Payment Card Industry Data Security Standard (PCI DSS) compliance means adhering to the requirements set by the PCI, a regulatory mandate that organizations must meet to show that the cardholder data they collect is secure. If your organization stores, transmits, or processes credit card information in any way, it is imperative to comply with the standards put forth by the Payment Card Industry Security Standards Council.
PCI DSS requirements comprise multiple guidelines on network security, physical security, access control, data protection, and more to ensure that cardholder data remains secure and protected from data breaches.
PCI DSS compliance is pivotal to secure and safeguard sensitive cardholder data from data breaches and unauthorized access. All organizations that transmit, store, or process cardholder data, regardless of their size, must comply with the PCI DSS. This applies to:
Businesses that accept or process payment cards, irrespective of the payment method.
Organizations that handle payment card data on behalf of merchants, such as those that provide payment gateways, processing, and other related services.
Institutions that handle cardholder data, such as banks or payment processors.
E-commerce businesses and other businesses that accept payment through cards and the external payment gateways and platforms they use.
Apart from these entities, any organization that stores, processes, or otherwise interacts with cardholder data must comply with PCI DSS requirements. The consequences of non-compliance go beyond financial penalties and can include reputational damage, loss of business, and data breaches.
The PCI DSS sets a baseline for the technical and operational measures that must be adopted by organizations to safeguard cardholder data and the payment environment. As per PCI DSS v4.0, there are 12 requirements that can be broadly classified into six PCI DSS goals to safeguard cardholder data. Each of these requirements has granular guidelines on how it can be assessed and met. The following table lists the high-level requirements.
| Goals | PCI DSS requirements |
| --- | --- |
| Build and maintain a secure network and systems | 1. Install and maintain network security controls. 2. Apply secure configurations to all system components. |
| Protect account data | 3. Protect stored account data. 4. Protect cardholder data with strong cryptography during transmission over open, public networks. |
| Maintain a vulnerability management program | 5. Protect all systems and networks from malicious software. 6. Develop and maintain secure systems and software. |
| Implement strong access control measures | 7. Restrict access to system components and cardholder data by business need to know. 8. Identify users and authenticate access to system components. 9. Restrict physical access to cardholder data. |
| Regularly monitor and test networks | 10. Log and monitor all access to system components and cardholder data. 11. Test security of systems and networks regularly. |
| Maintain an information security policy | 12. Support information security with organizational policies and programs. |
ADManager Plus, an identity governance and administration tool, comes packed with capabilities such as access certification and role-based access delegation to help organizations meet compliance requirements with ease. The following table illustrates how you can swiftly meet PCI DSS requirements with ADManager Plus.
| Section | Description | How ADManager Plus helps |
| --- | --- | --- |
| 2.2.2 | Vendor default accounts are managed as follows: | ADManager Plus allows you to keep track of users' password changes with the Password Unchanged report. You can also learn the status of vendor accounts from the All Users or Inactive Users reports and manage them on the fly. |
| 3.2.1 | Account data storage is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes that include at least the following: | ADManager Plus allows you to retain cardholder data as long as necessary for business, legal, and/or regulatory purposes and purge it securely after the retention period. You can also define specific settings, such as the data retention period and how often it should be backed up, to securely back up data. |
| 7.2.1 | An access control model is defined and includes granting access as follows: | ADManager Plus allows you to control access to system components and data by implementing role-based access control using granular delegation of duties. This ensures that entities are granted only the minimum privileges required to efficiently perform their job roles. You can also manage the NTFS permissions and group memberships of users in bulk. Gain visibility into NTFS permissions, group memberships, and other user permissions by generating comprehensive reports. |
| 7.2.2 | Access is assigned to users, including privileged users, based on: | |
| 7.2.3 | Required privileges are approved by authorized personnel. | With ADManager Plus, you can regularly review and validate access to system components and cardholder data using automated access certification campaigns. Authorized personnel can be configured to certify the access and ensure that only the right people have access. ADManager Plus' multi-level workflows also ensure that privilege-related tasks are reviewed and executed by authorized personnel. |
| 7.2.4 | All user accounts and related access privileges, including third-party/vendor accounts, are reviewed as follows: | Access certification campaigns can be run frequently at desired times to ensure user accounts and access remain appropriate based on their job role. These campaigns also help in detecting any excessive rights that are assigned to user accounts and removing them promptly to prevent malicious activities. Access rights for stale accounts can also be revoked during the certification process. |
| 7.2.5 | All application and system accounts and related access privileges are assigned and managed as follows: | |
| 7.2.5.1 | All access by application and system accounts and related access privileges are reviewed as follows: | |
| 7.2.6 | All user access to query repositories of stored cardholder data is restricted as follows: | |
| 7.3.1 | An access control system(s) is in place that restricts access based on a user's need to know and covers all system components. | You can ensure users' access rights are controlled by automating the permission management process and implementing just-in-time access measures. ADManager Plus also allows you to periodically review users' access rights and certify them. |
| 7.3.2 | The access control system(s) is configured to enforce permissions assigned to individuals, applications, and systems based on job classification and function. | You can periodically review and attest group memberships, NTFS permissions, and Microsoft 365 roles based on users' job classification and function. |
| 8.2.1 | All users are assigned a unique ID before access to system components or cardholder data is allowed. | Users have a unique security ID that represents them, and any action performed by them can be attributed to them using these unique IDs. ADManager Plus allows you to gain insights on various user attributes by generating comprehensive user reports. |
| 8.2.4 | Addition, deletion, and modification of user IDs, authentication factors, and other identifier objects are managed as follows: | ADManager Plus allows you to manage the entire life cycle of a user using workflow-controlled automations, ensuring that user actions are always overseen before execution. Individuals can be delegated granular roles to manage user life cycles. They can be delegated only those permissions that are essential to perform their jobs. The delegated tasks can be overseen using multi-level workflows. All the actions are audited and can be generated as reports. |
| 8.2.5 | Access for terminated users is immediately revoked. | Access for terminated users can be immediately revoked using event-driven automations. |
| 8.2.6 | Inactive user accounts are removed or disabled within 90 days of inactivity. | With ADManager Plus automations, you can automatically disable or delete inactive users after 90 days of inactivity. |
| 8.2.7 | Accounts used by third parties to access, support, or maintain system components via remote access are managed as follows: | Using ADManager Plus, remote access can be continuously monitored for unexpected activity by scheduling the Terminal Services report to run automatically at a set time. |
| 8.2.8 | If a user session has been idle for more than 15 minutes, the user is required to re-authenticate to re-activate the terminal or session. | Using ADManager Plus, you can configure users' idle session limit to end after 15 minutes or more. |
| 8.3.5 | If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they are set and reset for each user as follows: | ADManager Plus allows you to set these flags while provisioning a new user. |
| 8.3.9 | If passwords/passphrases are used as the only authentication factor for user access (i.e., in any single-factor authentication implementation), then either: | In scenarios where passwords are the only authentication factor, password resets can be automatically triggered every 90 days using ADManager Plus. |
| 10.2.1.2 | Audit logs capture all actions taken by any individual with administrative access, including any interactive use of application or system accounts. | All the actions performed by administrators or those with elevated privileges in ADManager Plus are logged with all the relevant details in the Admin Audit report. These logs can also be exported in various formats. |
| 10.2.1.4 | Audit logs capture all invalid logical access attempts. | ADManager Plus records invalid login attempts. They can be easily accessed in the form of a report. The report can be periodically generated and emailed to concerned stakeholders to swiftly mitigate password-related attacks. |
| 10.2.1.5 | Audit logs capture all changes to identification and authentication credentials including, but not limited to: | Audit reports in ADManager Plus capture and display all the actions performed using the solution, including but not limited to password resets, permission management, and user account management. |
| 10.2.2 | Audit logs record the following details for each auditable event: | ADManager Plus' audit reports record all the details listed in this requirement. The solution also logs the user who performed the action and the user on which the action was performed. |
| 10.3.1 | Read access to audit log files is limited to those with a job-related need. | Read access to audit reports in ADManager Plus can be delegated granularly only to those users who require them to fulfill their job roles. |
| 10.3.2 | Audit log files are protected to prevent modifications by individuals. | By providing granular access to audit reports, ADManager Plus secures them from intentional and unintentional tampering. |
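As an added example (not ADManager Plus code and not part of the PCI DSS text), the following PowerShell audit checks an Active Directory domain against two of the controls in the table, 8.2.6 (accounts inactive for more than 90 days) and 8.3.9 (single-factor passwords older than 90 days), so the product's automations can be verified independently. It assumes the RSAT ActiveDirectory module, a domain-joined account with read access to user objects, and arbitrary CSV file names for the evidence files.

```powershell
# Added example: read-only PCI DSS 8.2.6 / 8.3.9 audit for Active Directory.
# Assumes the RSAT ActiveDirectory module and read access to user objects.
Import-Module ActiveDirectory

$InactiveDays    = 90   # Requirement 8.2.6 threshold
$PasswordMaxDays = 90   # Requirement 8.3.9 threshold for single-factor password accounts
$Now = Get-Date

# Fetch enabled users once, with the DateTime properties the AD module derives
# from lastLogonTimestamp and pwdLastSet.
$Users = Get-ADUser -Filter { Enabled -eq $true } `
    -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires, whenCreated

# 8.2.6: last logon (or creation date, for accounts that have never logged on)
# older than the threshold. Caveat: lastLogonTimestamp is only replicated when it
# is more than msDS-LogonTimeSyncInterval (14 days by default) out of date, so the
# real last logon may be up to 14 days later than this value; confirm borderline
# accounts against domain controller logon events before acting on them.
$Inactive = $Users | Where-Object {
    $last = if ($_.LastLogonDate) { $_.LastLogonDate } else { $_.whenCreated }
    $last -lt $Now.AddDays(-$InactiveDays)
}

# 8.3.9: password older than the threshold, or flagged never to expire (in which
# case the 90-day rotation cannot be enforced by policy at all). Accounts whose
# PasswordLastSet is empty are set to "must change at next logon" and are skipped.
$StalePassword = $Users | Where-Object {
    $_.PasswordNeverExpires -or
    ($_.PasswordLastSet -and $_.PasswordLastSet -lt $Now.AddDays(-$PasswordMaxDays))
}

# Evidence for the assessor: one CSV per finding type (file names are arbitrary).
$Inactive | Select-Object SamAccountName, LastLogonDate, whenCreated |
    Export-Csv -Path .\pci-8.2.6-inactive.csv -NoTypeInformation
$StalePassword | Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires |
    Export-Csv -Path .\pci-8.3.9-stale-passwords.csv -NoTypeInformation

"8.2.6 inactive accounts: $(@($Inactive).Count)"
"8.3.9 stale or non-expiring passwords: $(@($StalePassword).Count)"

# Remediation for 8.2.6 is shown with -WhatIf so nothing changes until the
# findings have been reviewed; remove -WhatIf to disable the listed accounts.
$Inactive | Disable-ADAccount -WhatIf
```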
While meeting PCI DSS requirements is a crucial step in the roadmap to compliance, there are other steps that must also be followed to become compliant without any hiccups. Here's a checklist that you can follow to become PCI DSS compliant:
Thoroughly understand the requirements and the responsibilities that come with them.
Assess the current security status of your environment, including its components, processes, and policies, and identify areas that can lead to non-compliance.
Draft security and access control policies that will not only help you achieve compliance but also protect your network from threats and malicious activities.
Establish processes to continuously monitor your threat landscape and areas that might lead to non-compliance, and take stringent actions as and when something crops up.
By following these steps, you can adopt a comprehensive approach to ensuring security and achieving PCI DSS compliance at the same time.
Gain insights on cardholder data with over 200 predefined reports that can be generated at the click of a button.
Certify access to system components and network resources with automated certification campaigns.
Notify stakeholders and audit teams in real time with detailed reports.
Implement role-based access control, the principle of least privilege, just-in-time access, and more effortlessly.
Automate repetitive tasks, such as password resets or AD data cleanup, and minimize manual errors.
Gain visibility into the potential vulnerabilities in your hybrid AD network and promptly mitigate them.