PCI compliance relates to companies that process purchase transactions that include credit, debit or prepaid cards over the internet, phone
PCI SCC (Security Standards Council) Requirements are made up of three constituent parts: PCI Data Security Standard (DSS), PIN Transaction Security (PTS) Requirements, and Payment Application Data Security Standard (PA-DSS)
Only PCI-DSS is relevant to software developers and database administrators as it covers storing and processing customer data. This checklist will address support level for PCI-DSS
PCI DSS Requirements:
ApexSQL Audit provides minimal or no support and/or it is not applicable to the software:
1: Install and maintain a firewall configuration to protect cardholder data
2: Do not use vendor-supplied defaults for system passwords and other security parameters
4: Encrypt transmission of cardholder data across open, public networks
5: Protect all systems against malware and regularly update anti-virus software or program
8: Identify and authenticate access to system components
9: Restrict physical access to cardholder data
11: Regularly test security systems and processes
ApexSQL Audit provides partial support:
10: Track and monitor all access to network resources and cardholder data
12: Maintain a policy that addresses information security for all personnel
ApexSQL Audit supports:
3: Protect stored cardholder data
6: Develop and maintain secure systems and applications
7: Restrict access to cardholder data by business need to know
| Level of Support & Supporting Features | ApexSQL Audit Provides | |
| 3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed). | Supports | ApexSQL doesn’t display any real data in reports and doesn’t store any real data values in the repository database. |
| 6.4.1 Separate development/test environments from production environments, and enforce the separation with access controls | Supports | Auditing all access rights changes and activities of users with development / test user access rights. |
| 6.4.3 Production data (live PANs) are not used for testing or development | Supports | ApexSQL Audit can audit access to all tables where production data is stored and can detect any SELECT, DELETE or UPDATE statement executed on that table, including real time alerting |
| 6.4.4 Removal of test data and accounts before production systems become active | Supports with Exceptions |
Auditing and reporting on all data and user accounts removal, allows confirm that all unwanted data and user accounts are removed |
| 7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access. Access limitations must include below: | Supports | Once the user rights have been set, ApexSQL can audit and report every change of security privileges or any unapproved new users creation, including real time alerting |
| 7.1.1 All individual user accesses to cardholder data. | Supports | ApexSQL Audit can audit and report on any user access to any database or database object that stores the cardholder user data including the real time alerting |
| 7.1.2 Assign privileges based on individual personnel’s job classification and function. | Supports | ApexSQL Audit can audit and report on any unapproved user account change including the real time alerting |
| 7.2.2 Assign privileges based on individual personnel’s job classification and function. | Supports | ApexSQL Audit can audit and report on any unapproved user account change including the real time alerting |
| 10.1 Implement audit trails to link all access to system components to each individual user. | Supports | Fully featured auditing and reporting of all user activities including access to sensitive data and recording of who changed what, when, and where helps |
| 10.2.1 All individual user accesses to cardholder data. | ||
| 10.2.2 All actions taken by any individual with root or administrative privileges. | Supports | Audit status of built-in administrative groups’ membership and all activities by users with administrative rights. |
| 10.2.4 Invalid logical access attempts. | Supports | Audit failed logon attempts. |
| 10.2.5 Use of and changes to identification and authentication mechanisms – including but not limited to creation of new accounts and elevation of privileges – and all changes, additions, or deletions to accounts with root or administrative privileges. | Supports | Auditing of all user logons, activities and changes to account policies and modifications to user accounts including elevation of privileges. |
| 10.2.7 Creation and deletion of system-level objects. | Audit all modifications to database tables and other objects. | |
| 10.3 Record at least the following audit trail entries for all system components for each event: | Supports | Full information of every change: who changed what, when, and where. |
| 10.3.1 User Identification | Supports | |
| 10.3.2 Type of event | Supports | |
| 10.3.3 Date and time | Supports | |
| 10.3.4 Success or failure indication | Supports | |
| 10.3.5 Origination of event | Supports | |
| 10.3.6 Identity or name of affected data, system component or resource | Supports | |
| 10.5 Secure audit trails so they cannot be altered. | Supports with exceptions |
Centralized collection, archiving, and consolidation of all data. ApexSQL Audit doesn’t prevent audit data alteration but makes such attempts to tamper fully evident |
| 10.6 Review logs and security events for all system components to identify anomalies or suspicious activity. | Supports | Fully-featured reporting functionality with real time alerts, predefined reports and ability to apply customized filters and analyze data for PCI compliance violations. Out-of-the box reports |
| 10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis. | Supports | Audit data trail history is stored in form of an archive data source that can be easily managed and accessible on user demand |
| 12.2 Develop daily operational security procedures that are consistent with requirements in this specification (for example, user account maintenance procedures, and log review procedures) | Supports | ApexSQL Audit is constantly developing ongoing procedures and policies to comply with SQL best practice standards and regulations |
For Appendix on meaning of category assessments e.g. supports, click here
