PCI-DSSv3.2.1 Audit Summary (Explore)

The Payment Card Industry Security Standards Council (PCI SSC) maintains, evolves, and promotes Payment Card Industry standards for the safety of cardholder data across the globe. The PCI SSC provides technical and operational requirements for organizations accepting or processing payment transactions. The guidance also applies to software developers and manufacturers of applications and devices used in those transactions. The Payment Card Industry Data Security Standard (PCI DSS) helps entities understand and implement standards for security policies, technologies, and ongoing processes that protect payment systems from breaches and theft of cardholder data. The standards have historically been revised on a 2-3 year cycle, but the PCI SSC is transitioning to a posture of revising the PCI DSS as required based on changes to the current threat landscape. 

This dashboard provides organizations with information which specifically measures against the compliance standards related to the Payment Card Industry Data Security Standard (PCI DSS).  The PCI DSS security standard was formed in 2004 by Visa, MasterCard, Discover Financial Services, JCB International, and American Express and governed by the Payment Card Industry Security Standards Council (PCI SSC).  While the PCI SSC has no legal authority to compel compliance, the goal is to secure  credit and debit card transactions against theft.  However, compliance with the PCI DSS standard is a requirement for any business that processes credit or debit card transactions.  

This dashboard references controls contained in PCI DSS v3.2.1, which was released in Q2 of 2018.  Version 3.2.1 contains minor updates to v3.2.  Updates include, but are limited to, migration dates for SSL/early TLS, and the removal of multi-factor authentication (MFA) from the compensating control example in Appendix B, as MFA is not required for all non-console administrative access.

Tenable provides several solutions for organizations to better understand vulnerability management. Security leaders need to SEE everything, PREDICT what matters most and ACT to address cyber risk and effectively align cybersecurity initiatives with business objectives. Tenable Vulnerability Management (formerly Tenable.io) discovers and analyzes assets continuously to provide an accurate and unified view of an organization's security posture. The requirements for this dashboard are: Tenable Vulnerability Management.

Widgets: 

• Framework Result Summary: This widget provides organizations with information which specifically measures against the compliance standards related to the Payment Card Industry Data Security Standard (PCI DSS). 
• Control Summary: This widget provides compliance results for each control family within the compliance standard. Each family displays information highlighting the result count and a bar chart displaying a visual overview of the results.
• Audit Check Type Summary: This widget provides compliance results for Windows and Unix hosts within the compliance standard. The rows display information highlighting the result count and a bar chart displaying a visual overview of the results.
• Build and Maintain a Secure Network and Systems: This widget focuses on the category Build and Maintain a Secure Network and Systems, which covers topics within PCI requirement 1 and 2. This requirements covers firewall configurations to protect cardholder data and the use of vendor supplied default password use.
• Implement Strong Access Control Measures: This widget focuses on the category Implement Strong Access Control Measures, which covers topics within PCI requirement 7, 8 and 9. However requirement 9 to restrict access to cardholder is not measured. This requirement covers restricting access to cardholder data, and the identification and authentication to access system components.
• Maintain a Vulnerability Management Program: This widget focuses on the category Maintain a Vulnerability Management Program, which covers topics within PCI requirement 5 and 6. Both of these requirements cover protecting all systems against malware, regularly updating anti-virus software, and developing and maintaining secure systems and applications.
• Protect Cardholder Data: This widget focuses on the category Protect Cardholder Data, which covers topics within PCI requirement 3 and 4. This requirements covers protecting stored cardholder data and the encryption of cardholder data across public networks.
• Regularly Monitor and Test Networks: This widget focuses on the category Regularly Monitor and Test Networks, which covers topics within PCI requirement 10. This requirements covers tracking and monitoring all access to network resources and cardholder data, and the regular testing of security systems and processes.