PCI DSS IT Compliance
Third Rock Assurance™ proves PCI compliance by assessing deployed systems against approved references.
The PCI Data Security Standard (PCI DSS) mandates that all systems involved in credit card transaction processing have controls in place to validate that applications and configurations are securely deployed. Additionally, PCI requires that organizations must detect and notify when unauthorized changes are made to critical system files and configurations.
Third Rock Assurance™ proves PCI compliance by assessing deployed systems against approved PCI references, detecting and reporting on any deviations. By generating an audit trail which proves that only approved and documented changes are being deployed to managed systems, our solutions dramatically reduce the cost of audits.
Proving PCI compliance
- Verifying that systems are compliant with PCI standards
- Detecting and alerting when unauthorized changes are made to monitored systems
- Generating reports that demonstrate historical PCI compliance
PCI controls covered...
- 02.2.2 Disable all unnecessary and insecure services and protocols
- 02.2.3.c Configure system security parameters to prevent misuse
- 07.2.3 Confirm that the access control systems has a default “deny-all” setting
- 08.4.a Verify that passwords are unreadable during transmission and storage
- 08.4.b Password files to verify that customer passwords are encrypted
- 08.5.08.a Generic user IDs and accounts are disabled or removed
- 08.5.09 Change user passwords at least every 90 days
- 08.5.10 Require a minimum password length of at least seven characters
- 08.5.11 Use passwords containing both numeric and alphabetic characters
- 08.5.12 Do not allow a new password that is the same as any of the last four passwords
- 08.5.13 Limit repeated access attempts by locking out the user ID after not more than six attempts
- 08.5.14 Set the lockout duration to a minimum of 30 minutes or until administrator enables the user ID
- 08.5.15 Session Idle Timeout
- 10.2.4 Verify invalid logical access attempts are logged
- 10.2.5 Verify use of identification and authentication mechanisms is logged
- 10.2.6 Verify initialization of audit logs is logged
- 10.5.5 Use file integrity monitoring and change detection software
- 10.4.a Verify that NTP is being used to synchronize clocks
- 11.5.a Deploy file-integrity monitoring tools
- 12.3.8 Verify usage policies require automatic disconnect of sessions for remote-access after inactivity