
PCI-DSS 3.2 – Requirements

Control Description

Support

AIE Rules/Alerts

Investigations

Reports

1.1.1.a: Examine documented procedures to verify there is a formal process for testing and approval of all:

- Network connections and

- Changes to firewall and router configurations

Augment

N/A

PCI-DSS: Configuration/Policy Change Detail

PCI-DSS: Configuration/Policy Change Summary

PCI-DSS: Configuration/Policy Change Details

1.1.6.a: Verify that firewall and router configuration standards include a documented list of all services, protocols and ports, including business justification and approval for each.

Augment

N/A

PCI-DSS: Network Communication Detail

PCI-DSS: Non-Encrypted Protocol Summary

PCI-DSS: Non-Encrypted Protocol Details

1.1.6.b: Identify insecure services, protocols, and ports allowed; and verify that security features are documented for each service.

Direct

N/A

PCI-DSS: Network Communication Detail

PCI-DSS: Non-Encrypted Protocol Summary

PCI-DSS: Non-Encrypted Protocol Details

1.2.1.a: Examine firewall and router configuration standards to verify that they identify inbound and outbound traffic necessary for the cardholder data environment.

Augment

PCI-DSS: Denied CDE => Internet Comm AIE Rule

PCI-DSS: Denied DMZ => Internal Comm AIE Rule

PCI-DSS: Denied Inet => Intrn Comm AIE Rule

PCI-DSS: Denied Internet => CDE Comm AIE Rule

PCI-DSS: Denied Internet => DMZ Comm AIE Rule

PCI-DSS: Denied Test => Internal Comm AIE Rule

PCI-DSS: Denied Test => Internet Comm AIE Rule

PCI-DSS: Denied Wireless => CDE Comm AIE Rule

PCI-DSS: Invalid CDE => Internet Comm AIE Rule

PCI-DSS: Invalid DMZ => Internal Comm AIE Rule

PCI-DSS: Invalid Inet => Intrn Comm AIE Rule

PCI-DSS: Invalid Internet => CDE Comm AIE Rule

PCI-DSS: Invalid Internet => DMZ Comm AIE Rule

PCI-DSS: Invalid Test => Internal Comm AIE Rule

PCI-DSS: Invalid Test => Internet Comm AIE Rule

PCI-DSS: AIE Denied CDE => Internet Comm Detail

PCI-DSS: AIE Denied DMZ => Internal Comm Detail

PCI-DSS: AIE Denied Inet => Intrn Comm Detail

PCI-DSS: AIE Denied Internet => CDE Comm Detail

PCI-DSS: AIE Denied Internet => DMZ Comm Detail

PCI-DSS: AIE Denied Test => Inet Comm Detail

PCI-DSS: AIE Invalid CDE => Inet Comm Detail

PCI-DSS: AIE Invalid DMZ => Internal Comm Detail

PCI-DSS: AIE Invalid Inet => CDE Comm Detail

PCI-DSS: AIE Invalid Inet => DMZ Comm Detail

PCI-DSS: AIE Invalid Inet => Intrn Comm Detail

PCI-DSS: AIE Invalid Test => Inet Comm Detail

PCI-DSS: CDE Communication Detail

PCI-DSS: Denied CDE => Internet Comm Detail

PCI-DSS: Denied DMZ => Internal Comm Detail

PCI-DSS: Denied Inet => Intrn Comm Detail

PCI-DSS: Denied Internet => CDE Comm Detail

PCI-DSS: Denied Internet => DMZ Comm Detail

PCI-DSS: Denied Test => Internet Comm Detail

PCI-DSS: DMZ Communication Detail

PCI-DSS: Internet Communication Detail

PCI-DSS: Invalid CDE => Internet Comm Detail

PCI-DSS: Invalid DMZ => Internal Comm Detail

PCI-DSS: Invalid Inet => Intrn Comm Detail

PCI-DSS: Invalid Internet => CDE Comm Detail

PCI-DSS: Invalid Internet => DMZ Comm Detail

PCI-DSS: Invalid Test => Internet Comm Detail

PCI-DSS: Network Communication Detail

PCI-DSS: AIE Denied CDE => Internet Comm Summary

PCI-DSS: AIE Denied DMZ => Internal Comm Summary

PCI-DSS: AIE Denied Inet => Intrn Comm Summary

PCI-DSS: AIE Denied Internet => CDE Comm Summary

PCI-DSS: AIE Denied Internet => DMZ Comm Summary

PCI-DSS: AIE Denied Test => Internet Comm Summary

PCI-DSS: AIE Invalid CDE => Internet Comm Summary

PCI-DSS: AIE Invalid DMZ => Internal Comm Summary

PCI-DSS: AIE Invalid Inet => Intrn Comm Summary

PCI-DSS: AIE Invalid Internet => CDE Comm Summary

PCI-DSS: AIE Invalid Internet => DMZ Comm Summary

PCI-DSS: AIE Invalid Test => Internet Comm Summary

PCI-DSS: Denied CDE => Internet Comm Summary

PCI-DSS: Denied DMZ => Internal Comm Summary

PCI-DSS: Denied Inet => Intrn Comm Summary

PCI-DSS: Denied Internet => CDE Comm Summary

PCI-DSS: Denied Internet => DMZ Comm Summary

PCI-DSS: Denied Test => Internet Comm Summary

PCI-DSS: Invalid CDE => Internet Comm Summary

PCI-DSS: Invalid DMZ => Internal Comm Summary

PCI-DSS: Invalid Inet => Intrn Comm Summary

PCI-DSS: Invalid Internet => CDE Comm Summary

PCI-DSS: Invalid Internet => DMZ Comm Summary

PCI-DSS: Invalid Test => Internet Comm Summary

PCI-DSS: Invalid Test => Internal Comm Summary

PCI-DSS: AIE Denied CDE => Internet Comm Details

PCI-DSS: AIE Denied DMZ => Internal Comm Details

PCI-DSS: AIE Denied Inet => Intrn Comm Details

PCI-DSS: AIE Denied Internet => CDE Comm Details

PCI-DSS: AIE Denied Internet => DMZ Comm Details

PCI-DSS: AIE Denied Test => Internet Comm Details

PCI-DSS: AIE Invalid CDE => Internet Comm Details

PCI-DSS: AIE Invalid DMZ => Internal Comm Details

PCI-DSS: AIE Invalid Inet => Intrn Comm Details

PCI-DSS: AIE Invalid Internet => CDE Comm Details

PCI-DSS: AIE Invalid Internet => DMZ Comm Details

PCI-DSS: AIE Invalid Test => Internet Comm Details

PCI-DSS: Denied CDE => Internet Comm Details

PCI-DSS: Denied DMZ => Internal Comm Details

PCI-DSS: Denied Inet => Intrn Comm Details

PCI-DSS: Denied Internet => CDE Comm Details

PCI-DSS: Denied Internet => DMZ Comm Details

PCI-DSS: Denied Test => Internet Comm Details

PCI-DSS: Invalid CDE => Internet Comm Details

PCI-DSS: Invalid DMZ => Internal Comm Details

PCI-DSS: Invalid Inet => Intrn Comm Details

PCI-DSS: Invalid Internet => CDE Comm Details

PCI-DSS: Invalid Internet => DMZ Comm Details

PCI-DSS: Invalid Test => Internet Comm Details

PCI-DSS: AIE Denied Wireless => CDE Comm Details

1.2.1.b: Examine firewall and router configurations to verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data environment.

Augment

PCI-DSS: Denied CDE => Internet Comm AIE Rule

PCI-DSS: Denied DMZ => Internal Comm AIE Rule

PCI-DSS: Denied Inet => Intrn Comm AIE Rule

PCI-DSS: Denied Internet => CDE Comm AIE Rule

PCI-DSS: Denied Internet => DMZ Comm AIE Rule

PCI-DSS: Denied Test => Internal Comm AIE Rule

PCI-DSS: Denied Test => Internet Comm AIE Rule

PCI-DSS: Denied Wireless => CDE Comm AIE Rule

PCI-DSS: Invalid CDE => Internet Comm AIE Rule

PCI-DSS: Invalid DMZ => Internal Comm AIE Rule

PCI-DSS: Invalid Inet => Intrn Comm AIE Rule

PCI-DSS: Invalid Internet => CDE Comm AIE Rule

PCI-DSS: Invalid Internet => DMZ Comm AIE Rule

PCI-DSS: Invalid Test => Internal Comm AIE Rule

PCI-DSS: Invalid Test => Internet Comm AIE Rule

PCI-DSS: AIE Denied CDE => Internet Comm Detail

PCI-DSS: AIE Denied DMZ => Internal Comm Detail

PCI-DSS: AIE Denied Inet => Intrn Comm Detail

PCI-DSS: AIE Denied Internet => CDE Comm Detail

PCI-DSS: AIE Denied Internet => DMZ Comm Detail

PCI-DSS: AIE Denied Test => Inet Comm Detail

PCI-DSS: AIE Invalid CDE => Inet Comm Detail

PCI-DSS: AIE Invalid DMZ => Internal Comm Detail

PCI-DSS: AIE Invalid Inet => CDE Comm Detail

PCI-DSS: AIE Invalid Inet => DMZ Comm Detail

PCI-DSS: AIE Invalid Inet => Intrn Comm Detail

PCI-DSS: AIE Invalid Test => Inet Comm Detail

PCI-DSS: CDE Communication Detail

PCI-DSS: Denied CDE => Internet Comm Detail

PCI-DSS: Denied DMZ => Internal Comm Detail

PCI-DSS: Denied Inet => Intrn Comm Detail

PCI-DSS: Denied Internet => CDE Comm Detail

PCI-DSS: Denied Internet => DMZ Comm Detail

PCI-DSS: Denied Test => Internet Comm Detail

PCI-DSS: DMZ Communication Detail

PCI-DSS: Internet Communication Detail

PCI-DSS: Invalid CDE => Internet Comm Detail

PCI-DSS: Invalid DMZ => Internal Comm Detail

PCI-DSS: Invalid Inet => Intrn Comm Detail

PCI-DSS: Invalid Internet => CDE Comm Detail

PCI-DSS: Invalid Internet => DMZ Comm Detail

PCI-DSS: Invalid Test => Internet Comm Detail

PCI-DSS: Network Communication Detail

PCI-DSS: AIE Denied CDE => Internet Comm Summary

PCI-DSS: AIE Denied DMZ => Internal Comm Summary

PCI-DSS: AIE Denied Inet => Intrn Comm Summary

PCI-DSS: AIE Denied Internet => CDE Comm Summary

PCI-DSS: AIE Denied Internet => DMZ Comm Summary

PCI-DSS: AIE Denied Test => Internet Comm Summary

PCI-DSS: AIE Invalid CDE => Internet Comm Summary

PCI-DSS: AIE Invalid DMZ => Internal Comm Summary

PCI-DSS: AIE Invalid Inet => Intrn Comm Summary

PCI-DSS: AIE Invalid Internet => CDE Comm Summary

PCI-DSS: AIE Invalid Internet => DMZ Comm Summary

PCI-DSS: AIE Invalid Test => Internet Comm Summary

PCI-DSS: Denied CDE => Internet Comm Summary

PCI-DSS: Denied DMZ => Internal Comm Summary

PCI-DSS: Denied Inet => Intrn Comm Summary

PCI-DSS: Denied Internet => CDE Comm Summary

PCI-DSS: Denied Internet => DMZ Comm Summary

PCI-DSS: Denied Test => Internet Comm Summary

PCI-DSS: Invalid CDE => Internet Comm Summary

PCI-DSS: Invalid DMZ => Internal Comm Summary

PCI-DSS: Invalid Inet => Intrn Comm Summary

PCI-DSS: Invalid Internet => CDE Comm Summary

PCI-DSS: Invalid Internet => DMZ Comm Summary

PCI-DSS: Invalid Test => Internet Comm Summary

PCI-DSS: Invalid Test => Internal Comm Summary

PCI-DSS: AIE Denied CDE => Internet Comm Details

PCI-DSS: AIE Denied DMZ => Internal Comm Details

PCI-DSS: AIE Denied Inet => Intrn Comm Details

PCI-DSS: AIE Denied Internet => CDE Comm Details

PCI-DSS: AIE Denied Internet => DMZ Comm Details

PCI-DSS: AIE Denied Test => Internet Comm Details

PCI-DSS: AIE Invalid CDE => Internet Comm Details

PCI-DSS: AIE Invalid DMZ => Internal Comm Details

PCI-DSS: AIE Invalid Inet => Intrn Comm Details

PCI-DSS: AIE Invalid Internet => CDE Comm Details

PCI-DSS: AIE Invalid Internet => DMZ Comm Details

PCI-DSS: AIE Invalid Test => Internet Comm Details

PCI-DSS: Denied CDE => Internet Comm Details

PCI-DSS: Denied DMZ => Internal Comm Details

PCI-DSS: Denied Inet => Intrn Comm Details

PCI-DSS: Denied Internet => CDE Comm Details

PCI-DSS: Denied Internet => DMZ Comm Details

PCI-DSS: Denied Test => Internet Comm Details

PCI-DSS: Invalid CDE => Internet Comm Details

PCI-DSS: Invalid DMZ => Internal Comm Details

PCI-DSS: Invalid Inet => Intrn Comm Details

PCI-DSS: Invalid Internet => CDE Comm Details

PCI-DSS: Invalid Internet => DMZ Comm Details

PCI-DSS: Invalid Test => Internet Comm Details

PCI-DSS: AIE Denied Wireless => CDE Comm Details

1.2.1.c: Examine firewall and router configurations to verify that all other inbound and outbound traffic is specifically denied, for example by using an explicit “deny all” or an implicit deny after allow statement.

Augment

PCI-DSS: Denied CDE => Internet Comm AIE Rule

PCI-DSS: Denied DMZ => Internal Comm AIE Rule

PCI-DSS: Denied Inet => Intrn Comm AIE Rule

PCI-DSS: Denied Internet => CDE Comm AIE Rule

PCI-DSS: Denied Internet => DMZ Comm AIE Rule

PCI-DSS: Denied Test => Internal Comm AIE Rule

PCI-DSS: Denied Test => Internet Comm AIE Rule

PCI-DSS: Denied Wireless => CDE Comm AIE Rule

PCI-DSS: Invalid CDE => Internet Comm AIE Rule

PCI-DSS: Invalid DMZ => Internal Comm AIE Rule

PCI-DSS: Invalid Inet => Intrn Comm AIE Rule

PCI-DSS: Invalid Internet => CDE Comm AIE Rule

PCI-DSS: Invalid Internet => DMZ Comm AIE Rule

PCI-DSS: Invalid Test => Internal Comm AIE Rule

PCI-DSS: Invalid Test => Internet Comm AIE Rule

PCI-DSS: AIE Denied CDE => Internet Comm Detail

PCI-DSS: AIE Denied DMZ => Internal Comm Detail

PCI-DSS: AIE Denied Inet => Intrn Comm Detail

PCI-DSS: AIE Denied Internet => CDE Comm Detail

PCI-DSS: AIE Denied Internet => DMZ Comm Detail

PCI-DSS: AIE Denied Test => Inet Comm Detail

PCI-DSS: AIE Invalid CDE => Inet Comm Detail

PCI-DSS: AIE Invalid DMZ => Internal Comm Detail

PCI-DSS: AIE Invalid Inet => CDE Comm Detail

PCI-DSS: AIE Invalid Inet => DMZ Comm Detail

PCI-DSS: AIE Invalid Inet => Intrn Comm Detail

PCI-DSS: AIE Invalid Test => Inet Comm Detail

PCI-DSS: CDE Communication Detail

PCI-DSS: Denied CDE => Internet Comm Detail

PCI-DSS: Denied DMZ => Internal Comm Detail

PCI-DSS: Denied Inet => Intrn Comm Detail

PCI-DSS: Denied Internet => CDE Comm Detail

PCI-DSS: Denied Internet => DMZ Comm Detail

PCI-DSS: Denied Test => Internet Comm Detail

PCI-DSS: DMZ Communication Detail

PCI-DSS: Internet Communication Detail

PCI-DSS: Invalid CDE => Internet Comm Detail

PCI-DSS: Invalid DMZ => Internal Comm Detail

PCI-DSS: Invalid Inet => Intrn Comm Detail

PCI-DSS: Invalid Internet => CDE Comm Detail

PCI-DSS: Invalid Internet => DMZ Comm Detail

PCI-DSS: Invalid Test => Internet Comm Detail

PCI-DSS: Network Communication Detail

PCI-DSS: AIE Denied CDE => Internet Comm Summary

PCI-DSS: AIE Denied DMZ => Internal Comm Summary

PCI-DSS: AIE Denied Inet => Intrn Comm Summary

PCI-DSS: AIE Denied Internet => CDE Comm Summary

PCI-DSS: AIE Denied Internet => DMZ Comm Summary

PCI-DSS: AIE Denied Test => Internet Comm Summary

PCI-DSS: AIE Invalid CDE => Internet Comm Summary

PCI-DSS: AIE Invalid DMZ => Internal Comm Summary

PCI-DSS: AIE Invalid Inet => Intrn Comm Summary

PCI-DSS: AIE Invalid Internet => CDE Comm Summary

PCI-DSS: AIE Invalid Internet => DMZ Comm Summary

PCI-DSS: AIE Invalid Test => Internet Comm Summary

PCI-DSS: Denied CDE => Internet Comm Summary

PCI-DSS: Denied DMZ => Internal Comm Summary

PCI-DSS: Denied Inet => Intrn Comm Summary

PCI-DSS: Denied Internet => CDE Comm Summary

PCI-DSS: Denied Internet => DMZ Comm Summary

PCI-DSS: Denied Test => Internet Comm Summary

PCI-DSS: Invalid CDE => Internet Comm Summary

PCI-DSS: Invalid DMZ => Internal Comm Summary

PCI-DSS: Invalid Inet => Intrn Comm Summary

PCI-DSS: Invalid Internet => CDE Comm Summary

PCI-DSS: Invalid Internet => DMZ Comm Summary

PCI-DSS: Invalid Test => Internet Comm Summary

PCI-DSS: Invalid Test => Internal Comm Summary

PCI-DSS: AIE Denied CDE => Internet Comm Details

PCI-DSS: AIE Denied DMZ => Internal Comm Details

PCI-DSS: AIE Denied Inet => Intrn Comm Details

PCI-DSS: AIE Denied Internet => CDE Comm Details

PCI-DSS: AIE Denied Internet => DMZ Comm Details

PCI-DSS: AIE Denied Test => Internet Comm Details

PCI-DSS: AIE Invalid CDE => Internet Comm Details

PCI-DSS: AIE Invalid DMZ => Internal Comm Details

PCI-DSS: AIE Invalid Inet => Intrn Comm Details

PCI-DSS: AIE Invalid Internet => CDE Comm Details

PCI-DSS: AIE Invalid Internet => DMZ Comm Details

PCI-DSS: AIE Invalid Test => Internet Comm Details

PCI-DSS: Denied CDE => Internet Comm Details

PCI-DSS: Denied DMZ => Internal Comm Details

PCI-DSS: Denied Inet => Intrn Comm Details

PCI-DSS: Denied Internet => CDE Comm Details

PCI-DSS: Denied Internet => DMZ Comm Details

PCI-DSS: Denied Test => Internet Comm Details

PCI-DSS: Invalid CDE => Internet Comm Details

PCI-DSS: Invalid DMZ => Internal Comm Details

PCI-DSS: Invalid Inet => Intrn Comm Details

PCI-DSS: Invalid Internet => CDE Comm Details

PCI-DSS: Invalid Internet => DMZ Comm Details

PCI-DSS: Invalid Test => Internet Comm Details

PCI-DSS: AIE Denied Wireless => CDE Comm Details

1.2.2.a: Examine router configuration files to verify they are secured from unauthorized access.

Augment

PCI-DSS: Firewall Policy Synch Information AIE Rule

PCI-DSS: Firewall Policy Synch Failure Detail

PCI-DSS: AIE Firewall Policy Synch Summary

PCI-DSS: Firewall Policy Synch Activity Summary

PCI-DSS: AIE Firewall Policy Synch Details

PCI-DSS: Firewall Policy Synch Activity Details

1.2.2.b: Examine router configurations to verify they are synchronized—for example, the running (or active) configuration matches the start-up configuration (used when machines are booted).

Augment

PCI-DSS: Firewall Policy Synch Information AIE Rule

PCI-DSS: Firewall Policy Synch Failure Detail

PCI-DSS: AIE Firewall Policy Synch Summary

PCI-DSS: Firewall Policy Synch Activity Summary

PCI-DSS: AIE Firewall Policy Synch Details

PCI-DSS: Firewall Policy Synch Activity Details

1.2.3.b: Verify that the firewalls deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment.

Augment

PCI-DSS: Denied Inet => Intrn Comm AIE Rule

PCI-DSS: Invalid Inet => Intrn Comm AIE Rule

PCI-DSS: AIE Denied Inet => Intrn Comm Detail

PCI-DSS: AIE Invalid Inet => Intrn Comm Detail

PCI-DSS: Denied Inet => Intrn Comm Detail

PCI-DSS: Internet Communication Detail

PCI-DSS: Invalid Inet => Intrn Comm Detail

PCI-DSS: Network Communication Detail

PCI-DSS: AIE Denied Inet => Intrn Comm Summary

PCI-DSS: AIE Invalid Inet => Intrn Comm Summary

PCI-DSS: Denied Inet => Intrn Comm Summary

PCI-DSS: Invalid Inet => Intrn Comm Summary

PCI-DSS: AIE Denied Inet => Intrn Comm Details

PCI-DSS: AIE Invalid Inet => Intrn Comm Details

PCI-DSS: Denied Inet => Intrn Comm Details

PCI-DSS: Invalid Inet => Intrn Comm Details

1.3.1: Examine firewall and router configurations to verify that a DMZ is implemented to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.

Augment

PCI-DSS: Denied Inet => Intrn Comm AIE Rule

PCI-DSS: Invalid Inet => Intrn Comm AIE Rule

PCI-DSS: AIE Denied Inet => Intrn Comm Detail

PCI-DSS: AIE Invalid Inet => Intrn Comm Detail

PCI-DSS: Denied Inet => Intrn Comm Detail

PCI-DSS: Internet Communication Detail

PCI-DSS: Invalid Inet => Intrn Comm Detail

PCI-DSS: Network Communication Detail

PCI-DSS: AIE Denied Inet => Intrn Comm Summary

PCI-DSS: AIE Invalid Inet => Intrn Comm Summary

PCI-DSS: Denied Inet => Intrn Comm Summary

PCI-DSS: Invalid Inet => Intrn Comm Summary

PCI-DSS: AIE Denied Inet => Intrn Comm Details

PCI-DSS: AIE Invalid Inet => Intrn Comm Details

PCI-DSS: Denied Inet => Intrn Comm Details

PCI-DSS: Invalid Inet => Intrn Comm Details

1.3.2: Examine firewall and router configurations to verify that inbound Internet traffic is limited to IP addresses within the DMZ.

Augment

PCI-DSS: Denied Inet => Intrn Comm AIE Rule

PCI-DSS: Invalid Inet => Intrn Comm AIE Rule

PCI-DSS: AIE Denied Inet => Intrn Comm Detail

PCI-DSS: AIE Invalid Inet => Intrn Comm Detail

PCI-DSS: Denied Inet => Intrn Comm Detail

PCI-DSS: Internet Communication Detail

PCI-DSS: Invalid Inet => Intrn Comm Detail

PCI-DSS: Network Communication Detail

PCI-DSS: AIE Denied Inet => Intrn Comm Summary

PCI-DSS: AIE Invalid Inet => Intrn Comm Summary

PCI-DSS: Denied Inet => Intrn Comm Summary

PCI-DSS: Invalid Inet => Intrn Comm Summary

PCI-DSS: AIE Denied Inet => Intrn Comm Details

PCI-DSS: AIE Invalid Inet => Intrn Comm Details

PCI-DSS: Denied Inet => Intrn Comm Details

PCI-DSS: Invalid Inet => Intrn Comm Details

(PCI 3.1 - 1.3.3): Examine firewall and router configurations to verify direct connections inbound or outbound are not allowed for traffic between the Internet and the cardholder data environment.

Augment

PCI-DSS: Denied CDE => Internet Comm AIE Rule

PCI-DSS: Denied DMZ => Internal Comm AIE Rule

PCI-DSS: Denied Internet => CDE Comm AIE Rule

PCI-DSS: Denied Internet => DMZ Comm AIE Rule

PCI-DSS: Invalid CDE => Internet Comm AIE Rule

PCI-DSS: Invalid DMZ => Internal Comm AIE Rule

PCI-DSS: Invalid Internet => CDE Comm AIE Rule

PCI-DSS: Invalid Internet => DMZ Comm AIE Rule

PCI-DSS: AIE Denied CDE => Internet Comm Detail

PCI-DSS: AIE Denied DMZ => Internal Comm Detail

PCI-DSS: AIE Denied Internet => CDE Comm Detail

PCI-DSS: AIE Denied Internet => DMZ Comm Detail

PCI-DSS: AIE Invalid CDE => Inet Comm Detail

PCI-DSS: AIE Invalid DMZ => Internal Comm Detail

PCI-DSS: AIE Invalid Inet => CDE Comm Detail

PCI-DSS: AIE Invalid Inet => DMZ Comm Detail

PCI-DSS: CDE Communication Detail

PCI-DSS: Denied CDE => Internet Comm Detail

PCI-DSS: Denied DMZ => Internal Comm Detail

PCI-DSS: Denied Internet => CDE Comm Detail

PCI-DSS: Denied Internet => DMZ Comm Detail

PCI-DSS: DMZ Communication Detail

PCI-DSS: Invalid CDE => Internet Comm Detail

PCI-DSS: Invalid DMZ => Internal Comm Detail

PCI-DSS: Invalid Internet => CDE Comm Detail

PCI-DSS: Invalid Internet => DMZ Comm Detail

PCI-DSS: Network Communication Detail

PCI-DSS: AIE Denied CDE => Internet Comm Summary

PCI-DSS: AIE Denied DMZ => Internal Comm Summary

PCI-DSS: AIE Denied Internet => CDE Comm Summary

PCI-DSS: AIE Denied Internet => DMZ Comm Summary

PCI-DSS: AIE Invalid CDE => Internet Comm Summary

PCI-DSS: AIE Invalid DMZ => Internal Comm Summary

PCI-DSS: AIE Invalid Internet => CDE Comm Summary

PCI-DSS: AIE Invalid Internet => DMZ Comm Summary

PCI-DSS: Denied CDE => Internet Comm Summary

PCI-DSS: Denied DMZ => Internal Comm Summary

PCI-DSS: Denied Internet => CDE Comm Summary

PCI-DSS: Denied Internet => DMZ Comm Summary

PCI-DSS: Invalid CDE => Internet Comm Summary

PCI-DSS: Invalid DMZ => Internal Comm Summary

PCI-DSS: Invalid Internet => CDE Comm Summary

PCI-DSS: Invalid Internet => DMZ Comm Summary

PCI-DSS: AIE Denied CDE => Internet Comm Details

PCI-DSS: AIE Denied DMZ => Internal Comm Details

PCI-DSS: AIE Denied Internet => CDE Comm Details

PCI-DSS: AIE Denied Internet => DMZ Comm Details

PCI-DSS: AIE Invalid CDE => Internet Comm Details

PCI-DSS: AIE Invalid DMZ => Internal Comm Details

PCI-DSS: AIE Invalid Internet => CDE Comm Details

PCI-DSS: AIE Invalid Internet => DMZ Comm Details

PCI-DSS: Denied CDE => Internet Comm Details

PCI-DSS: Denied DMZ => Internal Comm Details

PCI-DSS: Denied Internet => CDE Comm Details

PCI-DSS: Denied Internet => DMZ Comm Details

PCI-DSS: Invalid CDE => Internet Comm Details

PCI-DSS: Invalid DMZ => Internal Comm Details

PCI-DSS: Invalid Internet => CDE Comm Details

PCI-DSS: Invalid Internet => DMZ Comm Details

PCI-DSS: AIE Denied Wireless => CDE Comm Details

1.3.3 (PCI 3.1 - 1.3.4): Examine firewall and router configurations to verify that anti-spoofing measures are implemented, for example internal addresses cannot pass from the Internet into the DMZ.

Augment

PCI-DSS: Denied DMZ => Internal Comm AIE Rule

PCI-DSS: Denied Internet => DMZ Comm AIE Rule

PCI-DSS: Invalid DMZ => Internal Comm AIE Rule

PCI-DSS: Invalid Internet => DMZ Comm AIE Rule

PCI-DSS: AIE Denied DMZ => Internal Comm Detail

PCI-DSS: AIE Invalid Inet => DMZ Comm Detail

PCI-DSS: Denied CDE => Internet Comm Detail

PCI-DSS: Denied DMZ => Internal Comm Detail

PCI-DSS: Denied Internet => DMZ Comm Detail

PCI-DSS: DMZ Communication Detail

PCI-DSS: Invalid Internet => DMZ Comm Detail

PCI-DSS: Network Communication Detail

PCI-DSS: AIE Denied DMZ => Internal Comm Summary

PCI-DSS: AIE Denied Internet => DMZ Comm Summary

PCI-DSS: AIE Invalid DMZ => Internal Comm Summary

PCI-DSS: AIE Invalid Internet => DMZ Comm Summary

PCI-DSS: Denied DMZ => Internal Comm Summary

PCI-DSS: Denied Internet => DMZ Comm Summary

PCI-DSS: Invalid DMZ => Internal Comm Summary

PCI-DSS: Invalid Internet => DMZ Comm Summary

PCI-DSS: AIE Denied DMZ => Internal Comm Details

PCI-DSS: AIE Denied Internet => DMZ Comm Details

PCI-DSS: AIE Invalid DMZ => Internal Comm Details

PCI-DSS: AIE Invalid Internet => DMZ Comm Details

PCI-DSS: Denied DMZ => Internal Comm Details

PCI-DSS: Denied Internet => DMZ Comm Details

PCI-DSS: Invalid DMZ => Internal Comm Details

PCI-DSS: Invalid Internet => DMZ Comm Details

1.3.4 (PCI 3.1 - 1.3.5): Examine firewall and router configurations to verify that outbound traffic from the cardholder data environment to the Internet is explicitly authorized.

Augment

PCI-DSS: Denied CDE => Internet Comm AIE Rule

PCI-DSS: Denied Internet => CDE Comm AIE Rule

PCI-DSS: Invalid CDE => Internet Comm AIE Rule

PCI-DSS: Invalid Internet => CDE Comm AIE Rule

PCI-DSS: AIE Denied CDE => Internet Comm Detail

PCI-DSS: AIE Denied Internet => CDE Comm Detail

PCI-DSS: AIE Invalid CDE => Inet Comm Detail

PCI-DSS: AIE Invalid Inet => CDE Comm Detail

PCI-DSS: CDE Communication Detail

PCI-DSS: Denied CDE => Internet Comm Detail

PCI-DSS: Denied Internet => CDE Comm Detail

PCI-DSS: Invalid CDE => Internet Comm Detail

PCI-DSS: Invalid Internet => CDE Comm Detail

PCI-DSS: Network Communication Detail

PCI-DSS: AIE Denied CDE => Internet Comm Summary

PCI-DSS: AIE Denied Internet => CDE Comm Summary

PCI-DSS: AIE Invalid CDE => Internet Comm Summary

PCI-DSS: AIE Invalid Internet => CDE Comm Summary

PCI-DSS: Denied CDE => Internet Comm Summary

PCI-DSS: Denied Internet => CDE Comm Summary

PCI-DSS: Invalid CDE => Internet Comm Summary

PCI-DSS: Invalid Internet => CDE Comm Summary

PCI-DSS: AIE Denied CDE => Internet Comm Details

PCI-DSS: AIE Denied Internet => CDE Comm Details

PCI-DSS: AIE Invalid CDE => Internet Comm Details

PCI-DSS: AIE Invalid Internet => CDE Comm Details

PCI-DSS: Denied CDE => Internet Comm Details

PCI-DSS: Denied Internet => CDE Comm Details

PCI-DSS: Invalid CDE => Internet Comm Details

PCI-DSS: Invalid Internet => CDE Comm Details

PCI-DSS: AIE Denied Wireless => CDE Comm Details

1.4.a: Examine policies and configuration standards to verify:

- Personal firewall software or equivalent functionality is required for all portable computing devices (including company and/or employee-owned) that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the CDE.

- Specific configuration settings are defined for personal firewall (or equivalent functionality).

- Personal firewall (or equivalent functionality) is configured to actively run.

- Personal firewall (or equivalent functionality) is configured to not be alterable by users of the portable computing devices.

Augment

PCI-DSS: Host Firewall Information AIE Rule

PCI-DSS: Host Firewall Failure Detail

PCI-DSS: AIE Host Firewall Activity Summary

PCI-DSS: Host Firewall Activity Summary

PCI-DSS: AIE Host Firewall Activity Details

PCI-DSS: Host Firewall Activity Details

2.1.a: Choose a sample of system components, and attempt to log on (with system administrator help) to the devices and applications using default vendor-supplied accounts and passwords, to verify that ALL default passwords (including those on operating systems, software that provides security services, application and system accounts, POS terminals, and Simple Network Management Protocol (SNMP) community strings) have been changed. (Use vendor manuals and sources on the Internet to find vendor-supplied accounts/passwords.)

Direct

PCI-DSS: Invalid Account Usage AIE Rule

PCI-DSS: AIE Invalid Account Usage Detail

PCI-DSS: Invalid Account Usage Detail

PCI-DSS: AIE Invalid Account Usage Summary

PCI-DSS: Invalid Account Usage Summary

PCI-DSS: AIE Invalid Account Usage Details

PCI-DSS: Invalid Account Usage Details

2.1.b: For the sample of system components, verify that all unnecessary default accounts (including accounts used by operating systems, security software, applications, systems, POS terminals, SNMP, etc.) are removed or disabled.

Direct

PCI-DSS: Invalid Account Usage AIE Rule

PCI-DSS: AIE Invalid Account Usage Detail

PCI-DSS: Invalid Account Usage Detail

PCI-DSS: AIE Invalid Account Usage Summary

PCI-DSS: Invalid Account Usage Summary

PCI-DSS: AIE Invalid Account Usage Details

PCI-DSS: Invalid Account Usage Details

2.2.2.a: Select a sample of system components and inspect enabled system services, daemons, and protocols to verify that only necessary services or protocols are enabled.

Augment

PCI-DSS: Denied CDE => Internet Comm AIE Rule

PCI-DSS: Denied DMZ => Internal Comm AIE Rule

PCI-DSS: Denied Inet => Intrn Comm AIE Rule

PCI-DSS: Denied Internet => CDE Comm AIE Rule

PCI-DSS: Denied Internet => DMZ Comm AIE Rule

PCI-DSS: Denied Intrn => Inet Comm AIE Rule

PCI-DSS: Denied Intrn => Intrn Comm AIE Rule

PCI-DSS: Denied Test => Internal Comm AIE Rule

PCI-DSS: Denied Test => Internet Comm AIE Rule

PCI-DSS: Denied Wireless => CDE Comm AIE Rule

PCI-DSS: Invalid CDE => Internet Comm AIE Rule

PCI-DSS: Invalid DMZ => Internal Comm AIE Rule

PCI-DSS: Invalid Inet => Intrn Comm AIE Rule

PCI-DSS: Invalid Internet => CDE Comm AIE Rule

PCI-DSS: Invalid Internet => DMZ Comm AIE Rule

PCI-DSS: Invalid Intrn => Inet Comm AIE Rule

PCI-DSS: Invalid Intrn => Intrn Comm AIE Rule

PCI-DSS: Invalid Test => Internal Comm AIE Rule

PCI-DSS: Invalid Test => Internet Comm AIE Rule

PCI-DSS: Invalid Wireless => CDE Comm AIE Rule

PCI-DSS: AIE Denied CDE => Internet Comm Detail

PCI-DSS: AIE Denied DMZ => Internal Comm Detail

PCI-DSS: AIE Denied Inet => Intrn Comm Detail

PCI-DSS: AIE Denied Internet => CDE Comm Detail

PCI-DSS: AIE Denied Internet => DMZ Comm Detail

PCI-DSS: AIE Denied Intrn => Inet Comm Detail

PCI-DSS: AIE Denied Intrn => Intrn Comm Detail

PCI-DSS: AIE Denied Test => Inet Comm Detail

PCI-DSS: AIE Denied Test => Intern Comm Detail

PCI-DSS: AIE Denied Wireless => CDE Comm Detail

PCI-DSS: AIE Invalid CDE => Inet Comm Detail

PCI-DSS: AIE Invalid DMZ => Internal Comm Detail

PCI-DSS: AIE Invalid Inet => CDE Comm Detail

PCI-DSS: AIE Invalid Inet => DMZ Comm Detail

PCI-DSS: AIE Invalid Inet => Intrn Comm Detail

PCI-DSS: AIE Invalid Intrn => Inet Comm Detail

PCI-DSS: AIE Invalid Intrn => Intrn Comm Detail

PCI-DSS: AIE Invalid Test => Inet Comm Detail

PCI-DSS: AIE Invalid Test => Intrn Comm Detail

PCI-DSS: AIE Invalid Wless => CDE Comm Detail

PCI-DSS: Application Access Detail

PCI-DSS: CDE Communication Detail

PCI-DSS: Denied CDE => Internet Comm Detail

PCI-DSS: Denied DMZ => Internal Comm Detail

PCI-DSS: Denied Inet => Intrn Comm Detail

PCI-DSS: Denied Internet => CDE Comm Detail

PCI-DSS: Denied Internet => DMZ Comm Detail

PCI-DSS: Denied Intrn => Inet Comm Detail

PCI-DSS: Denied Intrn => Intrn Comm Detail

PCI-DSS: Denied Test => Internal Comm Detail

PCI-DSS: Denied Test => Internet Comm Detail

PCI-DSS: Denied Wireless => CDE Comm Detail

PCI-DSS: DMZ Communication Detail

PCI-DSS: Internal Communication Detail

PCI-DSS: Internet Communication Detail

PCI-DSS: Invalid CDE => Internet Comm Detail

PCI-DSS: Invalid DMZ => Internal Comm Detail

PCI-DSS: Invalid Inet => Intrn Comm Detail

PCI-DSS: Invalid Internet => CDE Comm Detail

PCI-DSS: Invalid Internet => DMZ Comm Detail

PCI-DSS: Invalid Intrn => Inet Comm Detail

PCI-DSS: Invalid Intrn => Intrn Comm Detail

PCI-DSS: Invalid Test => Internal Comm Detail

PCI-DSS: Invalid Test => Internet Comm Detail

PCI-DSS: Invalid Wireless => CDE Comm Detail

PCI-DSS: Network Communication Detail

PCI-DSS: Test Communication Detail

PCI-DSS: Wireless Communication Detail

PCI-DSS: AIE Denied CDE => Internet Comm Summary

PCI-DSS: AIE Denied DMZ => Internal Comm Summary

PCI-DSS: AIE Denied Inet => Intrn Comm Summary

PCI-DSS: AIE Denied Internet => CDE Comm Summary

PCI-DSS: AIE Denied Internet => DMZ Comm Summary

PCI-DSS: AIE Denied Intrn => Inet Comm Summary

PCI-DSS: AIE Denied Intrn => Intrn Comm Summary

PCI-DSS: AIE Denied Test => Internal Comm Summary

PCI-DSS: AIE Denied Test => Internet Comm Summary

PCI-DSS: AIE Denied Wireless => CDE Comm Summary

PCI-DSS: AIE Invalid CDE => Internet Comm Summary

PCI-DSS: AIE Invalid DMZ => Internal Comm Summary

PCI-DSS: AIE Invalid Inet => Intrn Comm Summary

PCI-DSS: AIE Invalid Internet => CDE Comm Summary

PCI-DSS: AIE Invalid Internet => DMZ Comm Summary

PCI-DSS: AIE Invalid Intrn => Inet Comm Summary

PCI-DSS: AIE Invalid Intrn => Intrn Comm Summary

PCI-DSS: AIE Invalid Test => Internal Comm Summary

PCI-DSS: AIE Invalid Test => Internet Comm Summary

PCI-DSS: AIE Invalid Wireless => CDE Comm Summary

PCI-DSS: Denied CDE => Internet Comm Summary

PCI-DSS: Denied DMZ => Internal Comm Summary

PCI-DSS: Denied Inet => Intrn Comm Summary

PCI-DSS: Denied Internet => CDE Comm Summary

PCI-DSS: Denied Internet => DMZ Comm Summary

PCI-DSS: Denied Intrn => Inet Comm Summary

PCI-DSS: Denied Intrn => Intrn Comm Summary

PCI-DSS: Denied Test => Internal Comm Summary

PCI-DSS: Denied Test => Internet Comm Summary

PCI-DSS: Denied Wireless => CDE Comm Summary

PCI-DSS: Invalid CDE => Internet Comm Summary

PCI-DSS: Invalid DMZ => Internal Comm Summary

PCI-DSS: Invalid Inet => Intrn Comm Summary

PCI-DSS: Invalid Internet => CDE Comm Summary

PCI-DSS: Invalid Internet => DMZ Comm Summary

PCI-DSS: Invalid Intrn => Inet Comm Summary

PCI-DSS: Invalid Intrn => Intrn Comm Summary

PCI-DSS: Invalid Test => Internal Comm Summary

PCI-DSS: Invalid Test => Internet Comm Summary

PCI-DSS: Invalid Wireless => CDE Comm Summary

PCI-DSS: AIE Denied CDE => Internet Comm Details

PCI-DSS: AIE Denied DMZ => Internal Comm Details

PCI-DSS: AIE Denied Inet => Intrn Comm Details

PCI-DSS: AIE Denied Internet => CDE Comm Details

PCI-DSS: AIE Denied Internet => DMZ Comm Details

PCI-DSS: AIE Denied Intrn => Inet Comm Details

PCI-DSS: AIE Denied Intrn => Intrn Comm Details

PCI-DSS: AIE Denied Test => Internal Comm Details

PCI-DSS: AIE Denied Test => Internet Comm Details

PCI-DSS: AIE Denied Wireless => CDE Comm Details

PCI-DSS: AIE Invalid CDE => Internet Comm Details

PCI-DSS: AIE Invalid DMZ => Internal Comm Details

PCI-DSS: AIE Invalid Inet => Intrn Comm Details

PCI-DSS: AIE Invalid Internet => CDE Comm Details

PCI-DSS: AIE Invalid Internet => DMZ Comm Details

PCI-DSS: AIE Invalid Intrn => Inet Comm Details

PCI-DSS: AIE Invalid Intrn => Intrn Comm Details

PCI-DSS: AIE Invalid Test => Internal Comm Details

PCI-DSS: AIE Invalid Test => Internet Comm Details

PCI-DSS: AIE Invalid Wireless => CDE Comm Details

PCI-DSS: Denied CDE => Internet Comm Details

PCI-DSS: Denied DMZ => Internal Comm Details

PCI-DSS: Denied Inet => Intrn Comm Details

PCI-DSS: Denied Internet => CDE Comm Details

PCI-DSS: Denied Internet => DMZ Comm Details

PCI-DSS: Denied Intrn => Inet Comm Details

PCI-DSS: Denied Intrn => Intrn Comm Details

PCI-DSS: Denied Test => Internal Comm Details

PCI-DSS: Denied Test => Internet Comm Details

PCI-DSS: Denied Wireless => CDE Comm Details

PCI-DSS: Invalid CDE => Internet Comm Details

PCI-DSS: Invalid DMZ => Internal Comm Details

PCI-DSS: Invalid Inet => Intrn Comm Details

PCI-DSS: Invalid Internet => CDE Comm Details

PCI-DSS: Invalid Internet => DMZ Comm Details

PCI-DSS: Invalid Intrn => Inet Comm Details

PCI-DSS: Invalid Intrn => Intrn Comm Details

PCI-DSS: Invalid Test => Internal Comm Details

PCI-DSS: Invalid Test => Internet Comm Details

PCI-DSS: Invalid Wireless => CDE Comm Details

2.2.2.b: Identify any enabled insecure services, daemons, or protocols and interview personnel to verify they are justified per documented configuration standards.

Augment

PCI-DSS: Denied CDE => Internet Comm AIE Rule

PCI-DSS: Denied DMZ => Internal Comm AIE Rule

PCI-DSS: Denied Inet => Intrn Comm AIE Rule

PCI-DSS: Denied Internet => CDE Comm AIE Rule

PCI-DSS: Denied Internet => DMZ Comm AIE Rule

PCI-DSS: Denied Intrn => Inet Comm AIE Rule

PCI-DSS: Denied Intrn => Intrn Comm AIE Rule

PCI-DSS: Denied Test => Internal Comm AIE Rule

PCI-DSS: Denied Test => Internet Comm AIE Rule

PCI-DSS: Denied Wireless => CDE Comm AIE Rule

PCI-DSS: Invalid CDE => Internet Comm AIE Rule

PCI-DSS: Invalid DMZ => Internal Comm AIE Rule

PCI-DSS: Invalid Inet => Intrn Comm AIE Rule

PCI-DSS: Invalid Internet => CDE Comm AIE Rule

PCI-DSS: Invalid Internet => DMZ Comm AIE Rule

PCI-DSS: Invalid Intrn => Inet Comm AIE Rule

PCI-DSS: Invalid Intrn => Intrn Comm AIE Rule

PCI-DSS: Invalid Test => Internal Comm AIE Rule

PCI-DSS: Invalid Test => Internet Comm AIE Rule

PCI-DSS: Invalid Wireless => CDE Comm AIE Rule

PCI-DSS: AIE Denied CDE => Internet Comm Detail

PCI-DSS: AIE Denied DMZ => Internal Comm Detail

PCI-DSS: AIE Denied Inet => Intrn Comm Detail

PCI-DSS: AIE Denied Internet => CDE Comm Detail

PCI-DSS: AIE Denied Internet => DMZ Comm Detail

PCI-DSS: AIE Denied Intrn => Inet Comm Detail

PCI-DSS: AIE Denied Intrn => Intrn Comm Detail

PCI-DSS: AIE Denied Test => Inet Comm Detail

PCI-DSS: AIE Denied Test => Intern Comm Detail

PCI-DSS: AIE Denied Wireless => CDE Comm Detail

PCI-DSS: AIE Invalid CDE => Inet Comm Detail

PCI-DSS: AIE Invalid DMZ => Internal Comm Detail

PCI-DSS: AIE Invalid Inet => CDE Comm Detail

PCI-DSS: AIE Invalid Inet => DMZ Comm Detail

PCI-DSS: AIE Invalid Inet => Intrn Comm Detail

PCI-DSS: AIE Invalid Intrn => Inet Comm Detail

PCI-DSS: AIE Invalid Intrn => Intrn Comm Detail

PCI-DSS: AIE Invalid Test => Inet Comm Detail

PCI-DSS: AIE Invalid Test => Intrn Comm Detail

PCI-DSS: AIE Invalid Wless => CDE Comm Detail

PCI-DSS: Application Access Detail

PCI-DSS: CDE Communication Detail

PCI-DSS: Denied CDE => Internet Comm Detail

PCI-DSS: Denied DMZ => Internal Comm Detail

PCI-DSS: Denied Inet => Intrn Comm Detail

PCI-DSS: Denied Internet => CDE Comm Detail

PCI-DSS: Denied Internet => DMZ Comm Detail

PCI-DSS: Denied Intrn => Inet Comm Detail

PCI-DSS: Denied Intrn => Intrn Comm Detail

PCI-DSS: Denied Test => Internal Comm Detail

PCI-DSS: Denied Test => Internet Comm Detail

PCI-DSS: Denied Wireless => CDE Comm Detail

PCI-DSS: DMZ Communication Detail

PCI-DSS: Internal Communication Detail

PCI-DSS: Internet Communication Detail

PCI-DSS: Invalid CDE => Internet Comm Detail

PCI-DSS: Invalid DMZ => Internal Comm Detail

PCI-DSS: Invalid Inet => Intrn Comm Detail

PCI-DSS: Invalid Internet => CDE Comm Detail

PCI-DSS: Invalid Internet => DMZ Comm Detail

PCI-DSS: Invalid Intrn => Inet Comm Detail

PCI-DSS: Invalid Intrn => Intrn Comm Detail

PCI-DSS: Invalid Test => Internal Comm Detail

PCI-DSS: Invalid Test => Internet Comm Detail

PCI-DSS: Invalid Wireless => CDE Comm Detail

PCI-DSS: Network Communication Detail

PCI-DSS: Test Communication Detail

PCI-DSS: Wireless Communication Detail

PCI-DSS: AIE Denied CDE => Internet Comm Summary

PCI-DSS: AIE Denied DMZ => Internal Comm Summary

PCI-DSS: AIE Denied Inet => Intrn Comm Summary

PCI-DSS: AIE Denied Internet => CDE Comm Summary

PCI-DSS: AIE Denied Internet => DMZ Comm Summary

PCI-DSS: AIE Denied Intrn => Inet Comm Summary

PCI-DSS: AIE Denied Intrn => Intrn Comm Summary

PCI-DSS: AIE Denied Test => Internal Comm Summary

PCI-DSS: AIE Denied Test => Internet Comm Summary

PCI-DSS: AIE Denied Wireless => CDE Comm Summary

PCI-DSS: AIE Invalid CDE => Internet Comm Summary

PCI-DSS: AIE Invalid DMZ => Internal Comm Summary

PCI-DSS: AIE Invalid Inet => Intrn Comm Summary

PCI-DSS: AIE Invalid Internet => CDE Comm Summary

PCI-DSS: AIE Invalid Internet => DMZ Comm Summary

PCI-DSS: AIE Invalid Intrn => Inet Comm Summary

PCI-DSS: AIE Invalid Intrn => Intrn Comm Summary

PCI-DSS: AIE Invalid Test => Internal Comm Summary

PCI-DSS: AIE Invalid Test => Internet Comm Summary

PCI-DSS: AIE Invalid Wireless => CDE Comm Summary

PCI-DSS: Denied CDE => Internet Comm Summary

PCI-DSS: Denied DMZ => Internal Comm Summary

PCI-DSS: Denied Inet => Intrn Comm Summary

PCI-DSS: Denied Internet => CDE Comm Summary

PCI-DSS: Denied Internet => DMZ Comm Summary

PCI-DSS: Denied Intrn => Inet Comm Summary

PCI-DSS: Denied Intrn => Intrn Comm Summary

PCI-DSS: Denied Test => Internal Comm Summary

PCI-DSS: Denied Test => Internet Comm Summary

PCI-DSS: Denied Wireless => CDE Comm Summary

PCI-DSS: Invalid CDE => Internet Comm Summary

PCI-DSS: Invalid DMZ => Internal Comm Summary

PCI-DSS: Invalid Inet => Intrn Comm Summary

PCI-DSS: Invalid Internet => CDE Comm Summary

PCI-DSS: Invalid Internet => DMZ Comm Summary

PCI-DSS: Invalid Intrn => Inet Comm Summary

PCI-DSS: Invalid Intrn => Intrn Comm Summary

PCI-DSS: Invalid Test => Internal Comm Summary

PCI-DSS: Invalid Test => Internet Comm Summary

PCI-DSS: Invalid Wireless => CDE Comm Summary

PCI-DSS: AIE Denied CDE => Internet Comm Details

PCI-DSS: AIE Denied DMZ => Internal Comm Details

PCI-DSS: AIE Denied Inet => Intrn Comm Details

PCI-DSS: AIE Denied Internet => CDE Comm Details

PCI-DSS: AIE Denied Internet => DMZ Comm Details

PCI-DSS: AIE Denied Intrn => Inet Comm Details

PCI-DSS: AIE Denied Intrn => Intrn Comm Details

PCI-DSS: AIE Denied Test => Internal Comm Details

PCI-DSS: AIE Denied Test => Internet Comm Details

PCI-DSS: AIE Denied Wireless => CDE Comm Details

PCI-DSS: AIE Invalid CDE => Internet Comm Details

PCI-DSS: AIE Invalid DMZ => Internal Comm Details

PCI-DSS: AIE Invalid Inet => Intrn Comm Details

PCI-DSS: AIE Invalid Internet => CDE Comm Details

PCI-DSS: AIE Invalid Internet => DMZ Comm Details

PCI-DSS: AIE Invalid Intrn => Inet Comm Details

PCI-DSS: AIE Invalid Intrn => Intrn Comm Details

PCI-DSS: AIE Invalid Test => Internal Comm Details

PCI-DSS: AIE Invalid Test => Internet Comm Details

PCI-DSS: AIE Invalid Wireless => CDE Comm Details

PCI-DSS: Denied CDE => Internet Comm Details

PCI-DSS: Denied DMZ => Internal Comm Details

PCI-DSS: Denied Inet => Intrn Comm Details

PCI-DSS: Denied Internet => CDE Comm Details

PCI-DSS: Denied Internet => DMZ Comm Details

PCI-DSS: Denied Intrn => Inet Comm Details

PCI-DSS: Denied Intrn => Intrn Comm Details

PCI-DSS: Denied Test => Internal Comm Details

PCI-DSS: Denied Test => Internet Comm Details

PCI-DSS: Denied Wireless => CDE Comm Details

PCI-DSS: Invalid CDE => Internet Comm Details

PCI-DSS: Invalid DMZ => Internal Comm Details

PCI-DSS: Invalid Inet => Intrn Comm Details

PCI-DSS: Invalid Internet => CDE Comm Details

PCI-DSS: Invalid Internet => DMZ Comm Details

PCI-DSS: Invalid Intrn => Inet Comm Details

PCI-DSS: Invalid Intrn => Intrn Comm Details

PCI-DSS: Invalid Test => Internal Comm Details

PCI-DSS: Invalid Test => Internet Comm Details

PCI-DSS: Invalid Wireless => CDE Comm Details

2.2.3.a: Inspect configuration settings to verify that security features are documented and implemented for all insecure services, daemons, or protocols.

Augment

PCI-DSS: TLS Activity

PCI-DSS: SSL Activity

PCI-DSS: TLS/SSL Activity

PCI-DSS: TLS/SSL Summary

PCI-DSS: Early TLS/SSL Version Summary

PCI-DSS: TLS/SSL Detail

PCI-DSS: Early TLS/SSL Version Detail

2.2.3.b: If SSL/early TLS is used, perform testing procedures in Appendix A2: Additional PCI DSS Requirements for Entities using SSL/Early TLS.

Augment

PCI-DSS: TLS Activity

PCI-DSS: SSL Activity

PCI-DSS: TLS/SSL Activity

PCI-DSS: TLS/SSL Summary

PCI-DSS: Early TLS/SSL Version Summary

PCI-DSS: TLS/SSL Detail

PCI-DSS: Early TLS/SSL Version Detail

2.3.b: Review services and parameter files on systems to determine that Telnet and other insecure remote-login commands are not available for non-console access.

Augment

PCI-DSS: Denied Intrn => Inet Comm AIE Rule

PCI-DSS: Denied Intrn => Intrn Comm AIE Rule

PCI-DSS: Invalid Intrn => Inet Comm AIE Rule

PCI-DSS: Invalid Intrn => Intrn Comm AIE Rule

PCI-DSS: AIE Denied Intrn => Inet Comm Detail

PCI-DSS: AIE Denied Intrn => Intrn Comm Detail

PCI-DSS: AIE Invalid Intrn => Inet Comm Detail

PCI-DSS: AIE Invalid Intrn => Intrn Comm Detail

PCI-DSS: Application Access Detail

PCI-DSS: Denied Intrn => Inet Comm Detail

PCI-DSS: Denied Intrn => Intrn Comm Detail

PCI-DSS: Internal Communication Detail

PCI-DSS: Invalid Intrn => Inet Comm Detail

PCI-DSS: Invalid Intrn => Intrn Comm Detail

PCI-DSS: AIE Denied Intrn => Inet Comm Summary

PCI-DSS: AIE Denied Intrn => Intrn Comm Summary

PCI-DSS: AIE Invalid Intrn => Inet Comm Summary

PCI-DSS: AIE Invalid Intrn => Intrn Comm Summary

PCI-DSS: Denied Intrn => Inet Comm Summary

PCI-DSS: Denied Intrn => Intrn Comm Summary

PCI-DSS: Invalid Intrn => Inet Comm Summary

PCI-DSS: Invalid Intrn => Intrn Comm Summary

PCI-DSS: Non-Encrypted Protocol Summary

PCI-DSS: AIE Denied Intrn => Inet Comm Details

PCI-DSS: AIE Denied Intrn => Intrn Comm Details

PCI-DSS: AIE Invalid Intrn => Inet Comm Details

PCI-DSS: AIE Invalid Intrn => Intrn Comm Details

PCI-DSS: Denied Intrn => Inet Comm Details

PCI-DSS: Denied Intrn => Intrn Comm Details

PCI-DSS: Invalid Intrn => Inet Comm Details

PCI-DSS: Invalid Intrn => Intrn Comm Details

PCI-DSS: Non-Encrypted Protocol Details

2.3.e: If SSL/early TLS is used, perform testing procedures in Appendix A2: Additional PCI DSS Requirements for Entities using SSL/Early TLS.

Augment

PCI-DSS: TLS Activity

PCI-DSS: SSL Activity

PCI-DSS: TLS/SSL Activity

PCI-DSS: TLS/SSL Summary

PCI-DSS: Early TLS/SSL Version Summary

PCI-DSS: TLS/SSL Detail

PCI-DSS: Early TLS/SSL Version Detail

3.6.7.a: Verify that key-management procedures specify processes to prevent unauthorized substitution of keys.

Augment

PCI-DSS: FIM Add Activity AIE Rule

PCI-DSS: FIM Delete Activity AIE Rule

PCI-DSS: FIM Group Change Activity AIE Rule

PCI-DSS: FIM Modify Activity AIE Rule

PCI-DSS: FIM Owner Change Activity AIE Rule

PCI-DSS: FIM Permission Activity AIE Rule

PCI-DSS: AIE FIM ADD/Delete/Mod Activity Detail

PCI-DSS: AIE FIM Permission Change Detail

PCI-DSS: FIM Activity Detail

PCI-DSS: FIM ADD/Delete/Mod Activity Detail

PCI-DSS: FIM Permission Change Detail

PCI-DSS: AIE FIM Activity Summary

PCI-DSS: FIM Activity Summary

PCI-DSS: AIE FIM Activity Details

PCI-DSS: FIM Activity Details

4.1.c: Select and observe a sample of inbound and outbound transmissions as they occur to verify that all cardholder data is encrypted with strong cryptography during transit.

Augment

PCI-DSS: Denied Intrn => Inet Comm AIE Rule

PCI-DSS: Denied Intrn => Intrn Comm AIE Rule

PCI-DSS: Invalid Intrn => Inet Comm AIE Rule

PCI-DSS: Invalid Intrn => Intrn Comm AIE Rule

PCI-DSS: AIE Denied Intrn => Inet Comm Detail

PCI-DSS: AIE Denied Intrn => Intrn Comm Detail

PCI-DSS: AIE Invalid Intrn => Inet Comm Detail

PCI-DSS: AIE Invalid Intrn => Intrn Comm Detail

PCI-DSS: Application Access Detail

PCI-DSS: Denied Intrn => Inet Comm Detail

PCI-DSS: Denied Intrn => Intrn Comm Detail

PCI-DSS: Internal Communication Detail

PCI-DSS: Invalid Intrn => Inet Comm Detail

PCI-DSS: Invalid Intrn => Intrn Comm Detail

PCI-DSS: AIE Denied Intrn => Inet Comm Summary

PCI-DSS: AIE Denied Intrn => Intrn Comm Summary

PCI-DSS: AIE Invalid Intrn => Inet Comm Summary

PCI-DSS: AIE Invalid Intrn => Intrn Comm Summary

PCI-DSS: Denied Intrn => Inet Comm Summary

PCI-DSS: Denied Intrn => Intrn Comm Summary

PCI-DSS: Invalid Intrn => Inet Comm Summary

PCI-DSS: Invalid Intrn => Intrn Comm Summary

PCI-DSS: Non-Encrypted Protocol Summary

PCI-DSS: AIE Denied Intrn => Inet Comm Details

PCI-DSS: AIE Denied Intrn => Intrn Comm Details

PCI-DSS: AIE Invalid Intrn => Inet Comm Details

PCI-DSS: AIE Invalid Intrn => Intrn Comm Details

PCI-DSS: Denied Intrn => Inet Comm Details

PCI-DSS: Denied Intrn => Intrn Comm Details

PCI-DSS: Invalid Intrn => Inet Comm Details

PCI-DSS: Invalid Intrn => Intrn Comm Details

PCI-DSS: Non-Encrypted Protocol Details

4.1.f: Examine system configurations to verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.)

Augment

PCI-DSS: Denied Intrn => Inet Comm AIE Rule

PCI-DSS: Denied Intrn => Intrn Comm AIE Rule

PCI-DSS: Invalid Intrn => Inet Comm AIE Rule

PCI-DSS: Invalid Intrn => Intrn Comm AIE Rule

PCI-DSS: AIE Denied Intrn => Inet Comm Detail

PCI-DSS: AIE Denied Intrn => Intrn Comm Detail

PCI-DSS: AIE Invalid Intrn => Inet Comm Detail

PCI-DSS: AIE Invalid Intrn => Intrn Comm Detail

PCI-DSS: Application Access Detail

PCI-DSS: Denied Intrn => Inet Comm Detail

PCI-DSS: Denied Intrn => Intrn Comm Detail

PCI-DSS: Internal Communication Detail

PCI-DSS: Invalid Intrn => Inet Comm Detail

PCI-DSS: Invalid Intrn => Intrn Comm Detail

PCI-DSS: AIE Denied Intrn => Inet Comm Summary

PCI-DSS: AIE Denied Intrn => Intrn Comm Summary

PCI-DSS: AIE Invalid Intrn => Inet Comm Summary

PCI-DSS: AIE Invalid Intrn => Intrn Comm Summary

PCI-DSS: Denied Intrn => Inet Comm Summary

PCI-DSS: Denied Intrn => Intrn Comm Summary

PCI-DSS: Invalid Intrn => Inet Comm Summary

PCI-DSS: Invalid Intrn => Intrn Comm Summary

PCI-DSS: Non-Encrypted Protocol Summary

PCI-DSS: AIE Denied Intrn => Inet Comm Details

PCI-DSS: AIE Denied Intrn => Intrn Comm Details

PCI-DSS: AIE Invalid Intrn => Inet Comm Details

PCI-DSS: AIE Invalid Intrn => Intrn Comm Details

PCI-DSS: Denied Intrn => Inet Comm Details

PCI-DSS: Denied Intrn => Intrn Comm Details

PCI-DSS: Invalid Intrn => Inet Comm Details

PCI-DSS: Invalid Intrn => Intrn Comm Details

PCI-DSS: Non-Encrypted Protocol Details

4.1.g: For TLS implementations, examine system configurations to verify that TLS is enabled whenever cardholder data is transmitted or received.

For example, for browser-based implementations:

- “HTTPS” appears as the browser Universal Record Locator (URL) protocol

Augment

PCI-DSS: TLS Activity

PCI-DSS: SSL Activity

PCI-DSS: TLS/SSL Activity

PCI-DSS: TLS/SSL Summary

PCI-DSS: Early TLS/SSL Version Summary

PCI-DSS: TLS/SSL Detail

PCI-DSS: Early TLS/SSL Version Detail

4.1.h: If SSL/early TLS is used, perform testing procedures in Appendix A2: Additional PCI DSS Requirements for Entities using SSL/Early TLS.

Augment

PCI-DSS: TLS Activity

PCI-DSS: SSL Activity

PCI-DSS: TLS/SSL Activity

PCI-DSS: TLS/SSL Summary

PCI-DSS: Early TLS/SSL Version Summary

PCI-DSS: TLS/SSL Detail

PCI-DSS: Early TLS/SSL Version Detail

5.1: For a sample of system components including all operating system types commonly affected by malicious software, verify that anti-virus software is deployed if applicable anti-virus technology exists.

Augment

PCI-DSS: Antivirus Information AIE Rule

PCI-DSS: Antivirus Failure Detail

PCI-DSS: AIE Antivirus Activity Summary

PCI-DSS: Antivirus Activity Summary

PCI-DSS: AIE Antivirus Activity Details

PCI-DSS: Antivirus Activity Details

5.2.b: Examine anti-virus configurations, including the master installation of the software to verify anti-virus mechanisms are:

- Configured to perform automatic updates, and

- Configured to perform periodic scans.

Augment

PCI-DSS: Antivirus Information AIE Rule

PCI-DSS: Antivirus Failure Detail

PCI-DSS: Signature Update Failure Detail

PCI-DSS: AIE Antivirus Activity Summary

PCI-DSS: Antivirus Activity Summary

PCI-DSS: Signature Update Activity Summary

PCI-DSS: AIE Antivirus Activity Details

PCI-DSS: Antivirus Activity Details

PCI-DSS: Signature Update Activity Details

5.2.c: Examine a sample of system components, including all operating system types commonly affected by malicious software, to verify that:

- The anti-virus software and definitions are current.

- Periodic scans are performed.

Augment

PCI-DSS: Antivirus Information AIE Rule

PCI-DSS: Antivirus Failure Detail

PCI-DSS: Signature Update Failure Detail

PCI-DSS: AIE Antivirus Activity Summary

PCI-DSS: Antivirus Activity Summary

PCI-DSS: Signature Update Activity Summary

PCI-DSS: AIE Antivirus Activity Details

PCI-DSS: Antivirus Activity Details

PCI-DSS: Signature Update Activity Details

5.2.d: Examine anti-virus configurations, including the master installation of the software and a sample of system components, to verify that:

- Anti-virus software log generation is enabled, and

- Logs are retained in accordance with PCI DSS Requirement 10.7.

Direct

PCI-DSS: Antivirus Information AIE Rule

PCI-DSS: Antivirus Failure Detail

PCI-DSS: Malware Detail

PCI-DSS: Signature Update Failure Detail

PCI-DSS: AIE Antivirus Activity Summary

PCI-DSS: Antivirus Activity Summary

PCI-DSS: Signature Update Activity Summary

PCI-DSS: AIE Antivirus Activity Details

PCI-DSS: Antivirus Activity Details

PCI-DSS: Signature Update Activity Details

6.2.b: For a sample of system components and related software, compare the list of security patches installed on each system to the most recent vendor security-patch list, to verify the following:

- That applicable critical vendor-supplied security patches are in

Direct

PCI-DSS: Configuration Change Rule

PCI-DSS: Policy Change Rule

PCI-DSS: Software Update Failure Detail

PCI-DSS: Signature Update Failure Inv

PCI-DSS: Patch Update Failure Inv

PCI-DSS: Configuration Change Inv

PCI-DSS: Policy Change Inv

PCI-DSS: Software Update Activity Summary

PCI-DSS: Signature Update Failure Summary

PCI-DSS: Patch Update Failure Summary

PCI-DSS: Configuration Change Summary

PCI-DSS: Policy Change Summary

PCI-DSS: Software Update Activity Details

PCI-DSS: Signature Update Failure Detail

PCI-DSS: Patch Update Failure Detail

PCI-DSS: Configuration Change Detail

PCI-DSS: Policy Change Detail

6.3.a: Examine written software-development processes to verify that the processes are based on industry standards and/or best practices.

Augment

N/A

N/A

N/A

6.3.b: Examine written software-development processes to verify that information security is included throughout the life cycle.

Augment

N/A

N/A

N/A

6.3.c: Examine written software-development processes to verify that software applications are developed in accordance with PCI DSS.

Augment

N/A

N/A

N/A

6.3.d: Interview software developers to verify that written software-development processes are implemented.

Augment

N/A

N/A

N/A

6.4.1.a: Examine network documentation and network device configurations to verify that the development/test environments are separate from the production environment(s).

Augment

PCI-DSS: Denied Test => Internal Comm AIE Rule

PCI-DSS: Denied Test => Internet Comm AIE Rule

PCI-DSS: Invalid Test => Internal Comm AIE Rule

PCI-DSS: Invalid Test => Internet Comm AIE Rule

PCI-DSS: AIE Denied Test => Inet Comm Detail

PCI-DSS: AIE Denied Test => Intern Comm Detail

PCI-DSS: AIE Invalid Test => Inet Comm Detail

PCI-DSS: AIE Invalid Test => Intrn Comm Detail

PCI-DSS: Denied Test => Internal Comm Detail

PCI-DSS: Denied Test => Internet Comm Detail

PCI-DSS: Invalid Test => Internal Comm Detail

PCI-DSS: Invalid Test => Internet Comm Detail

PCI-DSS: Test Communication Detail

PCI-DSS: AIE Denied Test => Internal Comm Summary

PCI-DSS: AIE Denied Test => Internet Comm Summary

PCI-DSS: AIE Invalid Test => Internal Comm Summary

PCI-DSS: AIE Invalid Test => Internet Comm Summary

PCI-DSS: Denied Test => Internal Comm Summary

PCI-DSS: Denied Test => Internet Comm Summary

PCI-DSS: Invalid Test => Internal Comm Summary

PCI-DSS: Invalid Test => Internet Comm Summary

PCI-DSS: AIE Denied Test => Internal Comm Details

PCI-DSS: AIE Denied Test => Internet Comm Details

PCI-DSS: AIE Invalid Test => Internal Comm Details

PCI-DSS: AIE Invalid Test => Internet Comm Details

PCI-DSS: Denied Test => Internal Comm Details

PCI-DSS: Denied Test => Internet Comm Details

PCI-DSS: Invalid Test => Internal Comm Details

PCI-DSS: Invalid Test => Internet Comm Details

6.4.1.b: Examine access controls settings to verify that access controls are in place to enforce separation between the development/test environments and the production environment(s).

Augment

PCI-DSS: Denied Test => Internal Comm AIE Rule

PCI-DSS: Denied Test => Internet Comm AIE Rule

PCI-DSS: Invalid Test => Internal Comm AIE Rule

PCI-DSS: Invalid Test => Internet Comm AIE Rule

PCI-DSS: AIE Denied Test => Inet Comm Detail

PCI-DSS: AIE Denied Test => Intern Comm Detail

PCI-DSS: AIE Invalid Test => Inet Comm Detail

PCI-DSS: AIE Invalid Test => Intrn Comm Detail

PCI-DSS: Denied Test => Internal Comm Detail

PCI-DSS: Denied Test => Internet Comm Detail

PCI-DSS: Invalid Test => Internal Comm Detail

PCI-DSS: Invalid Test => Internet Comm Detail

PCI-DSS: Test Communication Detail

PCI-DSS: AIE Denied Test => Internal Comm Summary

PCI-DSS: AIE Denied Test => Internet Comm Summary

PCI-DSS: AIE Invalid Test => Internal Comm Summary

PCI-DSS: AIE Invalid Test => Internet Comm Summary

PCI-DSS: Denied Test => Internal Comm Summary

PCI-DSS: Denied Test => Internet Comm Summary

PCI-DSS: Invalid Test => Internal Comm Summary

PCI-DSS: Invalid Test => Internet Comm Summary

PCI-DSS: AIE Denied Test => Internal Comm Details

PCI-DSS: AIE Denied Test => Internet Comm Details

PCI-DSS: AIE Invalid Test => Internal Comm Details

PCI-DSS: AIE Invalid Test => Internet Comm Details

PCI-DSS: Denied Test => Internal Comm Details

PCI-DSS: Denied Test => Internet Comm Details

PCI-DSS: Invalid Test => Internal Comm Details

PCI-DSS: Invalid Test => Internet Comm Details

6.4.2: Observe processes and interview personnel assigned to development/test environments and personnel assigned to production environments to verify that separation of duties is in place between development/test environments and the production environment.

Augment

PCI-DSS: Denied Test => Internal Comm AIE Rule

PCI-DSS: Denied Test => Internet Comm AIE Rule

PCI-DSS: Invalid Test => Internal Comm AIE Rule

PCI-DSS: Invalid Test => Internet Comm AIE Rule

PCI-DSS: AIE Denied Test => Inet Comm Detail

PCI-DSS: AIE Denied Test => Intern Comm Detail

PCI-DSS: AIE Invalid Test => Inet Comm Detail

PCI-DSS: AIE Invalid Test => Intrn Comm Detail

PCI-DSS: Denied Test => Internal Comm Detail

PCI-DSS: Denied Test => Internet Comm Detail

PCI-DSS: Invalid Test => Internal Comm Detail

PCI-DSS: Invalid Test => Internet Comm Detail

PCI-DSS: Test Communication Detail

PCI-DSS: AIE Denied Test => Internal Comm Summary

PCI-DSS: AIE Denied Test => Internet Comm Summary

PCI-DSS: AIE Invalid Test => Internal Comm Summary

PCI-DSS: AIE Invalid Test => Internet Comm Summary

PCI-DSS: Denied Test => Internal Comm Summary

PCI-DSS: Denied Test => Internet Comm Summary

PCI-DSS: Invalid Test => Internal Comm Summary

PCI-DSS: Invalid Test => Internet Comm Summary

PCI-DSS: AIE Denied Test => Internal Comm Details

PCI-DSS: AIE Denied Test => Internet Comm Details

PCI-DSS: AIE Invalid Test => Internal Comm Details

PCI-DSS: AIE Invalid Test => Internet Comm Details

PCI-DSS: Denied Test => Internal Comm Details

PCI-DSS: Denied Test => Internet Comm Details

PCI-DSS: Invalid Test => Internal Comm Details

PCI-DSS: Invalid Test => Internet Comm Details

6.4.3.a: Observe testing processes and interview personnel to verify procedures are in place to ensure production data (live PANs) are not used for testing or development.

Augment

N/A

N/A

N/A

6.4.3.b: Examine a sample of test data to verify production data (live PANs) is not used for testing or development.

Augment

N/A

N/A

N/A

6.4.4.a: Observe testing processes and interview personnel to verify test data and accounts are removed before a production system becomes active.

Augment

N/A

PCI-DSS: Test Data Activity on Prod Systems Inv

N/A

6.4.4.b: Examine a sample of data and accounts from production systems recently installed or updated to verify test data and accounts are removed before the system becomes active.

Augment

N/A

PCI-DSS: Test Data Activity on Prod Systems Inv

N/A

6.4.6: For a sample of significant changes, examine change records, interview personnel, and observe the affected systems/networks to verify that applicable PCI DSS requirements were implemented and documentation updated as part of the change.

Augment

PCI-DSS: Change Record Statistics

PCI-DSS: Change Record Statistics Inv

6.5.1: Examine software-development policies and procedures and interview responsible personnel to verify that injection flaws are addressed by coding techniques that include:

- Validating input to verify user data cannot modify meaning of commands and queries.

Augment

N/A

PCI-DSS: Vulnerability Detail

N/A

6.5.2: Examine software-development policies and procedures and interview responsible personnel to verify that buffer overflows are addressed by coding techniques that include:

- Validating buffer boundaries.

- Truncating input strings.

Augment

N/A

PCI-DSS: Vulnerability Detail

N/A

6.5.4: Examine software-development policies and procedures and interview responsible personnel to verify that insecure communications are addressed by coding techniques that properly authenticate and encrypt all sensitive communications.

Augment

N/A

PCI-DSS: Vulnerability Detail

PCI-DSS: Non-Encrypted Protocol Summary

PCI-DSS: Non-Encrypted Protocol Details

6.5.5: Examine software-development policies and procedures and interview responsible personnel to verify that improper error handling is addressed by coding techniques that do not leak information via error messages (for example, by returning generic rather than

Augment

N/A

PCI-DSS: Vulnerability Detail

PCI-DSS: Critical/Error Detail

N/A

6.5.6: Examine software-development policies and procedures and interview responsible personnel to verify that coding techniques address any “high risk” vulnerabilities that could affect the application, as identified in PCI DSS Requirement 6.1.

Augment

N/A

PCI-DSS: Vulnerability Detail

N/A

6.5.7: Examine software-development policies and procedures and interview responsible personnel to verify that cross-site scripting (XSS) is addressed by coding techniques that include

- Validating all parameters before inclusion

- Utilizing context-sensitive esc

Augment

N/A

PCI-DSS: Vulnerability Detail

N/A

A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects with

Augment

N/A

PCI-DSS: Vulnerability Detail

N/A

6.5.9: Examine software development policies and procedures and interview responsible personnel to verify that cross-site request forgery (CSRF) is addressed by coding techniques that ensure applications do not rely on authorization credentials and tokens automatically

Augment

N/A

PCI-DSS: Vulnerability Detail

N/A

6.6: For public-facing web applications, ensure that either one of the following methods is in place as follows:

-- Examine documented processes, interview personnel, and examine records of application security assessments to verify that public-facing web applications are reviewed—using either manual or automated vulnerability security assessment tools or methods—as follows:

- At least annually

- After any changes

- By an organization that specializes in application security

- That, at a minimum, all vulnerabilities in Requirement 6.5 are included in the assessment

- That all vulnerabilities are corrected

- That the application is re-evaluated after the corrections.

-- Examine the system configuration settings and interview responsible personnel to verify that an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) is in place as follows:

- Is situated in front of public-facing web applications to detect and prevent web-based attacks.

- Is actively running and up to date as applicable.

- Is generating audit logs.

- Is configured to either block web-based attacks, or generate an alert that is immediately investigated.

Augment

N/A

PCI-DSS: Vulnerability Detail

N/A

7.1.1: Select a sample of roles and verify access needs for each role are defined and include:

- System components and data resources that each role needs to access for their job function

- Identification of privilege necessary for each role to perform their job

Augment

N/A

PCI-DSS: Priv Acct Auth Detail

PCI-DSS: Application Access Detail

PCI-DSS: Priv Access Granted/Revoked Summary

PCI-DSS: Priv Authentication Activity Summary

PCI-DSS: AIE Priv Access Granted/Revoked Summary

PCI-DSS: Priv Access Granted/Revoked Details

PCI-DSS: Priv Authentication Activity Detail

PCI-DSS: AIE Priv Access Granted/Revoked Details

7.1.2.a: Interview personnel responsible for assigning access to verify that access to privileged user IDs is:

- Assigned only to roles that specifically require such privileged access

- Restricted to least privileges necessary to perform job responsibilities.

Augment

N/A

PCI-DSS: Application Access Detail

PCI-DSS: Access Granted/Revoked Activity Summary

PCI-DSS: Account Management Activity Summary

PCI-DSS: Priv Access Granted/Revoked Summary

PCI-DSS: AIE Priv Access Granted/Revoked Summary

PCI-DSS: Priv Account Management Activity Summary

PCI-DSS: Access Granted/Revoked Activity Details

PCI-DSS: Account Management Activity Details

PCI-DSS: AIE Access Granted/Revoked Details

PCI-DSS: AIE Priv Access Granted/Revoked Details

PCI-DSS: Priv Account Management Activity Details

PCI-DSS: Priv Access Granted/Revoked Details

7.1.2.b: Select a sample of user IDs with privileged access and interview responsible management personnel to verify that privileges assigned are:

- Necessary for that individual’s job function

- Restricted to least privileges necessary to perform job responsibilities.

Augment

N/A

PCI-DSS: Application Access Detail

PCI-DSS: Access Granted/Revoked Activity Summary

PCI-DSS: Account Management Activity Summary

PCI-DSS: Priv Access Granted/Revoked Summary

PCI-DSS: AIE Priv Access Granted/Revoked Summary

PCI-DSS: Priv Account Management Activity Summary

PCI-DSS: Access Granted/Revoked Activity Details

PCI-DSS: Account Management Activity Details

PCI-DSS: AIE Access Granted/Revoked Details

PCI-DSS: AIE Priv Access Granted/Revoked Details

PCI-DSS: Priv Account Management Activity Details

PCI-DSS: Priv Access Granted/Revoked Details

8.1.a: Review procedures and confirm they define processes for each of the items below at 8.1.1 through 8.1.8.

Augment

N/A

N/A

PCI-DSS: Access Granted/Revoked Activity Summary

PCI-DSS: Account Management Activity Summary

PCI-DSS: AIE Vendor Account Enabled Alert Summary

PCI-DSS: Vendor Account Management Summary

PCI-DSS: Vendor Access Granted/Revoked Summary

PCI-DSS: Database Account Management Summary

PCI-DSS: Database Access Granted/Revoked Summary

PCI-DSS: Priv Access Granted/Revoked Summary

PCI-DSS: AIE Priv Access Granted/Revoked Summary

PCI-DSS: Priv Account Management Activity Summary

PCI-DSS: Account Management Activity Details

PCI-DSS: AIE Access Granted/Revoked Details

PCI-DSS: Access Granted/Revoked Activity Details

PCI-DSS: Account Management Activity Details

PCI-DSS: Vendor Account Management Details

PCI-DSS: Vendor Access Granted/Revoked Details

PCI-DSS: Database Account Management Details

PCI-DSS: Database Access Granted/Revoked Details

PCI-DSS: Priv Account Management Activity Details

PCI-DSS: Priv Access Granted/Revoked Details

PCI-DSS: AIE Priv Access Granted/Revoked Details

8.1.1: Interview administrative personnel to confirm that all users are assigned a unique ID for access to system components or cardholder data.

Augment

N/A

N/A

PCI-DSS: Access Granted/Revoked Activity Summary

PCI-DSS: Account Management Activity Summary

PCI-DSS: AIE Vendor Account Enabled Alert Summary

PCI-DSS: Vendor Account Management Summary

PCI-DSS: Vendor Access Granted/Revoked Summary

PCI-DSS: Database Account Management Summary

PCI-DSS: Database Access Granted/Revoked Summary

PCI-DSS: Priv Access Granted/Revoked Summary

PCI-DSS: AIE Priv Access Granted/Revoked Summary

PCI-DSS: Priv Account Management Activity Summary

PCI-DSS: Account Management Activity Details

PCI-DSS: AIE Access Granted/Revoked Details

PCI-DSS: Access Granted/Revoked Activity Details

PCI-DSS: Account Management Activity Details

PCI-DSS: Vendor Account Management Details

PCI-DSS: Vendor Access Granted/Revoked Details

PCI-DSS: Database Account Management Details

PCI-DSS: Database Access Granted/Revoked Details

PCI-DSS: Priv Account Management Activity Details

PCI-DSS: Priv Access Granted/Revoked Details

PCI-DSS: AIE Priv Access Granted/Revoked Details

8.1.2: For a sample of privileged user IDs and general user IDs, examine associated authorizations and observe system settings to verify each user ID and privileged user ID has been implemented with only the privileges specified on the documented approval.

Augment

N/A

N/A

PCI-DSS: Access Granted/Revoked Activity Summary

PCI-DSS: Account Management Activity Summary

PCI-DSS: AIE Vendor Account Enabled Alert Summary

PCI-DSS: Vendor Account Management Summary

PCI-DSS: Vendor Access Granted/Revoked Summary

PCI-DSS: Database Account Management Summary

PCI-DSS: Database Access Granted/Revoked Summary

PCI-DSS: Priv Access Granted/Revoked Summary

PCI-DSS: AIE Priv Access Granted/Revoked Summary

PCI-DSS: Priv Account Management Activity Summary

PCI-DSS: Account Management Activity Details

PCI-DSS: AIE Access Granted/Revoked Details

PCI-DSS: Access Granted/Revoked Activity Details

PCI-DSS: Account Management Activity Details

PCI-DSS: Vendor Account Management Details

PCI-DSS: Vendor Access Granted/Revoked Details

PCI-DSS: Database Account Management Details

PCI-DSS: Database Access Granted/Revoked Details

PCI-DSS: Priv Account Management Activity Details

PCI-DSS: Priv Access Granted/Revoked Details

PCI-DSS: AIE Priv Access Granted/Revoked Details

8.1.3.a: Select a sample of users terminated in the past six months, and review current user access lists—for both local and remote access—to verify that their IDs have been deactivated or removed from the access lists.

Augment

PCI-DSS: Account Disabled/Locked AIE Rule

PCI-DSS: Invalid Account Usage AIE Rule

PCI-DSS: Account Termination Detail

PCI-DSS: AIE Invalid Account Usage Detail

PCI-DSS: Invalid Account Usage Detail

PCI-DSS: Account Disable/Locked Detail

PCI-DSS: AIE Account Disable/Locked Detail

PCI-DSS: Access Granted/Revoked Activity Summary

PCI-DSS: Account Management Activity Summary

PCI-DSS: AIE Invalid Account Usage Summary

PCI-DSS: Invalid Account Usage Summary

PCI-DSS: AIE Vendor Account Enabled Alert Summary

PCI-DSS: Vendor Account Management Summary

PCI-DSS: Vendor Access Granted/Revoked Summary

PCI-DSS: Database Account Management Summary

PCI-DSS: Database Access Granted/Revoked Summary

PCI-DSS: Priv Access Granted/Revoked Summary

PCI-DSS: AIE Priv Access Granted/Revoked Summary

PCI-DSS: Priv Account Management Activity Summary

PCI-DSS: Access Granted/Revoked Activity Details

PCI-DSS: AIE Access Granted/Revoked Details

PCI-DSS: Account Management Activity Details

PCI-DSS: AIE Invalid Account Usage Details

PCI-DSS: Invalid Account Usage Details

PCI-DSS: Vendor Account Management Details

PCI-DSS: Vendor Access Granted/Revoked Details

PCI-DSS: Database Account Management Details

PCI-DSS: Database Access Granted/Revoked Details

PCI-DSS: Priv Account Management Activity Details

PCI-DSS: Priv Access Granted/Revoked Details

PCI-DSS: AIE Priv Access Granted/Revoked Details

8.1.3.b: Verify all physical authentication methods—such as smart cards, tokens, etc.—have been returned or deactivated.

Augment

PCI-DSS: Physical Access Usage AIE Rule

PCI-DSS: Physical Access Failure Detail

PCI-DSS: AIE Physical Security Auth Summary

PCI-DSS: Physical Security Auth Activity Summary

PCI-DSS: AIE Physical Security Auth Details

PCI-DSS: Physical Security Auth Activity Details

8.1.4: Observe user accounts to verify that any inactive accounts over 90 days old are either removed or disabled.

Augment

PCI-DSS: Account Disabled/Locked AIE Rule

PCI-DSS: Invalid Account Usage AIE Rule

PCI-DSS: AIE Invalid Account Usage Detail

PCI-DSS: Invalid Account Usage Detail

PCI-DSS: Account Disable/Locked Detail

PCI-DSS: AIE Account Disable/Locked Detail

PCI-DSS: Access Granted/Revoked Activity Summary

PCI-DSS: Account Management Activity Summary

PCI-DSS: AIE Invalid Account Usage Summary

PCI-DSS: Invalid Account Usage Summary

PCI-DSS: AIE Vendor Account Enabled Alert Summary

PCI-DSS: Vendor Account Management Summary

PCI-DSS: Vendor Access Granted/Revoked Summary

PCI-DSS: Database Account Management Summary

PCI-DSS: Database Access Granted/Revoked Summary

PCI-DSS: Priv Access Granted/Revoked Summary

PCI-DSS: AIE Priv Access Granted/Revoked Summary

PCI-DSS: Priv Account Management Activity Summary

PCI-DSS: Access Granted/Revoked Activity Details

PCI-DSS: AIE Access Granted/Revoked Details

PCI-DSS: Account Management Activity Details

PCI-DSS: AIE Invalid Account Usage Details

PCI-DSS: Invalid Account Usage Details

PCI-DSS: Vendor Account Management Details

PCI-DSS: Vendor Access Granted/Revoked Details

PCI-DSS: Database Account Management Details

PCI-DSS: Database Access Granted/Revoked Details

PCI-DSS: Priv Account Management Activity Details

PCI-DSS: Priv Access Granted/Revoked Details

PCI-DSS: AIE Priv Access Granted/Revoked Details

8.1.5.a: Interview personnel and observe processes for managing accounts used by vendors to access, support, or maintain system components to verify that accounts used by vendors for remote access are:

- Disabled when not in use

- Enabled only when needed by the vendor

Augment

PCI-DSS: Vendor Auth Activity AIE Rule

PCI-DSS: AIE Vendor Access Detail

PCI-DSS: Vendor Access Detail

PCI-DSS: Vendor Account Enabled Detail

PCI-DSS: Vendor Authentication Detail

PCI-DSS: AIE Vendor Account Enabled Alert Summary

PCI-DSS: AIE Vendor Authentication Summary

PCI-DSS: Vendor Account Management Summary

PCI-DSS: Vendor Authentication Summary

PCI-DSS: Vendor Access Failure Summary

PCI-DSS: Vendor Access Granted/Revoked Summary

PCI-DSS: AIE Vendor Authentication Details

PCI-DSS: Vendor Account Management Details

PCI-DSS: Vendor Access Granted/Revoked Details

PCI-DSS: Vendor Authentication Details

PCI-DSS: Vendor Access Failure Detail

8.1.5.b: Interview personnel and observe processes to verify that vendor remote access accounts are monitored while being used.

Augment

PCI-DSS: Vendor Auth Activity AIE Rule

PCI-DSS: AIE Vendor Access Detail

PCI-DSS: Vendor Access Detail

PCI-DSS: Vendor Account Enabled Detail

PCI-DSS: Vendor Authentication Detail

PCI-DSS: AIE Vendor Account Enabled Alert Summary

PCI-DSS: AIE Vendor Authentication Summary

PCI-DSS: Vendor Account Management Summary

PCI-DSS: Vendor Authentication Summary

PCI-DSS: Vendor Access Granted/Revoked Summary

PCI-DSS: Vendor Access Failure Summary

PCI-DSS: AIE Access Granted/Revoked Details

PCI-DSS: AIE Vendor Authentication Details

PCI-DSS: Vendor Account Management Details

PCI-DSS: Vendor Access Granted/Revoked Details

PCI-DSS: Vendor Authentication Details

PCI-DSS: Access Granted/Revoked Activity Details

PCI-DSS: Vendor Access Failure Detail

8.1.6.a: For a sample of system components, inspect system configuration settings to verify that authentication parameters are set to require that user accounts be locked out after not more than six invalid logon attempts.

Augment

PCI-DSS: Account Disabled/Locked AIE Rule

PCI-DSS: Configuration/Policy Change Detail

PCI-DSS: Account Disable/Locked Detail

PCI-DSS: AIE Account Disable/Locked Detail

PCI-DSS: Configuration/Policy Change Summary

PCI-DSS: Access Granted/Revoked Activity Summary

PCI-DSS: Priv Access Granted/Revoked Summary

PCI-DSS: AIE Priv Access Granted/Revoked Summary

PCI-DSS: Vendor Access Granted/Revoked Summary

PCI-DSS: Database Access Granted/Revoked Summary

PCI-DSS: Access Granted/Revoked Activity Details

PCI-DSS: Configuration/Policy Change Details

PCI-DSS: AIE Access Granted/Revoked Details

PCI-DSS: Priv Access Granted/Revoked Details

PCI-DSS: AIE Priv Access Granted/Revoked Details

PCI-DSS: Vendor Access Granted/Revoked Details

PCI-DSS: Database Access Granted/Revoked Summary

8.1.6.b: Additional testing procedure for service provider assessments only: Review internal processes and customer/user documentation, and observe implemented processes to verify that non-consumer customer user accounts are temporarily locked-out after not more th

Augment

PCI-DSS: Vendor Auth Activity AIE Rule

PCI-DSS: Account Disabled/Locked AIE Rule

PCI-DSS: AIE Vendor Access Detail

PCI-DSS: Vendor Authentication Detail

PCI-DSS: Vendor Access Detail

PCI-DSS: Vendor Account Enabled Detail

PCI-DSS: Configuration/Policy Change Detail

PCI-DSS: Account Disable/Locked Detail

PCI-DSS: AIE Account Disable/Locked Detail

PCI-DSS: AIE Vendor Account Enabled Alert Summary

PCI-DSS: AIE Vendor Authentication Summary

PCI-DSS: Vendor Access Failure Summary

PCI-DSS: Vendor Account Management Summary

PCI-DSS: Vendor Authentication Summary

PCI-DSS: Configuration/Policy Change Summary

PCI-DSS: Vendor Access Granted/Revoked Activity Summary

PCI-DSS: AIE Vendor Authentication Details

PCI-DSS: Vendor Account Management Details

PCI-DSS: Vendor Access Granted/Revoked Details

PCI-DSS: Vendor Authentication Details

PCI-DSS: Vendor Access Failure Detail

PCI-DSS: Access Granted/Revoked Activity Details

PCI-DSS: AIE Access Granted/Revoked Details

PCI-DSS: Configuration/Policy Change Details

8.1.7: For a sample of system components, inspect system configuration settings to verify that password parameters are set to require that once a user account is locked out, it remains locked for a minimum of 30 minutes or until a system administrator resets the

Augment

PCI-DSS: Account Disabled/Locked AIE Rule

PCI-DSS: Account Disable/Locked Detail

PCI-DSS: AIE Account Disable/Locked Detail

PCI-DSS: Access Granted/Revoked Activity Summary

PCI-DSS: Priv Access Granted/Revoked Summary

PCI-DSS: AIE Priv Access Granted/Revoked Summary

PCI-DSS: Vendor Access Granted/Revoked Activity Summary

PCI-DSS: Database Access Granted/Revoked Summary

PCI-DSS: Access Granted/Revoked Activity Details

PCI-DSS: AIE Access Granted/Revoked Details

8.2.5.a: For a sample of system components, obtain and inspect system configuration settings to verify that password parameters are set to require that new passwords cannot be the same as the four previously used passwords.

Augment

N/A

N/A

PCI-DSS: Access Granted/Revoked Activity Summary

PCI-DSS: Account Management Activity Summary

PCI-DSS: AIE Invalid Account Usage Summary

PCI-DSS: Invalid Account Usage Summary

PCI-DSS: AIE Vendor Account Enabled Alert Summary

PCI-DSS: Vendor Account Management Summary

PCI-DSS: Vendor Access Granted/Revoked Summary

PCI-DSS: Database Account Management Summary

PCI-DSS: Database Access Granted/Revoked Summary

PCI-DSS: AIE Priv Access Granted/Revoked Summary

PCI-DSS: Priv Account Management Activity Summary

PCI-DSS: Access Granted/Revoked Activity Details

PCI-DSS: AIE Access Granted/Revoked Details

PCI-DSS: Account Management Activity Details

PCI-DSS: AIE Invalid Account Usage Details

PCI-DSS: Invalid Account Usage Details

PCI-DSS: Vendor Account Management Details

PCI-DSS: Vendor Access Granted/Revoked Details

PCI-DSS: Database Account Management Details

PCI-DSS: Database Access Granted/Revoked Details

PCI-DSS: Priv Account Management Activity Details

PCI-DSS: Priv Access Granted/Revoked Details

PCI-DSS: AIE Priv Access Granted/Revoked Details

8.2.5.b: Additional testing procedure for service provider assessments only: Review internal processes and customer/user documentation to verify that new non-consumer customer user passwords cannot be the same as the previous four passwords.

Augment

N/A

N/A

PCI-DSS: Access Granted/Revoked Activity Summary

PCI-DSS: Account Management Activity Summary

PCI-DSS: AIE Invalid Account Usage Summary

PCI-DSS: Invalid Account Usage Summary

PCI-DSS: AIE Vendor Account Enabled Alert Summary

PCI-DSS: Vendor Access Granted/Revoked Summary

PCI-DSS: Vendor Account Management Summary

PCI-DSS: Database Account Management Summary

PCI-DSS: Database Access Granted/Revoked Summary

PCI-DSS: Priv Access Granted/Revoked Summary

PCI-DSS: AIE Priv Access Granted/Revoked Summary

PCI-DSS: Priv Account Management Activity Summary

PCI-DSS: Access Granted/Revoked Activity Details

PCI-DSS: AIE Access Granted/Revoked Details

PCI-DSS: Account Management Activity Details

PCI-DSS: AIE Invalid Account Usage Details

PCI-DSS: Invalid Account Usage Details

PCI-DSS: Vendor Account Management Details

PCI-DSS: Vendor Access Granted/Revoked Details

PCI-DSS: Database Account Management Details

PCI-DSS: Database Access Granted/Revoked Details

PCI-DSS: Priv Account Management Activity Details

PCI-DSS: Priv Access Granted/Revoked Details

PCI-DSS: AIE Priv Access Granted/Revoked Details

8.3.1.b: Observe a sample of administrator personnel login to the CDE and verify that at least two of the three authentication methods are used.

Augment

PCI-DSS: Personel Login Authentication Method Event

PCI-DSS: Personel Login Authentication Method Inv
8.5.c: Interview system administrators to verify that group and shared IDs and/or passwords or other authentication methods are not distributed, even if requested.

Augment

PCI-DSS: Invalid Account Usage AIE Rule

PCI-DSS: Account Termination Detail

PCI-DSS: AIE Invalid Account Usage Detail

PCI-DSS: Invalid Account Usage Detail

PCI-DSS: Access Granted/Revoked Activity Summary

PCI-DSS: Account Management Activity Summary

PCI-DSS: AIE Invalid Account Usage Summary

PCI-DSS: Invalid Account Usage Summary

PCI-DSS: AIE Vendor Account Enabled Alert Summary

PCI-DSS: Vendor Account Management Summary

PCI-DSS: Vendor Access Granted/Revoked Summary

PCI-DSS: Database Account Management Summary

PCI-DSS: Database Access Granted/Revoked Summary

PCI-DSS: Priv Access Granted/Revoked Summary

PCI-DSS: AIE Priv Access Granted/Revoked Summary

PCI-DSS: Priv Account Management Activity Summary

PCI-DSS: Access Granted/Revoked Activity Details

PCI-DSS: AIE Access Granted/Revoked Details

PCI-DSS: Account Management Activity Details

PCI-DSS: AIE Invalid Account Usage Details

PCI-DSS: Invalid Account Usage Details

PCI-DSS: Vendor Account Management Details

PCI-DSS: Vendor Access Granted/Revoked Details

PCI-DSS: Database Account Management Details

PCI-DSS: Database Access Granted/Revoked Details

PCI-DSS: Priv Account Management Activity Details

PCI-DSS: Priv Access Granted/Revoked Details

PCI-DSS: AIE Priv Access Granted/Revoked Details

8.7.a: Review database and application configuration settings and verify that all users are authenticated prior to access.

Augment

PCI-DSS: Database Authentication AIE Rule

PCI-DSS: AIE Database Authentication Detail AIE

PCI-DSS: Database Authentication Detail

PCI-DSS: Database Access Detail

PCI-DSS: AIE Database Authentication Summary

PCI-DSS: Database Account Management Summary

PCI-DSS: Database Authentication Activity Summary

PCI-DSS: Database Access Failure Summary

PCI-DSS: Database Access Granted/Revoked Summary

PCI-DSS: AIE Database Authentication Details

PCI-DSS: Database Account Management Details

PCI-DSS: Database Authentication Activity Details

PCI-DSS: Database Access Failure Detail

PCI-DSS: Database Access Granted/Revoked Detail

8.7.c: Examine database access control settings and database application configuration settings to verify that user direct access to or queries of databases are restricted to database administrators.

Augment

PCI-DSS: Database Authentication AIE Rule

PCI-DSS: AIE Database Authentication Detail AIE

PCI-DSS: Database Authentication Detail

PCI-DSS: Database Access Detail

PCI-DSS: AIE Database Authentication Summary

PCI-DSS: Database Account Management Summary

PCI-DSS: Database Authentication Activity Summary

PCI-DSS: Database Access Failure Summary

PCI-DSS: Database Access Granted/Revoked Summary

PCI-DSS: AIE Database Authentication Details

PCI-DSS: Database Account Management Details

PCI-DSS: Database Authentication Activity Details

PCI-DSS: Database Access Granted/Revoked Detail

PCI-DSS: Database Access Failure Detail

8.7.d: Examine database access control settings, database application configuration settings, and the related application IDs to verify that application IDs can only be used by the applications (and not by individual users or other processes).

Augment

PCI-DSS: Database Authentication AIE Rule

PCI-DSS: AIE Database Authentication Detail AIE

PCI-DSS: Database Authentication Detail

PCI-DSS: Database Access Detail

PCI-DSS: AIE Database Authentication Summary

PCI-DSS: Database Account Management Summary

PCI-DSS: Database Authentication Activity Summary

PCI-DSS: Database Access Failure Summary

PCI-DSS: Database Access Granted/Revoked Summary

PCI-DSS: AIE Database Authentication Details

PCI-DSS: Database Account Management Details

PCI-DSS: Database Authentication Activity Details

PCI-DSS: Database Access Failure Detail

PCI-DSS: Database Access Granted/Revoked Detail

9.1: Verify the existence of physical security controls for each computer room, data center, and other physical areas with systems in the cardholder data environment.

- Verify that access is controlled with badge readers or other devices including authorized badges

Augment

PCI-DSS: Physical Access Usage AIE Rule

PCI-DSS: Physical Access Failure Detail

PCI-DSS: AIE Physical Security Auth Summary

PCI-DSS: Physical Security Auth Activity Summary

PCI-DSS: AIE Physical Security Auth Details

PCI-DSS: Physical Security Auth Activity Details

9.1.1.a: Verify that either video cameras or access control mechanisms (or both) are in place to monitor the entry/exit points to sensitive areas.

Augment

PCI-DSS: Physical Access Usage AIE Rule

PCI-DSS: Physical Access Failure Detail

PCI-DSS: AIE Physical Security Auth Summary

PCI-DSS: Physical Security Auth Activity Summary

PCI-DSS: AIE Physical Security Auth Details

PCI-DSS: Physical Security Auth Activity Details

9.1.2: Interview responsible personnel and observe locations of publicly accessible network jacks to verify that physical and/or logical controls are in place to restrict access to publicly accessible network jacks.

Augment

PCI-DSS: Physical Access Usage AIE Rule

PCI-DSS: Physical Access Failure Detail

PCI-DSS: AIE Physical Security Auth Summary

PCI-DSS: Physical Security Auth Activity Summary

PCI-DSS: AIE Physical Security Auth Details

PCI-DSS: Physical Security Auth Activity Details

9.3.c: Select a sample of recently terminated employees and review access control lists to verify the personnel do not have physical access to sensitive areas.

Augment

PCI-DSS: Physical Access Usage AIE Rule

PCI-DSS: Physical Access Failure Detail

PCI-DSS: AIE Physical Security Auth Summary

PCI-DSS: Physical Security Auth Activity Summary
PCI-DSS: AIE Physical Security Auth Details

PCI-DSS: Physical Security Auth Activity Details

9.7.1: Review media inventory logs to verify that logs are maintained and media inventories are performed at least annually.

Augment

PCI-DSS: Backup Information AIE Rule

PCI-DSS: Backup Failure Detail

PCI-DSS: AIE Backup Activity Summary

PCI-DSS: Backup Activity Summary

PCI-DSS: AIE Backup Activity Details

PCI-DSS: Backup Activity Details

9.9: Examine documented policies and procedures to verify they include:

- Maintaining a list of devices

- Periodically inspecting devices to look for tampering or substitution

- Training personnel to be aware of suspicious behavior and to report tampering or su

Augment

N/A

N/A

N/A

9.9.2.b: Interview responsible personnel and observe inspection processes to verify:

- Personnel are aware of procedures for inspecting devices.

- All devices are periodically inspected for evidence of tampering and substitution.

Augment

N/A

N/A

N/A

10.1: Verify, through observation and interviewing the system administrator, that:

- Audit trails are enabled and active for system components.

- Access to system components is linked to individual users.

Direct

N/A

PCI-DSS: Priv Acct Auth Detail

PCI-DSS: Priv Access Activity Details

PCI-DSS: Priv Access Granted/Revoked Summary

PCI-DSS: Priv Authentication Activity Summary

PCI-DSS: AIE Priv Access Granted/Revoked Summary

PCI-DSS: Priv Account Management Activity Summary

PCI-DSS: Priv Account Management Activity Details

PCI-DSS: AIE Priv Access Granted/Revoked Details

PCI-DSS: Priv Access Granted/Revoked Details

PCI-DSS: Priv Authentication Activity Detail

PCI-DSS: Priv Access Failure Detail

10.2: Through interviews of responsible personnel, observation of audit logs, and examination of audit log settings, perform the following:

Direct

N/A

N/A

N/A

10.2.1: All individual user accesses to cardholder data

Direct

PCI-DSS: Invalid Account Usage AIE Rule

PCI-DSS: Database Authentication AIE Rule

PCI-DSS: Vendor Auth Activity AIE Rule

PCI-DSS: Authentication Failure Detail

PCI-DSS: Access Failure Detail

PCI-DSS: Vendor Authentication Detail

PCI-DSS: Vendor Access Detail

PCI-DSS: Database Authentication Detail

PCI-DSS: Database Access Detail

PCI-DSS: Priv Acct Auth Detail

PCI-DSS: Priv Access Activity Details

PCI-DSS: Authentication Failure Summary

PCI-DSS: Access Failure Summary

PCI-DSS: Vendor Access Failure Summary

PCI-DSS: Vendor Authentication Summary

PCI-DSS: AIE Vendor Authentication Summary

PCI-DSS: AIE Invalid Account Usage Summary

PCI-DSS: Invalid Account Usage Summary

PCI-DSS: Priv Authentication Activity Summary

PCI-DSS: AIE Database Authentication Summary

PCI-DSS: Database Authentication Activity Summary

PCI-DSS: Database Access Failure Summary

PCI-DSS: Authentication Failure Detail (Do not include accounts on Priv or Vendor List or log source = DB; apply to critical environments)

PCI-DSS: Access Failure Detail (Do not include accounts on Priv or Vendor List or log source = DB; apply to critical environments)

PCI-DSS: Vendor Authentication Details

PCI-DSS: Vendor Access Failure Detail

PCI-DSS: AIE Invalid Account Usage Detail

PCI-DSS: Invalid Account Usage Detail

PCI-DSS: Priv Authentication Activity Detail

PCI-DSS: Priv Access Failure Detail

PCI-DSS: Database Authentication Activity Detail

PCI-DSS: Database Access Failure Detail

10.2.2: Verify all actions taken by any individual with root or administrative privileges are logged.

Direct

N/A

PCI-DSS: Configuration/Policy Change Detail

PCI-DSS: Priv Acct Auth Detail

PCI-DSS: Priv Access Activity Details

PCI-DSS: Access Granted/Revoked Activity Summary

PCI-DSS: Account Management Activity Summary

PCI-DSS: Configuration/Policy Change Summary

PCI-DSS: Priv Authentication Activity Summary

PCI-DSS: Priv Access Failure Summary

PCI-DSS: Priv Access Granted/Revoked Summary

PCI-DSS: AIE Priv Access Granted/Revoked Summary

PCI-DSS: Priv Account Management Activity Summary

PCI-DSS: AIE Invalid Account Usage Summary

PCI-DSS: Invalid Account Usage Summary

PCI-DSS: Access Granted/Revoked Activity Details

PCI-DSS: AIE Access Granted/Revoked Details

PCI-DSS: Account Management Activity Details

PCI-DSS: Configuration/Policy Change Details

PCI-DSS: Priv Access Granted/Revoked Detail

PCI-DSS: Priv Authentication Activity Detail

PCI-DSS: Priv Access Failure Detail

10.2.3: Verify access to all audit trails is logged.

Augment

N/A

N/A

PCI-DSS: LogRhythm Usage Auditing Summary

PCI-DSS: LogRhythm Usage Auditing by Date Details

PCI-DSS: LogRhythm Usage Auditing by User Details

10.2.4: Verify invalid logical access attempts are logged.

Direct

PCI-DSS: Invalid Account Usage AIE Rule

PCI-DSS: Database Authentication AIE Rule

PCI-DSS: Vendor Auth Activity AIE Rule

PCI-DSS: Authentication Failure Detail

PCI-DSS: Access Failure Detail

PCI-DSS: Vendor Authentication Detail

PCI-DSS: Vendor Access Detail

PCI-DSS: Database Authentication Detail

PCI-DSS: Database Access Detail

PCI-DSS: Priv Acct Auth Detail

PCI-DSS: Priv Access Activity Details

PCI-DSS: Audit Exception Detail

PCI-DSS: Authentication Failure Summary

PCI-DSS: Access Failure Summary

PCI-DSS: Vendor Access Failure Summary

PCI-DSS: Vendor Authentication Summary

PCI-DSS: AIE Vendor Authentication Summary

PCI-DSS: AIE Invalid Account Usage Summary

PCI-DSS: Invalid Account Usage Summary

PCI-DSS: Priv Authentication Activity Summary

PCI-DSS: AIE Database Authentication Summary

PCI-DSS: Database Authentication Activity Summary

PCI-DSS: Database Access Failure Summary

PCI-DSS: Authentication Failure Detail (Do not include accounts on Priv or Vendor List or log source = DB; apply to critical environments)

PCI-DSS: Access Failure Detail (Do not include accounts on Priv or Vendor List or log source = DB; apply to critical environments)

PCI-DSS: Vendor Authentication Details

PCI-DSS: Vendor Access Failure Detail

PCI-DSS: AIE Invalid Account Usage Detail

PCI-DSS: Invalid Account Usage Detail

PCI-DSS: Priv Authentication Activity Detail

PCI-DSS: Priv Access Failure Detail

PCI-DSS: Database Authentication Activity Detail

PCI-DSS: Database Access Failure Detail

10.2.5.a: Verify use of identification and authentication mechanisms is logged.

Direct

N/A

PCI-DSS: Priv Acct Auth Detail

PCI-DSS: Priv Access Activity Details

PCI-DSS: Priv Access Granted/Revoked Summary

PCI-DSS: User Priv Escalation (SU & SUDO) Summary

PCI-DSS: User Priv Escalation (Windows) Summary

PCI-DSS: Priv Authentication Activity Summary

PCI-DSS: Priv Access Failure Summary

PCI-DSS: AIE Priv Access Granted/Revoked Summary

PCI-DSS: Priv Account Management Activity Summary

PCI-DSS: Priv Access Granted/Revoked Details

PCI-DSS: Priv Authentication Activity Detail

PCI-DSS: Priv Access Failure Detail

10.2.5.b: Verify all elevation of privileges is logged.

Direct

N/A

N/A

PCI-DSS: Priv Access Granted/Revoked Summary

PCI-DSS: User Priv Escalation (SU & SUDO) Summary

PCI-DSS: User Priv Escalation (Windows) Summary

PCI-DSS: Priv Authentication Activity Summary

PCI-DSS: Priv Access Failure Summary

PCI-DSS: AIE Priv Access Granted/Revoked Summary

PCI-DSS: Priv Account Management Activity Summary

PCI-DSS: Priv Access Granted/Revoked Details

PCI-DSS: Priv Authentication Activity Detail

PCI-DSS: Priv Access Failure Detail

10.2.5.c: Verify all changes, additions, or deletions to any account with root or administrative privileges are logged.

Direct

N/A

N/A

PCI-DSS: Priv Access Granted/Revoked Summary

PCI-DSS: User Priv Escalation (SU & SUDO) Summary

PCI-DSS: User Priv Escalation (Windows) Summary

PCI-DSS: Priv Authentication Activity Summary

PCI-DSS: Priv Access Failure Summary

PCI-DSS: AIE Priv Access Granted/Revoked Summary

PCI-DSS: Priv Account Management Activity Summary

PCI-DSS: Priv Access Granted/Revoked Details

PCI-DSS: Priv Authentication Activity Detail

PCI-DSS: Priv Access Failure Detail

10.2.6: Verify the following are logged:

- Initialization of audit logs

- Stopping or pausing of audit logs.

Augment

N/A

PCI-DSS: Audit Log Detail

PCI-DSS: Audit Log Summary

PCI-DSS: Audit Log Details

10.2.7: Verify creation and deletion of system level objects are logged.

Augment

PCI-DSS: FIM Add Activity AIE Rule

PCI-DSS: FIM Delete Activity AIE Rule

PCI-DSS: AIE FIM ADD/Delete/Mod Activity Detail

PCI-DSS: AIE FIM Permission Change Detail

PCI-DSS: FIM Activity Detail

PCI-DSS: FIM ADD/Delete/Mod Activity Detail

PCI-DSS: FIM Permission Change Detail

PCI-DSS: Object Disposal Failure Detail

PCI-DSS: AIE FIM Activity Summary

PCI-DSS: FIM Activity Summary

PCI-DSS: Object Creation/Disposal Activity Summary

PCI-DSS: AIE FIM Activity Details

PCI-DSS: FIM Activity Details

PCI-DSS: Object Creation/Disposal Activity Details

10.3: Through interviews and observation of audit logs, for each auditable event (from 10.2), perform the following:

Direct

N/A

N/A

N/A

10.3.1: Verify user identification is included in log entries.

Direct

N/A

N/A

N/A

10.3.2: Verify type of event is included in log entries.

Direct

N/A

N/A

N/A

10.3.3: Verify date and time stamp is included in log entries.

Direct

N/A

N/A

N/A

10.3.4: Verify success or failure indication is included in log entries.

Direct

N/A

N/A

N/A

10.3.5: Verify origination of event is included in log entries.

Direct

N/A

N/A

N/A

10.3.6: Verify identity or name of affected data, system component, or resources is included in log entries.

Direct

N/A

N/A

N/A

10.4: Examine configuration standards and processes to verify that time-synchronization technology is implemented and kept current per PCI DSS Requirements 6.1 and 6.2.

Direct

N/A

N/A

N/A

10.4.1.a: Examine the process for acquiring, distributing and storing the correct time within the organization to verify that:

- Only the designated central time server(s) receives time signals from external sources, and time signals from external sources are based

Direct

N/A

PCI-DSS: Configuration/Policy Change Detail

PCI-DSS: Configuration/Policy Change Summary

PCI-DSS: Configuration/Policy Change Details

10.4.2.b: Examine system configurations, time synchronization settings and logs, and processes to verify that any changes to time settings on critical systems are logged, monitored, and reviewed.

Augment

N/A

N/A

PCI-DSS: Time Sync Errors Summary

10.5: Interview system administrators and examine system configurations and permissions to verify that audit trails are secured so that they cannot be altered as follows:

Direct

N/A

N/A

N/A

10.5.1: Only individuals who have a job-related need can view audit trail files.

Direct

N/A

N/A

N/A

10.5.2: Current audit trail files are protected from unauthorized modifications via access control mechanisms, physical segregation, and/or network segregation.

Direct

N/A

N/A

N/A

10.5.3: Current audit trail files are promptly backed up to a centralized log server or media that is difficult to alter.

Direct

N/A

N/A

N/A

10.5.4: Verify that logs for external-facing technologies (for example, wireless, firewalls, DNS, mail) are offloaded or copied onto a secure centralized internal log server or media.

Direct

N/A

N/A

PCI-DSS: Log Volume Summary

10.5.5: Examine system settings, monitored files, and results from monitoring activities to verify the use of file-integrity monitoring or change-detection software on logs.

Direct

PCI-DSS: FIM Modify Activity AIE Rule

PCI-DSS: FIM Activity Detail

PCI-DSS: AIE FIM Activity Summary

PCI-DSS: FIM Activity Summary

PCI-DSS: AIE FIM Activity Details

PCI-DSS: FIM Activity Details

10.6.1.a: Examine security policies and procedures to verify that procedures are defined for reviewing the following at least daily, either manually or via log tools:

- All security events

- Logs of all system components that store, process, or transmit CHD and/or S

Augment

N/A

N/A

PCI-DSS: LogRhythm Usage Auditing Summary

PCI-DSS: LogRhythm Usage Auditing by Date Details

PCI-DSS: LogRhythm Usage Auditing by User Details

10.6.1.b: Observe processes and interview personnel to verify that the following are reviewed at least daily:

- All security events

- Logs of all system components that store, process, or transmit CHD and/or SAD

- Logs of all critical system components

- Logs of all

Augment

N/A

N/A

PCI-DSS: LogRhythm Usage Auditing Summary

PCI-DSS: LogRhythm Usage Auditing by Date Details

PCI-DSS: LogRhythm Usage Auditing by User Details

10.6.2.a: Examine security policies and procedures to verify that procedures are defined for reviewing logs of all other system components periodically—either manually or via log tools— based on the organization’s policies and risk management strategy.

Augment

N/A

N/A

PCI-DSS: LogRhythm Usage Auditing Summary

PCI-DSS: LogRhythm Usage Auditing by Date Details

PCI-DSS: LogRhythm Usage Auditing by User Details

10.7.b: Interview personnel and examine audit logs to verify that audit logs are retained for at least one year.

Direct

N/A

N/A

PCI-DSS: Log Volume Summary

10.7.c: Interview personnel and observe processes to verify that at least the last three months’ logs are immediately available for analysis.

Direct

N/A

N/A

PCI-DSS: Log Volume Summary

10.8.b: Examine detection and alerting processes and interview personnel to verify that processes are implemented for all critical security controls, and that failure of a critical security control results in the generation of an alert.

Direct

PCI-DSS: Invalid Account Usage AIE Rule

PCI-DSS: Database Authentication AIE Rule

PCI-DSS: Vendor Auth Activity AIE Rule

PCI-DSS: Service Provider Failure and Critical Inv

PCI-DSS: Authentication Failure Detail

PCI-DSS: Access Failure Detail

PCI-DSS: Vendor Authentication Detail

PCI-DSS: Vendor Access Detail

PCI-DSS: Database Authentication Detail

PCI-DSS: Database Access Detail

PCI-DSS: Priv Acct Auth Detail

PCI-DSS: Priv Access Activity Details

PCI-DSS: Audit Exception Detail

PCI-DSS: Service Provider Failure and Critical Summary

PCI-DSS: Authentication Failure Summary

PCI-DSS: Access Failure Summary

PCI-DSS: Vendor Access Failure Summary

PCI-DSS: Vendor Authentication Summary

PCI-DSS: AIE Vendor Authentication Summary

PCI-DSS: AIE Invalid Account Usage Summary

PCI-DSS: Invalid Account Usage Summary

PCI-DSS: Priv Authentication Activity Summary

PCI-DSS: AIE Database Authentication Summary

PCI-DSS: Database Authentication Activity Summary

PCI-DSS: Database Access Failure Summary

PCI-DSS: Service Provider Failure and Critical Detail

PCI-DSS: Authentication Failure Detail (Do not include accounts on Priv or Vendor List or log source = DB; apply to critical environments)

PCI-DSS: Access Failure Detail (Do not include accounts on Priv or Vendor List or log source = DB; apply to critical environments)

PCI-DSS: Vendor Authentication Details

PCI-DSS: Vendor Access Failure Detail

PCI-DSS: AIE Invalid Account Usage Detail

PCI-DSS: Invalid Account Usage Detail

PCI-DSS: Priv Authentication Activity Detail

PCI-DSS: Priv Access Failure Detail

PCI-DSS: Database Authentication Activity Detail

PCI-DSS: Database Access Failure Detail

10.8.1.b: Examine records to verify that security control failures are documented to include:

- Identification of cause(s) of the failure, including root cause

- Duration (date and time start and end) of the security failure

- Details of the remediation required to address the root cause

Augment

PCI-DSS: Invalid Account Usage AIE Rule

PCI-DSS: Database Authentication AIE Rule

PCI-DSS: Vendor Auth Activity AIE Rule

PCI-DSS: Service Provider Failure and Critical Inv

PCI-DSS: Authentication Failure Detail

PCI-DSS: Access Failure Detail

PCI-DSS: Vendor Authentication Detail

PCI-DSS: Vendor Access Detail

PCI-DSS: Database Authentication Detail

PCI-DSS: Database Access Detail

PCI-DSS: Priv Acct Auth Detail

PCI-DSS: Priv Access Activity Details

PCI-DSS: Audit Exception Detail

PCI-DSS: Service Provider Failure and Critical Summary

PCI-DSS: Authentication Failure Summary

PCI-DSS: Access Failure Summary

PCI-DSS: Vendor Access Failure Summary

PCI-DSS: Vendor Authentication Summary

PCI-DSS: AIE Vendor Authentication Summary

PCI-DSS: AIE Invalid Account Usage Summary

PCI-DSS: Invalid Account Usage Summary

PCI-DSS: Priv Authentication Activity Summary

PCI-DSS: AIE Database Authentication Summary

PCI-DSS: Database Authentication Activity Summary

PCI-DSS: Database Access Failure Summary

PCI-DSS: Service Provider Failure and Critical Detail

PCI-DSS: Authentication Failure Detail (Do not include accounts on Priv or Vendor List or log source = DB; apply to critical environments)

PCI-DSS: Access Failure Detail (Do not include accounts on Priv or Vendor List or log source = DB; apply to critical environments)

PCI-DSS: Vendor Authentication Details

PCI-DSS: Vendor Access Failure Detail

PCI-DSS: AIE Invalid Account Usage Detail

PCI-DSS: Invalid Account Usage Detail

PCI-DSS: Priv Authentication Activity Detail

PCI-DSS: Priv Access Failure Detail

PCI-DSS: Database Authentication Activity Detail

PCI-DSS: Database Access Failure Detail

11.1.b: Verify that the methodology is adequate to detect and identify any unauthorized wireless access points, including at least the following:

- WLAN cards inserted into system components

- Portable or mobile devices attached to system components to create

Augment

N/A

PCI-DSS: Rogue WAP Detail

PCI-DSS: Rogue WAP Summary

PCI-DSS: Rogue WAP Detail

11.1.d: If automated monitoring is utilized (for example, wireless IDS/IPS, NAC, etc.), verify the configuration will generate alerts to notify personnel.

Augment

N/A

PCI-DSS: Rogue WAP Detail

PCI-DSS: Rogue WAP Summary

PCI-DSS: Rogue WAP Detail

11.4.a: Examine system configurations and network diagrams to verify that techniques (such as intrusion-detection systems and/or intrusion-prevention systems) are in place to monitor all traffic:

- At the perimeter of the cardholder data environment

- At critical

Augment

N/A

PCI-DSS: Malware Detail

PCI-DSS: Reconnaissance/Suspicious Detail

PCI-DSS: Security Activity Detail

PCI-DSS: Security Event Detail

PCI-DSS: Signature Update Failure Detail

PCI-DSS: Security Event by Impacted App Summary

PCI-DSS: Security Event by Impacted Host Summary

PCI-DSS: Security Event by Log Source Ent Summary

PCI-DSS: Security Event by Origin Host Summary

PCI-DSS: Signature Update Activity Summary

PCI-DSS: Top Attackers Summary

PCI-DSS: Top Suspicious Users Summary

PCI-DSS: Top Targeted Applications Summary

PCI-DSS: Top Targeted Hosts Summary

PCI-DSS: Security Event by Impacted App Details

PCI-DSS: Security Event by Impacted Host Details

PCI-DSS: Security Event by Log Source Ent Details

PCI-DSS: Security Event by Origin Host Details

PCI-DSS: Signature Update Activity Details

11.4.b: Examine system configurations and interview responsible personnel to confirm intrusion-detection and/or intrusion-prevention techniques alert personnel of suspected compromises.

Augment

N/A

PCI-DSS: Malware Detail

PCI-DSS: Reconnaissance/Suspicious Detail

PCI-DSS: Security Activity Detail

PCI-DSS: Security Event Detail

PCI-DSS: Signature Update Failure Detail

PCI-DSS: Security Event by Impacted App Summary

PCI-DSS: Security Event by Impacted Host Summary

PCI-DSS: Security Event by Log Source Ent Summary

PCI-DSS: Security Event by Origin Host Summary

PCI-DSS: Signature Update Activity Summary

PCI-DSS: Top Attackers Summary

PCI-DSS: Top Suspicious Users Summary

PCI-DSS: Top Targeted Applications Summary

PCI-DSS: Top Targeted Hosts Summary

PCI-DSS: Security Event by Impacted App Details

PCI-DSS: Security Event by Impacted Host Details

PCI-DSS: Security Event by Log Source Ent Details

PCI-DSS: Security Event by Origin Host Details

PCI-DSS: Signature Update Activity Details

11.4.c: Examine IDS/IPS configurations and vendor documentation to verify intrusion-detection and/or intrusion-prevention techniques are configured, maintained, and updated per vendor instructions to ensure optimal protection.

Augment

N/A

PCI-DSS: Malware Detail

PCI-DSS: Reconnaissance/Suspicious Detail

PCI-DSS: Security Activity Detail

PCI-DSS: Security Event Detail

PCI-DSS: Signature Update Failure Detail

PCI-DSS: Security Event by Impacted App Summary

PCI-DSS: Security Event by Impacted Host Summary

PCI-DSS: Security Event by Log Source Ent Summary

PCI-DSS: Security Event by Origin Host Summary

PCI-DSS: Signature Update Activity Summary

PCI-DSS: Top Attackers Summary

PCI-DSS: Top Suspicious Users Summary

PCI-DSS: Top Targeted Applications Summary

PCI-DSS: Top Targeted Hosts Summary

PCI-DSS: Security Event by Impacted App Details

PCI-DSS: Security Event by Impacted Host Details

PCI-DSS: Security Event by Log Source Ent Details

PCI-DSS: Security Event by Origin Host Details

PCI-DSS: Signature Update Activity Details

11.5.a: Verify the use of a change-detection mechanism by observing system settings and monitored files, as well as reviewing results from monitoring activities.

Examples of files that should be monitored:

- System executables

- Application executables

- Configuration and parameter files

- Centrally stored, historical or archived, log and audit files

- Additional critical files determined by entity (for example, through risk assessment or other means).

Direct

PCI-DSS: FIM Add Activity AIE Rule

PCI-DSS: FIM Delete Activity AIE Rule

PCI-DSS: FIM Group Change Activity AIE Rule

PCI-DSS: FIM Modify Activity AIE Rule

PCI-DSS: FIM Owner Change Activity AIE Rule

PCI-DSS: FIM Permission Activity AIE Rule

PCI-DSS: AIE FIM ADD/Delete/Mod Activity Detail

PCI-DSS: AIE FIM Permission Change Detail

PCI-DSS: FIM Activity Detail

PCI-DSS: FIM ADD/Delete/Mod Activity Detail

PCI-DSS: FIM Permission Change Detail

PCI-DSS: AIE FIM Activity Summary

PCI-DSS: FIM Activity Summary

PCI-DSS: AIE FIM Activity Details

PCI-DSS: FIM Activity Details

11.5.b: Verify the mechanism is configured to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical files, and to perform critical file comparisons at least weekly.

Direct

PCI-DSS: FIM Add Activity AIE Rule

PCI-DSS: FIM Delete Activity AIE Rule

PCI-DSS: FIM Group Change Activity AIE Rule

PCI-DSS: FIM Modify Activity AIE Rule

PCI-DSS: FIM Owner Change Activity AIE Rule

PCI-DSS: FIM Permission Activity AIE Rule

PCI-DSS: AIE FIM ADD/Delete/Mod Activity Detail

PCI-DSS: AIE FIM Permission Change Detail

PCI-DSS: FIM Activity Detail

PCI-DSS: FIM ADD/Delete/Mod Activity Detail

PCI-DSS: FIM Permission Change Detail

PCI-DSS: AIE FIM Activity Summary

PCI-DSS: FIM Activity Summary

PCI-DSS: AIE FIM Activity Details

PCI-DSS: FIM Activity Details
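Both 10.5.5 (change detection on logs) and 11.5.a/b (change detection on critical files, with comparisons at least weekly) rest on the same mechanism: baseline each monitored file, then compare and alert on additions, deletions, content modifications and permission, owner or group changes, which are exactly the event classes the FIM AIE rules listed above are split into. The example below is added here and is not LogRhythm's agent code. It implements the periodic-comparison form of FIM with SHA-256 for content and stat() for mode, owner and group; `demo()` and the file names inside it are constructed for illustration and run in a temporary directory.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def _digest(path, chunk=1 << 16):
    """SHA-256 of a file's content, streamed so large logs do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def baseline(root):
    """Snapshot every regular file under root: content hash, mode, owner, group.

    Symlinks are skipped so a link pointing at an unmonitored file cannot
    masquerade as a monitored one.
    """
    root = Path(root)
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.stat()
        snap[p.relative_to(root).as_posix()] = {
            "sha256": _digest(p),
            "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid,
            "gid": st.st_gid,
        }
    return snap


def compare(old, new):
    """Classify differences between two snapshots into FIM event types."""
    events = []
    for name in sorted(set(old) | set(new)):
        if name not in old:
            events.append({"event": "add", "path": name, "detail": new[name]["sha256"][:12]})
        elif name not in new:
            events.append({"event": "delete", "path": name, "detail": ""})
        else:
            a, b = old[name], new[name]
            if a["sha256"] != b["sha256"]:
                events.append({"event": "modify", "path": name,
                               "detail": f"{a['sha256'][:12]} -> {b['sha256'][:12]}"})
            if a["mode"] != b["mode"]:
                events.append({"event": "permission", "path": name,
                               "detail": f"{a['mode']:04o} -> {b['mode']:04o}"})
            if a["uid"] != b["uid"]:
                events.append({"event": "owner", "path": name, "detail": f"{a['uid']} -> {b['uid']}"})
            if a["gid"] != b["gid"]:
                events.append({"event": "group", "path": name, "detail": f"{a['gid']} -> {b['gid']}"})
    return events


def demo():
    """Worked run over a constructed tree; returns the events the comparison raises."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"#!/bin/sh\necho ok\n")
        os.chmod(root / "bin" / "app", 0o755)
        (root / "app.conf").write_text("debug=0\n")
        (root / "audit.log").write_text("2023-04-01T12:00:05Z user=jsmith event=logon\n")
        before = baseline(root)
        # Changes a FIM rule should surface (constructed, not a real incident).
        (root / "app.conf").write_text("debug=1\n")         # modify
        os.chmod(root / "bin" / "app", 0o777)                 # permission change
        (root / "audit.log").unlink()                         # delete (a log!)
        (root / "bin" / "dropper").write_bytes(b"\x7fELF")    # add
        after = baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for e in demo():
        print(f"{e['event']:<10} {e['path']:<14} {e['detail']}")
```

Two practitioner caveats. First, the baseline must live where the monitored host cannot rewrite it (the same point 10.5.2 and 10.5.3 make about the logs themselves); a baseline stored beside the files lets whoever tampered with the logs re-baseline afterwards. Second, a weekly comparison satisfies 11.5.b but gives an attacker up to a week of silence, so for the log directories in 10.5.5 pair it with real-time notification from the host agent.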

12.3.8.b: Examine configurations for remote access technologies to verify that remote access sessions will be automatically disconnected after a specific period of inactivity.

Augment

PCI-DSS: Remote Session Timeout AIE Rule

N/A

PCI-DSS: AIE Remote Session Timeout Summary

PCI-DSS: Remote Session Timeout Activity Summary

PCI-DSS: AIE Remote Session Timeout Details

PCI-DSS: Remote Session Timeout Activity Details

12.3.9: Verify that the usage policies require activation of remote-access technologies used by vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use.

Augment

PCI-DSS: Vendor Auth Activity AIE Rule

PCI-DSS: Vendor Access Detail

PCI-DSS: Vendor Authentication Detail

PCI-DSS: Vendor Account Enabled Detail

PCI-DSS: AIE Vendor Account Enabled Alert Summary

PCI-DSS: AIE Vendor Authentication Summary

PCI-DSS: Vendor Account Management Summary

PCI-DSS: Vendor Authentication Summary

PCI-DSS: Vendor Access Failure Summary

PCI-DSS: Vendor Access Granted/Revoked Summary

PCI-DSS: AIE Vendor Authentication Details

PCI-DSS: Vendor Account Management Details

PCI-DSS: Vendor Access Granted/Revoked Details

PCI-DSS: Vendor Authentication Details

PCI-DSS: Vendor Account Management Details

PCI-DSS: Vendor Access Failure Detail

12.10.5: Verify through observation and review of processes that monitoring and responding to alerts from security monitoring systems are covered in the incident response plan.

Augment

PCI-DSS: Backup Information AIE Rule

PCI-DSS: FIM Information AIE Rule

PCI-DSS: Backup Failure Detail

PCI-DSS: FIM Failure Detail

PCI-DSS: Malware Detail

PCI-DSS: Operations Exception Detail

PCI-DSS: Rogue WAP Detail

PCI-DSS: Security Activity Detail

PCI-DSS: Security Event Detail

PCI-DSS: Vulnerability Detail

PCI-DSS: AIE Backup Activity Summary

PCI-DSS: AIE FIM Critical/Error/Info Summary

PCI-DSS: Backup Activity Summary

PCI-DSS: FIM Critical/Error/Information Summary

PCI-DSS: Rogue WAP Summary

PCI-DSS: Security Event by Impacted App Summary

PCI-DSS: Security Event by Impacted Host Summary

PCI-DSS: Security Event by Log Source Ent Summary

PCI-DSS: Security Event by Origin Host Summary

PCI-DSS: Top Attackers Summary

PCI-DSS: Top Suspicious Users Summary

PCI-DSS: Top Targeted Applications Summary

PCI-DSS: Top Targeted Hosts Summary

PCI-DSS: AIE Backup Activity Details

PCI-DSS: FIM Activity Details

PCI-DSS: AIE FIM Critical/Error/Info Details

PCI-DSS: Backup Activity Details

PCI-DSS: FIM Critical/Error/Information Details

PCI-DSS: LogRhythm Alarm And Response Details

PCI-DSS: Rogue WAP Detail

PCI-DSS: Security Event by Impacted App Details

PCI-DSS: Security Event by Impacted Host Details

PCI-DSS: Security Event by Log Source Ent Details

PCI-DSS: Security Event by Origin Host Details

12.11.a: Examine policies and procedures to verify that processes are defined for reviewing and confirming that personnel are following security policies and operational procedures, and that reviews cover:

- Daily log reviews

- Firewall rule-set reviews

- Applying configuration standards to new systems

- Responding to security alerts

- Change management processes

Augment

PCI-DSS: Configuration Change Rule

PCI-DSS: Policy Change Rule

PCI-DSS: Software Update Failure Detail

PCI-DSS: Signature Update Failure Inv

PCI-DSS: Patch Update Failure Inv

PCI-DSS: Configuration Change Inv

PCI-DSS: Policy Change Inv

PCI-DSS: Software Update Activity Summary

PCI-DSS: Signature Update Failure Summary

PCI-DSS: Patch Update Failure Summary

PCI-DSS: Configuration Change Summary

PCI-DSS: Policy Change Summary

PCI-DSS: Software Update Activity Details

PCI-DSS: Signature Update Failure Detail

PCI-DSS: Patch Update Failure Detail

PCI-DSS: Configuration Change Detail

PCI-DSS: Policy Change Detail

A1.1: If a shared hosting provider allows entities (for example, merchants or service providers) to run their own applications, verify these application processes run using the unique ID of the entity. For example:

- No entity on the system can use a shared web server user ID.

- All CGI scripts used by an entity must be created and run as the entity’s unique user ID.

Augment

PCI-DSS: Invalid Account Usage AIE Rule

PCI-DSS: Database Authentication AIE Rule

PCI-DSS: Vendor Auth Activity AIE Rule

PCI-DSS: Authentication Failure Detail

PCI-DSS: Access Failure Detail

PCI-DSS: Vendor Authentication Detail

PCI-DSS: Vendor Access Detail

PCI-DSS: Database Authentication Detail

PCI-DSS: Database Access Detail

PCI-DSS: Priv Acct Auth Detail

PCI-DSS: Priv Access Activity Details

PCI-DSS: Audit Exception Detail

PCI-DSS: Authentication Failure Summary

PCI-DSS: Access Failure Summary

PCI-DSS: Vendor Access Failure Summary

PCI-DSS: Vendor Authentication Summary

PCI-DSS: AIE Vendor Authentication Summary

PCI-DSS: AIE Invalid Account Usage Summary

PCI-DSS: Invalid Account Usage Summary

PCI-DSS: Priv Authentication Activity Summary

PCI-DSS: AIE Database Authentication Summary

PCI-DSS: Database Authentication Activity Summary

PCI-DSS: Database Access Failure Summary

PCI-DSS: Authentication Failure Detail (Do not include accounts on Priv or Vendor List or log source = DB; apply to critical environments)

PCI-DSS: Access Failure Detail (Do not include accounts on Priv or Vendor List or log source = DB; apply to critical environments)

PCI-DSS: Vendor Authentication Details

PCI-DSS: Vendor Access Failure Detail

PCI-DSS: AIE Invalid Account Usage Detail

PCI-DSS: Invalid Account Usage Detail

PCI-DSS: Priv Authentication Activity Detail

PCI-DSS: Priv Access Failure Detail

PCI-DSS: Database Authentication Activity Detail

PCI-DSS: Database Access Failure Detail

A1.2.b: Verify each entity (merchant, service provider) has read, write, or execute permissions only for files and directories it owns or for necessary system files (restricted via file system permissions, access control lists, chroot, jailshell, etc.) Important: An entity’s files may not be shared by group.

Augment

PCI-DSS: FIM Add Activity AIE Rule

PCI-DSS: FIM Delete Activity AIE Rule

PCI-DSS: FIM Group Change Activity AIE Rule

PCI-DSS: FIM Modify Activity AIE Rule

PCI-DSS: FIM Owner Change Activity AIE Rule

PCI-DSS: FIM Permission Activity AIE Rule

PCI-DSS: AIE FIM ADD/Delete/Mod Activity Detail

PCI-DSS: AIE FIM Permission Change Detail

PCI-DSS: FIM Activity Detail

PCI-DSS: FIM ADD/Delete/Mod Activity Detail

PCI-DSS: FIM Permission Change Detail

PCI-DSS: AIE FIM Activity Summary

PCI-DSS: FIM Activity Summary

PCI-DSS: AIE FIM Activity Details

PCI-DSS: FIM Activity Details

A1.2.c: Verify that an entity’s users do not have write access to shared system binaries.

Augment

PCI-DSS: FIM Add Activity AIE Rule

PCI-DSS: FIM Delete Activity AIE Rule

PCI-DSS: FIM Group Change Activity AIE Rule

PCI-DSS: FIM Modify Activity AIE Rule

PCI-DSS: FIM Owner Change Activity AIE Rule

PCI-DSS: FIM Permission Activity AIE Rule

PCI-DSS: AIE FIM ADD/Delete/Mod Activity Detail

PCI-DSS: AIE FIM Permission Change Detail

PCI-DSS: FIM Activity Detail

PCI-DSS: FIM ADD/Delete/Mod Activity Detail

PCI-DSS: FIM Permission Change Detail

PCI-DSS: AIE FIM Activity Summary

PCI-DSS: FIM Activity Summary

PCI-DSS: AIE FIM Activity Details

PCI-DSS: FIM Activity Details

A1.3: Verify the shared hosting provider has enabled logging as follows, for each merchant and service provider environment:

- Logs are enabled for common third-party applications.

- Logs are active by default.

- Logs are available for review by the owning entity.

- Log locations are clearly communicated to the owning entity.

Augment

PCI-DSS: Invalid Account Usage AIE Rule

PCI-DSS: Database Authentication AIE Rule

PCI-DSS: Vendor Auth Activity AIE Rule

PCI-DSS: Service Provider Failure and Critical Inv

PCI-DSS: Authentication Failure Detail

PCI-DSS: Access Failure Detail

PCI-DSS: Vendor Authentication Detail

PCI-DSS: Vendor Access Detail

PCI-DSS: Database Authentication Detail

PCI-DSS: Database Access Detail

PCI-DSS: Priv Acct Auth Detail

PCI-DSS: Priv Access Activity Details

PCI-DSS: Audit Exception Detail

PCI-DSS: Service Provider Failure and Critical Summary

PCI-DSS: Authentication Failure Summary

PCI-DSS: Access Failure Summary

PCI-DSS: Vendor Access Failure Summary

PCI-DSS: Vendor Authentication Summary

PCI-DSS: AIE Vendor Authentication Summary

PCI-DSS: AIE Invalid Account Usage Summary

PCI-DSS: Invalid Account Usage Summary

PCI-DSS: Priv Authentication Activity Summary

PCI-DSS: AIE Database Authentication Summary

PCI-DSS: Database Authentication Activity Summary

PCI-DSS: Database Access Failure Summary

PCI-DSS: Service Provider Failure and Critical Detail

PCI-DSS: Authentication Failure Detail (Do not include accounts on Priv or Vendor List or log source = DB; apply to critical environments)

PCI-DSS: Access Failure Detail (Do not include accounts on Priv or Vendor List or log source = DB; apply to critical environments)

PCI-DSS: Vendor Authentication Details

PCI-DSS: Vendor Access Failure Detail

PCI-DSS: AIE Invalid Account Usage Detail

PCI-DSS: Invalid Account Usage Detail

PCI-DSS: Priv Authentication Activity Detail

PCI-DSS: Priv Access Failure Detail

PCI-DSS: Database Authentication Activity Detail

PCI-DSS: Database Access Failure Detail

A2.1: For POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS:

- Confirm the entity has documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies the devices are not susceptible to any known exploits for SSL/early TLS.

Or:

- Complete A2.2 below.

Augment

PCI-DSS: TLS Activity

PCI-DSS: SSL Activity

PCI-DSS: TLS/SSL Activity

PCI-DSS: TLS/SSL Summary

PCI-DSS: Early TLS/SSL Version Summary

PCI-DSS: TLS/SSL Detail

PCI-DSS: Early TLS/SSL Version Detail

A2.2: Review the documented Risk Mitigation and Migration Plan to verify it includes:

- Description of usage, including what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, type of environment;

- Risk-assessment results and risk-reduction controls in place;

- Description of processes to monitor for new vulnerabilities associated with SSL/early TLS;

- Description of change control processes that are implemented to ensure SSL/early TLS is not implemented into new environments;

- Overview of migration project plan including target migration completion date no later than June 30, 2018.

Augment

PCI-DSS: TLS Activity

PCI-DSS: SSL Activity

PCI-DSS: TLS/SSL Activity

PCI-DSS: TLS/SSL Summary

PCI-DSS: Early TLS/SSL Version Summary

PCI-DSS: TLS/SSL Detail

PCI-DSS: Early TLS/SSL Version Detail

A2.3: Examine system configurations and supporting documentation to verify the service provider offers a secure protocol option for their service.

Augment

PCI-DSS: TLS Activity

PCI-DSS: SSL Activity

PCI-DSS: TLS/SSL Activity

PCI-DSS: TLS/SSL Summary

PCI-DSS: Early TLS/SSL Version Summary

PCI-DSS: Non-Encrypted Protocol Summary

PCI-DSS: TLS/SSL Detail

PCI-DSS: Early TLS/SSL Version Detail

PCI-DSS: Non-Encrypted Protocol Details
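A2.1 through A2.3 all come down to knowing which protocol version each connection actually negotiates, which is what the Early TLS/SSL Version reports above summarise. The parser below is an added example, not LogRhythm's report logic and not a capture from a real POS terminal: it reads a raw TLS ServerHello record, extracts the negotiated version (honouring the supported_versions extension, since a TLS 1.3 server still writes 0x0303 in the legacy version field), and flags SSL 3.0 and TLS 1.0 as SSL/early TLS per the PCI SSC definition. `build_server_hello` produces constructed records for testing.

```python
import struct

VERSION_NAMES = {
    0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
    0x0303: "TLS 1.2", 0x0304: "TLS 1.3",
}
# PCI SSC "SSL/early TLS": every SSL version plus TLS 1.0. SSLv2 uses a
# different record format and is rejected by the record-type check below, so
# only SSL 3.0 and TLS 1.0 can reach this set. Add 0x0302 to treat TLS 1.1 as
# out of policy too (stricter than the letter of A2).
EARLY = {0x0300, 0x0301}
SUPPORTED_VERSIONS_EXT = 0x002B


def negotiated_version(record):
    """Return (version_name, is_ssl_or_early_tls) from a raw TLS ServerHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                 # legacy_version, random
    pos += 1 + body[pos]         # session_id
    pos += 2 + 1                 # cipher_suite, compression_method
    if pos + 2 <= len(body):     # extensions are optional
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            if etype == SUPPORTED_VERSIONS_EXT and elen == 2:
                version = struct.unpack("!H", body[pos + 4:pos + 6])[0]
            pos += 4 + elen
    name = VERSION_NAMES.get(version, f"unknown(0x{version:04x})")
    return name, version in EARLY


def build_server_hello(version, selected=None):
    """Constructed ServerHello record (test fixture, not real server output).

    `selected` fills a supported_versions extension, as a TLS 1.3 server does.
    """
    ext = b""
    if selected is not None:
        ext = struct.pack("!HHH", SUPPORTED_VERSIONS_EXT, 2, selected)
    body = (struct.pack("!H", version) + b"\x00" * 32   # legacy_version, random
            + b"\x00"                                    # empty session_id
            + b"\x00\x2f"                                # TLS_RSA_WITH_AES_128_CBC_SHA
            + b"\x00"                                    # no compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    rec_version = min(version, 0x0303)                   # record layer never says 1.3
    return b"\x16" + struct.pack("!H", rec_version) + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for v, sel in [(0x0300, None), (0x0301, None), (0x0303, None), (0x0303, 0x0304)]:
        name, early = negotiated_version(build_server_hello(v, sel))
        print(f"{name:<8} early={early}")
```

The ServerHello is the right message to key on: the ClientHello only advertises what a terminal is willing to speak, while the ServerHello records what was actually chosen, and that chosen version is the evidence A2.1 asks an entity to document or migrate away from.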

A3.1.1.c: Examine executive management and board of directors meeting minutes and/or presentations to ensure PCI DSS compliance initiatives and remediation activities are communicated at least annually.

Augment

Report Packages
A3.2.2.1: For a sample of systems and network changes, examine change records, interview personnel and observe the affected systems/networks to verify that applicable PCI DSS requirements were implemented and documentation updated as part of the change.

Augment

Use of Case Management for storing samples

General strategy applied to the following controls:

- 6.4.3

- 6.4.4

- 6.4.6

- 8.3.1.b
A3.2.5.b: Examine results from recent data discovery efforts, and interview responsible personnel to verify that data discovery is performed at least quarterly and upon significant changes to the cardholder environment or processes.

Augment

PCI-DSS: Configuration Change Rule

PCI-DSS: Policy Change Rule

PCI-DSS: FIM Add Activity AIE Rule

PCI-DSS: FIM Delete Activity AIE Rule

PCI-DSS: FIM Group Change Activity AIE Rule

PCI-DSS: FIM Modify Activity AIE Rule

PCI-DSS: FIM Owner Change Activity AIE Rule

PCI-DSS: FIM Permission Activity AIE Rule

PCI-DSS: Software Update Failure Detail

PCI-DSS: Signature Update Failure Inv

PCI-DSS: Patch Update Failure Inv

PCI-DSS: Configuration Change Inv

PCI-DSS: Policy Change Inv

PCI-DSS: AIE FIM ADD/Delete/Mod Activity Detail

PCI-DSS: AIE FIM Permission Change Detail

PCI-DSS: FIM Activity Detail

PCI-DSS: FIM ADD/Delete/Mod Activity Detail

PCI-DSS: FIM Permission Change Detail

PCI-DSS: Software Update Activity Summary

PCI-DSS: Signature Update Failure Summary

PCI-DSS: Patch Update Failure Summary

PCI-DSS: Configuration Change Summary

PCI-DSS: Policy Change Summary

PCI-DSS: AIE FIM Activity Summary

PCI-DSS: FIM Activity Summary

PCI-DSS: Software Update Activity Details

PCI-DSS: Signature Update Failure Detail

PCI-DSS: Patch Update Failure Detail

PCI-DSS: Configuration Change Detail

PCI-DSS: Policy Change Detail

PCI-DSS: AIE FIM Activity Details

PCI-DSS: FIM Activity Details

A3.2.6.b: Examine audit logs and alerts, and interview responsible personnel to verify that alerts are investigated.

Augment

Case Management

N/A

N/A

N/A

A3.3.1.a: Examine documented policies and procedures to verify that processes are defined to immediately detect and alert on critical security control failures.

Augment

PCI-DSS: Invalid Account Usage AIE Rule

PCI-DSS: Database Authentication AIE Rule

PCI-DSS: Vendor Auth Activity AIE Rule

PCI-DSS: Service Provider Failure and Critical Inv

PCI-DSS: Authentication Failure Detail

PCI-DSS: Access Failure Detail

PCI-DSS: Vendor Authentication Detail

PCI-DSS: Vendor Access Detail

PCI-DSS: Database Authentication Detail

PCI-DSS: Database Access Detail

PCI-DSS: Priv Acct Auth Detail

PCI-DSS: Priv Access Activity Details

PCI-DSS: Audit Exception Detail

PCI-DSS: Service Provider Failure and Critical Summary

PCI-DSS: Authentication Failure Summary

PCI-DSS: Access Failure Summary

PCI-DSS: Vendor Access Failure Summary

PCI-DSS: Vendor Authentication Summary

PCI-DSS: AIE Vendor Authentication Summary

PCI-DSS: AIE Invalid Account Usage Summary

PCI-DSS: Invalid Account Usage Summary

PCI-DSS: Priv Authentication Activity Summary

PCI-DSS: AIE Database Authentication Summary

PCI-DSS: Database Authentication Activity Summary

PCI-DSS: Database Access Failure Summary

PCI-DSS: Service Provider Failure and Critical Detail

PCI-DSS: Authentication Failure Detail (Do not include accounts on Priv or Vendor List or log source = DB; apply to critical environments)

PCI-DSS: Access Failure Detail (Do not include accounts on Priv or Vendor List or log source = DB; apply to critical environments)

PCI-DSS: Vendor Authentication Details

PCI-DSS: Vendor Access Failure Detail

PCI-DSS: AIE Invalid Account Usage Detail

PCI-DSS: Invalid Account Usage Detail

PCI-DSS: Priv Authentication Activity Detail

PCI-DSS: Priv Access Failure Detail

PCI-DSS: Database Authentication Activity Detail

PCI-DSS: Database Access Failure Detail

A3.3.1.b: Examine detection and alerting processes and interview personnel to verify that processes are implemented for all critical security controls, and that failure of a critical security control results in the generation of an alert.

Relates to 10.8

Direct

PCI-DSS: Invalid Account Usage AIE Rule

PCI-DSS: Database Authentication AIE Rule

PCI-DSS: Vendor Auth Activity AIE Rule

PCI-DSS: Service Provider Failure and Critical Inv

PCI-DSS: Authentication Failure Detail

PCI-DSS: Access Failure Detail

PCI-DSS: Vendor Authentication Detail

PCI-DSS: Vendor Access Detail

PCI-DSS: Database Authentication Detail

PCI-DSS: Database Access Detail

PCI-DSS: Priv Acct Auth Detail

PCI-DSS: Priv Access Activity Details

PCI-DSS: Audit Exception Detail

PCI-DSS: Service Provider Failure and Critical Summary

PCI-DSS: Authentication Failure Summary

PCI-DSS: Access Failure Summary

PCI-DSS: Vendor Access Failure Summary

PCI-DSS: Vendor Authentication Summary

PCI-DSS: AIE Vendor Authentication Summary

PCI-DSS: AIE Invalid Account Usage Summary

PCI-DSS: Invalid Account Usage Summary

PCI-DSS: Priv Authentication Activity Summary

PCI-DSS: AIE Database Authentication Summary

PCI-DSS: Database Authentication Activity Summary

PCI-DSS: Database Access Failure Summary

PCI-DSS: Service Provider Failure and Critical Detail

PCI-DSS: Authentication Failure Detail (Do not include accounts on Priv or Vendor List or log source = DB; apply to critical environments)

PCI-DSS: Access Failure Detail (Do not include accounts on Priv or Vendor List or log source = DB; apply to critical environments)

PCI-DSS: Vendor Authentication Details

PCI-DSS: Vendor Access Failure Detail

PCI-DSS: AIE Invalid Account Usage Detail

PCI-DSS: Invalid Account Usage Detail

PCI-DSS: Priv Authentication Activity Detail

PCI-DSS: Priv Access Failure Detail

PCI-DSS: Database Authentication Activity Detail

PCI-DSS: Database Access Failure Detail

A3.3.1.1.b: Examine records to verify that security control failures are documented to include:

- Identification of cause(s) of the failure, including root cause

- Duration (date and time start and end) of the security failure

- Details of the remediation required to address the root cause

Relates to 10.8

Augment

Case Management support

Relates to 10.8.1

N/A

N/A

N/A

A3.3.3.a: Examine policies and procedures to verify that processes are defined for reviewing and verifying BAU activities. Verify the procedures include:

- Confirming that all BAU activities (e.g., A3.2.2, A3.2.6, and A3.3.1) are being performed

- Confirming that personnel are following security policies and operational procedures (for example, daily log reviews, firewall rule-set reviews, configuration standards for new systems, etc.)

- Documenting how the reviews were completed, including how all BAU activities were verified as being in place

- Collecting documented evidence as required for the annual PCI DSS assessment

- Reviewing and sign-off of results by executive management assigned responsibility for PCI DSS governance

- Retaining records and documentation for at least 12 months, covering all BAU activities

Augment

Case Management

N/A

N/A

N/A

A3.3.3.b: Interview responsible personnel and examine records of reviews to verify that:

- Reviews are performed by personnel assigned to the PCI DSS compliance program.

- Reviews are performed at least quarterly.

Augment

Case Management provides the ability to verify that daily reporting is performed.

N/A

N/A

N/A

A3.4.1: Interview responsible personnel and examine supporting documentation to verify that:

- User accounts and access privileges are reviewed at least every six months.

- Reviews confirm that access is appropriate based on job function, and that all access is authorized.

Augment

PCI-DSS: Personnel Login Authentication Method Event

PCI-DSS: Invalid Account Usage AIE Rule

PCI-DSS: Database Authentication AIE Rule

PCI-DSS: Vendor Auth Activity AIE Rule

PCI-DSS: Personnel Login Authentication Method Inv

PCI-DSS: Service Provider Failure and Critical Inv

PCI-DSS: Authentication Failure Detail

PCI-DSS: Access Failure Detail

PCI-DSS: Vendor Authentication Detail

PCI-DSS: Vendor Access Detail

PCI-DSS: Database Authentication Detail

PCI-DSS: Database Access Detail

PCI-DSS: Priv Acct Auth Detail

PCI-DSS: Priv Access Activity Details

PCI-DSS: Audit Exception Detail

PCI-DSS: Service Provider Failure and Critical Summary

PCI-DSS: Authentication Failure Summary

PCI-DSS: Access Failure Summary

PCI-DSS: Vendor Access Failure Summary

PCI-DSS: Vendor Authentication Summary

PCI-DSS: AIE Vendor Authentication Summary

PCI-DSS: AIE Invalid Account Usage Summary

PCI-DSS: Invalid Account Usage Summary

PCI-DSS: Priv Authentication Activity Summary

PCI-DSS: AIE Database Authentication Summary

PCI-DSS: Database Authentication Activity Summary

PCI-DSS: Database Access Failure Summary

PCI-DSS: Service Provider Failure and Critical Detail

PCI-DSS: Authentication Failure Detail (Do not include accounts on Priv or Vendor List or log source = DB; apply to critical environments)

PCI-DSS: Access Failure Detail (Do not include accounts on Priv or Vendor List or log source = DB; apply to critical environments)

PCI-DSS: Vendor Authentication Details

PCI-DSS: Vendor Access Failure Detail

PCI-DSS: AIE Invalid Account Usage Detail

PCI-DSS: Invalid Account Usage Detail

PCI-DSS: Priv Authentication Activity Detail

PCI-DSS: Priv Access Failure Detail

PCI-DSS: Database Authentication Activity Detail

PCI-DSS: Database Access Failure Detail

A3.5.1.a: Review documentation and interview personnel to verify a methodology is defined and implemented to identify attack patterns and undesirable behavior across systems in a timely manner, and includes the following:

- Identification of anomalies or suspicious activity as it occurs

- Issuance of timely alerts to responsible personnel

- Response to alerts in accordance with documented response procedures

Augment

PCI-DSS: Invalid Account Usage AIE Rule

PCI-DSS: Database Authentication AIE Rule

PCI-DSS: Vendor Auth Activity AIE Rule

PCI-DSS: Service Provider Failure and Critical Inv

PCI-DSS: Authentication Failure Detail

PCI-DSS: Access Failure Detail

PCI-DSS: Vendor Authentication Detail

PCI-DSS: Vendor Access Detail

PCI-DSS: Database Authentication Detail

PCI-DSS: Database Access Detail

PCI-DSS: Priv Acct Auth Detail

PCI-DSS: Priv Access Activity Details

PCI-DSS: Audit Exception Detail

PCI-DSS: Service Provider Failure and Critical Summary

PCI-DSS: Authentication Failure Summary

PCI-DSS: Access Failure Summary

PCI-DSS: Vendor Access Failure Summary

PCI-DSS: Vendor Authentication Summary

PCI-DSS: AIE Vendor Authentication Summary

PCI-DSS: AIE Invalid Account Usage Summary

PCI-DSS: Invalid Account Usage Summary

PCI-DSS: Priv Authentication Activity Summary

PCI-DSS: AIE Database Authentication Summary

PCI-DSS: Database Authentication Activity Summary

PCI-DSS: Database Access Failure Summary

PCI-DSS: Service Provider Failure and Critical Detail

PCI-DSS: Authentication Failure Detail (Do not include accounts on Priv or Vendor List or log source = DB; apply to critical environments)

PCI-DSS: Access Failure Detail (Do not include accounts on Priv or Vendor List or log source = DB; apply to critical environments)

PCI-DSS: Vendor Authentication Details

PCI-DSS: Vendor Access Failure Detail

PCI-DSS: AIE Invalid Account Usage Detail

PCI-DSS: Invalid Account Usage Detail

PCI-DSS: Priv Authentication Activity Detail

PCI-DSS: Priv Access Failure Detail

PCI-DSS: Database Authentication Activity Detail

PCI-DSS: Database Access Failure Detail

A3.5.1.b: Examine incident response procedures and interview responsible personnel to verify that:

- On-call personnel receive timely alerts.

- Alerts are responded to per documented response procedures.

Augment

PCI-DSS: Invalid Account Usage AIE Rule

PCI-DSS: Database Authentication AIE Rule

PCI-DSS: Vendor Auth Activity AIE Rule

PCI-DSS: Service Provider Failure and Critical Inv

PCI-DSS: Authentication Failure Detail

PCI-DSS: Access Failure Detail

PCI-DSS: Vendor Authentication Detail

PCI-DSS: Vendor Access Detail

PCI-DSS: Database Authentication Detail

PCI-DSS: Database Access Detail

PCI-DSS: Priv Acct Auth Detail

PCI-DSS: Priv Access Activity Details

PCI-DSS: Audit Exception Detail

PCI-DSS: Service Provider Failure and Critical Summary

PCI-DSS: Authentication Failure Summary

PCI-DSS: Access Failure Summary

PCI-DSS: Vendor Access Failure Summary

PCI-DSS: Vendor Authentication Summary

PCI-DSS: AIE Vendor Authentication Summary

PCI-DSS: AIE Invalid Account Usage Summary

PCI-DSS: Invalid Account Usage Summary

PCI-DSS: Priv Authentication Activity Summary

PCI-DSS: AIE Database Authentication Summary

PCI-DSS: Database Authentication Activity Summary

PCI-DSS: Database Access Failure Summary

PCI-DSS: Service Provider Failure and Critical Detail

PCI-DSS: Authentication Failure Detail (Do not include accounts on Priv or Vendor List or log source = DB; apply to critical environments)

PCI-DSS: Access Failure Detail (Do not include accounts on Priv or Vendor List or log source = DB; apply to critical environments)

PCI-DSS: Vendor Authentication Details

PCI-DSS: Vendor Access Failure Detail

PCI-DSS: AIE Invalid Account Usage Detail

PCI-DSS: Invalid Account Usage Detail

PCI-DSS: Priv Authentication Activity Detail

PCI-DSS: Priv Access Failure Detail

PCI-DSS: Database Authentication Activity Detail

PCI-DSS: Database Access Failure Detail
