PCI-DSS 3.2 – Requirements
Control Description | Support | AIE Rules/Alerts | Investigations | Reports |
---|---|---|---|---|
1.1.1.a: Examine documented procedures to verify there is a formal process for testing and approval of all: - Network connections and - Changes to firewall and router configurations | Augment | N/A | PCI-DSS: Configuration/Policy Change Detail | PCI-DSS: Configuration/Policy Change Summary PCI-DSS: Configuration/Policy Change Details |
1.1.6.a: Verify that firewall and router configuration standards include a documented list of all services, protocols and ports, including business justification and approval for each. | Augment | N/A | PCI-DSS: Network Communication Detail | PCI-DSS: Non-Encrypted Protocol Summary PCI-DSS: Non-Encrypted Protocol Details |
1.1.6.b: Identify insecure services, protocols, and ports allowed; and verify that security features are documented for each service. | Direct | N/A | PCI-DSS: Network Communication Detail | PCI-DSS: Non-Encrypted Protocol Summary PCI-DSS: Non-Encrypted Protocol Details |
1.2.1.a: Examine firewall and router configuration standards to verify that they identify inbound and outbound traffic necessary for the cardholder data environment. | Augment | PCI-DSS: Denied CDE => Internet Comm AIE Rule PCI-DSS: Denied DMZ => Internal Comm AIE Rule PCI-DSS: Denied Inet => Intrn Comm AIE Rule PCI-DSS: Denied Internet => CDE Comm AIE Rule PCI-DSS: Denied Internet => DMZ Comm AIE Rule PCI-DSS: Denied Test => Internal Comm AIE Rule PCI-DSS: Denied Test => Internet Comm AIE Rule PCI-DSS: Denied Wireless => CDE Comm AIE Rule PCI-DSS: Invalid CDE => Internet Comm AIE Rule PCI-DSS: Invalid DMZ => Internal Comm AIE Rule PCI-DSS: Invalid Inet => Intrn Comm AIE Rule PCI-DSS: Invalid Internet => CDE Comm AIE Rule PCI-DSS: Invalid Internet => DMZ Comm AIE Rule PCI-DSS: Invalid Test => Internal Comm AIE Rule PCI-DSS: Invalid Test => Internet Comm AIE Rule | PCI-DSS: AIE Denied CDE => Internet Comm Detail PCI-DSS: AIE Denied DMZ => Internal Comm Detail PCI-DSS: AIE Denied Inet => Intrn Comm Detail PCI-DSS: AIE Denied Internet => CDE Comm Detail PCI-DSS: AIE Denied Internet => DMZ Comm Detail PCI-DSS: AIE Denied Test => Inet Comm Detail PCI-DSS: AIE Invalid CDE => Inet Comm Detail PCI-DSS: AIE Invalid DMZ => Internal Comm Detail PCI-DSS: AIE Invalid Inet => CDE Comm Detail PCI-DSS: AIE Invalid Inet => DMZ Comm Detail PCI-DSS: AIE Invalid Inet => Intrn Comm Detail PCI-DSS: AIE Invalid Test => Inet Comm Detail PCI-DSS: CDE Communication Detail PCI-DSS: Denied CDE => Internet Comm Detail PCI-DSS: Denied DMZ => Internal Comm Detail PCI-DSS: Denied Inet => Intrn Comm Detail PCI-DSS: Denied Internet => CDE Comm Detail PCI-DSS: Denied Internet => DMZ Comm Detail PCI-DSS: Denied Test => Internet Comm Detail PCI-DSS: DMZ Communication Detail PCI-DSS: Internet Communication Detail PCI-DSS: Invalid CDE => Internet Comm Detail PCI-DSS: Invalid DMZ => Internal Comm Detail PCI-DSS: Invalid Inet => Intrn Comm Detail PCI-DSS: Invalid Internet => CDE Comm Detail PCI-DSS: Invalid Internet => DMZ Comm Detail PCI-DSS: Invalid Test => Internet Comm Detail PCI-DSS: Network Communication Detail | PCI-DSS: AIE Denied CDE => Internet Comm Summary PCI-DSS: AIE Denied DMZ => Internal Comm Summary PCI-DSS: AIE Denied Inet => Intrn Comm Summary PCI-DSS: AIE Denied Internet => CDE Comm Summary PCI-DSS: AIE Denied Internet => DMZ Comm Summary PCI-DSS: AIE Denied Test => Internet Comm Summary PCI-DSS: AIE Invalid CDE => Internet Comm Summary PCI-DSS: AIE Invalid DMZ => Internal Comm Summary PCI-DSS: AIE Invalid Inet => Intrn Comm Summary PCI-DSS: AIE Invalid Internet => CDE Comm Summary PCI-DSS: AIE Invalid Internet => DMZ Comm Summary PCI-DSS: AIE Invalid Test => Internet Comm Summary PCI-DSS: Denied CDE => Internet Comm Summary PCI-DSS: Denied DMZ => Internal Comm Summary PCI-DSS: Denied Inet => Intrn Comm Summary PCI-DSS: Denied Internet => CDE Comm Summary PCI-DSS: Denied Internet => DMZ Comm Summary PCI-DSS: Denied Test => Internet Comm Summary PCI-DSS: Invalid CDE => Internet Comm Summary PCI-DSS: Invalid DMZ => Internal Comm Summary PCI-DSS: Invalid Inet => Intrn Comm Summary PCI-DSS: Invalid Internet => CDE Comm Summary PCI-DSS: Invalid Internet => DMZ Comm Summary PCI-DSS: Invalid Test => Internet Comm Summary PCI-DSS: Invalid Test => Internal Comm Summary PCI-DSS: AIE Denied CDE => Internet Comm Details PCI-DSS: AIE Denied DMZ => Internal Comm Details PCI-DSS: AIE Denied Inet => Intrn Comm Details PCI-DSS: AIE Denied Internet => CDE Comm Details PCI-DSS: AIE Denied Internet => DMZ Comm Details PCI-DSS: AIE Denied Test => Internet Comm Details PCI-DSS: AIE Invalid CDE => Internet Comm Details PCI-DSS: AIE Invalid DMZ => Internal Comm Details PCI-DSS: AIE Invalid Inet => Intrn Comm Details PCI-DSS: AIE Invalid Internet => CDE Comm Details PCI-DSS: AIE Invalid Internet => DMZ Comm Details PCI-DSS: AIE Invalid Test => Internet Comm Details PCI-DSS: Denied CDE => Internet Comm Details PCI-DSS: Denied DMZ => Internal Comm Details PCI-DSS: Denied Inet => Intrn Comm Details PCI-DSS: Denied Internet => CDE Comm Details PCI-DSS: Denied Internet => DMZ Comm Details PCI-DSS: Denied Test => Internet Comm Details PCI-DSS: Invalid CDE => Internet Comm Details PCI-DSS: Invalid DMZ => Internal Comm Details PCI-DSS: Invalid Inet => Intrn Comm Details PCI-DSS: Invalid Internet => CDE Comm Details PCI-DSS: Invalid Internet => DMZ Comm Details PCI-DSS: Invalid Test => Internet Comm Details PCI-DSS: AIE Denied Wireless => CDE Comm Details |
1.2.1.b: Examine firewall and router configurations to verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data environment. | Augment | PCI-DSS: Denied CDE => Internet Comm AIE Rule PCI-DSS: Denied DMZ => Internal Comm AIE Rule PCI-DSS: Denied Inet => Intrn Comm AIE Rule PCI-DSS: Denied Internet => CDE Comm AIE Rule PCI-DSS: Denied Internet => DMZ Comm AIE Rule PCI-DSS: Denied Test => Internal Comm AIE Rule PCI-DSS: Denied Test => Internet Comm AIE Rule PCI-DSS: Denied Wireless => CDE Comm AIE Rule PCI-DSS: Invalid CDE => Internet Comm AIE Rule PCI-DSS: Invalid DMZ => Internal Comm AIE Rule PCI-DSS: Invalid Inet => Intrn Comm AIE Rule PCI-DSS: Invalid Internet => CDE Comm AIE Rule PCI-DSS: Invalid Internet => DMZ Comm AIE Rule PCI-DSS: Invalid Test => Internal Comm AIE Rule PCI-DSS: Invalid Test => Internet Comm AIE Rule | PCI-DSS: AIE Denied CDE => Internet Comm Detail PCI-DSS: AIE Denied DMZ => Internal Comm Detail PCI-DSS: AIE Denied Inet => Intrn Comm Detail PCI-DSS: AIE Denied Internet => CDE Comm Detail PCI-DSS: AIE Denied Internet => DMZ Comm Detail PCI-DSS: AIE Denied Test => Inet Comm Detail PCI-DSS: AIE Invalid CDE => Inet Comm Detail PCI-DSS: AIE Invalid DMZ => Internal Comm Detail PCI-DSS: AIE Invalid Inet => CDE Comm Detail PCI-DSS: AIE Invalid Inet => DMZ Comm Detail PCI-DSS: AIE Invalid Inet => Intrn Comm Detail PCI-DSS: AIE Invalid Test => Inet Comm Detail PCI-DSS: CDE Communication Detail PCI-DSS: Denied CDE => Internet Comm Detail PCI-DSS: Denied DMZ => Internal Comm Detail PCI-DSS: Denied Inet => Intrn Comm Detail PCI-DSS: Denied Internet => CDE Comm Detail PCI-DSS: Denied Internet => DMZ Comm Detail PCI-DSS: Denied Test => Internet Comm Detail PCI-DSS: DMZ Communication Detail PCI-DSS: Internet Communication Detail PCI-DSS: Invalid CDE => Internet Comm Detail PCI-DSS: Invalid DMZ => Internal Comm Detail PCI-DSS: Invalid Inet => Intrn Comm Detail PCI-DSS: Invalid Internet => CDE Comm Detail PCI-DSS: Invalid Internet => DMZ Comm Detail PCI-DSS: Invalid Test => Internet Comm Detail PCI-DSS: Network Communication Detail | PCI-DSS: AIE Denied CDE => Internet Comm Summary PCI-DSS: AIE Denied DMZ => Internal Comm Summary PCI-DSS: AIE Denied Inet => Intrn Comm Summary PCI-DSS: AIE Denied Internet => CDE Comm Summary PCI-DSS: AIE Denied Internet => DMZ Comm Summary PCI-DSS: AIE Denied Test => Internet Comm Summary PCI-DSS: AIE Invalid CDE => Internet Comm Summary PCI-DSS: AIE Invalid DMZ => Internal Comm Summary PCI-DSS: AIE Invalid Inet => Intrn Comm Summary PCI-DSS: AIE Invalid Internet => CDE Comm Summary PCI-DSS: AIE Invalid Internet => DMZ Comm Summary PCI-DSS: AIE Invalid Test => Internet Comm Summary PCI-DSS: Denied CDE => Internet Comm Summary PCI-DSS: Denied DMZ => Internal Comm Summary PCI-DSS: Denied Inet => Intrn Comm Summary PCI-DSS: Denied Internet => CDE Comm Summary PCI-DSS: Denied Internet => DMZ Comm Summary PCI-DSS: Denied Test => Internet Comm Summary PCI-DSS: Invalid CDE => Internet Comm Summary PCI-DSS: Invalid DMZ => Internal Comm Summary PCI-DSS: Invalid Inet => Intrn Comm Summary PCI-DSS: Invalid Internet => CDE Comm Summary PCI-DSS: Invalid Internet => DMZ Comm Summary PCI-DSS: Invalid Test => Internet Comm Summary PCI-DSS: Invalid Test => Internal Comm Summary PCI-DSS: AIE Denied CDE => Internet Comm Details PCI-DSS: AIE Denied DMZ => Internal Comm Details PCI-DSS: AIE Denied Inet => Intrn Comm Details PCI-DSS: AIE Denied Internet => CDE Comm Details PCI-DSS: AIE Denied Internet => DMZ Comm Details PCI-DSS: AIE Denied Test => Internet Comm Details PCI-DSS: AIE Invalid CDE => Internet Comm Details PCI-DSS: AIE Invalid DMZ => Internal Comm Details PCI-DSS: AIE Invalid Inet => Intrn Comm Details PCI-DSS: AIE Invalid Internet => CDE Comm Details PCI-DSS: AIE Invalid Internet => DMZ Comm Details PCI-DSS: AIE Invalid Test => Internet Comm Details PCI-DSS: Denied CDE => Internet Comm Details PCI-DSS: Denied DMZ => Internal Comm Details PCI-DSS: Denied Inet => Intrn Comm Details PCI-DSS: Denied Internet => CDE Comm Details PCI-DSS: Denied Internet => DMZ Comm Details PCI-DSS: Denied Test => Internet Comm Details PCI-DSS: Invalid CDE => Internet Comm Details PCI-DSS: Invalid DMZ => Internal Comm Details PCI-DSS: Invalid Inet => Intrn Comm Details PCI-DSS: Invalid Internet => CDE Comm Details PCI-DSS: Invalid Internet => DMZ Comm Details PCI-DSS: Invalid Test => Internet Comm Details PCI-DSS: AIE Denied Wireless => CDE Comm Details |
1.2.1.c: Examine firewall and router configurations to verify that all other inbound and outbound traffic is specifically denied, for example by using an explicit “deny all” or an implicit deny after allow statement. | Augment | PCI-DSS: Denied CDE => Internet Comm AIE Rule PCI-DSS: Denied DMZ => Internal Comm AIE Rule PCI-DSS: Denied Inet => Intrn Comm AIE Rule PCI-DSS: Denied Internet => CDE Comm AIE Rule PCI-DSS: Denied Internet => DMZ Comm AIE Rule PCI-DSS: Denied Test => Internal Comm AIE Rule PCI-DSS: Denied Test => Internet Comm AIE Rule PCI-DSS: Denied Wireless => CDE Comm AIE Rule PCI-DSS: Invalid CDE => Internet Comm AIE Rule PCI-DSS: Invalid DMZ => Internal Comm AIE Rule PCI-DSS: Invalid Inet => Intrn Comm AIE Rule PCI-DSS: Invalid Internet => CDE Comm AIE Rule PCI-DSS: Invalid Internet => DMZ Comm AIE Rule PCI-DSS: Invalid Test => Internal Comm AIE Rule PCI-DSS: Invalid Test => Internet Comm AIE Rule | PCI-DSS: AIE Denied CDE => Internet Comm Detail PCI-DSS: AIE Denied DMZ => Internal Comm Detail PCI-DSS: AIE Denied Inet => Intrn Comm Detail PCI-DSS: AIE Denied Internet => CDE Comm Detail PCI-DSS: AIE Denied Internet => DMZ Comm Detail PCI-DSS: AIE Denied Test => Inet Comm Detail PCI-DSS: AIE Invalid CDE => Inet Comm Detail PCI-DSS: AIE Invalid DMZ => Internal Comm Detail PCI-DSS: AIE Invalid Inet => CDE Comm Detail PCI-DSS: AIE Invalid Inet => DMZ Comm Detail PCI-DSS: AIE Invalid Inet => Intrn Comm Detail PCI-DSS: AIE Invalid Test => Inet Comm Detail PCI-DSS: CDE Communication Detail PCI-DSS: Denied CDE => Internet Comm Detail PCI-DSS: Denied DMZ => Internal Comm Detail PCI-DSS: Denied Inet => Intrn Comm Detail PCI-DSS: Denied Internet => CDE Comm Detail PCI-DSS: Denied Internet => DMZ Comm Detail PCI-DSS: Denied Test => Internet Comm Detail PCI-DSS: DMZ Communication Detail PCI-DSS: Internet Communication Detail PCI-DSS: Invalid CDE => Internet Comm Detail PCI-DSS: Invalid DMZ => Internal Comm Detail PCI-DSS: Invalid Inet => Intrn Comm Detail PCI-DSS: Invalid Internet => CDE Comm Detail PCI-DSS: Invalid Internet => DMZ Comm Detail PCI-DSS: Invalid Test => Internet Comm Detail PCI-DSS: Network Communication Detail | PCI-DSS: AIE Denied CDE => Internet Comm Summary PCI-DSS: AIE Denied DMZ => Internal Comm Summary PCI-DSS: AIE Denied Inet => Intrn Comm Summary PCI-DSS: AIE Denied Internet => CDE Comm Summary PCI-DSS: AIE Denied Internet => DMZ Comm Summary PCI-DSS: AIE Denied Test => Internet Comm Summary PCI-DSS: AIE Invalid CDE => Internet Comm Summary PCI-DSS: AIE Invalid DMZ => Internal Comm Summary PCI-DSS: AIE Invalid Inet => Intrn Comm Summary PCI-DSS: AIE Invalid Internet => CDE Comm Summary PCI-DSS: AIE Invalid Internet => DMZ Comm Summary PCI-DSS: AIE Invalid Test => Internet Comm Summary PCI-DSS: Denied CDE => Internet Comm Summary PCI-DSS: Denied DMZ => Internal Comm Summary PCI-DSS: Denied Inet => Intrn Comm Summary PCI-DSS: Denied Internet => CDE Comm Summary PCI-DSS: Denied Internet => DMZ Comm Summary PCI-DSS: Denied Test => Internet Comm Summary PCI-DSS: Invalid CDE => Internet Comm Summary PCI-DSS: Invalid DMZ => Internal Comm Summary PCI-DSS: Invalid Inet => Intrn Comm Summary PCI-DSS: Invalid Internet => CDE Comm Summary PCI-DSS: Invalid Internet => DMZ Comm Summary PCI-DSS: Invalid Test => Internet Comm Summary PCI-DSS: Invalid Test => Internal Comm Summary PCI-DSS: AIE Denied CDE => Internet Comm Details PCI-DSS: AIE Denied DMZ => Internal Comm Details PCI-DSS: AIE Denied Inet => Intrn Comm Details PCI-DSS: AIE Denied Internet => CDE Comm Details PCI-DSS: AIE Denied Internet => DMZ Comm Details PCI-DSS: AIE Denied Test => Internet Comm Details PCI-DSS: AIE Invalid CDE => Internet Comm Details PCI-DSS: AIE Invalid DMZ => Internal Comm Details PCI-DSS: AIE Invalid Inet => Intrn Comm Details PCI-DSS: AIE Invalid Internet => CDE Comm Details PCI-DSS: AIE Invalid Internet => DMZ Comm Details PCI-DSS: AIE Invalid Test => Internet Comm Details PCI-DSS: Denied CDE => Internet Comm Details PCI-DSS: Denied DMZ => Internal Comm Details PCI-DSS: Denied Inet => Intrn Comm Details PCI-DSS: Denied Internet => CDE Comm Details PCI-DSS: Denied Internet => DMZ Comm Details PCI-DSS: Denied Test => Internet Comm Details PCI-DSS: Invalid CDE => Internet Comm Details PCI-DSS: Invalid DMZ => Internal Comm Details PCI-DSS: Invalid Inet => Intrn Comm Details PCI-DSS: Invalid Internet => CDE Comm Details PCI-DSS: Invalid Internet => DMZ Comm Details PCI-DSS: Invalid Test => Internet Comm Details PCI-DSS: AIE Denied Wireless => CDE Comm Details |
1.2.2.a: Examine router configuration files to verify they are secured from unauthorized access. | Augment | PCI-DSS: Firewall Policy Synch Information AIE Rule | PCI-DSS: Firewall Policy Synch Failure Detail | PCI-DSS: AIE Firewall Policy Synch Summary PCI-DSS: Firewall Policy Synch Activity Summary PCI-DSS: AIE Firewall Policy Synch Details PCI-DSS: Firewall Policy Synch Activity Details |
1.2.2.b: Examine router configurations to verify they are synchronized—for example, the running (or active) configuration matches the start-up configuration (used when machines are booted). | Augment | PCI-DSS: Firewall Policy Synch Information AIE Rule | PCI-DSS: Firewall Policy Synch Failure Detail | PCI-DSS: AIE Firewall Policy Synch Summary PCI-DSS: Firewall Policy Synch Activity Summary PCI-DSS: AIE Firewall Policy Synch Details PCI-DSS: Firewall Policy Synch Activity Details |
1.2.3.b: Verify that the firewalls deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment. | Augment | PCI-DSS: Denied Inet => Intrn Comm AIE Rule PCI-DSS: Invalid Inet => Intrn Comm AIE Rule | PCI-DSS: AIE Denied Inet => Intrn Comm Detail PCI-DSS: AIE Invalid Inet => Intrn Comm Detail PCI-DSS: Denied Inet => Intrn Comm Detail PCI-DSS: Internet Communication Detail PCI-DSS: Invalid Inet => Intrn Comm Detail PCI-DSS: Network Communication Detail | PCI-DSS: AIE Denied Inet => Intrn Comm Summary PCI-DSS: AIE Invalid Inet => Intrn Comm Summary PCI-DSS: Denied Inet => Intrn Comm Summary PCI-DSS: Invalid Inet => Intrn Comm Summary PCI-DSS: AIE Denied Inet => Intrn Comm Details PCI-DSS: AIE Invalid Inet => Intrn Comm Details PCI-DSS: Denied Inet => Intrn Comm Details PCI-DSS: Invalid Inet => Intrn Comm Details |
1.3.1: Examine firewall and router configurations to verify that a DMZ is implemented to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports. | Augment | PCI-DSS: Denied Inet => Intrn Comm AIE Rule PCI-DSS: Invalid Inet => Intrn Comm AIE Rule | PCI-DSS: AIE Denied Inet => Intrn Comm Detail PCI-DSS: AIE Invalid Inet => Intrn Comm Detail PCI-DSS: Denied Inet => Intrn Comm Detail PCI-DSS: Internet Communication Detail PCI-DSS: Invalid Inet => Intrn Comm Detail PCI-DSS: Network Communication Detail | PCI-DSS: AIE Denied Inet => Intrn Comm Summary PCI-DSS: AIE Invalid Inet => Intrn Comm Summary PCI-DSS: Denied Inet => Intrn Comm Summary PCI-DSS: Invalid Inet => Intrn Comm Summary PCI-DSS: AIE Denied Inet => Intrn Comm Details PCI-DSS: AIE Invalid Inet => Intrn Comm Details PCI-DSS: Denied Inet => Intrn Comm Details PCI-DSS: Invalid Inet => Intrn Comm Details |
1.3.2: Examine firewall and router configurations to verify that inbound Internet traffic is limited to IP addresses within the DMZ. | Augment | PCI-DSS: Denied Inet => Intrn Comm AIE Rule PCI-DSS: Invalid Inet => Intrn Comm AIE Rule | PCI-DSS: AIE Denied Inet => Intrn Comm Detail PCI-DSS: AIE Invalid Inet => Intrn Comm Detail PCI-DSS: Denied Inet => Intrn Comm Detail PCI-DSS: Internet Communication Detail PCI-DSS: Invalid Inet => Intrn Comm Detail PCI-DSS: Network Communication Detail | PCI-DSS: AIE Denied Inet => Intrn Comm Summary PCI-DSS: AIE Invalid Inet => Intrn Comm Summary PCI-DSS: Denied Inet => Intrn Comm Summary PCI-DSS: Invalid Inet => Intrn Comm Summary PCI-DSS: AIE Denied Inet => Intrn Comm Details PCI-DSS: AIE Invalid Inet => Intrn Comm Details PCI-DSS: Denied Inet => Intrn Comm Details PCI-DSS: Invalid Inet => Intrn Comm Details |
(PCI 3.1 - 1.3.3): Examine firewall and router configurations to verify direct connections inbound or outbound are not allowed for traffic between the Internet and the cardholder data environment. | Augment | PCI-DSS: Denied CDE => Internet Comm AIE Rule PCI-DSS: Denied DMZ => Internal Comm AIE Rule PCI-DSS: Denied Internet => CDE Comm AIE Rule PCI-DSS: Denied Internet => DMZ Comm AIE Rule PCI-DSS: Invalid CDE => Internet Comm AIE Rule PCI-DSS: Invalid DMZ => Internal Comm AIE Rule PCI-DSS: Invalid Internet => CDE Comm AIE Rule PCI-DSS: Invalid Internet => DMZ Comm AIE Rule | PCI-DSS: AIE Denied CDE => Internet Comm Detail PCI-DSS: AIE Denied DMZ => Internal Comm Detail PCI-DSS: AIE Denied Internet => CDE Comm Detail PCI-DSS: AIE Denied Internet => DMZ Comm Detail PCI-DSS: AIE Invalid CDE => Inet Comm Detail PCI-DSS: AIE Invalid DMZ => Internal Comm Detail PCI-DSS: AIE Invalid Inet => CDE Comm Detail PCI-DSS: AIE Invalid Inet => DMZ Comm Detail PCI-DSS: CDE Communication Detail PCI-DSS: Denied CDE => Internet Comm Detail PCI-DSS: Denied DMZ => Internal Comm Detail PCI-DSS: Denied Internet => CDE Comm Detail PCI-DSS: Denied Internet => DMZ Comm Detail PCI-DSS: DMZ Communication Detail PCI-DSS: Invalid CDE => Internet Comm Detail PCI-DSS: Invalid DMZ => Internal Comm Detail PCI-DSS: Invalid Internet => CDE Comm Detail PCI-DSS: Invalid Internet => DMZ Comm Detail PCI-DSS: Network Communication Detail | PCI-DSS: AIE Denied CDE => Internet Comm Summary PCI-DSS: AIE Denied DMZ => Internal Comm Summary PCI-DSS: AIE Denied Internet => CDE Comm Summary PCI-DSS: AIE Denied Internet => DMZ Comm Summary PCI-DSS: AIE Invalid CDE => Internet Comm Summary PCI-DSS: AIE Invalid DMZ => Internal Comm Summary PCI-DSS: AIE Invalid Internet => CDE Comm Summary PCI-DSS: AIE Invalid Internet => DMZ Comm Summary PCI-DSS: Denied CDE => Internet Comm Summary PCI-DSS: Denied DMZ => Internal Comm Summary PCI-DSS: Denied Internet => CDE Comm Summary PCI-DSS: Denied Internet => DMZ Comm Summary PCI-DSS: Invalid CDE => Internet Comm Summary PCI-DSS: Invalid DMZ => Internal Comm Summary PCI-DSS: Invalid Internet => CDE Comm Summary PCI-DSS: Invalid Internet => DMZ Comm Summary PCI-DSS: AIE Denied CDE => Internet Comm Details PCI-DSS: AIE Denied DMZ => Internal Comm Details PCI-DSS: AIE Denied Internet => CDE Comm Details PCI-DSS: AIE Denied Internet => DMZ Comm Details PCI-DSS: AIE Invalid CDE => Internet Comm Details PCI-DSS: AIE Invalid DMZ => Internal Comm Details PCI-DSS: AIE Invalid Internet => CDE Comm Details PCI-DSS: AIE Invalid Internet => DMZ Comm Details PCI-DSS: Denied CDE => Internet Comm Details PCI-DSS: Denied DMZ => Internal Comm Details PCI-DSS: Denied Internet => CDE Comm Details PCI-DSS: Denied Internet => DMZ Comm Details PCI-DSS: Invalid CDE => Internet Comm Details PCI-DSS: Invalid DMZ => Internal Comm Details PCI-DSS: Invalid Internet => CDE Comm Details PCI-DSS: Invalid Internet => DMZ Comm Details PCI-DSS: AIE Denied Wireless => CDE Comm Details |
1.3.3 (PCI 3.1 - 1.3.4): Examine firewall and router configurations to verify that anti-spoofing measures are implemented, for example internal addresses cannot pass from the Internet into the DMZ. | Augment | PCI-DSS: Denied DMZ => Internal Comm AIE Rule PCI-DSS: Denied Internet => DMZ Comm AIE Rule PCI-DSS: Invalid DMZ => Internal Comm AIE Rule PCI-DSS: Invalid Internet => DMZ Comm AIE Rule | PCI-DSS: AIE Denied DMZ => Internal Comm Detail PCI-DSS: AIE Invalid Inet => DMZ Comm Detail PCI-DSS: Denied CDE => Internet Comm Detail PCI-DSS: Denied DMZ => Internal Comm Detail PCI-DSS: Denied Internet => DMZ Comm Detail PCI-DSS: DMZ Communication Detail PCI-DSS: Invalid Internet => DMZ Comm Detail PCI-DSS: Network Communication Detail | PCI-DSS: AIE Denied DMZ => Internal Comm Summary PCI-DSS: AIE Denied Internet => DMZ Comm Summary PCI-DSS: AIE Invalid DMZ => Internal Comm Summary PCI-DSS: AIE Invalid Internet => DMZ Comm Summary PCI-DSS: Denied DMZ => Internal Comm Summary PCI-DSS: Denied Internet => DMZ Comm Summary PCI-DSS: Invalid DMZ => Internal Comm Summary PCI-DSS: Invalid Internet => DMZ Comm Summary PCI-DSS: AIE Denied DMZ => Internal Comm Details PCI-DSS: AIE Denied Internet => DMZ Comm Details PCI-DSS: AIE Invalid DMZ => Internal Comm Details PCI-DSS: AIE Invalid Internet => DMZ Comm Details PCI-DSS: Denied DMZ => Internal Comm Details PCI-DSS: Denied Internet => DMZ Comm Details PCI-DSS: Invalid DMZ => Internal Comm Details PCI-DSS: Invalid Internet => DMZ Comm Details |
1.3.4 (PCI 3.1 - 1.3.5): Examine firewall and router configurations to verify that outbound traffic from the cardholder data environment to the Internet is explicitly authorized. | Augment | PCI-DSS: Denied CDE => Internet Comm AIE Rule PCI-DSS: Denied Internet => CDE Comm AIE Rule PCI-DSS: Invalid CDE => Internet Comm AIE Rule PCI-DSS: Invalid Internet => CDE Comm AIE Rule | PCI-DSS: AIE Denied CDE => Internet Comm Detail PCI-DSS: AIE Denied Internet => CDE Comm Detail PCI-DSS: AIE Invalid CDE => Inet Comm Detail PCI-DSS: AIE Invalid Inet => CDE Comm Detail PCI-DSS: CDE Communication Detail PCI-DSS: Denied CDE => Internet Comm Detail PCI-DSS: Denied Internet => CDE Comm Detail PCI-DSS: Invalid CDE => Internet Comm Detail PCI-DSS: Invalid Internet => CDE Comm Detail PCI-DSS: Network Communication Detail | PCI-DSS: AIE Denied CDE => Internet Comm Summary PCI-DSS: AIE Denied Internet => CDE Comm Summary PCI-DSS: AIE Invalid CDE => Internet Comm Summary PCI-DSS: AIE Invalid Internet => CDE Comm Summary PCI-DSS: Denied CDE => Internet Comm Summary PCI-DSS: Denied Internet => CDE Comm Summary PCI-DSS: Invalid CDE => Internet Comm Summary PCI-DSS: Invalid Internet => CDE Comm Summary PCI-DSS: AIE Denied CDE => Internet Comm Details PCI-DSS: AIE Denied Internet => CDE Comm Details PCI-DSS: AIE Invalid CDE => Internet Comm Details PCI-DSS: AIE Invalid Internet => CDE Comm Details PCI-DSS: Denied CDE => Internet Comm Details PCI-DSS: Denied Internet => CDE Comm Details PCI-DSS: Invalid CDE => Internet Comm Details PCI-DSS: Invalid Internet => CDE Comm Details PCI-DSS: AIE Denied Wireless => CDE Comm Details |
1.4.a: Examine policies and configuration standards to verify: - Personal firewall software or equivalent functionality is required for all portable computing devices (including company and/or employee-owned) that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the CDE. - Specific configuration settings are defined for personal firewall (or equivalent functionality). - Personal firewall (or equivalent functionality) is configured to actively run. - Personal firewall (or equivalent functionality) is configured to not be alterable by users of the portable computing devices. | Augment | PCI-DSS: Host Firewall Information AIE Rule | PCI-DSS: Host Firewall Failure Detail | PCI-DSS: AIE Host Firewall Activity Summary PCI-DSS: Host Firewall Activity Summary PCI-DSS: AIE Host Firewall Activity Details PCI-DSS: Host Firewall Activity Details |
2.1.a: Choose a sample of system components, and attempt to log on (with system administrator help) to the devices and applications using default vendor- supplied accounts and passwords, to verify that ALL default passwords (including those on operating systems, software that provides security services, application and system accounts, POS terminals, and Simple Network Management Protocol (SNMP) community strings) have been changed. (Use vendor manuals and sources on the Internet to find vendor-supplied accounts/passwords.) | Direct | PCI-DSS: Invalid Account Usage AIE Rule | PCI-DSS: AIE Invalid Account Usage Detail PCI-DSS: Invalid Account Usage Detail | PCI-DSS: AIE Invalid Account Usage Summary PCI-DSS: Invalid Account Usage Summary PCI-DSS: AIE Invalid Account Usage Details PCI-DSS: Invalid Account Usage Details |
2.1.b: For the sample of system components, verify that all unnecessary default accounts (including accounts used by operating systems, security software, applications, systems, POS terminals, SNMP, etc.) are removed or disabled. | Direct | PCI-DSS: Invalid Account Usage AIE Rule | PCI-DSS: AIE Invalid Account Usage Detail PCI-DSS: Invalid Account Usage Detail | PCI-DSS: AIE Invalid Account Usage Summary PCI-DSS: Invalid Account Usage Summary PCI-DSS: AIE Invalid Account Usage Details PCI-DSS: Invalid Account Usage Details |
2.2.2.a: Select a sample of system components and inspect enabled system services, daemons, and protocols to verify that only necessary services or protocols are enabled. | Augment | PCI-DSS: Denied CDE => Internet Comm AIE Rule PCI-DSS: Denied DMZ => Internal Comm AIE Rule PCI-DSS: Denied Inet => Intrn Comm AIE Rule PCI-DSS: Denied Internet => CDE Comm AIE Rule PCI-DSS: Denied Internet => DMZ Comm AIE Rule PCI-DSS: Denied Intrn => Inet Comm AIE Rule PCI-DSS: Denied Intrn => Intrn Comm AIE Rule PCI-DSS: Denied Test => Internal Comm AIE Rule PCI-DSS: Denied Test => Internet Comm AIE Rule PCI-DSS: Denied Wireless => CDE Comm AIE Rule PCI-DSS: Invalid CDE => Internet Comm AIE Rule PCI-DSS: Invalid DMZ => Internal Comm AIE Rule PCI-DSS: Invalid Inet => Intrn Comm AIE Rule PCI-DSS: Invalid Internet => CDE Comm AIE Rule PCI-DSS: Invalid Internet => DMZ Comm AIE Rule PCI-DSS: Invalid Intrn => Inet Comm AIE Rule PCI-DSS: Invalid Intrn => Intrn Comm AIE Rule PCI-DSS: Invalid Test => Internal Comm AIE Rule PCI-DSS: Invalid Test => Internet Comm AIE Rule PCI-DSS: Invalid Wireless => CDE Comm AIE Rule | PCI-DSS: AIE Denied CDE => Internet Comm Detail PCI-DSS: AIE Denied DMZ => Internal Comm Detail PCI-DSS: AIE Denied Inet => Intrn Comm Detail PCI-DSS: AIE Denied Internet => CDE Comm Detail PCI-DSS: AIE Denied Internet => DMZ Comm Detail PCI-DSS: AIE Denied Intrn => Inet Comm Detail PCI-DSS: AIE Denied Intrn => Intrn Comm Detail PCI-DSS: AIE Denied Test => Inet Comm Detail PCI-DSS: AIE Denied Test => Intern Comm Detail PCI-DSS: AIE Denied Wireless => CDE Comm Detail PCI-DSS: AIE Invalid CDE => Inet Comm Detail PCI-DSS: AIE Invalid DMZ => Internal Comm Detail PCI-DSS: AIE Invalid Inet => CDE Comm Detail PCI-DSS: AIE Invalid Inet => DMZ Comm Detail PCI-DSS: AIE Invalid Inet => Intrn Comm Detail PCI-DSS: AIE Invalid Intrn => Inet Comm Detail PCI-DSS: AIE Invalid Intrn => Intrn Comm Detail PCI-DSS: AIE Invalid Test => Inet Comm Detail PCI-DSS: AIE Invalid Test => Intrn Comm Detail PCI-DSS: AIE Invalid Wless => CDE Comm Detail PCI-DSS: Application Access Detail PCI-DSS: CDE Communication Detail PCI-DSS: Denied CDE => Internet Comm Detail PCI-DSS: Denied DMZ => Internal Comm Detail PCI-DSS: Denied Inet => Intrn Comm Detail PCI-DSS: Denied Internet => CDE Comm Detail PCI-DSS: Denied Internet => DMZ Comm Detail PCI-DSS: Denied Intrn => Inet Comm Detail PCI-DSS: Denied Intrn => Intrn Comm Detail PCI-DSS: Denied Test => Internal Comm Detail PCI-DSS: Denied Test => Internet Comm Detail PCI-DSS: Denied Wireless => CDE Comm Detail PCI-DSS: DMZ Communication Detail PCI-DSS: Internal Communication Detail PCI-DSS: Internet Communication Detail PCI-DSS: Invalid CDE => Internet Comm Detail PCI-DSS: Invalid DMZ => Internal Comm Detail PCI-DSS: Invalid Inet => Intrn Comm Detail PCI-DSS: Invalid Internet => CDE Comm Detail PCI-DSS: Invalid Internet => DMZ Comm Detail PCI-DSS: Invalid Intrn => Inet Comm Detail PCI-DSS: Invalid Intrn => Intrn Comm Detail PCI-DSS: Invalid Test => Internal Comm Detail PCI-DSS: Invalid Test => Internet Comm Detail PCI-DSS: Invalid Wireless => CDE Comm Detail PCI-DSS: Network Communication Detail PCI-DSS: Test Communication Detail PCI-DSS: Wireless Communication Detail | PCI-DSS: AIE Denied CDE => Internet Comm Summary PCI-DSS: AIE Denied DMZ => Internal Comm Summary PCI-DSS: AIE Denied Inet => Intrn Comm Summary PCI-DSS: AIE Denied Internet => CDE Comm Summary PCI-DSS: AIE Denied Internet => DMZ Comm Summary PCI-DSS: AIE Denied Intrn => Inet Comm Summary PCI-DSS: AIE Denied Intrn => Intrn Comm Summary PCI-DSS: AIE Denied Test => Internal Comm Summary PCI-DSS: AIE Denied Test => Internet Comm Summary PCI-DSS: AIE Denied Wireless => CDE Comm Summary PCI-DSS: AIE Invalid CDE => Internet Comm Summary PCI-DSS: AIE Invalid DMZ => Internal Comm Summary PCI-DSS: AIE Invalid Inet => Intrn Comm Summary PCI-DSS: AIE Invalid Internet => CDE Comm Summary PCI-DSS: AIE Invalid Internet => DMZ Comm Summary PCI-DSS: AIE Invalid Intrn => Inet Comm Summary PCI-DSS: AIE Invalid Intrn => Intrn Comm Summary PCI-DSS: AIE Invalid Test => Internal Comm Summary PCI-DSS: AIE Invalid Test => Internet Comm Summary PCI-DSS: AIE Invalid Wireless => CDE Comm Summary PCI-DSS: Denied CDE => Internet Comm Summary PCI-DSS: Denied DMZ => Internal Comm Summary PCI-DSS: Denied Inet => Intrn Comm Summary PCI-DSS: Denied Internet => CDE Comm Summary PCI-DSS: Denied Internet => DMZ Comm Summary PCI-DSS: Denied Intrn => Inet Comm Summary PCI-DSS: Denied Intrn => Intrn Comm Summary PCI-DSS: Denied Test => Internal Comm Summary PCI-DSS: Denied Test => Internet Comm Summary PCI-DSS: Denied Wireless => CDE Comm Summary PCI-DSS: Invalid CDE => Internet Comm Summary PCI-DSS: Invalid DMZ => Internal Comm Summary PCI-DSS: Invalid Inet => Intrn Comm Summary PCI-DSS: Invalid Internet => CDE Comm Summary PCI-DSS: Invalid Internet => DMZ Comm Summary PCI-DSS: Invalid Intrn => Inet Comm Summary PCI-DSS: Invalid Intrn => Intrn Comm Summary PCI-DSS: Invalid Test => Internal Comm Summary PCI-DSS: Invalid Test => Internet Comm Summary PCI-DSS: Invalid Wireless => CDE Comm Summary PCI-DSS: AIE Denied CDE => Internet Comm Details PCI-DSS: AIE Denied DMZ => Internal Comm Details PCI-DSS: AIE Denied Inet => Intrn Comm Details PCI-DSS: AIE Denied Internet => CDE Comm Details PCI-DSS: AIE Denied Internet => DMZ Comm Details PCI-DSS: AIE Denied Intrn => Inet Comm Details PCI-DSS: AIE Denied Intrn => Intrn Comm Details PCI-DSS: AIE Denied Test => Internal Comm Details PCI-DSS: AIE Denied Test => Internet Comm Details PCI-DSS: AIE Denied Wireless => CDE Comm Details PCI-DSS: AIE Invalid CDE => Internet Comm Details PCI-DSS: AIE Invalid DMZ => Internal Comm Details PCI-DSS: AIE Invalid Inet => Intrn Comm Details PCI-DSS: AIE Invalid Internet => CDE Comm Details PCI-DSS: AIE Invalid Internet => DMZ Comm Details PCI-DSS: AIE Invalid Intrn => Inet Comm Details PCI-DSS: AIE Invalid Intrn => Intrn Comm Details PCI-DSS: AIE Invalid Test => Internal Comm Details PCI-DSS: AIE Invalid Test => Internet Comm Details PCI-DSS: AIE Invalid Wireless => CDE Comm Details PCI-DSS: Denied CDE => Internet Comm Details PCI-DSS: Denied DMZ => Internal Comm Details PCI-DSS: Denied Inet => Intrn Comm Details PCI-DSS: Denied Internet => CDE Comm Details PCI-DSS: Denied Internet => DMZ Comm Details PCI-DSS: Denied Intrn => Inet Comm Details PCI-DSS: Denied Intrn => Intrn Comm Details PCI-DSS: Denied Test => Internal Comm Details PCI-DSS: Denied Test => Internet Comm Details PCI-DSS: Denied Wireless => CDE Comm Details PCI-DSS: Invalid CDE => Internet Comm Details PCI-DSS: Invalid DMZ => Internal Comm Details PCI-DSS: Invalid Inet => Intrn Comm Details PCI-DSS: Invalid Internet => CDE Comm Details PCI-DSS: Invalid Internet => DMZ Comm Details PCI-DSS: Invalid Intrn => Inet Comm Details PCI-DSS: Invalid Intrn => Intrn Comm Details PCI-DSS: Invalid Test => Internal Comm Details PCI-DSS: Invalid Test => Internet Comm Details PCI-DSS: Invalid Wireless => CDE Comm Details |
2.2.2.b: Identify any enabled insecure services, daemons, or protocols and interview personnel to verify they are justified per documented configuration standards. | Augment | PCI-DSS: Denied CDE => Internet Comm AIE Rule PCI-DSS: Denied DMZ => Internal Comm AIE Rule PCI-DSS: Denied Inet => Intrn Comm AIE Rule PCI-DSS: Denied Internet => CDE Comm AIE Rule PCI-DSS: Denied Internet => DMZ Comm AIE Rule PCI-DSS: Denied Intrn => Inet Comm AIE Rule PCI-DSS: Denied Intrn => Intrn Comm AIE Rule PCI-DSS: Denied Test => Internal Comm AIE Rule PCI-DSS: Denied Test => Internet Comm AIE Rule PCI-DSS: Denied Wireless => CDE Comm AIE Rule PCI-DSS: Invalid CDE => Internet Comm AIE Rule PCI-DSS: Invalid DMZ => Internal Comm AIE Rule PCI-DSS: Invalid Inet => Intrn Comm AIE Rule PCI-DSS: Invalid Internet => CDE Comm AIE Rule PCI-DSS: Invalid Internet => DMZ Comm AIE Rule PCI-DSS: Invalid Intrn => Inet Comm AIE Rule PCI-DSS: Invalid Intrn => Intrn Comm AIE Rule PCI-DSS: Invalid Test => Internal Comm AIE Rule PCI-DSS: Invalid Test => Internet Comm AIE Rule PCI-DSS: Invalid Wireless => CDE Comm AIE Rule | PCI-DSS: AIE Denied CDE => Internet Comm Detail PCI-DSS: AIE Denied DMZ => Internal Comm Detail PCI-DSS: AIE Denied Inet => Intrn Comm Detail PCI-DSS: AIE Denied Internet => CDE Comm Detail PCI-DSS: AIE Denied Internet => DMZ Comm Detail PCI-DSS: AIE Denied Intrn => Inet Comm Detail PCI-DSS: AIE Denied Intrn => Intrn Comm Detail PCI-DSS: AIE Denied Test => Inet Comm Detail PCI-DSS: AIE Denied Test => Intern Comm Detail PCI-DSS: AIE Denied Wireless => CDE Comm Detail PCI-DSS: AIE Invalid CDE => Inet Comm Detail PCI-DSS: AIE Invalid DMZ => Internal Comm Detail PCI-DSS: AIE Invalid Inet => CDE Comm Detail PCI-DSS: AIE Invalid Inet => DMZ Comm Detail PCI-DSS: AIE Invalid Inet => Intrn Comm Detail PCI-DSS: AIE Invalid Intrn => Inet Comm Detail PCI-DSS: AIE Invalid Intrn => Intrn Comm Detail PCI-DSS: AIE Invalid Test => Inet Comm Detail PCI-DSS: AIE Invalid Test => Intrn Comm Detail PCI-DSS: AIE Invalid Wless => CDE Comm Detail PCI-DSS: Application Access Detail PCI-DSS: CDE Communication Detail PCI-DSS: Denied CDE => Internet Comm Detail PCI-DSS: Denied DMZ => Internal Comm Detail PCI-DSS: Denied Inet => Intrn Comm Detail PCI-DSS: Denied Internet => CDE Comm Detail PCI-DSS: Denied Internet => DMZ Comm Detail PCI-DSS: Denied Intrn => Inet Comm Detail PCI-DSS: Denied Intrn => Intrn Comm Detail PCI-DSS: Denied Test => Internal Comm Detail PCI-DSS: Denied Test => Internet Comm Detail PCI-DSS: Denied Wireless => CDE Comm Detail PCI-DSS: DMZ Communication Detail PCI-DSS: Internal Communication Detail PCI-DSS: Internet Communication Detail PCI-DSS: Invalid CDE => Internet Comm Detail PCI-DSS: Invalid DMZ => Internal Comm Detail PCI-DSS: Invalid Inet => Intrn Comm Detail PCI-DSS: Invalid Internet => CDE Comm Detail PCI-DSS: Invalid Internet => DMZ Comm Detail PCI-DSS: Invalid Intrn => Inet Comm Detail PCI-DSS: Invalid Intrn => Intrn Comm Detail PCI-DSS: Invalid Test => Internal Comm Detail PCI-DSS: Invalid Test => Internet Comm Detail PCI-DSS: Invalid Wireless => CDE Comm Detail PCI-DSS: Network Communication Detail PCI-DSS: Test Communication Detail PCI-DSS: Wireless Communication Detail | PCI-DSS: AIE Denied CDE => Internet Comm Summary PCI-DSS: AIE Denied DMZ => Internal Comm Summary PCI-DSS: AIE Denied Inet => Intrn Comm Summary PCI-DSS: AIE Denied Internet => CDE Comm Summary PCI-DSS: AIE Denied Internet => DMZ Comm Summary PCI-DSS: AIE Denied Intrn => Inet Comm Summary PCI-DSS: AIE Denied Intrn => Intrn Comm Summary PCI-DSS: AIE Denied Test => Internal Comm Summary PCI-DSS: AIE Denied Test => Internet Comm Summary PCI-DSS: AIE Denied Wireless => CDE Comm Summary PCI-DSS: AIE Invalid CDE => Internet Comm Summary PCI-DSS: AIE Invalid DMZ => Internal Comm Summary PCI-DSS: AIE Invalid Inet => Intrn Comm Summary PCI-DSS: AIE Invalid Internet => CDE Comm Summary PCI-DSS: AIE Invalid Internet => DMZ Comm Summary PCI-DSS: AIE Invalid Intrn => Inet Comm Summary PCI-DSS: AIE Invalid Intrn => Intrn Comm Summary PCI-DSS: AIE Invalid Test => Internal Comm Summary PCI-DSS: AIE Invalid Test => Internet Comm Summary PCI-DSS: AIE Invalid Wireless => CDE Comm Summary PCI-DSS: Denied CDE => Internet Comm Summary PCI-DSS: Denied DMZ => Internal Comm Summary PCI-DSS: Denied Inet => Intrn Comm Summary PCI-DSS: Denied Internet => CDE Comm Summary PCI-DSS: Denied Internet => DMZ Comm Summary PCI-DSS: Denied Intrn => Inet Comm Summary PCI-DSS: Denied Intrn => Intrn Comm Summary PCI-DSS: Denied Test => Internal Comm Summary PCI-DSS: Denied Test => Internet Comm Summary PCI-DSS: Denied Wireless => CDE Comm Summary PCI-DSS: Invalid CDE => Internet Comm Summary PCI-DSS: Invalid DMZ => Internal Comm Summary PCI-DSS: Invalid Inet => Intrn Comm Summary PCI-DSS: Invalid Internet => CDE Comm Summary PCI-DSS: Invalid Internet => DMZ Comm Summary PCI-DSS: Invalid Intrn => Inet Comm Summary PCI-DSS: Invalid Intrn => Intrn Comm Summary PCI-DSS: Invalid Test => Internal Comm Summary PCI-DSS: Invalid Test => Internet Comm Summary PCI-DSS: Invalid Wireless => CDE Comm Summary PCI-DSS: AIE Denied CDE => Internet Comm Details PCI-DSS: AIE Denied DMZ => Internal Comm Details PCI-DSS: AIE Denied Inet => Intrn Comm Details PCI-DSS: AIE Denied Internet => CDE Comm Details PCI-DSS: AIE Denied Internet => DMZ Comm Details PCI-DSS: AIE Denied Intrn => Inet Comm Details PCI-DSS: AIE Denied Intrn => Intrn Comm Details PCI-DSS: AIE Denied Test => Internal Comm Details PCI-DSS: AIE Denied Test => Internet Comm Details PCI-DSS: AIE Denied Wireless => CDE Comm Details PCI-DSS: AIE Invalid CDE => Internet Comm Details PCI-DSS: AIE Invalid DMZ => Internal Comm Details PCI-DSS: AIE Invalid Inet => Intrn Comm Details PCI-DSS: AIE Invalid Internet => CDE Comm Details PCI-DSS: AIE Invalid Internet => DMZ Comm Details PCI-DSS: AIE Invalid Intrn => Inet Comm Details PCI-DSS: AIE Invalid Intrn => Intrn Comm Details PCI-DSS: AIE Invalid Test => Internal Comm Details PCI-DSS: AIE Invalid Test => Internet Comm Details PCI-DSS: AIE Invalid Wireless => CDE Comm Details PCI-DSS: Denied CDE => Internet Comm Details PCI-DSS: Denied DMZ => Internal Comm Details PCI-DSS: Denied Inet => Intrn Comm Details PCI-DSS: Denied Internet => CDE Comm Details PCI-DSS: Denied Internet => DMZ Comm Details PCI-DSS: Denied Intrn => Inet Comm Details PCI-DSS: Denied Intrn => Intrn Comm Details PCI-DSS: Denied Test => Internal Comm Details PCI-DSS: Denied Test => Internet Comm Details PCI-DSS: Denied Wireless => CDE Comm Details PCI-DSS: Invalid CDE => Internet Comm Details PCI-DSS: Invalid DMZ => Internal Comm Details PCI-DSS: Invalid Inet => Intrn Comm Details PCI-DSS: Invalid Internet => CDE Comm Details PCI-DSS: Invalid Internet => DMZ Comm Details PCI-DSS: Invalid Intrn => Inet Comm Details PCI-DSS: Invalid Intrn => Intrn Comm Details PCI-DSS: Invalid Test => Internal Comm Details PCI-DSS: Invalid Test => Internet Comm Details PCI-DSS: Invalid Wireless => CDE Comm Details |
2.2.3.a: Inspect configuration settings to verify that security features are documented and implemented for all insecure services, daemons, or protocols. | Augment | PCI-DSS: TLS Activity PCI-DSS: SSL Activity | PCI-DSS: TLS/SSL Activity | PCI-DSS: TLS/SSL Summary PCI-DSS: Early TLS/SSL Version Summary PCI-DSS: TLS/SSL Detail PCI-DSS: Early TLS/SSL Version Detail |
2.2.3.b: If SSL/early TLS is used, perform testing procedures in Appendix A2: Additional PCI DSS Requirements for Entities using SSL/Early TLS. | Augment | PCI-DSS: TLS Activity PCI-DSS: SSL Activity | PCI-DSS: TLS/SSL Activity | PCI-DSS: TLS/SSL Summary PCI-DSS: Early TLS/SSL Version Summary PCI-DSS: TLS/SSL Detail PCI-DSS: Early TLS/SSL Version Detail |
2.3.b: Review services and parameter files on systems to determine that Telnet and other insecure remote-login commands are not available for non-console access. | Augment | PCI-DSS: Denied Intrn => Inet Comm AIE Rule PCI-DSS: Denied Intrn => Intrn Comm AIE Rule PCI-DSS: Invalid Intrn => Inet Comm AIE Rule PCI-DSS: Invalid Intrn => Intrn Comm AIE Rule | PCI-DSS: AIE Denied Intrn => Inet Comm Detail PCI-DSS: AIE Denied Intrn => Intrn Comm Detail PCI-DSS: AIE Invalid Intrn => Inet Comm Detail PCI-DSS: AIE Invalid Intrn => Intrn Comm Detail PCI-DSS: Application Access Detail PCI-DSS: Denied Intrn => Inet Comm Detail PCI-DSS: Denied Intrn => Intrn Comm Detail PCI-DSS: Internal Communication Detail PCI-DSS: Invalid Intrn => Inet Comm Detail PCI-DSS: Invalid Intrn => Intrn Comm Detail | PCI-DSS: AIE Denied Intrn => Inet Comm Summary PCI-DSS: AIE Denied Intrn => Intrn Comm Summary PCI-DSS: AIE Invalid Intrn => Inet Comm Summary PCI-DSS: AIE Invalid Intrn => Intrn Comm Summary PCI-DSS: Denied Intrn => Inet Comm Summary PCI-DSS: Denied Intrn => Intrn Comm Summary PCI-DSS: Invalid Intrn => Inet Comm Summary PCI-DSS: Invalid Intrn => Intrn Comm Summary PCI-DSS: Non-Encrypted Protocol Summary PCI-DSS: AIE Denied Intrn => Inet Comm Details PCI-DSS: AIE Denied Intrn => Intrn Comm Details PCI-DSS: AIE Invalid Intrn => Inet Comm Details PCI-DSS: AIE Invalid Intrn => Intrn Comm Details PCI-DSS: Denied Intrn => Inet Comm Details PCI-DSS: Denied Intrn => Intrn Comm Details PCI-DSS: Invalid Intrn => Inet Comm Details PCI-DSS: Invalid Intrn => Intrn Comm Details PCI-DSS: Non-Encrypted Protocol Details |
2.3.e: If SSL/early TLS is used, perform testing procedures in Appendix A2: Additional PCI DSS Requirements for Entities using SSL/Early TLS. | Augment | PCI-DSS: TLS Activity PCI-DSS: SSL Activity | PCI-DSS: TLS/SSL Activity | PCI-DSS: TLS/SSL Summary PCI-DSS: Early TLS/SSL Version Summary PCI-DSS: TLS/SSL Detail PCI-DSS: Early TLS/SSL Version Detail |
3.6.7.a: Verify that key-management procedures specify processes to prevent unauthorized substitution of keys. | Augment | PCI-DSS: FIM Add Activity AIE Rule PCI-DSS: FIM Delete Activity AIE Rule PCI-DSS: FIM Group Change Activity AIE Rule PCI-DSS: FIM Modify Activity AIE Rule PCI-DSS: FIM Owner Change Activity AIE Rule PCI-DSS: FIM Permission Activity AIE Rule | PCI-DSS: AIE FIM ADD/Delete/Mod Activity Detail PCI-DSS: AIE FIM Permission Change Detail PCI-DSS: FIM Activity Detail PCI-DSS: FIM ADD/Delete/Mod Activity Detail PCI-DSS: FIM Permission Change Detail | PCI-DSS: AIE FIM Activity Summary PCI-DSS: FIM Activity Summary PCI-DSS: AIE FIM Activity Details PCI-DSS: FIM Activity Details |
4.1.c: Select and observe a sample of inbound and outbound transmissions as they occur to verify that all cardholder data is encrypted with strong cryptography during transit. | Augment | PCI-DSS: Denied Intrn => Inet Comm AIE Rule PCI-DSS: Denied Intrn => Intrn Comm AIE Rule PCI-DSS: Invalid Intrn => Inet Comm AIE Rule PCI-DSS: Invalid Intrn => Intrn Comm AIE Rule | PCI-DSS: AIE Denied Intrn => Inet Comm Detail PCI-DSS: AIE Denied Intrn => Intrn Comm Detail PCI-DSS: AIE Invalid Intrn => Inet Comm Detail PCI-DSS: AIE Invalid Intrn => Intrn Comm Detail PCI-DSS: Application Access Detail PCI-DSS: Denied Intrn => Inet Comm Detail PCI-DSS: Denied Intrn => Intrn Comm Detail PCI-DSS: Internal Communication Detail PCI-DSS: Invalid Intrn => Inet Comm Detail PCI-DSS: Invalid Intrn => Intrn Comm Detail | PCI-DSS: AIE Denied Intrn => Inet Comm Summary PCI-DSS: AIE Denied Intrn => Intrn Comm Summary PCI-DSS: AIE Invalid Intrn => Inet Comm Summary PCI-DSS: AIE Invalid Intrn => Intrn Comm Summary PCI-DSS: Denied Intrn => Inet Comm Summary PCI-DSS: Denied Intrn => Intrn Comm Summary PCI-DSS: Invalid Intrn => Inet Comm Summary PCI-DSS: Invalid Intrn => Intrn Comm Summary PCI-DSS: Non-Encrypted Protocol Summary PCI-DSS: AIE Denied Intrn => Inet Comm Details PCI-DSS: AIE Denied Intrn => Intrn Comm Details PCI-DSS: AIE Invalid Intrn => Inet Comm Details PCI-DSS: AIE Invalid Intrn => Intrn Comm Details PCI-DSS: Denied Intrn => Inet Comm Details PCI-DSS: Denied Intrn => Intrn Comm Details PCI-DSS: Invalid Intrn => Inet Comm Details PCI-DSS: Invalid Intrn => Intrn Comm Details PCI-DSS: Non-Encrypted Protocol Details |
4.1.f: Examine system configurations to verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.) | Augment | PCI-DSS: Denied Intrn => Inet Comm AIE Rule PCI-DSS: Denied Intrn => Intrn Comm AIE Rule PCI-DSS: Invalid Intrn => Inet Comm AIE Rule PCI-DSS: Invalid Intrn => Intrn Comm AIE Rule | PCI-DSS: AIE Denied Intrn => Inet Comm Detail PCI-DSS: AIE Denied Intrn => Intrn Comm Detail PCI-DSS: AIE Invalid Intrn => Inet Comm Detail PCI-DSS: AIE Invalid Intrn => Intrn Comm Detail PCI-DSS: Application Access Detail PCI-DSS: Denied Intrn => Inet Comm Detail PCI-DSS: Denied Intrn => Intrn Comm Detail PCI-DSS: Internal Communication Detail PCI-DSS: Invalid Intrn => Inet Comm Detail PCI-DSS: Invalid Intrn => Intrn Comm Detail | PCI-DSS: AIE Denied Intrn => Inet Comm Summary PCI-DSS: AIE Denied Intrn => Intrn Comm Summary PCI-DSS: AIE Invalid Intrn => Inet Comm Summary PCI-DSS: AIE Invalid Intrn => Intrn Comm Summary PCI-DSS: Denied Intrn => Inet Comm Summary PCI-DSS: Denied Intrn => Intrn Comm Summary PCI-DSS: Invalid Intrn => Inet Comm Summary PCI-DSS: Invalid Intrn => Intrn Comm Summary PCI-DSS: Non-Encrypted Protocol Summary PCI-DSS: AIE Denied Intrn => Inet Comm Details PCI-DSS: AIE Denied Intrn => Intrn Comm Details PCI-DSS: AIE Invalid Intrn => Inet Comm Details PCI-DSS: AIE Invalid Intrn => Intrn Comm Details PCI-DSS: Denied Intrn => Inet Comm Details PCI-DSS: Denied Intrn => Intrn Comm Details PCI-DSS: Invalid Intrn => Inet Comm Details PCI-DSS: Invalid Intrn => Intrn Comm Details PCI-DSS: Non-Encrypted Protocol Details |
4.1.g: For TLS implementations, examine system configurations to verify that TLS is enabled whenever cardholder data is transmitted or received. For example, for browser-based implementations: - “HTTPS” appears as the browser Universal Record Locator (URL) protocol | Augment | PCI-DSS: TLS Activity PCI-DSS: SSL Activity | PCI-DSS: TLS/SSL Activity | PCI-DSS: TLS/SSL Summary PCI-DSS: Early TLS/SSL Version Summary PCI-DSS: TLS/SSL Detail PCI-DSS: Early TLS/SSL Version Detail |
4.1.h: If SSL/early TLS is used, perform testing procedures in Appendix A2: Additional PCI DSS Requirements for Entities using SSL/Early TLS. | Augment | PCI-DSS: TLS Activity PCI-DSS: SSL Activity | PCI-DSS: TLS/SSL Activity | PCI-DSS: TLS/SSL Summary PCI-DSS: Early TLS/SSL Version Summary PCI-DSS: TLS/SSL Detail PCI-DSS: Early TLS/SSL Version Detail |
5.1: For a sample of system components including all operating system types commonly affected by malicious software, verify that anti-virus software is deployed if applicable anti-virus technology exists. | Augment | PCI-DSS: Antivirus Information AIE Rule | PCI-DSS: Antivirus Failure Detail | PCI-DSS: AIE Antivirus Activity Summary PCI-DSS: Antivirus Activity Summary PCI-DSS: AIE Antivirus Activity Details PCI-DSS: Antivirus Activity Details |
5.2.b: Examine anti-virus configurations, including the master installation of the software to verify anti-virus mechanisms are: - Configured to perform automatic updates, and - Configured to perform periodic scans. | Augment | PCI-DSS: Antivirus Information AIE Rule | PCI-DSS: Antivirus Failure Detail PCI-DSS: Signature Update Failure Detail | PCI-DSS: AIE Antivirus Activity Summary PCI-DSS: Antivirus Activity Summary PCI-DSS: Signature Update Activity Summary PCI-DSS: AIE Antivirus Activity Details PCI-DSS: Antivirus Activity Details PCI-DSS: Signature Update Activity Details |
5.2.c: Examine a sample of system components, including all operating system types commonly affected by malicious software, to verify that: - The anti-virus software and definitions are current. - Periodic scans are performed. | Augment | PCI-DSS: Antivirus Information AIE Rule | PCI-DSS: Antivirus Failure Detail PCI-DSS: Signature Update Failure Detail | PCI-DSS: AIE Antivirus Activity Summary PCI-DSS: Antivirus Activity Summary PCI-DSS: Signature Update Activity Summary PCI-DSS: AIE Antivirus Activity Details PCI-DSS: Antivirus Activity Details PCI-DSS: Signature Update Activity Details |
5.2.d: Examine anti-virus configurations, including the master installation of the software and a sample of system components, to verify that: - Anti-virus software log generation is enabled, and - Logs are retained in accordance with PCI DSS Requirement 10.7. | Direct | PCI-DSS: Antivirus Information AIE Rule | PCI-DSS: Antivirus Failure Detail PCI-DSS: Malware Detail PCI-DSS: Signature Update Failure Detail | PCI-DSS: AIE Antivirus Activity Summary PCI-DSS: Antivirus Activity Summary PCI-DSS: Signature Update Activity Summary PCI-DSS: AIE Antivirus Activity Details PCI-DSS: Antivirus Activity Details PCI-DSS: Signature Update Activity Details |
6.2.b: For a sample of system components and related software, compare the list of security patches installed on each system to the most recent vendor security-patch list, to verify the following: - That applicable critical vendor-supplied security patches are in | Direct | PCI-DSS: Configuration Change Rule PCI-DSS: Policy Change Rule | PCI-DSS: Software Update Failure Detail PCI-DSS: Signature Update Failure Inv PCI-DSS: Patch Update Failure Inv PCI-DSS: Configuration Change Inv PCI-DSS: Policy Change Inv | PCI-DSS: Software Update Activity Summary PCI-DSS: Signature Update Failure Summary PCI-DSS: Patch Update Failure Summary PCI-DSS: Configuration Change Summary PCI-DSS: Policy Change Summary PCI-DSS: Software Update Activity Details PCI-DSS: Signature Update Failure Detail PCI-DSS: Patch Update Failure Detail PCI-DSS: Configuration Change Detail PCI-DSS: Policy Change Detail |
6.3.a: Examine written software-development processes to verify that the processes are based on industry standards and/or best practices | Augment | N/A | N/A | N/A |
6.3.b: Examine written software-development processes to verify that information security is included throughout the life cycle. | Augment | N/A | N/A | N/A |
6.3.c: Examine written software-development processes to verify that software applications are developed in accordance with PCI DSS. | Augment | N/A | N/A | N/A |
6.3.d: Interview software developers to verify that written software-development processes are implemented. | Augment | N/A | N/A | N/A |
6.4.1.a: Examine network documentation and network device configurations to verify that the development/test environments are separate from the production environment(s). | Augment | PCI-DSS: Denied Test => Internal Comm AIE Rule PCI-DSS: Denied Test => Internet Comm AIE Rule PCI-DSS: Invalid Test => Internal Comm AIE Rule PCI-DSS: Invalid Test => Internet Comm AIE Rule | PCI-DSS: AIE Denied Test => Inet Comm Detail PCI-DSS: AIE Denied Test => Intern Comm Detail PCI-DSS: AIE Invalid Test => Inet Comm Detail PCI-DSS: AIE Invalid Test => Intrn Comm Detail PCI-DSS: Denied Test => Internal Comm Detail PCI-DSS: Denied Test => Internet Comm Detail PCI-DSS: Invalid Test => Internal Comm Detail PCI-DSS: Invalid Test => Internet Comm Detail PCI-DSS: Test Communication Detail | PCI-DSS: AIE Denied Test => Internal Comm Summary PCI-DSS: AIE Denied Test => Internet Comm Summary PCI-DSS: AIE Invalid Test => Internal Comm Summary PCI-DSS: AIE Invalid Test => Internet Comm Summary PCI-DSS: Denied Test => Internal Comm Summary PCI-DSS: Denied Test => Internet Comm Summary PCI-DSS: Invalid Test => Internal Comm Summary PCI-DSS: Invalid Test => Internet Comm Summary PCI-DSS: AIE Denied Test => Internal Comm Details PCI-DSS: AIE Denied Test => Internet Comm Details PCI-DSS: AIE Invalid Test => Internal Comm Details PCI-DSS: AIE Invalid Test => Internet Comm Details PCI-DSS: Denied Test => Internal Comm Details PCI-DSS: Denied Test => Internet Comm Details PCI-DSS: Invalid Test => Internal Comm Details PCI-DSS: Invalid Test => Internet Comm Details |
6.4.1.b: Examine access controls settings to verify that access controls are in place to enforce separation between the development/test environments and the production environment(s). | Augment | PCI-DSS: Denied Test => Internal Comm AIE Rule PCI-DSS: Denied Test => Internet Comm AIE Rule PCI-DSS: Invalid Test => Internal Comm AIE Rule PCI-DSS: Invalid Test => Internet Comm AIE Rule | PCI-DSS: AIE Denied Test => Inet Comm Detail PCI-DSS: AIE Denied Test => Intern Comm Detail PCI-DSS: AIE Invalid Test => Inet Comm Detail PCI-DSS: AIE Invalid Test => Intrn Comm Detail PCI-DSS: Denied Test => Internal Comm Detail PCI-DSS: Denied Test => Internet Comm Detail PCI-DSS: Invalid Test => Internal Comm Detail PCI-DSS: Invalid Test => Internet Comm Detail PCI-DSS: Test Communication Detail | PCI-DSS: AIE Denied Test => Internal Comm Summary PCI-DSS: AIE Denied Test => Internet Comm Summary PCI-DSS: AIE Invalid Test => Internal Comm Summary PCI-DSS: AIE Invalid Test => Internet Comm Summary PCI-DSS: Denied Test => Internal Comm Summary PCI-DSS: Denied Test => Internet Comm Summary PCI-DSS: Invalid Test => Internal Comm Summary PCI-DSS: Invalid Test => Internet Comm Summary PCI-DSS: AIE Denied Test => Internal Comm Details PCI-DSS: AIE Denied Test => Internet Comm Details PCI-DSS: AIE Invalid Test => Internal Comm Details PCI-DSS: AIE Invalid Test => Internet Comm Details PCI-DSS: Denied Test => Internal Comm Details PCI-DSS: Denied Test => Internet Comm Details PCI-DSS: Invalid Test => Internal Comm Details PCI-DSS: Invalid Test => Internet Comm Details |
6.4.2: Observe processes and interview personnel assigned to development/test environments and personnel assigned to production environments to verify that separation of duties is in place between development/test environments and the production environment. | Augment | PCI-DSS: Denied Test => Internal Comm AIE Rule PCI-DSS: Denied Test => Internet Comm AIE Rule PCI-DSS: Invalid Test => Internal Comm AIE Rule PCI-DSS: Invalid Test => Internet Comm AIE Rule | PCI-DSS: AIE Denied Test => Inet Comm Detail PCI-DSS: AIE Denied Test => Intern Comm Detail PCI-DSS: AIE Invalid Test => Inet Comm Detail PCI-DSS: AIE Invalid Test => Intrn Comm Detail PCI-DSS: Denied Test => Internal Comm Detail PCI-DSS: Denied Test => Internet Comm Detail PCI-DSS: Invalid Test => Internal Comm Detail PCI-DSS: Invalid Test => Internet Comm Detail PCI-DSS: Test Communication Detail | PCI-DSS: AIE Denied Test => Internal Comm Summary PCI-DSS: AIE Denied Test => Internet Comm Summary PCI-DSS: AIE Invalid Test => Internal Comm Summary PCI-DSS: AIE Invalid Test => Internet Comm Summary PCI-DSS: Denied Test => Internal Comm Summary PCI-DSS: Denied Test => Internet Comm Summary PCI-DSS: Invalid Test => Internal Comm Summary PCI-DSS: Invalid Test => Internet Comm Summary PCI-DSS: AIE Denied Test => Internal Comm Details PCI-DSS: AIE Denied Test => Internet Comm Details PCI-DSS: AIE Invalid Test => Internal Comm Details PCI-DSS: AIE Invalid Test => Internet Comm Details PCI-DSS: Denied Test => Internal Comm Details PCI-DSS: Denied Test => Internet Comm Details PCI-DSS: Invalid Test => Internal Comm Details PCI-DSS: Invalid Test => Internet Comm Details |
6.4.3.a: Observe testing processes and interview personnel to verify procedures are in place to ensure production data (live PANs) are not used for testing or development. | Augment | N/A | N/A | N/A |
6.4.3.b: Examine a sample of test data to verify production data (live PANs) is not used for testing or development | Augment | N/A | N/A | N/A |
6.4.4.a: Observe testing processes and interview personnel to verify test data and accounts are removed before a production system becomes active. | Augment | N/A | PCI-DSS: Test Data Activity on Prod Systems Inv | N/A |
6.4.4.b: Examine a sample of data and accounts from production systems recently installed or updated to verify test data and accounts are removed before the system becomes active. | Augment | N/A | PCI-DSS: Test Data Activity on Prod Systems Inv | N/A |
6.4.6: For a sample of significant changes, examine change records, interview personnel, and observe the affected systems/networks to verify that applicable PCI DSS requirements were implemented and documentation updated as part of the change. | Augment | PCI-DSS: Change Record Statistics | PCI-DSS: Change Record Statistics Inv | |
6.5.1: Examine software-development policies and procedures and interview responsible personnel to verify that injection flaws are addressed by coding techniques that include: - Validating input to verify user data cannot modify meaning of commands and queries. | Augment | N/A | PCI-DSS: Vulnerability Detail | N/A |
6.5.2: Examine software-development policies and procedures and interview responsible personnel to verify that buffer overflows are addressed by coding techniques that include: - Validating buffer boundaries. - Truncating input strings. | Augment | N/A | PCI-DSS: Vulnerability Detail | N/A |
6.5.4: Examine software-development policies and procedures and interview responsible personnel to verify that insecure communications are addressed by coding techniques that properly authenticate and encrypt all sensitive communications. | Augment | N/A | PCI-DSS: Vulnerability Detail | PCI-DSS: Non-Encrypted Protocol Summary PCI-DSS: Non-Encrypted Protocol Details |
6.5.5: Examine software-development policies and procedures and interview responsible personnel to verify that improper error handling is addressed by coding techniques that do not leak information via error messages (for example, by returning generic rather than | Augment | N/A | PCI-DSS: Vulnerability Detail PCI-DSS: Critical/Error Detail | N/A |
6.5.6: Examine software-development policies and procedures and interview responsible personnel to verify that coding techniques address any “high risk” vulnerabilities that could affect the application, as identified in PCI DSS Requirement 6.1. | Augment | N/A | PCI-DSS: Vulnerability Detail | N/A |
6.5.7: Examine software-development policies and procedures and interview responsible personnel to verify that cross-site scripting (XSS) is addressed by coding techniques that include - Validating all parameters before inclusion - Utilizing context-sensitive esc | Augment | N/A | PCI-DSS: Vulnerability Detail | N/A |
6.5.8: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects with | Augment | N/A | PCI-DSS: Vulnerability Detail | N/A |
6.5.9: Examine software development policies and procedures and interview responsible personnel to verify that cross-site request forgery (CSRF) is addressed by coding techniques that ensure applications do not rely on authorization credentials and tokens automatically | Augment | N/A | PCI-DSS: Vulnerability Detail | N/A |
6.6: For public-facing web applications, ensure that either one of the following methods is in place as follows: -- Examine documented processes, interview personnel, and examine records of application security assessments to verify that public-facing web applications are reviewed, using either manual or automated vulnerability security assessment tools or methods, as follows: - At least annually - After any changes - By an organization that specializes in application security - That, at a minimum, all vulnerabilities in Requirement 6.5 are included in the assessment - That all vulnerabilities are corrected - That the application is re-evaluated after the corrections. -- Examine the system configuration settings and interview responsible personnel to verify that an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) is in place as follows: - Is situated in front of public-facing web applications to detect and prevent web-based attacks. - Is actively running and up to date as applicable. - Is generating audit logs. - Is configured to either block web-based attacks, or generate an alert that is immediately investigated. | Augment | N/A | PCI-DSS: Vulnerability Detail | N/A |
7.1.1: Select a sample of roles and verify access needs for each role are defined and include: - System components and data resources that each role needs to access for their job function - Identification of privilege necessary for each role to perform their job | Augment | N/A | PCI-DSS: Priv Acct Auth Detail PCI-DSS: Application Access Detail | PCI-DSS: Priv Access Granted/Revoked Summary PCI-DSS: Priv Authentication Activity Summary PCI-DSS: AIE Priv Access Granted/Revoked Summary PCI-DSS: Priv Access Granted/Revoked Details PCI-DSS: Priv Authentication Activity Detail PCI-DSS: AIE Priv Access Granted/Revoked Details |
7.1.2.a: Interview personnel responsible for assigning access to verify that access to privileged user IDs is: - Assigned only to roles that specifically require such privileged access - Restricted to least privileges necessary to perform job responsibilities. | Augment | N/A | PCI-DSS: Application Access Detail | PCI-DSS: Access Granted/Revoked Activity Summary PCI-DSS: Account Management Activity Summary PCI-DSS: Priv Access Granted/Revoked Summary PCI-DSS: AIE Priv Access Granted/Revoked Summary PCI-DSS: Priv Account Management Activity Summary PCI-DSS: Access Granted/Revoked Activity Details PCI-DSS: Account Management Activity Details PCI-DSS: AIE Access Granted/Revoked Details PCI-DSS: AIE Priv Access Granted/Revoked Details PCI-DSS: Priv Account Management Activity Details PCI-DSS: Priv Access Granted/Revoked Details |
7.1.2.b: Select a sample of user IDs with privileged access and interview responsible management personnel to verify that privileges assigned are: - Necessary for that individual’s job function - Restricted to least privileges necessary to perform job responsibilit | Augment | N/A | PCI-DSS: Application Access Detail | PCI-DSS: Access Granted/Revoked Activity Summary PCI-DSS: Account Management Activity Summary PCI-DSS: Priv Access Granted/Revoked Summary PCI-DSS: AIE Priv Access Granted/Revoked Summary PCI-DSS: Priv Account Management Activity Summary PCI-DSS: Access Granted/Revoked Activity Details PCI-DSS: Account Management Activity Details PCI-DSS: AIE Access Granted/Revoked Details PCI-DSS: AIE Priv Access Granted/Revoked Details PCI-DSS: Priv Account Management Activity Details PCI-DSS: Priv Access Granted/Revoked Details |
8.1.a: Review procedures and confirm they define processes for each of the items below at 8.1.1 through 8.1.8 | Augment | N/A | N/A | PCI-DSS: Access Granted/Revoked Activity Summary PCI-DSS: Account Management Activity Summary PCI-DSS: AIE Vendor Account Enabled Alert Summary PCI-DSS: Vendor Account Management Summary PCI-DSS: Vendor Access Granted/Revoked Summary PCI-DSS: Database Account Management Summary PCI-DSS: Database Access Granted/Revoked Summary PCI-DSS: Priv Access Granted/Revoked Summary PCI-DSS: AIE Priv Access Granted/Revoked Summary PCI-DSS: Priv Account Management Activity Summary PCI-DSS: Account Management Activity Details PCI-DSS: AIE Access Granted/Revoked Details PCI-DSS: Access Granted/Revoked Activity Details PCI-DSS: Account Management Activity Details PCI-DSS: Vendor Account Management Details PCI-DSS: Vendor Access Granted/Revoked Details PCI-DSS: Database Account Management Details PCI-DSS: Database Access Granted/Revoked Details PCI-DSS: Priv Account Management Activity Details PCI-DSS: Priv Access Granted/Revoked Details PCI-DSS: AIE Priv Access Granted/Revoked Details |
8.1.1: Interview administrative personnel to confirm that all users are assigned a unique ID for access to system components or cardholder data. | Augment | N/A | N/A | PCI-DSS: Access Granted/Revoked Activity Summary PCI-DSS: Account Management Activity Summary PCI-DSS: AIE Vendor Account Enabled Alert Summary PCI-DSS: Vendor Account Management Summary PCI-DSS: Vendor Access Granted/Revoked Summary PCI-DSS: Database Account Management Summary PCI-DSS: Database Access Granted/Revoked Summary PCI-DSS: Priv Access Granted/Revoked Summary PCI-DSS: AIE Priv Access Granted/Revoked Summary PCI-DSS: Priv Account Management Activity Summary PCI-DSS: Account Management Activity Details PCI-DSS: AIE Access Granted/Revoked Details PCI-DSS: Access Granted/Revoked Activity Details PCI-DSS: Account Management Activity Details PCI-DSS: Vendor Account Management Details PCI-DSS: Vendor Access Granted/Revoked Details PCI-DSS: Database Account Management Details PCI-DSS: Database Access Granted/Revoked Details PCI-DSS: Priv Account Management Activity Details PCI-DSS: Priv Access Granted/Revoked Details PCI-DSS: AIE Priv Access Granted/Revoked Details |
8.1.2: For a sample of privileged user IDs and general user IDs, examine associated authorizations and observe system settings to verify each user ID and privileged user ID has been implemented with only the privileges specified on the documented approval. | Augment | N/A | N/A | PCI-DSS: Access Granted/Revoked Activity Summary PCI-DSS: Account Management Activity Summary PCI-DSS: AIE Vendor Account Enabled Alert Summary PCI-DSS: Vendor Account Management Summary PCI-DSS: Vendor Access Granted/Revoked Summary PCI-DSS: Database Account Management Summary PCI-DSS: Database Access Granted/Revoked Summary PCI-DSS: Priv Access Granted/Revoked Summary PCI-DSS: AIE Priv Access Granted/Revoked Summary PCI-DSS: Priv Account Management Activity Summary PCI-DSS: Account Management Activity Details PCI-DSS: AIE Access Granted/Revoked Details PCI-DSS: Access Granted/Revoked Activity Details PCI-DSS: Account Management Activity Details PCI-DSS: Vendor Account Management Details PCI-DSS: Vendor Access Granted/Revoked Details PCI-DSS: Database Account Management Details PCI-DSS: Database Access Granted/Revoked Details PCI-DSS: Priv Account Management Activity Details PCI-DSS: Priv Access Granted/Revoked Details PCI-DSS: AIE Priv Access Granted/Revoked Details |
8.1.3.a: Select a sample of users terminated in the past six months, and review current user access lists—for both local and remote access—to verify that their IDs have been deactivated or removed from the access lists. | Augment | PCI-DSS: Account Disabled/Locked AIE Rule PCI-DSS: Invalid Account Usage AIE Rule | PCI-DSS: Account Termination Detail PCI-DSS: AIE Invalid Account Usage Detail PCI-DSS: Invalid Account Usage Detail PCI-DSS: Account Disable/Locked Detail PCI-DSS: AIE Account Disable/Locked Detail | PCI-DSS: Access Granted/Revoked Activity Summary PCI-DSS: Account Management Activity Summary PCI-DSS: AIE Invalid Account Usage Summary PCI-DSS: Invalid Account Usage Summary PCI-DSS: AIE Vendor Account Enabled Alert Summary PCI-DSS: Vendor Account Management Summary PCI-DSS: Vendor Access Granted/Revoked Summary PCI-DSS: Database Account Management Summary PCI-DSS: Database Access Granted/Revoked Summary PCI-DSS: Priv Access Granted/Revoked Summary PCI-DSS: AIE Priv Access Granted/Revoked Summary PCI-DSS: Priv Account Management Activity Summary PCI-DSS: Access Granted/Revoked Activity Details PCI-DSS: AIE Access Granted/Revoked Details PCI-DSS: Account Management Activity Details PCI-DSS: AIE Invalid Account Usage Details PCI-DSS: Invalid Account Usage Details PCI-DSS: Vendor Account Management Details PCI-DSS: Vendor Access Granted/Revoked Details PCI-DSS: Database Account Management Details PCI-DSS: Database Access Granted/Revoked Details PCI-DSS: Priv Account Management Activity Details PCI-DSS: Priv Access Granted/Revoked Details PCI-DSS: AIE Priv Access Granted/Revoked Details |
8.1.3.b: Verify all physical authentication methods— such as, smart cards, tokens, etc.—have been returned or deactivated. | Augment | PCI-DSS: Physical Access Usage AIE Rule | PCI-DSS: Physical Access Failure Detail | PCI-DSS: AIE Physical Security Auth Summary PCI-DSS: Physical Security Auth Activity Summary PCI-DSS: AIE Physical Security Auth Details PCI-DSS: Physical Security Auth Activity Details |
8.1.4: Observe user accounts to verify that any inactive accounts over 90 days old are either removed or disabled. | Augment | PCI-DSS: Account Disabled/Locked AIE Rule PCI-DSS: Invalid Account Usage AIE Rule | PCI-DSS: AIE Invalid Account Usage Detail PCI-DSS: Invalid Account Usage Detail PCI-DSS: Account Disable/Locked Detail PCI-DSS: AIE Account Disable/Locked Detail | PCI-DSS: Access Granted/Revoked Activity Summary PCI-DSS: Account Management Activity Summary PCI-DSS: AIE Invalid Account Usage Summary PCI-DSS: Invalid Account Usage Summary PCI-DSS: AIE Vendor Account Enabled Alert Summary PCI-DSS: Vendor Account Management Summary PCI-DSS: Vendor Access Granted/Revoked Summary PCI-DSS: Database Account Management Summary PCI-DSS: Database Access Granted/Revoked Summary PCI-DSS: Priv Access Granted/Revoked Summary PCI-DSS: AIE Priv Access Granted/Revoked Summary PCI-DSS: Priv Account Management Activity Summary PCI-DSS: Access Granted/Revoked Activity Details PCI-DSS: AIE Access Granted/Revoked Details PCI-DSS: Account Management Activity Details PCI-DSS: AIE Invalid Account Usage Details PCI-DSS: Invalid Account Usage Details PCI-DSS: Vendor Account Management Details PCI-DSS: Vendor Access Granted/Revoked Details PCI-DSS: Database Account Management Details PCI-DSS: Database Access Granted/Revoked Details PCI-DSS: Priv Account Management Activity Details PCI-DSS: Priv Access Granted/Revoked Details PCI-DSS: AIE Priv Access Granted/Revoked Details |
8.1.5.a: Interview personnel and observe processes for managing accounts used by vendors to access, support, or maintain system components to verify that accounts used by vendors for remote access are: - Disabled when not in use - Enabled only when needed by the vendor | Augment | PCI-DSS: Vendor Auth Activity AIE Rule | PCI-DSS: AIE Vendor Access Detail PCI-DSS: Vendor Access Detail PCI-DSS: Vendor Account Enabled Detail PCI-DSS: Vendor Authentication Detail | PCI-DSS: AIE Vendor Account Enabled Alert Summary PCI-DSS: AIE Vendor Authentication Summary PCI-DSS: Vendor Account Management Summary PCI-DSS: Vendor Authentication Summary PCI-DSS: Vendor Access Failure Summary PCI-DSS: Vendor Access Granted/Revoked Summary PCI-DSS: AIE Vendor Authentication Details PCI-DSS: Vendor Account Management Details PCI-DSS: Vendor Access Granted/Revoked Details PCI-DSS: Vendor Authentication Details PCI-DSS: Vendor Access Failure Detail |
8.1.5.b: Interview personnel and observe processes to verify that vendor remote access accounts are monitored while being used. | Augment | PCI-DSS: Vendor Auth Activity AIE Rule | PCI-DSS: AIE Vendor Access Detail PCI-DSS: Vendor Access Detail PCI-DSS: Vendor Account Enabled Detail PCI-DSS: Vendor Authentication Detail | PCI-DSS: AIE Vendor Account Enabled Alert Summary PCI-DSS: AIE Vendor Authentication Summary PCI-DSS: Vendor Account Management Summary PCI-DSS: Vendor Authentication Summary PCI-DSS: Vendor Access Granted/Revoked Summary PCI-DSS: Vendor Access Failure Summary PCI-DSS: AIE Access Granted/Revoked Details PCI-DSS: AIE Vendor Authentication Details PCI-DSS: Vendor Account Management Details PCI-DSS: Vendor Access Granted/Revoked Details PCI-DSS: Vendor Authentication Details PCI-DSS: Access Granted/Revoked Activity Details PCI-DSS: Vendor Access Failure Detail |
8.1.6.a: For a sample of system components, inspect system configuration settings to verify that authentication parameters are set to require that user accounts be locked out after not more than six invalid logon attempts. | Augment | PCI-DSS: Account Disabled/Locked AIE Rule | PCI-DSS: Configuration/Policy Change Detail PCI-DSS: Account Disable/Locked Detail PCI-DSS: AIE Account Disable/Locked Detail | PCI-DSS: Configuration/Policy Change Summary PCI-DSS: Access Granted/Revoked Activity Summary PCI-DSS: Priv Access Granted/Revoked Summary PCI-DSS: AIE Priv Access Granted/Revoked Summary PCI-DSS: Vendor Access Granted/Revoked Summary PCI-DSS: Database Access Granted/Revoked Summary PCI-DSS: Access Granted/Revoked Activity Details PCI-DSS: Configuration/Policy Change Details PCI-DSS: AIE Access Granted/Revoked Details PCI-DSS: Priv Access Granted/Revoked Details PCI-DSS: AIE Priv Access Granted/Revoked Details PCI-DSS: Vendor Access Granted/Revoked Details PCI-DSS: Database Access Granted/Revoked Summary |
8.1.6.b: Additional testing procedure for service provider assessments only: Review internal processes and customer/user documentation, and observe implemented processes to verify that non-consumer customer user accounts are temporarily locked-out after not more th | Augment | PCI-DSS: Vendor Auth Activity AIE Rule PCI-DSS: Account Disabled/Locked AIE Rule | PCI-DSS: AIE Vendor Access Detail PCI-DSS: Vendor Authentication Detail PCI-DSS: Vendor Access Detail PCI-DSS: Vendor Account Enabled Detail PCI-DSS: Configuration/Policy Change Detail PCI-DSS: Account Disable/Locked Detail PCI-DSS: AIE Account Disable/Locked Detail | PCI-DSS: AIE Vendor Account Enabled Alert Summary PCI-DSS: AIE Vendor Authentication Summary PCI-DSS: Vendor Access Failure Summary PCI-DSS: Vendor Account Management Summary PCI-DSS: Vendor Authentication Summary PCI-DSS: Configuration/Policy Change Summary PCI-DSS: Vendor Access Granted/Revoked Activity Summary PCI-DSS: AIE Vendor Authentication Details PCI-DSS: Vendor Account Management Details PCI-DSS: Vendor Access Granted/Revoked Details PCI-DSS: Vendor Authentication Details PCI-DSS: Vendor Access Failure Detail PCI-DSS: Access Granted/Revoked Activity Details PCI-DSS: AIE Access Granted/Revoked Details PCI-DSS: Configuration/Policy Change Details |
8.1.7: For a sample of system components, inspect system configuration settings to verify that password parameters are set to require that once a user account is locked out, it remains locked for a minimum of 30 minutes or until a system administrator resets the | Augment | PCI-DSS: Account Disabled/Locked AIE Rule | PCI-DSS: Account Disable/Locked Detail PCI-DSS: AIE Account Disable/Locked Detail | PCI-DSS: Access Granted/Revoked Activity Summary PCI-DSS: Priv Access Granted/Revoked Summary PCI-DSS: AIE Priv Access Granted/Revoked Summary PCI-DSS: Vendor Access Granted/Revoked Activity Summary PCI-DSS: Database Access Granted/Revoked Summary PCI-DSS: Access Granted/Revoked Activity Details PCI-DSS: AIE Access Granted/Revoked Details |
8.2.5.a: For a sample of system components, obtain and inspect system configuration settings to verify that password parameters are set to require that new passwords cannot be the same as the four previously used passwords. | Augment | N/A | N/A | PCI-DSS: Access Granted/Revoked Activity Summary PCI-DSS: Account Management Activity Summary PCI-DSS: AIE Invalid Account Usage Summary PCI-DSS: Invalid Account Usage Summary PCI-DSS: AIE Vendor Account Enabled Alert Summary PCI-DSS: Vendor Account Management Summary PCI-DSS: Vendor Access Granted/Revoked Summary PCI-DSS: Database Account Management Summary PCI-DSS: Database Access Granted/Revoked Summary PCI-DSS: AIE Priv Access Granted/Revoked Summary PCI-DSS: Priv Account Management Activity Summary PCI-DSS: Access Granted/Revoked Activity Details PCI-DSS: AIE Access Granted/Revoked Details PCI-DSS: Account Management Activity Details PCI-DSS: AIE Invalid Account Usage Details PCI-DSS: Invalid Account Usage Details PCI-DSS: Vendor Account Management Details PCI-DSS: Vendor Access Granted/Revoked Details PCI-DSS: Database Account Management Details PCI-DSS: Database Access Granted/Revoked Details PCI-DSS: Priv Account Management Activity Details PCI-DSS: Priv Access Granted/Revoked Details PCI-DSS: AIE Priv Access Granted/Revoked Details |
8.2.5.b: Additional testing procedure for service provider assessments only: Review internal processes and customer/user documentation to verify that new non-consumer customer user passwords cannot be the same as the previous four passwords. | Augment | N/A | N/A | PCI-DSS: Access Granted/Revoked Activity Summary PCI-DSS: Account Management Activity Summary PCI-DSS: AIE Invalid Account Usage Summary PCI-DSS: Invalid Account Usage Summary PCI-DSS: AIE Vendor Account Enabled Alert Summary PCI-DSS: Vendor Access Granted/Revoked Summary PCI-DSS: Vendor Account Management Summary PCI-DSS: Database Account Management Summary PCI-DSS: Database Access Granted/Revoked Summary PCI-DSS: Priv Access Granted/Revoked Summary PCI-DSS: AIE Priv Access Granted/Revoked Summary PCI-DSS: Priv Account Management Activity Summary PCI-DSS: Access Granted/Revoked Activity Details PCI-DSS: AIE Access Granted/Revoked Details PCI-DSS: Account Management Activity Details PCI-DSS: AIE Invalid Account Usage Details PCI-DSS: Invalid Account Usage Details PCI-DSS: Vendor Account Management Details PCI-DSS: Vendor Access Granted/Revoked Details PCI-DSS: Database Account Management Details PCI-DSS: Database Access Granted/Revoked Details PCI-DSS: Priv Account Management Activity Details PCI-DSS: Priv Access Granted/Revoked Details PCI-DSS: AIE Priv Access Granted/Revoked Details |
8.3.1.b: Observe a sample of administrator personnel login to the CDE and verify that at least two of the three authentication methods are used. | Augment | PCI-DSS: Personel Login Authentication Method Event | PCI-DSS: Personel Login Authentication Method Inv | |
8.5.c: Interview system administrators to verify that group and shared IDs and/or passwords or other authentication methods are not distributed, even if requested. | Augment | PCI-DSS: Invalid Account Usage AIE Rule | PCI-DSS: Account Termination Detail PCI-DSS: AIE Invalid Account Usage Detail PCI-DSS: Invalid Account Usage Detail | PCI-DSS: Access Granted/Revoked Activity Summary PCI-DSS: Account Management Activity Summary PCI-DSS: AIE Invalid Account Usage Summary PCI-DSS: Invalid Account Usage Summary PCI-DSS: AIE Vendor Account Enabled Alert Summary PCI-DSS: Vendor Account Management Summary PCI-DSS: Vendor Access Granted/Revoked Summary PCI-DSS: Database Account Management Summary PCI-DSS: Database Access Granted/Revoked Summary PCI-DSS: Priv Access Granted/Revoked Summary PCI-DSS: AIE Priv Access Granted/Revoked Summary PCI-DSS: Priv Account Management Activity Summary PCI-DSS: Access Granted/Revoked Activity Details PCI-DSS: AIE Access Granted/Revoked Details PCI-DSS: Account Management Activity Details PCI-DSS: AIE Invalid Account Usage Details PCI-DSS: Invalid Account Usage Details PCI-DSS: Vendor Account Management Details PCI-DSS: Vendor Access Granted/Revoked Details PCI-DSS: Database Account Management Details PCI-DSS: Database Access Granted/Revoked Details PCI-DSS: Priv Account Management Activity Details PCI-DSS: Priv Access Granted/Revoked Details PCI-DSS: AIE Priv Access Granted/Revoked Details |
8.7.a: Review database and application configuration settings and verify that all users are authenticated prior to access. | Augment | PCI-DSS: Database Authentication AIE Rule | PCI-DSS: AIE Database Authentication Detail AIE PCI-DSS: Database Authentication Detail PCI-DSS: Database Access Detail | PCI-DSS: AIE Database Authentication Summary PCI-DSS: Database Account Management Summary PCI-DSS: Database Authentication Activity Summary PCI-DSS: Database Access Failure Summary PCI-DSS: Database Access Granted/Revoked Summary PCI-DSS: AIE Database Authentication Details PCI-DSS: Database Account Management Details PCI-DSS: Database Authentication Activity Details PCI-DSS: Database Access Failure Detail PCI-DSS: Database Access Granted/Revoked Detail |
8.7.c: Examine database access control settings and database application configuration settings to verify that user direct access to or queries of databases are restricted to database administrators. | Augment | PCI-DSS: Database Authentication AIE Rule | PCI-DSS: AIE Database Authentication Detail AIE PCI-DSS: Database Authentication Detail PCI-DSS: Database Access Detail | PCI-DSS: AIE Database Authentication Summary PCI-DSS: Database Account Management Summary PCI-DSS: Database Authentication Activity Summary PCI-DSS: Database Access Failure Summary PCI-DSS: Database Access Granted/Revoked Summary PCI-DSS: AIE Database Authentication Details PCI-DSS: Database Account Management Details PCI-DSS: Database Authentication Activity Details PCI-DSS: Database Access Granted/Revoked Detail PCI-DSS: Database Access Failure Detail |
8.7.d: Examine database access control settings, database application configuration settings, and the related application IDs to verify that application IDs can only be used by the applications (and not by individual users or other processes). | Augment | PCI-DSS: Database Authentication AIE Rule | PCI-DSS: AIE Database Authentication Detail AIE PCI-DSS: Database Authentication Detail PCI-DSS: Database Access Detail | PCI-DSS: AIE Database Authentication Summary PCI-DSS: Database Account Management Summary PCI-DSS: Database Authentication Activity Summary PCI-DSS: Database Access Failure Summary PCI-DSS: Database Access Granted/Revoked Summary PCI-DSS: AIE Database Authentication Details PCI-DSS: Database Account Management Details PCI-DSS: Database Authentication Activity Details PCI-DSS: Database Access Failure Detail PCI-DSS: Database Access Granted/Revoked Detail |
9.1: Verify the existence of physical security controls for each computer room, data center, and other physical areas with systems in the cardholder data environment. - Verify that access is controlled with badge readers or other devices including authorized badges | Augment | PCI-DSS: Physical Access Usage AIE Rule | PCI-DSS: Physical Access Failure Detail | PCI-DSS: AIE Physical Security Auth Summary PCI-DSS: Physical Security Auth Activity Summary PCI-DSS: AIE Physical Security Auth Details PCI-DSS: Physical Security Auth Activity Details |
9.1.1.a: Verify that either video cameras or access control mechanisms (or both) are in place to monitor the entry/exit points to sensitive areas. | Augment | PCI-DSS: Physical Access Usage AIE Rule | PCI-DSS: Physical Access Failure Detail | PCI-DSS: AIE Physical Security Auth Summary PCI-DSS: Physical Security Auth Activity Summary PCI-DSS: AIE Physical Security Auth Details PCI-DSS: Physical Security Auth Activity Details |
9.1.2: Interview responsible personnel and observe locations of publicly accessible network jacks to verify that physical and/or logical controls are in place to restrict access to publicly accessible network jacks | Augment | PCI-DSS: Physical Access Usage AIE Rule | PCI-DSS: Physical Access Failure Detail | PCI-DSS: AIE Physical Security Auth Summary PCI-DSS: Physical Security Auth Activity Summary PCI-DSS: AIE Physical Security Auth Details PCI-DSS: Physical Security Auth Activity Details |
9.3.c: Select a sample of recently terminated employees and review access control lists to verify the personnel do not have physical access to sensitive areas. | Augment | PCI-DSS: Physical Access Usage AIE Rule | PCI-DSS: Physical Access Failure Detail | PCI-DSS: AIE Physical Security Auth Summary PCI-DSS: Physical Security Auth Activity Summary PCI-DSS: AIE Physical Security Auth Details PCI-DSS: Physical Security Auth Activity Details |
9.7.1: Review media inventory logs to verify that logs are maintained and media inventories are performed at least annually. | Augment | PCI-DSS: Backup Information AIE Rule | PCI-DSS: Backup Failure Detail | PCI-DSS: AIE Backup Activity Summary PCI-DSS: Backup Activity Summary PCI-DSS: AIE Backup Activity Details PCI-DSS: Backup Activity Details |
9.9: Examine documented policies and procedures to verify they include: - Maintaining a list of devices - Periodically inspecting devices to look for tampering or substitution - Training personnel to be aware of suspicious behavior and to report tampering or su | Augment | N/A | N/A | N/A |
9.9.2.b: Interview responsible personnel and observe inspection processes to verify: - Personnel are aware of procedures for inspecting devices. - All devices are periodically inspected for evidence of tampering and substitution. | Augment | N/A | N/A | N/A |
10.1: Verify, through observation and interviewing the system administrator, that: - Audit trails are enabled and active for system components. - Access to system components is linked to individual users. | Direct | N/A | PCI-DSS: Priv Acct Auth Detail PCI-DSS: Priv Access Activity Details | PCI-DSS: Priv Access Granted/Revoked Summary PCI-DSS: Priv Authentication Activity Summary PCI-DSS: AIE Priv Access Granted/Revoked Summary PCI-DSS: Priv Account Management Activity Summary PCI-DSS: Priv Account Management Activity Details PCI-DSS: AIE Priv Access Granted/Revoked Details PCI-DSS: Priv Access Granted/Revoked Details PCI-DSS: Priv Authentication Activity Detail PCI-DSS: Priv Access Failure Detail |
10.2: Through interviews of responsible personnel, observation of audit logs, and examination of audit log settings, perform the following: | Direct | N/A | N/A | N/A |
10.2.1: All individual user accesses to cardholder data | Direct | PCI-DSS: Invalid Account Usage AIE Rule PCI-DSS: Database Authentication AIE Rule PCI-DSS: Vendor Auth Activity AIE Rule | PCI-DSS: Authentication Failure Detail PCI-DSS: Access Failure Detail PCI-DSS: Vendor Authentication Detail PCI-DSS: Vendor Access Detail PCI-DSS: Database Authentication Detail PCI-DSS: Database Access Detail PCI-DSS: Priv Acct Auth Detail PCI-DSS: Priv Access Activity Details | PCI-DSS: Authentication Failure Summary PCI-DSS: Access Failure Summary PCI-DSS: Vendor Access Failure Summary PCI-DSS: Vendor Authentication Summary PCI-DSS: AIE Vendor Authentication Summary PCI-DSS: AIE Invalid Account Usage Summary PCI-DSS: Invalid Account Usage Summary PCI-DSS: Priv Authentication Activity Summary PCI-DSS: AIE Database Authentication Summary PCI-DSS: Database Authentication Activity Summary PCI-DSS: Database Access Failure Summary PCI-DSS: Authentication Failure Detail (Do not include accounts on Priv or Vendor List or log source = DB; apply to critical environments) PCI-DSS: Access Failure Detail (Do not include accounts on Priv or Vendor List or log source = DB; apply to critical environments) PCI-DSS: Vendor Authentication Details PCI-DSS: Vendor Access Failure Detail PCI-DSS: AIE Invalid Account Usage Detail PCI-DSS: Invalid Account Usage Detail PCI-DSS: Priv Authentication Activity Detail PCI-DSS: Priv Access Failure Detail PCI-DSS: Database Authentication Activity Detail PCI-DSS: Database Access Failure Detail |
10.2.2: Verify all actions taken by any individual with root or administrative privileges are logged. | Direct | N/A | PCI-DSS: Configuration/Policy Change Detail PCI-DSS: Priv Acct Auth Detail PCI-DSS: Priv Access Activity Details | PCI-DSS: Access Granted/Revoked Activity Summary PCI-DSS: Account Management Activity Summary PCI-DSS: Configuration/Policy Change Summary PCI-DSS: Priv Authentication Activity Summary PCI-DSS: Priv Access Failure Summary PCI-DSS: Priv Access Granted/Revoked Summary PCI-DSS: AIE Priv Access Granted/Revoked Summary PCI-DSS: Priv Account Management Activity Summary PCI-DSS: AIE Invalid Account Usage Summary PCI-DSS: Invalid Account Usage Summary PCI-DSS: Access Granted/Revoked Activity Details PCI-DSS: AIE Access Granted/Revoked Details PCI-DSS: Account Management Activity Details PCI-DSS: Configuration/Policy Change Details PCI-DSS: Priv Access Granted/Revoked Detail PCI-DSS: Priv Authentication Activity Detail PCI-DSS: Priv Access Failure Detail |
10.2.3: Verify access to all audit trails is logged. | Augment | N/A | N/A | PCI-DSS: LogRhythm Usage Auditing Summary PCI-DSS: LogRhythm Usage Auditing by Date Details PCI-DSS: LogRhythm Usage Auditing by User Details |
10.2.4: Verify invalid logical access attempts are logged. | Direct | PCI-DSS: Invalid Account Usage AIE Rule PCI-DSS: Database Authentication AIE Rule PCI-DSS: Vendor Auth Activity AIE Rule | PCI-DSS: Authentication Failure Detail PCI-DSS: Access Failure Detail PCI-DSS: Vendor Authentication Detail PCI-DSS: Vendor Access Detail PCI-DSS: Database Authentication Detail PCI-DSS: Database Access Detail PCI-DSS: Priv Acct Auth Detail PCI-DSS: Priv Access Activity Details PCI-DSS: Audit Exception Detail | PCI-DSS: Authentication Failure Summary PCI-DSS: Access Failure Summary PCI-DSS: Vendor Access Failure Summary PCI-DSS: Vendor Authentication Summary PCI-DSS: AIE Vendor Authentication Summary PCI-DSS: AIE Invalid Account Usage Summary PCI-DSS: Invalid Account Usage Summary PCI-DSS: Priv Authentication Activity Summary PCI-DSS: AIE Database Authentication Summary PCI-DSS: Database Authentication Activity Summary PCI-DSS: Database Access Failure Summary PCI-DSS: Authentication Failure Detail (Do not include accounts on Priv or Vendor List or log source = DB; apply to critical environments) PCI-DSS: Access Failure Detail (Do not include accounts on Priv or Vendor List or log source = DB; apply to critical environments) PCI-DSS: Vendor Authentication Details PCI-DSS: Vendor Access Failure Detail PCI-DSS: AIE Invalid Account Usage Detail PCI-DSS: Invalid Account Usage Detail PCI-DSS: Priv Authentication Activity Detail PCI-DSS: Priv Access Failure Detail PCI-DSS: Database Authentication Activity Detail PCI-DSS: Database Access Failure Detail |
10.2.5.a: Verify use of identification and authentication mechanisms is logged. | Direct | N/A | PCI-DSS: Priv Acct Auth Detail PCI-DSS: Priv Access Activity Details | PCI-DSS: Priv Access Granted/Revoked Summary PCI-DSS: User Priv Escalation (SU & SUDO) Summary PCI-DSS: User Priv Escalation (Windows) Summary PCI-DSS: Priv Authentication Activity Summary PCI-DSS: Priv Access Failure Summary PCI-DSS: AIE Priv Access Granted/Revoked Summary PCI-DSS: Priv Account Management Activity Summary PCI-DSS: Priv Access Granted/Revoked Details PCI-DSS: Priv Authentication Activity Detail PCI-DSS: Priv Access Failure Detail |
10.2.5.b: Verify all elevation of privileges is logged. | Direct | N/A | N/A | PCI-DSS: Priv Access Granted/Revoked Summary PCI-DSS: User Priv Escalation (SU & SUDO) Summary PCI-DSS: User Priv Escalation (Windows) Summary PCI-DSS: Priv Authentication Activity Summary PCI-DSS: Priv Access Failure Summary PCI-DSS: AIE Priv Access Granted/Revoked Summary PCI-DSS: Priv Account Management Activity Summary PCI-DSS: Priv Access Granted/Revoked Details PCI-DSS: Priv Authentication Activity Detail PCI-DSS: Priv Access Failure Detail |
10.2.5.c: Verify all changes, additions, or deletions to any account with root or administrative privileges are logged. | Direct | N/A | N/A | PCI-DSS: Priv Access Granted/Revoked Summary PCI-DSS: User Priv Escalation (SU & SUDO) Summary PCI-DSS: User Priv Escalation (Windows) Summary PCI-DSS: Priv Authentication Activity Summary PCI-DSS: Priv Access Failure Summary PCI-DSS: AIE Priv Access Granted/Revoked Summary PCI-DSS: Priv Account Management Activity Summary PCI-DSS: Priv Access Granted/Revoked Details PCI-DSS: Priv Authentication Activity Detail PCI-DSS: Priv Access Failure Detail |
10.2.6: Verify the following are logged: - Initialization of audit logs - Stopping or pausing of audit logs. | Augment | N/A | PCI-DSS: Audit Log Detail | PCI-DSS: Audit Log Summary PCI-DSS: Audit Log Details |
10.2.7: Verify creation and deletion of system level objects are logged. | Augment | PCI-DSS: FIM Add Activity AIE Rule PCI-DSS: FIM Delete Activity AIE Rule | PCI-DSS: AIE FIM ADD/Delete/Mod Activity Detail PCI-DSS: AIE FIM Permission Change Detail PCI-DSS: FIM Activity Detail PCI-DSS: FIM ADD/Delete/Mod Activity Detail PCI-DSS: FIM Permission Change Detail PCI-DSS: Object Disposal Failure Detail | PCI-DSS: AIE FIM Activity Summary PCI-DSS: FIM Activity Summary PCI-DSS: Object Creation/Disposal Activity Summary PCI-DSS: AIE FIM Activity Details PCI-DSS: FIM Activity Details PCI-DSS: Object Creation/Disposal Activity Details |
10.3: Through interviews and observation of audit logs, for each auditable event (from 10.2), perform the following: | Direct | N/A | N/A | N/A |
10.3.1: Verify user identification is included in log entries. | Direct | N/A | N/A | N/A |
10.3.2: Verify type of event is included in log entries. | Direct | N/A | N/A | N/A |
10.3.3: Verify date and time stamp is included in log entries. | Direct | N/A | N/A | N/A |
10.3.4: Verify success or failure indication is included in log entries. | Direct | N/A | N/A | N/A |
10.3.5: Verify origination of event is included in log entries. | Direct | N/A | N/A | N/A |
10.3.6: Verify identity or name of affected data, system component, or resources is included in log entries. | Direct | N/A | N/A | N/A |
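The audit-trail rows above (8.1.6.a lockout after no more than six invalid attempts, 10.2.4 logging of invalid access attempts, and the six log-entry fields in 10.3.1 through 10.3.6) can be checked mechanically against an exported log rather than only by interview and observation. The script below is an added example written for this page; it is not LogRhythm code and not part of the PCI-DSS module. It runs over a constructed JSON-lines sample with assumed field names (user, event, time, outcome, origin, target) and assumed hosts and users, and reports entries missing any 10.3 field, entries that cannot be parsed at all, and accounts that kept accepting failed logons past the six-attempt limit without a lockout event being recorded.

```python
import json
from datetime import datetime

# One entry per PCI DSS 10.3 sub-requirement; every audit record must carry
# all six. Field names are an assumption for this example, not a LogRhythm schema.
REQUIRED_FIELDS = {
    "user": "10.3.1 user identification",
    "event": "10.3.2 type of event",
    "time": "10.3.3 date and time stamp",
    "outcome": "10.3.4 success or failure indication",
    "origin": "10.3.5 origination of event",
    "target": "10.3.6 affected data, component or resource",
}

# 8.1.6: lock the account after not more than six invalid logon attempts.
LOCKOUT_THRESHOLD = 6


def _rec(time, **fields):
    """Build one JSON-lines record (used only to construct the sample below)."""
    return json.dumps({"time": time, **fields})


# Constructed sample log, not real telemetry. Hosts and users are hypothetical.
SAMPLE_LINES = (
    # alice: seven failures in a row, then a success -> lockout never fired
    [_rec(f"2024-03-01T09:00:{s:02d}Z", user="alice", event="logon",
          outcome="failure", origin="10.1.5.23", target="pos-db-01") for s in range(7)]
    + [_rec("2024-03-01T09:00:07Z", user="alice", event="logon",
            outcome="success", origin="10.1.5.23", target="pos-db-01")]
    # bob: six failures followed by a lockout event -> compliant behaviour
    + [_rec(f"2024-03-01T09:01:{s:02d}Z", user="bob", event="logon",
            outcome="failure", origin="10.1.5.40", target="pos-db-01") for s in range(6)]
    + [_rec("2024-03-01T09:01:06Z", user="bob", event="lockout",
            outcome="success", origin="pos-db-01", target="bob")]
    # records that fail 10.3: no user id, no outcome, unparseable timestamp, not JSON
    + [_rec("2024-03-01T09:02:00Z", event="logon", outcome="success",
            origin="10.1.5.9", target="pos-db-01"),
       _rec("2024-03-01T09:03:00Z", user="carol", event="config_change",
            origin="10.1.5.7", target="fw-01"),
       _rec("yesterday", user="dave", event="logon", outcome="success",
            origin="10.1.5.8", target="pos-db-01"),
       "this line is not JSON"]
)
SAMPLE_LOG = "\n".join(SAMPLE_LINES) + "\n"


def parse_time(value):
    """Accept an ISO 8601 timestamp with an explicit zone; return None otherwise."""
    if not isinstance(value, str):
        return None
    try:
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return dt if dt.tzinfo is not None else None


def check_fields(rec):
    """Return the 10.3 sub-requirements that one parsed record fails."""
    failed = [req for key, req in REQUIRED_FIELDS.items() if rec.get(key) in (None, "")]
    if rec.get("time") not in (None, "") and parse_time(rec["time"]) is None:
        failed.append(REQUIRED_FIELDS["time"] + " (unparseable or no timezone)")
    if rec.get("outcome") not in (None, "", "success", "failure"):
        failed.append(REQUIRED_FIELDS["outcome"] + " (not success/failure)")
    return failed


def audit(text):
    """Walk a JSON-lines audit log and return three findings:
    incomplete:       {line_no: [failed 10.3 sub-requirements]}
    unparseable:      [line_no] lines that cannot be reviewed at all
    lockout_failures: {user: longest failure streak} for accounts that were
                      still accepting logon attempts beyond LOCKOUT_THRESHOLD
                      with no lockout event in between (8.1.6 not enforced)
    """
    incomplete, unparseable, streak, over = {}, [], {}, {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            if not isinstance(rec, dict):
                raise ValueError("record is not a JSON object")
        except ValueError:  # json.JSONDecodeError is a ValueError subclass
            unparseable.append(n)
            continue
        failed = check_fields(rec)
        if failed:
            incomplete[n] = failed
        user = rec.get("user")
        if not user:
            continue  # cannot attribute the attempt to an account
        if rec.get("event") == "lockout":
            streak[user] = 0
        elif rec.get("event") == "logon":
            if rec.get("outcome") == "failure":
                streak[user] = streak.get(user, 0) + 1
                if streak[user] > LOCKOUT_THRESHOLD:
                    over[user] = max(over.get(user, 0), streak[user])
            else:
                streak[user] = 0  # a success (or any non-failure) ends the run
    return {"incomplete": incomplete, "unparseable": unparseable, "lockout_failures": over}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(key, value)
```

The lockout check deliberately looks for a seventh attempt being accepted rather than for six failures, because six failures followed by a lockout event is the compliant case; only an attempt beyond the threshold with no intervening lockout record is evidence that the 8.1.6 setting is not in effect on that component.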
10.4: Examine configuration standards and processes to verify that time-synchronization technology is implemented and kept current per PCI DSS Requirements 6.1 and 6.2. | Direct | N/A | N/A | N/A |
10.4.1.a: Examine the process for acquiring, distributing and storing the correct time within the organization to verify that: - Only the designated central time server(s) receives time signals from external sources, and time signals from external sources are based | Direct | N/A | PCI-DSS: Configuration/Policy Change Detail | PCI-DSS: Configuration/Policy Change Summary PCI-DSS: Configuration/Policy Change Details |
10.4.2.b: Examine system configurations, time synchronization settings and logs, and processes to verify that any changes to time settings on critical systems are logged, monitored, and reviewed. | Augment | N/A | N/A | PCI-DSS: Time Sync Errors Summary |
10.5: Interview system administrators and examine system configurations and permissions to verify that audit trails are secured so that they cannot be altered as follows: | Direct | N/A | N/A | N/A |
10.5.1: Only individuals who have a job-related need can view audit trail files. | Direct | N/A | N/A | N/A |
10.5.2: Current audit trail files are protected from unauthorized modifications via access control mechanisms, physical segregation, and/or network segregation. | Direct | N/A | N/A | N/A |
10.5.3: Current audit trail files are promptly backed up to a centralized log server or media that is difficult to alter. | Direct | N/A | N/A | N/A |
10.5.4: Verify that logs for external-facing technologies (for example, wireless, firewalls, DNS, mail) are offloaded or copied onto a secure centralized internal log server or media. | Direct | N/A | N/A | PCI-DSS: Log Volume Summary |
10.5.5: Examine system settings, monitored files, and results from monitoring activities to verify the use of file-integrity monitoring or change-detection software on logs. | Direct | PCI-DSS: FIM Modify Activity AIE Rule | PCI-DSS: FIM Activity Detail | PCI-DSS: AIE FIM Activity Summary PCI-DSS: FIM Activity Summary PCI-DSS: AIE FIM Activity Details PCI-DSS: FIM Activity Details |
10.6.1.a: Examine security policies and procedures to verify that procedures are defined for reviewing the following at least daily, either manually or via log tools: - All security events - Logs of all system components that store, process, or transmit CHD and/or S | Augment | N/A | N/A | PCI-DSS: LogRhythm Usage Auditing Summary PCI-DSS: LogRhythm Usage Auditing by Date Details PCI-DSS: LogRhythm Usage Auditing by User Details |
10.6.1.b: Observe processes and interview personnel to verify that the following are reviewed at least daily: - All security events - Logs of all system components that store, process, or transmit CHD and/or SAD - Logs of all critical system components - Logs of all | Augment | N/A | N/A | PCI-DSS: LogRhythm Usage Auditing Summary PCI-DSS: LogRhythm Usage Auditing by Date Details PCI-DSS: LogRhythm Usage Auditing by User Details |
10.6.2.a: Examine security policies and procedures to verify that procedures are defined for reviewing logs of all other system components periodically (either manually or via log tools) based on the organization’s policies and risk management strategy. | Augment | N/A | N/A | PCI-DSS: LogRhythm Usage Auditing Summary PCI-DSS: LogRhythm Usage Auditing by Date Details PCI-DSS: LogRhythm Usage Auditing by User Details |
10.7.b: Interview personnel and examine audit logs to verify that audit logs are retained for at least one year. | Direct | N/A | N/A | PCI-DSS: Log Volume Summary |
10.7.c: Interview personnel and observe processes to verify that at least the last three months’ logs are immediately available for analysis. | Direct | N/A | N/A | PCI-DSS: Log Volume Summary |
10.8.b: Examine detection and alerting processes and interview personnel to verify that processes are implemented for all critical security controls, and that failure of a critical security control results in the generation of an alert. | Direct | PCI-DSS: Invalid Account Usage AIE Rule PCI-DSS: Database Authentication AIE Rule PCI-DSS: Vendor Auth Activity AIE Rule | PCI-DSS: Service Provider Failure and Critical Inv PCI-DSS: Authentication Failure Detail PCI-DSS: Access Failure Detail PCI-DSS: Vendor Authentication Detail PCI-DSS: Vendor Access Detail PCI-DSS: Database Authentication Detail PCI-DSS: Database Access Detail PCI-DSS: Priv Acct Auth Detail PCI-DSS: Priv Access Activity Details PCI-DSS: Audit Exception Detail | PCI-DSS: Service Provider Failure and Critical Summary PCI-DSS: Authentication Failure Summary PCI-DSS: Access Failure Summary PCI-DSS: Vendor Access Failure Summary PCI-DSS: Vendor Authentication Summary PCI-DSS: AIE Vendor Authentication Summary PCI-DSS: AIE Invalid Account Usage Summary PCI-DSS: Invalid Account Usage Summary PCI-DSS: Priv Authentication Activity Summary PCI-DSS: AIE Database Authentication Summary PCI-DSS: Database Authentication Activity Summary PCI-DSS: Database Access Failure Summary PCI-DSS: Service Provider Failure and Critical Detail PCI-DSS: Authentication Failure Detail (Do not include accounts on Priv or Vendor List or log source = DB; apply to critical environments) PCI-DSS: Access Failure Detail (Do not include accounts on Priv or Vendor List or log source = DB; apply to critical environments) PCI-DSS: Vendor Authentication Details PCI-DSS: Vendor Access Failure Detail PCI-DSS: AIE Invalid Account Usage Detail PCI-DSS: Invalid Account Usage Detail PCI-DSS: Priv Authentication Activity Detail PCI-DSS: Priv Access Failure Detail PCI-DSS: Database Authentication Activity Detail PCI-DSS: Database Access Failure Detail |
10.8.1.b: Examine records to verify that security control failures are documented to include: - Identification of cause(s) of the failure, including root cause - Duration (date and time start and end) of the security failure - Details of the remediation required to address the root cause | Augment | PCI-DSS: Invalid Account Usage AIE Rule PCI-DSS: Database Authentication AIE Rule PCI-DSS: Vendor Auth Activity AIE Rule | PCI-DSS: Service Provider Failure and Critical Inv PCI-DSS: Authentication Failure Detail PCI-DSS: Access Failure Detail PCI-DSS: Vendor Authentication Detail PCI-DSS: Vendor Access Detail PCI-DSS: Database Authentication Detail PCI-DSS: Database Access Detail PCI-DSS: Priv Acct Auth Detail PCI-DSS: Priv Access Activity Details PCI-DSS: Audit Exception Detail | PCI-DSS: Service Provider Failure and Critical Summary PCI-DSS: Authentication Failure Summary PCI-DSS: Access Failure Summary PCI-DSS: Vendor Access Failure Summary PCI-DSS: Vendor Authentication Summary PCI-DSS: AIE Vendor Authentication Summary PCI-DSS: AIE Invalid Account Usage Summary PCI-DSS: Invalid Account Usage Summary PCI-DSS: Priv Authentication Activity Summary PCI-DSS: AIE Database Authentication Summary PCI-DSS: Database Authentication Activity Summary PCI-DSS: Database Access Failure Summary PCI-DSS: Service Provider Failure and Critical Detail PCI-DSS: Authentication Failure Detail (Do not include accounts on Priv or Vendor List or log source = DB; apply to critical environments) PCI-DSS: Access Failure Detail (Do not include accounts on Priv or Vendor List or log source = DB; apply to critical environments) PCI-DSS: Vendor Authentication Details PCI-DSS: Vendor Access Failure Detail PCI-DSS: AIE Invalid Account Usage Detail PCI-DSS: Invalid Account Usage Detail PCI-DSS: Priv Authentication Activity Detail PCI-DSS: Priv Access Failure Detail PCI-DSS: Database Authentication Activity Detail PCI-DSS: Database Access Failure Detail |
11.1.b: Verify that the methodology is adequate to detect and identify any unauthorized wireless access points, including at least the following: - WLAN cards inserted into system components - Portable or mobile devices attached to system components to create | Augment | N/A | PCI-DSS: Rouge WAP Detail | PCI-DSS: Rogue WAP Summary PCI-DSS: Rogue WAP Detail |
11.1.d: If automated monitoring is utilized (for example, wireless IDS/IPS, NAC, etc.), verify the configuration will generate alerts to notify personnel. | Augment | N/A | PCI-DSS: Rouge WAP Detail | PCI-DSS: Rogue WAP Summary PCI-DSS: Rogue WAP Detail |
11.4.a: Examine system configurations and network diagrams to verify that techniques (such as intrusion-detection systems and/or intrusion-prevention systems) are in place to monitor all traffic: - At the perimeter of the cardholder data environment - At critical | Augment | N/A | PCI-DSS: Malware Detail PCI-DSS: Reconnaissance/Suspicious Detail PCI-DSS: Security Activity Detail PCI-DSS: Security Event Detail PCI-DSS: Signature Update Failure Detail | PCI-DSS: Security Event by Impacted App Summary PCI-DSS: Security Event by Impacted Host Summary PCI-DSS: Security Event by Log Source Ent Summary PCI-DSS: Security Event by Origin Host Summary PCI-DSS: Signature Update Activity Summary PCI-DSS: Top Attackers Summary PCI-DSS: Top Suspicious Users Summary PCI-DSS: Top Targeted Applications Summary PCI-DSS: Top Targeted Hosts Summary PCI-DSS: Security Event by Impacted App Details PCI-DSS: Security Event by Impacted Host Details PCI-DSS: Security Event by Log Source Ent Details PCI-DSS: Security Event by Origin Host Details PCI-DSS: Signature Update Activity Details |
11.4.b: Examine system configurations and interview responsible personnel to confirm intrusion-detection and/or intrusion-prevention techniques alert personnel of suspected compromises. | Augment | N/A | PCI-DSS: Malware Detail PCI-DSS: Reconnaissance/Suspicious Detail PCI-DSS: Security Activity Detail PCI-DSS: Security Event Detail PCI-DSS: Signature Update Failure Detail | PCI-DSS: Security Event by Impacted App Summary PCI-DSS: Security Event by Impacted Host Summary PCI-DSS: Security Event by Log Source Ent Summary PCI-DSS: Security Event by Origin Host Summary PCI-DSS: Signature Update Activity Summary PCI-DSS: Top Attackers Summary PCI-DSS: Top Suspicious Users Summary PCI-DSS: Top Targeted Applications Summary PCI-DSS: Top Targeted Hosts Summary PCI-DSS: Security Event by Impacted App Details PCI-DSS: Security Event by Impacted Host Details PCI-DSS: Security Event by Log Source Ent Details PCI-DSS: Security Event by Origin Host Details PCI-DSS: Signature Update Activity Details |
11.4.c: Examine IDS/IPS configurations and vendor documentation to verify intrusion-detection and/or intrusion-prevention techniques are configured, maintained, and updated per vendor instructions to ensure optimal protection. | Augment | N/A | PCI-DSS: Malware Detail PCI-DSS: Reconnaissance/Suspicious Detail PCI-DSS: Security Activity Detail PCI-DSS: Security Event Detail PCI-DSS: Signature Update Failure Detail | PCI-DSS: Security Event by Impacted App Summary PCI-DSS: Security Event by Impacted Host Summary PCI-DSS: Security Event by Log Source Ent Summary PCI-DSS: Security Event by Origin Host Summary PCI-DSS: Signature Update Activity Summary PCI-DSS: Top Attackers Summary PCI-DSS: Top Suspicious Users Summary PCI-DSS: Top Targeted Applications Summary PCI-DSS: Top Targeted Hosts Summary PCI-DSS: Security Event by Impacted App Details PCI-DSS: Security Event by Impacted Host Details PCI-DSS: Security Event by Log Source Ent Details PCI-DSS: Security Event by Origin Host Details PCI-DSS: Signature Update Activity Details |
11.5.a: Verify the use of a change-detection mechanism by observing system settings and monitored files, as well as reviewing results from monitoring activities. Examples of files that should be monitored: - System executables - Application executables - Configuration and parameter files - Centrally stored, historical or archived, log and audit files - Additional critical files determined by entity (for example, through risk assessment or other means). | Direct | PCI-DSS: FIM Add Activity AIE Rule PCI-DSS: FIM Delete Activity AIE Rule PCI-DSS: FIM Group Change Activity AIE Rule PCI-DSS: FIM Modify Activity AIE Rule PCI-DSS: FIM Owner Change Activity AIE Rule PCI-DSS: FIM Permission Activity AIE Rule | PCI-DSS: AIE FIM ADD/Delete/Mod Activity Detail PCI-DSS: AIE FIM Permission Change Detail PCI-DSS: FIM Activity Detail PCI-DSS: FIM ADD/Delete/Mod Activity Detail PCI-DSS: FIM Permission Change Detail | PCI-DSS: AIE FIM Activity Summary PCI-DSS: FIM Activity Summary PCI-DSS: AIE FIM Activity Details PCI-DSS: FIM Activity Details |
11.5.b: Verify the mechanism is configured to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical files, and to perform critical file comparisons at least weekly. | Direct | PCI-DSS: FIM Add Activity AIE Rule PCI-DSS: FIM Delete Activity AIE Rule PCI-DSS: FIM Group Change Activity AIE Rule PCI-DSS: FIM Modify Activity AIE Rule PCI-DSS: FIM Owner Change Activity AIE Rule PCI-DSS: FIM Permission Activity AIE Rule | PCI-DSS: AIE FIM ADD/Delete/Mod Activity Detail PCI-DSS: AIE FIM Permission Change Detail PCI-DSS: FIM Activity Detail PCI-DSS: FIM ADD/Delete/Mod Activity Detail PCI-DSS: FIM Permission Change Detail | PCI-DSS: AIE FIM Activity Summary PCI-DSS: FIM Activity Summary PCI-DSS: AIE FIM Activity Details PCI-DSS: FIM Activity Details |
12.3.8.b: Examine configurations for remote access technologies to verify that remote access sessions will be automatically disconnected after a specific period of inactivity. | Augment | PCI-DSS: Remote Session Timeout AIE Rule | N/A | PCI-DSS: AIE Remote Session Timeout Summary PCI-DSS: Remote Session Timeout Activity Summary PCI-DSS: AIE Remote Session Timeout Details PCI-DSS: Remote Session Timeout Activity Details |
12.3.9: Verify that the usage policies require activation of remote-access technologies used by vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use. | Augment | PCI-DSS: Vendor Auth Activity AIE Rule | PCI-DSS: Vendor Access Detail PCI-DSS: Vendor Authentication Detail PCI-DSS: Vendor Account Enabled Detail | PCI-DSS: AIE Vendor Account Enabled Alert Summary PCI-DSS: AIE Vendor Authentication Summary PCI-DSS: Vendor Account Management Summary PCI-DSS: Vendor Authentication Summary PCI-DSS: Vendor Access Failure Summary PCI-DSS: Vendor Access Granted/Revoked Summary PCI-DSS: AIE Vendor Authentication Details PCI-DSS: Vendor Account Management Details PCI-DSS: Vendor Access Granted/Revoked Details PCI-DSS: Vendor Authentication Details PCI-DSS: Vendor Account Management Details PCI-DSS: Vendor Access Failure Detail |
12.10.5: Verify through observation and review of processes that monitoring and responding to alerts from security monitoring systems are covered in the incident response plan. | Augment | PCI-DSS: Backup Information AIE Rule PCI-DSS: FIM Information AIE Rule | PCI-DSS: Backup Failure Detail PCI-DSS: FIM Failure Detail PCI-DSS: Malware Detail PCI-DSS: Operations Exception Detail PCI-DSS: Rouge WAP Detail PCI-DSS: Security Activity Detail PCI-DSS: Security Event Detail PCI-DSS: Vulnerability Detail | PCI-DSS: AIE Backup Activity Summary PCI-DSS: AIE FIM Critical/Error/Info Summary PCI-DSS: Backup Activity Summary PCI-DSS: FIM Critical/Error/Information Summary PCI-DSS: Rogue WAP Summary PCI-DSS: Security Event by Impacted App Summary PCI-DSS: Security Event by Impacted Host Summary PCI-DSS: Security Event by Log Source Ent Summary PCI-DSS: Security Event by Origin Host Summary PCI-DSS: Top Attackers Summary PCI-DSS: Top Suspicious Users Summary PCI-DSS: Top Targeted Applications Summary PCI-DSS: Top Targeted Hosts Summary PCI-DSS: AIE Backup Activity Details PCI-DSS: FIM Activity Details PCI-DSS: AIE FIM Critical/Error/Info Details PCI-DSS: Backup Activity Details PCI-DSS: FIM Critical/Error/Information Details PCI-DSS: LogRhythm Alarm And Response Details PCI-DSS: Rogue WAP Detail PCI-DSS: Security Event by Impacted App Details PCI-DSS: Security Event by Impacted Host Details PCI-DSS: Security Event by Log Source Ent Details PCI-DSS: Security Event by Origin Host Details |
12.11.a: Examine policies and procedures to verify that processes are defined for reviewing and confirming that personnel are following security policies and operational procedures, and that reviews cover: - Daily log reviews - Firewall rule-set reviews - Applying configuration standards to new systems - Responding to security alerts - Change management processes | Augment | PCI-DSS: Configuration Change Rule PCI-DSS: Policy Change Rule | PCI-DSS: Software Update Failure Detail PCI-DSS: Signature Update Failure Inv PCI-DSS: Patch Update Failure Inv PCI-DSS: Configuration Change Inv PCI-DSS: Policy Change Inv | PCI-DSS: Software Update Activity Summary PCI-DSS: Signature Update Failure Summary PCI-DSS: Patch Update Failure Summary PCI-DSS: Configuration Change Summary PCI-DSS: Policy Change Summary PCI-DSS: Software Update Activity Details PCI-DSS: Signature Update Failure Detail PCI-DSS: Patch Update Failure Detail PCI-DSS: Configuration Change Detail PCI-DSS: Policy Change Detail |
A1.1: If a shared hosting provider allows entities (for example, merchants or service providers) to run their own applications, verify these application processes run using the unique ID of the entity. For example: - No entity on the system can use a shared web server user ID. - All CGI scripts used by an entity must be created and run as the entity’s unique user ID. | Augment | PCI-DSS: Invalid Account Usage AIE Rule PCI-DSS: Database Authentication AIE Rule PCI-DSS: Vendor Auth Activity AIE Rule | PCI-DSS: Authentication Failure Detail PCI-DSS: Access Failure Detail PCI-DSS: Vendor Authentication Detail PCI-DSS: Vendor Access Detail PCI-DSS: Database Authentication Detail PCI-DSS: Database Access Detail PCI-DSS: Priv Acct Auth Detail PCI-DSS: Priv Access Activity Details PCI-DSS: Audit Exception Detail | PCI-DSS: Authentication Failure Summary PCI-DSS: Access Failure Summary PCI-DSS: Vendor Access Failure Summary PCI-DSS: Vendor Authentication Summary PCI-DSS: AIE Vendor Authentication Summary PCI-DSS: AIE Invalid Account Usage Summary PCI-DSS: Invalid Account Usage Summary PCI-DSS: Priv Authentication Activity Summary PCI-DSS: AIE Database Authentication Summary PCI-DSS: Database Authentication Activity Summary PCI-DSS: Database Access Failure Summary PCI-DSS: Authentication Failure Detail (Do not include accounts on Priv or Vendor List or log source = DB; apply to critical environments) PCI-DSS: Access Failure Detail (Do not include accounts on Priv or Vendor List or log source = DB; apply to critical environments) PCI-DSS: Vendor Authentication Details PCI-DSS: Vendor Access Failure Detail PCI-DSS: AIE Invalid Account Usage Detail PCI-DSS: Invalid Account Usage Detail PCI-DSS: Priv Authentication Activity Detail PCI-DSS: Priv Access Failure Detail PCI-DSS: Database Authentication Activity Detail PCI-DSS: Database Access Failure Detail |
A1.2.b: Verify each entity (merchant, service provider) has read, write, or execute permissions only for files and directories it owns or for necessary system files (restricted via file system permissions, access control lists, chroot, jailshell, etc.). Important: An entity’s files may not be shared by group. | Augment | PCI-DSS: FIM Add Activity AIE Rule PCI-DSS: FIM Delete Activity AIE Rule PCI-DSS: FIM Group Change Activity AIE Rule PCI-DSS: FIM Modify Activity AIE Rule PCI-DSS: FIM Owner Change Activity AIE Rule PCI-DSS: FIM Permission Activity AIE Rule | PCI-DSS: AIE FIM ADD/Delete/Mod Activity Detail PCI-DSS: AIE FIM Permission Change Detail PCI-DSS: FIM Activity Detail PCI-DSS: FIM ADD/Delete/Mod Activity Detail PCI-DSS: FIM Permission Change Detail | PCI-DSS: AIE FIM Activity Summary PCI-DSS: FIM Activity Summary PCI-DSS: AIE FIM Activity Details PCI-DSS: FIM Activity Details |
A1.2.c: Verify that an entity’s users do not have write access to shared system binaries. | Augment | PCI-DSS: FIM Add Activity AIE Rule PCI-DSS: FIM Delete Activity AIE Rule PCI-DSS: FIM Group Change Activity AIE Rule PCI-DSS: FIM Modify Activity AIE Rule PCI-DSS: FIM Owner Change Activity AIE Rule PCI-DSS: FIM Permission Activity AIE Rule | PCI-DSS: AIE FIM ADD/Delete/Mod Activity Detail PCI-DSS: AIE FIM Permission Change Detail PCI-DSS: FIM Activity Detail PCI-DSS: FIM ADD/Delete/Mod Activity Detail PCI-DSS: FIM Permission Change Detail | PCI-DSS: AIE FIM Activity Summary PCI-DSS: FIM Activity Summary PCI-DSS: AIE FIM Activity Details PCI-DSS: FIM Activity Details |
A1.3: Verify the shared hosting provider has enabled logging as follows, for each merchant and service provider environment: - Logs are enabled for common third-party applications. - Logs are active by default. - Logs are available for review by the owning entity. - Log locations are clearly communicated to the owning entity. | Augment | PCI-DSS: Invalid Account Usage AIE Rule PCI-DSS: Database Authentication AIE Rule PCI-DSS: Vendor Auth Activity AIE Rule | PCI-DSS: Service Provider Failure and Critical Inv PCI-DSS: Authentication Failure Detail PCI-DSS: Access Failure Detail PCI-DSS: Vendor Authentication Detail PCI-DSS: Vendor Access Detail PCI-DSS: Database Authentication Detail PCI-DSS: Database Access Detail PCI-DSS: Priv Acct Auth Detail PCI-DSS: Priv Access Activity Details PCI-DSS: Audit Exception Detail | PCI-DSS: Service Provider Failure and Critical Summary PCI-DSS: Authentication Failure Summary PCI-DSS: Access Failure Summary PCI-DSS: Vendor Access Failure Summary PCI-DSS: Vendor Authentication Summary PCI-DSS: AIE Vendor Authentication Summary PCI-DSS: AIE Invalid Account Usage Summary PCI-DSS: Invalid Account Usage Summary PCI-DSS: Priv Authentication Activity Summary PCI-DSS: AIE Database Authentication Summary PCI-DSS: Database Authentication Activity Summary PCI-DSS: Database Access Failure Summary PCI-DSS: Service Provider Failure and Critical Detail PCI-DSS: Authentication Failure Detail (Do not include accounts on Priv or Vendor List or log source = DB; apply to critical environments) PCI-DSS: Access Failure Detail (Do not include accounts on Priv or Vendor List or log source = DB; apply to critical environments) PCI-DSS: Vendor Authentication Details PCI-DSS: Vendor Access Failure Detail PCI-DSS: AIE Invalid Account Usage Detail PCI-DSS: Invalid Account Usage Detail PCI-DSS: Priv Authentication Activity Detail PCI-DSS: Priv Access Failure Detail PCI-DSS: Database Authentication Activity Detail PCI-DSS: Database Access Failure Detail |
A2.1: For POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS: - Confirm the entity has documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies the devices are not susceptible to any known exploits for SSL/early TLS. Or: - Complete A2.2 below. | Augment | PCI-DSS: TLS Activity PCI-DSS: SSL Activity | PCI-DSS: TLS/SSL Activity | PCI-DSS: TLS/SSL Summary PCI-DSS: Early TLS/SSL Version Summary PCI-DSS: TLS/SSL Detail PCI-DSS: Early TLS/SSL Version Detail |
A2.2: Review the documented Risk Mitigation and Migration Plan to verify it includes: - Description of usage, including what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, type of environment; - Risk-assessment results and risk-reduction controls in place; - Description of processes to monitor for new vulnerabilities associated with SSL/early TLS; - Description of change control processes that are implemented to ensure SSL/early TLS is not implemented into new environments; - Overview of migration project plan including target migration completion date no later than June 30, 2018. | Augment | PCI-DSS: TLS Activity PCI-DSS: SSL Activity | PCI-DSS: TLS/SSL Activity | PCI-DSS: TLS/SSL Summary PCI-DSS: Early TLS/SSL Version Summary PCI-DSS: TLS/SSL Detail PCI-DSS: Early TLS/SSL Version Detail |
A2.3: Examine system configurations and supporting documentation to verify the service provider offers a secure protocol option for their service. | Augment | PCI-DSS: TLS Activity PCI-DSS: SSL Activity | PCI-DSS: TLS/SSL Activity | PCI-DSS: TLS/SSL Summary PCI-DSS: Early TLS/SSL Version Summary PCI-DSS: Non-Encrypted Protocol Summary PCI-DSS: TLS/SSL Detail PCI-DSS: Early TLS/SSL Version Detail PCI-DSS: Non-Encrypted Protocol Details |
A3.1.1.c: Examine executive management and board of directors meeting minutes and/or presentations to ensure PCI DSS compliance initiatives and remediation activities are communicated at least annually. | Augment (Report Packages) | | | |
A3.2.2.1: For a sample of systems and network changes, examine change records, interview personnel and observe the affected systems/networks to verify that applicable PCI DSS requirements were implemented and documentation updated as part of the change. | Augment (use of Case Management for storing samples; general strategy applied to the following controls: 6.4.3, 6.4.4, 6.4.6, 8.3.1.b) | | | |
A3.2.5.b: Examine results from recent data discovery efforts, and interview responsible personnel to verify that data discovery is performed at least quarterly and upon significant changes to the cardholder environment or processes. | Augment | PCI-DSS: Configuration Change Rule PCI-DSS: Policy Change Rule PCI-DSS: FIM Add Activity AIE Rule PCI-DSS: FIM Delete Activity AIE Rule PCI-DSS: FIM Group Change Activity AIE Rule PCI-DSS: FIM Modify Activity AIE Rule PCI-DSS: FIM Owner Change Activity AIE Rule PCI-DSS: FIM Permission Activity AIE Rule | PCI-DSS: Software Update Failure Detail PCI-DSS: Signature Update Failure Inv PCI-DSS: Patch Update Failure Inv PCI-DSS: Configuration Change Inv PCI-DSS: Policy Change Inv PCI-DSS: AIE FIM ADD/Delete/Mod Activity Detail PCI-DSS: AIE FIM Permission Change Detail PCI-DSS: FIM Activity Detail PCI-DSS: FIM ADD/Delete/Mod Activity Detail PCI-DSS: FIM Permission Change Detail | PCI-DSS: Software Update Activity Summary PCI-DSS: Signature Update Failure Summary PCI-DSS: Patch Update Failure Summary PCI-DSS: Configuration Change Summary PCI-DSS: Policy Change Summary PCI-DSS: AIE FIM Activity Summary PCI-DSS: FIM Activity Summary PCI-DSS: Software Update Activity Details PCI-DSS: Signature Update Failure Detail PCI-DSS: Patch Update Failure Detail PCI-DSS: Configuration Change Detail PCI-DSS: Policy Change Detail PCI-DSS: AIE FIM Activity Details PCI-DSS: FIM Activity Details |
A3.2.6.b: Examine audit logs and alerts, and interview responsible personnel to verify that alerts are investigated. | Augment Case Management | N/A | N/A | N/A |
A3.3.1.a: Examine documented policies and procedures to verify that processes are defined to immediately detect and alert on critical security control failures. | Augment | PCI-DSS: Invalid Account Usage AIE Rule PCI-DSS: Database Authentication AIE Rule PCI-DSS: Vendor Auth Activity AIE Rule | PCI-DSS: Service Provider Failure and Critical Inv PCI-DSS: Authentication Failure Detail PCI-DSS: Access Failure Detail PCI-DSS: Vendor Authentication Detail PCI-DSS: Vendor Access Detail PCI-DSS: Database Authentication Detail PCI-DSS: Database Access Detail PCI-DSS: Priv Acct Auth Detail PCI-DSS: Priv Access Activity Details PCI-DSS: Audit Exception Detail | PCI-DSS: Service Provider Failure and Critical Summary PCI-DSS: Authentication Failure Summary PCI-DSS: Access Failure Summary PCI-DSS: Vendor Access Failure Summary PCI-DSS: Vendor Authentication Summary PCI-DSS: AIE Vendor Authentication Summary PCI-DSS: AIE Invalid Account Usage Summary PCI-DSS: Invalid Account Usage Summary PCI-DSS: Priv Authentication Activity Summary PCI-DSS: AIE Database Authentication Summary PCI-DSS: Database Authentication Activity Summary PCI-DSS: Database Access Failure Summary PCI-DSS: Service Provider Failure and Critical Detail PCI-DSS: Authentication Failure Detail (Do not include accounts on Priv or Vendor List or log source = DB; apply to critical environments) PCI-DSS: Access Failure Detail (Do not include accounts on Priv or Vendor List or log source = DB; apply to critical environments) PCI-DSS: Vendor Authentication Details PCI-DSS: Vendor Access Failure Detail PCI-DSS: AIE Invalid Account Usage Detail PCI-DSS: Invalid Account Usage Detail PCI-DSS: Priv Authentication Activity Detail PCI-DSS: Priv Access Failure Detail PCI-DSS: Database Authentication Activity Detail PCI-DSS: Database Access Failure Detail |
A3.3.1.b: Examine detection and alerting processes and interview personnel to verify that processes are implemented for all critical security controls, and that failure of a critical security control results in the generation of an alert. Relates to 10.8 | Direct | PCI-DSS: Invalid Account Usage AIE Rule PCI-DSS: Database Authentication AIE Rule PCI-DSS: Vendor Auth Activity AIE Rule | PCI-DSS: Service Provider Failure and Critical Inv PCI-DSS: Authentication Failure Detail PCI-DSS: Access Failure Detail PCI-DSS: Vendor Authentication Detail PCI-DSS: Vendor Access Detail PCI-DSS: Database Authentication Detail PCI-DSS: Database Access Detail PCI-DSS: Priv Acct Auth Detail PCI-DSS: Priv Access Activity Details PCI-DSS: Audit Exception Detail | PCI-DSS: Service Provider Failure and Critical Summary PCI-DSS: Authentication Failure Summary PCI-DSS: Access Failure Summary PCI-DSS: Vendor Access Failure Summary PCI-DSS: Vendor Authentication Summary PCI-DSS: AIE Vendor Authentication Summary PCI-DSS: AIE Invalid Account Usage Summary PCI-DSS: Invalid Account Usage Summary PCI-DSS: Priv Authentication Activity Summary PCI-DSS: AIE Database Authentication Summary PCI-DSS: Database Authentication Activity Summary PCI-DSS: Database Access Failure Summary PCI-DSS: Service Provider Failure and Critical Detail PCI-DSS: Authentication Failure Detail (Do not include accounts on Priv or Vendor List or log source = DB; apply to critical environments) PCI-DSS: Access Failure Detail (Do not include accounts on Priv or Vendor List or log source = DB; apply to critical environments) PCI-DSS: Vendor Authentication Details PCI-DSS: Vendor Access Failure Detail PCI-DSS: AIE Invalid Account Usage Detail PCI-DSS: Invalid Account Usage Detail PCI-DSS: Priv Authentication Activity Detail PCI-DSS: Priv Access Failure Detail PCI-DSS: Database Authentication Activity Detail PCI-DSS: Database Access Failure Detail |
A3.3.1.1.b: Examine records to verify that security control failures are documented to include: - Identification of cause(s) of the failure, including root cause - Duration (date and time start and end) of the security failure - Details of the remediation required to address the root cause. Relates to 10.8 | Augment (Case Management support; relates to 10.8.1) | N/A | N/A | N/A |
A3.3.3.a: Examine policies and procedures to verify that processes are defined for reviewing and verifying BAU activities. Verify the procedures include: - Confirming that all BAU activities (e.g., A3.2.2, A3.2.6, and A3.3.1) are being performed - Confirming that personnel are following security policies and operational procedures (for example, daily log reviews, firewall rule-set reviews, configuration standards for new systems, etc.) - Documenting how the reviews were completed, including how all BAU activities were verified as being in place - Collecting documented evidence as required for the annual PCI DSS assessment - Reviewing and sign-off of results by executive management assigned responsibility for PCI DSS governance - Retaining records and documentation for at least 12 months, covering all BAU activities | Augment Case Management | N/A | N/A | N/A |
A3.3.3.b: Interview responsible personnel and examine records of reviews to verify that: - Reviews are performed by personnel assigned to the PCI DSS compliance program. - Reviews are performed at least quarterly. | Augment (Case Management provides the ability to verify that daily reporting is performed) | N/A | N/A | N/A |
A3.4.1: Interview responsible personnel and examine supporting documentation to verify that: - User accounts and access privileges are reviewed at least every six months. - Reviews confirm that access is appropriate based on job function, and that all access is authorized. | Augment | PCI-DSS: Personel Login Authentication Method Event PCI-DSS: Invalid Account Usage AIE Rule PCI-DSS: Database Authentication AIE Rule PCI-DSS: Vendor Auth Activity AIE Rule | PCI-DSS: Personel Login Authentication Method Inv PCI-DSS: Service Provider Failure and Critical Inv PCI-DSS: Authentication Failure Detail PCI-DSS: Access Failure Detail PCI-DSS: Vendor Authentication Detail PCI-DSS: Vendor Access Detail PCI-DSS: Database Authentication Detail PCI-DSS: Database Access Detail PCI-DSS: Priv Acct Auth Detail PCI-DSS: Priv Access Activity Details PCI-DSS: Audit Exception Detail | PCI-DSS: Service Provider Failure and Critical Summary PCI-DSS: Authentication Failure Summary PCI-DSS: Access Failure Summary PCI-DSS: Vendor Access Failure Summary PCI-DSS: Vendor Authentication Summary PCI-DSS: AIE Vendor Authentication Summary PCI-DSS: AIE Invalid Account Usage Summary PCI-DSS: Invalid Account Usage Summary PCI-DSS: Priv Authentication Activity Summary PCI-DSS: AIE Database Authentication Summary PCI-DSS: Database Authentication Activity Summary PCI-DSS: Database Access Failure Summary PCI-DSS: Service Provider Failure and Critical Detail PCI-DSS: Authentication Failure Detail (Do not include accounts on Priv or Vendor List or log source = DB; apply to critical environments) PCI-DSS: Access Failure Detail (Do not include accounts on Priv or Vendor List or log source = DB; apply to critical environments) PCI-DSS: Vendor Authentication Details PCI-DSS: Vendor Access Failure Detail PCI-DSS: AIE Invalid Account Usage Detail PCI-DSS: Invalid Account Usage Detail PCI-DSS: Priv Authentication Activity Detail PCI-DSS: Priv Access Failure Detail PCI-DSS: Database Authentication Activity Detail PCI-DSS: Database Access Failure Detail |
A3.5.1.a: Review documentation and interview personnel to verify a methodology is defined and implemented to identify attack patterns and undesirable behavior across systems in a timely manner, and includes the following: - Identification of anomalies or suspicious activity as it occurs - Issuance of timely alerts to responsible personnel - Response to alerts in accordance with documented response procedures | Augment | PCI-DSS: Invalid Account Usage AIE Rule PCI-DSS: Database Authentication AIE Rule PCI-DSS: Vendor Auth Activity AIE Rule | PCI-DSS: Service Provider Failure and Critical Inv PCI-DSS: Authentication Failure Detail PCI-DSS: Access Failure Detail PCI-DSS: Vendor Authentication Detail PCI-DSS: Vendor Access Detail PCI-DSS: Database Authentication Detail PCI-DSS: Database Access Detail PCI-DSS: Priv Acct Auth Detail PCI-DSS: Priv Access Activity Details PCI-DSS: Audit Exception Detail | PCI-DSS: Service Provider Failure and Critical Summary PCI-DSS: Authentication Failure Summary PCI-DSS: Access Failure Summary PCI-DSS: Vendor Access Failure Summary PCI-DSS: Vendor Authentication Summary PCI-DSS: AIE Vendor Authentication Summary PCI-DSS: AIE Invalid Account Usage Summary PCI-DSS: Invalid Account Usage Summary PCI-DSS: Priv Authentication Activity Summary PCI-DSS: AIE Database Authentication Summary PCI-DSS: Database Authentication Activity Summary PCI-DSS: Database Access Failure Summary PCI-DSS: Service Provider Failure and Critical Detail PCI-DSS: Authentication Failure Detail (Do not include accounts on Priv or Vendor List or log source = DB; apply to critical environments) PCI-DSS: Access Failure Detail (Do not include accounts on Priv or Vendor List or log source = DB; apply to critical environments) PCI-DSS: Vendor Authentication Details PCI-DSS: Vendor Access Failure Detail PCI-DSS: AIE Invalid Account Usage Detail PCI-DSS: Invalid Account Usage Detail PCI-DSS: Priv Authentication Activity Detail PCI-DSS: Priv Access Failure Detail PCI-DSS: Database Authentication Activity Detail PCI-DSS: Database Access Failure Detail |
A3.5.1.b: Examine incident response procedures and interview responsible personnel to verify that: - On-call personnel receive timely alerts. - Alerts are responded to per documented response procedures. | Augment | PCI-DSS: Invalid Account Usage AIE Rule PCI-DSS: Database Authentication AIE Rule PCI-DSS: Vendor Auth Activity AIE Rule | PCI-DSS: Service Provider Failure and Critical Inv PCI-DSS: Authentication Failure Detail PCI-DSS: Access Failure Detail PCI-DSS: Vendor Authentication Detail PCI-DSS: Vendor Access Detail PCI-DSS: Database Authentication Detail PCI-DSS: Database Access Detail PCI-DSS: Priv Acct Auth Detail PCI-DSS: Priv Access Activity Details PCI-DSS: Audit Exception Detail | PCI-DSS: Service Provider Failure and Critical Summary PCI-DSS: Authentication Failure Summary PCI-DSS: Access Failure Summary PCI-DSS: Vendor Access Failure Summary PCI-DSS: Vendor Authentication Summary PCI-DSS: AIE Vendor Authentication Summary PCI-DSS: AIE Invalid Account Usage Summary PCI-DSS: Invalid Account Usage Summary PCI-DSS: Priv Authentication Activity Summary PCI-DSS: AIE Database Authentication Summary PCI-DSS: Database Authentication Activity Summary PCI-DSS: Database Access Failure Summary PCI-DSS: Service Provider Failure and Critical Detail PCI-DSS: Authentication Failure Detail (Do not include accounts on Priv or Vendor List or log source = DB; apply to critical environments) PCI-DSS: Access Failure Detail (Do not include accounts on Priv or Vendor List or log source = DB; apply to critical environments) PCI-DSS: Vendor Authentication Details PCI-DSS: Vendor Access Failure Detail PCI-DSS: AIE Invalid Account Usage Detail PCI-DSS: Invalid Account Usage Detail PCI-DSS: Priv Authentication Activity Detail PCI-DSS: Priv Access Failure Detail PCI-DSS: Database Authentication Activity Detail PCI-DSS: Database Access Failure Detail |