1 Overview

This chapter defines PCI compliance and Application Configuration Console's role in supporting it.

1.1 What Is PCI Compliance?

The Payment Card Industry Data Security Standard (PCI DSS) is the result of a mandate by the major credit card brands, such as VISA, MasterCard, and American Express, to improve the security of credit card data. The standard requires a set of account protection mechanisms, implemented through actions such as the following:

  • Maintain an information security policy.

  • Use and update anti-virus software.

  • Encrypt transmission of cardholder data.

  • Maintain firewall configuration.

  • Take physical access control measures.

  • Prevent insecure configuration management.

  • Track system configurations.

  • Monitor file and directory permissions to ensure that only authorized personnel have access.

  • Monitor access changes to system services, ensuring that all unnecessary and insecure services and protocols are disabled.

  • Monitor user account policies such as password aging and password complexity.

1.2 What If I Don't Handle Credit Card Transactions?

While aimed at merchants, processors, point-of-sale vendors, financial institutions, and payment companies, the spirit of the standard is geared to securing sensitive data, something every business and private citizen can identify with. In this case, the result of the action taken holds significance, even if the codified rule that requires it doesn't. In other words, the fact that you take steps to ensure proper user authentication and password management is what's important, not that you satisfy PCI requirement 8.5.

1.3 How Does Application Configuration Console Support Compliance?

Application Configuration Console is in the business of automating configuration, change, and release management processes. Monitoring changes to operating system security settings is a natural extension of this core competence.

The Application Configuration Console PCI Compliance Automation Module extends Application Configuration Console by providing the tools for creating assets that capture operating system security settings. The tools then provide for these assets to be audited for compliance with recommended standards. Once you have a baseline for your environment, Application Configuration Console's tracking capabilities take over to monitor for any changes and to ensure remediation of detected differences.
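The audit-then-track cycle described above (capture a host's security settings, compare them with a recommended baseline, flag drift) is illustrated by the following added example. It is not part of the PCI Compliance Automation Module; the baseline values, file paths, service names and the drifted host snapshot are all constructed for the illustration, and cover the three setting areas the module audits: file permissions, enabled services, and password policy.

```python
"""Drift check of captured OS security settings against a recommended baseline."""
from dataclasses import dataclass

# Constructed "recommended" baseline (hypothetical values, not the module's own).
BASELINE = {
    "permissions": {"/etc/shadow": 0o640, "/etc/passwd": 0o644, "/etc/ssh/sshd_config": 0o600},
    "services": {"sshd", "cron"},            # every other service should be disabled
    "password_policy": {"max_days": 90, "min_len": 12, "history": 4},
}

@dataclass(frozen=True)
class Finding:
    area: str
    item: str
    expected: object
    actual: object

def audit(snapshot: dict, baseline: dict = BASELINE) -> list[Finding]:
    """Compare a captured snapshot of a host's settings with the baseline."""
    findings: list[Finding] = []
    # File permissions: flag any file whose mode grants bits the baseline does not allow.
    for path, allowed in baseline["permissions"].items():
        mode = snapshot["permissions"].get(path)
        if mode is None or mode & ~allowed:
            findings.append(Finding("permissions", path, oct(allowed),
                                    None if mode is None else oct(mode)))
    # Services: anything enabled that is not on the allow-list is a finding.
    for svc in sorted(set(snapshot["services"]) - baseline["services"]):
        findings.append(Finding("services", svc, "disabled", "enabled"))
    # Password policy: max_days may not exceed the baseline; the others may not fall below it.
    pol = snapshot["password_policy"]
    for key, limit in baseline["password_policy"].items():
        actual = pol.get(key)
        weaker = actual is None or (actual > limit if key == "max_days" else actual < limit)
        if weaker:
            findings.append(Finding("password_policy", key, limit, actual))
    return findings

# Constructed snapshot of a host that has drifted from the baseline in each area.
DRIFTED_HOST = {
    "permissions": {"/etc/shadow": 0o644, "/etc/passwd": 0o644, "/etc/ssh/sshd_config": 0o600},
    "services": {"sshd", "cron", "telnet"},
    "password_policy": {"max_days": 180, "min_len": 12, "history": 4},
}

if __name__ == "__main__":
    for f in audit(DRIFTED_HOST):
        print(f"[{f.area}] {f.item}: expected {f.expected}, got {f.actual}")
```

Running the same check on each capture cycle turns the one-time audit into the continuous tracking the module describes; a non-empty result is the signal to remediate.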

1.4 Is Application Configuration Console's PCI Compliance Across the Board?

The Security Standards Council does not endorse any single-vendor solution to its mandate. PCI compliance covers a broad spectrum of initiatives, some of which lie outside the reach of Application Configuration Console software.

Table 1-1 revisits the previously referenced list of account protection mechanisms identified by the Security Standards Council, this time noting which are supported by the Application Configuration Console PCI Compliance Automation Module.

Table 1-1 PCI Requirements Supported by Application Configuration Console

PCI Requirement                                                                 Supported
-----------------------------------------------------------------------------   ---------
Maintain an information security policy                                         No
Use and update anti-virus software                                              No
Encrypt transmission of cardholder data                                         No
Maintain firewall configuration                                                 No
Take physical access control measures                                           No
Prevent insecure configuration management                                       Yes
Track system configurations                                                     Yes
Monitor file and directory permissions to ensure that only authorized
personnel have access                                                           Yes
Monitor access changes to system services, ensuring that all unnecessary
and insecure services and protocols are disabled                                Yes
Monitor user account policies such as password aging and password complexity    Yes

1.5 More Information

This book describes use of the PCI Compliance Automation Module to achieve compliance with recommended operating system security settings. Its focus is on Application Configuration Console functionality in that limited context. For detailed information on system features and how to use them, consult the Application Configuration Console Online Help.