How to pass your next PCI audit with PDQ Inventory & Deploy

Brock Bingham|Updated May 12, 2021

Do you think it’s possible to both love and hate something at the same time? I believe it is. For example, I hate being audited, but I love the fact that we have audits. Could you imagine all the chaos that would ensue if companies weren’t required to adhere to specific standards? What if you found out that the grocery store you shop at stored all your personal details and credit card information in plain text on an external hard drive, and one day, that drive decided to go for a walk? This scenario, and many others like it, are the types of situations audits are designed to prevent.


What is PCI DSS

PCI DSS stands for Payment Card Industry Data Security Standard. It was developed by the Payment Card Industry Security Standards Council and is mandated by the card brands, such as Visa and Discover. PCI DSS applies to any entity that processes card payment transactions and those handling cardholder data. The goal of PCI DSS is to safeguard cardholder data and prevent credit card fraud. To that end, there are twelve requirements companies need to follow to maintain compliance with PCI DSS.

  1. Install and maintain a firewall configuration to protect cardholder data

  2. Do not use vendor-supplied defaults for system passwords and other security parameters

  3. Protect stored cardholder data

  4. Encrypt transmission of cardholder data across open, public networks

  5. Use and regularly update anti-virus software or programs

  6. Develop and maintain secure systems and applications

  7. Restrict access to cardholder data by business need to know

  8. Assign a unique ID to each person with computer access

  9. Restrict physical access to cardholder data

  10. Track and monitor all access to network resources and cardholder data

  11. Regularly test security systems and processes

  12. Maintain a policy that addresses information security for all personnel

How PDQ Inventory and PDQ Deploy can help

While PDQ Inventory and PDQ Deploy can’t help you write or maintain your security policies, there are several areas of the PCI DSS audit where we can help. Specifically, we’ll show you how you can use PDQ Inventory’s collections and reports to gather useful PCI DSS information. We’ll also show you how to target collections with PDQ Deploy’s auto download and scheduling to ensure all of your devices stay up to date. If you don’t have PDQ Inventory and Deploy, you can download a free trial.

Check firewall configurations with scan profiles

Requirement 1 of the PCI DSS audit requires systems to be protected with properly configured firewalls. Firewalls protect systems by restricting network traffic based on rules configured by an organization. PDQ Inventory makes it easy to scan devices and return their firewall configuration settings by including a firewall scan profile. To use the built-in Windows Firewall Configuration scanner, right-click on any computer in PDQ Inventory and click Scan Computers > Windows Firewall Configuration. If you want to scan the entire collection of computers, choose Scan Collection instead of Scan Computers.


To view the results, double-click on any computer that ran the scan and click on Registry. The results of the scan will be displayed.

If you would like to return more information than what is provided by the default Windows Firewall Configuration scanner, you can edit the scanner to include more data. Let’s add a few more registry values to the scanner and configure it to run automatically once seven days have passed since the last scan.

  1. In PDQ Inventory, click Options > Scan Profiles

  2. Double-click the scan profile Windows Firewall Configuration

  3. Select the registry scanner and click Edit

  4. Add the following three registry values. These values check to see if the firewall is enabled on the domain, standard, and public profiles

    1. SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall

    2. SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall

    3. SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall

  5. After you’ve added those registry values, click OK

  6. Click on the Triggers tab

  7. Click Scan Age

  8. Change the scan age to 7 days and click OK

You can manually rerun the scan to return the new results, or you can wait for the scan profile to run automatically again after seven days.


With this data, you can create collections and reports to identify which systems are compliant or not.
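
To spot-check one machine against what the scanner reports, here is an added PowerShell example (not from the article or from PDQ) that reads the same three EnableFirewall values and compares them with the firewall state Windows is enforcing. The mapping of StandardProfile to the Private profile and the status wording are this example's own choices.

```powershell
# Added example (not PDQ code): compare the three EnableFirewall registry
# values with the firewall state Windows is actually enforcing.
$base = 'HKLM:\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy'

# Registry key name -> profile name reported by Get-NetFirewallProfile.
# StandardProfile is the registry name for the Private profile.
$map = [ordered]@{
    DomainProfile   = 'Domain'
    StandardProfile = 'Private'
    PublicProfile   = 'Public'
}

# ActiveStore is the effective policy: local settings merged with Group Policy.
$active = @{}
Get-NetFirewallProfile -PolicyStore ActiveStore | ForEach-Object {
    $active[$_.Name] = "$($_.Enabled)"
}

$report = foreach ($key in $map.Keys) {
    $item = Get-ItemProperty -Path (Join-Path $base $key) -Name EnableFirewall -ErrorAction SilentlyContinue
    $reg  = if ($null -ne $item) { [int]$item.EnableFirewall } else { $null }
    $eff  = $active[$map[$key]]

    if ($eff -ne 'True') {
        $status = 'FAIL: firewall is off for this profile'
    } elseif ($null -eq $reg) {
        $status = 'REVIEW: registry value not present'
    } elseif ($reg -ne 1) {
        $status = 'REVIEW: registry value disagrees with effective state'
    } else {
        $status = 'OK'
    }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        RegistryKey   = $key
        RegistryValue = $reg
        Effective     = $eff
        Status        = $status
    }
}

$report | Format-Table -AutoSize
```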

Detect missing or out of date antivirus with PDQ Inventory

Auditors have a way of finding devices that haven’t been touched in years, and they always choose those devices to audit. Often the result is a non-compliant workstation because of out of date software, including antivirus. With PDQ Inventory, we can create a collection to show us which machines have the latest antivirus software installed, which machines have an old version of antivirus installed, and which machines have no antivirus installed. For this example, we’ll use Avast antivirus software.

  1. With PDQ Inventory open, click New Dynamic Collection

  2. For the name, enter Antivirus

  3. Change the filter to Application > Name > Contains > avast and click OK


This dynamic collection should return all of the computers with Avast installed. While this information is nice, we still don’t know which computers don’t have antivirus software installed and which ones have old antivirus versions installed. Let’s create a few more dynamic collections to give us the rest of the information we’re looking for.

  1. Right-click on the Antivirus collection and click New > Dynamic Collection

  2. Name this new collection Antivirus (Latest)

  3. Add the filter Application > Name > Contains > avast

  4. Add the filter Application > Version > Version Equals > 21.1.2444 (which is currently the latest version of Avast) and click OK


This new collection will return only computers with the latest version of antivirus installed.

Now let’s create a collection that returns computers with old versions of antivirus installed.

  1. Right-click on the Antivirus (Latest) collection and select Duplicate

  2. Double-click on the duplicated collection to open it up

  3. Rename the collection Antivirus (Old)

  4. Change the comparison value from Version Equals to Version Lower Than and click OK


For our last collection, we’ll create one that only returns computers that don’t have antivirus software installed.

  1. Right-click on the Antivirus collection and click New > Dynamic Collection

  2. Name it Antivirus (Not Installed)

  3. Change the filter to Not Any > Application > Name > Contains > avast and click OK


With these dynamic collections created, we know which computers have antivirus installed, which don’t, which have the latest versions, and which have an old version. If we want to create a report with any of these collections, we can simply right-click on the collection and select New > Report From Collection. This will copy the collection filter into a new report. Now you just need to add any columns you want the report to show. For example, we can add the application name and application version to the report. Click Save, and you’re all done. Your boss will think you’ve spent hours creating a custom report.


Keeping Up To Date

In addition to antivirus, auditors will check to ensure the operating systems and other applications installed on machines that qualify for the PCI audit are patched and up to date. Luckily, keeping systems patched and up to date is the bread and butter of PDQ Inventory and PDQ Deploy. PDQ Inventory comes out of the gate with dynamic collections for tons of commonly used applications and several useful reports. The package library in PDQ Deploy includes Windows updates and hundreds of pre-packaged applications, all ready to be deployed to your workstations with just a few clicks.

Since PCI auditors only need to audit computers that fall under the PCI scope, I recommend creating a collection for your PCI computers in PDQ Inventory. To do this, we can either create a static collection or a dynamic collection. These collections will allow us to target reports and deployments to this specific collection of computers.

To create a static collection:

  1. Click the New Static Collection button

  2. Name the collection PCI

  3. Holding the Ctrl key on your keyboard, click on each computer that needs to be added to the collection, and click the arrow > button

  4. Click OK


To create a dynamic collection, we first need to add a custom field.

  1. In the top menu, click Options > Custom Fields

  2. Click New Field > True/False

  3. Enter PCI for the name and click OK


Now we need to assign this custom field to our PCI computers.

  1. Double-click on a computer you want to assign the PCI field to

  2. Click the Custom Fields menu option in the menu tree

  3. You should see PCI as a custom field option and a check box in the Value column. Select the check box

  4. Repeat steps 1 - 3 for any remaining computers you need to add to the PCI collection

With our custom fields assigned, we can now create a dynamic collection.

  1. Click the New Dynamic Collection button

  2. Name the collection PCI

  3. Select All for the group filter

  4. For the value filter, select Computer > PCI > Is True and click OK


With our collection created, we can now automate reports and deployments and target this specific computer collection. Let’s first look at how to configure auto reports because manually generating reports is beneath us.

  1. Right-click on Auto Reports and click on New > Auto Report

  2. Enter PCI Report for the report name

  3. Enter the UNC path where you would like to save the report

  4. Configure the file naming convention. I’ve used $(Report:Name)-$(Date)

  5. Choose your preferred format. I’ve chosen Portable Document (.pdf)

  6. Select the Triggers tab

  7. Configure the schedule that works best for you. I’ve chosen to automatically run the report on the 1st day of every month

  8. If you set up your mail server information in the mail server preferences, you can configure the report to be mailed out in the Mail tab

  9. Select the Reports tab

  10. Click on the Attach button and click on the reports you want to add

  11. Once you’ve added your reports, select them all by clicking on one and hitting CTRL+A

  12. Click the Change Collection button

  13. Click on the PCI collection and click OK

These reports will now run on the first of each month and only target the PCI collection. We can do the same with our deployments to make sure these computers stay up to date. Since more than 60% of users use Chrome, let’s configure Chrome to automatically deploy to our PCI workstations when a new version is released.

  1. Launch PDQ Deploy

  2. Click on Package Library

  3. In the filter field, type in Chrome

  4. Select the Google Chrome Enterprise package

  5. Click Download Selected (As Auto Download)

  6. Click on the package once it has finished downloading

  7. Click on the New Schedule button

  8. Name your schedule

  9. Configure the schedule to meet your needs. I’m going to configure it to run weekly by clicking on the Weekly button

  10. I’ve chosen to run the deployment every Friday at 4 pm

  11. Once the schedule is configured, click on the Targets tab

  12. Click Choose Targets > PDQ Inventory > Collection

  13. Select your PCI collection and click OK

  14. Click the Options tab

  15. Make sure Stop deploying to targets once they succeed is selected and click OK to finish


Now we have Chrome configured to deploy every Friday at 4 pm automatically. This is just one example of what’s possible with PDQ Inventory and PDQ Deploy. You can configure Windows updates and other applications just as easily to make sure you’re never caught with an out of date application or OS on your PCI workstations.

Audit user access to PCI devices

Requirement 7 of the PCI DSS list requires access to PCI devices to be limited to business need to know. Basically, if you don’t need access to a PCI device, you shouldn’t have access to a PCI device. Requirement 8 restricts PCI devices from having shared or generic accounts and requires all user accounts to be unique. This data is easy to collect and report on in PDQ Inventory.

PDQ Inventory comes with a built-in scanner to return local accounts on workstations. If the standard scan profile has scanned a machine, you can see the local user accounts by double-clicking on a computer and selecting Local Users from the menu tree. We can take this a step further by using a WMI scanner to return all user profiles on a workstation, not just the local accounts.

To create a new WMI scanner:
  1. In PDQ Inventory, click on Options > New Scanner > WMI

  2. Name your scanner User Profiles

  3. For the Namespace, use CIMV2

  4. Enter SELECT LocalPath From Win32_UserProfile for our WQL Query and click OK

  5. The New Scan Profile window will open

  6. Enter User Profiles for the name

  7. Since I want user profiles and local accounts, we’ll also add the Users & Groups scanner by clicking on Add and selecting Users & Groups

  8. If you want this scan to run on a schedule, click the Triggers tab

  9. With the Triggers tab open, create your schedule. I’ve configured mine to scan when the scan age is 3 days old

  10. Now let’s attach the scan profile to our collection by clicking on the Collections tab

  11. Click Link To Collection(s)

  12. Select the PCI collection and click OK twice

If you don’t want to wait for the new scanner to run to ensure it’s working, you can right-click on the PCI collection and select Scan Collection > User Profiles. To view the results, double-click on any computer in the collection and click on the WMI option in the menu tree. If you have more than one WMI scanner, make sure you are viewing the correct one from the drop-down menu.
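
The WMI scanner above returns only LocalPath. As an added example (not from the article or from PDQ), this PowerShell snippet runs the same Win32_UserProfile query on one machine with the SID and Special properties included, so each profile can be tied to an account when reviewing Requirements 7 and 8. The list of "generic" name fragments is an assumption made for illustration.

```powershell
# Added example (not PDQ code): the article's WQL query plus SID and Special,
# so built-in service profiles are skipped and each profile maps to an account.
# Name fragments treated as "generic" are an assumption; use your own policy.
$genericHints = 'admin', 'shared', 'generic', 'temp', 'test', 'kiosk', 'register'

$query    = 'SELECT LocalPath, SID, Special FROM Win32_UserProfile'
$profiles = Get-CimInstance -Namespace 'root\CIMV2' -Query $query |
    Where-Object { -not $_.Special }

$report = foreach ($p in $profiles) {
    # Resolve the profile's SID to DOMAIN\name; failure means the account is gone
    # or its domain cannot be reached from this machine.
    try {
        $sid     = [System.Security.Principal.SecurityIdentifier]::new($p.SID)
        $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $account = $null
    }

    if ($account) {
        $domain, $name = $account -split '\\', 2
    } else {
        $domain = $null
        $name   = Split-Path -Path $p.LocalPath -Leaf
    }

    $notes = @()
    if (-not $account) { $notes += 'SID does not resolve' }
    if ($domain -eq $env:COMPUTERNAME) { $notes += 'local account' }
    if ($genericHints | Where-Object { $name -like "*$_*" }) { $notes += 'generic-looking name' }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Account   = $account
        LocalPath = $p.LocalPath
        Notes     = $notes -join '; '
    }
}

$report | Sort-Object Account | Format-Table -AutoSize
```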


Remember, you can add this data to a report and include it in the auto report we created earlier. Auditors love reports, but more importantly, having these reports ready to go makes your life that much easier. To add this data to a report:

  1. Click on Report > New Report > Basic Report

  2. Name your report User Profiles

  3. Click the Add Column button

  4. Change the table value to WMI (User Profiles)

  5. Click Save

  6. Click Run Report if you want to view the resulting data


You can add this report to the auto report we created earlier by clicking Auto Reports and double-clicking our PCI Report. Click Attach > User Profiles. Right-click the User Profiles report and select Change Collection. Select the PCI collection and click OK twice.


Wrapping up

While I may not enjoy being audited, it gives me peace of mind knowing that when I shop for some new pauldrons to complete my LARPing outfit, the LARP store must comply with these standards and keep my data safe. Shopping, in general, wouldn’t be what it is today without these standards.

If you can’t get enough PDQ and PCI, you can head over to our YouTube channel and watch Shane and Lex go into detail about creating reports and collections specifically for PCI in this helpful video.
