1

In today’s competitive world every company wants to give

the best service to their customers to make their life easy.
One of the most popular facility in today’s world are credit
card through which user can borrow money for payment to
merchants or as a cash advance to the users.

To secure the cardholder’s data is a critical concern for

merchants & service providers. For getting the customer’s
trust & giving them satisfaction the five major credit card
companies (Discover Financial Services, American
Express, Visa International JCB, Master-Card Worldwide)
united to support the latest independent body recognized
as the Payment Card Industry Security Standards Council
(PCI SSC), to make stronger security controls among their
members.

If the business process transmits credit card holder’s data,

then the business should comply with PCI compliance
security standards. No matter how many credit cards
company processes or handles, it must comply with all
Payment Card Industry Data Security standards (PCI DSS)
and if the businesses fail to comply with PCI DSS
compliance then they may be imposed by stiff fines and
penalties.
So how can the business achieve these stringent new PCI
DSS compliance requirements on time, without
overburdening IT staff or wasting valuable resources?
Secure Auditor can help, with a strategic, identity based
approach to PCI DSS compliance that addresses the
complete range of requirements. This allows the business
to simplify and automate PCI DSS compliance and
enhance overall IT Security and operations.
Benefits of Secure Auditor PCI Compliance
• Improve Network Security & Business
• Create a safer environment for the customers
• Protect servers and systems
• Comprehensive reports
• Up-to-date security
• Get Customers trust & satisfaction
• Secure from penalties
• Safe and easy-to-use
Payment Card Industry (PCI)
Payment Card Industry data Security Standard (PCI
DSS) is an international information security
standard assembled by the Payment Card Industry
Security Standards Council (PCI SSC). The
standard was created to help organizations that
process card payments to prevent credit card fraud
through increased controls around data and its
exposure to compromise.
Why should you be concerned?
A most important priority to the card associations is
assuring that cardholder information is handled in a
secure manner. All merchants will be required to
meet compliance guidelines. Failure to comply with
these regulations can result in significant fines for
merchants and the possible cancellation of payment
processing capabilities.
PCI DSS compliance Requirements
• Build and maintain a secure IT network
• Protect cardholder’s data
• Maintain a vulnerability management program
• Implement strong access control measures
• Regularly monitor and test networks
• Maintain an information security policy

Secure Auditor Compliance Statement for PCI DSS compliance

 2

Secure Auditor’s Purposed Solution Matrix

Secure Auditor with over 30 embedded utilities has been designed to help organizations to comply PCI DSS Compliance.

PCI Clause No PCI Clause Illustration Compliance statement

PCI/DSS Requirement 1 ( Install and maintain a firewall configuration to protect cardholder data

PCI/DSS 1.1.5 Documentation and business 1.1.5.b Identify insecure services,
justification for use of all protocols, and ports allowed; and
services, protocols, and ports verify they are necessary and that
allowed, including security features are documented
documentation of security and implemented by examining
features implemented for those firewall and router configuration
protocols considered to be standards and settings for each
insecure. service. An example of an insecure
service, protocol, or port is FTP,
which passes user credentials in
clear-text.
Secure Auditor’s port scanner allow users to
check insecure ports like FTP, HTTP, TFTP
and SNMP it also identifies Peer to Peer data
sharing application (P2P), Voice over IP
(VoIP), Games Ports and Trojan Ports on the
host system or network. This helps in checking
if the host computer is running any software
against policy and to find the Trojans present
on the host computer. It also provides
information about the Trojan ports to the end
users, which they can use to double check
whether it is a Trojan port or not and if yes then
how to remove the Trojan.

PCI/DSS 1.2.2 Secure and synchronize router
configuration files.
Verify that router configuration files
are secure and synchronized for
example, running configuration files
(used for normal running of the
routers) and start-up configuration
files (used when machines are
rebooted), have the same, secure
configurations.
Secure Auditor’s Cisco configuration Manager
utility allows the user to download ‘Startup’ and
‘Running’ configurations of Cisco Routers and
change/compare the configurations of different
routers on the network. This utility not only
allows the users to change or compare
configurations but also creates a date-wise
backup each time a configuration is uploaded
into a router. This allows the user to have a
complete trail of changes made on each router
with dates and fulfill compliance requirements.
Users can also use embedded TFTP server
provided with this utility to save configurations.

PCI/DSS 1.3.6 Implement stateful inspection,
also known as dynamic packet
filtering. (That is, only
”established” connections are
allowed into the network.
Verify that the firewall performs Secure Auditor’s port scanner provides option
stateful inspection (dynamic packet to check all TCP ports along with UDP ports.
filtering). [Only established
connections should be allowed in,
and only if they are associated with
a previously established session
(run a port scanner on all TCP ports
with “syn reset” or ”syn ack” bits
set—a response means packets are
allowed through even if they are not
part of a previously established
session).

PCI/DSS 1.4 Install personal firewall software
on any mobile and/or employee
owned computers with direct
connectivity to the Internet (for
example, laptops used by
employees), which are used to
access the organization’s
network.
Verify that the personal firewall
software is configured by the
organization to specific standards
and is not alterable by mobile
computer users.
Secure Auditor conducts audit on Windows
based machines in which it detects whether
desktop firewall software is installed or not. It
verifies the presence of personal firewalls on
both office and mobile users.

Secure Auditor Compliance Statement for PCI DSS compliance


PCI Clause No PCI Clause
PCI/DSS Requirement 2 ( Do not use vendor-supplied defaults for system passwords and other security parameters
PCI/DSS 2.1 Always change vendor-supplied
defaults before installing a
system on the network—for
example, include passwords,
simple network management
protocol (SNMP) community
strings, and elimination of
unnecessary accounts.
PCI/DSS 2.1.1 For wireless environments
connected to the cardholder data
environment or transmitting
cardholder data, change wireless
vendor defaults, including but not
limited to default wireless
encryption keys, passwords, and
SNMP community strings.
Ensure wireless device security
settings are enabled for strong
encryption technology for
authentication and transmission.
PCI/DSS 2.2 Develop configuration standards
for all system components.
Assure that these standards
address all known security
vulnerabilities and are consistent
with industry accepted system
hardening standards.
PCI/DSS 2.2 .2 Disable all unnecessary and
insecure services and protocols
(services and protocols not
directly needed to perform the
device’s specified function)
Secure Auditor Compliance Statement for PCI DSS compliance
3
Illustration
Choose a sample of system
components, critical servers, and
wireless access points, and attempt
to log on (with system administrator
help) to the devices using default
Vendor-supplied accounts and
passwords, to verify that default
accounts and passwords have been
changed. (Use vendor manuals and
sources on the Internet to find
vendor-supplied counts/passwords.)
Default SNMP community strings on
wireless devices were changed.
Examine the organization’s system
configuration standards for all types
of system components and verify the
system configuration standards are
consistent with industry-accepted
hardening standards—for example,
SysAdmin Audit Network Security
(SANS), National Institute of
Standards Technology (NIST), and
Center for Internet Security (CIS).
For a sample of system
components, inspect enabled
system services, daemons, and
protocols. Verify that unnecessary or
insecure services or protocols are
not enabled, or are justified and
documented as to appropriate use of
the service. For example, FTP is not
used, or is encrypted via SSH or
other technology.
Compliance statement
Secure Auditor provides multiple tools to
identify default passwords in a system. Secure
Auditor embedded tools like Oracle password
Auditor, MSSQL Password Auditor, Oracle
Default Password Tester, MSSQL Default
Password Tester, MSSQL Password Auditor
and Windows Password Auditor, all these tools
identify the existence of default passwords in
the system and facilitate compliance with PCI
clause. With the help of SNMP Browser, user
can easily view the entire list of default SNMP
enabled devices. SNMP Scanner identifies the
default community string enabled on the
network. All of these tools facilitate the
compliance tasks of an organization with ease
of use.
SNMP Browser identifies the default SNMP
community names on the machines. SNMP
Brute Force attacker clearly shows that SNMP
default community strings are changed or not.
Secure Auditor examines the overall health of
an organization through its audit process in
which it identifies system components and
configuration settings. Secure Auditor follows
standards of NIST and contains profiles
according to guidelines of PCI DSS, SANS,
SOX, CIS etc. According to these profiles audit
is conducted on specified machines.
Secure Auditor checks registry and
unnecessary or insecure services or protocols
which are enabled, It is also capable to identify
security flaws in it.
 4

PCI Clause No PCI Clause Illustration Compliance statement

PCI/DSS 2.2.3 Configure system security 2.2.3.b Verify that common security Secure Auditor contains embedded profiles
parameters to prevent misuse. parameter settings are included in the that are based on common security
system. parameters defined by international
institutions and compliance standards like PCI
DSS, SANS, SOX, ISACA, CIS etc. Once an
audit is conducted against these standards,
systems are verified according to common
security parameters.

2.2.3.c For a sample of system In Secure Auditor multiple profiles are

components, verify that common embedded that define security parameters of
security parameters are set particular industry. By using these security
appropriately standards user can clearly check that security
parameters are set appropriately or not.

PCI/DSS 2.2.4 Remove all unnecessary For a sample of system components, Secure Auditor checks default registry
functionality, such as scripts, verify that all unnecessary settings that can facilitate in identification of
drivers, features, subsystems, functionalities (for example, scripts, unnecessary functions, configured and
file systems, and unnecessary drivers, features, subsystems, file allowed on a system.
web servers. systems, etc.) are removed. Verify
enabled functions are documented
and support secure configuration, and
that only documented functionality is
present on the sampled machines.

PCI/DSS 2.3 Encrypt all non-console 2.3 For a sample of system Secure Auditor after conducting an audit
administrative access. Use components, verify that no console informs you about the access control for all
technologies such as SSH, VPN, administrative access is encrypted by users and also shows services, encryption,
or SSL/TLS for web based :-Observing an administrator log on to remote log-in and parameter files on systems.
management and other non- each system to verify that a strong By using the Secure Auditor's Event Log
console administrative access. encryption method is invoked before Viewer utility all logs of administrative access
the administrator’s password is can be checked.
requested; - Reviewing services and
parameter files on systems to
determine that Telnet and other
remote log-in commands are not
available for use internally; and –
Verifying that administrator access to
the web based management
interfaces.

Secure Auditor Compliance Statement for PCI DSS compliance


PCI Clause No PCI Clause
PCI/DSS Requirement 3: (Protect stored cardholder data)
PCI/DSS 3.5.1 Restrict access to cryptographic
keys to the fewest number of
custodians necessary.
PCI/DSS 3.6 Fully document and implement
all key-management processes
and procedures for cryptographic
keys used for encryption of
cardholder data, including the
following.
PCI/DSS Requirements 4 ( Encrypt transmission of cardholder data across open, public networks)
PCI/DSS 4.2 Never send unencrypted PANs
by end-user messaging
technologies (for example, e-
mail, instant messaging, chat).
Secure Auditor Compliance Statement for PCI DSS compliance
5
Illustration
3.5.1 Examine user access lists to
verify that access to keys is restricted
to very few custodians.
3.6.a Verify the existence of key-
management procedures for keys
used for encryption of cardholder
data. Note: Numerous industry
standards for key management are
available from various resources
including NIST, which can be found at
http://csrc.nist.gov.
5.2.c For a sample of system
components including all operating
system types commonly affected by
malicious software, verify that
automatic updates and periodic scans
are enabled.
4.2.b Verify the existence of a policy
stating that unencrypted PANs are
not to be sent via end-user
messaging technologies.
Compliance statement
Secure Auditor’s Access rights auditor inform
about access privileges to tables which
contain cryptographic keys.
Secure Auditor by conducting, an audit
according to PCI DSS, SANS, SOX, ISACA
and CIS helps in indentifying key
management from different resources
including NIST.
Secure Auditor's Software Inventory viewer
helps to identify all installed software on the
system according to the company policy and
also indentifies all extra or malicious Installed
software’s. Secure Auditor also informs
whether periodic scan and automatic updates
are enabled or not.
Secure Auditor's port scanner identifies open
ports which uses plain text data like FTP,
HTTP, TFTP and SMTP software, because
the data should be encrypted on both public
and private networks, usage should be limited
only to those protocol and software's that
support encryption.
 6

PCI Clause No PCI Clause Illustration Compliance statement

PCI/DSS Requirements 5 ( Use and regularly update anti-virus software)

PCI/DSS 5.1 Deploy anti-virus software on all
systems commonly affected by
malicious software (particularly
personal computers and servers.)
For a sample of system Secure Auditor checks for
components including all antivirus software and its last
operating system types updated file. Making it easily
commonly affected by malicious verifiable through Secure Auditor
software, verify that anti-virus whether Antivirus is deployed and
software is deployed if applicable up to dated.
anti-virus technology exists

PCI/DSS 5.1.1 Ensure that all anti-virus 5.2.c For a sample of system Secure Auditor's Software
programs are capable of components including all Inventory viewer helps to identify
detecting, removing, and operating system types all installed software on the
protecting against all known types commonly affected by malicious system according to company
of malicious software. software, verify that automatic policy and also indentifies all
updates and periodic scans are extra or malicious software’s.
enabled. Secure Auditor also informs
whether periodic scan and
automatic updates are enabled.

PCI/DSS 5.2 Ensure that all anti-virus 5.2.a Obtain and examine the Secure Auditor performs checks
mechanisms are current, actively policy and verify that it requires to identify that an anti virus is
running, and capable of updating of antivirus software and running on a windows based
generating audit logs. definitions. machine. It also keeps a check on
its updated definitions file are
informs the user about the last
update of the antivirus on a
particular system.

PCI/DSS Requirements 6 ( Develop and maintain secure systems and applications)

PCI/DSS 6.1 PCI DSS Requirements Ensure 6.1.a For a sample of system Secure Auditor regularly checks
that all system components and components and related software, patches installed on Windows,
software have the latest vendor compare the list of security Oracle and MSSQL. It compares
supplied security patches patches installed on each system the list of security patches
installed. Install critical security to the most recent vendor security installed on each system to the
patches within one month of patch list, to verify that current most recent vendor security patch
release. vendor patches are installed. list, to verify that current vendor
patches are installed or not. It
clearly indicates patches that are
yet to be installed.

6.1.b Examine policies related to Secure Auditor checks patches

security patch installation to verify and depicts their date for the last
they require installation of all file update that makes it possible
critical new security patches for cross check policy
within one month. requirements of updating security
patch installation within 1 month.

Secure Auditor Compliance Statement for PCI DSS compliance

 7

PCI Clause No PCI Clause Illustration Compliance statement

PCI/DSS 6.2 6.2.b Verify that processes to 6.2.b Verify that processes to Secure Auditor conducts an audit
identify new security identify new security according to predefined
vulnerabilities include using vulnerabilities include using embedded profiles that are based
outside sources for security outside sources for security on common security parameters
vulnerability information and vulnerability information and defined by international
updating the system configuration updating the system configuration institutions and compliance
standards reviewed in standards reviewed in standards like PCI DSS, SANS,
Requirement 2.2 as new Requirement 2.2 as new SOX, ISACA and CIS. After
vulnerability issues are found. vulnerability issues are found. auditing it identifies vulnerabilities
and provides the description and
step by step solution for Identified
vulnerabilities.

PCI/DSS 6.3.6 Removal of custom application Custom application accounts, Secure Auditor detects default
accounts, user IDs, and user IDs and/or passwords are passwords in Oracle MSSQL and
passwords before applications removed before system goes into Oracle based applications, during
become active or are released to production or is released to the enumeration phase default
customers customers. password in windows can be
checked .With the help of Secure
Auditor default passwords can be
checked easily which should
removed, before going to
customers or before starting
production.

PCI/DSS 6.4 Follow change control procedures 6.4 b. For a sample of system
for all changes to system components and recent
components changes/security patches, trace
those changes back to related
change control documentation.
For each change examined.
System component and security
patches changes defined in
change control documents can be
verified through identification by
Secure Auditor with the help of
audit and enumeration.

PCI/DSS Requirements 7 ( Restrict access to cardholder data by business need to know )

PCI/DSS 7.1.1 Assignment of privileges is based
on individual personnel’s job
classification and function.
Confirm that privileges are
assigned to individuals based on
job classification and function
(also called “role-based access
control” or RBAC).
Access Rights auditor conducts
an audit on role based access
rights granted on oracle and
MSSQL server.

PCI/DSS 7.1.4 Implementation of an automated 7.1.4 Confirm that access Secure Auditor provides the
access control system controls are implemented via an information about the file and
automated access control folder permission. It checks the
system. user rights and privileges on the
system.

PCI/DSS 7.2.2 Assignment of privileges to Confirm that access control Access rights auditor clearly
individuals based on job systems are configured to enforce audits and demonstrates that
classification and function. privileges assigned to individuals access rights and privileges are
based on job classification and assigned in accordance with the
function. needs and requirements of job
functions.

Secure Auditor Compliance Statement for PCI DSS compliance

 8
PCI Clause
PCI Clause No
PCI/DSS Requirements 8 ( Assign a unique ID to each person with computer access)
PCI/DSS 8.5.3 Set first-time passwords to a
unique value for each user and
change immediately after the first
use.
PCI/DSS 8.5.5 Remove/disable inactive user
accounts at least every 90 days.
PCI/DSS 8.5.6 Enable accounts used by vendors
for remote maintenance only
during the time period needed.
PCI/DSS 8.5.8 Do not use group, shared, or
generic accounts and passwords.
PCI/DSS 8.5.9 Change user passwords at least
every 90 days.
Secure Auditor Compliance Statement for PCI DSS compliance
Illustration
8.5.3 Examine password
procedures and observe security
personnel to verify that first-time
passwords for new users are set
to a unique value for each user
and changed after first use.
Verify that inactive accounts over
90 days old are either removed or
disabled.
8.5.6 Verify that any accounts
used by vendors to support and
maintain system components are
disabled, enabled only when
needed by the vendor, and
monitored while being used.
8.5.8. A. For a sample of system
components, examine user ID
lists to verify the following
Generic user IDs and accounts
are disabled or removed. *
Shared user IDs for system
administration activities and other
critical functions do not exist.
Shared and generic user IDs are
not used to administer any
system components. Audit,
password audit,
For a sample of system
components, obtain and inspect
system configuration settings to
verify that user password
parameters are set to require
users to change passwords at
least every 90 days.
Compliance statement
Secure Auditor's Password
Auditor tools helps identify
default, common easily guessable
passwords. It can help you to
identify whether a user changed
their default password provided
by the administrator. Secure
Auditor also checks password
policy according to the
Company’s Standards.
Secure Auditor shows in its audit
results the number of inactive
accounts for over 90 days.
Secure Auditor Checks the
default accounts which exist in
the system and also respective
informs whether the account is
enabled or disabled. The
activities of user accounts can be
traced by using Secure Auditor’s
Event Log Viewer tool,
furthermore one can use default
password tester to test the
accounts with default passwords.
Secure Auditor’s audit process
identifies generic user IDs and
shared user IDs which are
present in the system. Secure
Auditor also depicts privileges
given to the particular shared
account and determines whether
privileges for system activities
and other critical functions exist.
Event log viewer verify this
feature in much detail by showing
logs that generic user Ids are
used by someone as it is not
possible for anyone to use
disabled IDs . Password Auditor
fetches passwords and
usernames for a particular system
that determines user enabled IDs
on a system.
Secure Auditor identifies the
passwords that are 90 days old or
more. It also checks the
password policy to make sure
password parameters are set in a
way that requires users to change
passwords at least every 90 days.
 9
PCI Clause No PCI Clause
PCI/DSS 8.5.10 Require a minimum password
length of at least seven
characters.
PCI/DSS 8.5.11 Use passwords containing both
numeric and alphabetic
characters.
PCI/DSS 8.5.12 Do not allow an individual to
submit a new password that is the
same as any of the last four
passwords he or she has used.
PCI/DSS 8.5.13 Limit repeated access attempts
by locking out the user ID after
not more than six attempts.
PCI/DSS 8.5.14 Set the lockout duration to a
minimum of 30 minutes or until
administrator enables the user ID.
Secure Auditor Compliance Statement for PCI DSS compliance
Illustration
For a sample of system
components, obtain and inspect
system configuration settings to
verify that password parameters
are set to require passwords to
be at least seven characters long.
For a sample of system
components, obtain and inspect
system configuration settings to
verify that password parameters
are set to require passwords to
contain both numeric and
alphabetic characters. For service
providers only, review internal
processes and customer /user
documentation to verify that
customer passwords are required
to contain both numeric and
alphabetic characters.
For a sample of system
components, obtain and inspect
system configuration settings to
verify that password parameters
are set to require that new
passwords cannot be the same
as the four previously used
passwords.
For a sample of system
components, obtain and inspect
system configuration settings to
verify that password parameters
are set to require that a user’s
account is locked out after not
more than six invalid logon
attempts.
For a sample of system
components, obtain and inspect
system configuration settings to
verify that password parameters
are set to require that once a user
account is locked out, it remains
locked for a minimum of 30
minutes or until a system
administrator resets the account.
Compliance statement
Secure Auditor verifies
implemented password policy on
a system or database and checks
whether the password policy
parameters are set to accept a
minimum of at least seven
characters.
Secure Auditor also checks
password policy to determine that
password policy is set to use
strong passwords that contain
numerical and alphabetical
characters. It also identifies and
fetches weak passwords on a
system that verifies extend of
implications on password policy.
Secure Auditor checks the
password policy and checks if the
password history is properly set
according to the PCI standards.
Secure Auditor checks account
lockout policy set on a system
according to the PCI standards.
This feature will verify that
password parameters are set to
require that a user’s account is
locked out after not more than six
invalid logon attempts.
Secure Auditor checks the
account lock out duration
according to the PCI standards.
These auditing processes verify
that account will remain locked for
30 minutes or until administrator
enables the user ID.
 10

PCI Clause Illustration Compliance statement

PCI Clause No

PCI/DSS Requirements 10 ( Track and monitor all access to network resources and cardholder data )

PCI/DSS 10.2.2 All actions taken by any individual Verify actions taken by any Event log viewer clearly verifies
with root or administrative individual with root or actions taken by any individual
privileges administrative privileges are with root or administrative
logged. privileges. It fetches Oracle,
MSSQL and Windows log and
displays them in a readable
manner in the form of a report
that demonstrate all active made
by users having administrative
privileges.

PCI/DSS 10.2.3 Access to all audit trails Verify access to all audit trails is Secure Auditor checks whether
logged. audit trail is being logged or not. It
checks whether audit trail logging
is enabled or disabled on the
system.

PCI/DSS 10.2.4 Invalid logical access attempts Verify invalid logical access Event log viewer generates
attempts are logged. separate report to provide lists of
logical access attempts made on
a particular system.

PCI/DSS 10.2.5 Use of identification and Verify use of identification and Event Log viewer provides logs
authentication mechanisms authentication mechanisms is related to initialization and
logged. authentication mechanisms
defined for a particular system.

PCI/DSS 10.2.6 Initialization of the audit logs Verify initialization of audit logs is With the help of Event Log viewer
logged. user can verify initialization of
audit logs.

PCI/DSS 10.2.7 Creation and deletion of system Verify creation and deletion of With the help of event log viewer
level objects system level objects is logged. user can verify the creation and
deletion of system level objects
with details that who has
performed. Such actions on a
certain time at a particular
instance.

PCI/DSS 10.3.1 User identification Verify user identification is Event Log Viewer provides facility
included in log entries. to view logs of a particular user
that helps in verifying log entries
according to a particular user

PCI/DSS 10.3.2 Type of event Verify type of event is included in Event type is clearly mentioned in
log entries. event log viewer reports.

PCI/DSS 10.3.3 Date and time Verify date and time stamp is Event log viewer represents log
included in log entries. entries along with date and time.
It helps user in verifying time and
date of a particular query

Secure Auditor Compliance Statement for PCI DSS compliance

 11

PCI Clause No PCI Clause Illustration Compliance statement

PCI/DSS 10.3.4 Success or failure indication Verify success or failure Event log viewer generates
indication is included in log reports about successful or failed
entries. log in attempts made by different
users that help in determining the
number of successful and failed
log entries on a particular system.

PCI/DSS 10.3.5 Origination of event Verify origination of event is Whenever an event is occurred, it
included in log entries. is logged. Event log viewer
provides the user an ability to
trace the origination of events
along with the related machine
name and IP address.

PCI/DSS 10.3.6 Identity or name of affected data, Verify identity or name of affected Secure Auditor provides exact
system component, or resource data, system component, or instance details of infected data
resources is included in log along with name, system
entries. components and resources
through event log reports and fine
grained audit report viewable
through the Event log viewer.

PCI/DSS 10.4 Synchronize all critical system 10.4. Obtain and review the Secure Auditor checks the time
clocks and times. process for acquiring and settings that could be verified
distributing the correct time within through cross check with policy
the organization, as well as the that whether system is following
time-related system-parameter defined time related parameter
settings for a sample of system settings.
components. Verify the following
is included in the process and
implemented

10.4 .a. Verify that a known, Secure Auditor checks Network

stable version of NTP (Network time protocol that could be
Time Protocol) or similar compared a with system time to
technology, kept current per PCI check that NTP technology is
DSS Requirements 6.1 and 6.2, kept current and synchronized
is used for time synchronization. according to PCI requirements.

PCI/DSS 10.7 Retain audit trail history for at 10.7.b Verify that audit logs are Secure Auditor checks if the
least one year, with a minimum of available for at least one year and Auditing is enabled according to
three months immediately processes are in place to restore company’s policy and Secure
available for analysis (for at least the last three months’ Auditor's Event Log Viewer tool
example, online, archived, or logs for immediate analysis. can show the previous log which
restorable from backup). may be required. Logs can be
maintained by saving logs on
monthly or yearly basics.

Secure Auditor Compliance Statement for PCI DSS compliance

 12
PCI Clause No PCI Clause Illustration
PCI/DSS 11.2 Run internal and external network 11.2. A Inspect output from the
vulnerability scans at least most recent four quarters of
quarterly and after any significant internal network, host, and
change in the network (such as application vulnerability scans to
new system component verify that periodic security testing
installations, changes in network of the devices within the
topology, firewall rule cardholder data environment
modifications, product upgrades). occurs. Verify that the scan
process includes rescans until
passing results are obtained
11.2.b Verify that external
scanning is occurring on a
quarterly basis in accordance with
the PCI Security Scanning
Procedures,
11.2.c Verify that internal and/or
external scanning is performed
after any significant change in the
network, by inspecting scan
results for the last year. Verify
that the scan process includes
rescans until passing results are
obtained
PCI/DSS 11.3 Perform external and internal Obtain and examine the results
penetration testing at least once a from the most recent penetration
year and after any significant test to verify that penetration
infrastructure or application testing is performed at least
upgrade or modification annually and after any significant
changes to the environment.
PCI/DSS 11.3.1 Network-layer penetration tests 11.3.1 Verify that the penetration
test includes network-layer
penetration tests. These tests
should include components that
support network functions as well
as operating systems.
PCI/DSS Requirement 12: Maintain a policy that addresses information security for employees and contractors.
PCI/DSS 12.1.1 Addresses all PCI DSS 12.1.1 Verify that the policy
requirements. addresses all PCI DSS
requirements.
Secure Auditor Compliance Statement for PCI DSS compliance
Compliance statement
Secure Auditor conducts
vulnerability scanning on
networks, hosts and database
assets to identify loopholes in
them. Its report facilitates
comparison and contrast result of
multiple audits conducted over a
period of time.
Secure Auditor provides facilities
to scan vulnerabilities. Automated
audits can be scheduled on
defined dates and their reports
can be compared to ensure
quarterly dates of audits.
Secure Auditor can help in
verifying significant changes in
the network by comparing
variation within the reports. User
can compare results of two years
through an archive reports facility
embedded in Secure Auditor.
Secure Auditor provides
penetration testing tools that
facilitate users in performing
penetration tests. So using
Secure Auditor ensures that
penetration testing is performed
at least annually to fulfill the
requirement.
Secure Auditor contains utilities
that provide facilities to conduct
network penetration tests like
SNMP browser, SNMP brute
force attacker, Port Scanner, FTP
and HTTP attackers etc. their
reports are also generated so the
user can compare them to identify
significant changes to the
environment and fulfill compliance
clause requirements as well.
PCI DSS requirements are
included in Secure Auditor which
helps an organization to comply
with PCI DSS.