How to use PCI/DSS Accelerator to implement PCI compliance

Configure IBM® Security Guardium®’s PCI/DSS Accelerator and create a series of policies and reports in order to meet PCI/DSS requirements.

PCI/DSS (Payment Card Industry Data Security Standard) is a set of technical and operational requirements designed to protect cardholder data.

Value added: the accelerator gives customers a complete view of PCI/DSS and provides predefined policies and reports that save configuration time.

Follow these steps:

  1. Configure the PCI role.

  2. Configure reports and policies that follow the requirements.

Configure PCI role

  1. Log in to the Guardium GUI using the “accessmgr” user account. Select a user (in this case, user1) and click Roles.

  2. In the user role form, check PCI, and then save the assignment.

Implement PCI accelerator

Log on using “user1” and click Accelerators.

  1. Click PCI Accelerator for Compliance.

  2. Click PCI Data Security Standard.

Plan and Organize

Click Overview for an introduction to how the predefined reports map to the compliance requirements.

  1. Cardholder Server IPs List: the list of database servers that hold cardholder information. According to your company's actual environment, populate the PCI Authorized Server IPs group, which specifies the database servers that store cardholder information.

  2. Cardholders Databases: the cardholder information databases. Populate the PCI Cardholder DB group with the databases in which cardholder information is stored.

  3. Cardholder Objects: the cardholder information objects. This requires populating the PCI Cardholder Sensitive objects group.

  4. DB Clients to Servers Map: the client/server mapping. Uses the PCI Authorized Server IPs group, which specifies the database servers storing cardholder information; the query shows which clients access the cardholder databases.

  5. Active DB Users: users other than administrators who have accessed the cardholder databases. Populate the “PCI Authorized Server IPs” and “PCI Admin Users” groups.

  6. Cardholder DB Administration: management operations on the cardholder databases. Populate the PCI Authorized Server IPs and PCI Admin Users groups.

  7. Authorized Source Programs: access by authorized (credit) programs. Populate the PCI Authorized Server IPs and PCI Authorized Source Programs groups; this report records cardholder database access by the programs in the authorized group.

  8. Unauthorized Application Access: access by programs that are not authorized. Populate the PCI Authorized Server IPs and PCI Authorized Source Programs groups; this report records cardholder database access by programs that are not in the authorized group.

  9. 8.5.8 Shared Accounts: PCI requirement 8 requires that each person with computer access is assigned a unique ID. Populate the PCI Authorized Server IPs group so the report can count how many times the same database user name accesses the cardholder database servers.

Click each report to view its form, then determine which group contents need to be populated.

Navigate to Setup > Tools and Views > Group Builder and, under Modify Existing Groups, select the group name.

Click Modify (the pencil icon) to open the Manage Members for Selected Group page and add new members.

The group can also be populated through a customized query.

PCI Req. 10 Track & Monitor

Click Overview for an introduction to how Guardium monitoring and the predefined reports map to the compliance requirements.

  1. 10.2 and 10.3 Automation: use the Protect help book and the Comply help book in the online help to automate this section.
  2. 10.2.1 Data Access: PCI - Access to cardholder data. Populate the PCI Authorized Server IPs and PCI Admin Users groups.
  3. 10.2.2 Admin Activity: PCI - Activity by Admin user. Populate the PCI Authorized Server IPs and PCI Admin Users groups.
  4. 10.2.3 Audit Trail Access: to cover this section completely, at least four kinds of reports must be defined: logins to SQLGuard; user activity audit trails on the Guardium server; scheduled job exceptions; and user to-do lists. Navigate to Investigate > Query-Report Builder to create the reports you need.
  5. 10.2.4 Invalid Access: PCI - Invalid Login Access Attempts records failed login attempts on the database. PCI - Unauthorized Application Access records database access by programs not defined in PCI Authorized Source Programs.
  6. 10.2.6 Initialization Log, 10.5 Secure Audit Trails, and 10.6 Access Auditing: these three sections can also use the Monitor and Audit help book in the embedded online help.
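As an added illustration (not Guardium code or its actual report definitions), the following Python models the group-driven logic behind the predefined reports named in the Plan and Organize and Req. 10 sections above: Unauthorized Application Access, Active DB Users, 8.5.8 Shared Accounts, and Invalid Login Access Attempts. The group contents and access records are constructed sample values, and the "shared account" threshold is an assumption.

```python
from collections import defaultdict

# Constructed sample contents for the Guardium groups named on this page.
PCI_AUTHORIZED_SERVER_IPS = {"10.0.1.10", "10.0.1.11"}
PCI_ADMIN_USERS = {"dba_admin"}
PCI_AUTHORIZED_SOURCE_PROGRAMS = {"card_app.exe", "batch_settle"}

# Constructed sample access records:
# (server_ip, client_ip, db_user, source_program, login_succeeded)
RECORDS = [
    ("10.0.1.10", "192.168.5.20", "app_user", "card_app.exe", True),
    ("10.0.1.10", "192.168.5.21", "app_user", "sqlplus", True),        # unauthorized program
    ("10.0.1.11", "192.168.5.22", "app_user", "card_app.exe", True),   # same user, third client
    ("10.0.1.10", "192.168.5.30", "dba_admin", "sqlplus", True),       # admin activity
    ("10.0.1.11", "192.168.5.40", "report_user", "batch_settle", False),  # failed login
    ("10.0.9.9", "192.168.5.50", "someone", "sqlplus", True),          # not a cardholder server
]


def cardholder_records(records):
    """Every PCI report is scoped by PCI Authorized Server IPs: drop other servers."""
    return [r for r in records if r[0] in PCI_AUTHORIZED_SERVER_IPS]


def unauthorized_application_access(records):
    """'Unauthorized Application Access': (user, program) pairs where the
    source program is not in PCI Authorized Source Programs."""
    return sorted({(r[2], r[3]) for r in cardholder_records(records)
                   if r[3] not in PCI_AUTHORIZED_SOURCE_PROGRAMS})


def active_non_admin_users(records):
    """'Active DB Users': users outside PCI Admin Users that touched cardholder DBs."""
    return sorted({r[2] for r in cardholder_records(records) if r[2] not in PCI_ADMIN_USERS})


def shared_accounts(records, min_clients=2):
    """'8.5.8 Shared Accounts': one DB user name seen from several client IPs
    suggests the account is shared (unique-ID requirement). Threshold is assumed."""
    clients = defaultdict(set)
    for _server, client_ip, user, _prog, _ok in cardholder_records(records):
        clients[user].add(client_ip)
    return {u: len(ips) for u, ips in clients.items() if len(ips) >= min_clients}


def invalid_login_attempts(records):
    """'PCI - Invalid Login Access Attempts': failed logins per DB user."""
    counts = defaultdict(int)
    for _server, _client, user, _prog, ok in cardholder_records(records):
        if not ok:
            counts[user] += 1
    return dict(counts)
```

Each function returns the rows the corresponding predefined report would list, which is also what an auditor checks when verifying that the groups were populated correctly.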

PCI Req. 11 Ongoing Validation

Click Overview for a discussion of the importance of vulnerability assessment. Click Harden > Assessment Builder to build an assessment process.

PCI Policy Monitoring

Click Overview for an introduction to the policy.

  1. To see your current policy installations, navigate to Setup > Tools and Views > Policy Installation and choose a suitable policy to install.

  2. Policy Violations: records of operations that violated the installed policy.