Any organisation that accepts and stores credit card details must comply with the PCI-DSS (Payment Card Industry Data Security Standard). The standard was introduced in an attempt to reduce the chances of credit card fraud. While most Active Directory implementations don’t store credit card details, they may still be subject to a PCI audit. Non-compliance with PCI-DSS can lead to lawsuits, fines, insurance claims and a subsequent loss of sales, as non-compliance will likely tarnish the company’s reputation.
While there are many steps your organisation can take to ensure PCI compliance, if you are a large organisation you may want to consider hiring a Qualified Security Assessor (QSA). QSAs are organisations that have been qualified by the PCI Security Standards Council to verify an organisation’s adherence to PCI-DSS.
Of course, one of the best ways to circumvent the need for compliance is to not store credit card details at all. You can instead use a third-party payment processor such as PayPal, Authorize.Net, BitPay or DigiCash. These are companies that are set up to handle credit card transactions on your behalf, thus mitigating the need for PCI compliance.
Below are some of the steps your business can take to ensure PCI compliance:
1. Install a firewall to prevent unauthorised access to sensitive data
2. Ensure that system passwords are secure
3. Encrypt sensitive data and prevent transmission of unencrypted data across public networks
4. Ensure that you have antivirus software installed and it is updated regularly
5. Assign a unique ID to each person with computer access
6. Restrict physical access to credit card information
7. Ensure that you can monitor and control who accesses which resources, from where and when
8. Ensure that you have a security policy in place that specifically deals with credit card information
9. Regularly perform security tests to ensure that your policy is effective
In addition to the points above, you need to be quick at spotting potential rogue administrators, as they may seek to sell credit card details to criminals. You will need to train your staff to spot certain behavioural characteristics, and keep track of the dates when certain admin privileges should expire.
You may also want to consider using a free tool that scans Active Directory for password security vulnerabilities. Many tools on the market provide a set of interactive reports which can help you manage your password security policy and align yourself with current industry and compliance best practices. They can also identify admin accounts which haven’t been used for a while and detect passwords that are due to expire. This can help prevent potential lockouts or resets.
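As an added example (not Lepide's code and not part of the original post), the following PowerShell pulls the same two signals a scanning tool would surface: privileged accounts that have not logged on for a while and passwords that are about to expire. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access, and the 45-day and 14-day thresholds are assumptions you should align with your own policy.

```powershell
# Added example: report stale privileged accounts and passwords nearing expiry.
# Assumes the RSAT ActiveDirectory module; thresholds below are assumed values.
Import-Module ActiveDirectory

$StaleDays  = 45   # assumed: an admin unused this long is flagged for review
$ExpiryDays = 14   # assumed: warn this far ahead of password expiry
# Built-in privileged groups; extend with your own delegated admin groups.
$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

$now = Get-Date
$members = foreach ($g in $Groups) {
    Get-ADGroupMember -Identity $g -Recursive | Where-Object objectClass -eq 'user'
}

# Nested group membership can return the same user twice; de-duplicate by DN.
$report = $members | Sort-Object -Property distinguishedName -Unique | ForEach-Object {
    $u = Get-ADUser -Identity $_.distinguishedName -Properties LastLogonDate, PasswordLastSet,
        PasswordNeverExpires, Enabled, 'msDS-UserPasswordExpiryTimeComputed'

    # msDS-UserPasswordExpiryTimeComputed is a FILETIME; 0 or Int64.MaxValue means "never expires".
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    $expires = if ($raw -and $raw -gt 0 -and $raw -lt [Int64]::MaxValue) {
        [DateTime]::FromFileTime($raw)
    } else { $null }

    [PSCustomObject]@{
        SamAccountName       = $u.SamAccountName
        Enabled              = $u.Enabled
        # LastLogonDate is derived from the replicated lastLogonTimestamp,
        # which can lag the true last logon by up to 14 days.
        LastLogonDate        = $u.LastLogonDate
        StaleAdmin           = $u.Enabled -and ((-not $u.LastLogonDate) -or
                                   ($u.LastLogonDate -lt $now.AddDays(-$StaleDays)))
        PasswordNeverExpires = $u.PasswordNeverExpires
        PasswordExpires      = $expires
        ExpiringSoon         = ($null -ne $expires) -and ($expires -lt $now.AddDays($ExpiryDays))
    }
}

# Only rows that need action: unused admins, expiring passwords, or non-expiring passwords.
$report | Where-Object { $_.StaleAdmin -or $_.ExpiringSoon -or $_.PasswordNeverExpires } |
    Sort-Object LastLogonDate | Format-Table -AutoSize
```

Pipe the filtered `$report` to Export-Csv instead of Format-Table if you want an artefact to hand to an assessor.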
Ultimately, to ensure that you are compliant with PCI-DSS, you will need to start making use of automated auditing solutions, such as our Lepide Active Directory Auditing, which will enable you to monitor and report on any changes to your critical IT servers. Such solutions help to automate the process of tracking user access and logon failures, cleaning up inactive users, and dealing with password locks, resets and expiries. LepideAuditor Suite also comes with in-built PCI compliance reports to help speed up and simplify your auditing.