Change and Configuration Solutions Aid PCI Auditors
by Matt Clark - Network Engineer at Voyence - Monday, 10 March 2008.
Network managers must rotate passwords on a regular schedule and ensure that no device is ever deployed on the network with vendor-supplied default passwords in place (requirement 2.1). Any network path over which cardholder data is transmitted must be protected with strong encryption (requirement 4.1 covers transmission over open, public networks), or the organisation starts to face the $5,000 to $25,000 fines mentioned earlier.

With 12 top-level requirements and more than 170 individual sub-requirements, planning for compliance with the DSS is a challenge. Automating the change-control and configuration process eases the burden on the network manager by providing a structured approach to implementing the DSS. The solution should offer guidance and best-practice documentation in the context of each DSS requirement, making it easy for managers to determine which steps must be taken to comply with the standard.

Change-control processes should be documented and stored where engineers and managers can consult them on a daily basis. An automated change-control solution facilitates this by letting the network manager publish the company's established policies alongside the individual PCI requirements and vendor best-practice documentation.

For example, qualified personnel should be able to easily access the current (not a static snapshot) status of each PCI DSS requirement, together with its supporting documentation, in one consolidated view. This view should contain:
  • PCI DSS Requirement Definition
    • 2.1 - Always change vendor-supplied defaults before installing a system on the network.
  • Reports and Links
    • Credential and Usage Reports
    • Communication Mechanism Reports
  • Each Compliance Item and Status:
    • Default Password
      • Cisco Routers
        • 3,772 compliant
        • 43 non-compliant
  • Review Comments
    • 05/30/07 - Matt Clark, updated the default-password policy to include passwords from the latest IOS release.
With easy access to this content, network engineers looking for direction or confirmation can review the documentation quickly, which raises adherence to the established processes. Engineers are more likely to follow a process that is widely published than one stored in a binder on the compliance manager's shelf. Auditors will ask network managers to demonstrate how the processes are distributed to engineers, and the central repository in the PCI compliance solution meets that requirement.

One of the largest cost savings provided by a PCI solution built on automated change and compliance control is its help in reducing the scope of the audit. Qualified security assessors (QSAs) must scope the assessment to every system component that stores, processes, or transmits cardholder data, plus any system connected to those components; without adequate network segmentation, the entire network is in scope. While it is incumbent upon network engineers to design a properly segmented network, a PCI solution can help prove that segmentation to the auditor. The solution should provide logical containers for each network domain, and change and compliance reporting should make the association between the PCI-compliant processes and the in-scope devices visible to the auditor.
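The consolidated status view sketched above (a "Default Password" compliance item with per-device-class compliant and non-compliant counts) and the scope containers described in this paragraph can both be produced by a small automated check over collected device configurations. The following is an added example written for this article; it is not code from the article or from Voyence. The three abridged IOS-style configurations, the device names, the scope assignments and the short list of vendor defaults are all constructed for the example, and a real deployment would load a maintained vendor-default list rather than the two entries hard-coded here.

```python
"""Automated check for PCI DSS requirement 2.1 (vendor-supplied defaults) over
Cisco IOS-style device configurations, reported per audit-scope container.

Added example, not code from the article or from Voyence. All sample configs,
device names, scope assignments and default lists below are constructed.
"""
import re
from collections import defaultdict

# Constructed, abridged IOS-style configurations for three routers.
SAMPLE_CONFIGS = {
    "rtr-cde-01": """
hostname rtr-cde-01
service password-encryption
enable secret 5 $1$k3Fp$9yS0Q2bX7qZ1mN4tL8wR6/
username admin secret 5 $1$Vb2e$Hq7Lz0pT5nC3sW9xK1yJ8.
snmp-server community Hx72pLq9Rw RO 10
""",
    "rtr-cde-02": """
hostname rtr-cde-02
enable password cisco
username cisco password 0 cisco
snmp-server community public RO
snmp-server community private RW
""",
    "rtr-branch-07": """
hostname rtr-branch-07
service password-encryption
enable secret 5 $1$Qm8z$2aB4cD6eF8gH0jK2lM4nO.
username ops secret 5 $1$Zp1r$3cE5gI7kM9oQ1sU3wY5aC/
snmp-server community public RO
""",
}

# Constructed scope assignment: the "logical container" each device belongs to.
DEVICE_SCOPE = {
    "rtr-cde-01": "CDE",
    "rtr-cde-02": "CDE",
    "rtr-branch-07": "out-of-scope",
}

# Illustrative vendor defaults (assumed). A production check would load a
# maintained list; the article's review comment records exactly such an update.
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}
DEFAULT_CREDENTIALS = {("cisco", "cisco"), ("admin", "admin")}

_SNMP_RE = re.compile(r"snmp-server community (\S+)")
_ENABLE_RE = re.compile(r"enable password (?:0 )?(\S+)$")
_USER_RE = re.compile(r"username (\S+) password (?:0 )?(\S+)$")


def check_vendor_defaults(config):
    """Return the requirement 2.1 findings for one config (empty list means compliant)."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        m = _SNMP_RE.match(line)
        if m and m.group(1).lower() in DEFAULT_SNMP_COMMUNITIES:
            findings.append("default SNMP community '%s'" % m.group(1))
        m = _ENABLE_RE.match(line)
        if m:
            # 'enable password' stores the value in clear text; 'enable secret'
            # is the compliant form. Flagged here because the sample default is
            # also the vendor value, and clear-text storage fails the related
            # PCI requirement that stored passwords be rendered unreadable.
            findings.append("clear-text enable password '%s'" % m.group(1))
        m = _USER_RE.match(line)
        if m and (m.group(1), m.group(2)) in DEFAULT_CREDENTIALS:
            findings.append("default credential %s/%s" % (m.group(1), m.group(2)))
    return findings


def compliance_summary(configs, scope):
    """Count compliant and non-compliant devices per scope container."""
    summary = defaultdict(lambda: {"compliant": 0, "non-compliant": 0, "findings": {}})
    for device, cfg in configs.items():
        container = scope.get(device, "unassigned")
        findings = check_vendor_defaults(cfg)
        if findings:
            summary[container]["non-compliant"] += 1
            summary[container]["findings"][device] = findings
        else:
            summary[container]["compliant"] += 1
    return dict(summary)


def render_view(summary, in_scope=("CDE",)):
    """Render the consolidated status view for the in-scope containers only."""
    lines = ["2.1 - Always change vendor-supplied defaults before installing a system on the network."]
    for container in in_scope:
        counts = summary.get(container, {"compliant": 0, "non-compliant": 0, "findings": {}})
        lines.append("  %s: %d compliant, %d non-compliant"
                     % (container, counts["compliant"], counts["non-compliant"]))
        for device, findings in sorted(counts["findings"].items()):
            for finding in findings:
                lines.append("    %s: %s" % (device, finding))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_view(compliance_summary(SAMPLE_CONFIGS, DEVICE_SCOPE)))
```

Run as a script it prints the CDE container only: one compliant router and one non-compliant router with its four findings. The branch router also carries a default SNMP community, but because it sits in the out-of-scope container it does not appear in the audit view, which is the scope-reduction argument the solution has to make to the QSA. Keeping the scope assignment separate from the check is what lets the same findings be reported both to the auditor (in-scope only) and to operations (everything).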

In order to keep up with the changing demands of the business, enterprise networks can absorb multiple changes per day. Engineers were once able to accomplish change management with a battery of scripts and FTP servers, but with today’s heterogeneous networks and heavier audit requirements, this method does not scale to meet current challenges. Full change and compliance control cannot be achieved without a high degree of automation, which is perhaps the largest benefit of a PCI compliance solution.
