on May 25, 2016The Payment Card Industry (PCI) Data Security Standard applies to all payment card industry members, merchants, and service providers that store, process, or transmit payment cardholder data. Additionally, these security requirements apply to all "system components" - any network component, server, or application included in, or connected to, the cardholder data environment.
Dependencies
The PCI compliance reports have the following dependencies.
| SA Rules | SA Lists | App Rules |
|---|---|---|
| Accounts Created Accounts Deleted Accounts Modified Admin Access to Compliance Systems Details Admin Access to Compliance Systems Summary Antivirus Signature Update Change in Audit Settings Encryption Failures Encryption Key Generation and Changes Failed Escalation of Privileges Details Firewall Configuration Changes Firmware Changes on Wireless Devices Group Management Inbound Network Traffic Logon Failures Details Logon Failures Summary Outbound Network Traffic Password Changes Router Configuration Changes Successful Escalation of Privileges Details System Clock Synchronization User Access Revoked User Access to Compliance Systems Details User Access to Compliance Systems Summary User Session Terminated Summary | Administrative Users Compliance Systems | account:created account:deleted account:modified account:logon-success av:signature-update config:change-audit-setting encryption:failures encryption:key-gen-and-changes access:privilege-escalation-failure config:fw-config-changes config:firmware-config-changes account:group-management alm:inbound-network-traffic account:logon-failure alm:outbound-network-traffic account:password-change config:router-change access:privilege-escalation-success alm:system-clock-synch access:user-access-revoked account:logout |
Citations
The PCI reports have the following Citations.
| Report Rule | Citation Number | Citation Description |
|---|---|---|
| Antivirus Signature Update | § 5.2 | 5.2 Ensure that all antivirus mechanisms are current, actively running, and generating audit logs. |
| Access to Compliance Data - Detail Access to Compliance Data - Top 25 | § 10.2.1 | 10.2.1 All individual accesses to cardholder data. |
| Accounts Created | § 8.5 | 8.5 Ensure proper user identification and authentication management for non-consumer users and administrators on all system components. |
| Accounts Deleted | § 8.5 | 8.5 Ensure proper user identification and authentication management for non-consumer users and administrators on all system components. |
| Accounts Modified | § 8.5 | 8.5 Ensure proper user identification and authentication management for non-consumer users and administrators on all system components. |
| Admin Access to Compliance Systems - Detail | § 10.2.2 | 10.2.2 All actions taken by any individual with root or administrative privileges |
| Admin Access to Compliance Systems - Top 25 | § 10.2.2 | 10.2.2 All actions taken by any individual with root or administrative privileges. |
| Change in Audit Settings | § 2.2.3 | 2.2.3 Configure system security parameters to prevent misuse. |
| Encryption Failures | § 4 | Requirement 4: Encrypt transmission of cardholder data across open, public networks. |
| Key Generation and Changes | § 4 | Requirement 4: Encrypt transmission of cardholder data across open, public networks. |
| Escalation of Privileges - Detail Failed Escalation of Privileges - Top 25 | § 7.1 | 7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access. |
| Firewall Configuration Changes | § 6.4 | 6.4 Follow change control processes and procedures for all changes to system components. |
| Firmware Changes Wireless Devices | § 6.4 | 6.4 Follow change control processes and procedures for all changes to system components. |
| Group Management | § 7.1 | 7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access. |
| Inbound Network Traffic - Top 25 | § 1.2.1 | 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment. |
| Logon Failures - Detail | § 10.2.4 | 10.2.4 Invalid logical access attempts. |
| Logon Failures - Top 25 | § 10.2.4 | 10.2.4 Invalid logical access attempts. |
| Outbound Network Traffic - Top 25 | § 1.2.1 | 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment. |
| Password Changes - Detail Password Changes - Top 25 | § 8.5 | 8.5 Ensure proper user identification and authentication management for nonconsumer users and administrators on all system components. |
| Router Configuration Changes | § 6.4 | 6.4 Follow change control processes and procedures for all changes to system components. |
| System Clock Synchronization | § 10.4 | 10.4 Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time. |
| User Access Revoked | § 8.5.4 | 8.5.4 Immediately revoke access for any terminated users |
| User Access to Compliance Systems - Detail | § 10.2.1 | 10.2.1 Verify all individual access to cardholder data is logged. |
| User Access to Compliance Systems - Top 25 | § 10.2.1 | 10.2.1 Verify all individual access to cardholder data is logged. |
| Account Management | § 8.5 | 8.5 Ensure proper user identification and authentication management for non-consumer users and administrators on all system components. |
| User Session Terminated - Top 25 | § 8.5.15 | 8.5.15 If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session. |
