Overview

PCI DSS is a set of security standards established by major credit card companies to protect cardholder data and ensure secure payment transactions. It applies to organizations that handle, process, or store payment card data. Achieving PCI DSS compliance is essential for safeguarding sensitive cardholder information, maintaining customer trust, and avoiding costly penalties. 

For more information, refer to the PCI DSS guide.

Netsurion Managed XDR for PCI DSS Compliance 

Netsurion Managed XDR combines SIEM, log management, proactive threat hunting, and guided incident response to effectively meet the requirements outlined in PCI DSS compliance. With comprehensive monitoring, analysis, and reporting capabilities, organizations can identify and manage their assets, establish access controls, protect resources, and respond promptly to incidents.

By leveraging Netsurion Managed XDR, businesses can streamline their PCI DSS compliance efforts, reduce risks associated with payment card data, and enhance overall security posture, all while maintaining operational efficiency. 

Using Netsurion Managed XDR to meet PCI DSS Requirements 

Requirement 1: Install and maintain a firewall configuration to protect data

1.1.1 – A formal process for approving and testing all network connections and changes to the firewall and router configuration.

Netsurion Open XDR supports 1.1.1 by providing details of firewall and router configuration or policy changes via investigations and reports.


1.1.5 – Description of groups, roles, and responsibilities for management of network components.

Netsurion Open XDR supports 1.1.5.a by providing details of allowed or denied, secure or insecure network protocols and ports within the organizational network infrastructure via investigations and reports.


1.1.6 – Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.

Netsurion Open XDR supports testing procedure 1.1.6.b by providing details of allowed or denied network protocols and ports within the organizational network infrastructure.


1.2.1 – Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.

Netsurion Open XDR supports 1.2.1.a and 1.2.1.b by providing details of allowed or denied inbound or outbound network traffic to the cardholder data environment via investigations and reports. This will allow for verification that inbound and outbound traffic is being restricted or allowed.


1.2.2 – Secure and synchronize router configuration files.

Netsurion Open XDR supports 1.2.2 by providing alarms on firewall synchronization critical or error conditions and also by providing details of firewall synchronization conditions via investigations and reports.


1.3.1 – Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.

Netsurion Open XDR supports procedure 1.3.1 by providing details of allowed or denied network protocols or ports between the DMZ environment and the organization’s internal network environment via investigations and reports.


1.3.2 – Limit inbound Internet traffic to IP addresses within the DMZ.

Netsurion Open XDR supports 1.3.2 by being able to detect and alert on allowed or denied network traffic between the external Internet and the organization’s internal network environment via investigations and reports.


1.3.3 – Implement anti-spoofing measures to detect and block forged source IP addresses from entering the network. (For example, block traffic originating from the Internet with an internal source address.)

Netsurion Open XDR supports 1.3.3 by providing details of allowed or denied network traffic that is inbound or outbound between the external Internet and cardholder data environment via investigations and reports.


1.3.5 – Permit only “established” connections into the network.

Netsurion Open XDR supports 1.3.5 by providing details of allowed or denied network traffic outbound from the cardholder data environment to the external Internet via investigations and reports.


1.4 – Install personal firewall software or equivalent functionality on any portable computing devices (including company and/or employee-owned) that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the CDE. Firewall (or equivalent) configurations include:

  1. Specific configuration settings are defined.
  2. Personal firewall (or equivalent functionality) is actively running.
  3. Personal firewall (or equivalent functionality) is not alterable by users of the portable computing devices.

Netsurion Open XDR provides alarms, investigations, and reports to support PCI DSS control requirement 1.4.a. Netsurion Open XDR supports procedure 1.4.a by providing alarms on host firewall critical or error conditions and also by providing details of host firewall conditions via investigations and reports.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

2.1 – Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, Simple Network Management Protocol (SNMP) community strings, etc.

Netsurion Open XDR provides investigations and reports to support PCI-DSS control requirement 2.1. Netsurion Open XDR supports 2.1 by providing alarms and details of known vendor default account authentication failures or successes via investigations and reports.


2.2 – Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardening standards may include, but are not limited to:

  • Center for Internet Security (CIS).
  • International Organization for Standardization (ISO).
  • SysAdmin Audit Network Security (SANS) Institute.
  • National Institute of Standards and Technology (NIST).

Netsurion Open XDR provides host activity monitoring that monitors running processes and services in support of 2.2.2.a and 2.2.2.b. Verification that only necessary services are enabled and justification for insecure services is still required.


2.3 – Encrypt all non-console administrative access using strong cryptography.

Netsurion Open XDR supports procedure 2.3.b by providing details of insecure network protocols or ports that are allowed or denied within the organizational network infrastructure and insecure processes that are starting or stopping via investigations and reports.

Requirement 3: Protect stored cardholder data

3.6.7 – Prevention of unauthorized substitution of cryptographic keys.

Netsurion Open XDR supports 3.6.7 by providing details of key integrity activity via investigations and reports on Netsurion Open XDR’s change audit agent. Netsurion Open XDR’s change audit can be configured to monitor key file or directory activity, deletions, modifications, and permission changes. The change audit capability is completely automated; the agent can be configured to either scan for file or directory changes on a schedule or automatically detect file integrity activity in real time.

Requirement 4: Encrypt transmission of cardholder data across open, public networks

4.1 – Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following:

  • Only trusted keys and certificates are accepted.
  • The protocol in use only supports secure versions or configurations.
  • The encryption strength is appropriate for the encryption methodology in use.

Netsurion Open XDR supports 4.1 by providing details of insecure network protocols or ports that are allowed or denied within the organizational network infrastructure and insecure processes that are starting or stopping via investigations and reports. Netsurion Open XDR is capable of alarming on conditions where a system observes unencrypted information passed when encrypted traffic is expected.

Requirement 5: Use and regularly update anti-virus software or programs

5.1 – Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).

Netsurion Open XDR supports 5.1 by verifying that the service is running on the systems commonly affected by malware and detecting or alerting on changes to the service.


5.2 – Ensure that all anti-virus mechanisms are maintained as follows:

  • Are kept current.
  • Perform periodic scans.
  • Generate audit logs which are retained per PCI DSS Requirement 10.7.

Netsurion Open XDR supports 5.2.b by providing alarms on antivirus critical or error conditions and also provides detailed information on malware and antivirus detection via investigations and reports. Detection for when new signatures are installed is also supported.

Netsurion supports 5.2.c by providing visibility into antivirus signature updates and scanning activities, successes, and failures via alarms, investigations, and reports.

Netsurion Open XDR’s centralized log collection, management, and archival functionality directly supports PCI-DSS control requirement 5.2.d by automating the process of collecting and retaining the antivirus software audit trails. Open XDR creates archive files of all collected antivirus log entries, which are organized in a directory structure by day, making it easy to store, back up, and destroy log archives based on retention policy.

Requirement 6: Develop and maintain secure systems and applications

6.1 – Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities.

Netsurion Open XDR supports 6.1.a by providing alarms on software update critical or error conditions and also by providing details on software update conditions via investigations and reports. Netsurion is able to support 6.1.b by running reports and showing that specific patches are deployed within one month.


6.3.1 – Remove development, test and/or custom application accounts, user IDs, and passwords before applications become active or are released to customers.

Netsurion Open XDR supports 6.3.a by providing an intelligence system for logs to be sent to rules that can be created to provide proper alarming, reporting, and enhancement to the abilities of any custom application to be used in the cardholder data environment.


6.4.1 – Separate development/test environments from production environments, and enforce the separation with access controls.

Netsurion supports 6.4.1 by providing details on allowed or denied network protocols or ports between the test network environment and all other internal production network environments via investigations and reports.


6.4.2 – Separation of duties between development/test and production environments.

Netsurion Open XDR supports 6.4.2 by providing details on allowed or denied network traffic between the test network environment and all other internal network environments via investigations and reports.


6.5.1 – Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws.
6.5.2 – Buffer overflows.
6.5.3 – Insecure cryptographic storage.
6.5.4 – Insecure communications.
6.5.5 – Improper error handling.
6.5.7 – Cross-site scripting (XSS).
6.5.8 – Improper access control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions).
6.5.9 – Cross-site request forgery (CSRF).

Netsurion Open XDR supports 6.5 by providing alarms and investigation details on all detected vulnerabilities.


6.6 – For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes.

Netsurion Open XDR supports 6.6 by providing alarms and investigation details on detected vulnerabilities. Netsurion Open XDR can address either solution by working in conjunction with web exploit systems, such as Intrusion Detection Systems, Web-Application Firewalls, Stateful Inspection Firewalls, Web Servers, and other log sources to analyze detected potential abuses as well as provide a way to investigate suspected breaches.

Requirement 7: Restrict access to cardholder data by business need to know

7.1.1 – Define access needs for each role, including:

  • System components and data resources that each role needs to access for their job function.
  • Level of privilege required (for example, user, administrator, etc.) for accessing resources.

7.1.2 – Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.

Netsurion Open XDR supports 7.1.1 and 7.1.2 by providing details on privileged access, host authentication, and application access via investigations and reports. Access to cardholder data can be monitored by the custodian(s) of the data in real time by collecting access control system data. Account creation, privilege assignment and revocation, and object access can be validated using Netsurion.

Requirement 8: Assign a unique ID to each person with computer access

8.1 – Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components.

8.1.1 – Assign all users a unique ID before allowing them to access system components or cardholder data.
8.1.2 – Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.
8.1.3 – Immediately revoke access for any terminated users.
8.1.4 – Remove/disable inactive user accounts within 90 days.
8.1.5 – Manage IDs used by third parties to access, support, or maintain system components via remote access as follows:

  • Enabled only during the time period needed and disabled when not in use.
  • Monitored when in use.

8.1.6 – Limit repeated access attempts by locking out the user ID after not more than six attempts.
8.1.7 – Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID.

Netsurion Open XDR supports procedure 8.1 by providing details on account management activity such as account creation, account deletion, and account modification via reports. Account creation can be monitored through reporting and investigations of logs pertaining to the creation and modification of accounts.


8.5 – Do not use group, shared, or generic IDs, passwords, or other authentication methods as follows:

  • Generic User IDs are disabled or removed.
  • Shared user IDs do not exist for system administration and other critical functions.
  • Shared and generic user IDs are not used to administer any system components.

8.5.1 – Additional requirement for service providers only: Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer.

Netsurion Open XDR supports procedure 8.5 by providing alarms on database account access granting or revocation and details on account management, account granting or revocation, and authentication activity via investigations and reports. Netsurion Open XDR also provides details on vendor account management and authentication activity via investigations and reports.

Requirement 9: Restrict physical access to cardholder data

9.1 – Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.

9.1.1 – Use either video cameras or access control mechanisms (or both) to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law.

Netsurion Open XDR provides alarms, investigations, and reports to support PCI-DSS control requirement 9.1. Netsurion Open XDR supports 9.1 and 9.1.1.c by providing alarms for physical access failures and details on other physical access activity via investigations and reports.

Requirement 10: Track and monitor all access to network resources and cardholder data

10.2 – Implement automated audit trails for all system components to reconstruct the following events:
10.2.1 – All individual user accesses to cardholder data.
10.2.2 – All actions taken by any individual with root or administrative privileges.
10.2.3 – Access to all audit trails.
10.2.4 – Invalid logical access attempts.
10.2.5 – Use of and changes to identification and authentication mechanisms, including but not limited to creation of new accounts and elevation of privileges, and all changes, additions, or deletions to accounts with root or administrative privileges.
10.2.6 – Initialization, stopping, or pausing of the audit logs.
10.2.7 – Creation and deletion of system level objects.

Netsurion Open XDR supports 10.2 by providing the core function of centralized log collection, management, and archival. Netsurion Open XDR provides alarms on authentication failures from default, disabled, terminated, and privileged accounts, on object disposal failures, and on audit log initializations.

Netsurion Open XDR provides details of user access failures or successes to audit log files, cardholder data files, system-level objects, and applications via investigations and reports.

Netsurion Open XDR provides details of privileged account management such as creation, deletion, modification, authentication failures and successes, granting or revoking of access, privilege escalation and failures or successes to access files, objects, and applications via investigations and reports. Open XDR also provides details on the creation and deletion of system level objects and audit log initializations via investigations and reports.


10.3.1 – User identification.
10.3.2 – Type of event.

Netsurion Open XDR supports 10.3 by parsing account and login information, assigning each log event a specific classification type, specifying a centralized time stamp, extracting success or failure information, identifying the host, IP, application, and login originating each event, and identifying affected data, components, resources, and other details useful for forensic investigation of the audit logs.


10.3.3 – Date and time.
10.3.4 – Success or failure indication.
10.3.5 – Origination of event.
10.3.6 – Identity or name of affected data, system component, or resource.

Netsurion Open XDR supports 10.3.3 by independently synchronizing the timestamps of all collected log entries, ensuring that all log data is time-stamped to a standard time regardless of the time zone and clock settings of the log source.


10.4 – Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time.

Netsurion Open XDR supports 10.4 by independently synchronizing the timestamps of all collected log entries, ensuring that all log data is time-stamped to a standard time regardless of the time zone and clock settings of the logging hosts.


10.5.1 – Limit viewing of audit trails to those with a job related need.
10.5.2 – Protect audit trail files from unauthorized modifications.
10.5.3 – Promptly back up audit trail files to a centralized log server or media that is difficult to alter.
10.5.4 – Write logs for external-facing technologies onto a secure, centralized, internal log server or media device.
10.5.5 – Use file-integrity monitoring or change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).

Netsurion Open XDR supports 10.5 by using discretionary access controls which allow restriction of the viewing of audit logs to individuals based on their role and Need-To-Know. Netsurion Open XDR protects audit trails from unauthorized modification by immediately archiving, hashing and storing collected logs in a secure central repository. Netsurion Open XDR includes an integrated change audit which can ensure that the collection infrastructure is not tampered with.

Netsurion Open XDR servers utilize access controls at the operating system and application level to ensure log data cannot be modified or deleted. Alerts are customizable to prevent or allow alarms on a case-by-case basis, including not causing an alert when new data is added. Netsurion securely collects logs from the entire IT infrastructure, including external-facing technologies, for storage on an internal LAN where a Netsurion Open XDR sensor resides.


10.6 – Review logs and security events for all system components to identify anomalies or suspicious activity.

Netsurion Open XDR supports 10.6 by supplying a one-stop repository from which to review log data from across the entire IT infrastructure. Reports can be generated and distributed automatically on a daily basis, providing an audit trail of who did what within Netsurion Open XDR and proof of log data review.


10.7 – Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).

Netsurion Open XDR supports 10.7 by automating the process of retaining audit trails. Netsurion Open XDR creates archive files of all collected log entries, which are organized in a directory structure by day, making it easy to store, back up, and destroy log archives based on retention policy.

Requirement 11: Regularly test security systems and processes

11.1 – Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis.

Netsurion Open XDR supports procedure 11.1.d by providing alarms on the detection of rogue access points and also by providing details of detected rogue access points via investigations and reports.


11.4 – Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up to date.

Netsurion Open XDR provides alarms, investigations, and reports to support PCI-DSS control requirement 11.4. Netsurion Open XDR collects logs from network- and host-based IDS/IPS systems, and its risk-based prioritization and alerting reduce the time and cost associated with monitoring and responding to IDS/IPS alerts. Netsurion provides built-in alarms which can alert on IDS/IPS detected events such as attacks, compromises, denial of services, malware, reconnaissance activity, suspicious activity, and IDS/IPS signature update failures. Netsurion provides details around these critical IDS/IPS events via investigations and reports.


11.5 – Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.

Netsurion Open XDR supports 11.5 by providing details of key integrity activity via investigations and reports on Netsurion Open XDR’s Change Audit Agent. Netsurion Open XDR’s Change Audit can be configured to monitor key file or directory activity, deletions, modifications, and permission changes. The file integrity capability is completely automated; the agent can be configured to either scan for file or directory changes or automatically detect file integrity activity in real time.

Requirement 12: Maintain a policy that addresses information security for employees and contractors

12.3.8 – Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity.

12.3.9 – Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use.

Netsurion Open XDR provides investigations and reports to support PCI-DSS control requirement 12.3. Netsurion Open XDR supports 12.3 by providing alarms on vendor authentication failures and on vendor account access granting.

Netsurion Open XDR provides details on vendor account management activity, vendor authentication successes or failures, and remote session timeouts via investigations and reports.

Netsurion Open XDR provides real-time enterprise detection intelligence to address issues quickly and prevent damage and exposure. Open XDR provides alarms and details on security events such as attacks, compromises, denial of services, malware, reconnaissance activity, suspicious activity, and IDS/IPS signature update failures via investigations and reports.