PCI compliance checklist for ApexSQL Audit

PCI compliance relates to companies that process purchase transactions that include credit, debit or prepaid cards over the internet, phone

PCI SCC (Security Standards Council) Requirements are made up of three constituent parts: PCI Data Security Standard (DSS), PIN Transaction Security (PTS) Requirements, and Payment Application Data Security Standard (PA-DSS)

Only PCI-DSS is relevant to software developers and database administrators as it covers storing and processing customer data. This checklist will address support level for PCI-DSS

PCI DSS Requirements:

ApexSQL Audit provides minimal or no support and/or it is not applicable to the software:

1: Install and maintain a firewall configuration to protect cardholder data
2: Do not use vendor-supplied defaults for system passwords and other security parameters
4: Encrypt transmission of cardholder data across open, public networks
5: Protect all systems against malware and regularly update anti-virus software or program
8: Identify and authenticate access to system components
9: Restrict physical access to cardholder data
11: Regularly test security systems and processes

ApexSQL Audit provides partial support:

10: Track and monitor all access to network resources and cardholder data
12: Maintain a policy that addresses information security for all personnel

ApexSQL Audit supports:

3: Protect stored cardholder data
6: Develop and maintain secure systems and applications
7: Restrict access to cardholder data by business need to know

PCI DSS Requirement
Level of Support & Supporting FeaturesApexSQL Audit Provides
Requirement 3: Protect stored cardholder data
3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed).SupportsApexSQL doesn’t display any real data in reports and doesn’t store any real data values in the repository database.
Requirement 6: Develop and maintain secure systems and applications
6.4.1 Separate development/test environments from production environments, and enforce the separation with access controlsSupportsAuditing all access rights changes and activities of users with development / test user access rights.
6.4.3 Production data (live PANs) are not used for testing or developmentSupportsApexSQL Audit can audit access to all tables where production data is stored and can detect any SELECT, DELETE or UPDATE statement executed on that table, including real time alerting
6.4.4 Removal of test data and accounts before production systems become activeSupports with
Exceptions
Auditing and reporting on all data and user accounts removal, allows confirm that all unwanted data and user accounts are removed
Requirement 7: Restrict access to cardholder data by business need to know
7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access. Access limitations must include below:SupportsOnce the user rights have been set, ApexSQL can audit and report every change of security privileges or any unapproved new users creation, including real time alerting
7.1.1 All individual user accesses to cardholder data. SupportsApexSQL Audit can audit and report on any user access to any database or database object that stores the cardholder user data including the real time alerting
7.1.2 Assign privileges based on individual personnel’s job classification and function.SupportsApexSQL Audit can audit and report on any unapproved user account change including the real time alerting
7.2.2 Assign privileges based on individual personnel’s job classification and function.SupportsApexSQL Audit can audit and report on any unapproved user account change including the real time alerting
Requirement 10: Track and monitor all access to network resources and cardholder data
10.1 Implement audit trails to link all access to system components to each individual user.SupportsFully featured auditing and reporting of all user activities including access to sensitive data and recording of who changed what, when, and where helps
10.2.1 All individual user accesses to cardholder data.
10.2.2 All actions taken by any individual with root or administrative privileges.SupportsAudit status of built-in administrative groups’ membership and all activities by users with administrative rights.
10.2.4 Invalid logical access attempts.SupportsAudit failed logon attempts.
10.2.5 Use of and changes to identification and authentication mechanisms – including but not limited to creation of new accounts and elevation of privileges – and all changes, additions, or deletions to accounts with root or administrative privileges.SupportsAuditing of all user logons, activities and changes to account policies and modifications to user accounts including elevation of privileges.
10.2.7 Creation and deletion of system-level objects.Audit all modifications to database tables and other objects.
10.3 Record at least the following audit trail entries for all system components for each event:SupportsFull information of every change: who changed what, when, and where.
10.3.1 User IdentificationSupports
10.3.2 Type of eventSupports
10.3.3 Date and timeSupports
10.3.4 Success or failure indicationSupports
10.3.5 Origination of eventSupports
10.3.6 Identity or name of affected data, system component or resourceSupports
10.5 Secure audit trails so they cannot be altered.Supports with
exceptions
Centralized collection, archiving, and consolidation of all data. ApexSQL Audit doesn’t prevent audit data alteration but makes such attempts to tamper fully evident
10.6 Review logs and security events for all system components to identify anomalies or suspicious activity.SupportsFully-featured reporting functionality with real time alerts, predefined reports and ability to apply customized filters and analyze data for PCI compliance violations. Out-of-the box reports
10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis.Supports with
exceptions
Partially implemented. Will be fully supported in 2015 R2.
Requirement 12: Maintain a policy that addresses information security for all personnel

12.2 Develop daily operational security procedures that are consistent with requirements in this specification (for example, user account maintenance procedures, and log review procedures)SupportsApexSQL Audit is constantly developing ongoing procedures and policies to comply with SQL best practice standards and regulations

 

For Appendix on meaning of category assessments e.g. supports, click here