PCI Configuration Report

by Stephanie Dunn
August 20, 2015

As the adoption of mobile and cloud-based payment solutions continues to increase, so has the amount of sensitive cardholder data being transferred across networks. Many organizations have struggled to keep up with the rapidly evolving payment landscape, and continue to face challenges in securing cardholder data. Security breaches and credit card fraud cases have reached epidemic proportions over the past few years. Many organizations have been breached due to inadequate security controls, lack of knowledge, and underestimating the impact of security breach incidents. The impact of a data breach can potentially cripple an organization with negative publicity, lawsuits, and increased breach-related expenses.

In 2004, Visa, MasterCard, American Express, JCB, and Discover, in a collaborative effort, established the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS was created to address the alarming increase in credit card fraud, and provides a global standard for how organizations can maintain a secure environment for cardholder data throughout the transaction process. All organizations, regardless of size, that accept debit or credit cards are required to comply with the PCI DSS. Organizations that fail to comply with the PCI DSS may be subject to significant fines, recurring fees, and loss of business sales and customers due to non-compliance.

The PCI Configuration Report leverages Nessus PCI system configuration audit policy files, and can assist the analyst in proactively identifying non-compliant PCI hosts and remediating issues on them. The PCI DSS is a set of 12 high-level requirements that address areas such as security management, end-to-end encryption, policies and procedures, network architecture, and software design. This report is split into twelve groups, which correspond with PCI requirements 1 through 12. For each group, the configuration settings relevant to that PCI section are considered, and the report presents:

  • A list of hosts with findings, and settings that require additional action, ranked by a non-compliance score.
  • A list of compliant settings and a count of each.
  • A list of non-compliant settings and a count of each.
  • A list of compliant settings that require additional actions to be taken.
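The grouping and ranking described above, as an added example that is not part of the report or of Tenable's code: it takes constructed Nessus-style compliance findings (host, check name, result), maps each check name's leading number to PCI DSS requirement 1 through 12, counts compliant, non-compliant and action-required settings per requirement, and ranks hosts by a non-compliance score. The score weights and the mapping of the Nessus WARNING result to "requires additional action" are assumptions; the report's own formula is not given on the page.

```python
from collections import defaultdict
import re

# Constructed sample records shaped like Nessus compliance findings:
# (host, check name, result). PASSED/FAILED/WARNING are the result values
# Nessus compliance checks report; WARNING is assumed here to be the
# "requires additional action" state listed in the report description.
SAMPLE_FINDINGS = [
    ("10.0.0.5", "1.1.6 Firewall ruleset reviewed every six months", "WARNING"),
    ("10.0.0.5", "2.2.4 Unnecessary services disabled", "FAILED"),
    ("10.0.0.5", "8.2.3 Minimum password length 7", "PASSED"),
    ("10.0.0.7", "2.2.4 Unnecessary services disabled", "PASSED"),
    ("10.0.0.7", "8.2.3 Minimum password length 7", "FAILED"),
    ("10.0.0.7", "10.2.2 Audit all actions taken by root", "FAILED"),
    ("10.0.0.9", "8.2.3 Minimum password length 7", "PASSED"),
]

_REQ = re.compile(r"^(\d{1,2})\.\d")  # leading "N.x..." -> requirement N


def requirement_group(check_name):
    """Map a check name such as '8.2.3 ...' to PCI DSS requirement 1..12, else None."""
    m = _REQ.match(check_name)
    if not m or not 1 <= int(m.group(1)) <= 12:
        return None  # checks with no parsable requirement are left out of the report
    return int(m.group(1))


def summarize_by_requirement(findings):
    """Per requirement: counts of compliant, non-compliant and action-required settings."""
    summary = defaultdict(lambda: {"PASSED": 0, "FAILED": 0, "WARNING": 0})
    for _host, check, result in findings:
        req = requirement_group(check)
        if req is not None and result in summary[req]:
            summary[req][result] += 1
    return dict(summary)


def rank_hosts(findings, fail_weight=2, warn_weight=1):
    """Rank hosts by an assumed non-compliance score: FAILED counts twice, WARNING once.

    Hosts with only PASSED results score 0 and sort last, so the list still
    shows every audited host."""
    scores = defaultdict(int)
    for host, check, result in findings:
        if requirement_group(check) is None:
            continue
        scores[host] += {"FAILED": fail_weight, "WARNING": warn_weight}.get(result, 0)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
```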

Although the Nessus audit configuration settings map to most parts of the PCI DSS, many operating systems do not have a configuration check for every PCI section. This means that some sections will contain no compliant or non-compliant results.

The report is available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. The report can be easily located in the SecurityCenter Feed under the category Compliance & Configuration Assessment. The report requirements are:

  • SecurityCenter 4.8.2
  • Nessus 6.2.1
  • Nessus PCI Audit File
  • Compliance Data

While no organization is completely immune from the damages of a data breach, the PCI DSS requires an ongoing effort to remain compliant. By ensuring continuous compliance with PCI DSS, organizations will be able to maintain a positive reputation with cardholders in knowing that sensitive data remains protected and secured.

Tenable's SecurityCenter Continuous View (SecurityCenter CV) is the market-defining continuous network monitoring platform. SecurityCenter CV includes active vulnerability detection with Nessus and passive vulnerability detection with Tenable's Passive Vulnerability Scanner (PVS), as well as log correlation with Tenable's Log Correlation Engine (LCE). Using SecurityCenter CV, an organization will obtain the most comprehensive and integrated view of its network, in order to adhere to and maintain PCI DSS compliance.

The following chapters are included in the report:

  • Executive Summary - As organizations evolve from traditional e-commerce to mobile and cloud-based payment solutions, the need to adapt, and to protect and secure cardholder data, is vital to maintaining a business. The Executive Summary chapter provides details on the PCI requirements that have failed, passed (for those requirements reviewed), or require additional action on hosts within an organization. This information can assist the analyst in maintaining PCI compliance by developing effective strategies to mitigate any vulnerability associated with the PCI DSS requirements.
  • PCI DSS Requirements - The PCI DSS Requirements chapter displays a series of tables and matrices that correspond with PCI DSS requirements 1 through 12. The information presented shows which of the auditable PCI requirements your systems are compliant with, and which require additional actions to be taken for compliance. This is accomplished by performing credentialed Nessus configuration audits of your PCI systems; this SecurityCenter report can then be used to track which controls are currently being met and which are not.