Understanding the New PCI Checklist for Windows 10 As a Financial Organization

Last month IBM published an updated PCI checklist for organizations managing Windows 10 devices and using the BigFix PCI Compliance add-on. This update is especially important for those with Windows 10 devices in the financial sector, as it adds additional remediation points to further ensure that no Windows 10 device falls out of compliance. This change gives financial and retail organizations a great new tool for improving PCI compliance. Achieving and maintaining PCI compliance in financial organizations means that you are keeping your customers' information safe and secure and preventing cybercriminals from using that data in a fraudulent and costly way.

What Is It?

This latest addition to the BigFix Compliance add-on is a component that provides security configuration checklists which are based on the Payment Card Industry Data Security Standard v3.2 (PCI DSS). These additional security configuration checks are focused on Windows 10 devices and are designed to ensure the continued compliance of these devices. This checklist release also adds support for the Windows 10 Enterprise Anniversary Update.

The new component uses the Security Configuration Management (SCM) module within the BigFix Compliance add-on. SCM is able to provide a comprehensive library of controls to detect and enforce set security policies for Windows 10 devices in an organization. The great thing about utilizing SCM is that it includes a web interface to summarize and analyze data streams to show in real-time the health of an organization’s assets. This offers the additional benefit of having reporting views and tools at your fingertips to easily manage any devices found to be non-compliant, thereby giving a financial house instant enforcement and constant policy compliance.

A PCI DSS World Must Have

In the financial world, having a single device out of compliance will give your PCI auditor fits. This checklist, with its updated remediation checks, helped one of my clients catch a major compliance issue that went unnoticed until the latest checklist was put into place.

This particular client is a small (less than 250 users) brokerage that implemented BigFix on its own about a year ago, along with the BigFix PCI Compliance add-on. Having a small IT staff has made them aggressive about implementing new product releases, especially those aimed at making PCI compliance an easier undertaking. They called me the day after this latest release of the PCI DSS checklist.

They had completed their Windows 10 migration during the last quarter, but the senior engineer who led both efforts had left the brokerage. They noticed that some of their Windows 10 devices were not reporting into the BigFix console, and thus were not being monitored for compliance issues. They assumed that because the monthly patches were going out without errors, and subsequent security scans using third-party software came back clean, all was well.

After the new PCI DSS checklist was instituted in the BigFix Compliance add-on, those assumptions quickly went out the window. When the new component went into place, the missing clients all started to check in, but the devices were so severely out of compliance that they all had to be reimaged. This was exacerbated by the lack of an OSD monitoring rule in BigFix to verify that devices being imaged completed at the highest level of patching and at the highest level of security compliance possible.

The new checklist component, when it evaluated the security settings of these devices against the PCI DSS content stored in the IBM BigFix Compliance add-on, started to report compliance failures on over 95% of their Windows 10 devices. Making matters worse, instead of fixing outdated and grossly noncompliant images, the former engineer had simply turned off the OSD alerting rules. In other words, once the updated checklist was in place and BigFix began to enforce the security policies it defines, gaping holes in their BigFix setup came to light. This small brokerage house was now severely out of PCI compliance.

To aid them in getting up to speed as quickly as possible, I utilized an additional feature of this latest checklist: the analysis property. The analysis property provides an improved method for financial institutions to perform immediate analysis and remediation on Windows 10 devices that fall out of compliance, while generating real-time reporting that can be viewed from the already-in-place BigFix console. This gave us the ability to quickly bring affected devices back into PCI compliance, thankfully with no impact to the security of the organization.

Calling In The Experts

By calling on Champion, the client was able to get out of trouble without being hurt by a former employee’s shortsightedness. In using the updated PCI DSS checklist for the BigFix Compliance add-on, we at Champion were able to give them instant visibility into the configurations of their relatively new Windows 10 endpoints, allowing for real-time detection and remediation efforts. Champion’s expertise and technical muscle will calm the PCI compliance waters for anyone in the financial sector.

