If your organization processes, stores, or transmits payment cardholder information associated with American Express, Discover Financial Services, JCB International, MasterCard Worldwide, or Visa Inc. International, it must comply with the Payment Card Industry Data Security Standard (PCI DSS). The requirements defined in this standard, which were developed by the PCI Security Standards Council, are designed to establish the minimum acceptable level of security for cardholders who use your organization's services.
Achieving compliance with PCI DSS can be challenging, and can significantly affect your organization's business processes, service architecture, and technology solutions. For example, in order to establish a fully functional, documented, and enforced PCI DSS compliance strategy, it is important to centrally coordinate compliance efforts across your organization. Guidance that can help your organization with these efforts is available in the Governance, Risk, and Compliance (GRC) Service Management Function, as well as other service management functions (SMFs) in Microsoft Operations Framework (MOF) 4.0. Organizations must also consider which GRC authority documents apply to them, and how overlaps in control objectives can be addressed as efficiently as possible. Complying with multiple sets of regulations will likely require additional research to determine whether there are overlapping requirements that mandate a separate set of controls. Such complexities can make it difficult to understand how to respond appropriately to different regulatory requirements, as well as how to do so in a cost-effective manner. Compliance with regulatory, industry standard, and client-issued requirements affects the organization's ability to conduct business effectively, and may be measured differently for each.
The Payment Card Industry Data Security Standards (PCI DSS) Compliance Planning Guide is designed to help individuals who are responsible for addressing PCI DSS requirements in their organizations. The purpose of this guide is to help IT managers understand how they can start to address many IT control requirements that apply to their organizations, including PCI DSS compliance requirements. The guide also provides information about technology solutions that can help facilitate this process.
Important This planning guide does not provide legal advice. The guide only provides factual and technical information about PCI DSS. Do not rely exclusively on this guide for advice about how to address your regulatory requirements. For specific questions, consult your legal counsel, GRC subject matter expert, and PCI assessor.
The PCI DSS Compliance Planning Guide is designed to help organizations address the requirements of version 1.2 of the Payment Card Industry Data Security Standard (PCI DSS). Specifically, this guide is intended for merchants that accept payment cards, financial institutions that process payment card transactions, and service providers—third-party companies that provide payment card processing or data storage services. IT solutions for each of these groups must address all PCI DSS 1.2 requirements.
This guide is intended to extend the IT Compliance Management Guide, which introduces a framework–based approach to creating IT controls as part of your organization's efforts to comply with multiple regulations and standards. The IT Compliance Management Guide also provides configuration and operation guidance for Microsoft products and technology solutions that you can use to implement a series of IT controls to help address PCI DSS requirements, as well as many other regulatory obligations that your organization may have.
This guide includes the following sections:
Because this guide is a supplement to the IT Compliance Management Guide, Microsoft recommends that you reference both guides when planning a complete solution to help address all applicable regulatory requirements for your organization.
Note If your organization provides automatic teller machines (ATMs) as part of its service offerings, Microsoft provides architectural and security guidance for the software, systems, and networks that support ATMs.
The PCI DSS Compliance Planning Guide is primarily for individuals who are responsible for ensuring that their organizations collect, process, transmit, and store cardholder data securely and reliably, while maintaining cardholder privacy. Typically, these responsibilities are addressed by individuals serving in one or more of the following roles:
In addition, the following individuals might also find this guide to be helpful:
For more details about key roles and responsibilities, refer to the MOF 4.0 Team SMF, which identifies key roles and responsibilities in an IT operations environment.
PCI DSS is a set of comprehensive requirements designed to ensure that cardholder credit and debit card information remains secure regardless of how and where it is collected, processed, transmitted, and stored. Developed by the founding members of the PCI Security Standards Council—including American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.—PCI DSS helps protect credit card customers through established business and technical best practices and encourages international adoption of consistent data security measures.
Additional information about PCI DSS is available on the About the PCI Data Security Standard (PCI DSS) page of the PCI Security Standards Council's Web site.
PCI DSS version 1.2 is the most recent version of the standard, and supersedes all previous versions of PCI DSS. The standard is organized into the following group of six principles and 12 requirements. Each requirement contains subrequirements for which you must implement processes, policies, or technology solutions to comply with the requirement:
Requirements 9 and 12 do not demand that you implement technology solutions. Requirement 9 instructs you to address the physical security of the locations where cardholder data is stored and processed. Addressing this requirement could include implementing building access security, installing and maintaining surveillance equipment, and requiring identity checks for all individuals who work at or visit your facilities. Requirement 12 instructs you to create an information security policy and disseminate it to your employees, vendors, and any other parties within your organization who work with cardholder data.
It is neither efficient nor cost-effective to create PCI DSS compliance solutions in isolation from other applicable GRC objectives. Other regulations must be considered when planning your approach to such compliance solutions, including the following:
Note If your organization is a multinational business, or accepts transactions from international locations, you should have a discussion with your GRC subject matter expert to ensure that it is in compliance with governmental regulations for all locations where you do business. Microsoft also suggests that you consult legal counsel with knowledge of all regulations for the locations where your organization does business.
PCI DSS compliance solutions should be developed with full awareness of existing solutions that satisfy other regulatory requirements. To accomplish compliance goals efficiently and effectively, Microsoft recommends that you use a control framework to map applicable regulations and standards, which will help your organization be more efficient through a harmonized set of controls. Details on effective frameworks that can help address your organization's regulatory compliance objectives are available in the IT Compliance Management Guide.
Using the Microsoft Operations Framework (MOF), you can take advantage of several service management functions that help to organize compliance efforts. The Plan phase of MOF contains the Business/IT Alignment, Reliability, and Policy service management functions. Use these functions to determine how your organization may take advantage of IT to meet the compliance needs of the business in a reliable and policy-driven manner. The Manage layer contains the Governance, Risk, and Compliance Service Management Function, which focuses on meeting the goals of compliance through proper resourcing and analysis of business value. After adopting a compliance framework, you can map new regulations and standards that affect the organization to it. You can then concentrate your efforts efficiently on those parts of the framework in which requirements have changed.
A framework provides many significant benefits for organizations seeking to achieve their compliance objectives. A framework–based approach to compliance allows organizations to accomplish the following:
Review PCI DSS prior to planning your compliance efforts to meet the standard. The PCI Security Standards Council's Web site provides a helpful Portable Document Format (PDF) file titled Navigating PCI DSS – Understanding the Intent of the Requirements. In addition, the Council has created a New Self-Assessment Questionnaire that can help your organization determine whether it is in compliance with PCI DSS. You can also use it to help plan your organization's PCI DSS compliance efforts. The PCI Council has also provided guidance for prioritizing how to achieve DSS compliance.
For more information about supporting documentation for PCI DSS 1.2, such as a summary of changes made to version 1.1 of the standard, and general FAQs, see the Supporting Documents PCI DSS V1.2 page.
The audit process for PCI DSS compliance is generally similar to the process outlined in the IT Compliance Management Guide. However, a few details that are specific to PCI DSS auditing in this section might be useful to your IT staff.
The PCI SSC New Self-Assessment Questionnaire (SAQ) contains a tiered audit formula to determine what type of audit is required of your organization. Factors include the role of your organization (service provider or merchant), and the data elements and monthly transaction volume processed by your organization. Answers to these questions determine whether a self-audit is sufficient, or whether an onsite audit and attestation by a qualified third-party organization is required. Consult the PCI DSS Applicability Information, Scope of Assessment for Compliance with PCI DSS Requirements, and Additional PCI DSS Requirements for Shared Hosting Providers sections of PCI DSS for further information. Then complete the Self-Assessment Questionnaire (PDF) to determine what level of audit is required of your organization. The logical diagram at the end of this questionnaire can assist you in determining your audit requirements.
PCI DSS audit reviews are performed by two types of third-party organizations, known as Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs). QSAs perform the onsite portions of an audit, while ASVs perform vulnerability scans of your organization's Internet-facing environments. Organizations that become QSAs and ASVs must be reviewed and approved by the PCI Security Standards Council (PCI SSC) once a year.
The QSA is required to prepare a Report on Compliance (ROC) after auditing your organization, which must follow specific guidelines defined by the PCI SSC. These guidelines are contained in a Security Audit Procedures (PDF) document for merchants on the PCI Security Standards Council's Web site. Service providers and merchants must complete an Attestation of Compliance document (Microsoft® Word document), which is also available from the Council's Web site.
The guidelines specify how to organize the report that the QSA must file after the audit. This report includes the contact information for your organization, the date of the audit, an executive summary, a description of the scope of work, as well as the approach the QSA took in auditing your organization, quarterly scan results, compensating controls (if any), and the QSA's findings and observations. The last section contains the bulk of the information about your organization's compliance with PCI DSS. In this section, the QSA uses a template to report on your organization's compliance with each of the PCI DSS requirements and subrequirements.
As you plan for and schedule PCI DSS audits for your organization, your legal counsel, GRC subject matter expert, internal auditor, and the IT management of your organization should review PCI DSS audit procedures as identified. A project scope best practice can be found in MOF section 3.2 Project Plan. Using this information can help you fully understand what the QSA will review during your audit.
The ASV must also prepare a report on the results of their vulnerability scans on your organization's Internet-facing environments. Guidelines for this report are contained in a Security Scanning Procedures (PDF) document available on the PCI Security Standards Council's Web site posted in the PCI DSS Security Scanning Procedures section of the supporting documents. This document specifies what elements of your organization's environment the ASV must scan and includes a key to help you read and interpret the ASV's report.
As a merchant or service provider, your organization must follow each payment card company's respective compliance reporting requirements to ensure that they acknowledge your organization's compliance status. Each payment card company has slightly different compliance rules and procedures. For more information about specific PCI DSS compliance requirements, and the support programs each company offers to enable merchant and service provider compliance, contact the payment card companies for which your organization processes, transmits, or stores cardholder data.
This section describes Microsoft technology solutions that your organization might consider when it plans for PCI DSS compliance. Incorporate the solutions that you choose into the everyday workings of your organization. As mentioned in the "Planning for PCI DSS Compliance" section earlier in this guide, your organizational policies, processes, procedures, and technology solutions should address regulatory compliance across your entire organization, and you should consider how PCI DSS compliance will affect all parts of your organization.
For a detailed discussion of the considerations involved in mapping IT controls to technology solutions, see the IT Compliance Management Guide and other related guidance in the Regulatory Compliance TechCenter on Microsoft TechNet. In addition, using Microsoft Operations Framework 4.0 can provide integrated best practices, principles, and activities that will help guide your organization through the best service-oriented functions using well-defined service management functions (SMFs) that are grouped to better address all phases of service management. Your organization can take advantage of a MOF–based approach to help ensure that planning, deployment, and monitoring are done in the most effective manner.
For example, a PCI review will often involve the use of external help. To ensure that contractor resources are well utilized and managed correctly, MOF 4.0 provides valuable guidance for engaging them in an optimal method.
Document management solutions combine software and processes to help you manage unstructured information in your organization. This information might exist in many digital forms, including documents, images, audio and video files, and XML files.
Implementing document management solutions helps with PCI DSS compliance in two ways. First, using such solutions to manage documents that contain cardholder data can help address PCI DSS requirements that relate to data access, management, and protection. Specifically, you can use document management solutions to meet requirement 7 and subrequirement 10.2.1. Second, you can use document management systems to maintain and publish policies, such as those required to fulfill Sections 3.6, 6.4, 9.2, and 12.
For the full text of each of these requirements, see Navigating PCI DSS – Understanding the Intent of the Requirements (PDF) on the PCI Security Standards Council's Web site.
Microsoft offers a number of technologies that you can use together or independently to create IT controls for document management. Design these controls to meet PCI DSS requirements, as well as any other regulatory requirements that are applicable to your organization.
Microsoft Windows® Rights Management Services. Windows Rights Management Services (RMS) is a software platform that helps applications safeguard digital information from unauthorized use—both online and offline, and inside and outside of the firewall. RMS is the foundational technology behind the Information Rights Management (IRM) features of Microsoft Office and Windows SharePoint® Services. An RMS server, either deployed in-house or accessed through a hosted service, is required to use these features. RMS can augment your organization's security strategy by protecting information through persistent usage policies, which remain with the information no matter where it goes. You can use RMS-enabled applications to manage, control, and audit access to documents that contain card holder information. The RMS client is integrated into the Windows Vista® operating system. For other versions of Windows, the RMS client is available as a free download.
Microsoft Office SharePoint® Server. SharePoint Server is a collaboration and content management server that allows you to use one integrated platform to support the portal and document management needs of your organization. It allows you to support intranet, extranet, and Web applications across your enterprise, and provides your IT professionals and developers with the platform and tools they need for server administration, application extensibility, and interoperability. You can use SharePoint Server as a central repository for documents that contain cardholder data, as well as for documents that describe policies and processes. SharePoint® Server 2007 is integrated with RMS, so that access control policies can be enforced on all copies of content downloaded from SharePoint Server 2007. This feature enables site administrators to protect downloads from a document library with IRM. When a user attempts to download a file from the library, Microsoft Windows SharePoint Services verifies that the user has permissions to the given file, and then issues a license to the user that enables access to the file at the appropriate permissions level. Windows SharePoint Services then downloads the file to the user's computer in an encrypted, rights-managed file format. Microsoft recommends that you store credit card information in an encrypted database, not in documents in a collaboration environment. Policies, procedures, audit information, and the PCI DSS itself could be stored in the collaborative environment to facilitate controlled and efficient access to required information.
Microsoft Exchange Server. For most organizations today, e-mail is the mission-critical communications tool that employees must use to produce their best results. This greater reliance on e-mail has increased the number of messages sent and received, the amount and variety of work performed by e-mail, and even the speed of business itself. Exchange Server provides a rich messaging platform to manage information exchange in your organization while helping meet PCI DSS compliance objectives. Exchange Server 2007 includes unified messaging, which consolidates email, voice mail, and faxes sent to a user into a single inbox. It also offers features that enable your organization to apply retention rules, scan and act on messages in transport, flexibly journal, and perform rich text searches across all deployed mailboxes.
Microsoft Office. Office is the premier suite of productivity applications for organizations. The Information Rights Management (IRM) feature of Microsoft Office helps organizations control access to sensitive information such as cardholder data.
Risk assessment is the process by which your organization identifies and prioritizes risks to your business. Typically, you use a systematic method to identify the assets of an information-processing system, the threats to those assets, and the vulnerability of the system to those threats. In the context of regulatory compliance, risk assessment is the process of assessing the level of compliance and the compliance inadequacies within your organization. When planning for PCI DSS compliance, your primary concern is to identify risks to cardholder data and to prioritize the solutions that mitigate those threats.
Risk assessment can help you address PCI DSS requirements in a number of ways. It allows you to identify the areas in your network that need to be upgraded to achieve compliance. Even after you have achieved initial compliance, risk assessment is important in determining whether your organization stays in compliance over time. Because you can use risk assessment to address many potential issues, it can help you achieve compliance with many of the PCI DSS requirements, including requirements 1, 3, 4, 5, 6, 7, 8, and 11.
For full text of each of these requirements, see Navigating PCI DSS – Understanding the Intent of the Requirements (PDF) on the PCI Security Standards Council's Web site.
Microsoft offers a number of technologies that you can use together or independently to create IT controls for risk assessment. Design the following controls to meet PCI DSS requirements, as well as other regulatory requirements that are applicable to your organization:
Microsoft Security Assessment Tool (MSAT). A free tool that provides organizations with the ability to assess weaknesses in a working IT environment. MSAT provides guidance, reveals a prioritized list of issues, and helps provide specific guidance to minimize those risks. MSAT is an easy, cost-effective way to start strengthening the security of your computing environment and your business. Begin the process by taking a snapshot of your current security state, and then use MSAT to continuously monitor your infrastructure's ability to respond to security threats. MSAT consists of over 200 questions covering infrastructure, applications, operations, and people.
Microsoft Baseline Security Analyzer (MBSA). One of the primary tools you can use to assess risk to cardholder data in your organization is the MBSA tool. This easy-to-use tool identifies common security misconfigurations in a number of Microsoft products, including Microsoft Windows operating systems, Internet Information Services (IIS), SQL Server®, Microsoft Internet Explorer®, and Microsoft Office. The MBSA tool also scans for missing security updates, update rollups, and service packs published to Microsoft Update. You can run the MBSA tool from the command prompt or in its GUI, and you can use it with Microsoft Update and Microsoft Windows Server® Update Services. Because keeping your systems current is a very important way to make cardholder data as secure as possible, the MBSA tool can be invaluable for assessing data risk in your organization.
Microsoft Systems Management Server. If your organization uses Microsoft Systems Management Server (SMS) to manage client computers and servers, you may already have some of the tools you need to perform risk assessment for cardholder data. With SMS, your organization can remotely manage security settings on computers running Windows operating systems over distributed networks. You can inventory whether computers on your network have installed required software updates and track the progress of update rollouts to those computers. SMS also enables you to generate reports that identify your full hardware and software inventory, the configuration details and status for computers on your network, and the status of software deployments and deployment errors. These SMS features can be very important in assessing risk to cardholder data within your organization.
Microsoft System Center Operations Manager Audit Collection Services (ACS). Operations Manager 2007 can securely and efficiently extract and collect security logs from computers running Windows operating systems and store them for later analysis and reporting. The extracted logs are stored in a separate Audit Collection server database. Operations Manager ships with reports that you can use for ACS data. You can use Audit Collection to produce various compliance reports, such as supporting Sarbanes-Oxley audits. You also can use ACS for security analysis, such as intrusion detection and unauthorized access attempts.
Windows Server Update Services. Windows Server Update Services with Service Pack 1 (SP1) enables your organization to deploy many of the latest Microsoft product updates published to the Microsoft Update site. Windows Server Update Services is an update component of Windows Server and offers an effective and quick way to help keep systems up to date. WSUS provides a risk assessment infrastructure that consists of the following:
Group Policy. Group Policy is a capability that enables IT professionals to implement specific configurations for users and computers. Group Policy settings are contained in Group Policy objects (GPOs), which are linked to Active Directory® Domain Services (AD DS) containers such as sites, domains, and organizational units (OUs). You can centrally manage computers across a distributed network using Group Policy. Because your administrators can use Group Policy to distribute software across a site, domain, or range of OUs, it can be an important tool for determining risks to your organization's IT environment. You can use the Microsoft Group Policy Management Console (GPMC) to manage Group Policy settings. The GPMC is designed to simplify the management of Group Policy by providing a single place for managing core aspects of Group Policy. GPMC addresses the top Group Policy deployment requirements, as requested by customers, by providing the following:
For more information about Group Policy, see the Windows Server Group Policy page on Technet, and Introducing the Group Policy Management Console. Consider using the GPOAccelerator as part of the Security Compliance Management Toolkit Series to deploy recommended security settings for your environment. Using this tool can save you hours of work that you would otherwise need to configure these settings.
MOF Change and Configuration Management is a structured process by which your organization assesses changes to a project plan, an IT infrastructure, software deployments, or other processes or procedures in your organization. A change management system can help you define a change, evaluate the impact of the change, determine what actions are required to implement the change, and disseminate information about the change across your organization. It can also help you track the changes you make in your organization and help you maintain control of your IT environment as you make changes to it.
For example, a change management system could involve a database to help personnel make better decisions about future changes based on historical data that indicates the success or failure of similar changes that have been tried in the past. Change management is also a structured process that communicates the existence and status of changes to all affected parties. The process can yield an inventory system that indicates what actions were taken and when the actions affect the status of key resources, which can help predict and eliminate problems and simplify resource management.
Change management is as critical to PCI DSS compliance as it is to any other regulatory compliance effort. If your organization does not know what changes it has made to its IT environment, it is difficult to claim with any certainty that the environment is secure. Tracking changes in your network, systems, policies, and procedures helps you to meet PCI DSS requirements 6 and 11.
For the full text of each of these requirements, see Navigating PCI DSS – Understanding the Intent of the Requirements (PDF) on the PCI Security Standards Council's Web site.
Microsoft offers multiple technologies for you to consider when designing your change management solutions.
Microsoft Office SharePoint Server 2007. In addition to being a technology option for your document management solutions, Microsoft Office SharePoint Server 2007 can also be a key element in a change management system for your organization. You can use its version tracking capabilities to monitor changes in policy and process documents, updates and other changes to applications, and changes in approved software over time.
Microsoft Systems Management Server. Not only can you use SMS to manage risk assessment for your organization, you can also use its management features to track changes in computer systems across your organization. SMS tracks security setting changes as well as applications installed on servers and client computers across the network. You also can use the powerful reporting functionality built in to SMS to review the changes that have been made to computers in your organization and whether these changes address the security requirements you have established.
Microsoft SMS 2003 Desired Configuration Monitoring 2.0. You can augment your SMS operations with the SMS 2003 Desired Configuration Monitoring (DCM) feature. You can use DCM to automate the configuration management audits between desired or defined configuration settings and actual configuration settings. DCM accomplishes this by allowing users to define desired hardware, operating system, and application configuration settings in multiple configuration data sources. Then, using the supplied auditing engine, DCM compares desired settings with actual settings and reports configuration compliance.
DCM can help you to reduce unplanned service downtime, correlate configuration data, and reduce support costs. It provides you with an easy-to-use XML editing tool and guidance for defining hardware and software configuration items. DCM also provides detailed compliance reports to help detect and remediate configuration errors.
The Security Compliance Management Toolkit Series provides DCM Configuration Packs that provide security baselines for Windows Server 2008, Windows Server 2003, Windows Vista, Windows XP, and Microsoft Office 2007. The purpose of the toolkit series is to reduce the work required to manage DCM configuration baselines that maintain recommended security settings for different operating systems from Microsoft. For more information about how to baseline Microsoft products in your environment, see the guidance provided in each toolkit of the series.
Microsoft Desktop Optimization Pack for Software Assurance. The Microsoft Desktop Optimization Pack for Software Assurance is a subscription service that reduces application deployment costs, enables delivery of applications as services, and provides better management and control of enterprise desktop environments. The desktop optimization pack allows you to enhance change management processes and rollbacks through:
The Microsoft Desktop Optimization Pack is available only to customers with Software Assurance coverage on their desktops. For more information, see Optimizing the Windows Desktop.
Network security solutions constitute a broad solution category designed to address the security of all aspects of an organization's network, including firewalls, server computers, client computers, routers, switches, and access points. Planning for and monitoring the security of your organization's networks is a key element of achieving PCI DSS compliance. Although there are many solutions available to address network security, your organization should already have many of the elements of a secure network in place as a matter of course. It is likely more efficient and cost-effective to build from the network security solutions you have already implemented than to begin anew.
However, you might consider changing some technologies that your organization uses, or you might want to implement new solutions that you have not already included in your network security strategy. Microsoft offers several technology solutions and guidance materials for implementing network security solutions to help address the needs of your organization.
The Payment Card Industry Data Security Standard (PCI DSS) is explicit that you must establish secure networks throughout your organization to achieve compliance. Its first control objective, Build and Maintain a Secure Network, comprises Requirements 1 and 2. Requirement 1 states that organizations must install and maintain a firewall configuration to protect cardholder data. Requirement 2 states that organizations must not use vendor-supplied defaults for system passwords and other security parameters. Network security solutions also help your organization meet Requirements 4 and 10, which mandate that organizations encrypt transmission of cardholder data across open, public networks and that they track and monitor all access to network resources and cardholder data, respectively.
For the full text of these requirements, see Navigating PCI DSS – Understanding the Intent of the Requirements (PDF) on the PCI Security Standards Council's Web site.
Microsoft offers a number of technologies to address the first two PCI DSS requirements.
Windows Firewall. Windows Firewall is a built-in, host-based, stateful firewall that is included in Windows Vista, Windows Server 2008, Windows XP with SP2, Windows XP with SP3, Windows Server 2003 with SP1, and Windows Server 2003 with SP2. Windows Firewall drops incoming traffic that does not correspond to either traffic sent in response to a request from the computer (solicited traffic) or unsolicited traffic that has been explicitly allowed (excepted traffic). Windows Firewall therefore provides a level of protection from malicious users and programs that rely on unsolicited incoming traffic to attack computers. In Windows Vista and Windows Server 2008, Windows Firewall can also filter outgoing traffic; outbound connections are allowed by default, so outbound blocking must be configured deliberately.
Windows Firewall with Advanced Security allows you to block incoming and outgoing connections based on settings that you configure through a Microsoft Management Console (MMC) snap-in. The snap-in provides an interface for configuring Windows Firewall locally, on remote computers, and through Group Policy. Firewall functions are integrated with Internet Protocol security (IPsec) settings, which reduces the possibility of conflict between the two protection mechanisms. Windows Firewall with Advanced Security supports separate profiles for computers that are domain-joined or connected to a private or public network. It also supports rules for enforcing server and domain isolation policies. Rules can be scoped precisely by Active Directory users and groups, source and destination IP addresses, IP port number, ICMP settings, IPsec settings, interface type, service, and more.
Microsoft Forefront Internet Security and Acceleration Server. Microsoft Forefront™ Internet Security and Acceleration (ISA) Server can help you secure your network in several ways. For example, you can use it to allow users to remotely access your organization's applications over the Internet. To provide this access, you can configure ISA Server to pre-authenticate incoming user requests, inspect all traffic at the application layer (including encrypted traffic), and provide automated publishing tools. In addition, if your organization includes branch offices, ISA Server allows you to use HTTP compression, content caching, and virtual private network (VPN) capabilities to make expanding your network easy and secure. ISA Server can also help you protect your network from both internal and external Internet-based threats through its proxy-firewall architecture, content inspection capabilities, detailed policy settings, and comprehensive alerting and monitoring capabilities.
Server and Domain Isolation Using Internet Protocol security (IPsec) and Active Directory Group Policy. Server and domain isolation creates a layer of end-to-end protection that can greatly reduce the risk of costly malicious attacks and unauthorized access to your networked resources. Based on Windows IPsec and Active Directory Group Policy, this solution enables you to dynamically segment your Windows environment into more secure and isolated logical networks. There are different ways to create an isolated network, and this solution offers the flexibility to logically isolate an entire managed domain or create more secure virtual networks of specific servers, sensitive data, and clients, thus limiting access to only authenticated and authorized users, or requiring that specific servers or networks protect all data using encryption. By requiring data encryption for the traffic exchanged between specific network hosts or network subnets, you can satisfy business partner and regulatory requirements to encrypt data when it traverses a network.
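The host firewall and server-isolation settings described above, as an added example for a Windows Server 2008 database server in the cardholder data environment. This is not code from the guide: it uses the netsh advfirewall commands shipped with Windows Server 2008, and the subnets, addresses, ports and rule names are assumptions for illustration.

```powershell
# Added example (not from the guide): deny-by-default host firewall plus an IPsec
# server-isolation rule, run on a Windows Server 2008 host in the CDE.
# All addresses and names below are assumptions.
$AppTier  = '10.10.20.0/24'   # assumed: application servers that may query SQL Server
$JumpHost = '10.10.99.5'      # assumed: the only administrative workstation allowed RDP
$Infra    = '10.10.1.0/24'    # assumed: domain controllers, DNS and the WSUS server

# 1. Firewall on for every profile, block inbound AND outbound unless a rule allows it.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 2. Log dropped packets so the firewall log can feed the Requirement 10 log review
#    (default file: %systemroot%\system32\LogFiles\Firewall\pfirewall.log; 32767 KB is the maximum).
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging maxfilesize 32767

# 3. Inbound: only the service this role provides, only from the tier that needs it.
#    security=authenc additionally requires the connection to be IPsec-authenticated
#    and encrypted, which is what Requirement 4 asks for on the wire.
netsh advfirewall firewall add rule name=PCI-in-SQL-from-app-tier dir=in action=allow protocol=TCP localport=1433 remoteip=$AppTier profile=domain security=authenc
netsh advfirewall firewall add rule name=PCI-in-RDP-from-jump-host dir=in action=allow protocol=TCP localport=3389 remoteip=$JumpHost profile=domain

# 4. Outbound: blockoutbound also blocks the DNS, Kerberos, LDAP and WSUS traffic the host
#    needs to stay domain-joined and patched, so allow the infrastructure subnet explicitly.
netsh advfirewall firewall add rule name=PCI-out-to-infrastructure dir=out action=allow protocol=any remoteip=$Infra profile=domain

# 5. Connection security rule: all traffic with the application tier must be IPsec-
#    protected, both directions, using the computer's Kerberos (domain) identity.
#    This is the server-isolation pattern; the app tier needs the mirror-image rule.
netsh advfirewall consec add rule name=PCI-require-IPsec-app-tier endpoint1=any endpoint2=$AppTier action=requireinrequireout auth1=computerkerb

# 6. Evidence for the assessor: dump the resulting rule sets.
netsh advfirewall firewall show rule name=all
netsh advfirewall consec show rule name=all
```

Roll this out first with action=requestinrequestout on the connection security rule so that hosts that are not yet IPsec-capable keep working while you verify the security associations; only switch to requireinrequireout once every peer in the application tier has the matching rule, otherwise the database becomes unreachable. In a domain, deliver the same rules through a Windows Firewall with Advanced Security Group Policy object rather than by script so that every server in the organizational unit gets an identical configuration.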
Windows Server 2003 and Windows Server 2008 Security Configuration Wizard. The Security Configuration Wizard (SCW) can help you secure your network by reducing the attack surface on servers running Windows Server 2003 with SP1 or later, or Windows Server 2008. The wizard determines the minimum functionality required for a server's roles and disables functionality that is not required. Specifically, the Security Configuration Wizard performs the following tasks:
The Security Configuration Wizard guides IT professionals through creating, editing, applying, or rolling back a security policy based on the selected roles of the server. The security policies that SCW creates are XML files that, when applied, configure services, network security, specific registry values, audit policy, and IIS, if applicable.
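The analyze, apply and roll-back steps above can be scripted with scwcmd.exe, which ships with SCW. The following is an added example, not code from the guide; the policy file, server names and evidence folder are assumptions.

```powershell
# Added example (not from the guide): applying one SCW policy to several servers with
# scwcmd.exe and keeping the analysis output as compliance evidence.
# Policy path, server names and output folder are assumptions.
$Policy  = 'C:\PCI\Policies\CDE-WebServer.xml'   # assumed: authored with the SCW GUI on a reference server
$Servers = 'web01', 'web02'                       # assumed
$Out     = 'C:\PCI\Evidence\SCW'                  # assumed

# Analyze first: reports where each server deviates from the policy without changing it.
# One <servername>.xml result file is written per server into $Out.
foreach ($s in $Servers) {
    scwcmd analyze /m:$s /p:$Policy /o:$Out
}

# Render one result with the stylesheet SCW installs, for a readable report.
scwcmd view /x:"$Out\web01.xml" /s:"$env:SystemRoot\security\msscw\TransformFiles\scwanalysis.xsl"

# Apply the policy once the reported deviations have been reviewed.
foreach ($s in $Servers) {
    scwcmd configure /m:$s /p:$Policy
}

# If a required service turns out to be disabled, undo the last configure on that server:
#   scwcmd rollback /m:web01
# To enforce the same policy through Group Policy instead of per-server runs:
#   scwcmd transform /p:$Policy /g:"PCI CDE Web Server Baseline"
```

Keep the analyze output from each run: a dated set of per-server XML results is exactly the kind of evidence that shows configuration standards (Requirement 2.2) are applied and re-verified over time.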
For more information, see Security Configuration Wizard for Windows Server 2003. For information about enhancements to the Security Configuration Wizard in Windows Server 2008, download the wizard from Windows Server 2008 Security Configuration Wizard and SC Configuration Manager 2007 Service Pack 1.
Remote Desktop Connection Using Server Authentication. Remote Desktop Connections are a powerful way to allow users to access shared client computers and servers. This technology can be a cost-effective way to create shared development and testing computers. In addition, you can use these computers as central access points for many types of projects and allow users from outside your network to access them, thereby isolating the risks they pose to network security. Also, the Remote Desktop Connection 6.0 client update enables IT professionals to configure server authentication. With server authentication, you can prevent users from connecting to a different computer or server than they intended, which could potentially expose confidential information. Microsoft introduced this feature in Windows Vista and in Windows Server 2008. Computers running Windows Server 2003 with SP1 or Windows XP with SP2 can use the Remote Desktop Connection 6.0 client. The client can connect to legacy terminal servers or remote desktops as before, but server authentication only occurs when the remote computer is running Windows Vista or Windows Server 2008.
Wi-Fi Protected Access 2. If your organization uses a wireless network, consider upgrading to wireless routers, access points, and other devices that support the Wi-Fi Protected Access 2 (WPA2) product certification. WPA2 is a product certification available through the Wi-Fi Alliance that certifies wireless equipment as compatible with the IEEE 802.11i standard. The goal of WPA2 certification is to support the additional mandatory security features of the IEEE 802.11i standard that products certified only for WPA do not have to include. In particular, WPA2 requires support for AES-CCMP encryption; TKIP, the encryption that WPA was built on, is retained only for backward compatibility with older WPA clients.
Network Access Protection. Network Access Protection (NAP) is a platform for Windows Server 2008 and Windows Vista. It provides policy enforcement components that help ensure that computers connecting to a network or communicating on a network meet administrator-defined requirements for system health. Your organization can use a combination of policy validation and network access limitation components to control network access or communication. You can also choose to confine computers that do not meet the health requirements to a restricted network until they are remediated. Depending on the configuration you choose, the restricted network might contain the resources required to update those computers so that they can meet the health requirements for network access and normal communication. NAP includes an application programming interface (API) set for developers and vendors to create complete solutions for health policy validation, network access limitation, and ongoing health compliance. NAP provides limited access enforcement components for IPsec, IEEE 802.1X authenticated network connections, VPNs, and DHCP. You can use these technologies together or separately. With these capabilities, NAP can be a powerful tool to help you ensure the health and security of your network.
Microsoft Hyper-V Server 2008. Microsoft Hyper-V Server 2008 provides a simplified, reliable, and optimized virtualization solution, enabling improved server utilization and reduced costs. Because Hyper-V Server is a dedicated stand-alone product that contains only the Windows hypervisor, the Windows Server driver model, and the virtualization components, it has a small footprint and minimal overhead. Hyper-V Server plugs into customers' existing IT environments, enabling them to take advantage of their existing patching, provisioning, management, support tools, processes, and skills. Hyper-V Server allows your organization to run multiple operating systems on one computer, which can help you meet PCI DSS requirement 2.2.1, which mandates that your organization implement only one primary function per server. For example, you can use Hyper-V Server to deploy a virtual Web server, a virtual database server, and a virtual file server on the same computer. Note that the Hyper-V host is itself a system component in the cardholder data environment and must be hardened, patched, and monitored like any other server. Microsoft Hyper-V Server 2008 is available as a free download from Microsoft.
Host control solutions manage the operating systems on servers and workstations. They apply security best practices at every level of the operating system on each host, keep each host current with the latest updates and hotfixes, and use secure methods for daily operations.
Host control solutions can help you address PCI DSS requirements by keeping operating systems current and securely configured. Specifically, host control can help you comply with PCI DSS requirements 6 and 11.
For the full text of each of these requirements, see the Navigating PCI DSS – Understanding the Intent of the Requirements (PDF) on the PCI Security Standards Council's Web site.
Microsoft offers a number of technologies that you can use together and independently to create host control solutions. As with other technology solutions, design these solutions to meet PCI DSS requirements, as well as any other regulatory requirements that are applicable to your organization.
Microsoft Security Assessment Tool (MSAT). A free tool that enables organizations to assess weaknesses in a working IT environment. MSAT produces a prioritized list of issues and specific guidance to minimize those risks. MSAT is an easy, cost-effective way to start strengthening the security of your computing environment and your business. Start the process by taking a snapshot of your current security state, and then use MSAT to reassess your infrastructure's ability to respond to security threats over time. MSAT consists of over 200 questions covering infrastructure, applications, operations, and people.
Microsoft Baseline Security Analyzer (MBSA). One of the primary tools you can use to assess risk to cardholder data in your organization is the MBSA tool. This easy-to-use tool identifies common security misconfigurations in a number of Microsoft products, including the Windows operating system, Internet Information Services, SQL Server, Internet Explorer, and Microsoft Office. The MBSA tool also scans for missing security updates, update rollups, and service packs published to Microsoft Update. You can run the MBSA tool from the command prompt or from a GUI, and you can use it with Microsoft Update and Windows Server Update Services. Because keeping your systems updated is a very important way to make cardholder data as secure as possible, the MBSA tool can be an invaluable tool in assessing data risk in your organization.
Microsoft Windows Server Update Services. Microsoft Windows Server Update Services (WSUS) with SP1 enables your organization to deploy many of the latest Microsoft product updates published to the Microsoft Update site. WSUS is an update component of Windows Server that offers an effective and quick way to help keep systems updated. WSUS provides a management infrastructure that consists of the following components:
Microsoft Update. The Microsoft Web site that WSUS components connect to for Microsoft product updates.
Windows Server Update Services server. The server component that installs on computers inside the organization's firewall that are running Microsoft Windows 2000 Server SP4 or Windows Server 2003. The WSUS server provides the management features administrators need to approve and distribute updates, through a Web-based console that they can access from Internet Explorer on any Windows computer in the organization's network. In addition, a WSUS server can be the update source for other WSUS servers.
Automatic Updates. The client computer component built into Windows Vista, Windows Server 2003, Windows XP, and Windows 2000 SP3. With Automatic Updates, both server and client computers can receive updates from Microsoft Update or from a server running WSUS.
These services help you to keep all host environments on your network updated with the latest security fixes from Microsoft for the products installed on a specific host.
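The MBSA scan described above, run against the hosts that WSUS keeps updated, as an added example that is not code from the guide. It uses the command-line front end mbsacli.exe that ships with MBSA 2.x; the domain name, install path and report template are assumptions.

```powershell
# Added example (not from the guide): a scheduled MBSA scan of every computer in the
# cardholder data environment, for the Requirement 6.1 patch-status review.
# The domain name 'CDE', the install path and the report template are assumptions.
$Mbsa = Join-Path $env:ProgramFiles 'Microsoft Baseline Security Analyzer 2\mbsacli.exe'

# Scan the whole domain. All check groups (OS, IIS, SQL, password, updates) run by default;
# /n <list> would EXCLUDE groups, so it is deliberately not used here.
#   /d   - scan every computer in the named domain
#   /wi  - report missing updates even if they are not yet approved on the WSUS server
#          (use /wa instead to see only updates already approved in WSUS)
#   /nvc - do not contact Microsoft to check for a newer MBSA build
#   /o   - report file-name template: %D% = domain, %C% = computer, %T% = timestamp
& $Mbsa /d CDE /wi /nvc /o '%D%-%C%-%T%'

# Reports are stored as XML under the scanning user's SecurityScans folder;
# list them so the set can be copied into the assessment evidence.
& $Mbsa /l
```

Running with /wi rather than /wa is the important choice for PCI DSS: a host can be fully current against what you have approved in WSUS and still be missing a critical update that nobody has approved yet, and Requirement 6.1 measures against the vendor's release, not against your approval queue.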
Microsoft System Center Configuration Manager. If your organization uses System Center Configuration Manager 2007 to manage client computers and servers, you might already have some of the tools you need to perform risk assessment for cardholder data. With Configuration Manager 2007, your organization can remotely manage security settings on computers running Windows operating systems over distributed networks. You can inventory computers on your network, determine whether they have installed required software updates, and track the progress of update rollouts to those computers. Configuration Manager also enables you to generate reports that identify your hardware and software inventory, the configuration details and status of the computers on your network, and the status of software deployments and deployment errors. These Configuration Manager features can be very important in assessing risk to cardholder data within your organization.
Security Compliance Management Toolkit Series. The toolkit series offers DCM Configuration Packs that provide security baselines for Windows Server 2008, Windows Server 2003, Windows Vista, Windows XP, and Microsoft Office 2007. The purpose of the toolkit series is to reduce the work required to manage DCM configuration baselines that maintain recommended security settings for different operating systems from Microsoft.
Microsoft Desktop Optimization Pack for Software Assurance. The Microsoft Desktop Optimization Pack for Software Assurance is a subscription service that reduces application deployment costs, enables delivery of applications as services, and provides better management and control of enterprise desktop environments. The desktop optimization pack is an effective host control solution that enables you to achieve the following:
The Microsoft Desktop Optimization Pack is available only to customers with Software Assurance coverage on their desktops. For more information, see Optimizing the Windows Desktop. For links to specific host security guidelines and procedures for many Microsoft products, see the Learning Resources for Solution Accelerators page on TechNet.
Malicious software prevention solutions are key elements in keeping cardholder data secure across your network. By preventing spam and keeping systems on the network free of viruses and spyware, these solutions can help ensure that systems across your network are working at their peak and that sensitive data is not transmitted unintentionally to unauthorized parties.
The malicious software prevention solutions that you choose can help your organization meet PCI DSS requirements 5 and 6.
For the full text of each of these requirements, see Navigating PCI DSS – Understanding the Intent of the Requirements (PDF) on the PCI Security Standards Council's Web site.
Microsoft offers a number of technologies that you can use together and independently for malicious software prevention. Consider these technologies in the context of your larger PCI DSS compliance efforts, as well as any broader regulatory requirements for your organization.
Microsoft Forefront. Forefront is a suite of security products that provide protection for client operating systems, application servers, and the network edge. You can use Forefront with your existing IT infrastructure to protect your servers and client computers from malware and other malicious attacks that originate inside or outside of your organization.
In particular, Forefront Client Security provides protection from malicious software for clients across an organization. There are two parts to the Forefront Client Security solution. One part is the Security Agent, installed on business desktop, laptop, and server operating systems, which provides real-time protection and scheduled scanning for threats such as spyware, viruses, and rootkits. The other part is the central management server, which enables administrators to manage and update preconfigured or customized malware protection agents, and to generate reports and alerts about the security status of their environment.
The Microsoft Windows Malicious Software Removal Tool checks computers running Windows Vista, Windows XP, Windows 2000, and Windows Server 2003 for infections by specific, prevalent malicious software—including Blaster, Sasser, and Mydoom—and helps remove any infection found. When the detection and removal process is complete, the tool displays a report describing the outcome, including which, if any, malicious software was detected and removed. Microsoft releases an updated version of this tool on the second Tuesday of each month, and as needed to respond to security incidents. The tool is available from Microsoft Update, Windows Update and the Microsoft Download Center.
Note Windows Defender and the Malicious Software Removal Tool can also help you discover whether a malicious program uses a rootkit. Rootkits are mechanisms that malicious software creators use to hide their presence from spyware blockers as well as antivirus and system management utilities.
Third-Party Filters with Microsoft Forefront ISA Server. In addition to providing network security solutions, ISA Server can help protect your organization from malware attacks. You can do this by using custom or third-party filters that remove malware before it reaches your corporate network.
To address PCI DSS requirements, Microsoft recommends that you consider application security on two fronts. First, require that any new applications created by developers within your organization comply with secure development practices. Second, ensure that you follow the security guidelines supplied with any software applications that you purchase from Microsoft or any third-party supplier.
Developing and maintaining secure applications, whether they are Web or Windows–based, is an important step in your PCI DSS compliance efforts. In particular, these technology solutions allow you to meet requirement 6.
For the full text of this requirement, see Navigating PCI DSS – Understanding the Intent of the Requirements (PDF) on the PCI Security Standards Council's Web site.
Microsoft offers specific guidance and tools for developing secure applications. It also offers the following specific guidelines for using its primary server products securely:
Microsoft Visual Studio® 2008. Visual Studio supplies a number of tools that enable developers to check their code for security violations as they develop it, including the following:
The Microsoft Security Development Lifecycle recommends tools such as FxCop (static analysis of managed code), PREfast (static analysis of C and C++ source) and the /GS C++ compiler option (run-time detection of stack buffer overruns) so that known classes of security defects are caught before the code ships.
Microsoft Intelligent Application Gateway (IAG) 2007. A part of Microsoft Forefront Network Edge Security, IAG provides a Secure Sockets Layer (SSL) VPN, a Web application firewall, and endpoint security management that enable access control, authorization, and content inspection for a wide variety of line-of-business applications. Together these technologies provide mobile and remote workers with flexible, secure access from a broad range of devices and locations, including kiosks, desktop computers, and mobile devices. IAG also enables IT administrators to enforce compliance with application and information usage guidelines through a customized remote access policy based on device, user, application, or other business criteria. Key benefits include:
Microsoft offers the following guidelines to help ensure the security of your applications:
Security Development Lifecycle. Organizations that develop custom software solutions to handle cardholder data should consider implementing the Microsoft Security Development Lifecycle (SDL). The SDL introduces security and privacy early and throughout the development process. Combining a holistic and practical approach, the SDL is risk-based with the goal of protecting users by reducing the number and severity of vulnerabilities in code. The SDL starts with planning for secure applications, ensures the use of secure coding techniques, and includes testing and deploying applications securely after development is complete.
Microsoft Operations Framework (MOF) 4.0. MOF delivers practical guidance for everyday IT practices and activities, helping users establish and implement reliable, cost-effective IT services. It encompasses the entire IT life cycle through a defined management layer, phases, and service management functions.
Follow Product Security Guidelines. Microsoft offers security guidelines for a number of its software products. Of particular interest to large and medium-sized organizations are security guidelines for Exchange Server, Systems Management Server, and SQL Server.
To address PCI DSS requirements, you must ensure that the messaging and collaboration software your organization uses is configured and set up securely. Because messaging and collaboration applications have become essential tools in the payment card industry, it is vital to do all you can to ensure that any documents or e-mail messages that might contain cardholder data are secure.
Common methods to help prevent messaging security breaches include messaging gateways, secure messaging servers, and messaging content filtration. Both messaging gateways and messaging content filtration route messages to a specialized software application, which can use a variety of methods to isolate specific word strings, number strings, word patterns, or other items, depending on how the solution was designed. Messages that contain these key words or strings can then be placed in quarantine until the suspect information they contain is checked, or the solution can simply delete and purge the messages. These methods can help you secure cardholder data when it is sent through an e-mail message or document in a collaboration environment. All of these techniques and solutions can help you address PCI DSS requirement 4.
For the full text of this requirement, see Navigating PCI DSS – Understanding the Intent of the Requirements (PDF) on the PCI Security Standards Council's Web site.
Microsoft provides a number of solutions that can help you secure messaging and collaboration software. Deploy each in a planned way so that as few security gaps as possible remain after you have finished. Each solution addresses different organizational needs:
Microsoft Exchange Server. As with document management, Exchange can help you define powerful solutions for your organization's messaging needs while keeping any cardholder data in e-mail messages secure. Exchange Server 2007 includes unified messaging, which consolidates incoming e-mail, voice mail, and faxes into a single inbox. It also offers features that enable your organization to apply retention rules, scan and act on messages in transport, flexibly journal, and perform rich text searches across all deployed mailboxes.
Microsoft Forefront Security for Exchange Server. Microsoft Forefront Security for Exchange Server helps protect your e-mail infrastructure from infection and downtime through an approach that emphasizes layered defenses, optimization of Exchange Server performance and availability, and simplified management control.
Comprehensive Protection. Microsoft Forefront Security for Exchange Server includes multiple scan engines from industry-leading security firms integrated in a single solution to help businesses protect their Exchange messaging environments from viruses, worms, and spam.
Optimized Performance. Through deep integration with Exchange Server, scanning innovations and performance controls, Forefront Security for Exchange Server helps protect messaging environments while maintaining uptime and optimizing server performance.
Simplified Management. Forefront Security for Exchange Server also enables administrators to easily manage configuration and operation, automated scan engine signature updates, and reporting at the server and enterprise level.
Microsoft Exchange Hosted Services. Microsoft Exchange Hosted Services for messaging security and management is composed of four distinct services that help organizations protect themselves from e-mail-borne malware, satisfy retention requirements for compliance, encrypt data to preserve confidentiality, and preserve access to e-mail during and after emergency situations. The services are deployed over the Internet using a Software as a Service model that helps minimize additional capital investment, free up IT resources to focus on other value-producing initiatives, and mitigate messaging risks before they reach the organization's firewall.
Microsoft Office Information Rights Management (IRM). Office is the premier suite of productivity applications for organizations. The IRM feature of Microsoft Office can help your organization control access to sensitive information such as cardholder data. Specifically, the Office IRM feature helps your organization accomplish the following:
Microsoft Windows SharePoint Services Information Rights Management (IRM). As with your document management solutions, SharePoint Services IRM can help you make your collaboration solutions address PCI DSS requirements. This technology allows you to create a persistent set of access controls that are attached to the content rather than a specific network location, which helps you control access to files even after they leave your direct control. IRM is available for files that are located in document libraries and stored as attachments to list items. Site administrators can elect to protect downloads in a document library with IRM. When a user attempts to download a file from the library, Windows SharePoint Services verifies that the user has permissions to the file, and then issues a license to the user that enables access to the file at the appropriate permissions level. Windows SharePoint Services then downloads the file to the user's computer in an encrypted, rights-managed file format.
Office IRM is built on the Microsoft Windows Rights Management Services platform. To enable this feature in Office, you must purchase RMS server licenses.
Data classification and protection solutions are central elements in efforts to successfully address PCI DSS requirements and keep cardholder data secure. These solutions deal with how to apply security classification levels to cardholder data either on a system or in transmission. This solution category also deals with data protection in terms of providing confidentiality and integrity to data that is either in storage or in transmission. Cryptographic solutions are the most common method that organizations use to provide data protection.
Data classification and protection solutions help you meet PCI DSS requirements by securing cardholder data when it is stored in a database, transmitted from one server to another, or transmitted into your network when a cardholder makes a purchase. Using these solutions helps you address PCI DSS requirements 3, 4 and 7.
For the full text of each of these requirements, see Navigating PCI DSS – Understanding the Intent of the Requirements (PDF) on the PCI Security Standards Council's Web site.
Microsoft offers a number of technologies that can help you classify and protect cardholder data, whether it is transmitted over your network, stored in a document on an employee's computer, or stored to a database. These technologies include the following:
BitLocker™ Drive Encryption. BitLocker Drive Encryption helps you protect cardholder data by providing drive encryption and integrity checking of early-boot components. Drive encryption protects data by preventing unauthorized users from bypassing Windows file and system protection on lost or stolen computers. This protection is achieved by encrypting the entire Windows volume: all user and system files are encrypted, including the paging and hibernation files. Integrity checking of the early-boot components helps to ensure that the volume is decrypted only if those components appear untampered and the encrypted drive is located in the original computer. BitLocker is available in Windows Vista Enterprise and Ultimate and in Windows Server 2008.
Windows Encrypting File System (EFS). EFS provides the core file encryption technology used to store encrypted files on NTFS file system volumes. After you encrypt a file or folder, you work with the encrypted file or folder just as you do with any other files and folders.
Encryption is transparent to the user that encrypted the file, which means that they do not have to manually decrypt an encrypted file before they can use it. Users can open and change the file as they typically do.
Using EFS is similar to using permissions on files and folders: you can use both methods to restrict access to data. The difference is what each protects against. Permissions are enforced by the running operating system, so they do not protect against an intruder who boots another operating system or removes the disk. An intruder who gains unauthorized physical access to encrypted files or folders is still prevented from reading them, provided the user's private key is not also exposed; an intruder who tries to open or copy an encrypted file or folder receives an access-denied message.
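The EFS steps above, with the key-management caveat a practitioner would add, as an added example that is not code from the guide. It uses the cipher.exe command shipped with Windows; the folder, key and file names are assumptions.

```powershell
# Added example (not from the guide): protecting a folder of cardholder-data exports
# with EFS using cipher.exe. Folder, key and file names are assumptions.
$Folder = 'D:\CardholderExports'   # assumed: on an NTFS volume

# 1. Create a data recovery agent certificate and private key FIRST. cipher prompts for a
#    password for the .pfx. Store the .pfx offline under dual control and add the .cer to
#    the domain's EFS recovery policy; without a recovery agent, a lost user key means
#    lost cardholder data (Requirement 3.6 key management).
cipher /r:C:\PCI\Keys\efs-recovery-agent

# 2. Encrypt the folder and everything under it. New files created in the folder inherit
#    encryption, so exports written here later are protected without further action.
cipher /e /s:$Folder

# 3. Files encrypted in place leave their plaintext in free space until overwritten;
#    wipe the volume's free space so an offline disk image does not recover it.
cipher /w:D:\

# 4. Audit: /u /n enumerates every encrypted file without touching keys (evidence that
#    the folder really is encrypted); /c shows which users and recovery agents can open one.
cipher /u /n
cipher /c "$Folder\batch-2008-10.csv"
```

Two limits worth checking in your environment: EFS protection ends the moment a file is copied to a non-NTFS volume (for example a FAT-formatted USB stick) or to a file server that is not configured for EFS, because the copy is written in plaintext; and EFS keys are protected by the user's Windows credentials, so the folder is only as strong as the password policy and the protection of the user's profile.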
Microsoft Windows Rights Management Services. Microsoft Windows Rights Management Services (RMS) is a software platform that helps applications safeguard cardholder data from unauthorized use—both online and offline, inside and outside of the firewall.
RMS augments an organization's security strategy by protecting information through persistent usage policies, which remain with the information no matter where it goes. RMS–enabled applications can be used to manage, control, and audit access to documents that contain cardholder information. The RMS client is included in Windows Vista; for other Windows versions it is available as a free download.
Microsoft SQL Server® 2008 Encryption and Key Management. When you store cardholder data in SQL Server, you can implement one of three built-in capabilities in SQL Server 2008 to protect cardholder data:
SQL Server 2008 Extensible Key Management (EKM) offers split encryption key ownership. EKM provides a robust key management solution that ensures you can encrypt all data using TDE. EKM reduces issues with managing a potentially complex key management solution in SQL Server. For more information, see the Microsoft SQL Server 2008 Web site, or Deploying SQL Server 2008 Based on Payment Card Industry Data Security Standards (PCI DSS) (PDF) by Parente Randolph.
Identity management is another important element in achieving PCI DSS compliance. Identity management solutions allow you to limit the personnel who can access, process, and transmit cardholder data. Your organization can use these identity management solutions to help manage digital identities and permissions for your employees, clients, and partners.
Using identity management solutions can allow you to address PCI DSS requirement 8 by helping you create and assign a unique ID to each person in your organization who has access to a computer. These solutions can also help you restrict access to cardholder data based on that unique ID, the principle of PCI DSS requirement 7.
For the full text of this requirement, see Navigating PCI DSS – Understanding the Intent of the Requirements (PDF) on the PCI Security Standards Council's Web site.
Microsoft provides the following technologies to help you address your organization's identity management requirements:
Active Directory Domain Services. Active Directory Domain Services (AD DS) supports a number of techniques to help you control the personnel who can access cardholder data on your network and outside of it. AD DS supports Kerberos authentication, one of the default Windows Authentication techniques. Kerberos provides secure user authentication with an industry standard that permits interoperability. The AD DS domain controller maintains user account and login information to support the Kerberos service. In addition, AD DS supports smart card authentication. You can require remote users or administrators of systems that contain cardholder data to use a smart card and PIN to access your network. AD DS also supports credential roaming, a service that enables users who have to use multiple computers to use the same credentials on each of those computers. And AD DS allows your organization to customize the credential providers that it uses to authenticate users. These features can help you precisely control how you allow AD DS accounts to access cardholder data, and which accounts you provide with access to that data.
Microsoft Active Directory Federation Services. With Active Directory Federation Services (ADFS), you can create identity management solutions that extend beyond the traditional boundaries of your Active Directory forest. By employing ADFS, your organization can extend its existing AD DS infrastructure to provide access to resources that are offered by trusted partners across the Internet. These trusted partners can include external third parties or other departments or subsidiaries in the same organization.
ADFS is tightly integrated with AD DS. ADFS retrieves user attributes from AD DS and it authenticates users by using AD DS. ADFS also uses Windows Integrated Authentication. ADFS is available in Windows Server 2003 R2 and Windows Server 2008.
Microsoft Identity Lifecycle Manager. Microsoft Identity Lifecycle Manager (ILM) simplifies the process of matching and managing identity records from disparate data repositories and helps prevent anomalies, such as active records for employees who have left the organization. ILM provides your organization with a policy framework to control and track the identity and access data that helps manage compliance. It also includes self-help tools for users, enabling your IT department to improve efficiency by securely delegating many tasks to users. Another key feature of ILM is that it includes a Windows–based certificate management solution that integrates with the Windows Server 2008 operating system and Active Directory to provide a turnkey solution for managing the end-to-end life cycle of smart cards and digital certificates for the Windows Server 2008 Certification Authority.
ILM enables your organization to accomplish the following:
Microsoft SQL Server 2008. You can use SQL Server in conjunction with other technologies to create identity management solutions. For example, you can use SQL Server 2008 extensible key management (EKM) and transparent data encryption (TDE) to store username and password information and to map certificates to user accounts and other solutions. You can use SQL Server in concert with Microsoft ILM, Active Directory Domain Services, Group Policy, and ACLs to restrict users' access to cardholder data stored in another database, in documents, or in directories. For more information, see the Microsoft SQL Server 2008 Web site or Deploying SQL Server 2008 Based on Payment Card Industry Data Security Standards (PCI DSS) (PDF) by Parente Randolph.
Public Key Infrastructure. A public key infrastructure (PKI) is a system of digital certificates, certification authorities (CAs), and other registration authorities that verify and authenticate the validity of each party involved in an electronic transaction through the use of public key cryptography. This infrastructure can allow you to secure and exchange cardholder data with strong security across the Internet, extranets, intranets, and applications.
Authentication is the process of identifying users. In IT environments, authentication usually involves usernames and passwords, but it can also include other methods of demonstrating identity, such as smart cards, retina scans, voice recognition, or fingerprints. Authorization focuses on determining whether the authenticated identity is allowed to access requested resources. You can choose to grant or deny access based on many criteria, such as the network address of the client, the time of day, or the user's browser.
When planning your authentication, authorization, and access control strategy, Microsoft also recommends that you develop a strategy for granting user account permissions to all resources across your network. For more information, see Applying the Principle of Least Privilege to User Accounts on Windows XP, Inside Windows Vista User Account Control, and Configuring Applications for Least Privilege on Microsoft TechNet.
Authentication, authorization, and access control are key portions of your cardholder data security strategy, particularly in combination with data classification and protection, and identity management solutions. In this context, authentication, authorization and access control solutions can help your organization meet PCI DSS requirements 6, 7, and 8.
For the full text of each of these requirements, see Navigating PCI DSS – Understanding the Intent of the Requirements (PDF) on the PCI Security Standards Council's Web site.
Microsoft offers several technologies to help you create and integrate authentication, authorization, and access control strategies into your PCI DSS compliance solution:
Active Directory Domain Services. Much of Active Directory Domain Services (AD DS) in Windows 2000 Server, Windows Server 2003, and Windows Server 2008 focuses on authentication, authorization, and access control. For example, AD DS supports Kerberos authentication, one of the default Windows Authentication techniques. Kerberos provides secure user authentication with an industry standard that permits interoperability. The AD DS domain controller maintains user account and login information to support the Kerberos service. AD DS also supports smart card authentication. You can require remote users or administrators of systems containing cardholder data to use a smart card and PIN to access your network. AD DS supports credential roaming, a service which enables users who have to use multiple computers to use the same credentials on each of those computers. With AD DS, your organization can also customize the credential providers that it uses to authenticate users. AD DS also allows you to delegate administrative tasks. These features can help you precisely control how you allow AD DS accounts to access cardholder data, and to which accounts you provide access to that data.
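Both AD DS descriptions above mention requiring a smart card and PIN for administrators and remote users of systems that hold cardholder data. The script below is an added example, not from the guide, of how an administrator would find privileged accounts that can still log on with a password alone and then set the AD DS `SmartcardLogonRequired` flag on them. It assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 and later); the group names are the built-in ones and the account list you pass to the second function is your own.

```powershell
# Added example (not from the guide): audit and enforce smart card logon for privileged accounts.
# Assumes the ActiveDirectory module from RSAT.
Import-Module ActiveDirectory

function Get-PrivilegedAccountsWithoutSmartCard {
    param([string[]]$Groups = @('Domain Admins', 'Enterprise Admins'))
    foreach ($g in $Groups) {
        # -Recursive expands nested groups so indirectly privileged users are included.
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser -Properties SmartcardLogonRequired, Enabled |
            Where-Object { $_.Enabled -and -not $_.SmartcardLogonRequired } |
            Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, DistinguishedName
    }
}

function Set-SmartCardRequired {
    param([Parameter(Mandatory)][string[]]$SamAccountName)
    foreach ($sam in $SamAccountName) {
        # With this flag set, password logon is rejected; a card and PIN become mandatory.
        Set-ADUser -Identity $sam -SmartcardLogonRequired $true
    }
}

# Usage: review the gap list first, then enforce on the reviewed accounts.
$gaps = Get-PrivilegedAccountsWithoutSmartCard
$gaps | Format-Table -AutoSize
# Set-SmartCardRequired -SamAccountName $gaps.SamAccountName
```

Setting the flag also causes the domain controller to randomize the account's password hash, so any service or scheduled task that still authenticates with that account's password will stop working; check for such dependencies before enforcing.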
Windows CardSpace. The Internet continues to be increasingly valuable, and yet also faces significant challenges. Online identity theft, fraud, and privacy concerns are rising. Users must track a growing number of accounts and passwords. This burden results in "password fatigue," which leads to nonsecure practices, such as reusing the same account names and passwords at many sites. Many of these problems are rooted in the lack of a widely adopted identity solution for the Internet.
CardSpace is the Microsoft implementation of an Identity Metasystem that enables users to choose from a portfolio of identities that belong to them, and then use them in contexts where they are accepted, independent of the underlying identity systems where the identities originate and are used.
Microsoft Internet Authentication Service. Internet Authentication Service (IAS) is the Microsoft implementation of a Remote Authentication Dial-in User Service (RADIUS) server and proxy. As a RADIUS server, IAS performs centralized connection authentication, authorization, and accounting for many types of network access, including wireless and VPN connections. As a RADIUS proxy, IAS forwards authentication and accounting messages to other RADIUS servers. By doing this, IAS performs authentication steps for remote connections before they reach your organization's network. With the credentials that users supplied to connect remotely, you can authorize them to access only those resources on your network that they need to accomplish their work.
Using Access Control Lists to Grant Resource Permissions. An access control list (ACL) is a mechanism used by operating systems since Microsoft Windows NT to protect resources such as files and folders. ACLs contain multiple access control entries (ACEs) that associate a principal (usually a user account or group of accounts) with a rule that governs the use of the resource. ACLs and ACEs let your organization allow or deny rights to resources based on permissions that you can associate with user accounts. For example, you can create an ACE and apply it to the ACL of a file to bar anyone but an administrator from reading the file. You must use this technology within your larger identity management solution, but it remains a good way to restrict access to cardholder data to only those individuals with a business need.
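The paragraph above describes adding an ACE to a file's ACL so that only administrators can read it. The script below is an added example, not code from the guide, that generalizes this to a cardholder-data folder: it stops inheritance from the parent (which is how broad "Users" permissions usually arrive), then grants only Administrators, SYSTEM, and a named data-access group. An explicit allow list is used rather than Deny entries because it leaves nothing for a later inherited Allow to reopen. The path `D:\CardholderData` and the group `CONTOSO\CHD-Processors` are placeholders.

```powershell
# Added example (not from the guide): replace inherited permissions on a cardholder-data
# folder with an explicit allow list. Path and group name are placeholders.

function Protect-CardholderFolder {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$DataGroup   # e.g. 'CONTOSO\CHD-Processors'
    )
    $acl = Get-Acl -Path $Path
    # $true = stop inheriting from the parent; $false = discard the inherited ACEs.
    $acl.SetAccessRuleProtection($true, $false)

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None

    $rules = @(
        New-Object System.Security.AccessControl.FileSystemAccessRule(
            'BUILTIN\Administrators', 'FullControl', $inherit, $prop, 'Allow'),
        New-Object System.Security.AccessControl.FileSystemAccessRule(
            'NT AUTHORITY\SYSTEM', 'FullControl', $inherit, $prop, 'Allow'),
        # Modify (not FullControl) keeps the data group from changing permissions or ownership.
        New-Object System.Security.AccessControl.FileSystemAccessRule(
            $DataGroup, 'Modify', $inherit, $prop, 'Allow')
    )
    foreach ($r in $rules) { $acl.AddAccessRule($r) }
    Set-Acl -Path $Path -AclObject $acl
}

function Get-FolderAccess {
    param([Parameter(Mandatory)][string]$Path)
    # Anything with IsInherited = True after Protect-CardholderFolder means the change failed.
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

# Usage: harden the folder, then show the resulting DACL.
Protect-CardholderFolder -Path 'D:\CardholderData' -DataGroup 'CONTOSO\CHD-Processors'
Get-FolderAccess -Path 'D:\CardholderData' | Format-Table -AutoSize
```

Run it as an administrator; `Set-Acl` needs ownership or `ChangePermissions` on the folder. Existing subfolders keep any explicit ACEs of their own, so run `Get-FolderAccess` on them as well.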
Windows Firewall in Windows Vista and Windows Server 2008. As previously discussed, Windows Firewall in Windows Vista and Windows Server 2008 can help you protect your systems and networks from malicious attacks. It can also help you control which users, computers, and groups can access resources on a computer or domain. When you use Windows Firewall with Advanced Security, you can create rules that filter connections by an AD DS user, computer, or group. To create these types of rules, you must secure the connection with IPsec using credentials that carry AD DS account information, such as the Kerberos version 5 protocol.
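The two-step dependency described above, an IPsec connection security rule that authenticates the user with Kerberos and a firewall rule that then filters on the user's AD DS group, is shown below as an added example that is not from the guide. It uses `netsh advfirewall`, the command-line interface to Windows Firewall with Advanced Security on Vista and Server 2008, called from PowerShell. The group `CONTOSO\CHD-Processors` and the SQL Server port 1433 are placeholders for a server that holds cardholder data.

```powershell
# Added example (not from the guide): allow a port only to IPsec-authenticated connections
# from members of one AD DS group. Uses netsh advfirewall; group and port are placeholders.

function Enable-UserScopedFirewallRule {
    param(
        [Parameter(Mandatory)][string]$Group,   # e.g. 'CONTOSO\CHD-Processors'
        [int]$Port = 1433
    )
    # rmtusrgrp takes an SDDL string keyed on the group SID, not a group name.
    $sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
    $sddl = "D:(A;;CC;;;$sid)"

    # 1. Connection security rule: require IPsec on inbound traffic and request it outbound,
    #    authenticating first the computer (auth1) and then the user (auth2) with Kerberos.
    #    Without the user authentication, the firewall has no user identity to filter on.
    netsh advfirewall consec add rule name="CHD - require IPsec" `
        endpoint1=any endpoint2=any action=requireinrequestout `
        auth1=computerkerb auth2=userkerb

    # 2. Firewall rule: allow the port only on authenticated connections whose remote user is
    #    in the group. With no other allow rule for the port, everyone else hits the default block.
    netsh advfirewall firewall add rule name="CHD - SQL for $Group" dir=in action=allow `
        protocol=TCP localport=$Port security=authenticate rmtusrgrp="$sddl"

    return $sddl
}

function Show-UserScopedFirewallRule {
    param([Parameter(Mandatory)][string]$Group)
    # Verbose output lists the security requirement and the authorized remote users.
    netsh advfirewall firewall show rule name="CHD - SQL for $Group" verbose
}

# Usage (elevated prompt on the server that stores the data):
Enable-UserScopedFirewallRule -Group 'CONTOSO\CHD-Processors' -Port 1433
Show-UserScopedFirewallRule -Group 'CONTOSO\CHD-Processors'
```

Clients must have a matching connection security rule (typically delivered by Group Policy) or their connections to the port are dropped before the user filter is ever evaluated, so stage the rule in a test OU before applying it to production members.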
Vulnerability identification solutions provide tools that your organization can use to help test for vulnerabilities in its information systems. Your IT personnel must be aware of vulnerabilities in the IT environment before they can effectively address them. The ability to restore data that was inadvertently lost because of user error also falls under vulnerability identification.
Vulnerability identification solutions allow you to meet PCI DSS requirement 11, which requires organizations to regularly test security systems and procedures.
For the full text of this requirement, see Navigating PCI DSS – Understanding the Intent of the Requirements (PDF) on the PCI Security Standards Council's Web site.
Microsoft offers the following solution to help you design vulnerability identification solutions to address your PCI DSS requirements:
Microsoft Baseline Security Analyzer (MBSA). As with assessing risk when designing many of your cardholder data protection controls, the MBSA tool enables you to periodically review any vulnerability that might compromise the security of cardholder data. You can use the MBSA tool to locate common security misconfigurations in a number of Microsoft products, including the Windows operating system, Internet Information Services (IIS), SQL Server, Internet Explorer, and Microsoft Office. The MBSA tool also scans for any missing security updates, update rollups, and service packs published to Microsoft Update. You can run the tool from the command prompt or from a GUI, and you can use it with Microsoft Update and Windows Server Update Services. Because keeping your systems updated is a very important way to make cardholder data as secure as possible, the MBSA tool can be invaluable in determining whether your product installations have created cardholder data vulnerabilities over time.
Monitoring and reporting solutions collect and audit logs that are generated by authentication processes and access to systems. You can design these solutions to collect specific information based on PCI DSS, or use existing logs built into operating systems or software packages.
A subcategory of monitoring and reporting is the collection, analysis, and correlation of all logged data across your organization. These actions are sometimes accomplished through a dashboard-type solution, in which you can better analyze the various information gathered throughout the organization. This type of solution allows IT management to better determine whether there are correlations between events.
Monitoring, auditing, and reporting solutions can help you address PCI DSS Requirement 10, which requires organizations to track and monitor all access to network resources and cardholder data.
Microsoft offers the following technologies that allow you to monitor network access and access to cardholder data:
Microsoft System Center Operations Manager Audit Collection Services (ACS). Operations Manager 2007 can securely and efficiently extract and collect security logs from computers running Windows operating systems and store them for later analysis and reporting. The extracted logs are stored in a separate Audit Collection server database. Operations Manager ships with reporting capability that you can use for the ACS data. You can use Audit Collection to produce various compliance reports, such as supporting Sarbanes-Oxley audits. You also can use ACS for security analysis, such as intrusion detection and unauthorized access attempts.
Microsoft Windows Vista Event Logging Infrastructure. Improvements to the Windows event logging infrastructure make the Windows Vista desktop easier to manage and monitor, and provide better information for troubleshooting. Strict standards ensure that events are meaningful, actionable, and well-documented. Many components that stored logging information in text files in previous versions of Windows now add events to the event log. With event forwarding, administrators can centrally manage events from computers anywhere on the network, making it easier to proactively identify problems and to correlate problems that affect multiple computers. In addition, the Event Viewer has been completely rewritten to allow users to create custom views to easily associate events with tasks, and to remotely view logs from other computers. These capabilities make it much more practical for administrators to use the event log to troubleshoot users' problems.
Microsoft SQL Server 2008. SQL Server Reporting Services is a comprehensive, server-based solution that enables the creation, management, and delivery of both traditional, paper-oriented reports and interactive, Web-based reports. An integrated part of the Microsoft business intelligence framework, Reporting Services combines the data management capabilities of SQL Server and Windows Server with familiar and powerful Microsoft Office System applications to deliver real-time information to support daily operations and drive decisions. You can use these services to generate reports that analyze cardholder data and track changes to it. You can also use Reporting Services to more easily monitor network usage patterns and information flow.
NTFS System Access Control Lists. Your organization can use NTFS System Access Control Lists (SACLs) on files and directories to help you track changes to files or folders on a computer. When you set a SACL on a file or folder, any actions that are performed on that file or folder are logged by the Windows operating system, which also logs who performed the action. You cannot set SACLs on computers that are formatted with the FAT file system, so your organization should use the NTFS file system format on all volumes that store user data and cardholder data.
Although management products do not help your organization meet any specific PCI DSS requirement, they can help you keep track of the IT controls that you have implemented for compliance purposes. In creating a framework of IT controls, it is always important to be able to centrally manage those controls from as few administrators' desks as possible.
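The SACL paragraph above, and the monitoring and reporting passage before it, describe logging who did what to a file. The script below is an added example, not code from the guide, that sets an audit entry on a cardholder-data folder, turns on the "File System" audit subcategory (without which SACLs produce no events), and then reads back the resulting Security log events as structured records. The path `D:\CardholderData` is a placeholder; event ID 4663 is the Windows "An attempt was made to access an object" event, and the field names used (`SubjectUserName`, `ObjectName`, `AccessMask`, `ProcessName`) are the ones that event carries.

```powershell
# Added example (not from the guide): audit access to a cardholder-data folder with a SACL and
# read the resulting Security events. Path is a placeholder; requires an elevated prompt.

function Enable-FolderAudit {
    param([Parameter(Mandatory)][string]$Path)
    # -Audit is needed to read and write the SACL (requires the Manage auditing privilege).
    $acl     = Get-Acl -Path $Path -Audit
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    # Audit the accesses that matter for PCI DSS requirement 10: reads, writes, deletes,
    # and anything that could weaken the protection itself.
    $rights  = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', $rights, $inherit, $prop, 'Success, Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # The SACL is inert until Object Access > File System auditing is enabled.
    auditpol /set /subcategory:"File System" /success:enable /failure:enable
}

function Get-FolderAccessEvents {
    param([Parameter(Mandatory)][string]$Path, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$Path*" } |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML rather than parsing text.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Object  = $d.ObjectName
                Access  = $d.AccessMask
                Process = $d.ProcessName
            }
        }
}

# Usage: enable auditing, then review the last day of access to the folder.
Enable-FolderAudit -Path 'D:\CardholderData'
Get-FolderAccessEvents -Path 'D:\CardholderData' -Hours 24 | Format-Table -AutoSize
```

Auditing `ReadData` on a busy folder generates a large volume of 4663 events, so size the Security log (or forward it to a collector such as ACS, described above) before enabling it broadly.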
Microsoft offers two primary tools for managing your framework of IT controls that you implement to address PCI DSS and other regulatory requirements:
Microsoft Forefront. Microsoft Forefront is a suite of line-of-business security products that provide protection for client operating systems, application servers, and the network edge. You can use Forefront with your existing IT infrastructure to protect your servers and client computers from malware and other malicious attacks—all through easy integration with application servers such as Exchange, SharePoint, and Instant Messaging. Forefront also features built-in integration with Active Directory Domain Services, and uses ISA Server to work with Active Directory Domain Services (AD DS) for RADIUS, DHCP, and smart card support. Forefront also provides a centralized management tool for a central reporting location, along with a centralized location to set policy control measures.
Microsoft System Center. Microsoft System Center is a family of management products aimed at providing the tools your organization needs to automate system management across your organization. System Center includes technologies that help automate the most common management tasks, and it also provides tools to help IT professionals detect, diagnose, and correct problems in their computing environments. Specifically, System Center provides products that perform the following functions:
This guide provides descriptions of technology solutions that your organization can use to help achieve and maintain PCI DSS compliance. It discusses the reasons these solutions are important, and offers links to Microsoft guidance and technology that can help your organization toward achieving regulatory compliance.
The effect of implementing these solutions not only helps to provide security and compliance standards for your IT environment, but also has a positive effect on your organization's business processes. Before you implement any of the identified solutions, be sure to meet with your legal advisors and auditors to obtain legal advice about your own unique PCI DSS compliance needs, and carefully consider the impact of these solutions on the entire organization, not just in terms of compliance. Microsoft is committed to providing more in-depth research and solutions for PCI DSS and other regulatory compliance standards.
This appendix contains questions that are commonly asked by customers about Microsoft technology solutions and how your organization can take advantage of them to address PCI DSS requirements. It also contains a table that maps which technology solutions can help your organization address PCI DSS requirements that the guide discusses.
Q: Why should my organization bother to comply with the Payment Card Industry Data Security Standard? Isn't this another useless and costly standard to deal with?
A: There are three reasons that your organization should work to comply with PCI DSS. One, card brands such as Visa have committed to providing financial incentives for PCI compliance and penalties for noncompliance. Two, compliance can help reduce liability in case of data loss. Three, by performing a thoughtful analysis and appropriate design of your systems, the process can actually help you better track customer data, and as a result help you to improve customer service and satisfaction.
Q: Is Microsoft overselling its technologies for PCI DSS compliance?
A: Each organization's situation is different and this guide aims to be as comprehensive as possible. Microsoft might develop specific guidance for industry verticals. You can also contact your Microsoft sales representative for more guidance. As stated above, you can achieve better business results if you look at this not as simply a compliance project, but also as a project dedicated to improving your tracking and management of customer information.
Q: This paper describes many technologies that organizations can use to help them comply with PCI DSS, but very few compliance solutions. Why is that?
A: Each organization's situation is unique, and so it is not possible to come up with a single solution that fits all. Microsoft is committed to providing your organization with more detailed information.
Q: What can Microsoft do to help my organization get PCI DSS certified?
A: Microsoft can offer software and services that can help you address PCI DSS requirements, but it cannot ensure that your organization will achieve compliance with PCI DSS. As a vendor, we are very interested in helping your organization address these requirements, but compliance is between your organization, its auditors, and the card brands with which you work.
Q: Doesn't PCI DSS Requirements and Security Assessment Procedures, v1.2 Section 3.4.1 imply that Microsoft data protection technologies cannot be used?
A: No. That section says, in full:
"If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed independently of native operating system access control mechanisms (for example, by not using local system user accounts). Decryption keys must not be tied to user accounts."
Microsoft data protection technologies do not tie decryption keys to user accounts. For example, BitLocker Drive Encryption never ties decryption keys (PINs or recovery passwords) to user accounts in Active Directory Domain Services (AD DS). Encrypting File System (EFS) does not tie decryption keys to user accounts either. Your organization can revoke a person's ability to decrypt a document without changing system access privileges. In certain configurations, EFS attempts to optimize the user experience by automatically placing some decryption keys in the user profiles of specific users. However, this functionality can be changed through appropriate configuration.
Table 1. PCI DSS Requirements and Associated Technology Solutions
Requirements | Technology solution sections |
Requirement 1 | Risk Assessment; Network Security |
Requirement 2 | Network Security |
Requirement 3 | Document Management; Risk Assessment; Data Classification and Protection |
Requirement 4 | Risk Assessment; Messaging and Collaboration; Data Classification and Protection; Network Security |
Requirement 5 | Risk Assessment; Malicious Software Prevention |
Requirement 6 | Document Management; Risk Assessment; Change Management; Host Control; Malicious Software Prevention; Application Security; Authentication, Authorization, and Access Control |
Requirement 7 | Document Management; Risk Assessment; Identity Management; Authentication, Authorization, and Access Control; Data Classification and Protection |
Requirement 8 | Risk Assessment; Authentication, Authorization, and Access Control |
Requirement 9 | Document Management |
Requirement 10 | Document Management; Change Management; Monitoring, Auditing, and Reporting; Network Security |
Requirement 11 | Risk Assessment; Host Control; Vulnerability Identification |
Requirement 12 | Document Management |