You are on page 1of 12

1

In today’s competitive world every company wants to give


the best service to their customers to make their life easy.
One of the most popular facility in today’s world are credit
card through which user can borrow money for payment to
merchants or as a cash advance to the users.

To secure the cardholder’s data is a critical concern for


merchants & service providers. For getting the customer’s
trust & giving them satisfaction the five major credit card
companies (Discover Financial Services, American
Express, Visa International JCB, Master-Card Worldwide)
united to support the latest independent body recognized
as the Payment Card Industry Security Standards Council
(PCI SSC), to make stronger security controls among their
members.

If the business process transmits credit card holder’s data,


Payment Card Industry (PCI)
then the business should comply with PCI compliance
security standards. No matter how many credit cards Payment Card Industry data Security Standard (PCI
company processes or handles, it must comply with all DSS) is an international information security
Payment Card Industry Data Security standards (PCI DSS)
standard assembled by the Payment Card Industry
and if the businesses fail to comply with PCI DSS
Security Standards Council (PCI SSC). The
compliance then they may be imposed by stiff fines and
standard was created to help organizations that
penalties. process card payments to prevent credit card fraud
through increased controls around data and its
So how can the business achieve these stringent new PCI exposure to compromise.
DSS compliance requirements on time, without
overburdening IT staff or wasting valuable resources?
Why should you be concerned?
Secure Auditor can help, with a strategic, identity based A most important priority to the card associations is
approach to PCI DSS compliance that addresses the assuring that cardholder information is handled in a
complete range of requirements. This allows the business
secure manner. All merchants will be required to
to simplify and automate PCI DSS compliance and
meet compliance guidelines. Failure to comply with
enhance overall IT Security and operations.
these regulations can result in significant fines for
merchants and the possible cancellation of payment
Benefits of Secure Auditor PCI Compliance processing capabilities.
• Improve Network Security & Business PCI DSS compliance Requirements
• Create a safer environment for the customers
• Protect servers and systems • Build and maintain a secure IT network
• Comprehensive reports • Protect cardholder’s data
• Up-to-date security • Maintain a vulnerability management program
• Get Customers trust & satisfaction • Implement strong access control measures
• Secure from penalties • Regularly monitor and test networks
• Safe and easy-to-use • Maintain an information security policy

Secure Auditor Compliance Statement for PCI DSS compliance


2

Secure Auditor’s Purposed Solution Matrix


Secure Auditor with over 30 embedded utilities has been designed to help organizations to comply PCI DSS Compliance.

PCI Clause No PCI Clause Illustration Compliance statement

PCI/DSS Requirement 1 ( Install and maintain a firewall configuration to protect cardholder data

PCI/DSS 1.1.5 Documentation and business 1.1.5.b Identify insecure services, Secure Auditor’s port scanner allow users to
justification for use of all protocols, and ports allowed; and check insecure ports like FTP, HTTP, TFTP
services, protocols, and ports verify they are necessary and that and SNMP it also identifies Peer to Peer data
allowed, including security features are documented sharing application (P2P), Voice over IP
documentation of security and implemented by examining (VoIP), Games Ports and Trojan Ports on the
features implemented for those firewall and router configuration host system or network. This helps in checking
protocols considered to be standards and settings for each if the host computer is running any software
insecure. service. An example of an insecure against policy and to find the Trojans present
service, protocol, or port is FTP, on the host computer. It also provides
which passes user credentials in information about the Trojan ports to the end
clear-text. users, which they can use to double check
whether it is a Trojan port or not and if yes then
how to remove the Trojan.

PCI/DSS 1.2.2 Secure and synchronize router Verify that router configuration files Secure Auditor’s Cisco configuration Manager
configuration files. are secure and synchronized for utility allows the user to download ‘Startup’ and
example, running configuration files ‘Running’ configurations of Cisco Routers and
(used for normal running of the change/compare the configurations of different
routers) and start-up configuration routers on the network. This utility not only
files (used when machines are allows the users to change or compare
rebooted), have the same, secure configurations but also creates a date-wise
configurations. backup each time a configuration is uploaded
into a router. This allows the user to have a
complete trail of changes made on each router
with dates and fulfill compliance requirements.
Users can also use embedded TFTP server
provided with this utility to save configurations.

PCI/DSS 1.3.6 Implement stateful inspection, Verify that the firewall performs Secure Auditor’s port scanner provides option
also known as dynamic packet stateful inspection (dynamic packet to check all TCP ports along with UDP ports.
filtering. (That is, only filtering). [Only established
”established” connections are connections should be allowed in,
allowed into the network. and only if they are associated with
a previously established session
(run a port scanner on all TCP ports
with “syn reset” or ”syn ack” bits
set—a response means packets are
allowed through even if they are not
part of a previously established
session).

PCI/DSS 1.4 Install personal firewall software Verify that the personal firewall Secure Auditor conducts audit on Windows
on any mobile and/or employee software is configured by the based machines in which it detects whether
owned computers with direct organization to specific standards desktop firewall software is installed or not. It
connectivity to the Internet (for and is not alterable by mobile verifies the presence of personal firewalls on
example, laptops used by computer users. both office and mobile users.
employees), which are used to
access the organization’s
network.

Secure Auditor Compliance Statement for PCI DSS compliance


3

PCI Clause No PCI Clause Illustration Compliance statement

PCI/DSS Requirement 2 ( Do not use vendor-supplied defaults for system passwords and other security parameters

PCI/DSS 2.1 Always change vendor-supplied Choose a sample of system Secure Auditor provides multiple tools to
defaults before installing a components, critical servers, and identify default passwords in a system. Secure
system on the network—for wireless access points, and attempt Auditor embedded tools like Oracle password
example, include passwords, to log on (with system administrator Auditor, MSSQL Password Auditor, Oracle
simple network management help) to the devices using default Default Password Tester, MSSQL Default
protocol (SNMP) community Vendor-supplied accounts and Password Tester, MSSQL Password Auditor
strings, and elimination of passwords, to verify that default and Windows Password Auditor, all these tools
unnecessary accounts. accounts and passwords have been identify the existence of default passwords in
changed. (Use vendor manuals and the system and facilitate compliance with PCI
sources on the Internet to find clause. With the help of SNMP Browser, user
vendor-supplied counts/passwords.) can easily view the entire list of default SNMP
enabled devices. SNMP Scanner identifies the
default community string enabled on the
network. All of these tools facilitate the
compliance tasks of an organization with ease
of use.

PCI/DSS 2.1.1 For wireless environments Default SNMP community strings on SNMP Browser identifies the default SNMP
connected to the cardholder data wireless devices were changed. community names on the machines. SNMP
environment or transmitting Brute Force attacker clearly shows that SNMP
cardholder data, change wireless default community strings are changed or not.
vendor defaults, including but not
limited to default wireless
encryption keys, passwords, and
SNMP community strings.
Ensure wireless device security
settings are enabled for strong
encryption technology for
authentication and transmission.

PCI/DSS 2.2 Develop configuration standards Examine the organization’s system Secure Auditor examines the overall health of
for all system components. configuration standards for all types an organization through its audit process in
Assure that these standards of system components and verify the which it identifies system components and
address all known security system configuration standards are configuration settings. Secure Auditor follows
vulnerabilities and are consistent consistent with industry-accepted standards of NIST and contains profiles
with industry accepted system hardening standards—for example, according to guidelines of PCI DSS, SANS,
hardening standards. SysAdmin Audit Network Security SOX, CIS etc. According to these profiles audit
(SANS), National Institute of is conducted on specified machines.
Standards Technology (NIST), and
Center for Internet Security (CIS).

PCI/DSS 2.2 .2 Disable all unnecessary and For a sample of system Secure Auditor checks registry and
insecure services and protocols components, inspect enabled unnecessary or insecure services or protocols
(services and protocols not system services, daemons, and which are enabled, It is also capable to identify
directly needed to perform the protocols. Verify that unnecessary or security flaws in it.
device’s specified function) insecure services or protocols are
not enabled, or are justified and
documented as to appropriate use of
the service. For example, FTP is not
used, or is encrypted via SSH or
other technology.

Secure Auditor Compliance Statement for PCI DSS compliance


4

PCI Clause No PCI Clause Illustration Compliance statement

PCI/DSS 2.2.3 Configure system security 2.2.3.b Verify that common security Secure Auditor contains embedded profiles
parameters to prevent misuse. parameter settings are included in the that are based on common security
system. parameters defined by international
institutions and compliance standards like PCI
DSS, SANS, SOX, ISACA, CIS etc. Once an
audit is conducted against these standards,
systems are verified according to common
security parameters.

2.2.3.c For a sample of system In Secure Auditor multiple profiles are


components, verify that common embedded that define security parameters of
security parameters are set particular industry. By using these security
appropriately standards user can clearly check that security
parameters are set appropriately or not.

PCI/DSS 2.2.4 Remove all unnecessary For a sample of system components, Secure Auditor checks default registry
functionality, such as scripts, verify that all unnecessary settings that can facilitate in identification of
drivers, features, subsystems, functionalities (for example, scripts, unnecessary functions, configured and
file systems, and unnecessary drivers, features, subsystems, file allowed on a system.
web servers. systems, etc.) are removed. Verify
enabled functions are documented
and support secure configuration, and
that only documented functionality is
present on the sampled machines.

PCI/DSS 2.3 Encrypt all non-console 2.3 For a sample of system Secure Auditor after conducting an audit
administrative access. Use components, verify that no console informs you about the access control for all
technologies such as SSH, VPN, administrative access is encrypted by users and also shows services, encryption,
or SSL/TLS for web based :-Observing an administrator log on to remote log-in and parameter files on systems.
management and other non- each system to verify that a strong By using the Secure Auditor's Event Log
console administrative access. encryption method is invoked before Viewer utility all logs of administrative access
the administrator’s password is can be checked.
requested; - Reviewing services and
parameter files on systems to
determine that Telnet and other
remote log-in commands are not
available for use internally; and –
Verifying that administrator access to
the web based management
interfaces.

Secure Auditor Compliance Statement for PCI DSS compliance


5

PCI Clause No PCI Clause Illustration Compliance statement

PCI/DSS Requirement 3: (Protect stored cardholder data)

PCI/DSS 3.5.1 Restrict access to cryptographic 3.5.1 Examine user access lists to Secure Auditor’s Access rights auditor inform
keys to the fewest number of verify that access to keys is restricted about access privileges to tables which
custodians necessary. to very few custodians. contain cryptographic keys.

PCI/DSS 3.6 Fully document and implement 3.6.a Verify the existence of key- Secure Auditor by conducting, an audit
all key-management processes management procedures for keys according to PCI DSS, SANS, SOX, ISACA
and procedures for cryptographic used for encryption of cardholder and CIS helps in indentifying key
keys used for encryption of data. Note: Numerous industry management from different resources
cardholder data, including the standards for key management are including NIST.
following. available from various resources
including NIST, which can be found at
http://csrc.nist.gov.

5.2.c For a sample of system Secure Auditor's Software Inventory viewer


components including all operating helps to identify all installed software on the
system types commonly affected by system according to the company policy and
malicious software, verify that also indentifies all extra or malicious Installed
automatic updates and periodic scans software’s. Secure Auditor also informs
are enabled. whether periodic scan and automatic updates
are enabled or not.

PCI/DSS Requirements 4 ( Encrypt transmission of cardholder data across open, public networks)

PCI/DSS 4.2 Never send unencrypted PANs 4.2.b Verify the existence of a policy Secure Auditor's port scanner identifies open
by end-user messaging stating that unencrypted PANs are ports which uses plain text data like FTP,
technologies (for example, e- not to be sent via end-user HTTP, TFTP and SMTP software, because
mail, instant messaging, chat). messaging technologies. the data should be encrypted on both public
and private networks, usage should be limited
only to those protocol and software's that
support encryption.

Secure Auditor Compliance Statement for PCI DSS compliance


6

PCI Clause No PCI Clause Illustration Compliance statement

PCI/DSS Requirements 5 ( Use and regularly update anti-virus software)

PCI/DSS 5.1 Deploy anti-virus software on all For a sample of system Secure Auditor checks for
systems commonly affected by components including all antivirus software and its last
malicious software (particularly operating system types updated file. Making it easily
personal computers and servers.) commonly affected by malicious verifiable through Secure Auditor
software, verify that anti-virus whether Antivirus is deployed and
software is deployed if applicable up to dated.
anti-virus technology exists

PCI/DSS 5.1.1 Ensure that all anti-virus 5.2.c For a sample of system Secure Auditor's Software
programs are capable of components including all Inventory viewer helps to identify
detecting, removing, and operating system types all installed software on the
protecting against all known types commonly affected by malicious system according to company
of malicious software. software, verify that automatic policy and also indentifies all
updates and periodic scans are extra or malicious software’s.
enabled. Secure Auditor also informs
whether periodic scan and
automatic updates are enabled.

PCI/DSS 5.2 Ensure that all anti-virus 5.2.a Obtain and examine the Secure Auditor performs checks
mechanisms are current, actively policy and verify that it requires to identify that an anti virus is
running, and capable of updating of antivirus software and running on a windows based
generating audit logs. definitions. machine. It also keeps a check on
its updated definitions file are
informs the user about the last
update of the antivirus on a
particular system.

PCI/DSS Requirements 6 ( Develop and maintain secure systems and applications)

PCI/DSS 6.1 PCI DSS Requirements Ensure 6.1.a For a sample of system Secure Auditor regularly checks
that all system components and components and related software, patches installed on Windows,
software have the latest vendor compare the list of security Oracle and MSSQL. It compares
supplied security patches patches installed on each system the list of security patches
installed. Install critical security to the most recent vendor security installed on each system to the
patches within one month of patch list, to verify that current most recent vendor security patch
release. vendor patches are installed. list, to verify that current vendor
patches are installed or not. It
clearly indicates patches that are
yet to be installed.

6.1.b Examine policies related to Secure Auditor checks patches


security patch installation to verify and depicts their date for the last
they require installation of all file update that makes it possible
critical new security patches for cross check policy
within one month. requirements of updating security
patch installation within 1 month.

Secure Auditor Compliance Statement for PCI DSS compliance


7

PCI Clause No PCI Clause Illustration Compliance statement

PCI/DSS 6.2 6.2.b Verify that processes to 6.2.b Verify that processes to Secure Auditor conducts an audit
identify new security identify new security according to predefined
vulnerabilities include using vulnerabilities include using embedded profiles that are based
outside sources for security outside sources for security on common security parameters
vulnerability information and vulnerability information and defined by international
updating the system configuration updating the system configuration institutions and compliance
standards reviewed in standards reviewed in standards like PCI DSS, SANS,
Requirement 2.2 as new Requirement 2.2 as new SOX, ISACA and CIS. After
vulnerability issues are found. vulnerability issues are found. auditing it identifies vulnerabilities
and provides the description and
step by step solution for Identified
vulnerabilities.

PCI/DSS 6.3.6 Removal of custom application Custom application accounts, Secure Auditor detects default
accounts, user IDs, and user IDs and/or passwords are passwords in Oracle MSSQL and
passwords before applications removed before system goes into Oracle based applications, during
become active or are released to production or is released to the enumeration phase default
customers customers. password in windows can be
checked .With the help of Secure
Auditor default passwords can be
checked easily which should
removed, before going to
customers or before starting
production.

PCI/DSS 6.4 Follow change control procedures 6.4 b. For a sample of system System component and security
for all changes to system components and recent patches changes defined in
components changes/security patches, trace change control documents can be
those changes back to related verified through identification by
change control documentation. Secure Auditor with the help of
For each change examined. audit and enumeration.

PCI/DSS Requirements 7 ( Restrict access to cardholder data by business need to know )

PCI/DSS 7.1.1 Assignment of privileges is based Confirm that privileges are Access Rights auditor conducts
on individual personnel’s job assigned to individuals based on an audit on role based access
classification and function. job classification and function rights granted on oracle and
(also called “role-based access MSSQL server.
control” or RBAC).

PCI/DSS 7.1.4 Implementation of an automated 7.1.4 Confirm that access Secure Auditor provides the
access control system controls are implemented via an information about the file and
automated access control folder permission. It checks the
system. user rights and privileges on the
system.

PCI/DSS 7.2.2 Assignment of privileges to Confirm that access control Access rights auditor clearly
individuals based on job systems are configured to enforce audits and demonstrates that
classification and function. privileges assigned to individuals access rights and privileges are
based on job classification and assigned in accordance with the
function. needs and requirements of job
functions.

Secure Auditor Compliance Statement for PCI DSS compliance


8

PCI Clause Illustration Compliance statement


PCI Clause No

PCI/DSS Requirements 8 ( Assign a unique ID to each person with computer access)

PCI/DSS 8.5.3 Set first-time passwords to a 8.5.3 Examine password Secure Auditor's Password
unique value for each user and procedures and observe security Auditor tools helps identify
change immediately after the first personnel to verify that first-time default, common easily guessable
use. passwords for new users are set passwords. It can help you to
to a unique value for each user identify whether a user changed
and changed after first use. their default password provided
by the administrator. Secure
Auditor also checks password
policy according to the
Company’s Standards.

PCI/DSS 8.5.5 Remove/disable inactive user Verify that inactive accounts over Secure Auditor shows in its audit
accounts at least every 90 days. 90 days old are either removed or results the number of inactive
disabled. accounts for over 90 days.

PCI/DSS 8.5.6 Enable accounts used by vendors 8.5.6 Verify that any accounts Secure Auditor Checks the
for remote maintenance only used by vendors to support and default accounts which exist in
during the time period needed. maintain system components are the system and also respective
disabled, enabled only when informs whether the account is
needed by the vendor, and enabled or disabled. The
monitored while being used. activities of user accounts can be
traced by using Secure Auditor’s
Event Log Viewer tool,
furthermore one can use default
password tester to test the
accounts with default passwords.

PCI/DSS 8.5.8 Do not use group, shared, or 8.5.8. A. For a sample of system Secure Auditor’s audit process
generic accounts and passwords. components, examine user ID identifies generic user IDs and
lists to verify the following shared user IDs which are
Generic user IDs and accounts present in the system. Secure
are disabled or removed. * Auditor also depicts privileges
Shared user IDs for system given to the particular shared
administration activities and other account and determines whether
critical functions do not exist. privileges for system activities
Shared and generic user IDs are and other critical functions exist.
not used to administer any Event log viewer verify this
system components. Audit, feature in much detail by showing
password audit, logs that generic user Ids are
used by someone as it is not
possible for anyone to use
disabled IDs . Password Auditor
fetches passwords and
usernames for a particular system
that determines user enabled IDs
on a system.

PCI/DSS 8.5.9 Change user passwords at least For a sample of system Secure Auditor identifies the
every 90 days. components, obtain and inspect passwords that are 90 days old or
system configuration settings to more. It also checks the
verify that user password password policy to make sure
parameters are set to require password parameters are set in a
users to change passwords at way that requires users to change
least every 90 days. passwords at least every 90 days.

Secure Auditor Compliance Statement for PCI DSS compliance


9

PCI Clause No PCI Clause Illustration Compliance statement

PCI/DSS 8.5.10 Require a minimum password For a sample of system Secure Auditor verifies
length of at least seven components, obtain and inspect implemented password policy on
characters. system configuration settings to a system or database and checks
verify that password parameters whether the password policy
are set to require passwords to parameters are set to accept a
be at least seven characters long. minimum of at least seven
characters.

PCI/DSS 8.5.11 Use passwords containing both For a sample of system Secure Auditor also checks
numeric and alphabetic components, obtain and inspect password policy to determine that
characters. system configuration settings to password policy is set to use
verify that password parameters strong passwords that contain
are set to require passwords to numerical and alphabetical
contain both numeric and characters. It also identifies and
alphabetic characters. For service fetches weak passwords on a
providers only, review internal system that verifies extend of
processes and customer /user implications on password policy.
documentation to verify that
customer passwords are required
to contain both numeric and
alphabetic characters.

PCI/DSS 8.5.12 Do not allow an individual to For a sample of system Secure Auditor checks the
submit a new password that is the components, obtain and inspect password policy and checks if the
same as any of the last four system configuration settings to password history is properly set
passwords he or she has used. verify that password parameters according to the PCI standards.
are set to require that new
passwords cannot be the same
as the four previously used
passwords.

PCI/DSS 8.5.13 Limit repeated access attempts For a sample of system Secure Auditor checks account
by locking out the user ID after components, obtain and inspect lockout policy set on a system
not more than six attempts. system configuration settings to according to the PCI standards.
verify that password parameters This feature will verify that
are set to require that a user’s password parameters are set to
account is locked out after not require that a user’s account is
more than six invalid logon locked out after not more than six
attempts. invalid logon attempts.

PCI/DSS 8.5.14 Set the lockout duration to a For a sample of system Secure Auditor checks the
minimum of 30 minutes or until components, obtain and inspect account lock out duration
administrator enables the user ID. system configuration settings to according to the PCI standards.
verify that password parameters These auditing processes verify
are set to require that once a user that account will remain locked for
account is locked out, it remains 30 minutes or until administrator
locked for a minimum of 30 enables the user ID.
minutes or until a system
administrator resets the account.

Secure Auditor Compliance Statement for PCI DSS compliance


10

PCI Clause Illustration Compliance statement


PCI Clause No

PCI/DSS Requirements 10 ( Track and monitor all access to network resources and cardholder data )

PCI/DSS 10.2.2 All actions taken by any individual Verify actions taken by any Event log viewer clearly verifies
with root or administrative individual with root or actions taken by any individual
privileges administrative privileges are with root or administrative
logged. privileges. It fetches Oracle,
MSSQL and Windows log and
displays them in a readable
manner in the form of a report
that demonstrate all active made
by users having administrative
privileges.

PCI/DSS 10.2.3 Access to all audit trails Verify access to all audit trails is Secure Auditor checks whether
logged. audit trail is being logged or not. It
checks whether audit trail logging
is enabled or disabled on the
system.

PCI/DSS 10.2.4 Invalid logical access attempts Verify invalid logical access Event log viewer generates
attempts are logged. separate report to provide lists of
logical access attempts made on
a particular system.

PCI/DSS 10.2.5 Use of identification and Verify use of identification and Event Log viewer provides logs
authentication mechanisms authentication mechanisms is related to initialization and
logged. authentication mechanisms
defined for a particular system.

PCI/DSS 10.2.6 Initialization of the audit logs Verify initialization of audit logs is With the help of Event Log viewer
logged. user can verify initialization of
audit logs.

PCI/DSS 10.2.7 Creation and deletion of system Verify creation and deletion of With the help of event log viewer
level objects system level objects is logged. user can verify the creation and
deletion of system level objects
with details that who has
performed. Such actions on a
certain time at a particular
instance.

PCI/DSS 10.3.1 User identification Verify user identification is Event Log Viewer provides facility
included in log entries. to view logs of a particular user
that helps in verifying log entries
according to a particular user

PCI/DSS 10.3.2 Type of event Verify type of event is included in Event type is clearly mentioned in
log entries. event log viewer reports.

PCI/DSS 10.3.3 Date and time Verify date and time stamp is Event log viewer represents log
included in log entries. entries along with date and time.
It helps user in verifying time and
date of a particular query

Secure Auditor Compliance Statement for PCI DSS compliance


11

PCI Clause No PCI Clause Illustration Compliance statement

PCI/DSS 10.3.4 Success or failure indication Verify success or failure Event log viewer generates
indication is included in log reports about successful or failed
entries. log in attempts made by different
users that help in determining the
number of successful and failed
log entries on a particular system.

PCI/DSS 10.3.5 Origination of event Verify origination of event is Whenever an event is occurred, it
included in log entries. is logged. Event log viewer
provides the user an ability to
trace the origination of events
along with the related machine
name and IP address.

PCI/DSS 10.3.6 Identity or name of affected data, Verify identity or name of affected Secure Auditor provides exact
system component, or resource data, system component, or instance details of infected data
resources is included in log along with name, system
entries. components and resources
through event log reports and fine
grained audit report viewable
through the Event log viewer.

PCI/DSS 10.4 Synchronize all critical system 10.4. Obtain and review the Secure Auditor checks the time
clocks and times. process for acquiring and settings that could be verified
distributing the correct time within through cross check with policy
the organization, as well as the that whether system is following
time-related system-parameter defined time related parameter
settings for a sample of system settings.
components. Verify the following
is included in the process and
implemented

10.4 .a. Verify that a known, Secure Auditor checks Network


stable version of NTP (Network time protocol that could be
Time Protocol) or similar compared a with system time to
technology, kept current per PCI check that NTP technology is
DSS Requirements 6.1 and 6.2, kept current and synchronized
is used for time synchronization. according to PCI requirements.

PCI/DSS 10.7 Retain audit trail history for at 10.7.b Verify that audit logs are Secure Auditor checks if the
least one year, with a minimum of available for at least one year and Auditing is enabled according to
three months immediately processes are in place to restore company’s policy and Secure
available for analysis (for at least the last three months’ Auditor's Event Log Viewer tool
example, online, archived, or logs for immediate analysis. can show the previous log which
restorable from backup). may be required. Logs can be
maintained by saving logs on
monthly or yearly basics.

Secure Auditor Compliance Statement for PCI DSS compliance


12

PCI Clause No PCI Clause Illustration Compliance statement

PCI/DSS 11.2 Run internal and external network 11.2. A Inspect output from the Secure Auditor conducts
vulnerability scans at least most recent four quarters of vulnerability scanning on
quarterly and after any significant internal network, host, and networks, hosts and database
change in the network (such as application vulnerability scans to assets to identify loopholes in
new system component verify that periodic security testing them. Its report facilitates
installations, changes in network of the devices within the comparison and contrast result of
topology, firewall rule cardholder data environment multiple audits conducted over a
modifications, product upgrades). occurs. Verify that the scan period of time.
process includes rescans until
passing results are obtained

11.2.b Verify that external Secure Auditor provides facilities


scanning is occurring on a to scan vulnerabilities. Automated
quarterly basis in accordance with audits can be scheduled on
the PCI Security Scanning defined dates and their reports
Procedures, can be compared to ensure
quarterly dates of audits.

11.2.c Verify that internal and/or Secure Auditor can help in


external scanning is performed verifying significant changes in
after any significant change in the the network by comparing
network, by inspecting scan variation within the reports. User
results for the last year. Verify can compare results of two years
that the scan process includes through an archive reports facility
rescans until passing results are embedded in Secure Auditor.
obtained

PCI/DSS 11.3 Perform external and internal Obtain and examine the results Secure Auditor provides
penetration testing at least once a from the most recent penetration penetration testing tools that
year and after any significant test to verify that penetration facilitate users in performing
infrastructure or application testing is performed at least penetration tests. So using
upgrade or modification annually and after any significant Secure Auditor ensures that
changes to the environment. penetration testing is performed
at least annually to fulfill the
requirement.

PCI/DSS 11.3.1 Network-layer penetration tests 11.3.1 Verify that the penetration Secure Auditor contains utilities
test includes network-layer that provide facilities to conduct
penetration tests. These tests network penetration tests like
should include components that SNMP browser, SNMP brute
support network functions as well force attacker, Port Scanner, FTP
as operating systems. and HTTP attackers etc. their
reports are also generated so the
user can compare them to identify
significant changes to the
environment and fulfill compliance
clause requirements as well.

PCI/DSS Requirement 12: Maintain a policy that addresses information security for employees and contractors.

PCI/DSS 12.1.1 Addresses all PCI DSS 12.1.1 Verify that the policy PCI DSS requirements are
requirements. addresses all PCI DSS included in Secure Auditor which
requirements. helps an organization to comply
with PCI DSS.

Secure Auditor Compliance Statement for PCI DSS compliance