PCI DSS compliance: Keep sensitive cardholder data safe
UserLock and FileAudit can help you keep sensitive cardholder data safe by addressing both users’ network access security and file access security.
Organisations worldwide are regulated by the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS compliance applies to all businesses that handle payment card data and follows common-sense steps that mirror best security practices.
As with other financial services compliance regimes (SOX, GLBA, and the FCA), PCI DSS has separate requirements relating to access security; if you fail to adhere to them, you risk both non-compliance and cyber attack.
Here's how UserLock and FileAudit can help you address both users' network access security and file access security. This PCI DSS compliance checklist is not exhaustive but will help you on your way to becoming PCI DSS compliant and keeping sensitive cardholder data safe.
"To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need-to-know and according to job responsibilities. Need to know is when access rights are granted to only the least amount of data and privileges needed to perform a job."
PCI DSS Standards | IS Decisions Solution | Feature |
---|---|---|
Do you restrict network access on a job-role basis? | UserLock | Enables the administrator to set granular access rights to different types of employees to ensure that they can only access the information they need to do their job. |
Do you review network access for employees who change roles in the organisation? | UserLock | Enables administrators to easily change access rights (permanently or temporarily) for individual users, groups of users, or organisational units. |
Do workstations automatically log users off the network following a period of inactivity? | UserLock | Automatically logs off a session after a specific length of idle time to prevent unauthorised users accessing sensitive information from unattended workstations. What’s more, UserLock can set authorised timeframes for certain users’ access and force workstations to log off outside these hours. |
"Assigning a unique identification (ID) to each person with access ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users."
PCI DSS Standards | IS Decisions Solution | Feature |
---|---|---|
Do you adopt multi-factor authentication (MFA) as per the requirement? | UserLock | Makes access controls more robust and enhances their effectiveness in verifying a user's identity. |
Do your employees need to log in to access your network and do they do so with unique login credentials? | UserLock | Ensures that nobody can log in to the system without uniquely identifiable credentials. |
Do you restrict users from sharing logins? | UserLock | Prevents concurrent logins with the same set of user credentials — helping to eradicate dangerous password sharing practices and stop unauthorized access. |
Can you attribute actions on the network to individual users? | UserLock | Helps administrators verify all users’ identity at any time, making users accountable for any activity — malicious or otherwise. |
Do you enforce the secure use of passwords? | UserLock | Strengthens unique network login credentials with context-aware access restrictions and user reminders, which help verify that a person seeking access to the network and the information within is genuinely who they say they are. |
"Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult, if not impossible, without system activity logs."
PCI DSS Standards | IS Decisions Solution | Feature |
---|---|---|
Do you monitor access to the network? | UserLock | Monitors all logon and logoff activity in real time to ensure that the only people who can access the network, and the vital data within it, are the people who need to. UserLock alerts administrators to any suspicious, disruptive or unusual logins based on time, location and device. |
Do you monitor specific actions on files or folders, like copying, moving and deleting? | FileAudit | Monitors all files and folders on your network in real time and records all actions that users take when making modifications. It verifies that users have not altered or destroyed customer information or other sensitive data in an unauthorised manner. |
Do you conduct regular security audits or reports? | UserLock, FileAudit | Records and audits all network logon events, across all session types, from a central system. Audits all access and changes to files and folders, and immediately alerts administrators to suspicious behaviour. |