Payment Card Industry Data Security Standard (PCI DSS) is a complex set of rules and requirements that applies to every person, business or organisation that handles credit card data. This includes any person, business or organisation that receives, stores, processes or transmits credit card details.
The PCI DSS is a product of the Payment Card Industry Security Standards Council, an organisation founded by participating payment brands Visa International, Master Card, American Express, Diners Club and JCB.
The purpose of the Payment Card Industry Security Standards Council is to establish a uniform world wide standard to aggressively addresses vulnerability and risk associated with the handling of credit card data across all industries.
In this post I will be giving a few tips around how to get your Microsoft Environment to meet PCI DSS compliance.
What is PCI DSS?
First of all you must understand the PCI DSS compliance requirements. Head over to the e-Path website to get an understanding of the rules and requirements around PCI DSS compliance. There is links to PCI Security Standards Council - Supporting documentation which lists everything involved around bring your organisation align with PCI DSS compliance.
What do I need to become PCI DSS compliant?
Once you understand the requirements next you need to understand what technology is available to meet these requirements. Microsoft has published an article called "Payment Card Industry Data Security Standard Compliance Planning Guide" which documents all the various Microsoft Technologies available in meeting the PCI requirements. This document is aimed primarily at CIO's and IT Managers however a more detailed target audience is listed inside the document. Download this document from the following location:
Note: The are many third party (non Microsoft products) that can help you meet PCI DSS compliance, look elsewhere for these.
Microsoft Security Guide
Next you should look at the Microsoft Security Guide for meeting PCI DSS compliance. This provides an overview for the Security Compliance Management Toolkit which is a bunch of administrative tools for locking down a Microsoft Windows network.
The Microsoft Solution Accelerators - Security and Compliance (SA-SC) team developed the security guides included in this suite to provide you with recommendations for hundreds of Group Policy security settings designed to assist customers in making the environments of their organizations more secure.
These SA SC team created two policy sets for different environments:
- Enterprise Client (EC)
- Specialized Security - Limited Functionality (SSLF)
Both meet PCI DSS requirements!
Enterprise Client (EC)
The Enterprise Client (EC) environment referred to in this guidance consists of a domain using AD DS in which computers running Windows Server 2008 with Active Directory manage client computers that can run either Windows Vista or Windows XP, and member servers running Windows Server 2008 or Windows Server 2003 R2.
The domain controllers, member servers, and client computers are managed in this environment through Group Policy, which is applied to sites, domains, and OUs. Group Policy provides a centralized infrastructure within AD DS that enables directory-based change and configuration management of user and computer settings, including security and user data. The Group Policy this guide prescribes does not support client computers running Windows® 2000.
Specialized Security - Limited Functionality (SSLF)
The Specialized Security – Limited Functionality (SSLF) baseline in this guide addresses the demand to help create highly secure environments for computers running Windows Server® 2008. Concern for security is so great in these environments that a significant loss of functionality and manageability is acceptable. The Enterprise Client (EC) security baseline helps provide enhanced security that allows sufficient functionality of the operating system and applications for the majority of organizations.
Caution: The SSLF security settings are not intended for the majority of enterprise organizations. To successfully implement the SSLF settings, organizations must thoroughly test the settings in their environment to ensure that the prescribed security configurations do not limit required functionality.
If you decide to test and deploy the SSLF configuration settings to servers in your environment, the IT resources in your organization may experience an increase in help desk calls related to the limited functionality that the settings impose. Although the configuration for this environment provides a higher level of security for data and the network, it also prevents some services from running that your organization may require. Examples of this include Remote Desktop, which allows users to connect interactively to desktops and applications on remote computers.
For a copy of the Windows Server 2008 Security Guide visit the following location:
Note: This documentation refers to using the "Security Compliance Management Toolkit". This toolkit has now been replaced by "Microsoft Security Compliance Manager 1.0".
The Security Compliance Management Toolkit contains a tool called GPOAccelerator which automatically creates all the GPOs that you need to deploy the recommended security settings for your environment allowing you to meet PCI DSS requirements.
By using GPO Accelerator it saves you time preventing the need for manually editing policy settings and applying templates. It can create the recommended GPO lockdown policies for each type of windows server:
All of the GPOs that the GPOAccelerator creates are fully populated with the settings.
The GPOAccelerator will also create lockdown policies for your workstations.
Please see the following link to download the GPOAccelerator whitepaper:
Note: GPOAccelerator was a tool included in the Security Compliance Management Toolkit. Security Compliance Management Toolkit is now retired and has been replaced with Microsoft Security Compliance Manager 1.0. Microsoft Security Compliance Manager 1.0 now includes a tool called Local Policy Tool (LPT) which takes over the functionality of GPOAccelerator. Please use LPT to create your security policies to meet PCI DSS requirements.
Auditing Requirements for PCI DSS
I read an excellent article on the auditing requirements for PCI DSS. To understand the Auditing Requirements please read: