PCI DSS 3.0
Qualified Security Assessors (QSAs) now require file integrity monitoring (FIM) on all point-of-sale (POS) transactions. Content collection, covering both flat and text files, is a current requirement for PCI DSS compliance.
Achieving compliance used to be problematic: it was excessively expensive, and the need for such security measures was difficult to understand.
That was before EzFIM burst onto the scene with unique products that are both cost-effective and user-friendly.
PCI DSS v3.0 Requirement 11.5
File integrity monitoring tools are deployed to assist in alerting personnel to unauthorized modification of critical system files. Software is configured to perform file comparisons at least once per week.
Note: For the purposes of file integrity monitoring, "critical files" refers to system files as well as content and configuration files. These files should not change regularly, so any modification of them could indicate a compromise of the system. File integrity products usually come pre-configured with the critical files for the operating system; files belonging to a custom application must be evaluated and defined by the merchant or service provider.
11.5.a – Verify the use of file integrity monitoring tools within the cardholder data environment by observing system settings and monitored files. Files that should be monitored include:
- Executable files – including system and application files
- Configuration and parameter files
- Log and audit files, as well as centrally stored and historically archived files
11.5.b – Verify that the tools are configured to alert personnel to unauthorized modification of files and to perform critical file comparisons at least once per week.
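To make Requirement 11.5 concrete, the following is an added example of the mechanism a FIM tool implements; it is not EzFIM's code and not part of the requirement text. It records a baseline (SHA-256 digest, size and permission bits) for every file under a monitored tree, re-hashes the tree on the weekly comparison, classifies added, removed and modified files, and raises an alert for each change that was not approved through change control. The directory layout, file names, and the approved-change list are constructed for the demonstration.

```python
"""Minimal file integrity monitor in the spirit of PCI DSS 11.5 (added example, not EzFIM's code).

Assumptions (not from the requirement text): monitored files live under one root
directory, the baseline is kept as JSON, and approved changes are supplied as a set
of relative paths coming from the change-control process.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large log files are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Walk the monitored tree and record digest, size and mode for every regular file."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": file_digest(p),
                "size": st.st_size,
                "mode": st.st_mode & 0o777,  # permission change is also a modification
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """The weekly file comparison: which paths appeared, disappeared, or changed content/mode."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        k for k in set(baseline) & set(current)
        if baseline[k]["sha256"] != current[k]["sha256"]
        or baseline[k]["mode"] != current[k]["mode"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def alerts(diff: dict, approved: set) -> list:
    """Turn a diff into alert lines; changes recorded in change control are not 'unauthorized'."""
    out = []
    for kind in ("added", "removed", "modified"):
        for path in diff[kind]:
            if path in approved:
                continue
            out.append(f"ALERT unauthorized {kind}: {path}")
    return out


def demo() -> dict:
    """Constructed end-to-end run: baseline a small POS tree, tamper with it, compare, alert."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "pos.exe").write_bytes(b"MZ original binary")       # executable (11.5.a)
        (root / "etc" / "pos.conf").write_text("merchant_id=EXAMPLE\n")      # configuration file
        (root / "etc" / "approved.conf").write_text("v1\n")                  # will change with approval

        # Baseline is persisted as JSON; a real deployment stores it off-host or read-only.
        baseline = json.loads(json.dumps(build_baseline(root)))

        # Simulated drift between two weekly runs.
        (root / "bin" / "pos.exe").write_bytes(b"MZ tampered binary")        # unauthorized modification
        (root / "etc" / "approved.conf").write_text("v2\n")                  # approved modification
        (root / "bin" / "dropper.exe").write_bytes(b"MZ unexpected file")    # unauthorized addition
        (root / "etc" / "pos.conf").unlink()                                 # unauthorized removal

        diff = compare(baseline, build_baseline(root))
        return {"diff": diff, "alerts": alerts(diff, approved={"etc/approved.conf"})}


if __name__ == "__main__":
    for line in demo()["alerts"]:
        print(line)
```

Scheduling `compare()` from a weekly cron job (for example `0 3 * * 0`) satisfies the "at least once per week" cadence in 11.5; the baseline itself must be treated as a critical file, stored where the monitored host cannot silently rewrite it, and refreshed only through the same change-control process that feeds the approved-change list.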