Does anybody know if HIPS needs to be implemented with a specific protection level or minimum configuration level to meet the PCI compliance requirements?
I don't, but I think the firewall component is the more relevant portion as far as PCI compliance goes. I have read a best practices guide, PD20796 - Adopting Host Intrusion Prevention - Best practices for quick success, that suggested referring to the product manual for information on defining and activating the firewall policies, but I have not looked into that further.
As the author of most of the content of that guide (and a poor reader of these fora) I can offer this additional advice:
Everyone should deploy Host IPS to Block High content. This will help with basic exploit prevention and improve security. However, that won't apply directly to any section of PCI. It might be a compensating control for some QSAs but generally it doesn't fulfill a specific section.
The firewall bits (generally section 1) can be interpreted in numerous ways. Most QSAs are happy with a datacenter surrounded by hardware firewall appliances. Many fast-food/retail stores/banks also use this approach since every store is part of its PCI network. However, a number of my customers also want a host-based firewall. In this regard Host IPS can clearly fulfill that role. I would ask that anyone testing the firewall start with Typical Corporate Sample. That isn't just some crappy policy formulated by dimwitted muppets as an afterthought. It started life to fulfill these exact requirements for a number of my customers. After about the 5th or 6th customer gave me the exact same business requirements, I wrote that sample to be included in the product. It is 95% complete and at a minimum it should not break a typical corporate PC (or register or kiosk or whatever). It is far from perfect, but my goal was to turn a marathon race into a walk around the block.
The most common error is to try to write your own firewall policies... especially for my customers who assume that firewall appliance policies should be similar (they definitely aren't). You need to break it up into manageable chunks. The second error is to know when to quit. The goal isn't to identify every little bitty app on your network. It is generally to just stop inbound traffic from talking on the riskier ports. Some folks might disagree with this philosophy, but this has worked for about 1+ million endpoints across several dozen customers of mine.
I always welcome feedback on it though.