Like many people, I sometimes work on my own car if the need arises, which means I have to use tools. Humanity has used tools for thousands of years, and some people, like engineers, get satisfaction from using different types of tools to accomplish a goal. Tools are pervasive in our everyday lives. I’ve been in garages where there were so many, you would wonder if someone could ever use all of them. But to me, it’s just a tool. We need tools in practically everything we do. Look at your smart phone, it’s a toolbox full of apps that help you stay organized, communicate, gain knowledge and keep you on schedule. Many of my friends say they can’t go without their phone; that it has become an indispensable tool in their everyday lives.
In a similar way, PCI DSS compliance requires the use of tools.
There’s the obvious ones explicitly spelled out in the PCI DSS:
- Firewalls/Routers - required to satisfy requirement 1
- Antivirus – required to satisfy requirement 5
- Identity management – required to satisfy requirements 7 and 8
- Multifactor authentication – required to satisfy requirement 8.3
- Video recording – required to satisfy requirement 9.1
- Logging – required to satisfy requirement 10
- Intrusion Detection Systems/Intrusion Prevention Systems – required to satisfy requirement 11.4
- Change Detection (File Integrity Monitoring) – required to satisfy requirement 11.5
And there are some that are not explicitly stated that would make your compliance life easier.
I’m going to touch briefly on some here to spark your interest, but keep in mind there are a myriad of tools out there. It all depends on how much money you can spend, and what you’re trying to accomplish.
- Governance, Risk and Compliance tool –
- These tools can help you organize your assessment evidence gathering. They typically have a workflow engine that will perform the critical steps of distributing the request for documentation, track if someone has responded, and escalate if necessary.
- Governance, Risk and Compliance tools also make for a good place to store/manage your security policy so that the staff can easily get to it, and your assessor can see you are properly distributing policy.
- Data Loss Prevention – Aside from the contribution to protecting your sensitive data, Data Loss Prevention tools have a story to tell in your scope determination. If you can show your assessor that you’ve employed Data Loss Prevention tools to look for cardholder data outside the CDE, it makes for a convincing argument that you know the scope of the environment.
- Database security tools like Trustwave’s DbProtect – The same story as Data Loss Prevention in that Database security tools help define scope by knowing where sensitive data is and where it is not, which supports your statement of scope.
- Configuration Management Database/Inventory tools
- These tools are helpful for requirement 2 where you need to manage defaults.
- They help keep systems in a specific configuration and I’ve seen many with a PCI compliance module.
- They provide an inventory of your environment for requirement 2.4.
- Hardware Security Modules – They come in handy for protecting and managing encryption keys which is in requirement 3.
- Certificate management tools – Keeping up with your certificates makes your life simpler in that you won’t have service disruptions due to an expired certificate.
- Vulnerability management – These make it easy to keep up with the myriad of vulnerabilities out there which supports compliance to requirement 6.1.
- Patch management tool – You will need to manage patches for requirement 6.2. Patch management tools simplify the process and free your time spent in management of the infrastructure.
- Code Review Tool – There are two schools of thought in inspecting custom code for vulnerabilities in requirement 6.3, one is automation and the other is peer reviews. Automation does support better but some people argue a code reviewer is going to catch more things than a tool. I’ve seen both applied effectively.
- Change management tool – You really need one for requirement 6.4. Keeping up with changes can be fairly resource intensive if you start having enough change volume.
- Log parsing tool – Let’s face it, you can’t sit watching the logs for incidents. The PCI DSS says it is optional in requirement 10, but I personally would want one just so I can sleep at night. Most of the time I see security event and incident management(SEIM) tools that have a logger and a log parser with alerting all combined into one.
- Rogue Access Point analyzer/monitor – You can walk around your entire company and inspect everybody’s systems for access points in order to satisfy requirement 11.1, but I think its much easier to just have a tool tell you where a rogue access point is. There are effective tools, and there are smart access point gateways that will do the same thing by showing you access points that were not there before and help you physically pinpoint where they are on your network.
- Learning management system – They help keep up with who was trained and help to remind (read: nag) people to complete the training for requirement 12.6. Sometimes these are add-in modules to some governance, risk and compliance tools.
- Vendor management tool – You can track third party service providers with a spreadsheet, but vendor management tools do make the process easier for requirement 12.8. These too are sometimes made part of an overarching governance, risk and compliance tool.
While this list is not exhaustive, I have hit on some of the tools I see when I’m conducting assessments that will make your life easier. Picking a new tool can be a daunting task simply because there are so many of them in the marketplace. Couple that with the fact that tools can be very expensive and there needs to be defined business requirements identified to determine what needs to be purchased or outsourced. Given how critical your PCI DSS compliance is to your customers and subsequently to your company, seeking ways to automate what you can is paramount and an integral part of information technology in the 21st century.
SecureTrust, a Trustwave division, leads the industry in innovation and processes for achieving and maintaining compliance and security. SecureTrust delivers world-class consulting, compliance and risk assessment services and solutions for the enterprise market as well as tailored merchant risk management programs and solutions for merchant program sponsors around the globe.
CLICK HERE to contact us for all Enterprise Compliance, Merchant Risk Management and Compliance Technology needs.
Drew Cathey has been a member of the SecureTrust team for five years and has been in IT for 35 years. Coming from a background in telecommunications IT operations, he has held positions in engineering, project management and IT security. Drew holds degrees in biology, engineering and an MBA in Information Technology management along with PMP, CISSP, CISA and QSA certifications. He resides in St. Petersburg, FL with his two children and enjoys running, bicycling and tennis.