Free and low-cost tools for PCI DSS Compliance

Steven Weil, Senior Security Auditor

Complying with the PCI DSS requires policies and processes, plus implementing and managing a variety of software tools. As a QSA who has performed many PCI assessments for merchants and service providers, I’ve seen and assessed a variety of free and low-cost (under $200) software tools that help our customers comply with PCI DSS.

Neither Coalfire nor I endorse the software tools discussed here, and not all free and low-cost tools that can help with PCI DSS compliance will be covered. Also keep in mind that the tools mentioned here will not work for all organizations, and there are many other commercial and higher-cost tools that can be used to help with PCI DSS compliance.
With that, let’s begin a tour of free and low-cost software tools that can help your organization comply with PCI DSS.

Credit Card Detection Software
CDE scoping, including identifying and defining where payment card data is stored, processed or transmitted, is critical for PCI DSS compliance. The following free and low-cost tools can be used to search your networks and systems for payment card data:
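To show what a card-data discovery tool does under the hood, here is an added example (not code from the original article or from any of the tools it refers to): it scans text for 13–19 digit candidate primary account numbers (PANs), strips common separators, and keeps only candidates that pass the Luhn check, which is what stops order numbers and timestamps from flooding the results. The regular expression, the `SAMPLE_LOG` content and the masking format are assumptions chosen for illustration; the card numbers in the sample are well-known test numbers, not real accounts.

```python
import re
from typing import List

# Candidate PAN: 13 to 19 digits, each optionally followed by a space or dash.
# The lookarounds stop the scanner from matching a substring of a longer digit run.
# Constructed pattern for illustration; real tools add issuer prefix and length rules.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample "log" content: one Luhn-valid Visa test PAN, one MasterCard
# test PAN written with spaces, an order number that happens to be 16 digits, and
# a near-miss that fails Luhn.
SAMPLE_LOG = """\
2024-03-01 order=1234567890123456 pan=4111111111111111 status=ok
support note: customer read card 5500 0000 0000 0004 over the phone
2024-03-01 pan=4111111111111112 status=declined
"""


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid candidate PANs found in text, digits only."""
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Mask a PAN to first six / last four, the most PCI DSS permits to display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    for pan in find_pans(SAMPLE_LOG):
        # Report the masked value only; a discovery tool's own report must not
        # become a new, unprotected copy of cardholder data.
        print("possible PAN found:", mask_pan(pan))
```

Note that the finding itself is sensitive: a discovery scan that writes full PANs to a report has just created another location that is in scope, so report masked values and file locations only.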

File Integrity Monitoring
PCI DSS requires organizations to implement file integrity monitoring tools that alert personnel to unauthorized modifications of critical system, configuration and content files. The following free file integrity monitoring tools can be used for this requirement:

Intrusion Detection and Prevention
PCI DSS requires organizations to implement intrusion-detection systems (IDS) and/or intrusion-prevention systems (IPS) to monitor all traffic at the perimeter of the cardholder data environment (CDE) and at critical points inside the CDE. The following free IDS/IPS tools can be used for this requirement:

Securing and Synchronizing Router Configuration Files
PCI DSS requires organizations to secure and synchronize CDE router configuration files. The following free tool can be used to meet this requirement:

Wireless assessment
PCI DSS requires organizations to regularly detect and identify wireless access points (WAPs) within their CDEs. The following free and low-cost tools can be used to detect and identify WAPs:

Password Storage
PCI DSS requires that passwords for CDE systems be securely stored and managed. You can use the following free tools to manage passwords:

Network Monitoring
Network monitoring tools can be used to verify that PCI DSS-required controls and services (e.g. SSH, SSL/TLS) are running and correctly configured. The following free network monitoring tools are often seen by Coalfire during PCI assessments:

With the lists of tools here, we’ve only scratched the surface of free and low-cost software tools that you might use to help with PCI DSS compliance. I encourage you to explore these tools and determine which ones might benefit your organization.
