Complying with the PCI DSS requires policies and processes plus implementing and managing a variety of software tools. As a QSA who has performed many PCI assessments for merchants and service providers, I’ve seen and assessed a variety of free and low-cost (under $200) software tools that help our customers comply with PCI DSS.
Neither Coalfire nor I are endorsing the software tools discussed here, and not all free and low-cost tools that can help with PCI DSS compliance will be covered. Also keep in mind that the tools mentioned here will not work for all organizations and there are many other commercial and higher-cost tools that can be used to help with PCI DSS compliance.
With that, let’s begin a tour of free and low-cost software tools that can help your organization comply with PCI DSS.
Credit Card Detection Software
CDE scoping, including identifying and defining where payment cards are stored, is critical for PCI DSS compliance. The following free and low-cost tools can be used to search your networks and systems for payment card data:
File Integrity Monitoring
PCI DSS requires organizations to implement file-integrity monitoring tools that alert employees to unauthorized modifications of critical system, configuration and content files. The following free file integrity monitoring tools can be used for this requirement:
PCI DSS requires organizations to implement intrusion-detection systems (IDS) and/or intrusion-prevention systems (IPS) to monitor all traffic at the perimeter of the cardholder data environment (CDE) and at critical points inside the CDE. The following free IDS/IPS tools can be used for this requirement:
Securing and Synchronizing Router Configuration Files
PCI DSS requires organizations to secure and synchronize CDE router configuration files. The following free tool can be used to meet this requirement:
PCI DSS requires organizations to regularly detect and identify wireless access points (WAPs) within their CDEs. The following free and low-cost tools can be used to detect and identify WAPs:
PCI DSS requires that passwords for CDE systems be securely stored and managed. You can use the following free tools to manage passwords:
Network monitoring tools can be used to ensure that PCI DSS-required controls and processes (e.g. SSH, SSL) are correctly running. The following free network monitoring tools are often seen by Coalfire during PCI assessments:
With the lists of tools here, we’ve only scratched the surface of free and low-cost software tools that you might use to help with PCI DSS compliance. I encourage you to explore these tools and determine which ones might benefit your organization.