Several SolarWinds products can help with various areas of the Payment Card Industry (PCI) Data Security Standard (DSS) requirements. The purpose of the PCI DSS is to set a baseline of minimum security for any vendor that takes credit cards. This is good for the consumer because it (theoretically) institutes best practices that reduce the risk of a security breach that could expose their data, making PCI-compliant vendors less likely to put you and me at risk of identity theft that way. This is good for IT shops because it has historically been difficult to get budget for security and privacy initiatives, even when you know they are the right way to do things. PCI is also an ongoing cost for IT, though, because many of the controls are not one-time checkboxes; they are continuous mandates that help you stay out of the headlines.
The PCI DSS is broken down into several sections. These sections cover everything from physical security requirements to secure IT implementation to scanning and monitoring.
NCM is a network configuration management system that audits network device policies and changes, and lets you institute change management procedures (including approvals) around device changes. More info about NCM's features as they apply to PCI compliance can be found here, but here are the specific items it can help with:
NCM provides specific reports for PCI compliance to make it easy to audit configuration settings and changes.
Patch Manager integrates with native Windows patching technology (WSUS/SCCM) and also provides built-in third-party application patching. More info on Patch Manager's features can be found here, but here are the specific items it can help with:
Serv-U MFT provides the ability to ensure the security of transferred files, supporting configurations that keep your sensitive data from hanging out in the wild. If you use file transfer for cardholder data, Serv-U is for you. More detail is available here on the Serv-U site: Serv-U FTP Server PCI Compliance, but here are the specific items it can help with:
SolarWinds LEM is a Security Information & Event Management (SIEM) and Log Management system that provides log collection, real-time correlation/notification/response, flexible and extensive historical search, compliance reporting, and some endpoint security. More info about LEM's features as they apply to PCI compliance can be found here, but here are the specific items it can help with:
LEM provides extensive audit log reporting capabilities for all of the collected log data, whether it's for auditing compliance with any of the standards mentioned above, or the specific items mentioned in 10.6.
No. SolarWinds products do not capture credit card data directly, provide access to card data directly, or authenticate card data directly. Products that are "in scope" for PCI compliance themselves would include things like databases, file servers, firewalls and routers used for networks that store or access cardholder data, and user accounts used to directly access cardholder data. Our management products are used to meet specific PCI requirements at what you could think of as a meta level: they aren't providing the cardholder data, they are providing information about access to the cardholder data, networks, and systems.
For LEM, the audit trail data we collect does not include cardholder data; again, it is only information about access to cardholder data. With NCM, you can approve/modify firewall configurations, but we are not collecting or reviewing network traffic. With other products that monitor or live on the network (like NPM and NTA), we are, again, not collecting or storing actual network traffic that may contain cardholder data, only information about network traffic. With SAM, we are similarly monitoring system activity, but nothing directly related to the cardholder data itself. With SEUM, your recorded transactions contain the data you choose to submit, which would not be the cardholder data customers may be submitting to the same site (if you're testing performance on a form related to card number submission). Patch Manager can inform you of missing patches or the patch state of a system that stores or accesses cardholder data, but never accesses the system for any purpose other than patching.
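The scoping argument above rests on the collected audit trail holding only information about access, never card numbers themselves. A practitioner who wants to verify that claim for their own log feeds can scan the collected lines for PAN-like numbers. The check below is an added example, not SolarWinds or LEM code: it uses constructed sample log lines (not real product output) and flags any run of 13-19 digits that passes the Luhn check, masking the match so the report itself does not reproduce the number.

```python
import re

# Constructed sample audit-trail lines, modelled on what a log collector
# might receive from a file server, a database and an application server.
# These are illustrative only, not real LEM or device output.
SAMPLE_LOG_LINES = [
    "2014-03-01T10:15:02Z fileserver01 audit: user=jdoe action=READ object=/cardholder/batch_0301.csv result=SUCCESS",
    "2014-03-01T10:16:44Z dbserver02 audit: user=svc_billing action=SELECT table=payments rows=120 result=SUCCESS",
    "2014-03-01T10:17:09Z appserver03 debug: processing card 4111 1111 1111 1111 for order 88213",
    "2014-03-01T10:18:30Z fileserver01 audit: user=jdoe action=DELETE object=/cardholder/batch_0228.csv result=DENIED",
]

# Candidate runs of 13-19 digits, optionally separated by single spaces or dashes.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pan_like(line: str) -> list:
    """Return masked forms (first 6 and last 4 kept) of every Luhn-valid
    13-19 digit run found in the line."""
    hits = []
    for m in _PAN_CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits


def audit_log_scope_report(lines) -> dict:
    """Classify log lines. 'access_only' lines are what a management or SIEM
    product is expected to hold (who, what, when, result). Any line under
    'contains_pan' would pull the log store into PCI scope and must be fixed
    at the source (for example, a debug statement that logs the card number)."""
    report = {"access_only": 0, "contains_pan": []}
    for n, line in enumerate(lines, 1):
        hits = find_pan_like(line)
        if hits:
            report["contains_pan"].append((n, hits))
        else:
            report["access_only"] += 1
    return report


if __name__ == "__main__":
    for n, masked in audit_log_scope_report(SAMPLE_LOG_LINES)["contains_pan"]:
        print(f"line {n}: PAN-like value(s) {masked} found in collected log data")
```

The third constructed line is an application debug message that leaks a full card number; the first, second and fourth are pure access records and pass. Running a check like this over a sample of what your collector actually ingests is the practical way to confirm that the "information about access" boundary holds in your environment.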
Requirements such as changing default user accounts and SNMP communities, and keeping audit trails, are general security best practices. Some of them can be applied to SolarWinds products, others can't. The answer is a solid "it depends."
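To make the "default accounts and SNMP communities" item concrete, here is an added example (not NCM or any SolarWinds product's own policy logic) of the kind of check a configuration audit performs for PCI DSS Requirement 2 (vendor-supplied defaults). It runs against a constructed IOS-style configuration excerpt with the weak settings in place, and against a hardened version of the same excerpt; the device name, usernames and community strings are made up for the example, and the list of "default" usernames is an assumption for illustration.

```python
import re

# Constructed device configuration excerpt with vendor-default settings still
# present. Not a real device and not NCM output.
WEAK_CONFIG = """\
hostname edge-rtr-01
username admin privilege 15 secret 5 $1$abcd$placeholder
username cisco privilege 15 secret 5 $1$efgh$placeholder
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet ssh
"""

# The same excerpt after remediation: unique admin account, non-default
# read-only community restricted by an ACL, SNMPv3 for monitoring,
# and SSH-only management access.
HARDENED_CONFIG = """\
hostname edge-rtr-01
username netops-admin privilege 15 secret 5 $1$ijkl$placeholder
snmp-server community Kq8zR2vX-ro RO 10
snmp-server group NETMON v3 priv
line vty 0 4
 transport input ssh
"""

DEFAULT_COMMUNITIES = {"public", "private"}
# Assumed vendor-default account names for this example only.
DEFAULT_USERNAMES = {"admin", "cisco", "root", "manager"}


def check_vendor_defaults(config: str) -> list:
    """Return (check, detail) findings for settings PCI DSS Requirement 2
    expects to be changed before a device goes into production."""
    findings = []
    for line in config.splitlines():
        stripped = line.strip()
        m = re.match(r"snmp-server community (\S+)", stripped)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append(("default-snmp-community", m.group(1)))
        m = re.match(r"username (\S+)", stripped)
        if m and m.group(1).lower() in DEFAULT_USERNAMES:
            findings.append(("default-username", m.group(1)))
        # Telnet carries management credentials in cleartext; flag it.
        if stripped.startswith("transport input") and "telnet" in stripped.split():
            findings.append(("cleartext-management", stripped))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, check_vendor_defaults(cfg) or "no findings")
```

The same pattern applies to the SolarWinds servers themselves: any default account or community string left on the management platform is a finding in its own right, which is the "it depends" part of the answer above.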
Specific configuration changes we've been asked about:
Most of the changes in PCI DSS v3.0 don't affect your SolarWinds implementations, and product changes were not necessary, though your implementation and processes might need to be tweaked. Notable changes that can apply to SolarWinds products:
If you've got questions about how SolarWinds products are used for PCI, what specific reports or features to look for, or how to implement any of the best practices security configurations, leave them in the comments. I'll update this page with any other common questions we get related to PCI configuration and can direct link any features if that's helpful.
SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 150,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process. Learn more today by joining now.