PCI DSS compliance can be difficult, so it is important to rely on "tried and true" solutions. This page maintains an updated list of popular tools for securing your environment and achieving PCI compliance. If you have suggestions for additional tools, please let us know on our forum!
PCI-Approved Malware/Anti-Virus Protection
Centralized anti-virus and anti-malware protection is critical to maintaining PCI DSS compliance. Widespread malware attacks, such as the May 2017 WannaCry attack, require anti-malware that can detect, analyze and stop malicious software and ransomware that may threaten your environment.
Credit Card Detection Software
CDE scoping, which includes identifying and defining where payment card data is stored, is critical for PCI DSS compliance. The following free and low-cost tools can be used to search your networks and systems for payment card data.
Hosted Payment Page/Payment Page Redirect (eCommerce SAQ A Qualification)
When accepting payments online, merchants that use a hosted payment page or a payment page redirect are much more secure and can significantly reduce their PCI DSS compliance scope. By using a third party to host the eCommerce website and its payment processing, merchants can qualify for SAQ A – the most significant level of scope reduction available to eCommerce merchants.
- Shopify: https://www.shopify.com
File Integrity Monitoring
File-integrity monitoring tools alert you to modifications of critical configuration files and other system files within your environment; such modifications could be the result of a compromise.
- OSSEC: http://www.ossec.net (also does centralized logging and host IDS)
- Samhain: http://la-samhna.de/samhain (also does centralized logging and host IDS)
- FTimes: http://ftimes.sourceforge.net/FTimes
PCI DSS requires intrusion-detection systems (IDS) and/or intrusion-prevention systems (IPS) to monitor traffic on the perimeter of the Cardholder Data Environment (CDE).
- OSSEC: http://www.ossec.net
- Samhain: http://la-samhna.de/samhain
- Snort: http://www.snort.org
- Suricata: http://www.openinfosecfoundation.org/index.php/download-suricata
- OSSIM: http://www.alienvault.com/open-threat-exchange/projects
PCIBlog suggests never using Wi-Fi as part of your PCI DSS environment. That said, you are still responsible for detecting and identifying wireless access points (WAPs) within your production environment.
- WirelessNetView: http://www.nirsoft.net/utils/wireless_network_view.html
- Kismet: http://www.kismetwireless.net
- inSSIDer Office: http://www.metageek.net/products/inssider-office
- Xirrus Wi-Fi Inspector: http://www.xirrus.com/Products/Network-Management-and-Software/Network-Management/Wi-Fi-Inspector
For password storage, PCI DSS requires that passwords for CDE systems be managed and stored securely.
From both an IT and a compliance perspective, it is imperative that every organization be aware of failures in its infrastructure, such as network instability. Network monitoring tools like those below provide real-time alerting so that your team is notified whenever an issue occurs within your network infrastructure.