Payment Card Industry Data Security Standard Compliance Planning Guide

Introduction

The Payment Card Industry Data Security Standard Compliance Planning Guide is designed to help organizations meet Payment Card Industry Data Security Standard (PCI DSS) requirements. Specifically, this guide is targeted to merchants that accept payment cards, financial institutions that process payment card transactions, and service providers—third-party companies that provide payment card processing or data storage services. IT solutions for each of these groups must meet all PCI DSS requirements. The guide is intended to augment The Regulatory Compliance Planning Guide, which introduces a framework-based approach to creating IT controls as part of your efforts to comply with multiple regulations and standards. This guide also describes Microsoft products and technology solutions that you can use to implement a series of IT controls to help meet the PCI DSS requirements, as well as any other regulatory obligations your organization may have.

Note   If your organization provides automatic teller machines (ATMs) as part of its service offerings, Microsoft provides architectural and security guidance for the software, systems, and networks that support ATMs. For more information, see the Microsoft Banking Industry Center Downloads page on the MSDN Web site.

This guide does not contain comprehensive information about how to comply with the PCI DSS for every organization. For answers to specific compliance questions that concern your organization, consult your legal counsel or auditor.

The introduction for this guide includes the following sections:

  • Executive Summary. This section provides a broad overview of the PCI DSS requirements and the primary goals of the planning guide. It discusses the knowledge that IT managers need to start addressing their PCI DSS compliance requirements.

  • Who Should Read This Guide? This section describes the audience for this guide, the guide’s purpose and scope, and caveats and disclaimers about the limitations of this guidance.

  • What Is the Payment Card Industry Data Security Standard? This section provides an overview of the PCI DSS and its requirements.

  • Planning for PCI DSS Compliance. This section introduces using a framework to satisfy PCI DSS requirements. This approach includes creating various types of IT controls, how these controls work in combination, and why they are important components that your organization can use to help meet PCI DSS requirements and other regulatory compliance obligations.

  • The PCI DSS Audit Process. This section provides an overview of the PCI DSS audit process used by auditors to assess an organization’s compliance with PCI DSS requirements.

Because this white paper is meant to supplement The Regulatory Compliance Planning Guide, you should reference that guide as well when you plan a complete solution to meet all regulatory requirements applicable to your organization.

Executive Summary

If your organization processes, stores, or transmits payment cardholder information, your business must comply with the Payment Card Industry Data Security Standard (PCI DSS). The requirements defined in this standard, which was developed by the PCI Security Standards Council, are designed to create the minimum acceptable level of security for cardholders who use your organization’s services.

There are three issues that make this situation complex. The first is that complying with PCI DSS requirements can have an impact throughout your organization. It is important to coordinate compliance efforts across departments, and to have an organization-wide PCI DSS compliance strategy. The second complication is that your organization might need to comply with multiple sets of regulations, each of which mandates a separate set of requirements. Not surprisingly, many companies find it difficult to understand how to respond appropriately to these varied regulatory requirements, while using cost-effective processes and procedures to maintain their regulatory compliance. The third complicating issue is that the PCI DSS mentions IT controls only in passing, as do many other regulations, which leaves IT managers to determine exactly what they must do to achieve and maintain regulatory compliance, with little guidance.

The Payment Card Industry Data Security Standard Compliance Planning Guide is for IT managers who are responsible for meeting the PCI DSS obligations of their companies. The intent of this guide is to help IT managers understand how they can begin to address many of the IT control requirements that apply to their organizations, including PCI DSS compliance requirements. To achieve this, the guide provides information about solutions that you can use in this process.

For a broader discussion of how to comply with multiple regulatory standards, see The Regulatory Compliance Planning Guide.

Important   This planning guide does not provide legal advice. The guide only provides factual and technical information about regulatory compliance. Do not rely exclusively on this guide for advice about how to address your regulatory requirements. For specific questions, consult your legal counsel or auditor.

Who Should Read This Guide?

The PCI DSS Compliance Planning Guide is primarily for individuals who are responsible for ensuring that their organizations collect, process, transmit, and store cardholder data securely and reliably, while maintaining cardholder privacy. The audience for this guide includes IT managers who serve their organizations in the following positions:

  • Chief Information Officers (CIOs) who are concerned with the deployment and operation of systems and IT-related processes.

  • Chief Information Security Officers (CISOs) who are concerned with the overall information security program and compliance with information security policies.

  • Chief Financial Officers (CFOs) who are concerned with the overall control environment of their organizations.

  • Chief Privacy Officers (CPOs) who are responsible for the implementation of policies that relate to the management of personal information, including policies that support compliance with privacy and data protection laws.

  • Technical Decision Makers who determine the appropriate technology solutions to solve certain business problems.

  • IT Operations Managers who run the systems and processes that execute the PCI DSS compliance program.

  • IT Security Architects who design the IT control and security systems to provide an appropriate security level to meet the business needs of their organizations.

  • IT Infrastructure Architects who design infrastructures that can support the IT security and controls that IT Security Architects design.

  • Consultants and partners who recommend or implement privacy and security best practices to achieve PCI DSS compliance objectives for their customers.

In addition to this audience, the following individuals also might find this guide valuable:

  • Risk/Compliance Officers who are responsible for the overall risk management of meeting PCI DSS requirements for their organizations.

  • IT Audit Managers who are concerned with auditing IT systems and reducing the workload of internal and external IT auditors.

What Is the Payment Card Industry Data Security Standard?

The Payment Card Industry (PCI) Data Security Standard (DSS) is a set of comprehensive requirements designed to ensure that cardholder credit and debit card information remains secure regardless of how and where it is collected, processed, transmitted, and stored. Developed by the founding members of the PCI Security Standards Council—including American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International—the PCI DSS is meant to encourage international adoption of consistent data security measures.

The PCI DSS addresses its requirements to companies and organizations that handle cardholder data in their daily course of business. Specifically, the PCI DSS sets requirements for financial institutions, merchants, and service providers that handle cardholder data throughout a typical business day. The PCI DSS is made up of a list of requirements for security management, policies, procedures, network architecture, software design, and other measures to protect cardholder data.

PCI DSS version 1.1 is the most recent version of the standard, released in September, 2006. It is organized into a group of six principles and twelve accompanying requirements. Each requirement contains sub-requirements for which you must implement processes, policies, or technology solutions to comply with the requirement. The PCI DSS policies and requirements include:

  • Build and Maintain a Secure Network

    • Requirement 1: Install and maintain a firewall configuration to protect cardholder data.

    • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

  • Protect Cardholder Data

    • Requirement 3: Protect stored cardholder data.

    • Requirement 4: Encrypt transmission of cardholder data across open, public networks.

  • Maintain a Vulnerability Management Program

    • Requirement 5: Use and regularly update anti-virus software.

    • Requirement 6: Develop and maintain secure systems and applications.

  • Implement Strong Access Control Measures

    • Requirement 7: Restrict access to cardholder data to business need-to-know.

    • Requirement 8: Assign a unique ID to each person with computer access.

    • Requirement 9: Restrict physical access to cardholder data.

  • Regularly Monitor and Test Networks

    • Requirement 10: Track and monitor all access to network resources and cardholder data.

    • Requirement 11: Regularly test security systems and processes.

  • Maintain an Information Security Policy

    • Requirement 12: Maintain a policy that addresses information security.

Requirements 9 and 12 do not demand that you implement technology solutions. Requirement 9 instructs you to address the physical security of the locations where cardholder data is stored and processed. This could include implementing building access security, installing and maintaining surveillance equipment, and requiring identity checks for all individuals who work at or visit your facilities. Requirement 12 instructs you to create an information security policy and disseminate it to your employees, vendors, and any other parties within your organization who work with cardholder data.

Planning for PCI DSS Compliance

It is neither efficient nor cost-effective to create your PCI DSS compliance solutions in isolation. There are a number of other regulations that you must consider when you plan your approach to complying with PCI DSS requirements. A sampling of these regulations includes:

  • Sarbanes-Oxley Act (SOX)

  • Gramm-Leach-Bliley Act (GLBA)

  • Health Insurance Portability and Accountability Act (HIPAA)

  • European Union Data Protection Directive (EUDPD)

  • ISO 17799:2005 Code of Practice for Information Security Management (ISO 17799)

Note   If your organization is a multi-national business, you need to make sure that you are compliant with governmental regulations for all locations where you do business. Microsoft suggests you consult legal counsel with knowledge of all regulations for the locations where your organization does business.

For more information about planning compliance efforts for each of these regulations, see The Regulatory Compliance Planning Guide.

The PCI DSS compliance solutions that your organization creates should be developed with full awareness of the following two issues:

  • The currently existing solutions that satisfy other regulatory requirements

  • The best ways to create new solutions that meet all regulatory requirements

To accomplish your compliance goals efficiently and effectively, Microsoft recommends that you use a control framework to help address your organization’s regulatory compliance objectives. Using a control framework enables your organization to map applicable regulations and standards to the framework. Then your organization can more efficiently focus its IT control efforts on addressing the requirements defined in the framework rather than individual regulations.

In addition, as new regulations and standards affect the organization, you can map them to the framework, and then concentrate your efforts on those parts of the framework in which the requirements have changed. Moreover, you can map a wide variety of IT control-related requirements to the framework, including industry-specific requirements such as the Payment Card Industry security requirements, internal policies, and so on.

A framework provides many significant benefits for organizations seeking to achieve their regulatory compliance objectives. The framework-based approach to regulatory compliance allows organizations to:

  • Combine IT controls to meet multiple regulatory standards, such as those from PCI DSS and EUDPD, to avoid separate audits.

  • Address new regulations rapidly as they are introduced.

  • Prioritize spending by choosing IT controls that will achieve the most impact.

  • Avoid duplicating work to meet compliance objectives in different business units within the company.

  • Update current regulations more efficiently through incremental changes to your organization's existing IT controls.

  • Establish a common ground between the IT department and auditors.

You should, of course, review the PCI DSS itself when you begin to plan your compliance efforts. You can download the PCI DSS at https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf. Additionally, the PCI Security Standards Council has created a self-assessment questionnaire that can help your organization determine whether it is in compliance with the PCI DSS. You can also use it to help you plan your organization’s PCI DSS compliance efforts. You can download the PCI DSS Self-Assessment Questionnaire from https://www.pcisecuritystandards.org/pdfs/pci_saq_v1-0.pdf.

For more information on addressing regulatory requirements using IT controls in a control framework, see The Regulatory Compliance Planning Guide.

The PCI DSS Audit Process

The audit process for PCI DSS compliance is generally similar to the process outlined in The Regulatory Compliance Planning Guide. However, there are a few details specific to PCI DSS auditing that you should know about.

PCI DSS audit reviews are performed by two types of third-party organizations, known as Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs). QSAs perform the on-site portions of an audit, while ASVs perform vulnerability scans of your organization’s Internet-facing environments. Businesses that become QSAs and ASVs must be reviewed and approved by the PCI Data Security Council (PCI DSC) once a year.

The QSA is required to prepare a report after auditing your organization, and that report must follow specific guidelines defined by the PCI DSC. These guidelines are contained in a PCI audit procedures document, which you can download from https://www.pcisecuritystandards.org/pdfs/pci_audit_procedures_v1-1.pdf. The guidelines specify how the report that the QSA must file after the audit should be organized. This report includes the contact information for your organization, the date of the audit, an executive summary, a description of the scope of work and the approach the QSA took in auditing your organization, quarterly scan results, and the QSA’s findings and observations. The last section contains the bulk of the information about your organization’s compliance with PCI DSS. In it, the QSA uses a template to report on your organization’s compliance with each of the PCI DSS requirements and sub-requirements.

Before you schedule PCI DSS audits for your organization, or, even better, while you are still planning for PCI DSS compliance, key members of your organization should review the PCI DSS audit procedures. Doing so helps you understand exactly what the QSA will review during your audit.

The ASV must also prepare a report on the results of its vulnerability scans of your organization’s Internet-facing environments. The guidelines for this report are contained in a PCI scanning procedure document, which you can download from https://www.pcisecuritystandards.org/pdfs/pci_scanning_procedures_v1-1.pdf. This document specifies which elements of your organization’s environment the ASV must scan and includes a key that will help you read and interpret the ASV’s report.

As a merchant or service provider, your organization must follow each payment card company’s respective compliance reporting requirements to ensure each payment card company acknowledges your organization’s compliance status. In other words, if your organization is a service provider that handles cardholder data associated with Visa and American Express, you must submit your compliance reports to Visa and American Express.

Each payment card company has slightly different compliance rules and procedures. For more information about specific PCI DSS compliance requirements and the support programs each company offers to enable merchant and service provider compliance, contact the payment card companies for which your organization processes, transmits, or stores cardholder data.

Meeting the PCI DSS Requirements

This section details the Microsoft technology solutions that your organization can consider when it plans for PCI DSS compliance. You should incorporate the solutions that you choose into the everyday workings of your organization. As mentioned in the Planning for PCI DSS Compliance section, your organizational policies, procedures, and technology solutions should take into account regulatory compliance across your entire organization, and you should consider how PCI DSS compliance will affect all parts of your company.

For a detailed discussion of the considerations involved in mapping IT controls to technology solutions, see The Regulatory Compliance Planning Guide.

Document Management

Document management solutions combine software and processes to help you manage unstructured information in your organization. This information might exist in many digital forms, including documents, images, audio and video files, and XML files.

PCI DSS Requirements Met

Implementing document management solutions helps with PCI DSS compliance in two ways. First, using such solutions to manage documents that contain cardholder data can help meet PCI DSS requirements that relate to data access, management, and protection. Specifically, you can use document management solutions to meet requirement 7 and sub-requirement 10.2.1. Second, you can use document management systems to maintain and publish policies such as those required to fulfill Sections 3.6, 6.4, 9.2, and 12.

For full text of each of these requirements, please see The Payment Card Industry Data Security Standard, version 1.1.

Available Technologies

Microsoft offers a number of technologies that you can use together and independently to create IT controls for document management. You should design these controls to meet the PCI DSS requirements, as well as any other regulatory requirements that are applicable to your organization.

  • Microsoft® Windows® Rights Management Services. Windows Rights Management Services (RMS) is a software platform that helps applications safeguard digital information from unauthorized use—both online and offline, and inside and outside of the firewall. RMS is the foundational technology behind the Information Rights Management (IRM) features of Microsoft Office and Windows SharePoint® Services. An RMS server, either deployed in-house or accessed through a hosted service, is required to use these features.

    RMS can augment your organization's security strategy by protecting information through persistent usage policies, which remain with the information no matter where it goes. RMS-enabled applications can be used to manage, control, and audit access to documents containing cardholder information. The RMS client is integrated into the Windows Vista™ operating system. For other versions of Windows, the RMS client is available as a free download.
    For more information, see Windows Rights Management Services at https://www.microsoft.com/rms.

  • Microsoft Office SharePoint Server. SharePoint Server is a collaboration and content management server that allows you to have one integrated platform to support the portal and document management needs of your organization. It allows you to support intranet, extranet, and Web applications across your enterprise, and provides your IT professionals and developers with the platform and tools they need for server administration, application extensibility, and interoperability. SharePoint Server can be used as a central repository for documents containing cardholder data, as well as for documents describing policies and processes. SharePoint Server 2007 is integrated with RMS, so that access control policies can be enforced on all copies of content downloaded from the SharePoint Server 2007. This feature enables site administrators to protect downloads from a document library with IRM. When a user attempts to download a file from the library, Microsoft Windows SharePoint Services verifies that the user has permissions to the given file and issues a license to the user that enables access to the file at the appropriate permissions level. Windows SharePoint Services then downloads the file to the user's computer in an encrypted, rights-managed file format.
    For more information, see the Microsoft SharePoint Products and Technologies Web site at https://go.microsoft.com/fwlink/?linkid=12632.

  • Microsoft Exchange Server. For most businesses today, e-mail is the mission-critical communications tool that employees must use to produce their best results. This greater reliance on e-mail has increased the number of messages sent and received, the amount and variety of work performed by e-mail, and even the speed of business itself. Exchange Server provides a rich messaging platform to manage information exchange in your organization while helping meet PCI DSS compliance objectives. Exchange Server 2007 includes unified messaging, which consolidates e-mail, voice mail, and faxes sent to a user into a single inbox. It also offers features that enable your organization to apply retention rules, scan and act on messages in transport, flexibly journal, and perform rich text searches across all deployed mailboxes.
    For more information, please see the Microsoft Exchange Server web site at https://www.microsoft.com/exchange/default.mspx.

  • Microsoft Office. Office is the premier suite of productivity applications for enterprises. The IRM feature of Microsoft Office helps organizations control access to sensitive information such as cardholder data.

    Specifically, the Office IRM feature helps your organization by:

    • Preventing an authorized recipient of protected information from forwarding, copying, modifying, printing, faxing, or cutting and pasting the information for unauthorized use.

    • Preventing protected information from being copied with the Windows Print Screen function.

    • Providing information with the same level of protection wherever it goes. This is referred to as persistent protection.

    • Providing the same level of protection to e-mail attachments, as long as the attachments are files created with other Office programs, such as Microsoft Excel® or Microsoft Word.

    • Protecting information in e-mail messages or documents that have been set to expire, so that the information can no longer be viewed after a specified period of time.

    • Enforcing corporate policies that govern the use and dissemination of information within and outside the company.

For more information, please see the Microsoft Office Web site at https://office.microsoft.com/en-us/default.aspx.

Risk Assessment

Risk assessment is the process by which your organization identifies and prioritizes risks to your business. Typically, you use a systematic method to identify the assets of an information-processing system, the threats to those assets, and the vulnerability of the system to those threats. In the context of regulatory compliance, risk assessment is the process of assessing the level of compliance and compliance inadequacies within your organization. When planning for PCI DSS compliance, your primary concern will be to identify risks to cardholder data and prioritize those threats.

PCI DSS Requirements Met

Risk assessment can help you meet PCI DSS requirements in a number of ways. It allows you to identify the areas in your network that need to be upgraded to come into compliance. Even after you have obtained initial compliance, risk assessment is important in determining whether your organization is staying in compliance over time. Because you can use risk assessment to address a number of potential issues, it can help you come into compliance with many of the PCI DSS requirements, including requirements 1, 3, 4, 5, 6, 7, 8, and 11.

For full text of each of these requirements, please see The Payment Card Industry Data Security Standard, version 1.1.

Available Technologies

Microsoft offers a number of technologies that you can use together and independently to create IT controls for risk assessment. You should design these controls to meet the PCI DSS requirements, as well as any other regulatory requirements that are applicable to your organization.

  • Microsoft Baseline Security Analyzer (MBSA). One of the primary tools you can use to assess risk to cardholder data in your organization is MBSA. MBSA is an easy-to-use tool that identifies common security misconfigurations in a number of Microsoft products, including Microsoft Windows operating systems, Internet Information Services (IIS), SQL Server™, Microsoft Internet Explorer®, and Microsoft Office. MBSA also scans for any missing security updates, update rollups, and service packs published to Microsoft Update. You can run MBSA from the command prompt or in its GUI, and you can use it with Microsoft Update and Microsoft Windows Server® Update Services. Since keeping your systems current is a very important way to make cardholder data as secure as possible, MBSA can be an invaluable tool in assessing data risk in your organization.

    For more information about MBSA, see Microsoft Baseline Security Analyzer at https://www.microsoft.com/technet/security/tools/mbsahome.mspx.

  • Microsoft Systems Management Server. If your organization uses Microsoft Systems Management Server (SMS) to manage client computers and servers, you may already have some of the tools you need to perform risk assessment for cardholder data. With SMS, your organization can remotely manage security settings on computers running Windows operating systems over distributed networks. You can inventory whether computers on your network have installed required software updates and track the progress of update rollouts to those computers. SMS also enables you to generate reports that identify your full hardware and software inventory, the configuration details and status for computers on your network, and the status of software deployments and deployment errors. These SMS features can be very important in assessing risk to cardholder data within your organization.

    For more information on SMS, see the Microsoft Systems Management Server home page at https://www.microsoft.com/smserver/default.mspx.

  • Microsoft System Center Operations Manager Audit Collection. Operations Manager 2007 can securely and efficiently extract and collect security logs from Windows operating systems and store them for later analysis and reporting. The extracted logs are stored in a separate Audit Collection database. Operations Manager will ship with reports that can be used for the Audit Collection data. Audit Collection can be used to produce various compliance reports, such as supporting Sarbanes-Oxley audits. Audit Collection can also be used for security analysis, such as intrusion detection and unauthorized access attempts.

    For more information, see Audit Collection Services at https://technet.microsoft.com/en-us/library/bb381258.aspx.

  • Windows Server Update Services. Windows Server Update Services with Service Pack 1 enables your organization to deploy many of the latest Microsoft product updates published to the Microsoft Update site. Windows Server Update Services is an update component of Windows Server and offers an effective and quick way to help keep systems up to date. WSUS provides a risk assessment infrastructure consisting of the following:

    • Microsoft Update. The Microsoft Web site to which WSUS components connect for updates of Microsoft products.

    • Windows Server Update Services server. The server component that is installed on a computer running a Microsoft Windows 2000 Server with Service Pack 4 (SP4) or Windows Server 2003 operating system inside the corporate firewall. Windows Server Update Services server provides the features that administrators need to manage and distribute updates through a Web-based tool, which can be accessed from Internet Explorer on any Windows computer in the corporate network. In addition, a Windows Server Update Services server can be the update source for other Windows Server Update Services servers.

    • Automatic Updates. The client computer component built into Microsoft Windows Vista, Windows Server 2003, Windows XP, and Windows 2000 with Service Pack 3 operating systems. Automatic Updates enables both server and client computers to receive updates from Microsoft Update or from a server running Windows Server Update Services.

    These services enable you to provide all host environments on your network with the latest security fixes from Microsoft for the products installed on the given host.

    For more information, see the Windows Server Update Services home page at https://www.microsoft.com/windowsserversystem/updateservices/default.mspx.

  • Group Policy. Group Policy is an infrastructure that enables your IT professionals to implement specific configurations for users and computers. Group Policy settings are contained in Group Policy objects (GPOs), which are linked to the following Microsoft Active Directory® directory service containers: sites, domains, or organizational units (OUs). You can centrally manage computers across a distributed network using Group Policy. Because your administrators can use Group Policy to distribute software across a site, domain, or range of organizational units, it can be an important tool for determining the risks posed to your organization’s IT environment.

    You can use the Microsoft Group Policy Management Console (GPMC) to manage Group Policy settings. GPMC is designed to simplify the management of Group Policy by providing a single place for managing core aspects of Group Policy. GPMC addresses the top Group Policy deployment requirements, as requested by customers, by providing:

    • A user interface (UI) that makes Group Policy much easier to use.

    • The ability to back up and restore GPOs.

    • The ability to import, export, copy, and paste GPOs and Windows Management Instrumentation (WMI) filters.

    • A simplified way to manage Group Policy-related security.

    • The ability to generate HTML reports for GPO settings and Resultant Set of Policy (RSoP) data.

    • The ability to script GPO operations that are exposed by the GPMC—but not the ability to script settings within a GPO.

    For more information, see Windows Server 2003 Group Policy at https://technet2.microsoft.com/windowsserver/en/technologies/featured/gp/default.mspx and Introducing the Group Policy Management Console at https://www.microsoft.com/windowsserver2003/gpmc/gpmcintro.mspx.
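The following PowerShell script is an added example, not code from this guide or from Microsoft, showing how the GPMC scripting interfaces described above can be used to produce risk-assessment and change-tracking evidence: it enumerates every GPO in a domain, backs each one up, writes an HTML settings report per GPO, and records an inventory you can compare between runs. The domain name and output folder are placeholders you must replace, and the script assumes GPMC is installed on the computer where it runs and that the account running it can read Group Policy.

```powershell
# Added example (not from the guide): inventory, back up, and report on every GPO
# in a domain through the GPMC COM automation object (GPMgmt.GPM).
# Assumptions: GPMC is installed locally; the account can read Group Policy;
# $DomainName and $OutputRoot are placeholders for your own environment.
param(
    [string]$DomainName = "contoso.example",   # placeholder domain name
    [string]$OutputRoot = "C:\GPO-Evidence"    # placeholder evidence folder
)

$stamp     = Get-Date -Format "yyyy-MM-dd_HHmm"
$backupDir = Join-Path $OutputRoot "Backups\$stamp"
$reportDir = Join-Path $OutputRoot "Reports\$stamp"
foreach ($dir in $backupDir, $reportDir) {
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
}

# GPMgmt.GPM is the COM object GPMC exposes for scripting GPO operations
$gpm       = New-Object -ComObject GPMgmt.GPM
$constants = $gpm.GetConstants()
$domain    = $gpm.GetDomain($DomainName, "", $constants.UseAnyDC)

# An empty search criteria object matches every GPO in the domain
$criteria = $gpm.CreateSearchCriteria()
$gpos     = $domain.SearchGPOs($criteria)

$inventory = foreach ($gpo in $gpos) {
    # Back up the GPO; OverallStatus() throws if the operation reported errors
    $backup = $gpo.Backup($backupDir, "Compliance evidence $stamp")
    $backup.OverallStatus()

    # Human-readable settings report for auditors and change review
    $reportPath = Join-Path $reportDir ("{0}.html" -f $gpo.ID)
    $report = $gpo.GenerateReportToFile($constants.ReportHTML, $reportPath)
    $report.OverallStatus()

    [pscustomobject]@{
        DisplayName  = $gpo.DisplayName
        Id           = $gpo.ID
        LastModified = $gpo.ModificationTime
        Report       = $reportPath
    }
}

# The inventory file is the change-tracking artifact: diff it against the previous run
# to spot GPOs that were added, removed, or modified since the last assessment.
$inventoryPath = Join-Path $OutputRoot "gpo-inventory_$stamp.csv"
$inventory | Export-Csv -Path $inventoryPath -NoTypeInformation
$inventory | Format-Table -AutoSize
```

Run the script on a schedule and keep the output folders with your other compliance evidence; the backups support the restore capability listed above, the HTML reports give auditors the settings in each GPO without console access, and comparing successive inventory files shows which policy objects changed and when.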

Change Management

Change management is a structured process by which your organization assesses changes to a project plan, an IT infrastructure, software deployments, or other processes or procedures in your organization. A change management system can help you define a change, evaluate the impact of the change, determine what actions are required to implement the change, and disseminate information about the change across your organization. It can also help you track the changes you make across your organization. This allows you to keep your IT environment under control as you make changes to it.

For example, an organization's change management system could include a database that helps personnel make better decisions about future changes, based on the recorded success or failure of similar changes that were tried in the past. Change management is also a structured process that communicates the existence and status of changes to all affected parties. The process can yield an inventory that records what actions were taken, when they were taken, and how they affected the status of key resources, which helps you predict and eliminate problems and simplifies resource management.

PCI DSS Requirements Met

Change management is as critical to PCI DSS compliance as it is to any other regulatory compliance effort. If your organization does not know what changes it has made to its IT environment, it is difficult to claim with any certainty that the environment is secure. Tracking changes in your network, systems, policies, and procedures helps you to meet PCI DSS requirements 6 and 11.

For full text of each of these requirements, please see The Payment Card Industry Data Security Standard, version 1.1.

Available Technologies

Microsoft offers multiple technologies for you to consider when designing your change management solutions.

  • Microsoft Office SharePoint Server. In addition to being a technology option for your document management solutions, Microsoft Office SharePoint Server can also be a key element in the change management system for your organization. You can use its version tracking capabilities to monitor changes in policy and process documents, updates and other changes to applications, and changes in approved software over time.

    For more information, see the Document Management section and the Microsoft SharePoint Products and Technologies Web site at https://go.microsoft.com/fwlink/?linkid=12632.

  • Microsoft Systems Management Server. Not only can you use SMS to manage risk assessment for your organization, you can also use its management features to track changes in computer systems across your organization. It tracks security setting changes as well as the applications installed on servers and client computers across the network. You can also use the reporting functionality built in to SMS to review the changes that have been made to computers in your organization and to check whether those changes meet the security requirements you have established.

    For more information about SMS, see the Microsoft Systems Management Server home page at https://www.microsoft.com/smserver/default.mspx.

  • Microsoft SMS 2003 Desired Configuration Monitoring 2.0. You can augment your SMS operations with the SMS 2003 Desired Configuration Monitoring (DCM) feature. You can use DCM to automate the configuration management audits between desired or defined configuration settings and actual configuration settings. DCM accomplishes this by allowing the user to define desired hardware, operating system, and application configuration settings in multiple configuration data sources. Then, using the supplied auditing engine, DCM compares desired settings with actual settings and reports configuration compliance.

    DCM can help you to reduce unplanned service downtime, correlate configuration data, and reduce support costs. It provides you with an easy-to-use XML editing tool and guidance for defining hardware and software Configuration Items. DCM also provides detailed compliance reports to assist with detection and remediation of configuration errors.

  • Microsoft Desktop Optimization Pack for Software Assurance. The Microsoft Desktop Optimization Pack for Software Assurance is a subscription service that reduces application deployment costs, enables delivery of applications as services, and provides better management and control of enterprise desktop environments. The desktop optimization pack allows you to enhance change management processes and rollbacks through:

    • Improved group policy management.

    • Reduced downtime.

    • On-demand access to applications for approved users.

    Microsoft Desktop Optimization Pack is available only to customers with Software Assurance coverage on their desktops. For more information, see Optimizing the Windows Desktop at https://www.microsoft.com/windows/products/windowsvista/buyorupgrade/optimizeddesktop.mspx.

Network Security

Network security solutions constitute a broad solution category designed to address the security of all aspects of the network for the organization, including firewalls, servers, clients, routers, switches, and access points. Planning for and monitoring the security of your organization’s networks is a key element of gaining PCI DSS compliance. While there are a wide variety of solutions available to address network security, your organization should already have many of the elements of a secure network in place as a matter of course. It is likely more efficient and cost-effective to build from the network security solutions you have already implemented than to begin anew.

However, you may consider a change in some technologies that your organization uses, or you may want to implement new solutions that you have not already included in your network security strategy. Microsoft offers several technology solutions and guidance materials for implementing network security solutions that meet the needs of your organization.

PCI DSS Requirements Met

The Payment Card Industry Data Security Standard is explicit that you must establish secure networks throughout your organization to come into compliance. Its first group of requirements, Build and Maintain a Secure Network, comprises Requirement 1, which states that organizations must install and maintain a firewall configuration to protect cardholder data, and Requirement 2, which states that organizations must not use vendor-supplied defaults for system passwords and other security parameters. Network security solutions also help your organization meet Requirements 4 and 10, which mandate that you encrypt transmission of cardholder data across open, public networks and that you track and monitor all access to network resources and cardholder data, respectively.

For full text of each of these requirements, please see The Payment Card Industry Data Security Standard, version 1.1.

Available Technologies

Microsoft offers a number of technologies for you to choose from to help meet these network security requirements.

  • Microsoft Windows Firewall. Windows XP Service Pack 2 (SP2) includes the Windows Firewall, which replaced the Internet Connection Firewall (ICF). Windows Firewall is a stateful host-based firewall: it drops unsolicited incoming traffic unless that traffic is a response to a request the computer itself sent (solicited traffic) or has been explicitly allowed by an exception (excepted traffic). Windows Firewall therefore provides a level of protection from malicious users and programs that rely on unsolicited incoming traffic to attack computers on a network. These features have been enhanced in Windows Firewall with Advanced Security on Windows Vista and Windows Server "Longhorn".

    Windows Firewall with Advanced Security allows you to block incoming and outgoing connections based on settings that you configure through a Microsoft Management Console (MMC) snap-in. This snap-in not only provides an interface for configuring Windows Firewall locally, but also for configuring Windows Firewall on remote computers and by using Group Policy. Firewall functions are now integrated with Internet Protocol security (IPsec) protection settings, reducing the possibility of conflict between the two protection mechanisms. Windows Firewall with Advanced Security supports separate profiles for when computers are domain-joined or connected to a private or public network. It also supports the creation of rules for enforcing server and domain isolation policies. Windows Firewall with Advanced Security supports more granular rules, including Microsoft Active Directory users and groups, source and destination Internet Protocol (IP) addresses, TCP or UDP port number, ICMP settings, IPsec settings, specific types of interfaces, services, and more. Because rules delivered through Group Policy are merged with any local rules, verify the effective rule set on the host itself rather than assuming the GPO alone describes it.

    For more information, see Windows Firewall at https://www.microsoft.com/technet/network/wf/default.mspx.  

  • Microsoft Internet Security and Acceleration Server. Microsoft Internet Security and Acceleration (ISA) Server can help you secure your network in several ways. First, you can use it to allow users to remotely access corporate applications over the Internet. To accomplish this, you can configure ISA Server to pre-authenticate incoming user requests, inspect all traffic at the application layer (including SSL traffic, provided ISA Server terminates the SSL session itself, known as SSL bridging), and provide automated publishing tools. Second, if your organization includes branch offices, ISA Server allows you to use HTTP compression, content caching, and virtual private network (VPN) capabilities to make expanding your network easier and more secure. Third, with ISA Server you can protect your network from both internal and external Internet-based threats. It accomplishes this through its proxy-firewall architecture, content inspection capabilities, granular policy settings, and comprehensive alerting and monitoring capabilities.

    For more information, see Microsoft Internet Security and Acceleration Server at https://www.microsoft.com/isaserver/default.mspx.

  • Server and Domain Isolation Using Internet Protocol security (IPsec) and Active Directory Group Policy. Server and Domain Isolation creates a layer of end-to-end protection that can greatly reduce the risk of costly malicious attacks and unauthorized access to your networked resources. Based on Windows IPsec and Active Directory Group Policy, this solution enables you to dynamically segment your Windows environment into more secure and isolated logical networks. There are different ways to create an isolated network, offering you the flexibility to logically isolate an entire managed domain or to create more secure virtual networks of specific servers, sensitive data, and clients, thus limiting access to only authenticated and authorized users, or requiring that specific servers or networks protect all data using encryption. By requiring data encryption for the traffic exchanged between specific network hosts or network subnets, you can satisfy business partner and regulatory requirements to encrypt data when it traverses a network. Note that isolation depends on every participating host being domain-joined and on explicit exemptions for the infrastructure hosts (domain controllers, DNS, DHCP) that must be reachable before Kerberos authentication can succeed; plan those exemptions deliberately so they do not become unmanaged gaps.

    For more information, see the Server and Domain Isolation home page on the Microsoft TechNet site at https://www.microsoft.com/technet/network/sdiso/default.mspx.
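    The following is an added example, not code from this guide or from Microsoft, that puts the two preceding items together on a single host: a Windows Firewall with Advanced Security configuration for a cardholder database server with a block-inbound default, allow rules scoped by source address, port, and profile, and a connection security rule that requires Kerberos computer authentication and ESP encryption, which is server isolation as described above. The address ranges, port, rule names, and log size are assumptions. The commands are netsh advfirewall calls issued from an elevated PowerShell prompt on the database server (Windows Vista or Windows Server 2008 and later); netsh rejects a malformed rule rather than applying part of it, so run and check each step.

```powershell
# Added example, not Microsoft's code. Assumed topology: application tier 10.0.1.0/24
# opens SQL connections to this database server; 10.0.9.5 is the administrative workstation.
$AppTier  = '10.0.1.0/24'
$MgmtHost = '10.0.9.5'
$DbPort   = 1433

# 1. Stateful default posture on every profile: drop unsolicited inbound, allow outbound.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# 2. Log dropped packets; the log is evidence for the Requirement 10 audit trail.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging maxfilesize 16384

# 3. Scoped exceptions: only the app tier may reach the SQL port, only on the domain
#    profile, and only over an IPsec-authenticated, encrypted connection (security=authenc).
netsh advfirewall firewall add rule name="CDE SQL from app tier" dir=in action=allow `
    protocol=TCP localport=$DbPort remoteip=$AppTier profile=domain security=authenc
netsh advfirewall firewall add rule name="CDE RDP from mgmt host" dir=in action=allow `
    protocol=TCP localport=3389 remoteip=$MgmtHost profile=domain security=authenc

# 4. Server isolation: inbound connections must authenticate the peer computer with
#    Kerberos and use ESP with AES-256. Outbound requests IPsec but falls back to clear
#    so that traffic to domain controllers and DNS, which bootstrap Kerberos, keeps working.
netsh advfirewall consec add rule name="CDE require computer auth and encryption" `
    endpoint1=any endpoint2=any action=requireinrequestout auth1=computerkerb `
    qmsecmethods=esp:sha1-aes256 profile=domain

# 5. Verify what is actually in force, not what was intended.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=all dir=in
netsh advfirewall consec show rule name=all
```

    The hosts in the application tier need a matching connection security rule of their own (request in, request out is enough) or their connection attempts will never negotiate IPsec and will be dropped by rule 3. A host that is not a domain member cannot obtain the Kerberos ticket and so cannot reach the SQL port at all, which is the isolation property the section describes.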

  • Windows Server 2003 Security Configuration Wizard. The Security Configuration Wizard can help you secure your network by reducing the attack surface on your servers running Windows Server 2003, Service Pack 1. The Security Configuration Wizard determines the minimum functionality required for a server's roles and disables functionality that is not required. Specifically, the Security Configuration Wizard:

    • Disables unneeded services.

    • Blocks unused ports.

    • Allows further address or security restrictions for ports that are left open.

    • Prohibits unnecessary IIS Web extensions, if applicable.

    • Reduces protocol exposure for Server Message Block (SMB), LAN Manager (LanMan), and Lightweight Directory Access Protocol (LDAP).

    • Defines a high signal-to-noise audit policy.

    The Security Configuration Wizard can guide your IT professionals through the process of creating, editing, applying, or rolling back a security policy based on the selected roles of the server. The security policies that are created with SCW are XML files that, when applied, configure services, network security, specific registry values, audit policy, and IIS, if applicable.

    For more information, see Security Configuration Wizard for Windows Server 2003 at https://www.microsoft.com/windowsserver2003/technologies/security/configwiz/defaul.mspx.

  • Remote Desktop Connection Using Server Authentication. Remote Desktop Connections are a powerful way to allow users to access shared client computers and servers. This technology can be a cost-effective way to create shared development and testing computers. Additionally, you can use these computers as central access points for many types of projects, and you can allow users from outside your network to access these computers, thereby isolating the risks they pose to network security. Additionally, the Remote Desktop Connection 6.0 client update enables your IT professionals to configure server authentication. With server authentication, you can prevent users from connecting to a different computer or server than they intended and potentially exposing confidential information. Microsoft introduced this feature in Windows Vista and in Windows Server “Longhorn”. The Remote Desktop Connection 6.0 client can be used by computers running Windows Server 2003 with Service Pack 1 or Windows XP with Service Pack 2 (SP2).  The client can be used to connect to legacy terminal servers or to remote desktops as before, but server authentication only occurs when the remote computer is running Windows Vista or Windows Server “Longhorn”.

    For more information, see Remote Desktop Connection 6.0 Client Update Available for Download from the Microsoft Download Center at https://support.microsoft.com/kb/925876.

  • Wi-Fi Protected Access 2. If your organization uses a wireless network, you should consider upgrading to wireless routers, access points, and other devices that support the Wi-Fi Protected Access 2 (WPA2) product certification. WPA2 is a product certification available through the Wi-Fi Alliance that certifies wireless equipment as compatible with the IEEE 802.11i standard. The goal of WPA2 certification is to support the additional mandatory security features of the IEEE 802.11i standard that are not already included in products that support WPA. For example, WPA2 requires support for AES-based (CCMP) encryption in addition to TKIP; on a wireless network that carries cardholder data, configure AES and leave TKIP enabled only where legacy WPA-only clients must be supported. WPA2 is available in two different modes:

    • WPA2-Enterprise uses IEEE 802.1X authentication, so each user or device authenticates individually against a RADIUS server, and is designed for medium and large infrastructure mode networks.

    • WPA2-Personal uses a pre-shared key (PSK) for authentication and is designed for small office/home office (SOHO) infrastructure mode networks. Because every device shares the same key, a weak or leaked PSK exposes the whole network, which is why WPA2-Enterprise is the appropriate choice wherever cardholder data traverses a wireless link.

    WPA2 is supported on Windows XP Service Pack 2 (with the WPA2 wireless client update installed), Windows Vista, and Windows Server "Longhorn". For more information, see Wireless LAN Technologies and Microsoft Windows at https://www.microsoft.com/technet/prodtechnol/winxppro/evaluate/wrlsxp.mspx, and Wi-Fi Protected Access 2 (WPA2) Overview at https://www.microsoft.com/technet/community/columns/cableguy/cg0505.mspx.

  • Network Access Protection. Network Access Protection (NAP) is a platform for Windows Server "Longhorn" and Windows Vista. It provides policy enforcement components that help ensure that computers connecting to a network or communicating on a network meet administrator-defined requirements for system health. Your organization can use a combination of policy validation and network access limitation components to control network access or communication. You can also choose to temporarily limit the access of computers that do not meet requirements to a restricted network. Depending on the configuration you choose, the restricted network might contain the resources required to update the computers so that they then meet the health requirements for unlimited network access and normal communication. NAP includes an application programming interface (API) set for developers and vendors to create complete solutions for health policy validation, network access limitation, and ongoing health compliance. NAP provides limited access enforcement components for IPsec, IEEE 802.1X authenticated network connections, VPNs, and Dynamic Host Configuration Protocol (DHCP). You can use these technologies together or separately. Of these, the DHCP enforcement method is the weakest, because a client that assigns itself a static address bypasses it; IPsec or 802.1X enforcement is the better fit for a network segment that carries cardholder data. With these capabilities, NAP can be a powerful tool to help you ensure the health and security of your network.

    For more information, see Network Access Protection at https://www.microsoft.com/technet/network/nap/default.mspx.

  • Microsoft Virtual Server. Microsoft Virtual Server 2005 R2 provides a virtualization platform that runs most major x86 operating systems in a guest environment. It is supported by Microsoft as a host for Windows Server operating systems and Windows Server System applications. Its integration with a wide variety of existing Microsoft and third-party management tools allows administrators to manage a Virtual Server 2005 R2 environment with their existing physical server management tools. Because Microsoft Virtual Server allows your organization to run multiple operating systems on one computer, it can help you meet PCI DSS requirement 2.2.1, which mandates that your organization implement only one primary function per server. For example, you can use Virtual Server to deploy a virtual Web server, a virtual database server, and a virtual file server on the same computer. Keep in mind that the virtualization host then sits inside the cardholder data environment: it must be hardened, patched, and monitored like any other in-scope system, because an administrator of the host can reach every guest it runs.

    Microsoft Virtual Server is available as a free download from Microsoft. For more information, see Microsoft Virtual Server at https://www.microsoft.com/windowsserversystem/virtualserver/default.mspx.  

Host Control

Host control solutions control the operating systems in servers and workstations. Host control solutions also include implementing security best practices at all levels of the operating system in each host, maintaining the most current updates and hotfixes, and using secure methods for daily operations.

PCI DSS Requirements Met

Host control solutions can help you meet PCI DSS requirements by keeping operating systems current and securely configured. Specifically, host control can help you comply with PCI DSS requirements 6 and 11.

For full text of each of these requirements, please see The Payment Card Industry Data Security Standard, version 1.1.

Available Technologies

Microsoft offers a number of technologies that you can use together and independently to create host control solutions. As with other technology solutions, you should design these solutions to meet the PCI DSS requirements, as well as any other regulatory requirements that are applicable to your organization.

  • Microsoft Baseline Security Analyzer (MBSA). One of the primary tools you can use to assess risk to cardholder data in your organization is MBSA. MBSA is an easy-to-use tool that identifies common security misconfigurations in a number of Microsoft products, including the Windows operating system, Internet Information Services, SQL Server, Internet Explorer, and Microsoft Office. MBSA also scans for any missing security updates, update rollups, and service packs published to Microsoft Update. You can run MBSA from the command prompt or from a GUI, and you can use it with Microsoft Update and Windows Server Update Services. Since keeping your systems updated is a very important way to make cardholder data as secure as possible, MBSA can be an invaluable tool in assessing data risk in your organization.

    For more information, see Microsoft Baseline Security Analyzer at https://www.microsoft.com/technet/security/tools/mbsahome.mspx.

  • Microsoft Windows Server Update Services. Microsoft Windows Server Update Services (WSUS) with Service Pack 1 enables your organization to deploy many of the latest Microsoft product updates published to the Microsoft Update site. WSUS is an update component of Windows Server that offers an effective and quick way to help keep systems updated. WSUS provides a management infrastructure consisting of the following:

    • Microsoft Update. The Microsoft Web site to which WSUS components connect for updates of Microsoft products.

    • Windows Server Update Services server.  The server component that is installed on a computer running a Microsoft Windows 2000 Server with Service Pack 4 (SP4) or Windows Server 2003 operating system inside the corporate firewall. WSUS server provides the features that administrators need to manage and distribute updates through a Web-based tool, which can be accessed from Internet Explorer on any Windows computer in the corporate network. In addition, a WSUS server can be the update source for other WSUS servers.

    • Automatic Updates. The client computer component built into Windows Vista, Windows Server 2003, Windows XP, and Windows 2000 with SP3 operating systems. With Automatic Updates, both server and client computers can receive updates from Microsoft Update or from a server running WSUS.

    These services help you to keep all host environments on your network updated with the latest security fixes from Microsoft for the products installed on a specific host.  

    For more information, see the Windows Server Update Services home page at https://www.microsoft.com/windowsserversystem/updateservices/default.mspx.
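    The following is an added example, not code from this guide or from Microsoft, of the check a practitioner wants behind the WSUS architecture described above: confirm that a host is really taking its updates from the approved WSUS server (the values the WSUS Group Policy settings write under the Windows Update policy key) and then list the updates it has not yet installed, using the Windows Update Agent COM API that the Automatic Updates client (and MBSA) rely on. The WSUS URL is an assumption; the script needs PowerShell 3.0 or later and administrative rights on the host.

```powershell
# Added example, not Microsoft's code. Assumed: the approved WSUS server is reachable at
# the URL below; run on the host being checked, with administrative rights.
$ExpectedWsus = 'http://wsus.corp.example:8530'   # assumed internal WSUS server

function Get-WsusClientPolicy {
    # These values are what the WSUS Group Policy settings write. Missing values mean the
    # host is pulling directly from Microsoft Update, outside your approval workflow.
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au  = Join-Path $pol 'AU'
    $p = Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue
    $a = Get-ItemProperty -Path $au  -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer       = $p.WUServer
        WUStatusServer = $p.WUStatusServer
        UseWUServer    = $a.UseWUServer     # 1 = use the WSUS server named in WUServer
        AUOptions      = $a.AUOptions       # 4 = auto download and schedule the install
    }
}

function Get-MissingUpdates {
    # Windows Update Agent search; on a WSUS-managed host this asks the WSUS server,
    # so the answer reflects what you have approved, not everything Microsoft has published.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Title    = $u.Title
            Severity = $u.MsrcSeverity   # Critical, Important, Moderate, Low; blank if not a security update
            KBs      = (@($u.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
        }
    }
}

$policy = Get-WsusClientPolicy
if ($policy.UseWUServer -ne 1 -or $policy.WUServer -ne $ExpectedWsus) {
    Write-Warning "Not using the approved WSUS server. WUServer='$($policy.WUServer)' UseWUServer=$($policy.UseWUServer)"
}

$missing  = @(Get-MissingUpdates)
$critical = @($missing | Where-Object { $_.Severity -in 'Critical', 'Important' })
"{0} update(s) not installed, {1} rated Critical or Important" -f $missing.Count, $critical.Count
$critical | Sort-Object Severity | Format-Table -AutoSize
```

    A host that reports zero missing updates against WSUS is only as current as the approvals on that WSUS server; pair this check with the WSUS console's own report of unapproved security updates, or run the same search against Microsoft Update from an unmanaged test host, to find updates you have not yet approved.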

  • Microsoft Systems Management Server. If your organization uses SMS to manage client computers and servers, you may already have some of the tools you need to perform risk assessment for cardholder data. With SMS, your organization can remotely manage security settings on computers running Windows operating systems over distributed networks. You can inventory whether computers on your network have installed required software updates and track the progress of update rollouts to those computers. SMS also enables you to generate reports that identify your full hardware and software inventory, the configuration details and status for computers on your network, and the status of software deployments and deployment errors. These SMS features can be very important in assessing risk to cardholder data within your organization.

    For more information on SMS, see the Microsoft Systems Management Server home page at https://www.microsoft.com/smserver/default.mspx.

  • Microsoft Desktop Optimization Pack for Software Assurance. The Microsoft Desktop Optimization Pack for Software Assurance is a subscription service that reduces application deployment costs, enables delivery of applications as services, and provides better management and control of enterprise desktop environments. The desktop optimization pack is an effective host control solution that enables you to:

    • Streamline and accelerate the application management lifecycle from planning and predictable deployment, to using, maintaining, and migrating software.

    • Enhance the management of your organization’s software assets.

    • Accelerate and simplify desktop deployments and migrations.

    Microsoft Desktop Optimization Pack is available only to customers with Software Assurance coverage on their desktops. For more information, see Optimizing the Windows Desktop at https://www.microsoft.com/windows/products/windowsvista/buyorupgrade/optimizeddesktop.mspx.

For links to specific host security guidelines and procedures for many Microsoft products, see the Host Control section of The Regulatory Compliance Planning Guide.

Malicious Software Prevention

Malicious software prevention solutions are key elements in keeping cardholder data secure across your network. By preventing spam and keeping systems on the network free of viruses and spyware, these solutions help ensure that systems across your network work as intended and that sensitive data is not transmitted unintentionally to unauthorized parties.

PCI DSS Requirements Met

The malicious software prevention solutions that you choose can help you meet PCI DSS requirements 5 and 6.

For full text of each of these requirements, please see The Payment Card Industry Data Security Standard, version 1.1.

Available Technologies

Microsoft offers a number of technologies that you can use together and independently for malicious software prevention. You should consider these technologies in the context of your larger PCI DSS compliance efforts, as well as any broader regulatory requirements for your organization.

  • Microsoft Forefront™. Forefront is a suite of line-of-business security products that provide protection for client operating systems, application servers, and the network edge. You can use Forefront with your existing IT infrastructure to protect your servers and client computers from malware and other malicious attacks that originate inside or outside of your organization.

    In particular, Forefront Client Security provides protection from malicious software for clients across your organization. There are two parts to the Forefront Client Security solution. The first is the Security Agent, installed on business desktops, laptops, and server operating systems, which provides real-time protection from and scheduled scanning for threats such as spyware, viruses, and rootkits. The second is the central management server, which enables administrators to manage and update preconfigured or customized malware protection agents and to generate reports and alerts about the security status of their environment.

    For more information, see Microsoft Forefront at https://www.microsoft.com/forefront/default.mspx.

  • Malicious Software Removal Tool. The Microsoft Windows Malicious Software Removal Tool checks computers running Windows XP, Windows 2000, and Windows Server 2003 for infections by specific, prevalent malicious software and helps remove any infection found. When the detection and removal process is complete, the tool displays a report describing the outcome, including which, if any, malicious software was detected and removed. Microsoft releases an updated version of this tool on the second Tuesday of each month, and as needed to respond to security incidents.

    For more information, see Malicious Software Removal Tool at https://www.microsoft.com/security/malwareremove/default.mspx.

    Note   Windows Defender and the Malicious Software Removal Tool can also help you discover whether a malicious program uses a rootkit. Rootkits are mechanisms that malicious software creators use to hide their presence from spyware blockers as well as antivirus and system management utilities. For more information about rootkits and how to detect them, see https://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx.   

  • Third-Party Filters with Microsoft ISA Server. In addition to providing network security solutions, ISA Server can help protect your organization from malware attacks. You can do this by using custom or third-party filters that remove malware before it reaches your corporate network.

    For more information, see Microsoft Internet Security and Acceleration Server at https://www.microsoft.com/isaserver/default.mspx.

Application Security

To meet the PCI DSS requirements, you should consider your application security solutions on two fronts. First, you should require that any new applications created by developers within your organization comply with secure development practices. Second, you should ensure that you use the security guidelines supplied with any software applications that you purchase from Microsoft or any third-party supplier.

PCI DSS Requirements Met

Developing and maintaining secure applications, whether they are Web or Windows-based, is an important step in your PCI DSS compliance efforts. In particular, these technology solutions allow you to meet requirement 6.

For the full text of this requirement, please see The Payment Card Industry Data Security Standard, version 1.1.

Available Technologies

Microsoft offers specific guidance and tools for developing secure applications. It also offers specific guidelines to use its major server products securely.

  • Microsoft Visual Studio® 2005. Visual Studio 2005 supplies a number of tools that enable your developers to find security defects in their code during development:

    • FxCop checks managed code for defects, including security defects.

    • PREfast is a static analysis tool for C and C++ code. It can help your developers find a variety of security issues.

    • Standard Annotation Language (SAL) annotations describe how functions use their buffer and pointer parameters, so that PREfast can find security bugs the C or C++ compiler cannot.

    • When compiling unmanaged code written in C or C++, your developers should always compile with the /GS stack buffer overrun detection option and link with the /SAFESEH option. Note that /GS detects an overrun of a protected stack frame at run time and terminates the process; it does not prevent the underlying bug, so it complements rather than replaces bounds checking. /SAFESEH applies to x86 images only.

    • RPC developers should compile their interface definitions with the MIDL /robust flag specified.

    The Security Development Lifecycle requires tools such as FxCop, PREfast, and the /GS compiler option so that known classes of defects are caught before code ships, rather than relying on testing alone to find them.

    For more information, see the Visual Studio home page at https://msdn2.microsoft.com/en-us/vstudio/default.aspx.

  • Microsoft Intelligent Application Gateway (IAG) 2007. A part of Microsoft Forefront Network Edge Security, IAG provides a Secure Sockets Layer (SSL) VPN, a Web application firewall, and endpoint security management that enable access control, authorization, and content inspection for a wide variety of line-of-business applications. Together, these technologies provide mobile and remote workers with flexible secure access from a broad range of devices and locations, including kiosks, desktop computers, and mobile devices. IAG also enables IT administrators to enforce compliance with application and information usage guidelines through a customized remote access policy based on device, user, application, or other business criteria. Key benefits include:

    • A unique combination of SSL VPN-based access, integrated application protection, and endpoint security management.

    • A powerful, Web-application firewall that helps keep malicious traffic out and sensitive information in.

    • Reduced complexity of managing secure access and protecting business assets with a comprehensive, easy to use platform.

    • Interoperability with core Microsoft application infrastructure, third-party enterprise systems, and custom in-house tools.

    For more information, see Intelligent Application Gateway 2007 Product Overview at https://www.microsoft.com/forefront/edgesecurity/iag/overview.mspx.  

Guidelines

  • Security Development Lifecycle. If your organization decides to develop some of its own solutions to handle cardholder data, you should consider requiring your developers to use the Security Development Lifecycle developed at Microsoft. It is a comprehensive approach to developing secure Web and desktop applications for use in an organization that processes and stores sensitive information, such as cardholder data. The Security Development Lifecycle begins with planning for secure applications, ensures that you use secure coding techniques, and includes testing and deploying applications securely after development is complete.

    For more information, see A Look Inside the Security Development Lifecycle at Microsoft at https://msdn.microsoft.com/msdnmag/issues/05/11/SDL/.

  • Follow Product Security Guidelines. Microsoft offers security guidelines for a number of its software products. Of particular interest to large and medium-sized organizations are security guidelines for Exchange Server, Systems Management Server, and SQL Server. For information on security guidelines for these products, see the Application Security section of The Regulatory Compliance Planning Guide.

Messaging and Collaboration

To meet PCI DSS requirements, you must ensure that any messaging and collaboration software that your organization uses is configured and set up securely. Because messaging and collaboration applications have become essential tools in the payment card industry, it is vital that you do all you can to make sure that any documents or e-mail messages that may contain cardholder data are secure.

PCI DSS Requirements Met

Common methods to help prevent messaging security breaches include messaging gateways, secure messaging servers, and messaging content filtration. Both messaging gateways and messaging content filtration route messages to a specialized software application. This application can use a variety of methods to isolate specific word strings, number strings, word patterns, or other items depending on how the solution was designed. Messages that contain these key words or strings can then be placed in quarantine until the suspect information in the messages can be checked, or the solution can simply delete and purge the message. These methods can help you secure cardholder data when it is sent through an e-mail message or document in a collaboration environment. All of these techniques and solutions can help you meet PCI DSS requirement 4.

For the full text of this requirement, see The Payment Card Industry Data Security Standard, version 1.1.
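The pattern-matching step described above, written out as an added example that is not code from the original guide: a PowerShell filter that finds candidate primary account numbers (PANs) in a message, confirms each one with the Luhn check so that order numbers and telephone numbers are not quarantined, and returns a disposition with only a masked form of the PAN for logging. The sample messages are constructed for the example, and the function names are the example's own.

```powershell
# Added example, not code from the original guide. Finds PANs in message text,
# confirms each candidate with the Luhn check and decides the disposition.

function Test-Luhn {
    param([string]$Digits)
    $sum = 0
    $double = $false
    # Walk right to left, doubling every second digit
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$Digits[$i]     # [string] first, or [int] yields the char code
        if ($double) {
            $d *= 2
            if ($d -gt 9) { $d -= 9 }
        }
        $sum += $d
        $double = -not $double
    }
    return (($sum % 10) -eq 0)
}

function Find-Pan {
    param([string]$Text)
    # 13 to 19 digits, optionally separated by single spaces or dashes,
    # not preceded or followed by another digit
    $pattern = '(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])'
    $found = @()
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $digits = $m.Value -replace '[^0-9]', ''
        if ($digits.Length -ge 13 -and $digits.Length -le 19 -and (Test-Luhn $digits)) {
            $found += $digits
        }
    }
    return ,$found
}

function Get-MessageDisposition {
    param([string]$Subject, [string]$Body)
    $pans = @(Find-Pan -Text ($Subject + "`n" + $Body))
    if ($pans.Count -eq 0) {
        return New-Object PSObject -Property @{ Disposition = 'Deliver'; MaskedPans = @() }
    }
    # Log only the masked form: first six and last four digits (requirement 3.3)
    $masked = $pans | ForEach-Object {
        $_.Substring(0, 6) + ('*' * ($_.Length - 10)) + $_.Substring($_.Length - 4)
    }
    return New-Object PSObject -Property @{ Disposition = 'Quarantine'; MaskedPans = @($masked) }
}

# Constructed sample messages
$samples = @(
    @{ Subject = 'Refund for order 20070421-0099';
       Body    = 'Customer asked for a refund; ticket 1234567, phone 5550123456.' },
    @{ Subject = 'Card details as requested';
       Body    = 'Please charge 4111 1111 1111 1111, exp 12/09. Thanks!' },
    @{ Subject = 'Tracking';
       Body    = 'Parcel number 4111111111111112 was shipped today.' }   # 16 digits, fails Luhn
)
foreach ($s in $samples) {
    $r = Get-MessageDisposition -Subject $s.Subject -Body $s.Body
    '{0,-10} {1}  {2}' -f $r.Disposition, $s.Subject, ($r.MaskedPans -join ', ')
}
```

The first and third messages are delivered (twelve digits, and a sixteen-digit run that fails Luhn); the second is quarantined and logged as 411111******1111. A production filter would also look inside attachments and at encoded text, but the decision logic is the same.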

Available Technologies

Microsoft provides a number of solutions that can help you secure messaging and collaboration software. Each addresses a different part of your messaging and collaboration environment, so plan the deployment as a whole so that as few gaps as possible remain when you have finished.

  • Microsoft Exchange Server. As with document management, Exchange can help you define powerful solutions for your organization’s messaging needs while keeping any cardholder data in e-mail messages secure. Exchange Server 2007 includes unified messaging, which consolidates e-mail, voice mail, and faxes sent to a user into a single inbox. It also offers features that enable your organization to apply retention rules, scan and act on messages in transport, flexibly journal, and perform rich text searches across all deployed mailboxes.
    For more information, please see the Microsoft Exchange Server web site at https://www.microsoft.com/exchange/default.mspx.  

  • Microsoft Forefront Security for Exchange Server. Microsoft Forefront Security for Exchange Server helps protect your e-mail infrastructure from infection and downtime through an approach that emphasizes layered defenses, optimization of Exchange Server performance and availability, and simplified management control.

    • Comprehensive Protection. Microsoft Forefront Security for Exchange Server includes multiple scan engines from industry-leading security firms integrated in a single solution to help businesses protect their Exchange messaging environments from viruses, worms, and spam.

    • Optimized Performance. Through deep integration with Exchange Server, scanning innovations and performance controls, Forefront Security for Exchange Server helps protect messaging environments while maintaining uptime and optimizing server performance.

    • Simplified Management. Forefront Security for Exchange Server also enables administrators to easily manage configuration and operation, automated scan engine signature updates and reporting at the server and enterprise level.

    For more information, see Microsoft Forefront at https://www.microsoft.com/forefront/default.mspx.

  • Microsoft Exchange Hosted Services. Microsoft Exchange Hosted Services for messaging security and management is composed of four distinct services that help organizations protect themselves from e-mail-borne malware, satisfy retention requirements for compliance, encrypt data to preserve confidentiality, and preserve access to e-mail during and after emergency situations. The services are deployed over the Internet using a “Software as a Service” model which helps minimize additional capital investment, free up IT resources to focus on other value-producing initiatives, and mitigate messaging risks before they reach the corporate firewall.

    For more information, see Microsoft Exchange Hosted Services at https://www.microsoft.com/exchange/services/default.mspx.

  • Microsoft Office Information Rights Management (IRM). Office is the premier suite of productivity applications for enterprises. The IRM feature of Microsoft Office can help your organization control access to sensitive information such as cardholder data.

    Specifically, the Office IRM feature helps your organization by enabling you to:

    • Prevent an authorized recipient of protected information from forwarding, copying, modifying, printing, faxing, or cutting and pasting the information for unauthorized use.

    • Prevent protected information from being copied with the Microsoft Windows Print Screen function.

    • Provide information with the same level of protection wherever it goes. This is referred to as "persistent protection."

    • Provide the same level of protection to e-mail attachments, as long as the attachments are files created with other Office programs, such as Excel or Word.

    • Protect information in e-mail messages or documents that have been set to expire, so that the information can no longer be viewed after a specified period of time.

    • Enforce corporate policies that govern the use and dissemination of information within and outside the company.

    Office IRM is built on the Microsoft Windows Rights Management Services platform. To enable this feature in Office, you must purchase RMS server licenses.

    For more information, please see the Microsoft Office web site at https://office.microsoft.com/en-us/default.aspx.

  • Microsoft Windows SharePoint Services Information Rights Management (IRM). As with your document management solutions, SharePoint Services IRM can help you make your collaboration solutions meet PCI DSS requirements. This technology allows you to create a persistent set of access controls that are attached to the content rather than a specific network location, which will help you control access to files even after they leave your direct control. IRM is available for files that are located in document libraries and stored as attachments to list items. Site administrators can elect to protect downloads from a document library with IRM. When a user attempts to download a file from the library, Windows SharePoint Services verifies that the user has permissions to the file and issues a license to the user that enables access to the file at the appropriate permissions level. Windows SharePoint Services then downloads the file to the user's computer in an encrypted, rights-managed file format.

    SharePoint Services IRM is built on the same Microsoft Windows Rights Management Services platform as Office IRM, and likewise requires RMS server licenses.

    For more information, see the Microsoft SharePoint Products and Technologies Web site at https://go.microsoft.com/fwlink/?linkid=12632.

Data Classification and Protection

Data classification and protection solutions are central elements of successfully meeting the PCI DSS requirements and keeping cardholder data secure. These solutions deal with how to apply security classification levels to cardholder data either on a system or in transmission. This solution category also deals with data protection in terms of providing confidentiality and integrity to data that is either in storage or in transmission. Cryptographic solutions are the most common method that organizations use to provide data protection.

PCI DSS Requirements Met

Data classification and protection solutions help you meet PCI DSS requirements by securing cardholder data when it is stored in a database, transmitted from one server to another, or transmitted into your network when a cardholder makes a purchase. Using these solutions helps you meet PCI DSS requirements 3 and 7, and requirement 4 where the data crosses open, public networks.

For the full text of these requirements, see The Payment Card Industry Data Security Standard, version 1.1.

Available Technologies

Microsoft offers a number of technologies that can help you classify and protect cardholder data, whether it is transmitted over your network, stored in a document on an employee’s computer, or stored to a database. These include:

  • BitLocker™ Drive Encryption. BitLocker Drive Encryption helps you protect cardholder data by providing full-volume encryption and integrity checking of early-boot components. Encrypting the entire Windows volume, including the paging (swap) and hibernation files, prevents an attacker who obtains a lost or stolen computer from bypassing Windows file and system protection by reading the disk offline. The integrity check of the early-boot components helps ensure that the volume is decrypted only if those components appear unmodified and the encrypted drive is still in the original computer. BitLocker protects data at rest: once Windows has started and unlocked the volume, access to individual files is governed by NTFS permissions, EFS, or RMS, not by BitLocker. BitLocker is available on Windows Vista Enterprise and Ultimate, and on Windows Server “Longhorn.”

    For more information, see BitLocker Drive Encryption: Executive Overview at https://technet.microsoft.com/en-us/windowsvista/aa906018.aspx.

  • Windows Encrypting File System (EFS). EFS provides the core file encryption technology used to store encrypted files on NTFS file system volumes. After you encrypt a file or folder, you work with the encrypted file or folder just as you do with any other files and folders.

    Encryption is transparent to the user that encrypted the file. This means that you do not have to manually decrypt an encrypted file before you can use it. You can open and change the file as you normally do.

    Using EFS is similar to using permissions on files and folders in that both restrict access to data, but they defend against different attacks. NTFS permissions are enforced by the running operating system, so they do not protect against an intruder who has physical access and boots another operating system or moves the disk to another computer. EFS does: the file contents remain encrypted on disk, and an intruder who tries to open or copy an encrypted file without the user's key receives an access-denied message. Two caveats apply. The EFS private key is protected by the user's logon credentials, so the protection is only as strong as that account's password and the key of any designated recovery agent. And EFS is a property of the NTFS volume: copying an encrypted file to a FAT volume, or attaching it to an e-mail message, produces plaintext.

    For more information, see Encrypting File System Overview at https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/encrypt_overview.mspx?mfr=true or Encrypting File System at https://www.microsoft.com/windows/products/windowsvista/features/details/encryptingfilesystem.mspx.

  • Microsoft Windows Rights Management Services. Microsoft Windows Rights Management Services (RMS) is a software platform that helps applications safeguard cardholder data from unauthorized use—both online and offline, inside and outside of the firewall.

    RMS augments an organization's security strategy by protecting information through persistent usage policies, which remain with the information no matter where it goes. RMS-enabled applications can be used to manage, control and audit access to documents containing cardholder information. The RMS client is integrated into the Windows Vista operating system. For other Windows versions, the RMS client is available as a free download.
    For more information, see Windows Rights Management Services at https://www.microsoft.com/rms.  

  • Microsoft SQL Server Encryption. SQL Server 2005 does not encrypt stored data automatically; it provides cell-level encryption functions (EncryptByKey, DecryptByKey, and their certificate and asymmetric-key counterparts) that your application calls explicitly, backed by a hierarchical key management infrastructure. Each layer protects the one below it: the service master key for the instance protects each database's master key, which protects the certificates and asymmetric keys in that database, which in turn protect the symmetric keys that actually encrypt the data. Storing the PAN only in encrypted columns, and granting the permission to open the symmetric key only to the principals that need the plaintext, helps you satisfy requirement 3 for cardholder data held in SQL Server.

    For more information, see Microsoft SQL Server at https://www.microsoft.com/sql/default.mspx.
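The key hierarchy described above, built end to end as an added example that is not code from the original guide: a PowerShell script that sends one T-SQL batch to SQL Server 2005 over System.Data.SqlClient, creating the database master key, a certificate, and an AES symmetric key, then storing a PAN encrypted under that key and checking the round trip without printing the plaintext. The server name, database, object names, passphrase and the test card number are assumptions.

```powershell
# Added example, not code from the original guide. Builds the SQL Server 2005
# key hierarchy and stores a PAN encrypted with a symmetric key.
# Server, database, object names and the passphrase are assumptions.
$connectionString = 'Server=SQLCDE01;Database=Payments;Integrated Security=SSPI'

$tsql = @"
SET NOCOUNT ON;

-- 1. Database master key: protected by the instance's service master key
--    (so it opens automatically) and by a password (for recovery and restore)
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Replace-with-a-long-random-passphrase!';

-- 2. Certificate protected by the database master key
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = 'PanCert')
    CREATE CERTIFICATE PanCert WITH SUBJECT = 'Key-encrypting certificate for cardholder data';

-- 3. Symmetric key protected by the certificate: this is the key that encrypts data.
--    Opening it requires VIEW DEFINITION on the key and CONTROL on the certificate,
--    so grant those only to the principals that must see plaintext.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = 'PanKey')
    CREATE SYMMETRIC KEY PanKey WITH ALGORITHM = AES_256 ENCRYPTION BY CERTIFICATE PanCert;

IF OBJECT_ID('dbo.CardAccounts') IS NULL
    CREATE TABLE dbo.CardAccounts (
        AccountId  int IDENTITY PRIMARY KEY,
        PanLast4   char(4)        NOT NULL,  -- displayable under requirement 3.3
        PanEnc     varbinary(256) NOT NULL   -- full PAN, ciphertext only
    );

OPEN SYMMETRIC KEY PanKey DECRYPTION BY CERTIFICATE PanCert;

-- Constructed test value (a well-known test card number, not real cardholder data)
INSERT dbo.CardAccounts (PanLast4, PanEnc)
VALUES ('1111', EncryptByKey(Key_GUID('PanKey'), N'4111111111111111'));

-- Round-trip check: decrypt and compare the last four digits with the stored column
SELECT AccountId, PanLast4,
       CASE WHEN RIGHT(CONVERT(nvarchar(19), DecryptByKey(PanEnc)), 4) = PanLast4
            THEN 1 ELSE 0 END AS RoundTripOk
FROM dbo.CardAccounts;

CLOSE SYMMETRIC KEY PanKey;
"@

$conn = New-Object System.Data.SqlClient.SqlConnection $connectionString
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $tsql
    $reader = $cmd.ExecuteReader()
    while ($reader.Read()) {
        # Only the masked form ever reaches the console or a log
        '{0,5}  ****{1}  roundtrip={2}' -f $reader['AccountId'], $reader['PanLast4'], $reader['RoundTripOk']
    }
    $reader.Close()
}
finally {
    $conn.Close()
}
```

Run it as a login that owns the database. Each run appends another test row; in practice the INSERT and SELECT would live in stored procedures, and application logins would receive EXECUTE on those procedures rather than the right to open the key directly. Back up the database master key and certificate (BACKUP MASTER KEY, BACKUP CERTIFICATE) to separate, protected media, or the ciphertext is unrecoverable after a restore to another instance.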

Identity Management

Identity management is another important element in reaching PCI DSS compliance. Identity management solutions allow you to limit the personnel who can access, process, and transmit cardholder data. Your organization can use these identity management solutions to help manage digital identities and permissions for your employees, clients, and partners.

PCI DSS Requirements Met

Identity management solutions help you meet PCI DSS requirement 8 by creating and assigning a unique ID to each person in your organization who has computer access. They also help you restrict access to cardholder data based on that unique ID, which is the core of PCI DSS requirement 7.

For the full text of these requirements, see The Payment Card Industry Data Security Standard, version 1.1.

Available Technologies

Microsoft provides numerous technologies to help you meet your organization’s identity management requirements.

  • Microsoft Active Directory. Active Directory supports a number of techniques to help you control the personnel who can access cardholder data on your network and outside of it. First, Active Directory supports Kerberos authentication, one of the default Windows authentication techniques. Kerberos provides secure user authentication with an industry standard that permits interoperability; the Active Directory domain controller maintains the user account and logon information that the Kerberos service relies on. Second, Active Directory supports smart card authentication. You can require remote users or administrators of systems containing cardholder data to use a smart card and PIN to access your network. Third, Active Directory supports credential roaming, which stores a user's certificates and private keys in the directory so that they follow the user to each computer he or she logs on to. Fourth, Active Directory allows your organization to customize the credential providers that Windows uses to authenticate users. These features help you control granularly how Active Directory accounts access cardholder data, and which accounts you provide with access to that data.

    For more information, see the Windows Server 2003 Active Directory technology center at https://www.microsoft.com/windowsserver2003/technologies/directory/activedirectory/default.mspx.  

  • Microsoft Active Directory Federation Services. With Active Directory Federation Services (ADFS), you can create identity management solutions that extend beyond the traditional boundaries of your Active Directory forest. By employing ADFS, your organization can extend its existing Active Directory infrastructure to provide access to resources that are offered by trusted partners across the Internet. These trusted partners can include external third parties or other departments or subsidiaries in the same organization.

    ADFS is tightly integrated with Active Directory. ADFS retrieves user attributes from Active Directory, and it authenticates users by using Active Directory. ADFS also uses Windows Integrated Authentication. ADFS is available on Windows Server 2003 R2 and Windows Server “Longhorn” operating systems.

    For more information, see Overview of Active Directory Federation Services (ADFS) in Windows Server 2003 R2 at https://www.microsoft.com/WindowsServer2003/R2/Identity_Management/ADFSwhitepaper.mspx.

  • Microsoft Identity Lifecycle Manager. Microsoft Identity Lifecycle Manager (ILM) simplifies the process of matching and managing identity records from disparate data repositories, and prevents anomalies, such as active records for employees who have left the organization. ILM provides your organization with a policy framework to control and track the identity and access data that helps manage compliance. It also includes self-help tools for end users, enabling your IT department to improve efficiency by securely delegating many tasks to end users. Another key feature of ILM is that it includes a Windows-based certificate management solution that integrates with the Windows Server 2003 operating system and Active Directory to provide a turnkey solution for managing the end-to-end life cycle of smart cards and digital certificates for the Windows Server 2003 Certificate Authority.

    ILM enables your organization to:

    • Synchronize identity information across a variety of heterogeneous directory and non-directory identity stores. This enables you to automate the process of updating identity information across disparate platforms while maintaining the integrity and ownership of that data across the enterprise.

    • Provision and de-provision user accounts and identity information such as distribution lists, e-mail accounts, and security groups across systems and platforms. New accounts for employees can be created quickly based on events or changes in authoritative stores like the human resources system. Additionally, when employees leave a company, they can be immediately de-provisioned from the same systems.

    • Manage certificates and smart cards. ILM includes a workflow and policy-based solution that enables organizations to easily manage the life cycle of digital certificates and smart cards. ILM leverages Active Directory Services and Active Directory Certificate Services to provision digital certificates and smart cards, with automated workflow to manage the entire life cycle of certificate-based credentials. ILM significantly lowers the costs associated with digital certificates and smart cards by enabling organizations to more efficiently deploy, manage, and maintain a certificate-based infrastructure. It also streamlines the provisioning, configuration, and management of digital certificates and smart cards, while increasing security through strong, multifactor authentication technology.

    For more information, see Microsoft Identity Lifecycle Manager home page at https://www.microsoft.com/windowsserver/ilm2007/default.mspx.  

  • Microsoft SQL Server. You can use SQL Server in conjunction with other technologies to create identity management solutions, for example as the store for application user accounts and for the mapping of certificates to those accounts. Store passwords there only as salted hashes or, at minimum, encrypted, as PCI DSS requirement 8.4 requires, and never in clear text. You can use SQL Server in concert with Microsoft ILM, Active Directory, Group Policy, and ACLs to restrict users’ access to cardholder data stored in another database, in documents, or in directories.

    For more information, see Microsoft SQL Server at https://www.microsoft.com/sql/default.mspx.

Operating System Support Features
  • Public Key Infrastructure. A public key infrastructure (PKI) is a system of digital certificates, certificate authorities (CAs), and other registration authorities that verify and authenticate the validity of each party involved in an electronic transaction through the use of public key cryptography. This infrastructure can allow you to secure and exchange cardholder data with strong security across the Internet, extranets, intranets, and applications.

    PKI support is available in Windows 2000 Server, Windows XP Professional, Windows Server 2003, Windows Vista, and Windows Server “Longhorn.”

    For more information, see Public Key Infrastructure for Windows Server 2003 at https://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx.

Authentication, Authorization, and Access Control

Authentication is the process of identifying a user. In IT environments, authentication usually involves a username and a password, but it can include additional methods to demonstrate identity, such as a smart card, retina scan, voice recognition, or fingerprints. Authorization focuses on determining whether the authenticated identity is allowed to access requested resources. You can choose to grant or deny access based on a variety of criteria, such as the network address of the client, the time of day, or the browser that the person uses.

When planning your authentication, authorization, and access control strategy, you should also develop a strategy for granting user account permissions to all resources across your network. For more information, see Applying the Principle of Least Privilege to User Accounts on Windows XP.

PCI DSS Requirements Met

Authentication, authorization, and access control are key portions of your cardholder data security strategy, particularly in combination with data classification and protection and identity management solutions. In this context, authentication, authorization and access control solutions can help your organization meet PCI DSS requirements 6, 7 and 8.

For the full text of these requirements, see The Payment Card Industry Data Security Standard, version 1.1.

Available Technologies

Microsoft offers several technologies that can help you create and integrate authentication, authorization, and access control strategies into your complete PCI DSS compliance solution.

  • Microsoft Active Directory. Much of the Active Directory service in Microsoft Windows 2000 Server, Windows Server 2003, and Windows Server “Longhorn” focuses on authentication, authorization, and access control. For example, Active Directory supports Kerberos authentication, one of the default Windows authentication techniques. Kerberos provides secure user authentication with an industry standard that permits interoperability; the Active Directory domain controller maintains the user account and logon information that the Kerberos service relies on. Active Directory also supports smart card authentication: you can require remote users or administrators of systems containing cardholder data to use a smart card and PIN to access your network. Credential roaming stores a user's certificates and private keys in the directory so that they follow the user to each computer he or she logs on to. Your organization can also customize the credential providers that Windows uses to authenticate users, and Active Directory allows you to delegate administrative tasks across your organization. These features help you control granularly how Active Directory accounts access cardholder data, and which accounts you provide with access to that data.

    For more information, see the Windows Server 2003 Active Directory technology center at https://www.microsoft.com/windowsserver2003/technologies/directory/activedirectory/default.mspx.  

  • Microsoft Internet Authentication Service. Internet Authentication Service (IAS) is the Microsoft implementation of a Remote Authentication Dial-in User Service (RADIUS) server and proxy. As a RADIUS server, IAS performs centralized connection authentication, authorization, and accounting for many types of network access, including wireless and VPN connections. As a RADIUS proxy, IAS forwards authentication and accounting messages to other RADIUS servers. By doing this, IAS performs authentication steps for remote connections before they reach your organization’s network. With the credentials the user supplied to connect remotely, you can authorize them to access only those resources on your network that they need to accomplish their work.

    For more information, see the Internet Authentication Service at https://www.microsoft.com/technet/network/ias/default.mspx.

Operating System Support Features
  • Using Access Control Lists to Grant Resource Permissions. An access control list (ACL) is the mechanism Windows has used since Windows NT to protect securable objects such as files and folders. An ACL contains access control entries (ACEs), each of which associates a principal (usually a user account or group) with a set of permissions that is allowed or denied. For example, you can set the ACEs on a file's ACL so that only the Administrators group can read it. Because explicit deny entries are ordered ahead of allow entries and are easy to get wrong, prefer explicit allow entries for the groups that need access, with inheritance from the parent folder disabled, over deny entries; a principal with no matching entry is denied by default. ACLs belong inside your larger identity management solution, but they remain a good way to restrict access to cardholder data to only those individuals with a business need.

    For more information, see the ACL Technology Overview at https://msdn2.microsoft.com/en-us/library/ms229742.aspx.
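The file-level ACE example above, carried out as an added PowerShell example that is not code from the original guide: it removes the inherited permissions from a folder that holds cardholder data, grants explicit, inheritable access only to the local Administrators group, SYSTEM and one operations group, writes the ACL back, and reads the result for verification. The folder path and the group name are assumptions; the account running it needs ownership or full control of the folder.

```powershell
# Added example, not code from the original guide. Folder path and group are assumptions.
$path  = 'D:\CDE\Settlement'
$group = 'CONTOSO\CDE-Operators'

$acl = Get-Acl -Path $path

# Stop inheriting ACEs from the parent folder and discard the inherited ones,
# so that only the entries set here apply
$acl.SetAccessRuleProtection($true, $false)

# Remove every remaining (explicit) ACE, whoever it names
foreach ($rule in @($acl.Access)) {
    $acl.PurgeAccessRules($rule.IdentityReference)
}

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# Explicit allow entries only: anyone without an entry is denied by default,
# so no deny ACEs are needed
$entries = @(
    @('BUILTIN\Administrators', 'FullControl'),
    @('NT AUTHORITY\SYSTEM',    'FullControl'),
    @($group,                   'ReadAndExecute')
)
foreach ($e in $entries) {
    $ace = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                      -ArgumentList $e[0], $e[1], $inherit, $propagate, 'Allow'
    $acl.AddAccessRule($ace)
}

Set-Acl -Path $path -AclObject $acl

# Verify what was written: three Allow entries, none inherited
(Get-Acl -Path $path).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

Give the operations group ReadAndExecute rather than Modify unless it must change the files; a separate group with Modify on a specific subfolder keeps the write path narrow. Set-Acl fails with an identity-mapping error if the group does not exist, which is the check you want before a change like this reaches production.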

  • Windows Firewall in Microsoft Windows Vista and Windows Server “Longhorn”. As previously discussed, Windows Firewall on Windows Vista and Windows Server “Longhorn” can help you protect your systems and networks from malicious attacks. It can also help you control what users, computers, and groups can access resources on a computer or domain. When you use Windows Firewall with Advanced Security, you can create rules that filter connections by Active Directory user, computer, or group. To create these types of rules, you must secure the connection with IPsec using credentials that carry Active Directory account information, such as Kerberos version 5.

    For more information, see Windows Firewall at https://www.microsoft.com/technet/network/wf/default.mspx.
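The user- and computer-based firewall rule described above, as an added example that is not code from the original guide: a PowerShell session on a Windows Vista or Windows Server “Longhorn” database server that uses netsh advfirewall to require IPsec with Kerberos computer and user authentication from the cardholder subnet, then allows TCP 1433 only to connections whose authenticated user is in one Active Directory group. The domain, group name, subnet and port are assumptions.

```powershell
# Added example, not code from the original guide. Domain, group, subnet and port are assumptions.
# Resolve the group's SID, which is what the firewall's SDDL filter needs
$group = New-Object System.Security.Principal.NTAccount('CONTOSO', 'CDE-Operators')
$sid   = $group.Translate([System.Security.Principal.SecurityIdentifier]).Value

# 1. Connection security rule: require IPsec for inbound connections from the
#    cardholder subnet and request it outbound, authenticating the computer with
#    Kerberos first and then the user with Kerberos (auth2 carries the user identity)
netsh advfirewall consec add rule name="CDE-IPsec" `
    endpoint1=any endpoint2=10.10.20.0/24 action=requireinrequestout `
    auth1=computerkerb auth2=userkerb

# 2. Firewall rule that matches only IPsec-authenticated connections whose user
#    is a member of the group. rmtusrgrp takes an SDDL string: "A" = allow,
#    "CC" = the right the firewall checks for user and computer group filters.
netsh advfirewall firewall add rule name="CDE-SQL-AuthorizedUsers" `
    dir=in action=allow protocol=TCP localport=1433 `
    security=authenticate rmtusrgrp="D:(A;;CC;;;$sid)"

# 3. Check the rule as stored, including the resolved security settings
netsh advfirewall firewall show rule name="CDE-SQL-AuthorizedUsers" verbose
```

Both peers need a matching connection security rule, normally delivered through Group Policy; without it the IPsec negotiation fails and the firewall rule simply never matches, so clients are blocked rather than let through unauthenticated. Leave the default inbound action at block so that a plain, unauthenticated connection to port 1433 is dropped.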

For links to conceptual information and planning guides about authentication, authorization and access control, see the Authentication, Authorization, and Access Control section of The Regulatory Compliance Planning Guide.

Vulnerability Identification

Vulnerability identification solutions provide tools that your organization can use to help test for vulnerabilities in its information systems. Your IT personnel must be aware of vulnerabilities in the IT environment before they can effectively address them. Also involved in vulnerability identification is the ability to restore data that was inadvertently lost due to user error.

PCI DSS Requirements Met

Vulnerability identification solutions help your organization meet PCI DSS requirement 11, which calls for regularly testing security systems and processes.

For the full text of this requirement, see The Payment Card Industry Data Security Standard, version 1.1.

Available Technologies

Microsoft offers solutions that help you design vulnerability identification solutions to meet your PCI DSS requirements.

  • Microsoft Baseline Security Analyzer (MBSA). As with assessing risk when designing many of your cardholder data protection controls, MBSA enables you to periodically review vulnerabilities that may compromise the security of cardholder data. You can use MBSA to locate common security misconfigurations in a number of Microsoft products, including the Windows operating system, Internet Information Services, SQL Server, Internet Explorer, and Microsoft Office. MBSA also scans for missing security updates, update rollups, and service packs published to Microsoft Update. You can run MBSA from the command prompt (mbsacli.exe, which suits scheduled scans of every system in the cardholder data environment) or from a GUI, and you can use it with Microsoft Update and Windows Server Update Services. Because keeping your systems updated is one of the most important ways to keep cardholder data secure, MBSA is an invaluable tool for determining whether your product installations have accumulated vulnerabilities over time. Note that MBSA assesses configuration and patch state from inside the system; it does not replace the internal and external network vulnerability scans that requirement 11.2 calls for, and the external scans must be performed by a scan vendor qualified by the payment card industry.

    For more information, see Microsoft Baseline Security Analyzer at https://www.microsoft.com/technet/security/tools/mbsahome.mspx.

Monitoring, Auditing, and Reporting

Monitoring and reporting solutions collect and audit logs that result from authentication and access to systems. You can design these solutions to collect specific information based on PCI DSS, or use existing logs built into operating systems or software packages.

A subcategory of monitoring and reporting is the collection, analysis, and correlation of all logged data across your organization. This is sometimes accomplished through a dashboard-type solution, where you can better analyze the various information gathered throughout the organization. This type of solution allows IT management to better determine if there is a correlation between events.

PCI DSS Requirements Met

Monitoring, auditing, and reporting solutions can help you meet PCI DSS Requirement 10, to track and monitor all access to network resources and cardholder data.

Available Technologies

Microsoft offers a number of technologies that allow you to monitor network access and access to cardholder data.

  • Microsoft System Center Operations Manager Audit Collection. Operations Manager 2007 can securely and efficiently extract and collect security logs from Windows operating systems and store them for later analysis and reporting. The extracted logs are stored in a separate Audit Collection database. Operations Manager will ship with reports that can be used for the Audit Collection data. Audit Collection can be used to produce various compliance reports, such as supporting Sarbanes-Oxley audits. Audit Collection can also be used for security analysis, such as intrusion detection and unauthorized access attempts.

    For more information, see Audit Collection Services at https://technet.microsoft.com/en-us/library/bb381258.aspx.

  • Microsoft Windows Vista Event Logging Infrastructure. Improvements to the Windows event logging infrastructure make the Windows Vista desktop easier to manage and monitor and provide better information for troubleshooting. Strict standards ensure that events are meaningful, actionable, and well-documented. Many components that stored logging information in text files in previous versions of Windows now add events to the event log. With event forwarding, administrators can collect events from computers anywhere on the network on a central collector, which makes it easier to identify problems proactively, to correlate problems that affect multiple computers, and to keep audit trails off the systems that generate them, as requirement 10.5 expects. Finally, the Event Viewer has been completely rewritten to allow users to create custom views, to associate events with tasks, and to view logs from other computers remotely. Together these changes make the event log much more practical as a source of audit evidence and for troubleshooting users' problems.

    For more information, see Windows Vista Management Features at https://technet.microsoft.com/en-us/windowsvista/aa905069.aspx.

  • Microsoft SQL Server. SQL Server Reporting Services is a server-based solution for creating, managing, and delivering both traditional, paper-oriented reports and interactive, Web-based reports. An integrated part of the Microsoft business intelligence framework, Reporting Services combines the data management capabilities of SQL Server and Windows Server with the Microsoft Office System applications to deliver information that supports daily operations and decisions. You can use it to report on access to cardholder data and on changes to it, drawing on the audit data you collect, and to monitor network usage patterns and information flow. Keep such reports to the audit trail rather than the cardholder data itself; where a report must show a PAN, display it masked (at most the first six and last four digits), as requirement 3.3 specifies.

    For more information, see Microsoft SQL Server at https://www.microsoft.com/sql/default.mspx.

Operating System Support Features
  • NTFS System Access Control Lists. Your organization can use NTFS system access control lists (SACLs) on files and directories to track who accesses or changes them. A SACL entry names a principal, the access types to audit, and whether to record successes, failures, or both; whenever that principal exercises one of those access types on the object, Windows writes an event to the Security log identifying the object, the account, and the access. SACL entries produce events only if the "Audit object access" policy is enabled on the computer, so enable it through Group Policy on every system in the cardholder data environment. You cannot set SACLs on volumes formatted with the FAT file system, so your organization should use NTFS on all volumes that store user data and cardholder data.

    For more information, see User Data and Settings Management at https://www.microsoft.com/technet/prodtechnol/winxppro/maintain/xpusrdat.mspx.
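The SACL mechanism above in working form, as an added example that is not code from the original guide: a PowerShell script that enables object-access auditing, adds audit entries to a cardholder-data folder (all successful and failed writes, deletes and permission changes by anyone, plus failed reads), and then pulls the resulting Security log events for that path. The folder path is an assumption, the event IDs are those of Windows Vista and Windows Server “Longhorn”, and the layout of the event message text is assumed; the script must run with administrative rights.

```powershell
# Added example, not code from the original guide. The folder path is an assumption.
$path = 'D:\CDE\Settlement'

# 1. SACL entries generate nothing unless object-access auditing is enabled.
#    auditpol /set works on Windows Vista and Windows Server "Longhorn";
#    on Windows XP / Server 2003 enable "Audit object access" in Group Policy instead.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add the SACL entries on the folder and everything below it
$acl       = Get-Acl -Path $path -Audit
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# Every successful or failed write, delete, permission change or ownership change, by anyone
$writeAudit = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList `
    'Everyone', 'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership', `
    $inherit, $propagate, 'Success, Failure'
# Failed reads only: successful reads of a busy folder would flood the log
$readAudit  = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList `
    'Everyone', 'ReadData', $inherit, $propagate, 'Failure'

$acl.AddAuditRule($writeAudit)
$acl.AddAuditRule($readAudit)
Set-Acl -Path $path -AclObject $acl

# 3. Read the resulting events. 4663 is "An attempt was made to access an object"
#    on Vista / Longhorn (560 and 567 are the XP / Server 2003 equivalents).
#    The "Account Name:" / "Object Name:" lines in the message text are an assumed layout.
Get-EventLog -LogName Security -InstanceId 4663 -Newest 200 |
    Where-Object { $_.Message -like "*$path*" } |
    ForEach-Object {
        $who  = if ($_.Message -match 'Account Name:\s+(\S+)') { $matches[1] } else { '?' }
        $what = if ($_.Message -match 'Object Name:\s+(.+)')   { $matches[1].Trim() } else { '?' }
        '{0:u}  {1,-12} {2,-20} {3}' -f $_.TimeGenerated, $_.EntryType, $who, $what
    }
```

Forward these events to a central collector rather than reading them on the file server itself; the local Security log can be cleared by an administrator, and requirement 10 expects the audit trail to survive that.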

Managing PCI DSS Technology Solutions

Although management products do not by themselves satisfy any specific PCI DSS requirement, they help you keep track of the IT controls that you have implemented for compliance purposes. In creating a framework of IT controls, it is important to be able to manage those controls centrally, from as few administrators’ desks as possible.

Available Technologies

Microsoft offers two primary tools for managing your framework of IT controls that you implement to meet PCI DSS and other regulatory requirements.

  • Microsoft Forefront. Microsoft Forefront is a suite of line-of-business security products that provide protection for client operating systems, application servers, and the network edge. You can use Forefront with your existing IT infrastructure to protect your servers and client computers from malware and other malicious attacks, through integration with application servers such as Exchange, SharePoint, and Instant Messaging. Forefront also features built-in integration with Active Directory, and uses ISA Server to work with Active Directory for RADIUS, DHCP, and smart card support. Forefront also provides a centralized management tool that serves as a central reporting location and a central place to set policy control measures.

    For more information, see Microsoft Forefront at https://www.microsoft.com/forefront/default.mspx.

  • Microsoft System Center. Microsoft System Center is a family of management products that provide the tools your organization needs to automate system management across the organization. System Center includes technologies that help automate the most common management tasks, and it also provides tools to help IT professionals detect, diagnose, and correct problems in their computing environment. Specifically, System Center provides products that perform the following functions:

    • Monitoring the hardware and software in a distributed environment to detect issues, then providing tools to fix those issues.

    • Automating the process of installing, updating, and patching software.

    • Providing implementations of standard processes for systems management.

    • Handling backup and restore of Windows file server data.

    • Addressing the monitoring and configuration requirements of smaller organizations.

    • Managing virtual machines. As faster hardware lets more applications run on each machine, organizations are increasingly using virtualization to isolate those applications.

    • Sizing installations properly by providing tools for estimating the required resources.

    For more information, see Microsoft System Center at https://www.microsoft.com/systemcenter/default.aspx.

Summary

This section provides a description of technology solutions that your organization can use to help achieve and maintain PCI DSS compliance. It discusses the reasons these solutions are important, and offers links to Microsoft guidance and technology that can help your organization toward achieving regulatory compliance.

Implementing these solutions not only helps to raise the security and compliance posture of your IT environment, but also has a positive effect on your organization's business processes. Before you implement any of the identified solutions, be sure to meet with your legal advisors and auditors to obtain legal advice about your own unique PCI DSS compliance needs, and carefully consider the impact of these solutions on the entire organization, not just in terms of compliance. Microsoft is committed to providing more in-depth research and solutions for PCI DSS and other regulatory compliance. You can also search publicly available sources for more information on this complex and important subject.

Appendixes

This section contains questions commonly asked by customers about Microsoft’s technology solutions and how they fit into complying with PCI DSS requirements. It also contains a map of which technology solutions can help your organization meet those requirements.

Frequently Asked Questions

Q: Why should my organization bother to comply with the Payment Card Industry Data Security Standard? Isn’t this another useless and costly standard to deal with?

A: There are three reasons that your organization should work to comply with the PCI DSS. One, card brands such as Visa have committed to providing financial incentives for PCI compliance and penalties for noncompliance. Two, compliance may help reduce liability in case of data loss. Three, by doing a thoughtful analysis and appropriate design of your systems, the process can actually help you better track customer data, and as a result help you to improve customer service and satisfaction.

Q: Is Microsoft overselling its technologies for PCI DSS compliance?

A: Each organization’s situation is different, and this guide aims to be as comprehensive as possible. Microsoft may develop specific guidance for industry verticals. You can also contact your Microsoft sales representative for guidance. As stated above, you can achieve better business results if you look at this not simply as a compliance project but as an opportunity to improve your tracking and management of customer information.

Q: This paper describes many technologies to help comply with the PCI DSS, but very few compliance solutions. Why is that?

A: Each situation is unique, so it is not possible to come up with a single solution that fits all. Microsoft is committed to providing your organization with more detailed information, as mentioned in the summary.

Q: What can Microsoft do to help my organization get PCI DSS certified?

A: Microsoft can offer software and services that help you meet PCI DSS requirements, but it cannot ensure that your organization will come into compliance. As a vendor, we are very interested in helping your organization comply with these requirements, but compliance is between your organization, its auditors, and the card brands with which you work.

Q: Doesn’t Section 3.4.1 imply that Microsoft data protection technologies can’t be used?

A: No. That section says, in full:

“If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed independently of native operating system access control mechanisms (for example, by not using local system or Active Directory accounts). Decryption keys must not be tied to user accounts.”

Microsoft data protection technologies do not tie decryption keys to user accounts. For example, BitLocker Drive Encryption never ties decryption keys (PINs or recovery passwords) to user accounts in Active Directory. Encrypting File System (EFS) does not tie decryption keys to user accounts either. Your organization can revoke a person’s ability to decrypt a document without changing system access privileges. In certain configurations, EFS attempts to optimize the user experience by automatically placing some decryption keys in the user profiles of specific users. However, this behavior can be changed through appropriate configuration.

PCI DSS Requirements and Associated Technology Solutions

Requirement: Technology Solution Sections

Requirement 1: Risk Assessment; Network Security

Requirement 2: Network Security

Requirement 3: Document Management; Risk Assessment; Data Classification and Protection

Requirement 4: Risk Assessment; Messaging and Collaboration; Data Classification and Protection; Network Security

Requirement 5: Risk Assessment; Malicious Software Prevention

Requirement 6: Document Management; Risk Assessment; Change Management; Host Control; Malicious Software Prevention; Application Security; Authentication, Authorization, and Access Control

Requirement 7: Document Management; Risk Assessment; Identity Management; Authentication, Authorization, and Access Control; Data Classification and Protection

Requirement 8: Risk Assessment; Authentication, Authorization, and Access Control

Requirement 9: Document Management

Requirement 10: Document Management; Change Management; Monitoring, Auditing, and Reporting; Network Security

Requirement 11: Risk Assessment; Host Control; Vulnerability Identification

Requirement 12: Document Management

Additional Resources

The Payment Card Industry Data Security Standard, version 1.1

The Regulatory Compliance Planning Guide

The PCI DSS Self-Assessment Questionnaire

The PCI DSS QSA Audit Procedures

The PCI DSS ASV Scanning Procedures

Applying the Principle of Least Privilege to User Accounts on Windows XP

Best Practices for Delegating Active Directory Administration

Banking Industry Center Downloads

Feedback

Please direct questions and comments about this guide to secaware@microsoft.com.