We all know what PCI 11.5 says, right? At Tripwire it’s almost a corporate anthem:
“Deploy file-integrity monitoring tools to alert personnel to unauthorized modification of critical system files, configuration files, or content files…”
Ensuring the integrity of files and configurations is essential to IT security in general, and indispensable in protecting the cardholder information that fuels modern commerce. We know that too, right? Now comes PCI DSS v2.0, and with it a small, almost innocuous addition to this long-standing requirement. The additional testing procedure labeled 11.5.b says:
“Verify the tools are configured to alert personnel to unauthorized modification of critical files, and to perform critical file comparisons at least weekly.”
It sounds as if PCI DSS 2.0 is driving us closer to the spirit of its own requirements by injecting a bit of Missouri wisdom: “Show me.”
The new clarification to 11.5, subtle though it seems, puts the onus on the merchant to show that the tools in place are actually alerting on unauthorized modifications of critical files, and that critical file comparisons are run at least weekly. It makes understanding change a requirement. The phrase “critical file comparisons” demands more than knowing that “something” changed. It demands knowing the degree of change, and whether it was to content, to permissions, or to other security attributes such as ownership. It demands that all merchants get serious about understanding, assessing, and reconciling changes to their critical files and configurations on an ongoing basis. It demands that they do more than merely capture every change (good or bad, authorized or unauthorized).
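To make “critical file comparison” concrete, here is an added example (written for this page, not code from Tripwire or from any PCI document) of a minimal baseline-and-compare routine. It records a content hash plus the permission and ownership bits for each file, so a later comparison reports which attribute changed rather than just that the file changed. The file names, contents and the directory it scans are constructed for the demonstration and stand in for real critical files; the weekly schedule the testing procedure requires is left to whatever runs the comparison.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def snapshot(path: Path) -> dict:
    """Record the attributes a critical-file comparison needs: the content
    hash plus permission and ownership bits, so a later comparison can say
    whether content, mode or owner changed rather than just "something"."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {
        "sha256": digest.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),  # permission bits only, e.g. 0o640
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }


def baseline(root: Path) -> dict:
    """Snapshot every regular file under root, keyed by path relative to root."""
    return {
        str(p.relative_to(root)): snapshot(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def compare(old: dict, new: dict) -> dict:
    """Diff two baselines. Each entry says whether a file was added, removed
    or modified and, for modified files, which attributes changed (old, new)."""
    report = {}
    for rel in sorted(set(old) | set(new)):
        if rel not in new:
            report[rel] = {"status": "removed", "changes": {}}
        elif rel not in old:
            report[rel] = {"status": "added", "changes": {}}
        else:
            changes = {k: (old[rel][k], new[rel][k])
                       for k in old[rel] if old[rel][k] != new[rel][k]}
            if changes:
                report[rel] = {"status": "modified", "changes": changes}
    return report


def describe(rel: str, entry: dict) -> str:
    """One human-readable alert line per finding, naming what changed."""
    if entry["status"] != "modified":
        return f"{rel}: {entry['status']}"
    parts = []
    for attr, (before, after) in entry["changes"].items():
        if attr == "mode":
            parts.append(f"mode {before:04o} -> {after:04o}")
        elif attr == "sha256":
            parts.append("content changed")
        else:
            parts.append(f"{attr} {before} -> {after}")
    return f"{rel}: " + ", ".join(parts)


def demo() -> dict:
    """Constructed scenario (file names and contents are made up for this
    example): take a baseline, then make the kinds of unauthorized changes
    requirement 11.5 is meant to catch, and return the comparison report."""
    root = Path(tempfile.mkdtemp(prefix="fim-demo-"))
    conf = root / "app.conf"
    conf.write_text("listen=443\n")
    conf.chmod(0o640)
    script = root / "checkout.sh"
    script.write_text("#!/bin/sh\necho ok\n")
    script.chmod(0o750)
    key = root / "tls.key"
    key.write_text("CONSTRUCTED PLACEHOLDER, NOT A REAL KEY\n")
    key.chmod(0o600)
    before = baseline(root)

    conf.write_text("listen=443\ndebug=true\n")    # content edited
    script.chmod(0o777)                            # permissions loosened, content intact
    key.unlink()                                   # critical file removed
    (root / "helper.sh").write_text("echo new\n")  # unexpected new file

    report = compare(before, baseline(root))
    for rel, entry in report.items():
        print(describe(rel, entry))
    return report


if __name__ == "__main__":
    demo()
```

Run as a script, the report distinguishes the four cases: app.conf shows a content (hash and size) change with its mode untouched, checkout.sh shows only a mode change, tls.key is reported as removed, and helper.sh as added. Reconciling each finding against an approved change record is the step the tool cannot do for you; that is the “understanding change” the clarified testing procedure is after.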
Why this addition? The PCI Security Standards Council itself stated why this clarification and other additions were deemed important enough to go into Version 2: “Clarifies intent of requirement; ensures that concise wording in the standards portray the desired intent of requirements.”
We care deeply about critical file changes – always have. It’s not a side job for us, or “something else” we do. Because of this, our customers are in a position to respond immediately and confidently to these clarifications. Here’s more information on how we help merchants meet the true intent of file integrity monitoring.
You can also download the latest PCI DSS v2.0 and supporting documentation from the PCI Security Standards Council’s website.