PCI Compliance Solutions

The Plastic Card Industry (PCI) compliance guide was established for retailers and credit card processors, who are responsible and accountable for the handling, disclosure, and use of consumers' sensitive information. These companies must protect cardholder data, implement strong access control measures, maintain an information security policy, and regularly test and monitor networks. While it does not have the force of federal law, the guide affects millions of businesses across the United States and helps them maintain compliance with state regulations.

The list below illustrates some of the security requirements together with examples of where Blackbird helps automate and enforce PCI compliance.

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

This requires you to segment your network to control who has access to cardholder data and maintain segmentation via regular audits and testing. This may include tracking changes to Group Policy that affect firewall and other security settings and reviewing Windows event logs on a regular basis.

Blackbird provides detailed auditing and fine-grained reporting across all Active Directory, Group Policy and Windows event log entries using a simple, integrated solution.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Change all default passwords. If you don't change the default passwords, then someone can easily get in and undo all your security.

Requirement 3: Protect stored cardholder data.

This requirement spells out the different encryption requirements for storing cardholder data, and also what information can and cannot be stored.

Blackbird enables organizations to track changes to Group Policy and Local policy that can affect security policies of desktops and servers.

Requirement 4: Encrypt transmission of cardholder data across public networks.

This is a best practice with any important data. When transmitting cardholder data, it needs to be encrypted. This can be a VPN, SSL connection, etc.

For Windows desktops and servers this can be set up via Group Policy and monitored using the Blackbird Active Directory Auditor.

Requirement 5: Use and regularly update anti-virus software.

Any machine in scope needs to have anti-virus software installed. Whatever operating system a machine runs, it needs anti-virus safeguards.

Requirement 6: Develop and maintain secure systems and applications.

Configuring and monitoring the secured configuration of network resources is a critical component of PCI.

Blackbird enables organizations to track and instantly rollback changes to Group Policy that can affect security policies of desktops and servers.

Requirement 7: Restrict access to cardholder data by business need-to-know.

Anyone who can access your critical data should have a business need-to-know. This access should also always be logged and audited. By encrypting your data, you can have other administrators log into your machines and manage them without giving them access to secure information.

With Blackbird organizations can report on agency-wide user entitlements and access. All access changes are stored in a centralized auditing database, and automated reports can be sent directly to administrators, security officers, and business data owners on a set schedule.

Requirement 8: Assign a unique ID to each person with computer access.

Each person who accesses cardholder data must have a unique ID. They must also access the data via a dual-factor authentication scheme if accessing remotely or via VPN. You must also have a strong password policy and user creation policy.

Blackbird enables customizable workflows for security teams, so they can automate the creation, review, and approval of entitlements and roles. Additionally, administrators and risk managers can track changes to Group Policy and local policy that can impact password, Kerberos and audit policies.

Requirement 10: Track and monitor all access to network resources and cardholder data.

With PCI 2.0 you must implement audit trails on all Active Directory, Group Policy and file system resources. Logs must be reviewed at least daily, and retained for 3 months online and 1 year in total.

Blackbird's integrated audit and event management solutions automate these audit and reporting activities.

Requirement 11: Regularly test security systems and processes.

Test security and audit controls to make sure they are in place.

Blackbird provides instant insight into important security events including:

  • Reports on who has access to what
  • Reports on how access was granted
  • Reports on successful user logons
  • Reports on successful user logoffs
  • Reports on logon attempts
  • Reports on locked accounts
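As an added illustration (not Blackbird's own code or output), the following Python summarises a constructed set of Windows Security log records into the logon, logoff, logon-attempt and locked-account report categories listed above, flags days with no audit data at all (something the daily log review in Requirement 10 should question), and shows the failed logons that preceded each lockout. Event IDs 4624, 4634, 4625 and 4740 are the standard Windows logon, logoff, failed-logon and lockout events; the records, account names and timestamps are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample records modelled on Windows Security log entries (not real data).
# Event IDs are the standard Windows ones: 4624 logon, 4634 logoff,
# 4625 failed logon, 4740 account locked out.
SAMPLE_EVENTS = [
    {"id": 4624, "time": "2013-03-01T08:02:11", "user": "jsmith"},
    {"id": 4634, "time": "2013-03-01T17:30:45", "user": "jsmith"},
    {"id": 4625, "time": "2013-03-02T03:14:01", "user": "admin"},
    {"id": 4625, "time": "2013-03-02T03:14:09", "user": "admin"},
    {"id": 4740, "time": "2013-03-02T03:14:20", "user": "admin"},
    {"id": 4624, "time": "2013-03-04T09:00:00", "user": "kchen"},
]

# Map event IDs onto the report categories from the list above.
REPORTS = {4624: "successful_logons", 4634: "successful_logoffs",
           4625: "failed_logon_attempts", 4740: "locked_accounts"}

def _ts(event):
    return datetime.fromisoformat(event["time"])

def summarize(events):
    """Count events in each report category; categories with no events read 0."""
    counts = Counter(REPORTS[e["id"]] for e in events if e["id"] in REPORTS)
    return {name: counts.get(name, 0) for name in REPORTS.values()}

def review_gaps(events, max_gap_days=1):
    """Return (from, to) date pairs where consecutive log days are more than
    max_gap_days apart: either nothing happened or collection silently stopped,
    and the daily review should establish which."""
    days = sorted({_ts(e).date() for e in events})
    return [(a.isoformat(), b.isoformat())
            for a, b in zip(days, days[1:]) if (b - a).days > max_gap_days]

def lockout_context(events, window_minutes=10):
    """For every lockout, count the failed logons for that account in the
    preceding window, so the locked-accounts report shows why it happened."""
    out = []
    for lock in (e for e in events if e["id"] == 4740):
        start = _ts(lock) - timedelta(minutes=window_minutes)
        failed = sum(1 for e in events
                     if e["id"] == 4625 and e["user"] == lock["user"]
                     and start <= _ts(e) <= _ts(lock))
        out.append({"user": lock["user"], "time": lock["time"],
                    "failed_logons_before": failed})
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
    print(review_gaps(SAMPLE_EVENTS))
    print(lockout_context(SAMPLE_EVENTS))
```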

Requirement 12: Maintain a policy that addresses information security for employees and contractors.

Examples are a security policy, operational security procedure, usage policies, incident response plan, etc.

The Blackbird auditor tracks all changes to administrator accounts and records activities performed by administrators.