The Lumigent® PCI Advantage Pack™
The Payment Card Industry Data Security Standard (PCI DSS) defines requirements for the storage, processing, and transmission of cardholder data. There are twelve rules (coined the “Dirty Dozen” by the industry) that merchants and service providers must comply with in order to do business with the credit card companies associated with the standard.
The Lumigent PCI Advantage Pack provides compliance with the most difficult of the twelve requirements: rules 2, 6, 7, 8, 10, and 12. The solution’s core capabilities are based upon Lumigent Audit DB. At its heart is the ability to produce a secure and irrefutable audit of database activity that reveals violations of security policies and identifies when credit card data is inappropriately accessed, viewed, or changed. It is unmatched in its ability to monitor privileged users, and it is trusted by auditors to deliver a complete and secure audit trail of information access and use. Audit trail history can be retained online for a period of time (e.g., 90 days, as called for in the standard) and then archived for as long as necessary.
The Lumigent PCI Advantage Pack includes a set of pre-defined audit policies and reports that enable and speed compliance with the PCI Data Security Standard. All audit information required by the standard is included:
- User ID
- Type of event
- Date and time
- Success or failure of a committed action
- Event origin
- Identity or name of all affected data, system components, and resources
The Lumigent PCI Advantage Pack covers these rules under the PCI Data Security Standard:
Rule #2:
- Disable default databases, usernames, and passwords
- Remove dormant users (accounts that haven’t been used in 60 days)
- Scan database servers and OS files for configuration issues
Rule #6:
- Ensure database versions and patch levels are current
- Track all changes made to database systems (update, insert, delete, etc…) by privileged users and reconcile back to an approved change ticket
Rule #7:
- Identify database users and their privileges related to where cardholder data exists
- Remove users/entitlements that are not required on a need-to-know basis
- Limit privileges (e.g. delete, insert, update, etc…) wherever possible
Rule #8:
- Scan databases for a list of users; ensure that all access is tracked by a unique ID
- Scan databases to ensure:
  - Terminated (obsolete) users are removed
  - Dormant users (users with no login for 60 days) are removed
  - Password quality/strength is enforced
  - Password lifetimes are enforced
  - Password reuse policies are enforced
  - Password break-in thresholds are enforced
Rule #10:
- Log and alert on all database activity associated with cardholder data (inserts, updates, deletes and selects) that is outside of normal access
- Capture all failed logins
- Capture all successful logins
- Track all activity by privileged users
Rule #12: Maintain an information security policy
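The following is an added example, not Lumigent code, showing how the six audit fields listed above can be evaluated against the Rule 8 dormant-account threshold (no login in 60 days) and the Rule 10 checks (failed logins, privileged-user activity, and cardholder-table access outside normal hours). The audit records, table and user names, and the 08:00–18:00 "normal access" window are constructed assumptions for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class AuditEvent:
    """One audit-trail record with the fields the standard requires."""
    user: str          # User ID
    event: str         # Type of event: LOGIN, SELECT, INSERT, UPDATE, DELETE
    time: datetime     # Date and time
    success: bool      # Success or failure of the action
    origin: str        # Event origin (client host or application)
    obj: str           # Affected data / system component

# Assumed environment for the example (not from the original page).
CARDHOLDER_TABLES = {"dbo.CardAccounts"}
PRIVILEGED_USERS = {"sa"}
DORMANT_DAYS = 60                 # Rule 8 threshold stated above
BUSINESS_HOURS = range(8, 18)     # assumed window for "normal access"

def dormant_accounts(events, known_users, now):
    """Rule 8: accounts with no successful login in the last 60 days.
    Accounts with no recorded successful login at all are reported too."""
    cutoff = now - timedelta(days=DORMANT_DAYS)
    last_login = {}
    for e in events:
        if e.event == "LOGIN" and e.success:
            last_login[e.user] = max(e.time, last_login.get(e.user, e.time))
    return sorted(u for u in known_users if last_login.get(u, datetime.min) < cutoff)

def failed_logins(events):
    """Rule 10: every failed login, with its origin so the source is attributable."""
    return [(e.user, e.origin, e.time.isoformat())
            for e in events if e.event == "LOGIN" and not e.success]

def abnormal_cardholder_access(events):
    """Rule 10: activity on cardholder tables outside normal hours, plus all
    activity by privileged users on those tables (which must always be tracked)."""
    flagged = []
    for e in events:
        if e.event == "LOGIN" or e.obj not in CARDHOLDER_TABLES:
            continue
        if e.time.hour not in BUSINESS_HOURS or e.user in PRIVILEGED_USERS:
            flagged.append((e.user, e.event, e.obj, e.time.isoformat()))
    return flagged

# Constructed sample audit trail; "now" is fixed so results are reproducible.
NOW = datetime(2024, 3, 1, 12, 0)
KNOWN_USERS = {"alice", "bob", "carol", "sa", "dave"}   # dave never logged in
EVENTS = [
    AuditEvent("alice", "LOGIN", datetime(2024, 2, 28, 9, 0), True, "app01", "-"),
    AuditEvent("alice", "SELECT", datetime(2024, 2, 28, 9, 5), True, "app01", "dbo.CardAccounts"),
    AuditEvent("bob", "LOGIN", datetime(2023, 12, 1, 9, 0), True, "app02", "-"),   # 91 days ago
    AuditEvent("carol", "LOGIN", datetime(2024, 2, 29, 23, 10), False, "10.0.0.9", "-"),
    AuditEvent("sa", "LOGIN", datetime(2024, 2, 29, 23, 12), True, "10.0.0.9", "-"),
    AuditEvent("sa", "UPDATE", datetime(2024, 2, 29, 23, 15), True, "10.0.0.9", "dbo.CardAccounts"),
    AuditEvent("alice", "SELECT", datetime(2024, 2, 29, 2, 0), True, "app01", "dbo.CardAccounts"),
]
```

Running the three checks over `EVENTS` reports bob, carol and dave as dormant, carol's failed login from 10.0.0.9, and two out-of-policy touches of `dbo.CardAccounts` (the privileged `sa` update and alice's 02:00 select).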
To learn more about the Lumigent PCI Advantage Pack, read our data sheet in the resources section of this web site, or view our on-demand presentation.