PCI DSS Compliance Checklist and HIDS Requirements
October 21, 2019
It doesn’t matter if you’re a global e-commerce giant like Amazon.com or a Chinese take-out restaurant that lets customers order from their phones: if you store, process or transmit payment card data, you need to be compliant with PCI DSS (the Payment Card Industry Data Security Standard). If you’re unsure what a Host Intrusion Detection System (HIDS) is and how it relates to your PCI DSS compliance, you’ve come to the right place. When working to meet compliance measures, a common requirement is an intrusion detection solution. Using machine learning, Lacework detects anomalies and alerts on potential intrusions, which lets you use Lacework as a control to meet those intrusion detection requirements.
Let’s get started by analyzing the 12 requirements stipulated by the PCI DSS:
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
The purpose of a firewall is simple: deny, by default, the network traffic you already know should never happen, and permit only the connections the business actually needs. For instance, say your online clothing store keeps customer payment data in an encrypted database. You know ahead of time that exactly one application server needs to open connections to that database, so the firewall should allow traffic to the database port from that one server only and drop everything else, including traffic from the rest of your own internal network. Requirement 1 is really about this kind of segmentation: isolating the systems that store, process or transmit cardholder data (the cardholder data environment) from untrusted networks and from the rest of the company, and documenting and reviewing the rules that allow traffic in and out.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
We’ve all heard the phrase “the best defense is a good offense,” but in computer security the reverse is the smart move: one of the easiest ways to protect your customers is to NOT be an easy target. Vendors ship equipment with well-known default credentials, and lists of them are freely available, so changing every default password before a system goes into production makes it much harder for an attacker to gain administrative access. The requirement covers other defaults too: remove or disable unnecessary default accounts, services and protocols, and change settings such as SNMP community strings. Finally, make sure the passwords you pick do not appear on Wikipedia’s list of the most common passwords (or in any public breach list).
Requirement 3: Protect stored cardholder data
Protecting stored cardholder data is not a simple task, but the rules are clear. First, never store sensitive authentication data after authorization: the card verification code (CVV2/CVC2), the full magnetic-stripe or chip data and the PIN must not be kept at all, even encrypted. Second, the primary account number (PAN) must be unreadable wherever it is stored, whether by truncation, by replacing it with an index token, by a strong one-way hash of the entire PAN, or by strong encryption with proper key management (keys stored separately from the data, rotated, and accessible to as few people as possible). The cardholder name and expiration date may be stored, but protect them alongside the PAN rather than leaving them in the clear. Hashing is important when you want to find the encrypted record of a particular customer among thousands (or millions) of others without decrypting them all: store a hash of the PAN as a lookup index next to the ciphertext. Use a keyed hash (an HMAC with a secret key) for that index, because a plain unkeyed hash of a 16-digit number is brute-forceable, and remember that PCI DSS requires additional controls wherever hashed and truncated versions of the same PAN exist, so that the two cannot be correlated to reconstruct the original.
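The rules above in working form, as an added example (not code from the original post): a checkout record that rejects sensitive authentication data, keeps only a masked PAN in the clear, indexes the record by an HMAC of the full PAN, and a small brute-force routine showing why an unkeyed hash next to a truncated PAN is recoverable. The encryption of the record body (an AEAD cipher under a KMS/HSM-held key) is assumed and represented by a placeholder so the block runs with the standard library alone; the PAN used is the well-known Visa test number.

```python
"""Added example, not code from the original post: keep the PAN unreadable
but searchable, refuse sensitive authentication data, and show why an
unkeyed hash next to a truncated PAN is recoverable.

Assumption (not in the original text): the record body would be encrypted
with an AEAD cipher under a key held in a KMS/HSM; that step is represented
by a placeholder string here so the block runs with the standard library.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Sensitive authentication data (PCI DSS req. 3.2): never stored after
# authorization, encrypted or not.
SAD_FIELDS = {"cvv2", "cvc2", "cid", "pin", "pin_block", "track1", "track2"}


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation used by the major card brands."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncated PAN for display: at most first six and last four (req. 3.3)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def blind_index(pan: str, index_key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256) of the full PAN. Stored beside the
    encrypted record so a lookup never decrypts anything, and useless to
    anyone who does not hold the index key."""
    return hmac.new(index_key, pan.encode(), hashlib.sha256).hexdigest()


def unkeyed_sha256_hex(pan: str) -> str:
    """The weak alternative: a plain hash that anyone can recompute."""
    return hashlib.sha256(pan.encode()).hexdigest()


def prepare_record(form: dict, index_key: bytes) -> dict:
    """Turn a checkout form into the record that is allowed to be stored."""
    present = SAD_FIELDS & {k.lower() for k in form}
    if present:
        raise ValueError(f"refusing to store sensitive authentication data: {sorted(present)}")
    pan = form["pan"].replace(" ", "")
    if not (pan.isdigit() and 12 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("invalid PAN")
    return {
        "pan_index": blind_index(pan, index_key),
        "pan_masked": mask_pan(pan),
        # Placeholder: AEAD ciphertext of {pan, name, expiry} in a real system.
        "body": "<encrypted>",
    }


def recover_pan_from_unkeyed_hash(sha256_hex: str, masked: str) -> Optional[str]:
    """Why hashed and truncated PANs must not be correlatable: with the first
    six and last four digits known, only the middle digits are unknown, and
    the Luhn check digit prunes those candidates by a further factor of ten."""
    first6, last4 = masked[:6], masked[-4:]
    middle_len = len(masked) - 10
    for n in range(10 ** middle_len):
        candidate = first6 + str(n).zfill(middle_len) + last4
        if luhn_ok(candidate) and unkeyed_sha256_hex(candidate) == sha256_hex:
            return candidate
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in production: fetched from the KMS, never generated here
    # Constructed input using the well-known Visa test number.
    form = {"pan": "4111 1111 1111 1111", "name": "A Customer", "expiry": "12/27"}
    rec = prepare_record(form, key)
    print("stored:", rec)
    print("lookup hits:", rec["pan_index"] == blind_index("4111111111111111", key))
    try:
        prepare_record(dict(form, cvv2="123"), key)
    except ValueError as e:
        print("rejected:", e)
    leaked = unkeyed_sha256_hex("4111111111111111")  # what an unkeyed index would leak
    print("recovered from unkeyed hash + masked PAN:",
          recover_pan_from_unkeyed_hash(leaked, rec["pan_masked"]))
```

The recovery loop only has to try the six unknown middle digits, and the Luhn check discards nine in ten of those, so a leaked table of unkeyed hashes beside masked PANs falls in well under a second per card. The HMAC index has no such weakness as long as the index key is managed like the encryption key.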
Requirement 4: Encrypt transmission of cardholder data across open, public networks
To fulfill this requirement, every page and every API endpoint that accepts a customer’s card data must be served over “HTTPS://” rather than “HTTP://”. The extra “S” means the connection is protected by TLS, so the data is encrypted between the customer’s browser and your web server. Two details matter in practice: PCI DSS no longer accepts SSL or early TLS (TLS 1.0) as strong cryptography, so your servers should offer TLS 1.2 or later only, and plain-HTTP requests for the checkout pages should be redirected to HTTPS (with HSTS enabled) so a customer can never submit card data over an unencrypted connection. The same rule applies to any other channel that carries cardholder data across a public network; in particular, PANs must never be sent unprotected over end-user messaging such as e-mail or chat.
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
We all know the mantras: “No one cares about backups until the day the hard drive crashes,” and “No one cares about computer security until the day you’re hacked.” To satisfy requirement 5 you have to care about security BEFORE you get hacked: anti-virus or anti-malware software must be deployed on all systems commonly affected by malware, kept up to date, actively running, and generating audit logs that users cannot disable. This is also one of the reasons to use a HIDS (host intrusion detection system). Signature-based anti-virus only catches what it already knows about; with HIDS software on every host you can also be alerted when suspicious or never-before-seen software starts running on your computers.
Requirement 6: Develop and maintain secure systems and applications
To satisfy this requirement, you are expected to keep your operating systems and application software on supported, patched releases: all system components must have the vendor-supplied security patches installed, with critical patches applied within one month of release. The requirement also covers how you build software. Develop applications according to secure coding guidelines that address injection flaws, cross-site scripting, broken authentication and the other common web vulnerabilities, review custom code before it goes live, and put every change to the cardholder data environment through a documented change-control process.
Requirement 7: Restrict access to cardholder data by business need to know
Requirement 7 falls under the heading of access control. It stipulates that access to cardholder data is granted to a tightly controlled group (or role) of users, with a default “deny all” setting, and that people are added to that group ONLY if they have a legitimate business purpose to “need to know” the cardholder data, and then only with the least privileges their job requires.
Requirement 8: Identify and authenticate access to system components
Requirements 7 and 8 go hand in hand: a need-to-know group is only meaningful if every member of it can be individually identified. Each user must have a unique ID (no shared or generic accounts), must authenticate with a password, a token or a biometric, and multi-factor authentication is required for all non-console administrative access to the cardholder data environment and for all remote access into the network. Default accounts and inactive accounts must be removed or disabled. A system component can be any type of computing infrastructure, such as a web server, a database or a firewall.
Requirement 9: Restrict physical access to cardholder data
In a traditional computing system, cardholder data (from a credit or a debit card) lives in a database, which in turn lives on disks in a server somewhere. To comply with requirement 9, physical access to those servers, to backup media and to any paper records that contain cardholder data must be restricted so that an unauthorized person cannot simply walk up and take them. Such restrictions could be, for instance, a secured computer room with keycard access and visitor logs, locked storage for media, and a procedure for securely destroying media and paper once they are no longer needed.
Requirement 10: Track and monitor all access to network resources and cardholder data
Again, this requirement becomes much easier when a HIDS is part of your overall security system. To detect unauthorized access to computer systems you need software that can spot intrusions, but you also need an audit trail: every access to cardholder data, every action taken with administrative privileges, every failed login and every change to the audit logs themselves must be logged with who, what, when and where. Those logs need synchronised clocks, protection from tampering, a daily review, and retention for at least a year with the most recent three months immediately available for analysis.
Requirement 11: Regularly test security systems and processes
Unfortunately, implementing all of the PCI DSS requirements above within your computing infrastructure doesn’t mean they are all working as intended. To be compliant with requirement 11 you have to test them regularly: run internal and external vulnerability scans at least quarterly and after any significant change (the external scans by a PCI-approved scanning vendor), perform penetration testing of the cardholder data environment at least annually, check for unauthorized wireless access points, and deploy file-integrity monitoring so that unexpected changes to critical system, configuration or content files raise an alert.
Requirement 12: Maintain a policy that addresses information security for all personnel
As part of the final requirement, it is mandatory that your company makes information security an official part of company policy, publishes it, and trains every employee on it. As a result, protecting cardholder data becomes “everyone’s responsibility,” with named owners for the security program, an incident response plan, and oversight of the service providers you share cardholder data with.
How Lacework’s Host Intrusion Detection overcomes the limitations of network intrusion detection systems
Lacework enables organizations to strengthen their cloud security with an anomaly-based intrusion detection system that operates at the host level. Because data is collected on the host, security teams can more accurately and effectively detect insider attacks that would not be identified in network traffic. Instead of using the same signatures and rules that attackers already know about, our host intrusion detection system (HIDS) operates beyond the limitations of a network-based intrusion detection system to identify all activity happening across all cloud workloads and accounts.
Security of your workloads depends on how well your HIDS solution can detect insider attacks that otherwise won’t be caught in the network traffic, and how well you can investigate an infected host or application based on the data that has been collected.
Host intrusion detection overcomes the limitations of network intrusion detection systems that are traditionally used in an enterprise data center or non-cloud based infrastructure. Intrusion detection originally looked only at ingress and egress traffic on an enterprise’s network. But to address the constantly changing nature of cloud and containerized environments, a new, agile, and far more comprehensive solution is required.
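A toy version of the host-level, baseline-driven detection described in this section and the audit trail that requirement 10 asks for, as an added example (not Lacework’s code and not from the original post). It learns the processes and outbound connections seen on a host during a quiet period, then flags events that deviate: a binary the user has never run, a shell spawned by the web server, and a first-ever connection to the cardholder database. It separately lists every database access, normal or not, which is the record an auditor wants regardless of what the anomaly scoring says. The event format, host names, users, paths and IP addresses are all constructed for the example.

```python
"""Added example, not Lacework's code or code from the original post: a toy
host-level anomaly detector over constructed audit events. It learns what
normally runs and connects on each host, then flags new binaries, shells
spawned by unusual parents, and first-ever connections to the cardholder
database, while separately producing the access trail requirement 10 asks for.
The event format, host names, users, paths and addresses are all made up.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>exec|connect) (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
CARDHOLDER_DB_PORT = "5432"  # assumed port of the cardholder database


@dataclass
class Event:
    ts: str
    kind: str               # "exec" (process start) or "connect" (outbound TCP)
    f: dict = field(default_factory=dict)


def parse(line: str):
    """Parse one constructed '<ts> <kind> k=v k=v ...' line; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(m["ts"], m["kind"], dict(KV_RE.findall(m["rest"])))


class HostBaseline:
    """Per-host sets of (user, exe), (parent, exe) and (exe, dst, dport)
    observed during a learning period."""

    def __init__(self):
        self.execs = defaultdict(set)
        self.parents = defaultdict(set)
        self.conns = defaultdict(set)

    def learn(self, ev: Event) -> None:
        f = ev.f
        if ev.kind == "exec":
            self.execs[f["host"]].add((f["user"], f["exe"]))
            self.parents[f["host"]].add((f["parent"], f["exe"]))
        else:
            self.conns[f["host"]].add((f["exe"], f["dst"], f["dport"]))

    def score(self, ev: Event) -> list:
        """Reasons this event deviates from the baseline (empty means normal)."""
        f, host, reasons = ev.f, ev.f["host"], []
        if ev.kind == "exec":
            if (f["user"], f["exe"]) not in self.execs[host]:
                reasons.append(f"new binary for {f['user']} on {host}: {f['exe']}")
            if f["exe"].endswith(("/sh", "/bash")) and (f["parent"], f["exe"]) not in self.parents[host]:
                reasons.append(f"shell spawned by unusual parent {f['parent']} on {host}")
        else:
            if (f["exe"], f["dst"], f["dport"]) not in self.conns[host]:
                what = "cardholder DB" if f["dport"] == CARDHOLDER_DB_PORT else f"{f['dst']}:{f['dport']}"
                reasons.append(f"first connection from {host}:{f['exe']} to {what}")
        return reasons


def detect(baseline_lines, new_lines):
    """Learn from baseline_lines, then return [(event, reasons)] for new_lines."""
    base = HostBaseline()
    for ev in filter(None, map(parse, baseline_lines)):
        base.learn(ev)
    return [(ev, base.score(ev)) for ev in filter(None, map(parse, new_lines))]


def cardholder_db_accesses(lines):
    """Requirement 10 trail: every access to the cardholder DB, normal or not."""
    return [(ev.ts, ev.f["host"], ev.f["user"], ev.f["exe"])
            for ev in filter(None, map(parse, lines))
            if ev.kind == "connect" and ev.f["dport"] == CARDHOLDER_DB_PORT]


# Constructed learning-period events: the web tier's normal behaviour.
BASELINE = """\
2019-10-20T09:00:00Z exec host=web-01 user=www-data exe=/usr/sbin/nginx parent=/sbin/init
2019-10-20T09:00:01Z exec host=web-01 user=app exe=/usr/bin/python3 parent=/lib/systemd/systemd
2019-10-20T09:00:02Z connect host=web-01 user=app exe=/usr/bin/python3 dst=10.0.2.10 dport=5432
2019-10-20T09:05:00Z exec host=web-01 user=root exe=/usr/bin/apt parent=/usr/sbin/cron
2019-10-20T09:06:00Z connect host=web-01 user=root exe=/usr/bin/apt dst=10.0.0.5 dport=443
""".splitlines()

# Constructed later events: a web shell calling out and touching the database,
# followed by one perfectly normal application query.
NEW = """\
2019-10-21T03:12:07Z exec host=web-01 user=www-data exe=/bin/sh parent=/usr/sbin/nginx
2019-10-21T03:12:09Z exec host=web-01 user=www-data exe=/usr/bin/curl parent=/bin/sh
2019-10-21T03:12:11Z connect host=web-01 user=www-data exe=/usr/bin/curl dst=198.51.100.7 dport=443
2019-10-21T03:13:00Z connect host=web-01 user=www-data exe=/bin/sh dst=10.0.2.10 dport=5432
2019-10-21T03:14:00Z connect host=web-01 user=app exe=/usr/bin/python3 dst=10.0.2.10 dport=5432
""".splitlines()

if __name__ == "__main__":
    for ev, reasons in detect(BASELINE, NEW):
        print(ev.ts, "ALERT" if reasons else "ok", "; ".join(reasons))
    print("cardholder DB access trail:")
    for row in cardholder_db_accesses(BASELINE + NEW):
        print("  ", *row)
```

Note that nothing in the attack sequence would match a network signature: the callout is plain TLS to port 443 and the database query arrives from the same host and port the application always uses. The host-side view (which binary, with which parent, under which user) is what separates it from the normal query on the last line.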
Understand your compliance misconfigurations, anomalies, or hidden threats by taking our Free Cloud Threat Assessment.
Photo by Profit_Image on Shutterstock