Accelerate the path to PCI DSS data compliance using InfoSphere Guardium

Use prebuilt reports, policies, and groups to simplify configuration

This article gives you a step-by-step overview of using the Payment Card Industry (PCI) Data Security Standard (DSS) accelerator that is included with the standard InfoSphere® Guardium® data security and protection solution. The PCI DSS is a set of technical and operational requirements designed to protect cardholder data and applies to all organizations who store, process, use, or transmit cardholder data. Failure to comply can mean loss of privileges, stiff fines, and, in the case of a data breach, severe loss of consumer confidence in your brand or services. The InfoSphere Guardium accelerator helps guide you through the process of complying with parts of the standard using predefined policies, reports, group definitions, and more.


Kathryn Zeidenstein (, InfoSphere Guardium Evangelist, IBM

Photo of Kathryn ZeidensteinKathy Zeidenstein has worked at IBM for a bazillion years. Currently, she is working as a technology evangelist for InfoSphere Guardium data activity monitoring, based out of the Silicon Valley Lab. Previously, she was an Information Development Manager for InfoSphere Optim data lifecycle tools. She has had roles in technical enablement, product management and product marketing within the Information Management and ECM organizations at IBM.

Shengyan Sun (, InfoSphere Guardium QA Engineer, IBM

Photo of Sheng Yan SunShengyan Sun has focused on IBM InfoSphere Guardium core component testing since she joined IBM in 2010. She works closely with customers and actively promotes the application of InfoSphere Guardium in the Asia-Pacific market. She had many years of experience in DBA and data analysis system development before joining IBM.

18 April 2013


Recent high profile data thefts, along with industry statistics, indicate significant work remains to be done in most organizations to implement PCI DSS. In its 2010 Data Breach Investigation Report of 141 global organizations that experienced breaches, Verizon's Business Risk Team found that 83% of records compromised involved payment card data. "While other types of data are sought by certain groups (i.e. competitors may target IP), the vast majority of cybercriminals are looking for a quick and easy payoff. Payment cards certainly fit the bill." Investigations also showed that 79% of the organizations attacked that were subject to PCI DSS were not compliant with the standard.

InfoSphere Guardium is designed to help you meet standard compliance requirements. It includes four compliance accelerators that you are entitled to use with your Activity Monitoring or Vulnerability Assessment license: Basel II, Data Privacy, PCI DSS, and Sarbanes-Oxley (SOX). They can be downloaded from Passport Advantage as part of the InfoSphere Guardium e-assembly. In this article, you will get an overview of the PCI accelerator, looking at each of the major components of the accelerator. You will learn how the accelerator helps you design the correct reports and policies for compliance, but how it is also structured as a checklist of sorts to make it easy to demonstrate to an external auditor how you are managing to PCI compliance standards using InfoSphere Guardium.

What is PCI DSS?

Payment Card Industry (PCI) Data Security Standard (DSS) is a set of technical and operational requirements designed to protect cardholder data and applies to all organizations who store, process, use, or transmit cardholder data. As stated on the PCI Security standard website, the framework for compliance is built around three steps:

  • Assess: Inventory your IT assets and business processes for payment card processing and analyze them for vulnerabilities that could expose cardholder data.
  • Remediate: Fix those vulnerabilities.
  • Report: Compile records required by PCI DSS to validate remediation and submitting compliance reports to the acquiring bank and global payment brands you do business with.

This article assumes some knowledge of InfoSphere Guardium to do the hands-on activities, but the main points of the article, in terms of benefits for compliance, should be clear, even without prior Guardium experience. Because the examples show populated reports, this article also assumes that you have already installed and configured InfoSphere Guardium and are collecting data activity from your database servers.

In this article, you will learn:

  • How to install the accelerator and configure a PCI role that will see the GUI enhancements specifically for the PCI accelerator.
  • The layout of the accelerator and the reports that are included to demonstrate compliance. You will learn how to add members to groups that will enable those reports to return the correct information. The article also briefly discusses security policies and rules.
  • How to use audit processes to automate compliance workflow for reviews and sign-offs.

Recommendation: You can download the checklist, which helps you to gather the required information to populate the groups used in the PCI reports and policies.

Summary for advanced users

If you are familiar with InfoSphere Guardium and don't need step-by-step instructions, here is a summary of what you need to do.

  1. Download and install the PCI DSS accelerator from Passport Advantage, assigning the PCI role to a user, and resetting the GUI layout for that user. See Install the PCI DSS accelerator and configure the PCI role for more details.
  2. Using the Guardium API (See the appendix) or the Group Builder (see Populating groups), populate groups that are used to generate the reports you need, as summarized here:
    • PCI Admin Users
    • PCI Authorized Client IPs
    • PCI Authorized Server IPs
    • PCI Authorized Source Programs
    • PCI Cardholder DBs
    • PCI Cardholder Sensitive objects
    • PCI Limited Access Users
  3. Configure a security policy, optionally using one of the PCI policies as a template. (See Set up the security policy.)
  4. Use regularly scheduled security assessments to detect common vulnerabilities or usage of bad practices for security. (See Run regular security assessments.)
  5. Use audit processes to automate sign-offs and review (See Use audit processes to automate sign-offs and review.)

Install the PCI DSS accelerator and configure the PCI role

The PCI DSS accelerator, along with the accelerators for Sarbanes-Oxley, Data Privacy, and HIPAA, are part of your entitlement to InfoSphere Guardium. Use the following steps to obtain and install it.

  1. From an authorized Passport Advantage ID, download the Accelerator module for your release of InfoSphere Guardium and upload it to your file server.
  2. Log in to the Guardium appliance as CLI (or an admin with CLI), run the following CLI command, and follow the prompted steps:

    store system patch install sys

  3. After the installation is complete, use the following CLI command to confirm that the patch installed successfully:

    show system patch installed

    In the listing of the command, you should see a line for the accelerator that shows a status of: DONE: Patch Installation Succeeded, as shown in Figure 1.

    Figure 1. Successful installation of the PCI accelerator
    output of show system patch installed command

InfoSphere Guardium uses roles to segregate the components that a particular user has access to. The Guardium access manager is responsible for assigning users to roles. The PCI role enables the person responsible for configuring Guardium for PCI compliance to see the relevant information in the Guardium user interface.

In this section, learn how to configure an existing user to have the PCI role in Guardium and configure the layout for the PCI accelerator.

Recommendation: When you configure the layout, that user will lose any existing UI customization, so it is recommended that you create a different user for testing purposes.

  1. Log in to the Guardium web UI using the accessmgr user account. Select a user (in this case, user1), and click Roles.
    Figure 2. Adding a role for a user
    in user browser, select a user and then click on Roles button
  2. In the User Role Form, check the box for PCI, and then click Save.
    Figure 3. Adding a role for a user
    In user role form, click on PCI and then Save button
  3. Next, click Change Layout to configure the user interface to add the PCI-specific user interface components.
    Figure 4. Change the layout to activate PCI components of the user interface
    In user browser, click on change layout for user
  4. A window opens asking for an optional description. You can add a description or not, then click Reset.
    Figure 5. Reset will reset the layout for the user when they log on
    Clicking the reset button

Now user1 is ready to begin configuring Guardium for PCI monitoring.

First, as user1, log in to the Guardium web interface. Because of your PCI role, you see a customized layout for PCI. If not already highlighted, click on the PCI Accelerator tab and then the Overview subtab. On the left navigation pane, you have the option of viewing an overview of the PCI Standard (as shown in Figure 6) or an introduction to the Guardium PCI accelerator itself.

Figure 6. An overview of the PCI standard
overview text of accelerator.
  • From the left menu pane, select the PCI Data Security Standard to open the Introduction page.
  • From the left menu pane, select PCI Accelerator for Compliance to get the detailed introduction to the PCI accelerator.

Plan and organize

The accelerator can help you with planning and organizing for PCI compliance activities. This section includes reports that inventory your cardholder database servers, database users, authorized source programs, and more.

You can use Guardium API automation to keep these inventories updated as your environment changes, or you can update the inventory manually using the GUI.

Click on the Plan & Organize tab and then click on the Overview option from the left navigation menu to get to the introduction of how the report templates in this section can help you:

  • Create an inventory map of cardholder information servers, clients, databases, and users.
  • View information about the "who, what, when, and how" of cardholder information that has been touched.
  • Verify that generic IDs and accounts are disabled or removed and that there are no shared IDs for system administration activities and other critical functions.
Figure 7. Plan and organize overview
Text on this page basically covers similar material to text above

In the left menu pane, you see the list of report templates that are provided to help you plan and stay organized.

Figure 8. Built-in reports to help you plan and organize
Menu listing of reports that will be covered in the subsequent text

If you click on any of these reports, you will see data not found because they rely on groups being populated with relevant members. InfoSphere Guardium uses groups to simplify the management of the system. So, for example, you might have a group of cardholder databases and a group of authorized programs. The reports use the appropriate populated groups as a runtime parameter to show you the relevant information.

This becomes more clear as you continue in this article. First, you'll get a description of the reports and the relevant groups, and then you'll see how to find for yourself what groups a report is using and how to populate a group.

Here is an overview of the reports in the Plan & Organize tab and the group or groups it relies on.

Graphical maps

It is possible to create a graphical view (including a PDF) of client/server mapping as well. This is called the Access Map Application. That application uses IP addresses and database types for filtering, not groups. See the "how-to" topic in the InfoSphere Guardium information center for more details (see Resources for a link).

  • Cardholder Server IPs List: This reports the cardholder information database server list. You will need to populate the PCI Authorized Server IPs group, which specifies the database server that stores cardholder information.
  • Cardholders Databases: Cardholder information databases. You will need to populate the PCI Cardholder DBs group.
  • Cardholder Objects: Cardholder information objects. This could be a table, view, or stored procedure that contains the sensitive information. You will need to populate the PCI Cardholder Sensitive objects group.
  • DB Clients to Servers Map: This report is a client to server mapping of PCI Authorized Server IPs (the group that specifies the database servers storing cardholder information) to client IPs that are accessing that server. See Figure 14 for an example.
  • Active DB Users: This reports on users (who are not administrators) who are visiting the cardholder database. This report uses the PCI Admin Users groups.
  • Authorized Source Programs: This reports on the authorized credit applications. This report relies on the PCI Authorized Server IPs and the PCI Authorized Source Programs groups.
  • Unauthorized Application Access: This report lets you know if there is a program other than one of your authorized credit applications accessing the authorized database server. Again, this relies on the PCI Authorized Server IPs and PCI Authorized Source Programs groups. (At runtime, the report uses negation on the PCI Authorized Source Program group to identify the unauthorized applications.)
  • 8.5.8 Shared Accounts: PCI requirement 8 is that each person who has computer access is assigned a unique ID. This report can help identify when the same user ID is used from multiple client IPs to connect to the same server, which could indicate that ID sharing is occurring

Populating groups

To see the magic behind the reports, you can go to any report and click on the pencil icon to see the query that is used to build the report.

Figure 9. Edit a report to see the query behind it
shows pencil icon highlighted.

The Query Builder will include the names of relevant group or groups used when running the report.

Figure 10. Query conditions for a report may contain groups
shows excerpt of query builder with two pci groups in the IN GROUP query condition.

Your task now is to populate the group, and you'll do that using the Group Builder.

You can access the Group Builder from many different places as groups are a critical component of reporting, security assessments, and policy rules. You navigate to the Group Builder from the Comply tab, which is a tab that appears when you are logged on in the user role. Click on the Comply tab, then select Group builder from the graphic, as shown in Figure 11.

Figure 11. Accessing the group builder tool
Highlights Group builder text as shown in the custom reporting graphic on the Comply tab.

Highlight the group you want to modify, and then click Modify. In Figure 12, PCI Authorized Server IPs is selected.

Figure 12. Modify the built-in group
Highlights group name and shows Modify button highlighted.

In the Manage Members for Selected Group portlet you can add authorized server IPs to the group. Enter each server IP, and then click Add to put the member in the Group Members window. When you are done, click Back.

Figure 13. Adding members to a group
IP is in the window. is in the create and add new member field. Add button is highlighted. when Add is clicked that IP will move up into the window with the other IP.

You can also use the Guardium APIs to populate your groups. The appendix includes an example of how to do this.

As shown in Figure 13, the authorized server IP group is populated with the following IPs:

The client-to-server map report, shown in Figure 14, which uses that authorized server IP group for its query, shows the client accesses to just those two server IPs.

Figure 14. Client-to-server map report
This report shows the clients for the IPs that were included in the authorized server ip group' that is, IP and

Track and monitor (PCI requirement 10)

Now that you've populated your groups and are able to report on PCI assets and use patterns, you're ready to move on to the Track & Monitor tab. Requirement 10 of the standard states that you must track and monitor all access to network resources and cardholder data. This tab includes a combination of reports and information to help you reach compliance with this part of the standard. Let's take a look.

Figure 15. Reports and activities to comply with Requirement 10
The items in the menu are described in text below.
  • 10.2 and 10.3 Automation: This section explains the requirements for this part of the standard and how InfoSphere Guardium reports help you comply. Compliance automation enables you to schedule reports and send reports to the appropriate people for action, if required, and sign-off. For more information, see the online help section entitled Protect and Comply.
  • 10.2.1 Data Access: This report documents access to cardholder data and relies on the PCI Authorized Server IPs and PCI Admin Users groups (negation on this group means that users who are not admin users are tracked).
  • 10.2.2 Admin Activity: Similar to the Data Access report, except that it tracks admin user access to PCI data.
  • 10.2.3 Audit Trail Access: This section explains that compliance to this part of the standard requires that the access to audit trails be logged to detect tampering by malicious users who may attempt to hide their tracks. InfoSphere Guardium is self-monitoring so that all actions on the appliance are monitored.
  • 10.2.4 Invalid Access: This section contains two reports that can help you detect if someone is trying a brute force attack or if there is an unauthorized application accessing cardholder objects.
  • 10.2.6 Initialization Log: PCI section 10.2.6 is concerned with initialization of assessment logs because loss of the log data means that evidence is completely destroyed. This section of the PCI accelerator explains how InfoSphere Guardium handles audit logs, which are encrypted and archived to secondary storage. The data can be restored to the Guardium appliance if required for incident investigation.
  • 10.5 Secure audit trails: This section explains how Guardium helps you address this section of the compliance standard, including use of security roles for separation of duties, the use of a hardened, tamper-proof appliance to protect the audit repository, and the ability to automate the archive and purge processes.
  • 10.6 Access Auditing: This section of the standard is concerned with frequency of log review, at least daily, to ensure that a breach is detected early. With InfoSphere Guardium, you can use the audit process workflow to automate review of audit reports and create an audit trail of review and sign-offs to validate that you have met the requirements of this part of the standard. See Using audit processes to automate compliance workflow for more information.

Run regular security assessments (PCI requirement 11)

Click on the Ongoing validation (PCI Req 11) tab. This section of the accelerator addresses the PCI standard ("develop configuration standards for all system components") because of the extensive library of assessment tests that are built around Center for Internet Security (CIS) and Defense Information Systems Agency Security Technical Implementation Guides (DISA STIG). For PCI Requirement 11.5, which requires regular monitoring of changes to critical system files, the assessment also includes configuration file "bad practices" as well as a configuration audit system that monitors any changes to those files after they have been locked down.

This section relies on capabilities found in the Vulnerability Assessment tools in InfoSphere Guardium.

From the PCI Req. 11 Ongoing Validation tab, click Overview to get the introduction about the importance of doing regular assessments of possible vulnerabilities.

  1. From the left menu pane, select Security Assessment.
  2. From the graphic on that pane, select Define what database you want assessed to open the Security Assessment builder.
    Figure 16. Accessing security assessments
    highlights in context the information described above
  3. Click New to create a new assessment.
    Figure 17. Creating a new assessment
    highlights New button.
  4. Enter a description and time period for this assessment, and click Add Datasource to associate this assessment with a data source.
    Figure 18. Add a datasource for the assessment
    added card_db2_sec as a data source.
  5. Enter the name and type for the database as well as the user name and password. Enter the server IP, port, and service name (if needed for that database). Click Apply, and then click Back.
    Figure 19. Datasource details
    added card_db2 as a data source, sample database and relevant port. Apply is highlighted
  6. Click Test Connection to make sure Guardium can connect to the data source with the provided information. If all is well, click Back.
  7. In the Datasource Finder, select the data source you just created, and then click Add.
    Figure 20. Add the datasource to the new assessment
    data source is selected and Add button is highlighted.
    This adds this data source to the assessment you are building, as shown in Figure 21. Click Apply.
    Figure 21. Datasource added to the assessment
    card_db2 is now shown under datasources. Apply is highlighted
    Click Configure Tests…, which brings up the screen shown in Figure 22. From your database type tab, select and add tests, which are based on database security best practices, and test for common vulnerability exposures (CVEs). You may want to start by identifying only critical exposures and then add additional tests after you fix the critical vulnerabilities.
    Figure 22. Guardium includes a wide variety of built-in assessment tests
    screen shows a variety of tests available for DB2
  8. Click Run Once Now to run the assessment immediately. This may take a while if you have a lot of tests, which is why it is recommended to add these security tests to an audit process, which can be scheduled. (See Using audit processes to automate compliance workflow for more information.)

    As shown in the excerpts in Figure 23, you get an assessment result that shows you which tests passed, which tests failed, and how you can fix the failures. There is also a graph that shows you results over time so that you can set goals and show progress.

    Figure 23. Assessment test results
    various sections of the VA results are show

Again, it is recommended to add security assessment testing on a regular schedule by using the audit process to help you comply with the PCI requirements.

This section has only briefly touched on the topic of vulnerability assessments. Be sure to read the Assess and Harden online help book for more information.

Set up the security policy

Click on the PCI Policy Monitoring tab. This section of the accelerator is all about using policies, which are at the heart of how InfoSphere Guardium does its job. Click Overview to learn how InfoSphere Guardium policy-based monitoring and protection helps you comply with PCI mandates, including the ability to create a policy based on "normal" baseline activity so that deviations from that baseline can be logged as policy violations.

InfoSphere Guardium policies consist of an ordered set of rules that is applied between any observed traffic between the database clients and servers. The three main types of rules are:

  • Access rules, which apply to traffic coming from the database client to the database server.
  • Exception rules, which apply to any exceptions returned from the database server to the client.
  • Extrusion rules, which apply to data results. This might include a policy rule to mask returned data, for example.

Although we describe how to find the currently installed policy and view its rules, the detailed information about how to create rules and their behavior is outside the scope of this article. If you are responsible for creating policies in your organization, you should definitely review some of the materials highlighted in Resources to learn more.

  1. From the left menu pane, click Policy Description to see the currently installed policy, which will look something like Figure 24.
    Figure 24. Installed policy
    window that shows some info about the installed policy such as the fact it is a log full details policy
  2. To edit or create a new policy, click on the Monitor/Audit tab. This takes you to the policy finder where you can find a list of predefined policies that you can modify. You can create your own policy by creating new rules or by cloning an existing policy and modifying the rules. Let's see how to do that.
  3. Click on the policy you want to modify, such as PCI , and click Clone.
    Figure 25. Cloning an existing policy to modify its rules
    PCI policy is selected and Clone button is highlighted
  4. Give the policy a new name, and then click Save.
    Figure 26. MYPCI new name
    we entered MyPCI as the new name. Save button is highlighted
  5. Select your policy from the policy finder list, and then click Edit Rules....
    Figure 27. Modifying rules of cloned policy
    MyPCI is selected and Edit Rules button is highlighted
  6. As shown in Figure 28, you will see a collapsed list of all the policy rules in the PCI policy that you can modify for your environment. You'll see many different rules, including ones that detect and log violations for access to credit card magnetic stripe data and credit card number patterns as well as masking those numbers upon return to an unauthorized user.

    To view a rule, you can click on the plus sign. To modify the rule, click on the pencil icon as shown in Figure 28, where you are modifying rule 6.

    Figure 28. Click on pencil icon to modify a rule
    A bunch of rules are shown. Pencil icon in rule 6 is highlighted.
  7. Figure 29 is policy rule 6 expanded. Here, you can see two groups, Cardholder DB Objects and DDL commands, that you need to add members to if you have not done so already. Remember how we said that Group Builder can be found in many places in Guardium? You can see it here in the Policy Builder as well.
    Figure 29. Modify Cardholder Objects and DDL commands groups for this rule
    A bunch of rules are shown. Pencil icon in rule 6 is highlighted.
  8. Click on the Group builder icon and enter members to the group, as described in Populating groups.
  9. Any time you change a policy, you must install the policy. It's a simple click of a button to install, but you will not do that here, because you are just looking at an existing PCI policy to see some of the rules that are there that you may want to use for your environment.
  10. Now navigate back to PCI Accelerator > PCI Policy Monitoring, and from the left menu pane select Policy Violations. This is where any policy rules that are triggered appear. You can define the severity of the rule with INFO, LOW, MEDIUM, or HIGH. Figure 30, for example, is an excerpt of Rule #4 of the built-in PCI policy that has a medium level severity.
    Figure 30. A medium severity alert for an exception violation
    SQL Error violation.
    The violations will be color coded in the Policy Violations report according to severity.

Use audit processes to automate compliance

A key ingredient in the recipe to reduce the burden of PCI compliance and to maintain an audit trail of all reviews and approvals is to use an audit process, which lets you define:

  • What activities, such as reports or security assessments.
  • Who has to review or sign off.
  • When the activities in this audit process run. For example, some activities must be run daily, others may be weekly, monthly, or even quarterly.

Figure 31 shows a sample audit process flow. In this example, the PCI owner must review and approve all new connections to the database. That gets passed on to the Information Security officer who must review, and finally to the Guardium administrator, who has a task to perform to ensure that the approved connection does not get reported as a violation in the future. The PCI owner and the Guardium administrator receive PDFs and CSVs of the report in their e-mail, while the information security office receives a link to the report.

Figure 31. Audit process workflows automate compliance processes
text above describes the audit process workflows used to automate compliance processes

The audit process shown in Figure 31 can be run on a scheduled basis to ensure that new connections are being reviewed and acted upon in a timely fashion.

Figure 32 shows an example of the audit trail comments that are included with the report.

Figure 32. The comments are included with the report for auditing
authorized connection report shows timestamp, user, and text of comment

Reports can be automatically fed to a content repository such as Microsoft™ SharePoint after all the previous receivers have reviewed and signed off. This makes it easy to retrieve all the information you need to satisfy an audit, including comments from the reviewers, without requiring retrieval of archived audit data.

In addition, by using the data-level security feature in InfoSphere Guardium, you can define a single report and still ensure that only those people who are associated with a particular database server see results for that server. For more information about using data-level security and audit processes, refer to the developerWorks article "Use data-level security for granular access control of auditing results in InfoSphere Guardium" (see Resources).


By following the best practices outlined by the standards, you are taking a major leap forward in protecting your data assets from costly and embarrassing breaches.

InfoSphere Guardium standards accelerators are designed specifically to make it easy to demonstrate compliance to various standards such as PCI, Basel II, Sarbanes-Oxley, and data privacy. Not only are report and policy templates included for you, the accelerator itself helps you demonstrate to an auditor specifically which section of the compliance standard is being addressed and how. Automated workflow management helps you maintain compliance with a reduced total cost of ownership.

Appendix: Use InfoSphere Guardium API to populate groups

InfoSphere Guardium has a rich set of APIs to help you automate configuration and maintenance of groups. You can get more information in the Appendices help or from the command-line interface (CLI).

When logged in as CLI or as a user with a CLI role, to see a list of all grdapi commands, enter:

CLI> grdapi

To see the parameters for a particular command, enter the command and help=true as shown here:

CLI> grdapi create_member_to_group_by_desc --help=true

Listing 1 shows an example of using the APIs to populate PCI groups and to list the members of those groups.

Listing 1. Using the Guardium APIs to populate groups for PCI compliance
-- Populate PCI groups 
grdapi  create_member_to_group_by_desc desc="PCI Admin 
Users"  member="Joe"
grdapi  create_member_to_group_by_desc desc="PCI Admin 
Users"  member="JDiPietro"
grdapi  create_member_to_group_by_desc desc="PCI Admin 
Users"  member="SA"
grdapi  create_member_to_group_by_desc desc="PCI Admin 
Users"  member="System"
grdapi  create_member_to_group_by_desc desc="PCI Admin 
Users"  member="DB2inst2"
grdapi  create_member_to_group_by_desc desc="PCI Admin 
Users"  member="bill"

grdapi  create_member_to_group_by_desc desc="PCI 
Authorized Client IPs"  member=""
grdapi  create_member_to_group_by_desc desc="PCI 
Authorized Client IPs"  member=""
grdapi  create_member_to_group_by_desc desc="PCI 
Authorized Client IPs"  member=""
grdapi  create_member_to_group_by_desc desc="PCI 
Authorized Client IPs"  member=""
grdapi  create_member_to_group_by_desc desc="PCI 
Authorized Client IPs"  member=""

grdapi  create_member_to_group_by_desc desc="PCI 
Authorized Server IPs"  member=""
grdapi  create_member_to_group_by_desc desc="PCI 
Authorized Server IPs"  member=""
grdapi  create_member_to_group_by_desc desc="PCI 
Authorized Server IPs"  member=""
grdapi  create_member_to_group_by_desc desc="PCI 
Authorized Server IPs"  member=""

grdapi  create_member_to_group_by_desc desc="PCI 
Authorized Source Programs"  member="%SQLPLUS%"
grdapi  create_member_to_group_by_desc desc="PCI 
Authorized Source Programs"  member="SQLPLUS"
grdapi  create_member_to_group_by_desc desc="PCI 
Authorized Source Programs"  member="SAP"
grdapi  create_member_to_group_by_desc desc="PCI 
Authorized Source Programs"  member="Oracle EBS"
grdapi  create_member_to_group_by_desc desc="PCI 
Cardholder DBs"  member="master"
grdapi  create_member_to_group_by_desc desc="PCI 
Cardholder DBs"  member="creditcard"

grdapi  create_member_to_group_by_desc desc="PCI 
Cardholder Sensitive objects"  member="creditcard"
grdapi  create_member_to_group_by_desc desc="PCI 
Cardholder Sensitive objects"  member="cc"
grdapi  create_member_to_group_by_desc desc="PCI 
Cardholder Sensitive objects"  member="patient"

grdapi  create_member_to_group_by_desc desc="PCI Limited 
Access Users"  member="harry"

-- Verify members added to group

grdapi list_group_members_by_desc desc="PCI Limited 
Access Users"
grdapi list_group_members_by_desc desc="PCI Cardholder 
Sensitive objects"
grdapi list_group_members_by_desc desc="PCI Cardholder 
grdapi list_group_members_by_desc desc="PCI Authorized 
Source Programs"
grdapi list_group_members_by_desc desc="PCI Authorized 
Server IPs" 
grdapi list_group_members_by_desc desc="PCI Authorized 
Client IPs"
grdapi list_group_members_by_desc desc="PCI Admin Users"


PCI pre-audting checklistPCIpre-audit.pdf143KB



Get products and technologies

  • Evaluate IBM products in the way that suits you best: Download a product trial, try a product online, use a product in a cloud environment, or spend a few hours in the SOA Sandbox learning how to implement Service Oriented Architecture efficiently.



developerWorks: Sign in

Required fields are indicated with an asterisk (*).

Need an IBM ID?
Forgot your IBM ID?

Forgot your password?
Change your password

By clicking Submit, you agree to the developerWorks terms of use.


The first time you sign into developerWorks, a profile is created for you. Information in your profile (your name, country/region, and company name) is displayed to the public and will accompany any content you post, unless you opt to hide your company name. You may update your IBM account at any time.

All information submitted is secure.

Choose your display name

The first time you sign in to developerWorks, a profile is created for you, so you need to choose a display name. Your display name accompanies the content you post on developerWorks.

Please choose a display name between 3-31 characters. Your display name must be unique in the developerWorks community and should not be your email address for privacy reasons.

Required fields are indicated with an asterisk (*).

(Must be between 3 – 31 characters.)

By clicking Submit, you agree to the developerWorks terms of use.


All information submitted is secure.

Dig deeper into Information management on developerWorks

Zone=Information Management
ArticleTitle=Accelerate the path to PCI DSS data compliance using InfoSphere Guardium