Monitoring critical system files, configuration files, and content files for unusual or unauthorized activity is one of the core requirements of the PCI-DSS, the payment card industry’s security standard. As such, file integrity monitoring (FIM) is a necessary activity for companies that process or store credit card data. Security teams can choose from any number of endpoint security tools to handle FIM for PCI compliance, but some solutions do more than others.
In this article we’ll highlight the basic FIM requirements of PCI, and explain how you can meet multiple PCI compliance standards—including FIM—with one powerful endpoint security tool.
What Do PCI & DSS Stand for?
A set of security standards formed in 2004 by Visa, MasterCard, Discover Financial Services, JCB International and American Express, PCI and DSS stands for Payment Card Industry Data Security Standard.
What Does PCI DSS Apply to?
Applying to all entities that store, process, and/or transmit cardholder data, and all technical and operational system components included or connected to cardholder data, if you are a merchant who accepts or processes payment cards, you must comply with PCI DSS.
What Are the 4 PCI Standards?
There are 4 levels to PCI DSS compliance that determine which compliance category an organization pertains to based on the volume of card transactions it handles per year. As for standards, there are 12 security requirements that comprise the PCI DSS data security standard for the payment card industry that is maintained by the PCI Security Standards Council.
FIM: A PCI Requirement
To protect cardholder data, the PCI-DSS outlines a set of 12 requirements that apply to all businesses which store, process, or transmit payment card data. While some of these requirements have to do with physical processes, two of them—requirements 10 and 11—provide specific guidelines on how to protect the data stored within computer networks:
- Requirement 10.5.5 requires businesses to “use file integrity monitoring or change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).”
- Requirement 11.5 requires businesses to “deploy a change detection mechanism (for example, file integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.”
To address these PCI requirements, security teams employ file integrity monitoring software, or other security software with embedded FIM capability.
FIM tools monitor all file modifications—including additions (new files being created), changes, and deletions—and alert specified personnel when unauthorized changes to files and directories occur. (Tweet this!)
If not properly implemented, unauthorized changes can result in other security controls being rendered ineffective and cardholder data being stolen with no other perceptible impact.
What Is a PCI DSS Framework?
PCI DSS is a compliance framework and an industry-mandated set of standards to keep consumers’ card data safe when it is used with merchants and service providers.
PCI DSS Compliance Checklist
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use default passwords.
- Protect cardholder data.
- Encrypt the transmission of cardholder data.
- Protect against malware.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Monitor access to network resources and cardholder data.
- Regularly test security systems and processes.
- Create and maintain an information security policy.
PCI DSS Control Objectives
Protecting cardholder data wherever it is processed, stored, or transmitted is the goal of PCI DSS. The PAN - primary account number printed on the front of a payment card is an example of a security control and process required by PCI DSS vital to protecting cardholder account data.
What Is a PCI DSS Framework?
PCI DSS is a compliance framework and an industry-mandated set of standards to keep consumer's card data safe when it is used with merchants and service providers.
PCI DSS Compliance Checklist
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use default passwords.
- Protect cardholder data.
- Encrypt the transmission of cardholder data.
- Protect against malware.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Monitor access to network resources and cardholder data.
- Regularly test security systems and processes.
- Create and maintain an information security policy.
PCI DSS Control Objectives
Protecting cardholder data wherever it is processed, stored, or transmitted is the goal of PCI DSS. The PAN - primary account number printed on the front of a payment card is an example of a security control and process required by PCI DSS that is vital for protecting cardholder account data.
Using Uptycs as a PCI-Compliant FIM
Finding the right file integrity monitoring software can be a challenge, particularly when you’re managing a hybrid of cloud and on-premises infrastructure across macOS, Linux, and Windows. FIM is a key capability of Uptycs, an osquery-powered security analytics platform.
It allows you to manage file integrity across complex networks, so that instead of relying on several platforms to monitor Windows, Mac, and Linux, you can monitor all file activity in one unified environment. The Uptycs FIM module provides full visibility across operating systems with continuous file monitoring, flexible configuration options, file change analysis, and contextual alerts. As a result, security engineers, site reliability engineers, incident response teams and IT professionals are better equipped to secure and monitor endpoint fleet and server workloads.
When using Uptycs as a PCI-compliant FIM software, simply identify which files or paths you want to monitor, and Uptycs will look for changes as they occur. If you’ve requested alert notifications, Uptycs will notify you in real time, sending a message via email, Slack, or an incident management platform like PagerDuty. Uptycs also integrates with your SOAR and SIEM solutions.
Our file integrity monitoring solution leverages the versatility of the open source agent osquery. Using over 200 system tables, Uptycs can provide detailed insight around which file was modified, the process name and ID, the date, time, and user that performed the action, and more, allowing security team members to quickly respond to potential breaches and unauthorized modifications.
The Uptycs file integrity monitoring solution also provides the ability to analyze historical data, recreating an asset at a given point in time to reveal exactly what happened to critical files, and how the incident occurred.
Using Uptycs for Other PCI-DSS Compliance Requirements
As an endpoint security analytics platform, Uptycs can also be used to meet other endpoint-focused PCI requirements:
Vulnerability Detection
Vulnerability detection is a way for security teams to identify potential vulnerabilities in the software running within their environments; it’s also another core requirement of the PCI-DSS. PCI-DSS Requirement 11 calls for organizations to regularly test security systems and processes, while 11.2 requires vulnerability scanning. The Uptycs platform provides out-of-the-box Linux vulnerability detection capabilities that allow organizations to meet this requirement.
Login Auditing
Login auditing can help organizations meet Requirement 10.6, which calls for monitoring of security logs. To ensure compliance, there should be a limited set of users logging into the servers that fall under PCI requirements. Uptycs can provide greater visibility into logins, monitoring and alerting when unusual or unexpected users access the servers and infrastructure.
Ready to explore other compliance ideas with osquery? Watch the video “Thou Shalt Query: Compliance Ideas with Osquery.”