File integrity monitoring (FIM) is essential for securing data and meeting compliance regulations. In particular, the Payment Card Industry Data Security Standard (PCI DSS) requires organizations to use FIM to help secure their business systems against card data theft by detecting changes to critical system files. This article explains these PCI DSS requirements and how to achieve compliance using FIM.
What are PCI DSS compliance requirements?
PCI DSS is a set of technical and operational security standards designed to ensure the security of cardholder data. Compliance with PCI DSS is required for all organizations that accept, process, use, store, manage or transmit credit card information.
Types of data regulated by PCI DSS
PCI DSS covers two categories of data:
- Cardholder information, including account numbers, cardholder names, service codes and card expiry dates
- Sensitive authentication data, such as magnetic-stripe data or the chip equivalent, PIN blocks and PINs, and card verification values (CAV2/CVC2/CVV2/CID)
Core requirements
To protect this data from improper handling and breaches, PCI DSS includes the following 12 essential requirements:
- Establish a secure firewall configuration to help secure cardholder data.
- Avoid using vendor-supplied defaults for system passwords and other security parameters.
- Protect all stored cardholder data.
- Encrypt cardholder data during transmission across all networks, especially public ones.
- Minimize the vulnerability of all systems to malware, including ensuring regular updates of antivirus software.
- Develop and maintain secure systems and program
- Implement strong data access controls that restrict access to cardholder data in the environment on a need-to-know basis.
- Detect and verify access to different system components.
- Restrict physical access to cardholder data.
- Monitor all access requests to network resources and cardholder data.
- Test security systems regularly.
- Create and maintain an information security policy for all personnel.
Penalties
Failure to meet PCI DSS requirements can result in steep penalties and fines. The contract between a merchant and a payment processor defines the size and terms of the fee for a violation, which can be as much as $5,000 to $100,000 per month. In addition to the financial impact of these fines, a single violation can seriously damage your company’s market reputation and lead to expensive lawsuits, or even suspension of your ability to accept credit card payments.
How can file integrity monitoring help with PCI DSS compliance?
What is file integrity monitoring?
File integrity monitoring (FIM) software tracks changes to sensitive system and configuration files and alerts security teams about any modifications that present security risks. For example, an improper modification of a critical configuration file or registry, whether deliberate or accidental, could allow attackers to gain control of key system resources, execute malicious scripts and access sensitive data. Accordingly, FIM is a recommended best security practice mandated by many compliance standards, including PCI DSS.
In the context of PCI compliance, file integrity monitoring can help ensure protection of sensitive credit card data. For instance, one way attackers extract credit card data is by injecting malicious code into the operating system configuration files. A FIM tool can detect this change by checking those files against the established baseline. The process uses a secure hash algorithm (SHA) that ensures that even small file changes result in a vastly different hash value than the one generated by the properly configured file, causing the integrity check to fail. As a result, FIM makes it virtually impossible for malicious code injected into authentic system files to go undetected.
PCI DSS requirements for file integrity monitoring
PCI DSS lists file integrity monitoring as one of its core requirements. Specifically, Requirement 11.5 states that organizations must “Use File-Integrity Monitoring or Change-Detection software on logs to ensure that existing log data cannot be changed without generating alerts.”
File monitoring software can also help organizations meet other PCI DSS requirements, including:
- Requirement 1: Install and manage a firewall configuration to build a secure network for cardholder data
- Requirement 2: Avoid using vendor-supplied defaults for system passwords and other security parameters
- Requirement 6: Develop and maintain secure systems and programs
- Requirement 10. Monitor and track all access requests to network resources and cardholder data regularly
- Requirement 11. Test security systems regularly
Which types of data should be monitored for integrity?
Integrity monitoring should include all of the following types of data:
System files and libraries
In Windows operating systems, you need to watch these system files and library folders:
- C:WindowsSystem32
- Boot/start, password, Active Directory, Exchange SQL, etc.
If you’ve got a Linux system, you should monitor these critical directories:
- /trash
- /sbin
- /usr/bin
- /usr/sbin
Application files
It’s important to closely monitor program files such as firewalls, media players, antivirus software, configuration files, and libraries.
On Windows systems, these are files stored in:
- C:Program Files
- C:Program Files (x86)
On Linux systems, these files are stored in:
- /opt
- /usr/bin
- /usr/sbin
Configuration files
Configuration files control the functions of a device and application. Examples include the Windows registry and text-based configuration files on Linux systems.
Log files
Log files contain records of events, including access and transaction details and errors. In Windows operating systems, log files are stored in the event viewer. In UNIX-based systems, they are in the system’s /var/log directory.
How can Netwrix help?
Netwrix Change Tracker helps organizations achieve and maintain PCI DSS compliance by enabling IT teams to maintain secure configurations for critical systems. In particular, the solution can help you:
- Harden critical systems with customizable build templates from multiple standards bodies, including CIS, DISA STIG and SCAP/OVAL.
- Verify that your critical system files are authentic by tracking all modifications to them and making it easy to review a complete history of all changes.
- Detect malware and other threats promptly and speed effective incident response.
- Reduce the time and effort spent on compliance reporting with 250+ CIS certified reports covering NIST, PCI DSS, CMMC, STIG and NERC CIP.
FAQ
What are the penalties for non-compliance with PCI DSS?
The payment brands can impose steep fines of $5,000 to $100,000 per month for violations of PCI DSS. In addition, your company’s reputation may suffer irreparable damage, and your business may be suspended from accepting card payments.
Why should organizations monitor file integrity?
By monitoring file integrity, organizations ensure that critical system configuration files are not changed without authorization. Using file integrity monitoring (FIM) technology for the PCI DSS requirements will help your organization avoid compliance violations.
Is FIM required by PCI DSS?
Yes. PCI DSS requirement 11.5 explicitly states that organizations subject to the mandate must deploy FIM to guarantee that the system generates alerts whenever log data is changed.