Data Sentinel does it for us, but there are other cheap alternatives. If you do not store any credit card info at all, then you don't need to be as stringent as other merchants who do.

I agree with Erik. Initially we were a level 1 when we did store cc details on our LAN, but now that we don't, although we still need to be stringent and have clear policies, procedures and tools in place for automated (or manual) monitoring of system files and logs, we do not need to be as hot on it as we were (although we still maintain the original standard). The advice I received from Security Metrics when I went through this was that "each network is different and you need to find a solution to suit your own environment and your level of processing." Helpful and unhelpful at the same time. Independent assessors will not give you specific pieces of advice or recommend specific products (in my experience anyway), so you have to do what you think is right based on your own situation. You know yourself if you don't think a piece of software is quite up to the job or the procedure isn't quite right, so you just have to cover all bases until you are happy...

From: Erik Goldoff [mailto:[email protected]]
Sent: 19 May 2011 13:31
To: NT System Admin Issues
Subject: RE: Question on PCI compliance

"However, you need a more clear concept of "expensive"..."

Depends on your budget/revenue, but then again, if you're a level 1 merchant you need to make the most stringent efforts; if you're down at level 4 as a small business with transaction volume towards the bottom of the chart, there can be many 'compensating' controls and mitigating factors that allow less spendy options as reasonable effort.

Erik Goldoff
IT Consultant
Systems, Networks, & Security
' Security is an ongoing process, not a one time event ! '

From: [email protected] [mailto:[email protected]]
Sent: Thursday, May 19, 2011 7:37 AM
To: NT System Admin Issues
Subject: Re: Question on PCI compliance

I'll be watching this thread because we're in a similar situation. However, you need a more clear concept of "expensive"... Tripwire may cost a lot of money.
Fines, higher processing fees, or being denied the right to accept credit card payments - now THAT's expensive!

-- richard

Greg Olson <[email protected]>
05/18/2011 04:01 PM
Please respond to "NT System Admin Issues" <[email protected]>
To: "NT System Admin Issues" <[email protected]>
cc:
Subject: Question on PCI compliance

Hi all,

I have a quick question on PCI compliance and how you guys\gals are handling it for servers you have that take credit card data? We have a small number of servers that basically host the web code to take cc info, and it's then passed on directly to the processor. Nothing stays on the server at any time, but we would like to be able to pass a PCI audit on these servers, which requires that we have "automated" software that monitors and detects changes in the log files, and software that monitors key files (Windows directories and our app directories) for any changes and sends out an alert. We're looking at the Tripwire product, but they seem pretty expensive for the small number of servers we're talking about. Any thoughts? Thanks in advance.

-Greg

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin
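As an added example (not code from the thread, nor from Tripwire or Data Sentinel), here is the kind of baseline-and-compare check that the "monitor key files for changes and send an alert" requirement in Greg's question describes; the monitored directory names, the JSON baseline file and the alert hook are assumptions.

```python
# Added example, not from the thread or any product it names: a minimal
# file-integrity baseline/compare. Directory names and the alert hook are
# assumptions; real deployments keep the baseline off the monitored host.
import hashlib
import json
import os
from pathlib import Path

def hash_file(path: Path, chunk: int = 1 << 16) -> str:
    """SHA-256 of a file, read in chunks so large logs and binaries fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(roots) -> dict:
    """Walk each root and record hash and size of every regular file, keyed by path."""
    baseline = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = Path(dirpath, name)
                if p.is_file():
                    baseline[str(p)] = {"sha256": hash_file(p), "size": p.stat().st_size}
    return baseline

def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots into sorted added / removed / modified path lists."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p]["sha256"] != current[p]["sha256"]),
    }

def save_baseline(roots, baseline_file: Path) -> None:
    """Explicit re-baseline step, run only after an approved change."""
    baseline_file.write_text(json.dumps(build_baseline(roots), indent=2, sort_keys=True))

def check_integrity(roots, baseline_file: Path, alert=print) -> dict:
    """Scheduled check: compare the live tree to the stored baseline and alert on drift.
    The check never rewrites the baseline; it returns the diff so callers can act on it."""
    diff = compare(json.loads(baseline_file.read_text()), build_baseline(roots))
    if any(diff.values()):
        alert("FIM ALERT: " + json.dumps(diff))  # swap in e-mail/syslog/event log here
    return diff
```

Run save_baseline once after an approved deploy and check_integrity from a scheduled task; keep the baseline file and the script outside the monitored directories, ideally on a separate host, since anyone who can alter the application files could otherwise alter the baseline too.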
