Patching for PCI Compliance

Compliance is a multifaceted challenge for any organization. Consider HR and workplace safety regulations, accounting and financial services regulations, and of course IT with its data security regulations. It’s no surprise that maintaining compliance is both a priority and an ongoing struggle for businesses of any size.

Solutions that deliver confidence by simplifying efforts required to maintain compliance are in demand.

Data security has become an area of increasing regulation. More data is routed through, and stored in, the cloud. Cyber attacks have become more sophisticated and more frequent. These factors have created new security requirements and compliance regulations. For example, if your company accepts credit or debit card payments and stores, processes, or transmits cardholder data, it is subject to the Payment Card Industry Data Security Standard (PCI DSS, or PCI for short).

PCI compliance requires that cardholder data be securely stored and transmitted. Fortunately, the 12 PCI requirements are straightforward and prescriptive:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need to know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for all personnel

Patching is specifically applicable to requirement six: Develop and maintain secure systems and applications. This requirement states:

“Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor-provided security patches, which must be installed by the entities that manage the systems. All systems must have all appropriate software patches to protect against the exploitation and compromise of cardholder data by malicious individuals and malicious software.”

Diving deeper into requirement six, section 6.2 of the PCI DSS Requirements states:

“Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.”

Lastly, under Testing Procedures 6.2.a:

“Examine policies and procedures related to security patch installation to verify processes are defined for:

  • Installation of applicable critical vendor-supplied security patches within one month of release.
  • Installation of all applicable vendor-supplied security patches within an appropriate time frame (for example, within three months).

This requirement applies to applicable patches for all systems and installed software, including payment applications (both those that are PA-DSS validated and those that are not).”
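As an added example (not part of the original post and not an Automox feature), the check below maps a patch inventory onto the 6.2 time frames: a 30-day window for critical patches and a 90-day window for everything else are assumed day counts for “one month” and “three months”, and the hosts and patch identifiers are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# PCI DSS 6.2 / 6.2.a windows. "One month" and "three months" are taken here
# as 30 and 90 days; that mapping is an assumption, so align it with the
# day counts written into your own patch policy.
WINDOW_DAYS = {"critical": 30, "other": 90}

@dataclass
class PatchRecord:
    host: str
    patch_id: str              # vendor advisory / KB id (constructed placeholder)
    severity: str              # "critical" or "other"
    released: date
    installed: Optional[date]  # None when the patch is not yet installed

def deadline(rec: PatchRecord) -> date:
    """Last date on which installing this patch still meets the window."""
    days = WINDOW_DAYS.get(rec.severity, WINDOW_DAYS["other"])
    return rec.released + timedelta(days=days)

def status(rec: PatchRecord, today: date) -> str:
    """compliant / late (installed past the window) / overdue / pending."""
    due = deadline(rec)
    if rec.installed is not None:
        return "compliant" if rec.installed <= due else "late"
    return "overdue" if today > due else "pending"

def audit(records, today: date) -> dict:
    """Group the inventory by status; each entry is (host, patch_id, deadline)."""
    report = {"compliant": [], "late": [], "overdue": [], "pending": []}
    for rec in records:
        report[status(rec, today)].append((rec.host, rec.patch_id, deadline(rec)))
    return report

# Constructed sample inventory and audit date; not real advisories or hosts.
AS_OF = date(2024, 5, 1)
SAMPLE = [
    PatchRecord("pos-01", "PATCH-A", "critical", date(2024, 3, 1), date(2024, 3, 20)),
    PatchRecord("pos-02", "PATCH-A", "critical", date(2024, 3, 1), date(2024, 4, 15)),
    PatchRecord("db-01",  "PATCH-B", "other",    date(2024, 1, 10), None),
    PatchRecord("web-01", "PATCH-C", "critical", date(2024, 4, 25), None),
]

if __name__ == "__main__":
    for state, items in audit(SAMPLE, AS_OF).items():
        for host, pid, due in items:
            print(f"{state:9} {host:7} {pid} (due {due})")
```

The "late" bucket is the one an assessor examining 6.2.a evidence will ask about: the patch is on the box, but the installation date shows the window was missed.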

The solution to patching quickly and accurately is automated system protection. Automox customers have found that automating patching across any system reduces the amount of time and resources spent on patching by 90%.

The Automox cloud-based solution employs an agent on every system (i.e., server, workstation, and laptop), enabling instant visibility of system security and compliance from a single dashboard. Working across Windows, Mac OS X, Linux, and third-party software, Automox provides complete control of system and software configuration within the defined PCI window.

With Automox, you’re in complete control.

Automox allows you to automate patching in the way that meets your needs, from full automation, where patches are applied within hours of their release, to a patch-testing lifecycle, where you manage when patches are deployed into production.

It’s also important to remember that compliance does not equal security. Compliance is only confirmation that the company has met the requirements prescribed in regulations (or best practices or industry standards) at a specific point in time. Security is the ongoing, active process that keeps your systems current with the constant changes in technology.

About Automox

Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.

Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.

Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.