OPEM-08

Describe or provide a reference to any other safeguards used to monitor for malicious activity.

Explanation

This question is asking about additional security measures your organization has in place to detect malicious activity beyond the standard PCI DSS requirements. In the context of PCI DSS, organizations are required to have systems in place to monitor and detect security incidents, particularly those that might affect cardholder data. However, this question specifically asks about 'other safeguards' - meaning supplementary monitoring tools or processes that enhance your security posture.

The question is being asked to understand the depth and breadth of your security monitoring capabilities. Assessors want to know if you have a comprehensive approach to threat detection that goes beyond minimum compliance requirements. This helps them evaluate your overall security maturity and how proactive you are in identifying potential threats.

When answering this question, you should:

1. List all monitoring tools and technologies in place (IDS/IPS, SIEM, EDR, etc.)
2. Describe any threat intelligence programs you subscribe to
3. Explain your monitoring processes, including 24/7 coverage if applicable
4. Mention any specialized monitoring for specific threats relevant to payment card data
5. Include details about your security operations center (SOC) if you have one
6. Describe how alerts are triaged, investigated, and remediated

Be specific about technologies, processes, and how they work together to provide comprehensive monitoring coverage.

Guidance

Please detail your monitoring strategy.

Example Responses

Example Response 1

Our organization employs multiple layers of safeguards to monitor for malicious activity. We utilize a Security Information and Event Management (SIEM) solution (Splunk Enterprise Security) that aggregates and correlates logs from all systems that process, store, or transmit cardholder data. This is supplemented by CrowdStrike Falcon EDR on all endpoints for real-time threat detection and response. Our network perimeter is protected by Palo Alto Networks next-generation firewalls with threat prevention capabilities and Cisco Secure IDS/IPS appliances. We subscribe to multiple threat intelligence feeds, including Mandiant, AlienVault OTX, and industry-specific feeds from FS-ISAC, that are integrated into our monitoring systems. Our 24/7 Security Operations Center (SOC) actively monitors these systems and follows documented incident response procedures for alert triage, investigation, and remediation. We also conduct regular vulnerability scanning using Qualys and penetration testing twice annually. Additionally, we use Darktrace for network traffic analysis to identify anomalous behavior that might indicate compromise.

Example Response 2

We have implemented a multi-layered approach to monitoring for malicious activity. Our primary monitoring system is Microsoft Sentinel, a cloud-native SIEM solution that collects logs from all our Azure-hosted services, including those handling cardholder data. This is complemented by Microsoft Defender for Endpoint on all workstations and servers. For network monitoring, we use Cisco Umbrella and Cisco Secure IDS to detect and block malicious traffic. We've implemented Azure Advanced Threat Protection to monitor for identity-based attacks and unusual authentication patterns. Our security team receives alerts from these systems 24/7 through PagerDuty and follows a tiered escalation process based on alert severity. We also leverage automated response capabilities through our SOAR platform (Palo Alto XSOAR) for common alert types, allowing for faster containment of potential threats. Additionally, we participate in the Retail and Hospitality ISAC to receive industry-specific threat intelligence that is incorporated into our detection rules. All monitoring systems generate alerts that are tracked in ServiceNow, with SLAs for response times based on severity.

Example Response 3

We currently rely primarily on our firewall logs to monitor for malicious activity. We use a basic Fortinet FortiGate firewall that provides some intrusion prevention capabilities, but we do not have a dedicated SIEM solution or 24/7 monitoring in place. Our IT team (3 staff members) reviews logs on a weekly basis during business hours, but we do not have after-hours coverage. We do run Windows Defender on our endpoints but do not have centralized management or monitoring of these systems. We recognize this is an area for improvement in our security program, and we are currently evaluating vendors for a managed security service to provide more comprehensive monitoring capabilities. In the meantime, we have implemented strong access controls and encryption for cardholder data as compensating controls while we work to enhance our monitoring capabilities over the next 6-12 months.

Context

Tab: Case-Specific
Category: Payment Card Industry Data Security Standard (PCI DSS)

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub