Six Best Practices Every Entity Need to Know to Assure PCI Compliance
IRVINE, CA, July 24, 2014—Recent PCI DSS (Payment Card Industry Data Security Standard) compliance incidents have cost companies millions of dollars in fines and associated losses and inflicted extensive damage to valuable brand reputations. A recent eBay breach forced the company to advise 145 million active users to change their passwords to avoid financial information loss. The Target breach resulted in 40 million stolen credit card numbers and the compromise of the personal information of more than 70 million customers. Neiman Marcus additionally suffered a breach where 1.1 million customers’ credit card numbers were stolen.
To help organizations avoid data breaches and their devastating consequences, Netwrix Corporation, the #1 provider of change and configuration auditing software, shares six essential best practices every company processing payment cards should follow to safeguard themselves against a security incident:
1) Separate Environments–Minimize your risks by reducing PCI scope within your systems and enforce separation of environments by continuously auditing access and changes to the systems where cardholder data is stored.
2) Audit Access Control–Ensure that permissions are adequate and access to sensitive data is limited only to people that need it. Change and configuration auditing can help by giving you precise information about the state of access rights and all changes to it, alerting you to critical issues, and helping with investigation in the event of unauthorized access.
3) Audit Provisioning and De-Provisioning of Users–Organizations should establish control over user creations and removals. A comprehensive change and configuration auditing solution will provide daily and on-demand reports as well as real-time alerts on these critical modifications.
4) Audit of Privileged Users’ Activities–A particular emphasis should be placed on changes made by administrative accounts: changes to user access rights, elevation of privileges, mistakenly changed permissions, and other security related events. Daily and on-demand reports and real-time alerts provided by change auditing solutions will help organizations to stay secure.
5) Document Everything–You never know what part of your system activities or during what period you would be required to demonstrate to the auditor, so you would better keep it all. In addition to a complete audit trail, some of the more advanced change and configuration auditing solutions allow you to record video of user activities on critical systems, along with metadata, and provide search and replay capabilities. A regular review of the audit trails may also assist in preventing breaches before they occur.
6) Monitor and Test–Change and configuration auditing solution will provide a complete audit trail with detailed information on access and changes with who, what, where, and when details including after and before values for each event, simplifying the root-cause analysis, and allowing to proactively prevent malicious activities.
“Recent examples show that it is not enough to align your processes and policies with PCI DSS guidance,” said Alex Vovk, President of Netwrix. “You must also establish mechanisms to verify these processes actually work and be able to prove that to all stakeholders: IT management, executives, and auditors. Essentially, change auditing is what makes your compliance efforts provable.”
About Netwrix Corporation
Netwrix Corporation, the #1 provider of change and configuration auditing solutions, delivers complete visibility into who did what, when and where across the entire IT infrastructure. This streamlines compliance, strengthens security and simplifies root cause analysis. Founded in 2006, Netwrix is ranked in the Top 100 US software companies in the Inc. 5000 and Deloitte Technology Fast 500. Netwrix software is used by 160,000 users worldwide. For more information, visit www.netwrix.com.