ThreatLocker and PCI-DSS v4 Compliance

26 min. read. Last update: 05.10.2023

PCI-DSS is a set of standards used to secure credit and debit card transactions against fraud or theft. Businesses that store, process, or transmit cardholder data must comply with the PCI-DSS framework.

When properly configured, ThreatLocker can assist organizations in fulfilling PCI-DSS compliance requirements. We have done our best to outline the requirements of PCI-DSS that ThreatLocker supports. Where a requirement is not listed, ThreatLocker doesn’t currently support it. 

Requirement 1:  Install and Maintain Network Security Controls 

1.2 Network security controls (NSCs) are configured and maintained. 

    1.2.5 “All services, protocols, and ports allowed are identified, approved, and have a defined business need.”

     1.2.6 “Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.” 

ThreatLocker Network Control can assist with meeting these requirements of PCI-DSS compliance. ThreatLocker Network Control is a centrally managed server and endpoint firewall that gives you control of network traffic. Instead of opening and closing firewall ports or using a VPN, Network Control policies can provide on-demand port control using agent authentication or dynamic ACLs. Authorized devices are automatically given access while preventing unauthorized devices from seeing or connecting to the in-use port. The connection closes within minutes when it is no longer in use. 

     1.2.8 “Configuration files for NSCs are:  

  • Secured from unauthorized access.
  • Kept consistent with active network configurations.” 

ThreatLocker Network Control can assist with meeting this requirement of PCI-DSS compliance. ThreatLocker Network Control is a centrally managed server and endpoint firewall. All Network Control configurations are managed from the ThreatLocker cloud portal. Only authorized users have access to the ThreatLocker Portal. Once provided access to the ThreatLocker Portal, granular control can be placed so that only specific admins can view or change settings for Network Control. The System Audit logs all activity that occurs in the ThreatLocker Portal, showing the logged-in user and what areas were viewed or manipulated. 

1.3 Network access to and from the cardholder data environment is restricted. 

     1.3.1 “Inbound traffic to the CDE is restricted as follows: 

  • To only traffic that is necessary.
  • All other traffic is specifically denied.” 

ThreatLocker Network Control can assist with meeting this requirement of PCI-DSS compliance. Using Network Control, permit access to the machine holding cardholder data to only the specific devices that require that access. Authorized devices will automatically be given access while preventing unauthorized devices from seeing or connecting to the in-use port. The connection closes within minutes when it is no longer in use. 

ThreatLocker Storage Control can also assist with meeting this requirement. Storage Control provides granular control over data locations (e.g., local files, network shares, external storage). Permit access to specific users and applications that require access to the location of CDE, and all other access will be blocked. 

     1.3.3 “NSCs are installed between all wireless networks and the CDE, regardless of whether the wireless network is a CDE, such that: 

  • All wireless traffic from wireless networks into the CDE is denied by default.
  • Only wireless traffic with an authorized business purpose is allowed into the CDE.”  

ThreatLocker Network Control can assist with meeting this requirement of PCI-DSS compliance. ThreatLocker Network Control is a centrally managed server and endpoint firewall that gives you control of network traffic. Instead of opening and closing firewall ports or using a VPN, Network Control policies can provide on-demand port control using agent authentication or dynamic ACLs. Authorized devices are automatically given access while preventing unauthorized devices from seeing or connecting to the in-use port. No matter if the connection is wireless or wired, unless designated as permitted, access to the CDE will be blocked. 

1.4 Network connections between trusted and untrusted networks are controlled. 

     1.4.1 “NSCs are implemented between trusted and untrusted networks.” 

     1.4.3 “Inbound traffic from untrusted networks to trusted networks is restricted to: 

  • Communications with system components that are authorized to provide publicly accessible services, protocols, and ports. 
  • Stateful responses to communications initiated by system components in a trusted network.
  • All other traffic is denied.”  

ThreatLocker Network Control can assist with meeting these requirements of PCI-DSS compliance. ThreatLocker Network Control is a centrally managed server and endpoint firewall that gives you control of network traffic. Instead of opening and closing firewall ports or using a VPN, Network Control policies can provide on-demand port control using agent authentication or dynamic ACLs. Authorized devices are automatically given access while preventing unauthorized devices from seeing or connecting to the in-use port. No matter if the connection is wireless or wired, unless designated as permitted, access to the CDE will be blocked.

     1.4.4 “System components that store cardholder data are not directly accessible from untrusted networks.” 

ThreatLocker Network Control can assist with meeting this requirement of PCI-DSS compliance. Using Network Control, permit access to the machine holding cardholder data to only the specific devices that require that access. Authorized devices will automatically be given access while preventing unauthorized devices from seeing or connecting to the in-use port. The connection closes within minutes when it is no longer in use. 

ThreatLocker Storage Control can also assist with meeting this requirement. Storage Control provides granular control over data locations (e.g., local files, network shares, external storage). Permit access to specific users and applications that require access to the location of CDE, and all other access will be blocked. 

1.5 Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated. 

     1.5.1 “Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks (including the Internet) and the CDE as follows:

  • Specific configuration settings are defined to prevent threats being introduced into the entity’s network.
  • Security controls are actively running.
  • Security controls are not alterable by users of the computing devices unless specifically documented and authorized by management on a case-by-case basis for a limited period.” 

ThreatLocker can assist with meeting this requirement of PCI-DSS compliance. ThreatLocker Allowlisting operates using a default deny. No unauthorized applications, scripts, or libraries will be able to run on ThreatLocker protected devices. 

ThreatLocker Ringfencing creates boundaries that limit what permitted applications can interact with and access, including the internet, other applications, and files. 

ThreatLocker Ops uses telemetry data collected across all the ThreatLocker modules to identify and respond to potential indicators of compromise or weakness in the environment. Once a parameter is set, users can configure action steps to take if the parameter is met, like isolating a machine from the network.  

ThreatLocker Configuration Manager provides the ability to set security policies from a central location without the need for machines to be a member of Active Directory (e.g., Set password security policies, disable Office Macros, disable Autorun) to further protect against threats. 

ThreatLocker Network Control is a centrally managed server and endpoint firewall that provides total control over inbound network traffic. 

All ThreatLocker module configurations are managed from the ThreatLocker cloud portal. Only authorized users have access to the ThreatLocker Portal. Once provided access to the ThreatLocker Portal, granular control can be placed so that only specific admins can view or change settings for any of the ThreatLocker modules. The System Audit logs all activity that occurs in the ThreatLocker Portal, showing the logged-in user and what areas were viewed or manipulated. 

Combined, the ThreatLocker Endpoint Security Platform provides superior protection against threats. 

Requirement 2:  Apply Secure Configurations to All System Components 

2.2 System components are configured and managed securely. 

     2.2.1 “Configuration standards are developed, implemented, and maintained to: 

  • Cover all system components.
  • Address all known security vulnerabilities.
  • Be consistent with industry-accepted system hardening standards or vendor hardening recommendations.
  • Be updated as new vulnerability issues are identified, as defined in Requirement 6.3.1.
  • Be applied when new systems are configured and verified as in place before or immediately after a system component is connected to a production environment.”  

ThreatLocker can assist with meeting this requirement of PCI-DSS compliance. ThreatLocker Health Center can identify vulnerable machines and link to the offending policies for immediate revision.  

ThreatLocker Ops uses telemetry data collected across all the ThreatLocker modules to identify and respond to potential indicators of compromise or weakness in the environment (e.g., using a vulnerable MS Exchange version). Once a parameter is set, users can configure action steps to take if the parameter is met, like isolating a machine from the network. The ThreatLocker team has created and maintains ThreatLocker Ops policies for many known indicators of compromise. When the IOCs change, the policy will be automatically updated to reflect those changes. New policies will be added as ThreatLocker observes and responds to real-world malware events.  

ThreatLocker Configuration Manager provides central control of endpoint security policies, regardless of whether the machine is domain-joined. Set password security policies, disable local admin and guest accounts, disable UPnP, and control many more endpoint hardening policies all from within the ThreatLocker Portal. 

     2.2.4 “Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled.” 

     2.2.5 “If any insecure services, protocols, or daemons are present: 

  • Business justification is documented. 
  • Additional security features are documented and implemented that reduce the risk of using insecure services, protocols, or daemons.” 

ThreatLocker Network Control can assist with meeting these requirements of PCI-DSS compliance. ThreatLocker Network Control is a centrally managed server and endpoint firewall that gives you control of network traffic. Instead of opening and closing firewall ports or using a VPN, Network Control policies can provide on-demand port control using agent authentication or dynamic ACLs. Authorized devices are automatically given access while preventing unauthorized devices from seeing or connecting to the in-use port. Ports remain closed by default, and only open on demand for approved connections. No unauthorized connections are permitted. 

Requirement 3:  Processes and Mechanisms for Protecting Stored Account Data are Defined and Understood 

3.3 Sensitive authentication data (SAD) is not stored after authorization. 

     3.3.3 “Additional requirement for issuers and companies that support issuing services and store sensitive authentication data: Any storage of sensitive authentication data is:

  • Encrypted using strong cryptography. This bullet is a best practice until its effective date; refer to Applicability Notes below for details.” 

ThreatLocker can help meet this requirement of PCI-DSS compliance. ThreatLocker Storage Control can be used to enforce encryption on external storage media. 

ThreatLocker Configuration Manager can alert if BitLocker is not enabled on ThreatLocker-protected devices. 

ThreatLocker Storage Control can be used to enforce encryption on removable storage devices. Although it does not itself provide the encryption method, policies can be configured to block access to any storage device that is not encrypted. 

3.4 Access to displays of full PAN and ability to copy PAN is restricted. 

     3.4.2 “When using remote-access technologies, technical controls prevent copy and/or relocation of PAN for all personnel, except for those with documented, explicit authorization and a legitimate, defined business need.” 

ThreatLocker can assist in meeting this requirement of PCI-DSS compliance. ThreatLocker Network Control provides full control over inbound network traffic. Block all inbound remote connections to devices containing PAN, and then permit access only to the personnel who need it.  

Ringfencing can be used to prevent access to data locations by remote access software.  

Allowlisting can be used to permit only specific users to use remote software, and policies can be combined with Ringfencing to specify that certain users can use the remote software to access data, and other users cannot use the remote software to access data. 

3.5 Primary account number (PAN) is secured wherever it is stored. 

     3.5.1.2 “If disk-level or partition-level encryption (rather than file-, column-, or field-level database encryption) is used to render PAN unreadable, it is implemented only as follows:

  • On removable electronic media OR
  • If used for non-removable electronic media, PAN is also rendered unreadable via another mechanism that meets Requirement 3.5.1.” 

ThreatLocker can help meet this requirement of PCI-DSS compliance. ThreatLocker Storage Control can be used to enforce encryption on external storage media. 

ThreatLocker Configuration Manager can alert if BitLocker isn’t enabled on ThreatLocker-protected devices. 

Requirement 5:  Protect All Systems and Networks from Malicious Software 

5.2 Malicious software (malware) is prevented, or detected and addressed. 

     5.2.1 “An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware.

     5.2.2 The deployed anti-malware solution(s):

  • Removes, blocks, or contains all known types of malware.” 

ThreatLocker can help meet these requirements of PCI-DSS compliance. Once secured, Application Allowlisting will block any executable that isn't expressly permitted with the ThreatLocker default-deny policy, providing protection against malicious code being run in your environment. 

Storage Control can prevent the use of removable media, or allow only specific serial-numbered devices, and can control access to local files and network shares to limit the ability of malware to reach protected data. 

Ringfencing places boundaries on permitted applications to prevent them from interacting with the powerful built-in Windows tools, the registry, the internet, or files. 

ThreatLocker Ops uses telemetry data collected across all the ThreatLocker modules to identify and respond to potential indicators of compromise or weakness in the environment. Once a parameter is set, users can configure action steps to take if the parameter is met.  

Network Control allows total control of inbound traffic based on IP addresses, specific keywords, and/or objects to your ThreatLocker-protected devices using a simple server-client connection. Permit access to protected servers to only approved devices. Create a default deny, and ports will automatically open on demand for permitted connections. Unapproved devices will not have visibility of the ports in use. 

Combined, the ThreatLocker Endpoint Protection Platform provides superior protection against known and unknown malware.  

5.3 Anti-malware mechanisms and processes are active, maintained, and monitored. 

     5.3.1 “The anti-malware solution(s) is kept current via automatic updates.” 

ThreatLocker provides the ability to specify an update channel, which controls the release of automatic ThreatLocker updates to an environment.

     5.3.2 “The anti-malware solution(s):  

  • Performs periodic scans and active or real-time scans. OR  
  • Performs continuous behavioral analysis of systems or processes.” 

ThreatLocker can help meet this requirement of PCI-DSS compliance. ThreatLocker Ops can be used to identify and respond to IoCs or weaknesses in the environment, in near real-time. Based on an organization’s risk appetite, admins can be notified and/or other actions can automatically be performed.

     5.3.3 “For removable electronic media, the antimalware solution(s): 

  • Performs automatic scans of when the media is inserted, connected, or logically mounted, OR 
  • Performs continuous behavioral analysis of systems or processes when the media is inserted, connected, or logically mounted.” 

ThreatLocker can help meet this requirement of PCI-DSS compliance. ThreatLocker Ops can be used to identify and respond to IoCs or weaknesses in the environment, in near real-time, regardless of whether the behavior originates from removable media or from within the machine. Based on an organization’s risk appetite, admins can be notified and/or other actions can automatically be performed. 

ThreatLocker Allowlisting will block any process not permitted on the allowlist, regardless of whether it is introduced via removable media.  

ThreatLocker Configuration Manager can be used to disable Autorun. 

     5.3.4 “Audit logs for the anti-malware solution(s) are enabled and retained in accordance with Requirement 10.5.1.”  

ThreatLocker can assist in meeting this requirement of PCI-DSS compliance. ThreatLocker provides a System Audit that logs all activity within the ThreatLocker Portal. System Audit logs can’t be altered or deleted.

     5.3.5 “Anti-malware mechanisms cannot be disabled or altered by users, unless specifically documented, and authorized by management on a case-by-case basis for a limited time period.” 

ThreatLocker can assist in meeting this requirement of PCI-DSS compliance. ThreatLocker Tamper Protection prevents ThreatLocker settings from being changed on the endpoint. ThreatLocker can only be turned off or disabled from within the ThreatLocker Portal. 

5.4 Anti-phishing mechanisms protect users against phishing attacks. 

     5.4.1 “Processes and automated mechanisms are in place to detect and protect personnel against phishing attacks.” 

     Testing procedure 5.4.1: “Observe implemented processes and examine mechanisms to verify controls are in place to detect and protect personnel against phishing attacks.” 

     Customized Approach Objective: “Mechanisms are in place to protect against and mitigate risk posed by phishing attacks.” 

ThreatLocker can assist in meeting this requirement of PCI-DSS compliance. ThreatLocker Allowlisting prevents any application, script, or library not contained in the allow list from running.  

ThreatLocker Ringfencing provides boundaries for permitted applications. Block applications from interacting with PowerShell and CMD to further reduce the risk of a permitted application being used to launch a malicious script. Ringfence CMD and PowerShell from communicating with the Internet to further reduce the risk that a script can be run to reach out to a malicious website. 

ThreatLocker Configuration Manager provides the ability to disable downloaded macros in Office, and disable OLE in Office, protecting against phishing attacks that use Office as an entryway. 

Requirement 7:  Restrict Access to System Components and Cardholder Data by Business Need to Know 

7.2 Access to system components and data is appropriately defined and assigned. 

     7.2.1 “An access control model is defined and includes granting access as follows: 

  • Appropriate access depending on the entity’s business and access needs. 
  • Access to system components and data resources that is based on users’ job classification and functions.
  • The least privileges required (for example, user, administrator) to perform a job function.” 

     7.2.2 “Access is assigned to users, including privileged users, based on: 

  • Job classification and function.
  • Least privileges necessary to perform job responsibilities.” 

     7.2.5 “All application and system accounts and related access privileges are assigned and managed as follows:

  • Based on the least privileges necessary for the operability of the system or application.
  • Access is limited to the systems, applications, or processes that specifically require their use.” 

ThreatLocker can assist in meeting these requirements of PCI-DSS compliance. ThreatLocker Allowlisting provides the ability to restrict access to applications to only the specific users who need to use them.  

ThreatLocker Ringfencing can prevent applications from accessing protected files if they don’t require that access. 

ThreatLocker Elevation can be used to reduce or eliminate local admin accounts. Instead of providing admin credentials, ThreatLocker Elevation can be applied to applications that require admin privileges to run or update. Create very granular policies that can elevate a single file if that is all that is necessary, and permit the Elevated applications to be used only by the user(s) who require them. Any non-elevated applications will run as a standard user. Combine with Ringfencing to ensure that an Elevated application can’t be abused to hop to another application as an elevated user.  

ThreatLocker Storage Control provides control over local files, network shares, and external media. Permit access to data only to the users that require it. Permit data access only to applications that require it (e.g., backup files can only be accessed by backup software). 

7.3 Access to system components and data is managed via an access control system(s). 

     7.3.2 “The access control system(s) is configured to enforce permissions assigned to individuals, applications, and systems based on job classification and function.” 

ThreatLocker can assist in meeting this requirement of PCI-DSS compliance. Create computer groups in ThreatLocker according to job classification or function.  

ThreatLocker Allowlisting provides the ability to control access to applications only to the specific computer group that needs to use those applications.  

ThreatLocker Ringfencing can prevent applications from accessing protected files if they don’t require that access. 

ThreatLocker Elevation can be used to reduce or eliminate local admin accounts. Instead of providing admin credentials, ThreatLocker Elevation can be applied to applications that require admin privileges to run or update. Create very granular policies that can elevate a single file if that is all that is necessary, and permit the Elevated applications to be used only by the computer group(s) that require them. Any non-elevated applications will run as a standard user. Combine with Ringfencing to ensure that an Elevated application can’t be abused to hop to another application as an elevated user.  

ThreatLocker Storage Control provides control over local files, network shares, and external media. Permit access to data only to the computer group(s) that require it. Permit data access only to applications that require it (e.g., backup files can only be accessed by backup software). 

Requirement 8:  Identify Users and Authenticate Access to System Components 

8.3 Strong authentication for users and administrators is established and managed. 

     8.3.4 “Invalid authentication attempts are limited by:

  • Locking out the user ID after not more than 10 attempts.
  • Setting the lockout duration to a minimum of 30 minutes or until the user’s identity is confirmed.” 

ThreatLocker can assist with meeting this requirement of PCI-DSS compliance. ThreatLocker Configuration Manager provides the ability to alert and act on excessive failed logon events. Automatically lock out users after a configured number of logon failures. Configuration Manager can also isolate, or isolate and shut down, a computer that has experienced failed logons exceeding custom thresholds. 

     8.3.6 “If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the following minimum level of complexity:

  • A minimum length of 12 characters (or IF the system does not support 12 characters, a minimum length of eight characters). 
  • Contain both numeric and alphabetic characters.” 

ThreatLocker can assist with meeting this requirement of PCI-DSS compliance. ThreatLocker Configuration Manager provides the ability to enforce local password length and complexity.  

     8.3.9 “If passwords/passphrases are used as the only authentication factor for user access (i.e., in any single-factor authentication implementation) then either:

  • Passwords/passphrases are changed at least once every 90 days, OR 
  • The security posture of accounts is dynamically analyzed, and real-time access to resources is automatically determined accordingly.” 

ThreatLocker can assist with meeting this requirement of PCI-DSS compliance. ThreatLocker Configuration Manager provides the ability to enforce local password age to prevent the use of a password for longer than 90 days.  

Requirement 9:  Restrict Physical Access to Cardholder Data 

9.2 Physical access controls manage entry into facilities and systems containing cardholder data. 

     9.2.2 “Physical and/or logical controls are implemented to restrict use of publicly accessible network jacks within the facility.” 

ThreatLocker can assist with meeting this PCI-DSS requirement. While ThreatLocker cannot physically control access to network jacks, ThreatLocker Network Control can be used to control logical access to the network. Control inbound traffic, whether from the LAN or WAN, and only permit access to specific devices. Any unauthorized device will be unable to connect to the protected network resources.  

Requirement 10:  Log and Monitor All Access to System Components and Cardholder Data 

10.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. 

     10.2.1 “Audit logs are enabled and active for all system components and cardholder data.” 

     10.2.1.1 “Audit logs capture all individual user access to cardholder data.” 

     10.2.1.2 “Audit logs capture all actions taken by any individual with administrative access, including any interactive use of application or system accounts.” 

ThreatLocker can assist in meeting these requirements of PCI-DSS compliance. ThreatLocker Storage Control audits access to protected data locations. The Unified Audit displays all Storage Control logs, including the logged-in user, hostname, filename, and whether it was a read, write, or delete. 

     10.2.1.3 “Audit logs capture all access to audit logs.” 

ThreatLocker can assist in meeting this requirement of PCI-DSS compliance. The System Audit logs all access to the Unified Audit, whether it was successful or unsuccessful.

     10.2.1.4 “Audit logs capture all invalid logical access attempts.” 

ThreatLocker can assist in meeting this requirement of PCI-DSS compliance. ThreatLocker Storage Control audits access to protected data locations. The Unified Audit displays all Storage Control logs, including the logged-in user, hostname, filename, whether it was a read, write, or delete, and whether the attempt was successful or unsuccessful. 

     10.2.1.5 “Audit logs capture all changes to identification and authentication credentials including, but not limited to: 

  • Elevation of privileges.” 

ThreatLocker can assist with meeting this requirement of PCI-DSS compliance. The Unified Audit will record all activity on ThreatLocker-protected devices. Unified Audit logs will flag any actions that were performed using elevated privileges. 

     10.2.2 “Audit logs record the following details for each auditable event:

  • User identification.
  • Type of event.
  • Date and time. 
  • Success and failure indication.
  • Origination of event.
  • Identity or name of affected data, system component, resource, or service (for example, name and protocol).” 

ThreatLocker can assist with meeting this compliance requirement of PCI-DSS. ThreatLocker Unified Audit provides near-real-time logs of all activity (using Allowlisting, Storage Control, and Network Control). The log file will include the logged-in user, the hostname, the type of activity (install, execute, read, write, delete), the date and time, the filename, the process that spawned the activity, and whether it was successful or not. Network activity will include the source and destination IP address and port number. 

10.3 Audit logs are protected from destruction and unauthorized modifications. 

     10.3.1 “Read access to audit log files is limited to those with a job-related need.” 

ThreatLocker can assist with meeting this requirement of PCI-DSS compliance. Access to the Unified Audit can be granted to only those admins that require access to it.  

     10.3.2 “Audit log files are protected to prevent modifications by individuals.” 

ThreatLocker can assist with meeting this compliance requirement of PCI-DSS. ThreatLocker Unified Audit logs can’t be edited or deleted by anyone until the specified storage period has been exceeded. By default, the storage period is 30 days, but if needed, it can be extended. 

     10.3.4 “File integrity monitoring or change-detection mechanisms is used on audit logs to ensure that existing log data cannot be changed without generating alerts.” 

ThreatLocker can assist with meeting this compliance requirement of PCI-DSS. Although ThreatLocker cannot alert if the Unified Audit is changed, there is no need for an alert because the ThreatLocker Unified Audit logs can’t be edited or deleted by anyone until the specified storage period has been exceeded. By default, the storage period is 30 days, but if needed, it can be extended. 

Requirement 11: Test Security of Systems and Networks Regularly 

11.3 External and internal vulnerabilities are regularly identified, prioritized, and addressed. 

     11.3.1 “Internal vulnerability scans are performed as follows:

  • At least once every three months.
  • High-risk and critical vulnerabilities (per the entity’s vulnerability risk rankings defined at Requirement 6.3.1) are resolved.
  • Rescans are performed that confirm all high risk and critical vulnerabilities (as noted above) have been resolved. 
  • Scan tool is kept up to date with latest vulnerability information.
  • Scans are performed by qualified personnel and organizational independence of the tester exists.” 

ThreatLocker can assist with meeting this requirement of PCI-DSS compliance. ThreatLocker Health Center continually monitors information available within ThreatLocker and can identify vulnerable machines and link to the offending policies for immediate revision.  

ThreatLocker Ops continually monitors the environment, using telemetry data collected across all the ThreatLocker modules to identify and respond to potential indicators of compromise or weakness in the environment (e.g., using a vulnerable MS Exchange version). Once a parameter is set, users can configure action steps to take if the parameter is met, like isolating a machine from the network. The ThreatLocker team has created and maintains ThreatLocker Ops policies for many known indicators of compromise. When the IOCs change, the policy will be automatically updated to reflect those changes. New policies will be added as ThreatLocker observes and responds to real-world malware events.  

11.5 Network intrusions and unexpected file changes are detected and responded to. 

     11.5.1 “Intrusion-detection and/or intrusion prevention techniques are used to detect and/or prevent intrusions into the network as follows:

  • All traffic is monitored at the perimeter of the CDE.
  • All traffic is monitored at critical points in the CDE. 
  • Personnel are alerted to suspected compromises.
  • All intrusion-detection and prevention engines, baselines, and signatures are kept up to date.” 

ThreatLocker can assist with meeting this requirement of PCI-DSS compliance. ThreatLocker Network Control logs all network traffic and permits only authorized inbound connections.  

ThreatLocker Ops uses telemetry data collected across all the ThreatLocker modules to identify and respond to potential indicators of compromise or weakness in the environment (e.g., using a vulnerable MS Exchange version). Once a parameter is set, users can configure action steps to take if the parameter is met, like isolating a machine from the network. The ThreatLocker team has created and maintains ThreatLocker Ops policies for many known indicators of compromise. When the IOCs change, the policy will be automatically updated to reflect those changes. New policies will be added as ThreatLocker observes and responds to real-world malware events. 

     11.5.2 “A change-detection mechanism (for example, file integrity monitoring tools) is deployed as follows: 

  • To alert personnel to unauthorized modification (including changes, additions, and deletions) of critical files.
  • To perform critical file comparisons at least once weekly.” 

ThreatLocker can assist with meeting this requirement of PCI-DSS compliance. ThreatLocker Allowlisting blocks all unpermitted files. Any unauthorized change to a permitted application, library, or script will be immediately blocked. ThreatLocker provides file integrity monitoring: any file allowlisted by hash will be blocked if that file is altered in any way, ensuring the integrity of the file. 

ThreatLocker Ops policies can be configured to alert based on file creation and/or deletion.  

ThreatLocker provides the option to generate a report of files created in the last 7 days. 
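The mechanism behind the default-deny allowlisting described under Requirement 5.2 and the hash-based integrity check described under 11.5.2 is illustrated below. This is an added example, not ThreatLocker's own code: the allowlist entries, file contents, user and host names are all constructed, and the audit record simply carries the fields that Requirement 10.2.2 lists.

```python
# Added illustration of a default-deny, hash-based application allowlist with
# integrity checking, plus a baseline comparison for critical-file change detection.
# Constructed example; it is not ThreatLocker's implementation.
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


def sha256_hex(data: bytes) -> str:
    """SHA-256 of file contents, hex encoded."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample "binaries" and the allowlist built from their approved builds.
# In practice the approved hashes come from the vetted build artifacts, never from
# the file that is being evaluated.
APPROVED_BACKUP_AGENT = b"backup-agent v1.0 (constructed sample)"
APPROVED_POS_TERMINAL = b"pos-terminal v4.2 (constructed sample)"
ALLOWLIST: Dict[str, str] = {
    r"C:\Program Files\Backup\backup-agent.exe": sha256_hex(APPROVED_BACKUP_AGENT),
    r"C:\POS\pos-terminal.exe": sha256_hex(APPROVED_POS_TERMINAL),
}


@dataclass
class AuditRecord:
    """The per-event fields PCI-DSS 10.2.2 asks for (constructed layout)."""
    user: str
    hostname: str
    action: str
    timestamp: str
    filename: str
    result: str   # "ALLOW" or "DENY"
    reason: str


def evaluate_execution(user: str, hostname: str, path: str, contents: bytes,
                       allowlist: Dict[str, str] = ALLOWLIST,
                       now: Optional[datetime] = None) -> AuditRecord:
    """Default deny: execution is allowed only when the path is listed AND the
    file's current hash equals the approved hash. A listed path whose hash
    differs is an integrity violation (the file was altered after approval),
    so it is denied just like an unlisted file."""
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    observed = sha256_hex(contents)
    expected = allowlist.get(path)
    if expected is None:
        result, reason = "DENY", "not on allowlist"
    elif observed != expected:
        result, reason = "DENY", "hash mismatch: file altered since approval"
    else:
        result, reason = "ALLOW", "hash matches approved build"
    return AuditRecord(user, hostname, "execute", stamp, path, result, reason)


def compare_to_baseline(baseline: Dict[str, str],
                        current: Dict[str, str]) -> Dict[str, List[str]]:
    """Critical-file comparison for 11.5.2: report files whose hash changed,
    files that appeared, and files that disappeared between a stored baseline
    (path -> hash) and a fresh snapshot of the same form."""
    return {
        "changed": sorted(p for p in baseline
                          if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "deleted": sorted(p for p in baseline if p not in current),
    }


if __name__ == "__main__":
    # An approved binary runs; the same path with one byte changed is denied.
    print(evaluate_execution("svc_backup", "host01",
                             r"C:\Program Files\Backup\backup-agent.exe",
                             APPROVED_BACKUP_AGENT))
    print(evaluate_execution("user1", "host01", r"C:\POS\pos-terminal.exe",
                             APPROVED_POS_TERMINAL + b"\x90"))
    print(compare_to_baseline({"a.dll": "1", "b.dll": "2"}, {"a.dll": "1", "b.dll": "9"}))
```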
