Qualys Blog

www.qualys.com
Tim White

Qualys Adds Support for PCI DSS 3.0 in Qualys Policy Compliance

Comply with PCI DSS 3.0 using Mandate-Based Reporting in Qualys Policy Compliance

We are excited to announce an out-of-the-box, ready-to-use mandate-based policy for PCI DSS 3.0 consisting of security checks that automate assessment of ‘in-scope’ PCI assets. This policy greatly simplifies the process merchants go through to validate PCI compliance for a key set of technical controls that must be validated across a wide range of technologies. Qualys Policy Compliance can now automatically scan for all of these PCI controls and provide a detailed report that you can use to demonstrate ongoing compliance.

This new mandate-based policy provides:

  • A comprehensive set of controls based on industry-accepted standards such as CIS and NIST, as well as vendor-recommended guidelines such as Microsoft SCM and IBM hardening guidelines for AIX, WebSphere, etc.
  • Coverage of all of the ‘technical secure configuration assessment’ requirements
  • Coverage of the new and evolving requirements of PCI DSS 3.0:
    • 8.2.3 – Deeper assessment for managing password strength and complexity
    • 10.2.5 – Audit use of and changes to identification and authentication mechanisms
    • 10.2.6 – Assessing initiation, stopping or pausing of the audit logs
    • 6.5.10 – Assessing common security vulnerabilities

PCI DSS is applicable to, and recommends security for, all ‘in-scope’ PCI assets.

We provide support not just for different operating systems and databases but also for web servers and network devices. Qualys provides coverage for many common enterprise technologies such as:

  • Windows 7 & 8, Windows Server 2008, Windows Server 2012
  • Linux: SUSE Linux 11, openSUSE 11.x, Red Hat Enterprise Linux 6, CentOS 6
  • Unix: Solaris 11, HP-UX 11i v3, AIX 6 & 7
  • VMware ESXi 5.x
  • Databases: Oracle 11g, IBM DB2 9.x, Sybase ASE 15, SQL Server 2008 and 2012
  • Web Servers: Apache HTTPD 2.2, IBM HTTP Server 7.x, IIS 7.x and VMware vFabric Web Server 5.x
  • Network Devices: Cisco IOS 15, Cisco ASA 8.x and Juniper Junos 10.x/11.x
  • Application Servers: IBM WebSphere Application Server 7.x

What Are Some of the Key Changes in PCI DSS 3.0?

PCI DSS has recently been updated to version 3.0. It consists of 12 requirements that specify how cardholder information must be held and protected, covering areas such as network security, encrypting cardholder data, restricting access to information and maintaining an information security policy. For more information, see the PCI DSS 3.0 documentation on the PCI Security Standards Council website.

The effective date of version 3.0 of the standard was January 1, 2014, but vendors currently compliant with PCI DSS 2.0 have until January 1, 2015 to demonstrate compliance with the new standard. In total, PCI DSS has 6 domains, 12 requirements, and 200 detailed sub-requirements.

Requirement Highlights

  • PCI Compliance Cycle: PCI DSS is no longer a once-a-year auditing activity but needs to be a continuous day-to-day practice.
  • Requirement 10.2.5: Audit use of and changes to identification and authentication mechanisms.
  • Requirement 10.2.6: Assess/restrict stopping or pausing of the audit logs.
  • Requirement 11.1.x: Create an inventory of authorized wireless access points and scan for unauthorized wireless devices.
  • Requirement 11.3: Implement a methodology for penetration testing.
  • Requirement 2.4: Maintain an inventory of system components in scope for PCI DSS.
  • Requirement 5.1.2: For systems not commonly affected by malware, evaluate them for malware threats.
  • Requirement 5.3: Verify that anti-virus solutions are actively running (formerly in 5.2) and cannot be disabled or altered.
  • Requirement 6.5.10: Assess coding practices to protect against broken authentication and session management.
  • Requirement 8.2.3: Deeper assessment for managing password strength and complexity.
  • Requirement 9.9: Protect devices that capture payment card data from tampering and substitution.
  • Requirement 12.8.5: Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.

Additional Support by Qualys for PCI DSS 3.0

In addition to mandate-based reporting, the following Qualys products also help meet other PCI DSS requirements:

  • Qualys Policy Compliance (PC) helps in the assessment of secure configuration and hardening requirements for ‘in-scope’ assets/technologies.
  • Vulnerability Management (VM) helps in complying with the requirements of scanning for internal and external network vulnerabilities.
  • Web Application Firewall (WAF) helps in detecting and preventing web-based attacks.

These requirements make PCI compliance a more practical, continuous and ongoing process, requiring additional depth in the assessments while covering all ‘in-scope’ technologies that store or transmit cardholder data. This also broadens the coverage of security domains, including security for web and application servers, penetration testing, security configuration and change assessment, identification and authentication mechanisms, etc.

More Information

Get a free trial of Qualys Policy Compliance or contact your TAM today!
