AutomoxIT CompliancePatch Management

Patching for PCI Compliance

Compliance is a multifaceted challenge for any organization. Consider HR and workplace safety regulations, accounting and financial services regulations, and of course IT with data security regulations. It’s no surprise maintaining compliance is both a priority, as well as an ongoing struggle for businesses of any size.

Solutions that deliver confidence by simplifying efforts required to maintain compliance are in demand.

Data security has become an area of increasing regulation. More data is routed through, and stored in, the cloud. Cyber attacks have become more sophisticated and increasingly more frequent. These factors have created new security requirements and compliance regulations. For example, if your company accepts payments with a credit/debit card, then stores, processes, or transmits cardholder data, then you are subject to the Payment Card Industry Data Security Standard (PCI DSS or PCI for short).

PCI compliance requires that cardholder data is securely stored and transmitted. Fortunately, the 12 PCI requirements are straightforward and prescriptive:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need to know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for all personnel

Patching is specifically applicable to requirement six: Develop and maintain secure systems and applications. This requirement states:

“Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor provided security patches, which must be installed by the entities that manage the systems. All systems must have all appropriate software patches to protect against the exploitation and compromise of cardholder data by malicious individuals and malicious software.”

Diving deeper into the requirement six, section 6.2 of PCI DSS Requirements states:

“Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor supplied security patches. Install critical security patches within one month of release.”

Lastly, under Testing Procedures 6.2.a:

“Examine policies and procedures related to security patch installation to verify processes are defined for:

  • Installation of applicable critical vendor-supplied security patches within one month of release.
  • Installation of all applicable vendor-supplied security patches within an appropriate time frame (for example, within three months).

This requirement applies to applicable patches for all systems and installed software, including payment applications (both those that are PA-DSS validated and those that are not).

The solution to patching quickly and accurately is automated system protection. Automox customers have found that automating patching across any system reduces the amount of time and resources spent on patching by 90%.

The Automox cloud based solution employs an agent on every system (i.e., server, workstation, and laptop) enabling instant visibility of system security and compliance from a single dashboard. Working across Windows, Mac OS X, Linux, and 3rd party software, Automox provides complete control of system and software configuration within the defined PCI window.

With Automox, you’re in complete control.

Automox allows you to automate patching in the way that meets your needs. From full automation where patches are applied within hours of their release, to patch testing lifecycle where you can manage when patches are deployed into production.

It’s also important to remember, compliance does not equal security. Compliance is just the confirmation that the company has met the requirements prescribed in regulations (or best practices or industry standards) at a specific point in time. Security is the ongoing and active process that keeps your systems current with the constant changes associated with technology.

Automox automates system protection so compliance is not a one time exercise, it’s an everyday activity.  To learn more, drop us a note. Or if you’d like, try us out on your own with a free 15 day trial.


Holly Hamann, CMO

Author Holly Hamann, CMO

Holly Hamann serves as Automox's Chief Marketing Officer and is an entrepreneur and start-up veteran. She has helped launch six tech companies in the social media, content, video, and marketing software industries and specializes in SaaS software marketing, content marketing, and influencer marketing. She is an American Marketing Association "Marketer of the Year" recipient and holds a Bachelor's Degree in Mathematics and Computer Science.

More posts by Holly Hamann, CMO