Related Answers
Download topic as PDF
Detection rules for PCI compliance monitoring
The following table lists the PCI requirements for each governance control and the supported correlation search in the Splunk app for PCI Compliance and Splunk Enterprise Security: The following table lists the supported detection rules that helps to monitor PCI DSS 3.2.1 requirements in the Splunk app for PCI compliance and Splunk Enterprise Security. Additionally, the Splunk App for PCI compliance and the following default detection rules have scorecards and reports to support PCI compliance for each of the requirements.
The effectiveness of the detection rules depends on your data availability and your ability to meet these requirements. Your use of the PCI app is not an assurance of compliance.
| PCI requirement | Governance control | PCI requirements | Supported correlation search |
|---|---|---|---|
| Requirement 1: Install and maintain network security controls | 1.1.1 | Verify that you have a formal process to test and approve all network connections and changes to firewall and router configurations. Interview the responsible personnel and review your records to get a sample of network connections and to verify that all network connections are approved and tested. | Network - Policy Or Configuration Change - Rule
|
| 1.1.4 | Review the firewall configuration standards to verify that the standards require a firewall at each internet connection and between any demilitarized zone network (DMZ) and the internal network zone.
Verify that the current network diagram is consistent with the firewall configuration standards. Verify network configurations to ensure that a firewall is available for each internet connection and between any demilitarized zone (DMZ) and the internal network zone, in accordance with the documented configuration standards and network diagrams. |
Asset - Asset Ownership Unspecified - Rule
| |
| 1.2.1 | Review the firewall and router configuration standards to verify that they identify inbound and outbound traffic that is required for the cardholder data environment.
Also, verify that the inbound and outbound traffic is limited to what is essential to the cardholder data environment. Additionally, verify that all other inbound and outbound traffic is denied. |
Unauthorized or Insecure Communication Permitted - Rule
| |
| 1.2.2 | Review the router configuration files to verify that they are secure from unauthorized access. Additionally, review the router configurations to verify that they are synchronized. | Network - Network Device Rebooted - Rule
| |
| 1.2.3 | Review the firewall and router configurations to verify that perimeter firewalls are installed between all wireless networks and the cardholder data environment. Additionally, verify that the firewalls deny all unauthorized access. If traffic is necessary for business purposes, the firewalls must permit only authorized traffic between the wireless environment and the cardholder data environment. | Unauthorized Wireless Device Detected - Rule
| |
| 1.3.2 | Review the firewall and router configurations to verify that the inbound internet traffic is limited to IP addresses within the DMZ. | Unauthorized or Insecure Communication Permitted - Rule
| |
| 1.3.3 | Review the firewall and router configurations to verify that anti-spoofing measures are implemented. For example, ensure that internal addresses do not pass from the internet into the DMZ. | Unauthorized or Insecure Communication Permitted - Rule
| |
| 1.3.4 | Review the firewall and router configurations to verify that the outbound traffic from the cardholder data environment to the internet is explicitly authorized. | Unauthorized or Insecure Communication Permitted - Rule
| |
| 1.3.5 | Review the firewall and router configurations to verify that the firewall permits only established connections into the internal network and denies any inbound connections that are not associated with a previously established session. | Unauthorized or Insecure Communication Permitted - Rule
| |
| 1.4.2 | Review the vendor documentation and configuration of network security controls (NSCs) to verify that inbound traffic from untrusted networks to trusted networks is restricted in accordance with all elements specified in this requirement. Also, ensure that public access to a system component is specifically authorized to reduce the risk of system components being unnecessarily exposed to untrusted networks. System components that provide publicly accessible services, such as email, web, and DNS servers must be placed within a dedicated trusted network that is public facing. such as a DMZ but separated from more sensitive internal systems using NSCs. | Inbound traffic from untrusted network to trusted network-Rule
| |
| Requirement 2: Apply secure configurations to all system components | 2.1.0 | Select a sample of system components and try to log onto the devices and applications using default vendor-supplied accounts and passwords to verify that all default passwords are changed. For this sample of system components, verify that all unnecessary default accounts are removed or disabled. Also, interview personnel and review supporting documentation to verify that all the vendor defaults are changed before a system is installed on the network. Additionally, verify that all redundant default accounts are removed or disabled before a system is installed on the network. |
|
| 2.1.1 | Interview personnel and review supporting documentation to verify that the encryption keys are changed from their default value during installation. Ensure that the encryption keys are changed every time that an employee, who has knowledge of the keys, leaves the company or changes role.
Interview personnel and review policies and procedures to verify that the requirements include the default SNMP community strings must be changed upon installation. Additionally, ensure that the default passwords or passphrases on access points are also changed upon installation. Review the vendor documentation and log in to wireless devices with assistance from the system administrator to verify that the default SNMP community strings are not used. Also, ensure that the default passwords or passphrases on access points are not used. Review the vendor documentation and review the wireless configuration settings to verify that the firmware on wireless devices is updated to support strong encryption for authentication over wireless networks and transmission over wireless networks. Review the vendor documentation and review the wireless configuration settings to verify that all security related wireless vendor default values were changed where applicable. |
Unencrypted Traffic on Wireless Network - Rule
| |
| 2.2.1 | Select a sample of system components and inspect the system configurations to verify that only one primary function is implemented for each server. If you use virtualization technologies, inspect the system configurations to verify that only one primary function is implemented for each virtual system component or device. | Endpoint - Multiple Primary Functions Detected - Rule
| |
| 2.2.2 | Select a sample of system components and inspect the enabled system services, daemons, and protocols to verify that only the required services or protocols are enabled. Review all enabled insecure services, daemons, or protocols and interview personnel to verify that they are justified based on the documented configuration standards. |
| |
| 2.2.3 | Inspect the configuration settings to verify that all security features are documented and implemented for all the insecure services, daemons, or protocols. |
| |
| 2.2.4 | Interview the system administrators and security managers to verify that they know the common security parameter settings for system components. Review the system configuration standards to verify that the common security parameter settings are included. Select a sample of system components and inspect the common security parameters to verify that they are configured based on the configuration standards. |
| |
| 2.3.0 | Select a sample of system components and verify that non-console administrative access is encrypted using the following guidelines:
|
| |
| Requirement 3: Protect stored account data | 3.3.0 | Review the written policies and procedures used to mask the display of PANs and verify the following:
|
Credit Card Data Transmitted In Clear - Rule
|
| 3.4.d | Review a sample of audit logs, including payment application logs, to confirm that PAN is rendered unreadable or is not present in the logs. | Audit - Personally Identifiable Information Detection - Rule
| |
| Requirement 4: Protect cardholder data with strong cryptography during transmission over open, public networks | 4.1.0 | "Identify all locations where cardholder data is transmitted or received over open, public networks. Review documented standards and compare to system configurations to verify the use of security protocols and strong cryptography for all locations.
Review documented policies and procedures to verify processes are specified for acceptance of only trusted keys and/or certificates, protocol in use to only support secure versions and configurations, implementation of proper encryption strength per the encryption methodology in use. Select and observe a sample of inbound and outbound transmissions as they occur to verify that all cardholder data is encrypted with strong cryptography during transit. Review the keys and certificates to verify that only trusted keys and/or certificates are accepted. Review the system configurations to verify that the protocol is implemented to use only secure configurations and does not support insecure versions or configurations. Review the system configurations to verify that the proper encryption strength is implemented for the encryption methodology in use." |
|
| 4.2.0 | If the end-user messaging technologies are used to send cardholder data, review the processes for sending PAN. Review a sample of outbound transmissions as they occur to verify that PAN is rendered unreadable or is secured with strong cryptography whenever it is sent using end-user messaging technologies. Review the written policies to verify that the policies require unprotected PANs to not be sent using end-user messaging technologies. | Credit Card Data Transmitted In Clear - Rule
| |
| Requirement 5: Protect all systems and networks from malicious software | 5.1.1 | Review the vendor documentation and review anti-virus configurations to verify that anti-virus programs detect, remove, and protect against all known types of malicious software. |
|
| 5.1.2 | Interview personnel to verify that evolving malware threats are monitored and evaluated for systems even though they might not be impacted by malicious software to ensure that these systems do not require anti-virus software. |
| |
| 5.2.0 | Review the policies and procedures to verify they indicate that anti-virus software and definitions must be up to date.
Review the anti-virus configurations, including the master installation of the software to verify anti-virus mechanisms are configured to perform automatic updates and periodic scans. Review a sample of system components, including all operating system types commonly affected by malicious software, to verify that the anti-virus software and definitions are current and periodic scans are performed. Review the anti-virus configurations, including the master installation of the software and a sample of system components, to verify that anti-virus software log generation is enabled and logs are retained in accordance with PCI DSS 10.7. |
| |
| 5.3.0 | Review the anti-virus configurations, including the master installation of the software and a sample of system components, to verify the following:
Interview responsible personnel and observe processes to verify that anti-virus software cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period. |
| |
| 5.3.4 | Review anti-malware solutions configurations to verify that logs are enabled and retained in accordance with Requirement 10.5.1. Track the effectiveness of the anti-malware mechanisms by confirming that updates and scans are performed as expected and malware is identified and addressed. Audit logs also allow an entity to determine how malware entered the environment and track its activity when inside the entity's network. |
| |
| 5.3.2c |
| ||
| 5.3.3b |
| ||
| 5.2.1a and 5.2.3c |
| ||
| Requirement 6: Develop and maintain secure systems and software | 6.1 | Review the the policies and procedures to verify that processes are defined for the following:
Interview responsible personnel and observe processes to verify the following:
|
|
| 6.2 | Review the policies and procedures related to security patch installation to verify that processes are defined for the installation of applicable critical vendor-supplied security patches within one month of release or within an appropriate timeframe.
For a sample of system components and related software, compare the list of security patches installed on each system to the most recent vendor security-patch list. and verify that applicable critical vendor-supplied security patches are installed within one month of release or within an appropriate time frame. |
| |
| 6.3.1 | Review the written software-development procedures and interview responsible personnel to verify that pre-production and custom application accounts, user IDs, and passwords are removed before an application goes into production or is released to customers. | Access - Default Account Usage - Rule
| |
| 6.3.3a | Medium and low security in more than 30 days - Rule
| ||
| 6.3 | Open High Vulnerabilities in the last 60 days - Rule
| ||
| 6.3 | Open Critical Vulnerabilities in the last 30 days - Rule
| ||
| 6.4.1 | For public-facing web applications, review that either one of the required methods is in place as follows:
Common assessment tools include specialized web scanners that perform automatic analysis of web application protection. When using automated technical solutions, it is important to include processes that facilitate timely responses to alerts generated by the solutions so that any detected attacks can be mitigated. |
No vulnerability logging with patch info in last 7 days - Rule
| |
| 6.4.2 | For public-facing web applications, review the system configuration settings and audit logs, and interview responsible personnel to verify that an automated technical solution that detects and prevents web-based attacks is in place When using automated technical solutions, it is important to include processes that facilitate timely responses to alerts generated by the solutions so that any detected attacks can be mitigated. Such solutions may also be used to automate mitigation, for example rate-limiting controls, which can be implemented to mitigate against brute-force attacks and enumeration attacks. | Web data was not logged in last 7 days - Rule
| |
| Requirement 7: Restrict access to system components and cardholder data | 7.1 | Review the written policy for access control and verify that the policy incorporates the following requirements:
|
|
| 7.2 | Review the system settings and vendor documentation to verify that an access control system is implemented. |
| |
| Requirement 8: Identify users and authenticate access to system components | 8.1.4 | Review the user accounts to verify that any inactive accounts over 90 days old are either removed or disabled. | Access - Completely Inactive Account - Rule
|
| Requirement 8: Identify users and authenticate access to system components | 8.2.4 | Review documented authorizations across various phases of the account lifecycle such as additions, modifications, and deletions. Additionally, examine system settings to verify the activity is managed such that only authorized accounts can perform functions, actions are auditable, and privileges are limited to only what is required. |
|
| 8.3 | Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication. |
| |
| 8.3.4a | For user account lockout after 10 invalid login attempts, review system configuration settings to verify that authentication parameters are set such that user accounts are locked out after not more than 10 invalid log on attempts. Examine system configuration settings to verify that password parameters are set to require that once a user account is locked out, it remains locked for a minimum of 30 minutes or until the user's identity is confirmed. |
| |
| 8.3.10.1 | If passwords/passphrases are used as the only authentication factor for customer user access, inspect system configuration settings to verify that passwords or passphrases are managed in accordance with one of the elements specified in this requirement. Periodically changing passwords offers less time for a malicious individual to crack a password/passphrase and less time to use a compromised password. Dynamically analyzing an account's security posture is another option that allows for more rapid detection and response to address potentially compromised credentials. Such analysis takes a number of data points which might include device integrity, location, access times, and the resources accessed to determine in real time whether an account can be granted access to a requested resource. In this way, access can be denied and accounts blocked if it is suspected that account credentials have been compromised. | Sample set of users showing password changes for every 90 days - Rule
| |
| 8.4 | Review the procedures and interview personnel to verify that authentication policies and procedures are distributed to all users.
Review authentication policies and procedures that are distributed to the users and verify that they include the following:
Interview a sample of users to verify that they are familiar with the authentication policies and procedures. | ||
| 8.4. 1 and 8.4.1b | Review network and system configurations to verify that MFA is required for all non-console into the cardholder data environment (CDE) for personnel with administrative access. Monitor administrator personnel logging into the CDE and verify that MFA is required. Requiring more than one type of authentication factor reduces the probability that an attacker can gain access to a system by masquerading as a legitimate user. | Access to CDE without MFA/2FA - Rule
| |
| 8.5.0 | For a sample of system components, review that the user ID lists and verify the following:
Review the authentication policies and procedures to verify that authentication credentials do not use group IDs, shared IDs, passwords, and other authentication methods. Interview system administrators to verify that group, shared IDs, passwords, and other authentication methods are not distributed, even if requested |
| |
| 8.5.1 | Review the authentication policies and procedures and interview personnel to verify that different authentication credentials are used to access each customer. | Access - Account Deleted - Rule
| |
| Requirement 9: Restrict physical access to cardholder data | 9.3.0 | For a sample of onsite personnel with physical access to sensitive areas, interview responsible personnel and observe access control lists to verify that:
Observe personnel accessing sensitive areas to verify that all personnel are authorized before being granted access. Select a sample of recently terminated employees and review access control lists to verify that the personnel do not have physical access to sensitive areas. |
Identity - Activity from Expired User Identity - Rule
|
| Requirement 10: Log and monitor all access to system components and cardholder data | 10.1.0 | Verify through observation and interviewing the system administrator that the following conditions are met:
|
Audit - Expected Host Not Reporting - Rule
|
| 10.2.1 | Verify that all individual access to cardholder data is logged. | Access - Default Accounts At Rest - Rule
| |
| 10.2.6 | Verify that the following are logged:
|
Audit - Anomalous Audit Trail Activity Detected - Rule
| |
| 10.4.0 | Review the configuration standards and processes to verify that time-synchronization technology is implemented and is current based on the PCI DSS Requirements 6.1 and 6.2. | Endpoint - Should Timesync Host Not Syncing - Rule
| |
| 10.4.1 | Review the process to acquire, distribute, and store the correct time within the organization and verify the following:
|
Endpoint - Should Timesync Host Not Syncing - Rule
| |
| 10.6.0 | Review logs and security events for all system components to identify anomalies or suspicious activity. | Audit - Anomalous Audit Trail Activity Detected - Rule
| |
| 10.7.0 | Review logs to detect and report failures of critical security control systems. | Data logging for all the listed solution in last 6 hrs - Rule
| |
| Requirement 11: Test security of systems and networks regularly | 11.1.0 | Review the policies and procedures to verify that processes are defined for detection and identification of both authorized and unauthorized wireless access points on a quarterly basis.
Verify that the methodology is adequate to detect and identify any unauthorized wireless access points, including the following:
If wireless scanning is utilized, review that the output from the recent wireless scans verify the following:
When automated monitoring is utilized, verify that the configuration generates alerts to notify personnel. |
Rogue Wireless Device - Rule
|
| 11.3 |
|
Open High Vulnerabilities in the last 60 days - Rule
| |
| 11.3.1 | Review internal scan report results from the last 12 months to verify that internal scans occurred at least once every three months in the most recent 12-month period. Examine internal scan report results from each scan and re-scan in the last 12 months to verify that all high-risk and critical vulnerabilities are resolved. Examine scan tool configurations and interview personnel to verify that the scan tool is kept up to date with the latest vulnerability information. Interview responsible personnel to verify that the scan was performed by a qualified internal resource(s) or qualified external third party and that organizational independence of the tester exists. | Vulnerability scan is older than 3 months - Rule
| |
| 11.4.0 | Review the system configurations and network diagrams to verify that all traffic is monitored at the perimeter and at the critical points in the cardholder data environment.
Review the system configurations and interview responsible personnel to confirm that the intrusion detection and intrusion prevention techniques alert personnel of suspected compromises. Review the IDS/IPS configurations and vendor documentation to verify that the intrusion detection and the intrusion prevention techniques are configured, maintained, and updated based on vendor instructions to ensure optimal protection. |
|
You can map new or existing correlation searches to the relevant PCI DSS controls by adding governance to the search. For more information, see Add governance to a correlation search.
|
PREVIOUS Search macros |
NEXT Updates to detection rules and reports by requirements |
This documentation applies to the following versions of Splunk® App for PCI Compliance: 5.3.1
Feedback submitted, thanks!