Demonstrating PCI Compliance Using Threat Stack

PCI Security Standards are technical and operational requirements set by the PCI Security Standards Council to protect cardholder data. Threat Stack customers frequently ask us how Threat Stack can help them comply with these two sets of requirements:

  • Requirement 10: Track and monitor all access to network resources and cardholder data (in other words, determine the who, what, where, and when)

  • Requirement 11: Regularly test security systems and processes (in order to continuously monitor and test security controls)

The good news is that the following Threat Stack features can provide significant benefits to customers who need to satisfy PCI Compliance Requirements 10 and 11:

  • Configuration Auditing
  • Vulnerability Scanning
  • Rules monitoring file integrity, logins, network access, and threat intelligence activity

In the remainder of this post, we’ll demonstrate how these can help you meet your PCI compliance and security goals.

Configuration Auditing

If you are hosting your infrastructure on AWS, running Threat Stack’s AWS Configuration Auditing feature (aka Config Audit) helps satisfy the PCI 11.2 requirement that a customer run regular internal and external network vulnerability scans to identify and assess vulnerabilities. You can help satisfy PCI compliance by remediating issues identified in Config Audit and/or by suppressing policies that do not apply to you.

You can add text to policy descriptions (see the bold text in the following examples), indicating how they support specific PCI requirements:


Vulnerability Scanning

So while Config Audit takes care of auditing your AWS infrastructure, running our vulnerability scans on instances (either on-premise or in the cloud) also helps satisfy the requirements of PCI 11.2 by helping to identify vulnerabilities that exist in specific packages that are installed on an instance.

Rules and Alerts

You can create a PCI rule set consisting of rules that help satisfy specific PCI requirements to monitor file integrity, logins, network access, and threat intelligence activity similar to the following:



The following are examples of alerts that can be generated by such rules:






Finally, you can use our webhooks integration to send alerts to a utility such as Zapier for reporting and/or archiving.

Final Words . . .

Again, this post shows how you can take advantage of the best practices that are incorporated into the Threat Stack platform to expedite your path to PCI compliance.

We encourage you to explore additional Threat Stack features and, if you are interested in learning more about Threat Stack’s ability to help with PCI compliance, please download a copy of our free Compliance Playbook for Cloud Infrastructure.