PCI Compliance Solutions from Quest Software

Payment Card Industry Data Security Standard

A consortium of financial institutions is now requiring all merchants who accept popular payment cards, such as credit cards and signature debit cards, to comply with a new standard for securing their customers’ payment card data. The standard, the Payment Card Industry Data Security Standard (PCI DSS), has been mandated by all members of the PCI Security Standards Council, which currently includes Visa International, MasterCard Worldwide, American Express, Discover Financial Services and JCB.

All banks that process the payment transactions associated with these cards are responsible for ensuring that their merchants meet the standard, and penalties for failing to comply can be severe.

For merchants and banks who use Microsoft Active Directory as part of their identity and access management solution, Quest Software can help satisfy a significant portion of the PCI DSS requirements, not only on Windows-based computers but also on Unix, Linux and Mac computers. Many institutions are struggling with the magnitude of this task and are looking for ways to automate their compliance efforts, since they are subject to periodic (in some cases quarterly) audits.

PCI – So What Is Inside?

There are a total of twelve (12) high-level requirements and two (2) special requirement appendices that comprise the PCI DSS. These range from physical server security to very specific IT control objectives, and they detail how organizations must secure, handle, retain and manage their data. You can read the full standard here.

PCI – How Quest Can Help

As the 2007 Microsoft Global ISV Partner of the Year, Quest's award-winning software provides the assurance you expect, the systematic efficiency and the audit-proof systems you need to help meet key IT control components of the PCI DSS requirements. Only from industry-leading Quest can you obtain a comprehensive solution from a single vendor with the breadth and experience that comes with more than 50,000 customers worldwide.

If you are already familiar with the PCI DSS, you can refer to the chart below to quickly find the Quest solution by product. If you are still becoming familiar with the individual requirements of the standard, the more detailed table below the chart will guide you through the requirements.

PCI Mapping Summary

Quest Solution | PCI Requirement Sections (columns 1-12, App A, App B; an X marks a section the product addresses)

Compliance Suite
Reporter | XXXXXXXX
InTrust with ChangeAuditor for Active Directory | XXXXX
ActiveRoles Server | XXXXXX

Additional Solutions
Authentication Services | XXXXXXX
GPOADmin | XXXXX
Password Manager | X
Defender | X
Privilege Manager for Unix | XXXXXXX
Single Sign-on for Java | XXXXXX
Access Manager | XXX

PCI – How Quest Can Help, by PCI DSS Requirement

The chart below details the Quest products that assist your PCI compliance, referenced by requirement section:

Requirement | Section | How Quest Can Help
Requirement 2: Do not use vendor-supplied default security parameters

Section 2.1
Reporter provides the ability to report on null passwords, the date passwords were last changed, SNMP settings, etc.

Sections 2.2 - 2.2.4
By creating a system settings change management environment in which Group Policy Objects are versioned and tracked, GPOADmin allows system administrators to set up a test, rollout, rollback and reporting environment for system settings (augmented by Reporter for CIS-benchmarked servers), for safe deployment of system configuration changes that conform with industry benchmark configurations. With the Reporter configuration baselining feature, system administrators can compare the settings of their AD and Windows Server configurations against both internally developed and industry-standard security benchmarks. Reporter is CIS certified.

Section 2.3
With the Reporter configuration baselining feature, system administrators can determine which services and login methods are running on critical servers. Quest provides Unix users with a version of OpenSSH that is linked to the Authentication Services security libraries.

Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks

Section 4.1
With the Reporter configuration baselining feature, system administrators can determine which encryption services, if any, are running on Windows servers that transmit and receive cardholder data.

Requirement 5: Use and regularly update anti-virus software

Section 5.1
The Reporter configuration baselining feature can confirm that AV software is installed and configured on all Windows systems. In addition, InTrust collects AV event log information and reports on AV event data.

Requirement 6: Develop and maintain secure systems and applications

Section 6.3
As part of a system configuration change test environment, GPOADmin can support testing of GPO changes, which could include system configuration setting changes.

Requirement 7: Restrict access to data by business need-to-know

Sections 7.1 - 7.2
Active Roles Server provides a full-featured solution that greatly enhances the access controls available in Active Directory (AD), while Privilege Manager for Unix offers root delegation and granular privileged access management on Unix systems. Access Manager enables identification and management of user and group access to resources across the Windows enterprise. Single Sign-on for Java enhances and extends AD’s access controls for users of web-based application servers, and Authentication Services can extend the access restriction functionality of AD’s group memberships to the Unix, Linux and Mac systems that make up the organization’s cardholder data environment. Finally, GPOADmin can manage the GPOs that contain the "deny all" settings for file systems, applications and system resources that could otherwise allow access to protected cardholder data.

Requirement 8: Assign a unique ID to each person with computer access

Section 8.1
Privilege Manager for Unix helps to enforce unique user IDs by checking rule sets based on user IDs, and can be used to prevent people from sharing user accounts. In addition, Authentication Services supports corporate policies implemented in AD that require unique user names. Identity Migration Wizard for Unix also provides tools to consolidate existing non-unique user accounts into AD.

Section 8.2
Defender enables users to authenticate using both hardware and software tokens. Privilege Manager for Unix can make additional authentication calls to any PAM-enabled system or security mechanism. Single Sign-on for Java extends AD’s Kerberos password authentication to users of web-based application servers, while Authentication Services provides Kerberos-based authentication of Unix/Linux systems (or PAM-enabled Unix-based biometric applications) via password or smart card login.

Section 8.3
Defender leverages Active Directory to provide two-factor RADIUS authentication for any system, application or resource. In addition, an optional feature of Authentication Services supports multi-factor authentication of Unix/Linux systems using smart cards. Reporter can also report on users that are using smart cards.

Section 8.4
AD offers this functionality natively within Windows. Authentication Services extends this basic functionality to Unix, Linux and Mac systems, while Single Sign-on for Java extends it to users of web-based application servers.

Section 8.5: Ensure proper user authentication and password management for non-consumer users and administrators, on all system components
AD offers basic user ID, computer ID and password administration. Active Roles Server enhances AD’s user provisioning functionality by providing an automated change approval environment for all user changes, including user rights, permissions, modification, creation and deletion. GPOADmin can support testing of GPO changes, which could include user group attributes. Single Sign-on for Java extends AD’s basic user account management functionality to users of web-based application servers, while Authentication Services permits Unix-enabled user IDs and passwords in AD to be administered either with standard AD tools or with the vastool utility. Privilege Manager for Unix provides for the management of user IDs and credentials of Unix users regardless of whether they are also managed within AD. Reporter can report on user access to validate that access is in accordance with the corresponding authorization form.

Section 8.5.2
Authentication Services extends AD’s basic functionality such that Unix, Linux and Mac users are required to log in with existing credentials before resetting passwords in response to password reset requests. Single Sign-on for Java does the same for users of web-based application servers. Password Manager provides additional self-service password reset and change capabilities for users managed in AD, as well as administrative password reset and management. For example, Password Manager enables organizations to set up a series of security questions that a user must answer before changing or updating their password. Privilege Manager for Unix verifies the identity of Unix users regardless of whether they are also managed within AD.

Section 8.5.3
AD offers this functionality natively within Windows. Authentication Services extends this basic functionality to Unix, Linux and Mac systems, while Single Sign-on for Java does the same for users of web-based application servers.

Section 8.5.4
The definitive record of terminated employees and contractors is stored within the HR database, which often requires an additional step of revoking access within AD. Authentication Services enforces revoked access on Unix, Linux and Mac systems for users disabled in or removed from AD, and Single Sign-on for Java does the same for users of web-based application servers. Quest’s ActiveRoles Server, which provides extra user provisioning and de-provisioning controls, can empower one designated authority (such as HR) to make termination and access revocation an immediate one-step process with ActiveRoles Quick Connect. Reporter can report on users that have not logged in within a period of time, such as 180 days, and through action-enabled reporting can easily disable them or remove them from Active Directory.

Section 8.5.5
Reporter can report on users that have been inactive for 90 days. Authentication Services works with AD so that administrators can know which Unix-enabled accounts have been inactive for 90 days or more. Single Sign-on for Java does the same for users of web-based application servers. ActiveRoles Server automates this control and serves as a complete de-provisioning solution.

Section 8.5.6
Active Directory offers basic management of vendor accounts. Authentication Services works with AD to allow administrators to disable and re-enable on demand (or enable only during specified logon hours) any Unix-enabled AD account used by vendors. Single Sign-on for Java does the same for users of web-based application servers. ActiveRoles Server and ChangeAuditor for Active Directory define, delegate, automate, track, log, audit and manage vendor accounts in AD. Privilege Manager for Unix can manage Unix users performing remote maintenance within pre-defined time windows.

Section 8.5.7
This requirement must be satisfied by the merchant’s own data security communication and awareness program.

Section 8.5.8
InTrust can be configured to report on activity by generic accounts. ChangeAuditor for Active Directory can help identify who is using generic accounts by providing the source IP address. Authentication Services supports corporate policies that prohibit group, shared or generic accounts and passwords. Single Sign-on for Java does the same for users of web-based application servers. Privilege Manager for Unix supports all such policies for Unix users regardless of whether they are also managed within AD.

Sections 8.5.9 - 8.5.14
Reporter can report on user accounts that have not had a password change within 90 days. Reporter can also report on these password-related settings to ensure they are actually applied and in effect. Active Roles Server and Password Manager combine to automate all of these password policies. Authentication Services extends and enforces AD’s password policies (or password policies implemented through an AD-based tool such as Password Manager) for users of Unix, Linux and Mac systems. Single Sign-on for Java does the same for users of web-based application servers. GPOADmin can support testing of GPO changes, including these password policy settings, and provides an automated way to ensure that all security options are set correctly throughout the domain.

Section 8.5.15
Reporter can report on this setting to ensure it is accurate and in effect. GPOADmin can support testing of GPO changes, including the password re-entry after idle time policy settings. Authentication Services can be used to deploy screensaver configurations through Windows Group Policy to Unix, Linux and Mac systems. This assumes the company also has the capability to remotely control root access on end-user computers, so that their screensaver configurations cannot be altered locally.

Section 8.5.16
Authentication Services provides authentication of Unix, Linux and Mac operating system (OS) users and of certain application users (e.g., users of SAP and Oracle). Single Sign-on for Java does the same for users of a broader range of popular web-based application servers.

Requirement 10: Track and monitor all access to network resources and cardholder data

Section 10.1
ActiveRoles Server links cardholder data access to individual users by allowing delegation and tracking of administrative privileges for users managed in Active Directory. Access Manager links user access to specific files, folders and shares across the Windows enterprise. Privilege Manager for Unix links cardholder data access to individual users by enabling carefully controlled privileged access management (e.g., root delegation) for Unix and Linux users regardless of whether they are also managed within Active Directory. InTrust enables organizations to forensically analyze all user activity, whether from a general user or an administrator; changes can be tracked and attributed to a specific user.

Section 10.2: Implement automated audit trails to reconstruct the following events, for all system components.

Section 10.2.1
InTrust can track and report on individual user access to cardholder data stored on Windows file servers and database systems. Privilege Manager for Unix can do the same for cardholder data stored on Unix and Linux systems.

Section 10.2.2
InTrust can track, report and alert on the activity of users with elevated privileges throughout the organization. Privilege Manager for Unix offers carefully controlled privileged access management (e.g., root delegation) and even keystroke logging for Unix and Linux users regardless of whether they are also managed within AD.

Section 10.2.3
InTrust is an enterprise audit log solution that enables organizations to connect, collect, store and report on enterprise audit information, including all attempts to access event log data (and even its own “raw” audit log). Privilege Manager for Unix offers carefully controlled privileged access management (e.g., root delegation) and even keystroke logging for Unix and Linux users regardless of whether they are also managed within AD.

Requirement 12: Maintain a policy that addresses information security for employees and contractors

Section 12.4
ActiveRoles Server, Access Manager, Authentication Services and Privilege Manager for Unix can assist in automating and enforcing this policy.

Appendix A, Requirement A.1: Hosting providers protect cardholder data environment

Section A.1.1
ActiveRoles Server and Single Sign-on for Java can be used by a hosting service provider to help ensure that each hosted entity only has access to its own cardholder data environment.

Appendix B, Compensating Controls for Requirement 3.4

Section B.2 (a)
Privilege Manager for Unix can restrict access to cardholder data based on IP address and/or MAC address.

Getting Started