Compliance Reports: Payment Card Industry (PCI)

Document created by RSA Information Design and Development on May 25, 2016. Last modified by RSA Information Design and Development on Nov 15, 2018.
Version 169

The Payment Card Industry (PCI) Data Security Standard applies to all payment card industry members, merchants, and service providers that store, process, or transmit payment cardholder data. Additionally, these security requirements apply to all "system components" - any network component, server, or application included in, or connected to, the cardholder data environment.

Dependencies

The PCI compliance reports have the following dependencies.

SA Rules:
  Accounts Created
  Accounts Deleted
  Accounts Modified
  Admin Access to Compliance Systems Details
  Admin Access to Compliance Systems Summary
  Antivirus Signature Update
  Change in Audit Settings
  Encryption Failures
  Encryption Key Generation and Changes
  Failed Escalation of Privileges Details
  Firewall Configuration Changes
  Firmware Changes on Wireless Devices
  Group Management
  Inbound Network Traffic
  Logon Failures Details
  Logon Failures Summary
  Outbound Network Traffic
  Password Changes
  Router Configuration Changes
  Successful Escalation of Privileges Details
  System Clock Synchronization
  User Access Revoked
  User Access to Compliance Systems Details
  User Access to Compliance Systems Summary
  User Session Terminated Summary

SA Lists:
  Administrative Users
  Compliance Systems

App Rules:
  account:created
  account:deleted
  account:modified
  account:logon-success
  av:signature-update
  config:change-audit-setting
  encryption:failures
  encryption:key-gen-and-changes
  access:privilege-escalation-failure
  config:fw-config-changes
  config:firmware-config-changes
  account:group-management
  alm:inbound-network-traffic
  account:logon-failure
  alm:outbound-network-traffic
  account:password-change
  config:router-change
  access:privilege-escalation-success
  alm:system-clock-synch
  access:user-access-revoked
  account:logout

Citations

Each PCI report rule cites the PCI DSS requirement it supports, as listed below.

Report Rule | Citation Number | Citation Description
Antivirus Signature Update | § 5.2 | Ensure that all antivirus mechanisms are current, actively running, and generating audit logs.
Access to Compliance Data - Detail | § 10.2.1 | All individual accesses to cardholder data.
Access to Compliance Data - Top 25 | § 10.2.1 | All individual accesses to cardholder data.
Accounts Created | § 8.5 | Ensure proper user identification and authentication management for non-consumer users and administrators on all system components.
Accounts Deleted | § 8.5 | Ensure proper user identification and authentication management for non-consumer users and administrators on all system components.
Accounts Modified | § 8.5 | Ensure proper user identification and authentication management for non-consumer users and administrators on all system components.
Admin Access to Compliance Systems - Detail | § 10.2.2 | All actions taken by any individual with root or administrative privileges.
Admin Access to Compliance Systems - Top 25 | § 10.2.2 | All actions taken by any individual with root or administrative privileges.
Change in Audit Settings | § 2.2.3 | Configure system security parameters to prevent misuse.
Encryption Failures | § 4 | Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Key Generation and Changes | § 4 | Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Escalation of Privileges - Detail | § 7.1 | Limit access to system components and cardholder data to only those individuals whose job requires such access.
Failed Escalation of Privileges - Top 25 | § 7.1 | Limit access to system components and cardholder data to only those individuals whose job requires such access.
Firewall Configuration Changes | § 6.4 | Follow change control processes and procedures for all changes to system components.
Firmware Changes Wireless Devices | § 6.4 | Follow change control processes and procedures for all changes to system components.
Group Management | § 7.1 | Limit access to system components and cardholder data to only those individuals whose job requires such access.
Inbound Network Traffic - Top 25 | § 1.2.1 | Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment.
Logon Failures - Detail | § 10.2.4 | Invalid logical access attempts.
Logon Failures - Top 25 | § 10.2.4 | Invalid logical access attempts.
Outbound Network Traffic - Top 25 | § 1.2.1 | Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment.
Password Changes - Detail | § 8.5 | Ensure proper user identification and authentication management for non-consumer users and administrators on all system components.
Password Changes - Top 25 | § 8.5 | Ensure proper user identification and authentication management for non-consumer users and administrators on all system components.
Router Configuration Changes | § 6.4 | Follow change control processes and procedures for all changes to system components.
System Clock Synchronization | § 10.4 | Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time.
User Access Revoked | § 8.5.4 | Immediately revoke access for any terminated users.
User Access to Compliance Systems - Detail | § 10.2.1 | Verify all individual access to cardholder data is logged.
User Access to Compliance Systems - Top 25 | § 10.2.1 | Verify all individual access to cardholder data is logged.
Account Management | § 8.5 | Ensure proper user identification and authentication management for non-consumer users and administrators on all system components.
User Session Terminated - Top 25 | § 8.5.15 | If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.
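The two tables above say which app-rule meta each report consumes and which PCI DSS requirement each report cites, but not how raw events become that meta or how a "Summary" / "Top 25" report rolls it up. The following is an added illustration, not code from the page or from the NetWitness product: it classifies a few constructed Windows Security events into the app-rule names listed under Dependencies and aggregates them per rule the way a Summary report does, tagging each roll-up with the citation from the table above. The event-ID-to-app-rule table is an assumption of this example (the product derives app-rule meta from its own parsers), and the pairing of app rule to report rule is read off the parallel ordering of the two dependency lists, which the page does not align row by row.

```python
import re
from collections import Counter, defaultdict

# Assumption of this example: which Windows Security event IDs feed which app
# rule. The product's own parsers decide this; the table only gives the roll-up
# below something realistic to consume.
EVENT_ID_TO_APP_RULE = {
    "4624": "account:logon-success",
    "4625": "account:logon-failure",
    "4634": "account:logout",
    "4719": "config:change-audit-setting",
    "4720": "account:created",
    "4723": "account:password-change",
    "4724": "account:password-change",
    "4726": "account:deleted",
    "4728": "account:group-management",
    "4738": "account:modified",
}

# Report rule and PCI DSS citation per app rule, read off the Dependencies and
# Citations tables on this page (the app-rule-to-report pairing is inferred
# from the ordering of the two lists, not stated by the page).
APP_RULE_TO_REPORT = {
    "account:logon-failure": ("Logon Failures Summary", "10.2.4"),
    "account:created": ("Accounts Created", "8.5"),
    "account:deleted": ("Accounts Deleted", "8.5"),
    "account:modified": ("Accounts Modified", "8.5"),
    "account:password-change": ("Password Changes", "8.5"),
    "account:group-management": ("Group Management", "7.1"),
    "config:change-audit-setting": ("Change in Audit Settings", "2.2.3"),
    "account:logout": ("User Session Terminated Summary", "8.5.15"),
}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one key=value event line into a dict (quoted values allowed)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def classify(event):
    """Return the app-rule name an event maps to, or None when no rule matches."""
    return EVENT_ID_TO_APP_RULE.get(event.get("EventID"))


def subject_of(event):
    # Account events name the account acted on; configuration changes name the actor.
    return event.get("TargetUserName") or event.get("SubjectUserName") or "<unknown>"


def summarize(lines, top_n=25):
    """Roll events up per app rule as a Summary / Top 25 report does.

    Returns ({app_rule: [(subject, count), ...]}, unmatched_count). Events no
    rule matches are counted rather than dropped, so a source the rules never
    cover shows up as a visible gap instead of silently vanishing from the report.
    """
    per_rule = defaultdict(Counter)
    unmatched = 0
    for line in lines:
        event = parse_event(line)
        rule = classify(event)
        if rule is None:
            unmatched += 1
            continue
        per_rule[rule][subject_of(event)] += 1
    return {rule: c.most_common(top_n) for rule, c in per_rule.items()}, unmatched


def report(summary, unmatched):
    """Render the roll-up with the report name and PCI citation for each rule."""
    out = []
    for rule, rows in sorted(summary.items()):
        name, cite = APP_RULE_TO_REPORT.get(rule, (rule, "n/a"))
        out.append(f"{name} (PCI DSS {cite}, app rule {rule})")
        for subject, count in rows:
            out.append(f"  {count:4d}  {subject}")
    out.append(f"unmatched events: {unmatched}")
    return "\n".join(out)


# Constructed sample events for the example; not captured from a real system.
SAMPLE_EVENTS = [
    "ts=2018-11-15T10:00:01Z host=DC01 EventID=4625 TargetUserName=svc_backup IpAddress=10.1.2.3",
    "ts=2018-11-15T10:00:02Z host=DC01 EventID=4625 TargetUserName=svc_backup IpAddress=10.1.2.3",
    "ts=2018-11-15T10:00:03Z host=DC01 EventID=4625 TargetUserName=svc_backup IpAddress=10.1.2.3",
    "ts=2018-11-15T10:00:04Z host=DC01 EventID=4625 TargetUserName=svc_backup IpAddress=10.1.2.3",
    "ts=2018-11-15T10:00:05Z host=DC01 EventID=4625 TargetUserName=svc_backup IpAddress=10.1.2.3",
    "ts=2018-11-15T10:01:00Z host=DC01 EventID=4625 TargetUserName=alice IpAddress=10.1.5.7",
    "ts=2018-11-15T10:01:10Z host=DC01 EventID=4625 TargetUserName=alice IpAddress=10.1.5.7",
    "ts=2018-11-15T10:01:20Z host=DC01 EventID=4624 TargetUserName=alice IpAddress=10.1.5.7",
    "ts=2018-11-15T10:05:00Z host=DC01 EventID=4720 SubjectUserName=bob TargetUserName=tmp_admin",
    "ts=2018-11-15T10:06:00Z host=DC01 EventID=4719 SubjectUserName=bob",
    "ts=2018-11-15T10:07:00Z host=DC01 EventID=5156 Application=\"C:\\svc\\agent.exe\"",
    "ts=2018-11-15T10:30:00Z host=DC01 EventID=4634 TargetUserName=alice",
]

if __name__ == "__main__":
    print(report(*summarize(SAMPLE_EVENTS)))
```

The unmatched counter is the check a practitioner wants when deploying these reports: a report that depends on account:logon-failure is only as complete as the parsers that produce that meta, and a source whose events never match any rule is a coverage gap the report itself will never reveal.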