PCI Compliance

The Payment Card Industry Data Security Standard (PCI-DSS) requires organizations that process credit card transactions to prevent fraud by monitoring all access to cardholder data. SQL Server Database Monitor helps you to implement the internal controls and reporting systems that enable you to protect sensitive data and demonstrate PCI compliance.

With SQL Server Database Monitor, you can:

  • Enforce segregation of duties
  • Monitor high-risk activity such as privileged user behavior, direct access to databases containing sensitive information, escalation of user privileges, and failed logins.
  • Ensure that databases are queried and updated only through the appropriate applications.
  • Generate alerts whenever an attempt is made to access a database directly or to circumvent SQL Server client application controls.

SQL Server Database Monitor implements an independent and secure audit trail that cannot be modified. Together with its detailed reporting and drilldown capabilities, this allows you to prove compliance with the PCI standard to auditors.

Support for PCI requirements

The table below shows how SQL Server Database Monitor helps you achieve compliance with each of the 12 requirements of the PCI standard.

PCI Requirement | SQL Server Database Monitor capability
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
  • SQL Server Database Monitor includes a network intrusion detection system (NIDS) that analyzes network traffic against a continuously updated set of rules that identify thousands of worms, vulnerability exploits, port scans, and other suspicious behavior.
  • A properly configured firewall will block known attacks and prevent unauthorized access to cardholder data. If a breach occurs because of unknown attacks or misconfigured rules, the detailed historical record of database traffic maintained by SQL Server Database Monitor will enable you to reconstruct the series of events leading up to the breach so that you can identify the cause and prevent it from recurring.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
  • Avoiding the use of vendor-supplied defaults is a fundamental principle of system hardening. Once your SQL Server databases have been hardened, you can configure SQL Server Database Monitor to report on and alert you to any anomalies that occur, for example:
    • Database transactions involving the sa or Administrator account.
    • Inbound and outbound traffic involving ports that should have been closed during hardening.
    • Traffic packets containing unencrypted data.
Requirement 3: Protect stored cardholder data.
  • SQL Server Database Monitor helps you to protect cardholder data by recording details of all accesses to tables containing cardholder data. You can view real-time up-to-date reports or be alerted to specific events such as access to a table by an unprivileged user. SQL Server Database Monitor stores detailed information about each transaction, including the user name, encryption status, IP address, table, date, time, traffic volume, and SQL command issued.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
  • SQL Server Database Monitor can detect whether the traffic it monitors is encrypted or not. You can configure it to generate reports or alerts when it detects unencrypted traffic involving data from tables that store cardholder data.
  • Many legacy database systems have been designed without full encryption, and would require substantial redesign to enable them to fully comply with the PCI encryption requirement. The PCI standard allows for database monitoring to be relied upon as a compensating control that will satisfy audit requirements when a legitimate technological or documented business constraint prevents full compliance with the standard.
Requirement 5: Use and regularly update anti-virus software.
  • SQL Server Database Monitor works in parallel with standard anti-virus software to ensure the strongest possible protection for sensitive data:
    • Its network intrusion detection system protects against many kinds of suspicious behavior including worms, vulnerability exploits, and port scans.
    • Its historical database of network events can report and alert on patterns of behavior that cannot be detected from real-time analysis alone and may be missed by anti-virus software.
    • It can ensure that your anti-virus software is up-to-date, active, and generating audit logs.
Requirement 6: Develop and maintain secure systems and applications.
  • SQL Server Database Monitor helps you to maintain a secure system and application environment by alerting you to policy breaches and suspicious behavior on the network. In particular, it:
    • Records details of every access to specified SQL Server databases and tables.
    • Alerts you in real-time to security breaches such as unencrypted data transmission, incoming and outgoing traffic on ports that should be blocked, and denial of service (DoS) attacks.
    • Verifies that systems are kept up to date with Windows and SQL Server updates such as service packs and security patches.
Requirement 7: Restrict access to cardholder data by business need-to-know.
  • Database systems and applications that deal with cardholder data must be designed and configured with this requirement in mind. Once they are deployed, SQL Server Database Monitor ensures that your systems and applications conform to the requirement. You can configure real-time, policy-based alerts to notify you of any attempts by unauthorized users to access cardholder data. The alerts generated by SQL Server Database Monitor contain detailed information about each transaction, including the user name, encryption status, IP address, table, date, time, and SQL command issued.
  • SQL Server Database Monitor integrates with Active Directory, enabling you to easily identify the users involved in accesses to cardholder data.
Requirement 8: Assign a unique ID to each person with computer access.
  • Practically every computer system enforces a policy of assigning unique credentials to every user. However, it is technically and physically possible for more than one person to know a particular username and password, which would be a non-compliance with Requirement 8. This seldom arises in well-managed enterprise networks, but SQL Server Database Monitor can help you to ensure compliance and satisfy the audit requirement. You can drill down through the traffic information to view details of all traffic by user name and IP address – if you find that a user is accessing the database from several different IP addresses, it could indicate that the username is being shared by more than one person.
Requirement 9: Restrict physical access to cardholder data.
  • This requirement is outside the scope of a software product such as SQL Server Database Monitor. Restrictions on physical access to cardholder data must be implemented by applying the appropriate physical security measures to the hardware on which the data is stored.
Requirement 10: Track and monitor all access to network resources and cardholder data.
  • SQL Server Database Monitor has unique tracking and monitoring capabilities. From the raw traffic flowing through your network, it can detect all accesses to your SQL Server databases and tables, including details of the user name, encryption status, IP address, table, date, time, traffic volume, and SQL command issued.
  • If you have specific tables containing cardholder data, you can configure SQL Server Database Monitor to report specifically on those tables or generate alerts whenever the tables are accessed.
Requirement 11: Regularly test security systems and processes.
  • SQL Server Database Monitor delivers ongoing testing of your security systems and processes by continuously monitoring your SQL Server infrastructure, keeping a detailed record of all transactions, and providing you with alerts in real time whenever an alert criterion (for example, access to cardholder data) is met. The scheduling and reporting features of SQL Server Database Monitor combine to help you demonstrate compliance with this requirement – by running reports at regular intervals and saving the output you can demonstrate that you are regularly testing your systems and processes.
Requirement 12: Maintain a policy that addresses information security.
  • SQL Server Database Monitor makes it easy for you to maintain a policy that addresses information security. You can create alerts and reports to monitor the aspects of your SQL Server environment that are covered by your policy, and create a customized dashboard that displays an at-a-glance view of security policy compliance status.
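As an added illustration that is not the product's own code or audit format: a small Python checker that applies the alert conditions described above for Requirements 2, 4, 7 and 8 (privileged-account transactions, unencrypted cardholder traffic, unauthorized users on cardholder tables, and one user name seen from several IP addresses) to constructed audit records carrying the fields the page lists. The table names, account names and record layout are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample audit trail (hypothetical values), shaped after the
# fields the page lists: user name, encryption status, IP address, table, SQL command.
AUDIT_RECORDS = [
    {"user": "app_svc", "ip": "10.0.1.20", "table": "dbo.Cards", "encrypted": True,
     "sql": "SELECT pan_last4 FROM dbo.Cards WHERE id = 42"},
    {"user": "sa", "ip": "10.0.9.7", "table": "dbo.Cards", "encrypted": True,
     "sql": "SELECT * FROM dbo.Cards"},
    {"user": "jdoe", "ip": "10.0.2.15", "table": "dbo.Orders", "encrypted": False,
     "sql": "UPDATE dbo.Orders SET status = 'shipped' WHERE id = 9"},
    {"user": "jdoe", "ip": "10.0.3.99", "table": "dbo.Cards", "encrypted": False,
     "sql": "SELECT pan FROM dbo.Cards"},
    {"user": "app_svc", "ip": "10.0.1.20", "table": "dbo.Cards", "encrypted": True,
     "sql": "SELECT expiry FROM dbo.Cards WHERE id = 7"},
]

# Assumed policy inputs: which tables hold cardholder data (Req. 3/7/10), which
# accounts count as privileged (Req. 2), and which application accounts may touch
# each cardholder table (Req. 7).
CARDHOLDER_TABLES = {"dbo.Cards"}
PRIVILEGED_ACCOUNTS = {"sa", "Administrator"}
AUTHORIZED_USERS = {"dbo.Cards": {"app_svc"}}


def evaluate(records):
    """Return a list of (requirement, reason, detail) alerts for the given records."""
    alerts = []
    ips_by_user = defaultdict(set)
    for r in records:
        in_scope = r["table"] in CARDHOLDER_TABLES
        ips_by_user[r["user"]].add(r["ip"])
        if r["user"] in PRIVILEGED_ACCOUNTS:
            alerts.append(("Req 2", "privileged account transaction", r))
        if in_scope and not r["encrypted"]:
            alerts.append(("Req 4", "unencrypted cardholder traffic", r))
        if in_scope and r["user"] not in AUTHORIZED_USERS.get(r["table"], set()):
            alerts.append(("Req 7", "unauthorized user on cardholder table", r))
    # Req. 8 heuristic from the page: one user name seen from several IP
    # addresses may indicate a shared credential.
    for user, ips in sorted(ips_by_user.items()):
        if len(ips) > 1:
            alerts.append(("Req 8", f"user seen from {len(ips)} IP addresses",
                           {"user": user, "ips": sorted(ips)}))
    return alerts


if __name__ == "__main__":
    for req, reason, detail in evaluate(AUDIT_RECORDS):
        print(req, reason, detail)
```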

Find out more

If you have any questions about how SQL Server Database Monitor can help you with your network monitoring requirements, please contact us. If you would like to see SQL Server Database Monitor in action, please try our online demo system, or download a free 30-day trial to try it on your own network with your own data.