

PCI Compliance for Active Directory Administrators

Effectively Audit Active Directory
for Compliance with PCI-DSS Requirements
while Lowering your Cost!

NetVision has more than a decade of experience helping organizations like yours deal with complicated audit reporting requirements. Our core expertise has always been the network directory and the file system it governs. Microsoft Active Directory not only controls access to the network; it often controls access to files and folders as well. NetVision provides reports across the board to help you demonstrate compliance with PCI-DSS and other regulations and best practices.

If you're an Active Directory administrator helping your organization to meet the demands of a PCI audit, here's what you need to keep in mind:

  • PCI-DSS is about cardholder data. Typically, that means customer data, not employee data, and most Active Directory implementations will not store credit card information. BUT that doesn't mean AD will be ignored during a PCI audit: it controls access to the network. COBIT categorizes controls that are pervasive across the IT infrastructure as General Controls, and that category applies to Active Directory and, frequently, to the Windows file system, because together they control access to programs and data.
  • Requirement 8: Assign a unique ID to each person with computer access. This requirement applies directly to Active Directory. You need to control access to computers and the network, know which accounts exist, which groups they belong to, and when they become dormant or inactive, and be able to show an assessor that shared and stale accounts are found and disabled. Details on how NetVision approaches the subsections of Requirement 8 of PCI are available here.
  • Requirement 10: Track and monitor all access to network resources. Active Directory is the launchpad into the network. Tracking who got in, when, and from what workstation is critical to performing forensic investigations of network activity. Note that the evidence is split: a domain controller records the authentication of a domain account, while the machine the user actually logged on to records the logon itself, so both need to be collected.
  • Ultimately, PCI-DSS is about access rights. Active Directory is a core component of the access rights your employees and associates have been granted. In some cases, direct access to the systems that hold cardholder data is granted through the core network directory via pass-through authentication and/or group memberships. In those cases, AD is THE central point of audit for PCI. So watch user accounts, access rights, group memberships, and administrative changes. Be able to tell an auditor when, by whom, and how a particular user was granted privileges. And monitor access rights continuously to maintain a controlled environment.

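The following PowerShell script is an added example, not NetVision's code or its product, showing the baseline evidence the Requirement 8 and Requirement 10 bullets above ask an AD administrator to produce: enabled accounts that have gone dormant, the expanded membership of privileged groups, who authenticated from where, and who added whom to a privileged group. It assumes the RSAT ActiveDirectory module is installed, that the account running it can read the Security log on the domain controller it targets, and that auditing of account logon and security-group-management events is enabled on that domain controller. The group names, the dormancy threshold (PCI-DSS's own 90-day inactive-account limit) and the seven-day log window are placeholders to adjust.

```powershell
# Added example (not NetVision's code): PCI-DSS Requirement 8 and 10 evidence from AD.
# Assumes the RSAT ActiveDirectory module and read access to the Security log on a DC.
Import-Module ActiveDirectory

$DormantDays = 90                                   # PCI-DSS inactive-account limit; tighten if policy requires
$Cutoff      = (Get-Date).AddDays(-$DormantDays)
$LogWindow   = (Get-Date).AddDays(-7)               # how far back to pull Security events
$PrivGroups  = 'Domain Admins', 'Enterprise Admins', 'Administrators'   # placeholder list; adjust for your forest
$DC          = (Get-ADDomainController -Discover).HostName               # or name a specific DC

# --- Requirement 8: which accounts exist, which are dormant, who holds privilege ---

# Enabled accounts that have not logged on within $DormantDays days (or never have).
# LastLogonDate comes from the replicated lastLogonTimestamp attribute, which can lag
# the real last logon by up to 14 days; query lastLogon on every DC if you need exactness.
$Dormant = Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, whenCreated |
    Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $Cutoff } |
    Select-Object SamAccountName, whenCreated, LastLogonDate

# Current membership of each privileged group, expanded through nested groups,
# so an assessor sees effective privilege rather than direct membership only.
$Privileged = foreach ($g in $PrivGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object objectClass -eq 'user' |
        Select-Object @{n = 'Group'; e = { $g }}, SamAccountName, distinguishedName
}

# --- Requirement 10: who got in, when, from where; who was granted privilege ---

# Helper: convert an event's EventData into a name -> value hashtable so fields are
# read by name rather than positional index (the index layout differs per event ID).
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $h = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    $h
}

# 4768 = Kerberos TGT requested, logged on the DC that authenticated the user, with the
# source IP. Status 0x0 is success. Computer accounts (names ending in '$') are skipped.
# The interactive logon itself (event 4624, carrying WorkstationName) is written on the
# endpoint the user logged on to, so collect that from the workstations and servers too.
$Auth = Get-WinEvent -ComputerName $DC -FilterHashtable @{
    LogName = 'Security'; Id = 4768; StartTime = $LogWindow
} -ErrorAction SilentlyContinue | ForEach-Object {
    $d = Get-EventData $_
    if ($d.Status -eq '0x0' -and $d.TargetUserName -notlike '*$') {
        [pscustomobject]@{
            Time     = $_.TimeCreated
            User     = "$($d.TargetDomainName)\$($d.TargetUserName)"
            SourceIP = $d.IpAddress -replace '^::ffff:', ''   # strip the IPv4-mapped prefix
        }
    }
}

# 4728 / 4732 / 4756 = member added to a security-enabled global / local / universal group.
# SubjectUserName is the administrator who made the change; TargetUserName is the group.
# This is the "when, by whom, and how was this user granted privileges" record.
$GroupAdds = Get-WinEvent -ComputerName $DC -FilterHashtable @{
    LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = $LogWindow
} -ErrorAction SilentlyContinue | ForEach-Object {
    $d = Get-EventData $_
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Group   = $d.TargetUserName
        Member  = $d.MemberName
        AddedBy = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
    }
}

# Flag adds to the privileged groups separately; these should each map to an approved change.
$PrivAdds = $GroupAdds | Where-Object { $PrivGroups -contains $_.Group }

# Export as assessor evidence; schedule the script to show ongoing monitoring, not a one-off.
$Dormant    | Export-Csv .\dormant-accounts.csv        -NoTypeInformation
$Privileged | Export-Csv .\privileged-members.csv      -NoTypeInformation
$Auth       | Export-Csv .\authentications.csv         -NoTypeInformation
$GroupAdds  | Export-Csv .\group-membership-adds.csv   -NoTypeInformation
$PrivAdds   | Export-Csv .\privileged-group-adds.csv   -NoTypeInformation
```

Run it against each domain controller, not just one: a 4768 or 4728 event is written only on the DC that handled the request, so a single-DC query under-reports. A 90-day pull of 4768 from a busy DC is large; narrow the window or forward the Security logs to a central collector and query there instead.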