Skip to content

PCI Compliance Requirements with SQL Server

For those seeking to undertake PCI compliancing with SQL Server infrastructure, the following table details out some of these requirements along with how SQL Server (upwards from version 2008) caters for these:

PCI Requirement How SQL Server Addresses
1. Install and maintain firewall configuration * N/A – Controlled at Network Level
2. Do not use vendor-supplied credentials * SQL Server does not assign default passwords
* Most SQL 2008 features are disabled by default
* The system administrator account is disabled by default when SQL is setup using Windows Authentication
* The BUILTIN/Administrators Windows role is not a member of the sysadmin group by default
3. Protect stored card holder data * SQL Server 2008 Transparent Data Encryption (TDE)offers full data encryption
* SQL Server 2008 cell-level encryption offers encryption of individual columns
* SQL Server 2008 Extensible Key Management (EKM) offers split encryption key ownership
4. Encrypt transmission of card holder data * SQL Server 2008 supports SSL encryption
5. Use and update antivirus software * N/A – Controlled at Network Level
6. Develop / maintain secure systems / applications * Change controls are operational in nature, however segregation of duties is addressed under requirements 7.
7. Restrict access to card holder data * SQL’s Signed module facilitates segregation of duties
* SQL Supports Windows Authentication
* SQL Server supports Role-Based Access
8. Assign a unique ID to each person with computer access * SQL Server supports Windows Authentication. Unique identification is preserved even when granted access as a member of a group.
9. Restrict Physical access to card holder data. * N/A – Physical access control.
10. Track / monitor all access to network resources and card holder data * SQL Server Audit provides granular auditing capabilities
* Once target systems are identified and PCI compliant configurations set, SQL Policy-based Management can track changes
11. Regularly test security systems and processes * N/A – Controlled at Network Level
12. Maintain Plicy that addresses information security * N/A – Operational control procedures

There are six primary ways in which SQL Server caters for PCI complancing, which we’ll be covering in more detail in later posts;

  • Transparent Data Encryption (TDE)
  • Extensible Key Management (EKM)
  • SQL Server Audit and Change Data Capture
  • Signed Module
  • Build-in Control over Default SQL Server 2008 Features
  • Policy-Based Management (PBM)