world, so a common baseline was needed to reduce risk for businesses and to protect cardholders' personal information from misuse. PCI DSS was created to fill that gap: it sets out an accepted set of policies and procedures for securing card transactions. Note that PCI DSS is an industry standard enforced contractually by the card brands and acquiring banks; it is not a government Act, although some jurisdictions reference it in legislation.

PCI DSS, the Payment Card Industry Data Security Standard, is an information security standard that requires businesses to demonstrate secure handling of customer card data. It grew out of a collaborative effort by the major card brands (Visa, MasterCard, American Express, Discover and JCB) to align their separate security programmes into one standard; version 1.0 was released in December 2004, and the standard has been maintained by the PCI Security Standards Council since 2006.

Who Needs to Comply

Any organisation that accepts cards as a regular mode of payment must comply with this standard, and so must the service providers that store, process, or transmit cardholder data on a merchant's behalf. Sectors that need to pay particular attention include:

  • Financial Institutions
  • Merchants
  • Services and Professionals
  • Hardware and software vendors (payment terminals and payment applications)

Consequence of Non-Compliance

Compliance with PCI DSS is mandatory for every sector mentioned above. Failure to comply may lead to consequences that prove disastrous for an enterprise, including:

  • Lawsuits
  • Government fines
  • Insurance claims
  • Payment card issuer fines
  • Cancelled accounts
  • Loss of sales, relationships and reputation

Basic Requirements for PCI DSS Compliance

This data security standard is known for its clarity. The twelve requirements enterprises must fulfil to comply with PCI DSS (v3.x wording) are:

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Protect all systems against malware and regularly update anti-virus software.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need to know.
  8. Identify and authenticate access to system components (assign a unique ID to each person with computer access).
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security for all personnel.

PCI DSS Active Directory auditing with our solutions

Following are some of our solutions for PCI DSS Active Directory auditing. The list below shows what each product does.

Product and Solution

JiJi AuditReporter
  • Audit (WHO/WHAT/WHEN/WHERE) the changes made by the workforce to systems such as Active Directory, Group Policy Objects, Exchange Server and File Server.
  • Audit security permission changes in Active Directory, Group Policy Objects, Exchange Server and File Server.
  • Track logon failures on workstations and servers.
  • Track access failures on file servers.
  • Track user logon activity.
  • Track user access across all file servers.
  • Archive audit reports and restore the audit data whenever it is needed in the future.

JiJi Active Directory Cleaner
  • Automate the user termination process. Clean up inactive users and computers.

JiJi Password Expiration Notification
  • Track password and account expiration and send reminder emails.

JiJi Password Reset Suite
  • Manage user password resets and account unlocks.

The table below lists the PCI DSS requirements relevant to Active Directory auditing (Requirements 7, 8 and 10, v3.x numbering), the purpose behind each, and how our solutions address it.
7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.
7.2 Establish an access control system for system components that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed.
Purpose: Determine whether access privileges are assigned according to job role, and whether users are set to "deny all" by default.
Solution: Schedule and generate reports on
  • security permissions granted to users over Active Directory objects;
  • file permissions granted to users on files and folders.
Create alerts for security permission changes in Active Directory and on File Servers.

8.1.1 Assign all users a unique ID before allowing them to access system components or cardholder data.
Purpose: Ensure each user is assigned a unique ID rather than several users sharing one ID.
Solution: Schedule and generate the logon activity report to detect the same user ID logging in from more than one machine.

8.1.2 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.
Purpose: Ensure access privileges are assigned according to job role when user accounts are created or modified.
Solution: Schedule and generate audit reports on newly created user accounts and their permissions in Active Directory and on File Servers. Create alerts for security permission changes in Active Directory and on File Servers.

8.1.3 Immediately revoke access for any terminated users.
8.1.4 Remove/disable inactive user accounts at least every 90 days.
Purpose: To prevent unauthorized access, a user's permissions must be revoked on termination. Inactive user accounts are a frequent target of attackers, because nobody notices when they are used.
Solution: Schedule audit reports on disabled user accounts and inactive user accounts. An automated workflow disables the user account in Active Directory, keeps the disabled account for a configurable number of days, and removes it once the retention period has passed.

8.1.5 Manage IDs used by vendors to access, support, or maintain system components via remote access as follows:
- Enabled only during the time period needed and disabled when not in use.
- Monitored when in use.
Purpose: Ensure vendors access the required systems only during the approved time frames.
Solution: Schedule and generate logon activity reports for the vendor user IDs.

8.1.6 Limit repeated access attempts by locking out the user ID after not more than six attempts.
8.1.7 Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID.
Purpose: An automated account lockout mechanism is needed to stop attackers from guessing passwords, whether with automated scripts or by hand.
Solution: Generate a report of all Account Lockout policies defined in GPOs for audit.

8.2.2 Verify user identity before modifying any authentication credential, for example, performing password resets, provisioning new tokens, or generating new keys.
Purpose: Authenticate the user before performing a help desk password reset.
Solution: With JiJi Password Reset Suite, users who have forgotten their password or locked their account are verified with additional identity checks, such as security question/answer, email verification, and mobile verification, before the reset or unlock is performed.

8.2.3 Passwords/phrases must meet the following:
- Require a minimum length of at least seven characters.
- Contain both numeric and alphabetic characters.
Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the parameters specified above.
8.2.4 Change user passwords/passphrases at least every 90 days.
8.2.5 Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used.
Purpose: A strong password policy must be enforced for better security.
Solution: Generate a report of all Password Policies for audit.

8.5 Do not use group, shared, or generic IDs, passwords, or other authentication methods as follows:
- Generic user IDs are disabled or removed.
- Shared user IDs do not exist for system administration and other critical functions.
- Shared and generic user IDs are not used to administer any system components.
Purpose: If one user ID is shared by several people, the activities of any individual cannot be traced.
Solution: Schedule and generate the logon activity report to detect the same user ID logging in to more than one machine.

10.1 Implement audit trails to link all access to system components to each individual user.
Purpose: Trace a user and their activity back from system-generated logs.
Solution: JiJi AuditReporter can trace the user and the activity back from the generated system logs.

10.2 Implement automated audit trails for all system components to reconstruct the following events:
10.2.1 All individual user accesses to cardholder data
10.2.2 All actions taken by any individual with root or administrative privileges
10.2.3 Access to all audit trails
Purpose: Attackers try to hide their tracks by disabling or tampering with the audit trails.
Solution: Generate a report on the audit settings and alert whenever the audit settings change.
10.2.4 Invalid logical access attempts
Purpose: Invalid logical access attempts may be attacker activity, such as password guessing or probing for accessible shares.
Solution: Generate the access-failure report from File Servers. Generate the logon-failure report from Active Directory.
10.2.5 Use of and changes to identification and authentication mechanisms, including but not limited to creation of new accounts and elevation of privileges, and all changes, additions, or deletions to accounts with root or administrative privileges
Solution: Generate audit reports on user creation, modification and deletion. Generate the user logon activity report.
10.2.6 Initialization, stopping, or pausing of the audit logs
Purpose: Disabling the audit logs is a common step taken before illicit activity.
Solution: Generate alerts when the audit logs are disabled in Active Directory or on File Servers.
10.2.7 Creation and deletion of system-level objects
Purpose: Malware commonly replaces system objects to gain control of a system.
Solution: Generate alerts when important AD objects are deleted or modified.

10.3 Record at least the following audit trail entries for all system components for each event:
10.3.1 User identification
10.3.2 Type of event
10.3.3 Date and time
10.3.4 Success or failure indication
10.3.5 Origination of event
10.3.6 Identity or name of affected data, system component, or resource.
Solution: With JiJi AuditReporter all changes are documented with WHO/WHEN/WHERE/WHAT.

10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).
Purpose: Retained audit logs are essential for any forensic analysis.
Solution: In JiJi AuditReporter all audit information can be archived and retrieved later at any time for report generation.
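Several of the checks in the table above can be verified offline against exported data rather than read off a report: the lockout and password-policy thresholds of 8.1.6, 8.1.7 and 8.2.3 to 8.2.5, a user ID logging on interactively from several machines (8.1.1, 8.5), bursts of failed logons (10.2.4), and clearing of the audit log or changes to audit policy (10.2.3, 10.2.6). The Python script below is an added example written for this page; it is not part of any JiJi product and makes no use of it. It reads a constructed secedit-style policy export and a constructed list of Windows Security event records. The record fields `user`, `host` and `logon_type` are this example's own flattening of the event XML, and every account name, host name and timestamp in it is made up.

```python
"""Offline PCI DSS Requirement 8 / 10 checks over exported Windows data. Both inputs are
constructed for this example. In production POLICY_EXPORT comes from `secedit /export /cfg
policy.inf` (a UTF-16 file: open it with encoding="utf-16") and EVENTS from the Security log
(Get-WinEvent or a SIEM export) flattened to the fields used below."""
import configparser
from collections import defaultdict
from datetime import datetime, timedelta

# (a) Password / lockout policy vs PCI DSS v3.x thresholds (8.1.6, 8.1.7, 8.2.3-8.2.5).
# Constructed secedit-style export; lockout count and password age are deliberately weak.
POLICY_EXPORT = """\
[System Access]
MaximumPasswordAge = 180
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 4
LockoutBadCount = 10
LockoutDuration = 30
"""

# (requirement, secedit key, predicate). secedit units: ages in days, durations in minutes;
# LockoutDuration = -1 means "until an administrator unlocks", which 8.1.7 allows.
PCI_POLICY_RULES = [
    ("8.1.6", "LockoutBadCount",       lambda v: 1 <= v <= 6),
    ("8.1.7", "LockoutDuration",       lambda v: v >= 30 or v == -1),
    ("8.2.3", "MinimumPasswordLength", lambda v: v >= 7),
    ("8.2.3", "PasswordComplexity",    lambda v: v == 1),
    ("8.2.4", "MaximumPasswordAge",    lambda v: 1 <= v <= 90),
    ("8.2.5", "PasswordHistorySize",   lambda v: v >= 4),
]

def check_password_policy(export_text):
    """Return [(requirement, key, value, passed)] for every rule."""
    cfg = configparser.ConfigParser()
    cfg.read_string(export_text)
    access = cfg["System Access"]                 # option lookup is case-insensitive
    return [(req, key, int(access[key]), bool(ok(int(access[key]))))
            for req, key, ok in PCI_POLICY_RULES]

def policy_failures(export_text):
    """Sorted, de-duplicated requirement IDs whose setting misses the threshold."""
    return sorted({r for r, _, _, passed in check_password_policy(export_text) if not passed})

# (b) Detections over Security event records (8.1.1/8.5, 10.2.4, 10.2.3/10.2.6).
def _ev(ts, event_id, user, host, logon_type=None):
    return {"time": datetime.fromisoformat(ts), "id": event_id,
            "user": user, "host": host, "logon_type": logon_type}

EVENTS = (
    [_ev("2024-03-01T08:00:00", 4624, "jdoe", "WS-01", 2),
     _ev("2024-03-01T09:00:00", 4624, "POS-Operator", "POS-01", 2),
     _ev("2024-03-01T09:10:00", 4624, "pos-operator", "POS-02", 2),  # same ID, 2nd terminal
     _ev("2024-03-01T09:15:00", 4624, "svc-backup", "FS-01", 3),     # type 3 = network logon,
     _ev("2024-03-01T09:16:00", 4624, "svc-backup", "FS-02", 3)]     # normal for a service
    + [_ev(f"2024-03-01T10:0{i}:00", 4625, "Administrator", "WS-07") for i in range(7)]
    + [_ev("2024-03-01T11:00:00", 1102, "mallory", "DC-01"),         # audit log cleared
       _ev("2024-03-01T11:01:00", 4719, "mallory", "DC-01")]         # audit policy changed
)

INTERACTIVE = {2, 10, 11}        # console, RDP, cached-credential logons
AUDIT_TAMPER_IDS = {1102, 4719}  # log cleared, system audit policy changed

def shared_user_ids(events, window=timedelta(minutes=30)):
    """User IDs with interactive logons from more than one host inside `window` (8.5)."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e["logon_type"] in INTERACTIVE:
            by_user[e["user"].lower()].append((e["time"], e["host"]))
    flagged = {}
    for user, logons in by_user.items():
        for t, _ in logons:
            hosts = {h for t2, h in logons if t - window <= t2 <= t}
            if len(hosts) > 1:
                flagged[user] = sorted(hosts)
    return flagged

def failed_logon_bursts(events, threshold=6, window=timedelta(minutes=30)):
    """Users with >= threshold failed logons (4625) in window: 8.1.6 should have locked them out."""
    by_user, bursts = defaultdict(list), {}
    for e in events:
        if e["id"] == 4625:
            by_user[e["user"].lower()].append(e["time"])
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                bursts[user] = max(bursts.get(user, 0), end - start + 1)
    return bursts

def audit_tampering(events):
    """Events that clear the log or change audit policy, oldest first (10.2.3, 10.2.6)."""
    return sorted((e for e in events if e["id"] in AUDIT_TAMPER_IDS), key=lambda e: e["time"])

if __name__ == "__main__":
    for req, key, value, passed in check_password_policy(POLICY_EXPORT):
        print(f"{req:6} {key:22} = {value:4}  {'OK' if passed else 'FAIL'}")
    print("shared IDs:", shared_user_ids(EVENTS))
    print("failed-logon bursts:", failed_logon_bursts(EVENTS))
    print("audit tampering:", [(e["id"], e["user"]) for e in audit_tampering(EVENTS)])
```

On the constructed data the policy check fails 8.1.6 and 8.2.4, the shared-ID detection flags `pos-operator` on two terminals while ignoring the service account's network logons, the burst detection reports seven failures for `administrator` inside the window, and both tampering events are returned. The thresholds encode the v3.x numbers quoted in the table; PCI DSS v4.0 raised them (lockout after no more than 10 attempts, minimum password length of 12), so adjust `PCI_POLICY_RULES` to the version you are assessed against. The sliding window in `failed_logon_bursts` matters in practice: a fixed-bucket count can miss a burst that straddles a bucket boundary.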