PCI DSS Compliance Reports
What is the PCI DSS?
PCI DSS stands for Payment Card Industry Data Security Standard. It is a multifaceted
security standard that includes requirements for security management, policies,
procedures, network architecture, software design and other critical protective
measures. It represents a set of rules that businesses which process credit
cardholder information must adhere to, so that the data is protected. The PCI
Data Security Standard comprises 12 general requirements designed to:
- Build and maintain a secure network
- Protect cardholder data
- Ensure the maintenance of vulnerability management programs
- Implement strong access control measures
- Regularly monitor and test networks
- Ensure the maintenance of information security policies
This standard is governed by the PCI Security Standards Council:
https://www.pcisecuritystandards.org/
PCI DSS Compliance in Security Manager Plus
Security Manager Plus can help you weigh the effectiveness of your
organization's PCI DSS compliance efforts. It can scan your network for
vulnerabilities, determine whether your network security is compromised, and report
whether the systems are compliant or non-compliant with the Payment Card Industry
Data Security Standard (PCI DSS). Security Manager Plus enables corporate networks
to adhere to PCI DSS by assessing many key requirements of the PCI DSS and
furnishing compliance reports.
The PCI DSS Compliance report presents the violations in your network against
the requirements of the Payment Card Industry (PCI) Data Security Standard (DSS).
This report is generated using information provided by the "Payment Card Industry
Data Security Standard" available at
https://www.pcisecuritystandards.org/tech/index.htm.
PCI DSS Requirements covered in Security Manager Plus
- Section 2.1 : Always change vendor-supplied defaults before installing a
system on the network (for example, passwords, simple network management
protocol (SNMP) community strings, and elimination of unnecessary accounts)
- Section 2.2.1 : Implement only one primary function per server (for
example, web servers, database servers, and DNS should be implemented on
separate servers)
- Section 2.2.2 : Disable all unnecessary and insecure services and
protocols (services and protocols not directly needed to perform the devices'
specified function)
- Section 2.2.3 : Configure system security parameters to prevent misuse
- Section 2.3 : Encrypt all non-console administrative access. Use
technologies such as SSH, VPN, or SSL/TLS (transport layer security) for
web-based management and other non-console administrative access
- Section 4.1 : Use strong cryptography and security protocols such as
secure sockets layer (SSL) / transport layer security (TLS) and internet
protocol security (IPSEC) to safeguard sensitive cardholder data during
transmission over open, public networks. Examples of open, public networks
that are in scope of the PCI DSS are the Internet, WiFi (IEEE 802.11x), global
system for mobile communications (GSM), and general packet radio service (GPRS)
- Section 5.1.1 : Ensure that anti-virus programs are capable of detecting,
removing, and protecting against other forms of malicious software, including
spyware and adware.
- Section 5.2 : Ensure that all anti-virus mechanisms are current, actively
running, and capable of generating audit logs
- Section 6.1 : Ensure that all system components and software have the
latest vendor-supplied security patches installed. Install relevant security
patches within one month of release.
- Section 6.2 : Establish a process to identify newly discovered security
vulnerabilities (for example, subscribe to alert services freely available on
the Internet). Update standards to address new vulnerability issues.
- Section 6.5 : Develop all web applications based on secure coding
guidelines, such as the Open Web Application Security Project Guidelines.
Review custom application code to identify coding vulnerabilities. Cover
prevention of common coding vulnerabilities in software development processes,
to include the following:
  - 6.5.1 Unvalidated input,
  - 6.5.2 Broken access control (for example, malicious use of user IDs),
  - 6.5.3 Broken authentication and session management (use of account
  credentials and session cookies),
  - 6.5.4 Cross-site scripting (XSS) attacks,
  - 6.5.5 Buffer overflows,
  - 6.5.6 Injection flaws (for example, structured query language (SQL)
  injection),
  - 6.5.7 Improper error handling,
  - 6.5.8 Insecure storage,
  - 6.5.9 Denial of service,
  - 6.5.10 Insecure configuration management
- Section 11.2 : Run internal and external network vulnerability scans at
least quarterly and after any significant change in the network (such as new
system component installations, changes in network topology, firewall rule
modifications, product upgrades).
- Section 11.5 : Deploy file integrity monitoring software to alert
personnel to unauthorized modification of critical system or content files;
and configure the software to perform critical file comparisons at least
weekly.
- Section 12.2 : Develop daily operational security procedures that are
consistent with requirements in this specification (for example, user account
maintenance procedures, and log review procedures).
Accessing PCI DSS Compliance Report
PCI DSS Compliance reports in Security Manager Plus can be generated from
here:
- Asset Group - View the Asset Group Details screen for a particular asset
group, click on the Reports button in this view and choose the report type
"PCI DSS Compliance Report" from the list. You can generate PCI DSS Compliance
reports for all the sections defined in the PCI report template, or choose the
sections that you wish to generate the reports for from the drop-down provided.
- Reports tab - Click on the Reports tab; from the Compliance Reports
section, choose PCI DSS Compliance Report --> Generate Report and click
on it, select the asset groups displayed for which you need the report
to be generated, and click the Generate button.
Editing PCI DSS Compliance Report Template
The PCI DSS Compliance report in Security Manager Plus is governed by a
template. Using this template you can edit the properties (or reporting
criteria) for the report by choosing from the supported PCI DSS requirement
sections, and save them either as the same template or as a new report template.
This can be done from the Reports tab --> PCI DSS Compliance Report -->
Edit Template.
Copyright © 2010, ZOHO Corp. All Rights Reserved.