PCI DSS gets its name from the institution that created it: the Payment Card Industry Association. The organization has a division, called the Payment Card Industry Security Standards Council, which commissions and sponsors standards to help protect the finance industry and its customers. The “DSS” part of the standard’s name stands for Data Security Standards.
PCI DSS is not enforced by law. However, it is a requirement of Visa, Mastercard, American Express, Discover, and JCB, so if you don’t comply, you won’t be able to process card payments from the customers of those systems.
The protection of the personal information of customers is a strong legal requirement of the General Data Protection Regulation (GDPR), which is applied in the whole of the European Union (EU).
Here is our list of the best PCI DSS compliance tools:
- Access rights management
- Software patch management
- SolarWinds Patch Manager (FREE TRIAL) Keeps software up to date in order to close off exploits. Runs on Windows Server and is PCI DSS compliant.
- Security information and event management tools
- Intrusion prevention systems
- OSSEC A highly respected log analysis tool that is open source and free to use. It lacks a user interface.
- Splunk Enterprise A live traffic analyzer that runs on Windows or Linux. Available in free and paid versions.
- Anti-malware systems
- Malwarebytes Endpoint Protection and Response An anti-malware system that has PCI DSS Requirement 5 certification. Runs on Windows.
- Trend Micro Security for Mac Provides certified PCI DSS Requirement 5 compliance and runs on Mac OS.
- Cardholder Data Environment protection
- ManageEngine Endpoint DLP Plus (FREE TRIAL) This package of data loss prevention tools includes a discovery and categorization system for sensitive data and applies controls over data access and movement. Runs on Windows Server.
- SENF A free sensitive data locator that runs on Windows, Linux, Mac OS, and Unix.
- PowerGREP A sensitive data locator with a 3-month money-back guarantee.
- Wireless security monitoring
- OpenWIPS-NG An intrusion prevention system for wireless networks. This utility is free to use and install on Linux.
- Aruba RFProtect A wireless intrusion prevention system that complies with PCI DSS specifications.
- Password protection lockers
- KeePass Password Safe A free password protection system for Windows, Linux, Mac OS, Unix, and memory sticks.
- Password Gorilla A widely-used password protector for Windows, Linux, Mac OS, and Unix.
- Network monitoring systems
- SolarWinds Network Performance Monitor (FREE TRIAL) The leading network performance monitor with SNMP-based routines that runs on Windows Server.
- Paessler PRTG Network Performance Monitor An all-in-one monitor that covers networks, servers, and applications. Runs on Windows Server.
- Configuration management
- ManageEngine Network Configuration Manager This tool protects switches, routers, and firewalls against unauthorized configuration changes.
- SolarWinds Network Configuration Manager (FREE TRIAL) A configuration manager that is compliant with PCI DSS and integrates with other SolarWinds infrastructure management tools.
Introducing data protection measures is a wise idea. It will protect your business’s sensitive information as well as ensuring that you don’t get sued by customers or employees for data disclosure.
There are many categories of security tools that you will need in order to protect customer data and card transaction information. These are:
- Access rights management
- Security information and event management tools
- Intrusion prevention systems
- Anti-malware systems
- Cardholder Data Environment protection
- Wireless security monitoring
- Password protection lockers
- Network monitoring systems
- Software patch management
- Configuration management
We will explain each of these types of software and propose the two best tools in each category.
Access rights management
You need to control who has access to cardholder data. In cases where operators need to see transaction and customer information, for refunds and customer inquiries, for example, you need to limit the categories of data that can be accessed.
The usernames and passwords of authorized users are the targets of a type of hacker attack, called “phishing”. This hacker method tricks staff into disclosing their login accounts. If you also allow external access to your network, such mistakes over the confidentiality of user credentials can threaten the security of your data.
Access rights management software will help you keep track of the activities of the company’s authorized users and make sure that they don’t engage in unauthorized activities. User activity tracking is a requirement of PCI DSS. You need to keep logs of each user session to present for any PCI DSS audit.
Our methodology for selecting a PCI DSS compliance tool
We reviewed the market for services that enable you to comply with PCI DSS requirements and analyzed options based on the following criteria:
- Logging of all actions
- Storage of logs in a meaningful directory structure and in collections that are cohesive and clearly labeled
- Facilities to identify the user account involved in each action
- Encryption to protect data in transit and at rest
- File access controls for sensitive data
- A free trial or a demo package that enables a risk-free assessment
- Value for money from a comprehensive security tool that doesn’t cost the earth
With these selection criteria in mind, we identified a list of system management and monitoring tools that will protect bank account data and enforce compliance with PCI DSS.
The two best access rights management systems that you should look into are:
The SolarWinds Access Rights Manager contributes to PCI DSS compliance. The tool monitors Active Directory, Exchange Server, SharePoint, and file servers. It produces logs that detail the user, the system accessed, and the times of access. The dashboard links to user information to show you not just the username, but also the real name of the account holder.
- Provides a clear look into permission and file structures through automatic mapping and visualizations
- Preconfigured reports make it easy to demonstrate compliance
- Any compliance issues are outlined after the scan and paired with remediation actions
- Sysadmins can customize access rights and control in Windows and other applications
- SolarWinds Access Rights Manager is an in-depth platform designed for sysadmins, which may take time to fully learn
The ARM integrates user management function as well, including a self-service portal that enables users to check on their accounts and perform simple admin tasks, such as changing their passwords. This tool gives you the ability to oversee a large number of users from one dashboard. It is a paid tool that runs on Windows Server and you can get it on a 30-day free trial.
SolarWinds Access Rights Manager is our top pick for a PCI DSS compliance tool because properly managed user authentication and access rights are the bedrock of data security. This package runs on your own site and assesses all of the entries in your AD global catalog. It will ensure that user groups and their permissions are well defined and that abandoned accounts have been removed. With this tool, you can enforce a strong and effective password policy and reduce the threat of hacker attacks. Being able to track user activity is fundamental to PCI DSS and control of access to sensitive data can’t be enforced without proper user account management.
OS: Windows Server
ManageEngine ADAudit Plus is very good for implementing PCI DSS compliance and running audit reports to automatically prove your worthiness. This tool focuses on Active Directory, monitoring and logging any changes to permissions recorded in AD. It will log user actions entering and exiting different systems. It audits changes to file and folder permissions, which will alert you to intruder activity. You can archive alert data for up to three years and generate audit reports.
- Detailed reporting, can generate compliance reports for all major standards (PCI, HIPAA, etc.)
- Supports multiple domains, ideal for enterprise networks and multi-tenant use
- Offers delegation for NOC or helpdesk teams
- Allows you to visually view share permissions and the details of security groups
- Has a steeper learning curve than similar tools
This software runs on Windows and is available in both free and paid editions. You can get a 30-day free trial of the Professional edition.
Software patch management
The failure to keep application software up-to-date creates a security weakness. Many updates to software are only produced when a new vulnerability in existing systems is discovered. The software houses that provide these programs quickly write updates to close off the exploit. It is very difficult to keep all software up-to-date so automated tools for patch management help to keep a network secure and compliant with PCI DSS Requirement 6. Here are two patch managers that we recommend.
The SolarWinds Patch Manager runs on Windows Server and integrates Microsoft WSUS patch management and SCCM. This is a vulnerability management system that logs all software running on your site and keeps alert for any updates available for those packages. The dashboard lists available patches and will roll them out automatically upon approval. The system also produces audit reports to help show compliance with PCI DSS.
- Simple dashboard makes it easy to track and visualize patches and their progress, even on larger networks
- Integrated directly with SCCM for a smoother patch deployment
- Supports a wide variety of third party patching options
- Can quickly meet compliance requirements by patching systems automatically
- The tool is enterprise-focused, may not be the best option for home labs or small networks
SolarWinds Patch Manager is available for download on a 30-day free trial.
Security information and event management tools
Security Information and Event Management (SIEM) offers two methods of tracking activity on your system: the monitoring of log files and the examination of the traffic that passes along your network.
The protection of log files is particularly important for PCI DSS compliance. You need to be able to demonstrate full tracking of all data access events. These should be recorded in log files, but hackers who want to destroy or steal your data know that and they either delete or alter those files. SIEM tools back up log files, check for changes, and restore the original versions. They also enable you to search through all event logs for pertinent records, because the number of event records that any system produces can be overwhelming. SIEM software also tracks network traffic looking for suspicious activities.
The SolarWinds Security Event Manager secures log files, raising alerts when tampering is detected. You can watch log messages live in the dashboard and read data from files to an analyzer. The tool ships with pre-written reports that prove PCI DSS compliance.
The Security Event Manager runs on Windows Server but can collect log messages from any operating system and is also able to manage log file storage on a memory stick. It is also capable of automating responses to a detected intrusion. These measures include the ability to suspend or block access to specific addresses, shut down programs and processes, disable user accounts, and block USB storage devices.
- Enterprise focused tool with a vast number of different integrations
- Can quickly detect and stop unauthorized access attempts, protecting sensitive data
- Templates allow administrators to start using SEM with little customization needed
- Historical analysis tool helps detect anomalous behavior, saving sysadmins time from reading between the lines
- SolarWinds Security Event Manager is an advanced security product built for IT professionals and requires time to fully learn
The Security Event Manager is a paid tool that is suitable for large networks. You can check it out on a 30-day free trial.
The ManageEngine EventLog Analyzer tracks Syslog messages and looks for anomalous activity on networks by employing SNMP procedures. The data viewer is able to operate on both live data and filed messages with data operations, such as sorting, search, filtering, and grouping utilities.
The tool protects log files with compression and encryption, imposing authentication on access to the contents. It also monitors the checksums on log files, generating alerts when they change. The EventLog Analyzer includes compliance auditing for the PCI DSS. It also has processes and reports that will assist your compliance with FISMA and HIPAA standards.
- Customizable dashboards that work great for network operation centers
- Uses anomaly detection to assist technicians in their day-to-day operations
- Supports file integrity monitoring that can act as an early warning system for ransomware, data theft, and compliance violations
- Forensic log audit features enable admins to run pre-configured audit reports to ensure compliance
- The ManageEngine platform can take time to fully explore, requiring a decent time investment
The software runs on Windows or Linux and you can get it on a 30-day free trial.
Intrusion prevention systems
Intrusion prevention systems are very similar to SIEM systems. They record standard traffic patterns on a network and then look out for variations from that baseline. They also examine the behavior of passing packets and look for warning signs in the packet headers. The key characteristic of an IPS is that it not only detects an intrusion but also takes automated steps to shut down that activity. OSSEC, described below, combines log analysis with intrusion prevention capabilities. Here are two IPS tools that we recommend:
OSSEC is a free host-based intrusion detection system that features log file analysis and live log message processing. This tool has a great analytical engine, but a terrible front-end. However, there are many free data viewing tools that are compatible with OSSEC, such as Graylog, Splunk, and Kibana.
This system is owned by Trend Micro, which is a prominent cybersecurity firm. The software installs on Windows, Linux, Unix, and Mac OS. It is able to collect log messages from the network that originate from any operating system, no matter which of them it is installed on.
The tool archives log files whenever they are changed, making it possible to roll back if they are interfered with. It uses a rule base to detect anomalous behavior on the network. The log monitoring functions of OSSEC fulfill the requirements of PCI DSS Requirement 10 and the file integrity enforcement features of the tool comply with PCI DSS sections 10.5.5 and 11.5.
- Can be used on a wide range of operating systems, Linux, Windows, Unix, and Mac
- Can function as a combination SIEM and HIDS
- Interface is easy to customize and highly visual
- Community-built templates allow administrators to get started quickly
- Requires secondary tools like Graylog and Kibana for further analysis
- The open-source version lacks paid support
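The checksum monitoring of log files described for the EventLog Analyzer and the file integrity enforcement attributed to OSSEC above both rest on the same idea. The following is an added example written for this article, not code from either product: it baselines each log file's size and SHA-256 and, because a live log legitimately grows, only re-hashes the previously recorded prefix on verification, so normal appends are distinguished from edits, truncation and deletion. The sample log lines and file names are constructed.

```python
"""Append-aware log file integrity check (added example, not part of any product above).

A live log legitimately grows, so comparing a whole-file hash against a baseline
would alert on every new line. Instead the baseline records each file's size and
the SHA-256 of its contents at that moment; on verification only that recorded
prefix must hash the same. Growth is reported as APPENDED, anything else as tampering.
"""
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 65536


def hash_prefix(path: str, length: int) -> str:
    """SHA-256 of the first `length` bytes of the file."""
    h = hashlib.sha256()
    remaining = length
    with open(path, "rb") as f:
        while remaining > 0:
            chunk = f.read(min(CHUNK, remaining))
            if not chunk:
                break
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()


def take_baseline(paths) -> dict:
    """Record size and prefix hash for each log file as it stands now.
    Store this baseline where the logging host cannot overwrite it (e.g. on the
    log collector); otherwise an intruder can edit a log and re-baseline."""
    baseline = {}
    for p in paths:
        size = os.path.getsize(p)
        baseline[str(p)] = {"size": size, "sha256": hash_prefix(str(p), size)}
    return baseline


def verify(baseline: dict) -> dict:
    """Classify each baselined file as UNCHANGED, APPENDED, MODIFIED, TRUNCATED or MISSING."""
    results = {}
    for path, rec in baseline.items():
        if not os.path.exists(path):
            results[path] = "MISSING"
            continue
        size = os.path.getsize(path)
        if size < rec["size"]:
            results[path] = "TRUNCATED"   # records deleted, or rotated without re-baselining
        elif hash_prefix(path, rec["size"]) != rec["sha256"]:
            results[path] = "MODIFIED"    # an existing record was altered in place
        elif size > rec["size"]:
            results[path] = "APPENDED"    # normal growth of a live log
        else:
            results[path] = "UNCHANGED"
    return results


def demo() -> dict:
    """Constructed scenario: four sample logs, one for each outcome except UNCHANGED."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        auth, app, old, gone = (root / n for n in ("auth.log", "app.log", "old.log", "gone.log"))
        auth.write_text("Jan 15 10:30:45 host sshd[1001]: Accepted publickey for alice\n")
        app.write_text("2023-01-15T10:31:00 INFO payment service started\n")
        old.write_text("2023-01-14T23:59:59 INFO nightly settlement complete\n")
        gone.write_text("2023-01-13T08:00:00 INFO archived\n")
        baseline = take_baseline([auth, app, old, gone])

        # normal operation: a new record is appended
        with auth.open("a") as f:
            f.write("Jan 15 10:32:10 host sshd[1002]: Failed password for root\n")
        # tampering: an existing record is rewritten in place with the same length
        app.write_text("2023-01-15T10:31:00 INFO payment service stopped\n")
        # tampering: one file is emptied and another deleted outright
        old.write_text("")
        gone.unlink()

        return {Path(p).name: status for p, status in verify(baseline).items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:<10} {name}")
```

Run on a schedule from the collector side, only MODIFIED, TRUNCATED and MISSING results need an alert; APPENDED is the expected state of an active log.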
Splunk is a network traffic analyzer in free and paid versions. The higher editions, Splunk Enterprise and Splunk Cloud, include IPS capabilities. The lower editions are Splunk Free and Splunk Light. The detection procedures of the tool include network traffic monitoring and log file analysis. The detection method searches for anomalies, which are patterns of unexpected behavior.
To get AI-based anomaly detection and strong automated prevention systems with Splunk, you need to supplement it with the Splunk Enterprise Security add-on, which is available on a seven-day free trial. Symantec chose to do a deal with Splunk in order to integrate Splunk Enterprise into its security products and gain PCI DSS compliance capabilities.
- Can utilize behavior analysis to detect threats that aren’t discovered through logs
- Excellent user interface, highly visual with easy customization options
- Easy prioritization of events
- Designed to help large companies stay ahead of compliance requirements
- Available for Linux and Windows
- Pricing is not transparent, requires a quote from the vendor
- More suited for large enterprises
- Has a steep learning curve when compared to similar tools
Anti-malware systems
Malware threats to customer information and card transaction data held on your system focus on damaging or deleting data as much as stealing it. Spyware and remote access trojans (RATs) help hackers to steal your data, while ransomware and destructive malware will delete or scramble your data to render it unusable. The installation of anti-malware on your system is Requirement 5 of PCI DSS.
Malwarebytes has been validated as providing PCI DSS Requirement 5 protection for data. The company doesn’t classify its product, Malwarebytes Endpoint Protection, as an antivirus system. Instead, it calls it an “antivirus replacement”. The system runs on Windows and operates in a very similar way to a network IPS, except its domain is a workstation. Rather than relying on a threat database like a traditional AV, the software searches for anomaly signatures in processes running on the computer. It then implements automated remediation procedures to remove the threat.
The software is capable of detecting irregular activity performed by authorized users – a sign of stolen credentials. It protects against ransomware by saving backups of changed files so all can be restored if they are maliciously encrypted.
- Provides thorough endpoint protection without taxing local resources
- Can detect adware and nagware along with legitimate threats
- Offers PCI DSS compliance scanning
- Would be nice to give certain groups more control to change certain settings on the local machine
Trend Micro is the company that owns OSSEC. It classifies Security for Mac as a product for home users. However, the system is fully compliant for PCI DSS Requirement 5, so it is also a good choice for businesses.
As well as blocking viruses, it protects your browser from a range of internet attacks and prevents intruder software from getting control of your Mac’s camera and microphone. The detection system is AI-based, which means it is able to block new viruses. It also includes email protection and password management.
- Native PCI compliance scanning for Mac OS
- Easy to use, even for non-technical users
- Offers built-in ransomware protection
- Search markup system for blocking certain sites can be bypassed easily
As the name suggests, this software runs on Macs. However, a higher security product, called Maximum Security, is available for Windows, Mac OS, iOS, and Android. This package can be bought with a 10-device license.
Cardholder Data Environment protection
Requirement 1 of PCI DSS expects you to define your Cardholder Data Environment. This means all of the equipment and processes that deal with cardholder data and the IT elements that support that infrastructure. You are expected to draw a Cardholder Data Environment Diagram of this system.
One tip for tracking down all of these details is to start with the location where cardholder data is stored and then track all of the software that put it there. You then need to look at the services and hardware that supported the process that put the data there. Here are two tools that you could use to trace cardholder data.
ManageEngine Endpoint DLP Plus is a policy enforcement system for data protection. It searches endpoints for sensitive data and then categorizes those instances. The service can be tailored to meet specific requirements, such as those for PCI DSS. This is implemented by selecting a policy template. The DLP system then tracks user activities on those data stores and controls the movements of the files that contain them.
- Sensitive data identification and categorization
- Insider threat prevention
- Data access controls
- No cloud edition
ManageEngine Endpoint DLP Plus is offered in a Free edition that is limited to monitoring 25 devices. The paid version is called the Professional edition; it can track all computers on a network and can also monitor multiple sites in one console. The software runs on Windows Server and you can assess it on a 30-day free trial.
SENF is the Sensitive Number Finder. It was developed by the University of Texas at Austin’s Information Security Office and it is free to use. The software is written in Java and it runs on Windows, Linux, Mac OS, and Unix. It will search through the entire device for sensitive numbers stored there, including credit card numbers and social security numbers. The software was available from a GitHub repository but has been removed since this article was first published.
- Supports cross-platform functionality across Windows, Linux, and Mac OS
- Is easy to launch and doesn’t stress systems resources
- Fairly limited in what it can do proactively
- Compared to newer tools, SENF is outdated in terms of functionality
- Was removed from GitHub, can be hard to find
PowerGREP searches through files on a computer for specified data formats. You could use this feature to search for credit card numbers and establish all of the locations where cardholder data is held. The tool can search through all types of files including text, binary files, and compressed files.
- Highly detailed and customizable scanning methods
- Allows you to preview data discovered to quickly rule out false positives
- Can parse through compressed files
- Regex filters can be confusing to work with
- The interface can be noisy, making it hard to find certain features
PowerGREP is a paid tool, but the vendors offer a three-month money back guarantee.
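The tracing exercise described above (start where cardholder data is stored, then work outwards) depends on being able to find card numbers in files, which is what PowerGREP's pattern search and SENF's number finder are used for. The following is an added example written for this article, not the code of either tool: a regular expression proposes 13 to 19 digit candidates, a Luhn check-digit test (the checksum used by payment card numbers, not mentioned above) discards most false positives such as order ids and timestamps, and findings are reported masked so the scan report does not itself become cardholder data. The sample files and the card numbers in them are constructed; the numbers are well-known industry test values, not real accounts.

```python
"""Cardholder data locator (added example; not the code of PowerGREP, SENF or any tool above).

Finds stored primary account numbers so the files holding them can be brought into
the Cardholder Data Environment. Output is masked to the first six and last four digits.
"""
import re
import tempfile
from pathlib import Path

# 13 to 19 digits, single spaces or dashes allowed between digits, not part of a longer digit run
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_valid(digits: str) -> bool:
    """Luhn check: from the right, double every second digit (subtract 9 if over 9), sum must be % 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits in scan output."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return (offset, masked_pan) for each Luhn-valid candidate in the text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append((m.start(), mask_pan(digits)))
    return hits


def scan_file(path: Path, max_bytes: int = 50_000_000) -> list:
    """Scan one text-like file; compressed or binary formats need their own decoder first."""
    text = path.read_bytes()[:max_bytes].decode("utf-8", errors="replace")
    return [(str(path), off, masked) for off, masked in find_pans(text)]


def scan_tree(root) -> list:
    """Walk a directory tree and collect masked findings from every regular file."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            findings.extend(scan_file(p))
    return findings


def demo() -> list:
    """Constructed sample data: two industry test card numbers, two 13-digit order ids
    and one mistyped card number, all of which fail the Luhn check and are dropped."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "orders.log").write_text(
            "2023-01-15 10:30:45 order=1234567890123 card=4111111111111111 status=ok\n"
            "2023-01-15 10:31:02 order=1234567890124 card=4111111111111112 status=declined\n"
        )
        (root / "notes.txt").write_text(
            "Amex on file: 3782 822463 10005 (test number)\nphone 555-0100\n"
        )
        return [(Path(p).name, off, masked) for p, off, masked in scan_tree(root)]


if __name__ == "__main__":
    for name, offset, masked in demo():
        print(f"{name}:{offset} {masked}")
```

Point `scan_tree` at a file share or application data directory to list every file that should appear on the Cardholder Data Environment diagram; each hit is a location where card data is held and therefore in scope.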
Wireless security monitoring
OpenWIPS-NG is made by the same people who produced Aircrack-NG, which is a famous hacker tool. This is a free wireless IPS for Linux. The system has three modules: a sensor, a server, and an interface. The sensor is a packet sniffer that passes network traffic to the server, which is where traffic analysis is performed.
The sensor is also able to inject traffic into channels or modify passing wireless traffic. That action can be commanded automatically when the server detects intrusion. It can also be launched manually. The user accesses data streams through the third element in the package, which is the interface.
- Completely free tool
- Performs live traffic analysis and can rescan captured traffic
- Default dashboard insights are informative
- Only available for Linux
- Has a steeper learning curve than other tools
Aruba RFProtect is a wireless IPS. The Aruba company is a division of Hewlett Packard and it produces networking equipment, including wireless access points. Aruba RFProtect operates from within the AP. The program scans all channels for anomalous transmissions and also prevents unauthorized changes to the configuration of the AP.
The tool contains defense measures to lock out transmissions from IPs that seem to be engaged in malicious activities. It includes an auditing and reporting module that complies with PCI DSS requirements and can also be tailored towards HIPAA, DoD 8100.2, and GLBA compliance reporting requirements.
- Can automatically detect anomalies such as rogue access points or deauthentication attacks
- Can automatically block malicious IP addresses on a network
- Reporting and auditing scans come preconfigured for PCI DSS
- Pricing is not transparent, must contact sales team
Password protection lockers
If you want to qualify as PCI DSS compliant, password managers are not an option – they are a requirement of the standard. Creating long passwords composed of random characters and storing them for reuse because they are impossible to remember creates extra security for the network. For one thing, users are not able to disclose passwords that can’t be remembered and password manager access procedures place an extra barrier between the outside world and your resources. Here are two password protection systems that we recommend:
KeePass Password Safe has a GUI interface that lists all of the passwords stored in its internal database. The database is locked by AES or Twofish encryption and you need to create one master password in order to access the interface. Once started, the program will run in the background and fill in all passwords in screens on the computer for you. It also has a strong password generator.
- Completely free and easy to use, great for end-users
- Uses very strong encryption methods that are resistant to brute force attacks
- Can be run from a USB stick
- The interface feels a bit dated, can get cluttered when managing hundreds of credentials
This is a free password protection system for Windows, Linux, Mac OS, and Unix. There is also a version that can be run from a USB stick.
Password Gorilla passes out passwords via the clipboard, so you will have to paste passwords into each site and application that you visit. Passwords are protected by SHA-256 and the entire database is encrypted by Twofish. The program includes a password generator that provides impossible-to-remember random strings for each password.
- Available for Windows, Linux, and Mac OS
- Includes a secure password generator
- Can specify a certain password policy to generate credentials from
- Have to manually paste passwords, newer managers support autofill
- The interface is fairly limited
Password Gorilla is another free password manager that is available for Windows, Linux, Mac OS, and Unix. There is also a standalone version that will run from a USB stick.
Network monitoring systems
Although network monitoring systems are not specifically demanded by the requirements of PCI DSS, the security of a system can only be guaranteed by stability. You will need to keep an eye on the performance of the network because partial failure can reduce the effectiveness of the security systems that are detailed above. Here are two network monitoring systems that we recommend.
The SolarWinds Network Performance Monitor is a leading network monitor that uses SNMP procedures to keep a constant check on the statuses of network devices. Monitored equipment is able to send an alert message to the monitor when emergency conditions arise. The monitor is able to guard wireless systems and virtualizations as well as standard LANs. The tool discovers all network devices automatically and generates a network topology map.
- Built with scale and enterprise in mind, can support thousands of devices across multiple LANs
- Intuitive dashboards provide at-a-glance health reports alongside more granular metrics
- Can support WAN environments and multiple VPN configurations
- Dashboard configuration uses simple drag-and-drop widgets for easy customization
- Alerts allow sysadmins to manage their LAN more proactively than most other products
- This is an enterprise tool, and likely not the best fit for home networks or very small LANs
The SolarWinds Network Performance Monitor installs on Windows Server and you can get a 30-day free trial of this software.
Paessler’s PRTG Network Monitor is a unified network, server, and application monitor that contains a large collection of “sensors”. Each sensor is an individual monitor and you choose which of the large library of sensors you want to activate. The system installs on Windows Server and is free to use if you only activate up to 100 sensors. The monitor uses SNMP procedures to monitor LANs, wireless networks, and virtualizations.
- Supports both LAN and WAN monitoring across multiple networks
- Sensors can be configured for specific application SLAs to help enforce compliance
- Utilizes a number of different visualizations to help keep teams and administrators informed on network performance
- Provides up to 100 sensors completely free, great for smaller businesses
- Has a lot of different features and options for customization, requires time to fully explore all options and features
You can get a 30-day free trial of Paessler’s PRTG Network Monitor.
Configuration management
Intruders can get wider access to your network if they are able to alter the settings on your network devices, namely your switches and routers. Creating a standard configuration for your devices, backing it up, and installing it on new devices helps you comply with PCI DSS Requirement 6. Here are our two recommendations.
The ManageEngine Network Configuration Manager is able to manage configurations for switches, routers, and firewalls. The service backs up the configuration and then monitors for any changes to the setup of your devices, reinstalling the original image if unauthorized changes occur. The system logs all changes and actions and produces audit reports to help PCI DSS compliance.
- Available for Windows, Mac, and Linux systems
- Continuously discovers assets with autodiscovery
- Can immediately alert when changes are made
- Neatly organizes networks, devices, and infrastructure to support multi-site use
- Is a full-service monitoring platform that can take time to fully explore all options available
You can get a 30-day trial of the ManageEngine Network Configuration Manager.
The SolarWinds Network Configuration Manager integrates with the SolarWinds Network Performance Monitor. Its reporting module contributes towards PCI DSS compliance. On installation, the tool scans the network, logs all switches, routers, and firewalls and backs up their configurations. Subsequent configuration changes need to be made through the manager’s interface because it will overwrite any direct changes with its stored image.
The tool makes regular checks with the Cisco National Vulnerability Database and updates firmware whenever necessary. It also has strong capabilities when interfacing with the Cisco Adaptive Security Appliance firewall.
- Reporting helps aid in fixing compliance issues
- Can automatically discover new devices on the network and provide templated health reports for immediate insights upon installation
- Offers configuration management, allowing teams to quickly backup and restore changes that may have impacted performance
- Can monitor settings for unauthorized changes and specific teams or managers
- Offers a customizable dashboard that has a host of different options for visualizing network performance
- Not designed for home networks, this is an enterprise tool built for system administrators and network technicians
The tool installs on Windows Server and you can get it on a 30-day free trial.
PCI DSS Compliance FAQs
What is PCI DSS compliance?
PCI DSS stands for Payment Card Industry Data Security Standard. This is a set of guidelines that any business needs to follow if it handles payments by credit or debit card. The rules only apply within the USA. However, the global nature of eCommerce means that websites run by businesses in other countries could need to comply with PCI DSS. The main thrust of the rules is that personally identifiable information (PII), bank account details, and card data should be protected as much as possible against theft, misuse, or alteration.
Is PCI DSS compliance mandatory?
PCI DSS is an industry standard and not a law. Compliance is a commercial imperative and is usually written into service contracts by banks and payment clearance systems. Failure to comply would get a merchant account suspended and that trader would find it impossible to accept payments by card.
Who must comply with PCI DSS?
If you are unsure whether your business needs to comply with PCI DSS, look at the contracts you have with your payment processing service. This is where PCI DSS is relevant and if the agreement mentions the standard, you could lose your account if you don’t take steps to protect PII and customer banking data.