20 Best PCI DSS Compliance Tools

PCI DSS gets its name from the institution that created it: the Payment Card Industry Association. The organization has a division, called the Payment Card Industry Security Standards Council, which commissions and sponsors standards to help protect the finance industry and its customers. The “DSS” part of the standard’s name stands for Data Security Standards.

PCI DSS is not enforced by law. However, it is a requirement of Visa, Mastercard, American Express, Discover, and JCB, so if you don’t comply, you won’t be able to process card payments from the customers of those systems.

The protection of the personal information of customers is a strong legal requirement of the General Data Protection Regulation (GDPR), which is applied in the whole of the European Union (EU).

Here is our list of the best PCI DSS compliance tools:

  • Access rights management
    1. SolarWinds Access Rights Manager (FREE TRIAL) Monitors Active Directory implementations, including Exchange Server and SharePoint permissions. Runs on Windows Server.
    2. ManageEngine ADAudit Plus Produces reports that prove compliance to PCI DSS and other data security standards.
  • Software patch management
    1. Syxsense Manage (FREE TRIAL) An endpoint management system that includes patch management and version auditing that contributes towards HIPAA, SOX, and PCI DSS compliance.
    2. SolarWinds Patch Manager (FREE TRIAL) Keeps software up to date in order to close off exploits. Runs on Windows Server and is PCI DSS compliant.
  • Security information and event management tools
    1. SolarWinds Security Event Manager (FREE TRIAL) Monitors log access and passing data to detect unauthorized data access attempts.
    2. ManageEngine EventLog Analyzer (FREE TRIAL) Syslog manager that includes pre-written PCI DSS compliance audits and reports, plus HIPAA and FISMA auditing.
  • Intrusion prevention systems
    1. OSSEC A highly respected log analysis tool that is open source and free to use. It lacks a user interface.
    2. Splunk Enterprise A live traffic analyzer that runs on Windows or Linux. Available in free and paid versions.
  • Anti-malware systems
    1. Malwarebytes Endpoint Protection and Response An anti-malware system that has PCI DSS Requirement 5 certification. Runs on Windows.
    2. Trend Micro Security for Mac Provides certified PCI DSS Requirement 5 compliance and runs on Mac OS.
  • Cardholder Data Environment protection
    1. SENF A free sensitive data locator that runs on Windows, Linux, Mac OS, and Unix.
    2. PowerGREP A sensitive data locator with a 3-month money-back guarantee.
  • Wireless security monitoring
    1. OpenWIPS-NG An intrusion prevention system for wireless networks. This utility is free to use and install on Linux.
    2. Aruba RFProtect A wireless intrusion prevention system that complies with PCI DSS specifications.
  • Password protection lockers
    1. KeePass Password Safe A free password protection system for Windows, Linux, Mac OS, Unix, and memory sticks.
    2. Password Gorilla A widely-used password protector for Windows, Linux, Mac OS, and Unix.
  • Network monitoring systems
    1. SolarWinds Network Performance Monitor (FREE TRIAL) The leading network performance monitor with SNMP-based routines that runs on Windows Server.
    2. Paessler PRTG Network Monitor An all-in-one monitor that covers networks, servers, and applications. Runs on Windows Server.
  • Configuration management
    1. ManageEngine Network Configuration Manager This tool protects switches, routers, and firewalls against unauthorized configuration changes.
    2. SolarWinds Network Configuration Manager (FREE TRIAL) A configuration manager that is compliant with PCI DSS and integrates with other SolarWinds infrastructure management tools.

Introducing data protection measures is a wise idea. It will protect your business’s sensitive information as well as ensuring that you don’t get sued by customers or employees for data disclosure.

There are many categories of security tools that you will need in order to enforce security on your system and protect customer data and card transaction information. These are:

  • Access rights management
  • Security information and event management tools
  • Intrusion prevention systems
  • Anti-malware systems
  • Cardholder Data Environment protection
  • Wireless security monitoring
  • Password protection lockers
  • Network monitoring systems
  • Software patch management
  • Configuration management

We will explain each of these types of software and propose the two best tools in each category.

Access rights management

You need to control who has access to cardholder data. In cases where operators need to see transaction and customer information, for refunds and customer inquiries, for example, you need to limit the categories of data that can be accessed.

The usernames and passwords of authorized users are the targets of a type of hacker attack called “phishing.” This method tricks staff into disclosing their login credentials. If you also allow external access to your network, such lapses in the confidentiality of user credentials can threaten the security of your data.

Access rights management software will help you keep track of the activities of the company’s authorized users and make sure that they don’t engage in unauthorized activities. User activity tracking is a requirement of PCI DSS. You need to keep logs of each user session to present for any PCI DSS audit.

The two best access rights management systems that you should look into are:

1. SolarWinds Access Rights Manager (FREE TRIAL)

SolarWinds Access Rights Manager

The SolarWinds Access Rights Manager contributes to PCI DSS compliance. The tool monitors Active Directory, Exchange Server, SharePoint, and file servers. It produces logs that detail the user, the system accessed, and the times of access. The dashboard links to user information to show you not just the username, but also the real name of the account holder.

The ARM integrates user management functions as well, including a self-service portal that enables users to check on their accounts and perform simple admin tasks, such as changing their passwords. This tool gives you the ability to oversee a large number of users from one dashboard. It is a paid tool that runs on Windows Server and you can get it on a 30-day free trial.

SolarWinds Access Rights Manager Download 30-day FREE Trial

2. ManageEngine ADAudit Plus

ADAudit Plus

ManageEngine ADAudit Plus is very good for implementing PCI DSS compliance and running audit reports that automatically prove your compliance. This tool focuses on Active Directory, monitoring and logging any changes to permissions recorded in AD. It will log user actions entering and exiting different systems. It audits changes to file and folder permissions, which will alert you to intruder activity. You can archive alert data for up to three years and generate audit reports.

This software runs on Windows and is available in both free and paid editions. You can get a free trial of the Professional edition.

Software patch management

The failure to keep application software up to date creates a security weakness. Many software updates are only produced when a new vulnerability in an existing system is discovered. The software houses that provide these programs quickly write updates to close off the exploit. It is very difficult to keep all software up to date manually, so automated tools for patch management help to keep a network secure and compliant with PCI DSS Requirement 6. Here are two patch managers that we recommend.

3. Syxsense Manage (FREE TRIAL)

Syxsense Patch Manager

Syxsense Manage tracks down all of the devices connected to your network and then scans each for its OS version and software inventory. This system documents all OS and software versions on Windows, macOS, and Linux. It can include endpoints on remote sites and it is also able to manage IoT devices.

For each OS or software package that the system discovers, it polls regularly for patches and updates. You can set maintenance windows in the service’s console and then when a patch becomes available, Syxsense will roll it out where appropriate.

All software version management and patch application actions are documented and the system can automatically produce reports formatted for compliance to PCI DSS, HIPAA, and SOX. This is a cloud-based service that is charged on an annual subscription. It is available for a 14-day free trial.

Syxsense Manage Start 14-day FREE Trial

4. SolarWinds Patch Manager (FREE TRIAL)

SolarWinds Patch Manager

The SolarWinds Patch Manager runs on Windows Server and integrates Microsoft WSUS patch management and SCCM. This is a vulnerability management system that logs all software running on your site and keeps alert for any updates available for those packages. The dashboard lists available patches and will roll them out automatically upon approval. The system also produces audit reports to help show compliance with PCI DSS. It is available for download on a 30-day free trial.

SolarWinds Patch Manager Download 30-day FREE Trial

Security information and event management tools

Security Information and Event Management (SIEM) offers two methods for tracking activity on your system: the monitoring of log files and the examination of the traffic that passes along your network.

The protection of log files is particularly important for PCI DSS compliance. You need to be able to demonstrate full tracking of all data access events. These should be recorded in log files, but hackers who want to destroy or steal your data know that, and they either delete or alter those files. SIEM tools back up log files, check for changes, and restore the original versions. They also enable you to search through all event logs for pertinent records, because the number of event records that any system produces can be overwhelming. SIEM software also tracks network traffic, looking for suspicious activity.

5. SolarWinds Security Event Manager (FREE TRIAL)

Solarwinds Log and Event Manager

The SolarWinds Security Event Manager secures log files, raising alerts when tampering is detected. You can watch log messages live in the dashboard and read data from files to an analyzer. The tool ships with pre-written reports that prove PCI DSS compliance.

The Security Event Manager runs on Windows Server but can collect log messages from any operating system and is also able to manage log file storage on a memory stick. It is also capable of automating responses to a detected intrusion. These measures include the ability to suspend or block access to specific addresses, shut down programs and processes, disable user accounts, and block USB storage devices.

The Security Event Manager is a paid tool that is suitable for large networks. You can check it out on a 30-day free trial.

SolarWinds Security Event Manager Download 30-day FREE Trial

6. ManageEngine EventLog Analyzer (FREE TRIAL)

ManageEngine EventLog

The ManageEngine EventLog Analyzer tracks Syslog messages and looks for anomalous activity on networks by employing SNMP procedures. The data viewer is able to operate on both live data and filed messages with data operations, such as sorting, search, filtering, and grouping utilities.

The tool protects log files with compression and encryption, imposing authentication on access to the contents. It also monitors the checksums on log files, generating alerts when they change. The EventLog Analyzer includes compliance auditing for the PCI DSS. It also has processes and reports that will assist your compliance with FISMA and HIPAA standards.

The software runs on Windows or Linux and you can get it on a 30-day free trial.

ManageEngine EventLog Analyzer Download 30-day FREE Trial

Intrusion prevention systems

Intrusion prevention systems are very similar to SIEM systems. They record standard traffic patterns on a network and then look out for variations from that baseline. They also examine the behavior of passing packets and look for identifiers in the packet headers that serve as warning signs. The key characteristic of an IPS is that it not only detects an intrusion but also takes automated steps to shut down that activity. Here are two IPS tools that we recommend:

7. OSSEC

OSSEC screenshot

OSSEC is a free host-based intrusion detection system that features log file analysis and live log message processing. This tool has a great analytical engine, but a terrible front-end. However, there are many free data viewing tools that are compatible with OSSEC, such as Graylog, Splunk, and Kibana.

This system is owned by Trend Micro, which is a prominent cybersecurity firm. The software installs on Windows, Linux, Unix, and Mac OS. It is able to collect log messages from the network that originate from any operating system, no matter which of them it is installed on.

The tool archives log files whenever they are changed, making it possible to roll back if they are interfered with. It uses a rule base to detect anomalous behavior on the network. The log monitoring functions of OSSEC fulfill the requirements of PCI DSS Requirement 10, and the file integrity enforcement features of the tool comply with PCI DSS sections 10.5.5 and 11.5.
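The log protection that the SIEM section and the OSSEC description both rely on, namely keeping a sealed copy of each log, detecting when the live file is altered, and rolling back to the archived version, can be shown in a few dozen lines. The block below is an added illustration written for this article, not code from OSSEC, SolarWinds, or ManageEngine. It assumes a separate archive directory stands in for the access-controlled log store a SIEM would keep, and it uses constructed log lines. Legitimate appends are distinguished from in-place edits by hashing only the portion of the file that existed when the baseline was taken.

```python
"""Added example: hash-based log file integrity monitoring with archive and
restore, in the style of the SIEM / OSSEC log protection described above.
Illustrative code, not any vendor's implementation."""
import hashlib
import os
import shutil
import tempfile


def sha256_of(path: str) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(log_paths, archive_dir):
    """Record the hash and size of each log and keep a sealed copy in archive_dir
    (the archive directory is this example's stand-in for a SIEM's log store)."""
    baseline = {}
    for path in log_paths:
        baseline[path] = {"sha256": sha256_of(path), "size": os.path.getsize(path)}
        shutil.copy2(path, os.path.join(archive_dir, os.path.basename(path)))
    return baseline


def check_integrity(baseline):
    """Compare each log with its baseline and return a list of (path, finding).

    Findings are 'deleted', 'truncated' (the file shrank), 'modified' (the
    original bytes changed in place) or 'appended' (the file grew and the
    original prefix is intact, which is normal for a live log)."""
    findings = []
    for path, rec in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "deleted"))
            continue
        size = os.path.getsize(path)
        if size < rec["size"]:
            findings.append((path, "truncated"))
            continue
        # Hash only the original prefix so legitimate appends are not flagged.
        h = hashlib.sha256()
        with open(path, "rb") as fh:
            h.update(fh.read(rec["size"]))
        if h.hexdigest() != rec["sha256"]:
            findings.append((path, "modified"))
        elif size > rec["size"]:
            findings.append((path, "appended"))
    return findings


def restore(path, archive_dir):
    """Put the archived copy back in place of a tampered log."""
    shutil.copy2(os.path.join(archive_dir, os.path.basename(path)), path)


def demo():
    """Run the scenario on constructed log lines and return the findings seen."""
    work, archive = tempfile.mkdtemp(), tempfile.mkdtemp()
    log = os.path.join(work, "access.log")
    line1 = "2024-01-01T10:00:00Z user=alice action=view_card result=ok\n"
    line2 = "2024-01-01T10:05:00Z user=bob action=export_cards result=denied\n"
    line3 = "2024-01-01T10:06:00Z user=carol action=refund result=ok\n"
    with open(log, "w") as fh:
        fh.write(line1 + line2)
    baseline = build_baseline([log], archive)
    clean = check_integrity(baseline)
    with open(log, "a") as fh:            # a legitimate append by the application
        fh.write(line3)
    appended = check_integrity(baseline)
    with open(log, "w") as fh:            # simulated tampering: the denial is rewritten
        fh.write(line1 + line2.replace("result=denied", "result=ok") + line3)
    tampered = check_integrity(baseline)
    restore(log, archive)
    restored = check_integrity(baseline)
    os.remove(log)                        # simulated deletion of the log
    deleted = check_integrity(baseline)
    return {"clean": clean, "appended": appended, "tampered": tampered,
            "restored": restored, "deleted": deleted}
```

Note that `restore` brings back the archived image, so any lines legitimately appended since the baseline are lost; a real SIEM avoids that by continuously forwarding new lines to the archive rather than copying the file once, which is why these tools collect log messages live instead of only checking files after the fact.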

8. Splunk Enterprise

Splunk screenshot

Splunk is a network traffic analyzer available in free and paid versions. The higher editions, Splunk Enterprise and Splunk Cloud, include IPS capabilities. The lower editions are Splunk Free and Splunk Light. The detection procedures of the tool include network traffic monitoring and log file analysis. The detection method searches for anomalies, which are patterns of unexpected behavior.

To get AI-based anomaly detection and strong automated prevention systems with Splunk, you need to supplement it with the Splunk Enterprise Security add-on, which is available on a seven-day free trial. Symantec chose to do a deal with Splunk in order to integrate Splunk Enterprise into its security products and gain PCI DSS compliance capabilities.

Splunk Enterprise installs on Windows or Linux. You can get it on a 60-day free trial. If you prefer the Cloud edition, you can access that on a 15-day free trial.

Anti-malware systems

Malware threats to customer information and card transaction data held on your system focus on damaging or deleting data as much as stealing it. Spyware and remote access trojans (RATs) help hackers to steal your data, while ransomware and destructive malware will delete or scramble your data to render it unusable. The installation of anti-malware on your system is Requirement 5 of PCI DSS.

9. Malwarebytes Endpoint Protection and Response

Malwarebytes Endpoint Protection

Malwarebytes has been validated as providing PCI DSS Requirement 5 protection for data. The company doesn’t classify its product, Malwarebytes Endpoint Protection, as an antivirus system. Instead, it calls it an “antivirus replacement.” The system runs on Windows and operates in a very similar way to a network IPS, except its domain is a workstation. Rather than relying on a threat database like a traditional AV, the software searches for anomaly signatures in processes running on the computer. It then implements automated remediation procedures to remove the threat.

The software is capable of detecting irregular activity performed by authorized users – a sign of stolen credentials. It protects against ransomware by saving backups of changed files so all can be restored if they are maliciously encrypted.

10. Trend Micro Security for Mac

Trend Micro Security for Mac

Trend Micro is the company that owns OSSEC. It classifies Security for Mac as a product for home users. However, the system is fully compliant with PCI DSS Requirement 5, so it is also a good choice for businesses.

As well as blocking viruses, it protects your browser from a range of internet attacks and prevents intruder software from getting control of your Mac’s camera and microphone. The detection system is AI-based, which means it is able to block new viruses. It also includes email protection and password management.

As the name suggests, this software runs on Macs. However, a higher security product, called Maximum Security, is available for Windows, Mac OS, iOS, and Android. This package can be bought with a 10-device license.

Cardholder Data Environment protection

Requirement 1 of PCI DSS expects you to define your Cardholder Data Environment. This means all of the equipment and processes that deal with cardholder data and the IT elements that support that infrastructure. You are expected to draw a Cardholder Data Environment Diagram of this system.

One tip for tracking down all of these details is to start with the location where cardholder data is stored and then track all of the software that put it there. You then need to look at the services and hardware that supported the process that put the data there. Here are two tools that you could use to trace cardholder data.

11. SENF

SENF5

SENF is the Sensitive Number Finder. It was developed by the University of Texas at Austin’s Information Security Office and it is free to use. The software is written in Java and it runs on Windows, Linux, Mac OS, and Unix. It will search through the entire device for sensitive numbers stored there, including credit card numbers and social security numbers. The software was available from a GitHub repository but has been removed since this article was first published.

12. PowerGREP

PowerGREP is a paid tool, but the vendors offer a three-month money back guarantee. It searches through files on a computer for specified data formats. You could use this feature to search for credit card numbers and establish all of the locations where cardholder data is held. The tool can search through all types of files including text, binary files, and compressed files.

Wireless security monitoring

13. OpenWIPS-NG

OpenWISP

OpenWIPS-NG is made by the same people who produced Aircrack-NG, which is a famous hacker tool. This is a free wireless IPS for Linux. The system has three modules: a sensor, a server, and an interface. The sensor is a packet sniffer that passes network traffic to the server, which is where traffic analysis is performed.

The sensor is also able to inject traffic into channels or modify passing wireless traffic. That action can be commanded automatically when the server detects intrusion. It can also be launched manually. The user accesses data streams through the third element in the package, which is the interface.

14. Aruba RFProtect

Aruba RFProtect WIPS_Monitor

Aruba RFProtect is a wireless IPS. The Aruba company is a division of Hewlett Packard and it produces networking equipment, including wireless access points. Aruba RFProtect operates from within the AP. The program scans all channels for anomalous transmissions and it also prevents unauthorized changes to the configuration of the AP.

The tool contains defense measures to lock out transmissions from IPs that seem to be engaged in malicious activities. It includes an auditing and reporting module that complies with PCI DSS requirements and can also be tailored towards HIPAA, DoD 8100.2, and GLBA compliance reporting requirements.

Password protection lockers

If you want to qualify as PCI DSS compliant, password managers are not an option – they are a requirement of the standard. Creating long passwords composed of random characters, which are impossible to remember, and storing them in a manager for reuse adds extra security for the network. For one thing, users cannot disclose passwords that they don’t know, and the manager’s own access procedures place an extra barrier between the outside world and your resources. Here are two password protection systems that we recommend:

15. KeePass Password Safe

KeePass Password Safe

This is a free password protection system for Windows, Linux, Mac OS, and Unix. There is also a version that can be run from a USB stick.

The password system has a graphical interface that lists all of the passwords stored in its internal database. The database is locked by AES or Twofish encryption and you need to create one master password in order to access the interface. Once started, the program will run in the background and fill in passwords in screens on the computer for you. It also has a strong password generator.

16. Password Gorilla

Password Gorilla

Password Gorilla is another free password manager that is available for Windows, Linux, Mac OS, and Unix. There is also a standalone version that will run from a USB stick.

This locker passes out passwords via the clipboard, so you will have to paste passwords into each site and application that you visit. Passwords are protected by SHA256 and the entire database is encrypted by Twofish. The program includes a password generator that provides an impossible-to-remember random string for each password.

Network monitoring systems

Although network monitoring systems are not specifically demanded by the requirements of PCI DSS, the security of a system can only be guaranteed by stability. You will need to keep an eye on the performance of the network because partial failure can reduce the effectiveness of the security systems that are detailed above. Here are two network monitoring systems that we recommend.

17. SolarWinds Network Performance Monitor (FREE TRIAL)

SolarWinds Network Performance monitor

The SolarWinds Network Performance Monitor is a leading network monitor that uses SNMP procedures to keep a constant check on the statuses of network devices. Monitored equipment is able to send an alert message to the monitor when emergency conditions arise. The monitor is able to guard wireless systems and virtualizations as well as standard LANs. The tool discovers all network devices automatically and generates a network topology map. The software installs on Windows Server and you can get a 30-day free trial of this software.

SolarWinds Network Performance Monitor Download 30-day FREE Trial

18. Paessler PRTG Network Monitor

PRTG Network Monitor

Paessler’s PRTG Network Monitor is a unified network, server, and application monitor that contains a large collection of “sensors.” Each sensor is an individual monitor and you choose which of the large library of sensors you want to activate. The system installs on Windows Server and is free to use if you only activate up to 100 sensors. The monitor uses SNMP procedures to monitor LANs, wireless networks, and virtualizations. You can get a 30-day free trial of this system.

Paessler PRTG Network Monitor Download 30-day FREE Trial

Configuration management

Intruders can get wider access to your network if they are able to alter the settings on your network devices, namely your switches and routers. Creating a standard configuration for your devices, backing it up, and installing it on new devices helps you comply with PCI DSS Requirement 6. Here are our two recommendations.

19. ManageEngine Network Configuration Manager

ManageEngine Network Configuration Manager

The Network Configuration Manager is able to manage configurations for switches, routers, and firewalls. The service backs up the configuration and then monitors for any changes to the setup of your devices, reinstalling the original image if unauthorized changes occur. The system logs all changes and actions and produces audit reports to help PCI DSS compliance. You can get a 30-day trial of this software.

20. SolarWinds Network Configuration Manager (FREE TRIAL)

SolarWinds Network Configuration Manager

The SolarWinds Network Configuration Manager integrates with the SolarWinds Network Performance Monitor. Its reporting module contributes towards PCI DSS compliance. On installation, the tool scans the network, logs all switches, routers, and firewalls and backs up their configurations. Subsequent configuration changes need to be made through the manager’s interface because it will overwrite any direct changes with its stored image.

The tool makes regular checks with the Cisco National Vulnerability Database and updates firmware whenever necessary. It also has strong capabilities when interfacing with the Cisco Adaptive Security Appliance firewall.

The tool installs on Windows Server and you can get it on a 30-day free trial.

SolarWinds Network Configuration Manager Download 30-day FREE Trial
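Both configuration managers in this section work the same way: capture a baseline image of each device, compare the running configuration against it, and reapply the stored image when a change was not made through the manager. The block below is an added example written for this article that shows that comparison on a constructed, router-style configuration; it is not either vendor's code. The list of sensitive line prefixes and the idea of an "approved changes" list standing in for changes entered through the manager's interface are assumptions of the example.

```python
"""Added example: configuration drift detection and rollback of the kind the
configuration managers above perform. Illustrative code on a constructed config."""
import difflib

# Constructed baseline configuration, as captured by the manager on first scan.
BASELINE_CONFIG = """hostname edge-router-1
snmp-server community MonitorRO RO
access-list 101 permit tcp 10.0.0.0 0.0.0.255 host 10.0.1.10 eq 443
access-list 101 deny ip any any
line vty 0 4
 transport input ssh
"""

# Constructed running configuration after someone changed the device directly:
# a read-write SNMP community appeared, the final deny rule vanished, and
# telnet was re-enabled on the management lines.
RUNNING_CONFIG = """hostname edge-router-1
snmp-server community MonitorRO RO
snmp-server community public RW
access-list 101 permit tcp 10.0.0.0 0.0.0.255 host 10.0.1.10 eq 443
line vty 0 4
 transport input ssh telnet
"""

# Prefixes of lines whose change matters most for protecting cardholder data.
# This set is an assumption of the example, not a vendor-supplied list.
SENSITIVE_PREFIXES = ("access-list", "snmp-server", "username", "transport input")


def detect_drift(baseline: str, running: str):
    """Return the lines added to and removed from the baseline, in config order."""
    diff = difflib.unified_diff(baseline.splitlines(), running.splitlines(),
                                lineterm="", n=0)
    added, removed = [], []
    for line in diff:
        if line.startswith(("---", "+++", "@@")):   # skip diff headers
            continue
        if line.startswith("+"):
            added.append(line[1:])
        elif line.startswith("-"):
            removed.append(line[1:])
    return {"added": added, "removed": removed}


def sensitive_changes(drift):
    """Pick out the drift lines that touch filtering, SNMP, accounts or remote access."""
    def is_sensitive(line):
        return line.strip().startswith(SENSITIVE_PREFIXES)
    return {"added": [l for l in drift["added"] if is_sensitive(l)],
            "removed": [l for l in drift["removed"] if is_sensitive(l)]}


def enforce(baseline: str, running: str, approved_changes=()):
    """Decide what the manager should do with the running configuration.

    approved_changes are lines an operator entered through the manager; any
    other drift is unauthorized and the baseline image is pushed back."""
    drift = detect_drift(baseline, running)
    unapproved = [l for l in drift["added"] + drift["removed"]
                  if l not in approved_changes]
    if not unapproved:
        return {"action": "accept", "config": running, "unapproved": []}
    return {"action": "restore", "config": baseline, "unapproved": unapproved}


if __name__ == "__main__":
    report = detect_drift(BASELINE_CONFIG, RUNNING_CONFIG)
    print("sensitive drift:", sensitive_changes(report))
    print("decision:", enforce(BASELINE_CONFIG, RUNNING_CONFIG)["action"])
```

The audit trail that PCI DSS asks for is the `drift` report itself: every line that differs, when it was seen, and whether it was approved or reverted, which is what the vendors' reporting modules package up for an assessor.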