In this article, you will discover:
- What is PCI DSS and File Integrity Monitoring
- Who PCI DSS applies to and how to achieve compliance
- File Integrity Monitoring requirements for PCI DSS
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a security framework aims at reducing payment card fraud by strengthening security controls around cardholder data.
PCI DSS is administered and managed by the PCI Security Standards Council, an independent body established through collaboration among prominent payment card companies like Visa, MasterCard, American Express, Discovery, and JCB. Each of these payment brands maintains its own compliance program and holds the responsibility for enforcing compliance.
Who does PCI DSS apply to?
PCI DSS compliance is obligatory for merchants and service providers of all sizes who process, store, transmit, or potentially compromise the security of cardholder data. If you accept or handle payment cards, PCI DSS applies to you.
While not a legal requirement, PCI DSS is a part of a contractual relationship between acquiring banks and payment card companies. Acquiring banks bear responsibility for non-compliance by card brands, leading them to dictate how their merchants should report PCI DSS compliance and potentially passing down any associated penalties to them.
Moreover, select states like Nevada, Minnesota, and Washington have incorporated portions of PCI DSS into their state laws.
What is PCI DSS compliance and how can it be achieved?
PCI DSS compliance involves collaborating with customers or acquiring banks to assess the impact of your service on cardholder data, identifying your organization’s specific PCI DSS obligations, and adhering to the relevant security requirements outlined in the PCI DSS framework. Non-compliance can result in fines, increased vulnerability to data breaches, and loss of merchant license.
There are 12 requirements:
1. Install and maintain a firewall configuration
Secure the cardholder data network, establish firewall rules to allow only business-required traffic, and implement security measures like network segmentation and personal firewall software.
2. Do not use vendor-supplied defaults for system password and other security parameters
Configure networks, servers, and other resources that are implemented into the network securely prior to implementation, using configuration standards such as Center for Internet Security (CIS) or vendor documentation.
3. Protect stored cardholder data
Safeguard stored cardholder data by complying with encryption requirements, encryption key management including key custodian responsibilities and secure data disposal practices.
4. Encrypt transmission of cardholder data across open, public networks
Ensure strong encryption for cardholder data during transmission over public networks, end-user messaging technologies and wireless networks.
5. Protect all systems against malware and regularly update anti-virus software or programs
Use anti-virus software on servers and workstations, monitor systems for malware, enforce controls for scanning, logging anti-virus software and restricting users from disabling the anti-virus software.
6. Develop and maintain secure systems and applications
Implement secure software development practices, protect web applications from common vulnerabilities, and timely install critical security patches.
7. Restrict access to cardholder data by business need-to-know
Allow access based on business requirements, employing a default deny-all approach for any access lacking explicit approval.
8. Identify and authenticate access to system components
Enforce authentication controls, such as access reviews, promptly revoking access when needed, and specifying password criteria. Set up configurations such as session timeout, password complexity, and user access restrictions for shared accounts.
9. Restrict physical access to cardholder data
Secure physical access to cardholder data environments, including offices, data centers, and media handling.
10. Track and monitor all access to network resources and cardholder data
Monitor and log security metrics and resource access, responding promptly to security events.
11. Regularly test security of systems and processes
Establish a vulnerability management process, conduct quarterly scans and annual penetration tests. More information about penetration testing can be found in this article.
12. Maintain a policy that addresses information security for all personnel
Maintain operational security policies covering information security, risk assessment, and incident response.
What is File Integrity Monitoring?
File Integrity Monitoring (FIM), or File Integrity Management, is a security process monitoring and assessing the integrity of critical assets, such as file systems, directories, databases, network devices, the operating system (OS) and software applications.
FIM tools employ two verification methods to check the integrity of critical files: reactive or forensic auditing (helps companies suffering from a breach understand what happened); and proactive or rules-based monitoring (detects an unauthorized or malicious change before it can lead to a breach). In both approaches, the FIM tool compares the current state of a file with a baseline and creates an alert if any alterations or updates to the file violate the company’s predetermined security policies.
Importance of File Integrity Monitoring
In recent years, cybercriminals have become more adept at using malware and other tactics to manipulate vital system components. The rapid rise in remote work due to COVID-19 and the proliferation of IoT devices have also significantly expanded the attack surface for cybercriminals, offering numerous entry points for these malicious actors. FIM plays a vital role in safeguarding sensitive assets like files, data, applications, and devices by regularly scanning, monitoring, and verifying their integrity. This helps speed up the detection of potential security issues and improves the accuracy of incident responses.
File Integrity Monitoring for PCI DSS
File Integrity Monitoring is essential for fulfilling certain key requirements within PCI DSS, with the most recent version being PCI 4.0.
- Requirement 10.3.4 – File integrity monitoring or change-detection mechanisms are used on audit logs to ensure that existing log data cannot be changed without generating alerts.
- Monitor critical files for alterations and report changes.
- Focus and detect potential attacks on files that do not change regularly but can compromise the system security if altered.
- Newly added data should not trigger an alert to avoid generating continuous alerts.
- Requirement 11.5.2 – Deploy a change detection mechanism (for example, file integrity monitoring tools) to alert personnel to unauthorized modifications (including changes, additions, and deletions) of critical system files, configuration files, content files, and configure the software to perform critical file comparisons at least weekly.
- If the FIM is not configured correctly or its alerts are not checked, a malicious person can add, remove, or replace configuration files, disable existing security controls and steal the cardholder data.
- Critical files monitored for change detection are typically those that infrequently change but could compromise system security if altered.
- FIM tools usually come with predefined critical files for the operating system. For special applications, critical files should be evaluated and identified by the manufacturer or delivery provider.
- Companies should establish a response process for alerts generated by the FIM tools.
- Critical files subject to monitoring include:
- System and application executable files
- Configuration and parameter files
- Centrally stored, past or archived, log and audit files
- Additional critical files determined by the organization