Detection rules for PCI compliance monitoring
The following table lists the PCI requirements for each governance control and the supported correlation search in the Splunk app for PCI Compliance and Splunk Enterprise Security: The following table lists the supported detection rules that helps to monitor PCI DSS 3.2.1 requirements in the Splunk app for PCI compliance and Splunk Enterprise Security. Additionally, the Splunk App for PCI compliance and the following default detection rules have scorecards and reports to support PCI compliance for each of the requirements.
The effectiveness of the detection rules depends on your data availability and your ability to meet these requirements. Your use of the PCI app is not an assurance of compliance.
|PCI requirement||Governance control||PCI requirements||Supported correlation search|
|Requirement 1: Install and maintain network security controls||1.1.1||Verify that you have a formal process to test and approve all network connections and changes to firewall and router configurations. Interview the responsible personnel and review your records to get a sample of network connections and to verify that all network connections are approved and tested.|
|1.1.4||Review the firewall configuration standards to verify that the standards require a firewall at each internet connection and between any demilitarized zone network (DMZ) and the internal network zone.
Verify that the current network diagram is consistent with the firewall configuration standards. Verify network configurations to ensure that a firewall is available for each internet connection and between any demilitarized zone (DMZ) and the internal network zone, in accordance with the documented configuration standards and network diagrams."
|1.2.1||Review the firewall and router configuration standards to verify that they identify inbound and outbound traffic that is required for the cardholder data environment.
Also, verify that the inbound and outbound traffic is limited to what is essential to the cardholder data environment. Additionally, verify that all other inbound and outbound traffic is denied.
|1.2.2||Review the router configuration files to verify that they are secure from unauthorized access. Additionally, review the router configurations to verify that they are synchronized.|
|1.2.3||Review the firewall and router configurations to verify that perimeter firewalls are installed between all wireless networks and the cardholder data environment. Additionally, verify that the firewalls deny all unauthorized access. If traffic is necessary for business purposes, the firewalls must permit only authorized traffic between the wireless environment and the cardholder data environment.|
|1.3.2||Review the firewall and router configurations to verify that the inbound internet traffic is limited to IP addresses within the DMZ.|
|1.3.3||Review the firewall and router configurations to verify that anti-spoofing measures are implemented. For example, ensure that internal addresses do not pass from the internet into the DMZ.|
|1.3.4||Review the firewall and router configurations to verify that the outbound traffic from the cardholder data environment to the internet is explicitly authorized.|
|1.3.5||Review the firewall and router configurations to verify that the firewall permits only established connections into the internal network and denies any inbound connections that are not associated with a previously established session.|
|Requirement 2: Apply secure configurations to all system components||2.1.0||Select a sample of system components and try to log onto the devices and applications using default vendor-supplied accounts and passwords to verify that all default passwords are changed. For this sample of system components, verify that all unnecessary default accounts are removed or disabled. Also, interview personnel and review supporting documentation to verify that all the vendor defaults are changed before a system is installed on the network. Additionally, verify that all redundant default accounts are removed or disabled before a system is installed on the network.|
|2.1.1||Interview personnel and review supporting documentation to verify that the encryption keys are changed from their default value during installation. Ensure that the encryption keys are changed every time that an employee, who has knowledge of the keys, leaves the company or changes role.
Interview personnel and review policies and procedures to verify that the requirements include the default SNMP community strings must be changed upon installation. Additionally, ensure that the default passwords or passphrases on access points are also changed upon installation. Review the vendor documentation and log in to wireless devices with assistance from the system administrator to verify that the default SNMP community strings are not used. Also, ensure that the default passwords or passphrases on access points are not used. Review the vendor documentation and review the wireless configuration settings to verify that the firmware on wireless devices is updated to support strong encryption for authentication over wireless networks and transmission over wireless networks. Review the vendor documentation and review the wireless configuration settings to verify that all security related wireless vendor default values were changed where applicable.
|2.2.1||Select a sample of system components and inspect the system configurations to verify that only one primary function is implemented for each server. If you use virtualization technologies, inspect the system configurations to verify that only one primary function is implemented for each virtual system component or device.|
|2.2.2||Select a sample of system components and inspect the enabled system services, daemons, and protocols to verify that only the required services or protocols are enabled. Review all enabled insecure services, daemons, or protocols and interview personnel to verify that they are justified based on the documented configuration standards.|
|2.2.3||Inspect the configuration settings to verify that all security features are documented and implemented for all the insecure services, daemons, or protocols.|
|2.2.4||Interview the system administrators and security managers to verify that they know the common security parameter settings for system components. Review the system configuration standards to verify that the common security parameter settings are included. Select a sample of system components and inspect the common security parameters to verify that they are configured based on the configuration standards.|
|2.3.0||Select a sample of system components and verify that non-console administrative access is encrypted using the following guidelines:
|Requirement 3: Protect stored account data||3.3.0||Review the written policies and procedures used to mask the display of PANs and verify the following:
|3.4.d||Review a sample of audit logs, including payment application logs, to confirm that PAN is rendered unreadable or is not present in the logs.|
|Requirement 4: Protect cardholder data with strong cryptography during transmission over open, public networks||4.1.0||"Identify all locations where cardholder data is transmitted or received over open, public networks. Review documented standards and compare to system configurations to verify the use of security protocols and strong cryptography for all locations.
Review documented policies and procedures to verify processes are specified for acceptance of only trusted keys and/or certificates, protocol in use to only support secure versions and configurations, implementation of proper encryption strength per the encryption methodology in use. Select and observe a sample of inbound and outbound transmissions as they occur to verify that all cardholder data is encrypted with strong cryptography during transit. Review the keys and certificates to verify that only trusted keys and/or certificates are accepted. Review the system configurations to verify that the protocol is implemented to use only secure configurations and does not support insecure versions or configurations. Review the system configurations to verify that the proper encryption strength is implemented for the encryption methodology in use."
|4.2.0||If the end-user messaging technologies are used to send cardholder data, review the processes for sending PAN. Review a sample of outbound transmissions as they occur to verify that PAN is rendered unreadable or is secured with strong cryptography whenever it is sent using end-user messaging technologies. Review the written policies to verify that the policies require unprotected PANs to not be sent using end-user messaging technologies.|
|Requirement 5: Protect all systems and networks from malicious software||5.1.1||Review the vendor documentation and review anti-virus configurations to verify that anti-virus programs detect, remove, and protect against all known types of malicious software.|
|5.1.2||Interview personnel to verify that evolving malware threats are monitored and evaluated for systems even though they might not be impacted by malicious software to ensure that these systems do not require anti-virus software.|
|5.2.0||Review the policies and procedures to verify they indicate that anti-virus software and definitions must be up to date.
Review the anti-virus configurations, including the master installation of the software to verify anti-virus mechanisms are configured to perform automatic updates and periodic scans. Review a sample of system components, including all operating system types commonly affected by malicious software, to verify that the anti-virus software and definitions are current and periodic scans are performed. Review the anti-virus configurations, including the master installation of the software and a sample of system components, to verify that anti-virus software log generation is enabled and logs are retained in accordance with PCI DSS 10.7.
|5.3.0||Review the anti-virus configurations, including the master installation of the software and a sample of system components, to verify the following:
Interview responsible personnel and observe processes to verify that anti-virus software cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.
|Requirement 6: Develop and maintain secure systems and software||6.1||Review the the policies and procedures to verify that processes are defined for the following:
Interview responsible personnel and observe processes to verify the following:
|6.2||Review the policies and procedures related to security patch installation to verify that processes are defined for the installation of applicable critical vendor-supplied security patches within one month of release or within an appropriate timeframe.
For a sample of system components and related software, compare the list of security patches installed on each system to the most recent vendor security-patch list. and verify that applicable critical vendor-supplied security patches are installed within one month of release or within an appropriate time frame.
|6.3.1||Review the written software-development procedures and interview responsible personnel to verify that pre-production and custom application accounts, user IDs, and passwords are removed before an application goes into production or is released to customers.|
|Requirement 7: Restrict access to system components and cardholder data||7.1||Review the written policy for access control and verify that the policy incorporates the following requirements:
|7.2||Review the system settings and vendor documentation to verify that an access control system is implemented.|
|Requirement 8: Identify users and authenticate access to system components||8.1.4||Review the user accounts to verify that any inactive accounts over 90 days old are either removed or disabled.|
|8.3||Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication.|
|8.4||Review the procedures and interview personnel to verify that authentication policies and procedures are distributed to all users.
Review authentication policies and procedures that are distributed to the users and verify that they include the following:
Interview a sample of users to verify that they are familiar with the authentication policies and procedures.
|8.5.0||For a sample of system components, review that the user ID lists and verify the following:
Review the authentication policies and procedures to verify that authentication credentials do not use group IDs, shared IDs, passwords, and other authentication methods. Interview system administrators to verify that group, shared IDs, passwords, and other authentication methods are not distributed, even if requested
|8.5.1||Review the authentication policies and procedures and interview personnel to verify that different authentication credentials are used to access each customer.|
|Requirement 9: Restrict physical access to cardholder data||9.3.0||For a sample of onsite personnel with physical access to sensitive areas, interview responsible personnel and observe access control lists to verify that:
Observe personnel accessing sensitive areas to verify that all personnel are authorized before being granted access. Select a sample of recently terminated employees and review access control lists to verify that the personnel do not have physical access to sensitive areas.
|Requirement 10: Log and monitor all access to system components and cardholder data||10.1.0||Verify through observation and interviewing the system administrator that the following conditions are met:
|10.2.1||Verify that all individual access to cardholder data is logged.|
|10.2.6||Verify that the following are logged:
|10.4.0||Review the configuration standards and processes to verify that time-synchronization technology is implemented and is current based on the PCI DSS Requirements 6.1 and 6.2.|
|10.4.1||Review the process to acquire, distribute, and store the correct time within the organization and verify the following:
|10.6.0||Review logs and security events for all system components to identify anomalies or suspicious activity.|
|Requirement 11: Test security of systems and networks regularly||11.1.0||Review the policies and procedures to verify that processes are defined for detection and identification of both authorized and unauthorized wireless access points on a quarterly basis.
Verify that the methodology is adequate to detect and identify any unauthorized wireless access points, including the following:
If wireless scanning is utilized, review that the output from the recent wireless scans verify the following:
When automated monitoring is utilized, verify that the configuration generates alerts to notify personnel.
|11.4.0||Review the system configurations and network diagrams to verify that all traffic is monitored at the perimeter and at the critical points in the cardholder data environment.
Review the system configurations and interview responsible personnel to confirm that the intrusion detection and intrusion prevention techniques alert personnel of suspected compromises. Review the IDS/IPS configurations and vendor documentation to verify that the intrusion detection and the intrusion prevention techniques are configured, maintained, and updated based on vendor instructions to ensure optimal protection.
You can map new or existing correlation searches to the relevant PCI DSS controls by adding governance to the search. For more information, see Add governance to a correlation search.
This documentation applies to the following versions of Splunk® App for PCI Compliance: 5.1.1, 5.1.2, 5.2.0