Splunk® App for PCI Compliance

User Manual

Detection rules for PCI compliance monitoring

The following table lists the PCI requirements for each governance control and the supported correlation search in the Splunk app for PCI Compliance and Splunk Enterprise Security: The following table lists the supported detection rules that helps to monitor PCI DSS 4.0 requirements in the Splunk app for PCI compliance and Splunk Enterprise Security. Additionally, the Splunk App for PCI compliance and the following default detection rules have scorecards and reports to support PCI compliance for each of the requirements.

The effectiveness of the detection rules depends on your data availability and your ability to meet these requirements. Your use of the PCI app is not an assurance of compliance.

PCI requirement Governance control PCI requirements Supported correlation search
Requirement 1: Install and maintain network security controls 1.1.1 Verify that you have a formal process to test and approve all network connections and changes to firewall and router configurations. Interview the responsible personnel and review your records to get a sample of network connections and to verify that all network connections are approved and tested. Network - Policy Or Configuration Change - Rule
1.1.4 Review the firewall configuration standards to verify that the standards require a firewall at each internet connection and between any demilitarized zone network (DMZ) and the internal network zone.

Verify that the current network diagram is consistent with the firewall configuration standards. Verify network configurations to ensure that a firewall is available for each internet connection and between any demilitarized zone (DMZ) and the internal network zone, in accordance with the documented configuration standards and network diagrams.

Asset - Asset Ownership Unspecified - Rule
1.2.1 Review the firewall and router configuration standards to verify that they identify inbound and outbound traffic that is required for the cardholder data environment.

Also, verify that the inbound and outbound traffic is limited to what is essential to the cardholder data environment. Additionally, verify that all other inbound and outbound traffic is denied.

Unauthorized or Insecure Communication Permitted - Rule
1.2.2 Review the router configuration files to verify that they are secure from unauthorized access. Additionally, review the router configurations to verify that they are synchronized. Network - Network Device Rebooted - Rule
1.2.3 Review the firewall and router configurations to verify that perimeter firewalls are installed between all wireless networks and the cardholder data environment. Additionally, verify that the firewalls deny all unauthorized access. If traffic is necessary for business purposes, the firewalls must permit only authorized traffic between the wireless environment and the cardholder data environment. Unauthorized Wireless Device Detected - Rule
1.3.2 Review the firewall and router configurations to verify that the inbound internet traffic is limited to IP addresses within the DMZ. Unauthorized or Insecure Communication Permitted - Rule
1.3.3 Review the firewall and router configurations to verify that anti-spoofing measures are implemented. For example, ensure that internal addresses do not pass from the internet into the DMZ. Unauthorized or Insecure Communication Permitted - Rule
1.3.4 Review the firewall and router configurations to verify that the outbound traffic from the cardholder data environment to the internet is explicitly authorized. Unauthorized or Insecure Communication Permitted - Rule
1.3.5 Review the firewall and router configurations to verify that the firewall permits only established connections into the internal network and denies any inbound connections that are not associated with a previously established session. Unauthorized or Insecure Communication Permitted - Rule
1.4.2 Review the vendor documentation and configuration of network security controls (NSCs) to verify that inbound traffic from untrusted networks to trusted networks is restricted in accordance with all elements specified in this requirement. Also, ensure that public access to a system component is specifically authorized to reduce the risk of system components being unnecessarily exposed to untrusted networks. System components that provide publicly accessible services, such as email, web, and DNS servers must be placed within a dedicated trusted network that is public facing. such as a DMZ but separated from more sensitive internal systems using NSCs. Inbound traffic from untrusted network to trusted network-Rule
Requirement 2: Apply secure configurations to all system components 2.1.0 Select a sample of system components and try to log onto the devices and applications using default vendor-supplied accounts and passwords to verify that all default passwords are changed. For this sample of system components, verify that all unnecessary default accounts are removed or disabled. Also, interview personnel and review supporting documentation to verify that all the vendor defaults are changed before a system is installed on the network. Additionally, verify that all redundant default accounts are removed or disabled before a system is installed on the network.
  • Access - Default Account Usage - Rule
  • Access - Default Accounts At Rest - Rule
2.1.1 Interview personnel and review supporting documentation to verify that the encryption keys are changed from their default value during installation. Ensure that the encryption keys are changed every time that an employee, who has knowledge of the keys, leaves the company or changes role.

Interview personnel and review policies and procedures to verify that the requirements include the default SNMP community strings must be changed upon installation. Additionally, ensure that the default passwords or passphrases on access points are also changed upon installation. Review the vendor documentation and log in to wireless devices with assistance from the system administrator to verify that the default SNMP community strings are not used. Also, ensure that the default passwords or passphrases on access points are not used. Review the vendor documentation and review the wireless configuration settings to verify that the firmware on wireless devices is updated to support strong encryption for authentication over wireless networks and transmission over wireless networks. Review the vendor documentation and review the wireless configuration settings to verify that all security related wireless vendor default values were changed where applicable.

Unencrypted Traffic on Wireless Network - Rule
2.2.1 Select a sample of system components and inspect the system configurations to verify that only one primary function is implemented for each server. If you use virtualization technologies, inspect the system configurations to verify that only one primary function is implemented for each virtual system component or device. Endpoint - Multiple Primary Functions Detected - Rule
2.2.2 Select a sample of system components and inspect the enabled system services, daemons, and protocols to verify that only the required services or protocols are enabled. Review all enabled insecure services, daemons, or protocols and interview personnel to verify that they are justified based on the documented configuration standards.
  • System Misconfigured - Rule
  • Endpoint - Prohibited Process Detection - Rule
  • Endpoint - Prohibited Service Detection - Rule
2.2.3 Inspect the configuration settings to verify that all security features are documented and implemented for all the insecure services, daemons, or protocols.
  • System Misconfigured - Rule
  • Weak Encrypted Communication Detected - Rule
2.2.4 Interview the system administrators and security managers to verify that they know the common security parameter settings for system components. Review the system configuration standards to verify that the common security parameter settings are included. Select a sample of system components and inspect the common security parameters to verify that they are configured based on the configuration standards.
  • System Misconfigured - Rule
  • Prohibited or Insecure Port Detected - Rule
  • Endpoint - Prohibited Process Detection - Rule
  • Endpoint - Prohibited Service Detection - Rule
2.3.0 Select a sample of system components and verify that non-console administrative access is encrypted using the following guidelines:
  • Review the administrator log on each system and review the system configurations to verify that a strong encryption method is invoked before the administrator's password is requested.
  • Review the services and parameter files on the systems to determine that Telnet and other insecure remote login commands are not available for non-console access.
  • Review the administrator log on each system to verify that administrator access to any web-based management interfaces is encrypted with strong cryptography.
  • Review vendor documentation and interview personnel to verify that strong cryptography for the technology in use is implemented according to industry best practices and vendor recommendations."
  • Weak Encrypted Communication Detected - Rule
  • Access - Insecure Or Cleartext Authentication - Rule
Requirement 3: Protect stored account data 3.3.0 Review the written policies and procedures used to mask the display of PANs and verify the following:
  • A list of roles that need access to more than the first six or the last four (including full PAN) is documented. Additionally, a legitimate business need for each role to get this access must also be documented.
  • PAN must be masked when displayed so that only personnel with a legitimate business need can view more than the first six or the last four digits of the PAN.
  • All roles that are not specifically authorized to see the full PAN can only see the masked PANs.
  • Review the system configurations to verify that the full PAN is only displayed for users and roles that have a documented business need. Additionally, PAN must be masked for all other requests.
  • Review displays of PAN to verify that PANs are masked when displaying cardholder data, and that only those personnel with a legitimate business need are able to see more than the first six or the last four digits of the PAN.
 Credit Card Data Transmitted In Clear - Rule
3.4.d Review a sample of audit logs, including payment application logs, to confirm that PAN is rendered unreadable or is not present in the logs. Audit - Personally Identifiable Information Detection - Rule
Requirement 4: Protect cardholder data with strong cryptography during transmission over open, public networks 4.1.0 "Identify all locations where cardholder data is transmitted or received over open, public networks. Review documented standards and compare to system configurations to verify the use of security protocols and strong cryptography for all locations.

Review documented policies and procedures to verify processes are specified for acceptance of only trusted keys and/or certificates, protocol in use to only support secure versions and configurations, implementation of proper encryption strength per the encryption methodology in use. Select and observe a sample of inbound and outbound transmissions as they occur to verify that all cardholder data is encrypted with strong cryptography during transit. Review the keys and certificates to verify that only trusted keys and/or certificates are accepted. Review the system configurations to verify that the protocol is implemented to use only secure configurations and does not support insecure versions or configurations. Review the system configurations to verify that the proper encryption strength is implemented for the encryption methodology in use."

  • Weak Encrypted Communication Detected - Rule
  • Credit Card Data Transmitted In Clear - Rule
  • Endpoint - Prohibited Process Detection - Rule
  • Endpoint - Prohibited Service Detection - Rule
4.2.0 If the end-user messaging technologies are used to send cardholder data, review the processes for sending PAN. Review a sample of outbound transmissions as they occur to verify that PAN is rendered unreadable or is secured with strong cryptography whenever it is sent using end-user messaging technologies. Review the written policies to verify that the policies require unprotected PANs to not be sent using end-user messaging technologies. Credit Card Data Transmitted In Clear - Rule
Requirement 5: Protect all systems and networks from malicious software 5.1.1 Review the vendor documentation and review anti-virus configurations to verify that anti-virus programs detect, remove, and protect against all known types of malicious software.
  • Endpoint - Outbreak Observed - Rule
  • Endpoint - Recurring Malware Infection - Rule
5.1.2 Interview personnel to verify that evolving malware threats are monitored and evaluated for systems even though they might not be impacted by malicious software to ensure that these systems do not require anti-virus software.
  • Endpoint - Anomalous New Processes - Rule
  • Endpoint - Anomalous New Services - Rule
  • Network - Substantial Increase in an Event - Rule
  • Network - Substantial Increase in Port Activity (By Destination) - Rule
5.2.0 Review the policies and procedures to verify they indicate that anti-virus software and definitions must be up to date.

Review the anti-virus configurations, including the master installation of the software to verify anti-virus mechanisms are configured to perform automatic updates and periodic scans. Review a sample of system components, including all operating system types commonly affected by malicious software, to verify that the anti-virus software and definitions are current and periodic scans are performed. Review the anti-virus configurations, including the master installation of the software and a sample of system components, to verify that anti-virus software log generation is enabled and logs are retained in accordance with PCI DSS 10.7.

  • Inactive Antivirus Client Detected - Rule
  • Endpoint - High Number of Hosts Not Updating Malware Signatures - Rule
5.3.0 Review the anti-virus configurations, including the master installation of the software and a sample of system components, to verify the following:
  • anti-virus software is actively running
  • anti-virus software cannot be disabled or altered by users

Interview responsible personnel and observe processes to verify that anti-virus software cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.

  • Inactive Antivirus Client Detected - Rule
  • Endpoint - High Number of Hosts Not Updating Malware Signatures - Rule
5.3.4 Review anti-malware solutions configurations to verify that logs are enabled and retained in accordance with Requirement 10.5.1. Track the effectiveness of the anti-malware mechanisms by confirming that updates and scans are performed as expected and malware is identified and addressed. Audit logs also allow an entity to determine how malware entered the environment and track its activity when inside the entity's network.
  • Intrusion detection data is not ingested in the last 1 hour
5.3.2c
  • Anti-malware scan incomplete or did not run - Rule
5.3.3b
  • Anti-malware disabled on host with removable electronic media connected - Rule
5.2.1a and 5.2.3c
  • Anti-malware solution(s) not detected on system - Rule
Requirement 6: Develop and maintain secure systems and software 6.1 Review the the policies and procedures to verify that processes are defined for the following:
  • To identify new security vulnerabilities
  • To assign a risk ranking to vulnerabilities that includes identification of all high risk and critical vulnerabilities
  • To use reputable outside sources for security vulnerability information

Interview responsible personnel and observe processes to verify the following:

  • New security vulnerabilities are identified
  • A risk ranking is assigned to vulnerabilities that includes identification of all high risk and critical vulnerabilities
  • Processes to identify new security vulnerabilities include using reputable outside sources for security vulnerability information
  • Anomalous Update Service Detected - Rule
  • High/Critical Update Missing - Rule
6.2 Review the policies and procedures related to security patch installation to verify that processes are defined for the installation of applicable critical vendor-supplied security patches within one month of release or within an appropriate timeframe.

For a sample of system components and related software, compare the list of security patches installed on each system to the most recent vendor security-patch list. and verify that applicable critical vendor-supplied security patches are installed within one month of release or within an appropriate time frame.

  • Anomalous Update Service Detected - Rule
  • High/Critical Update Missing - Rule
6.3.1 Review the written software-development procedures and interview responsible personnel to verify that pre-production and custom application accounts, user IDs, and passwords are removed before an application goes into production or is released to customers. Access - Default Account Usage - Rule
6.3.3a Medium and low security in more than 30 days - Rule
6.3 Open High Vulnerabilities in the last 60 days - Rule
6.3 Open Critical Vulnerabilities in the last 30 days - Rule
6.4.1 For public-facing web applications, review that either one of the required methods is in place as follows:
  • If manual or automated security assessment tools or methods are used, examine documented processes, interview personnel, and records of application security assessments to verify that public-facing web applications are reviewed.
  • If an automated technical solution is installed that continually detects and prevents web-based attacks, examine the system configuration settings and audit logs, and interview responsible personnel to verify that the automated technical solution is installed.

Common assessment tools include specialized web scanners that perform automatic analysis of web application protection. When using automated technical solutions, it is important to include processes that facilitate timely responses to alerts generated by the solutions so that any detected attacks can be mitigated.

No vulnerability logging with patch info in last 7 days - Rule
6.4.2 For public-facing web applications, review the system configuration settings and audit logs, and interview responsible personnel to verify that an automated technical solution that detects and prevents web-based attacks is in place When using automated technical solutions, it is important to include processes that facilitate timely responses to alerts generated by the solutions so that any detected attacks can be mitigated. Such solutions may also be used to automate mitigation, for example rate-limiting controls, which can be implemented to mitigate against brute-force attacks and enumeration attacks. Web data was not logged in last 7 days - Rule
Requirement 7: Restrict access to system components and cardholder data 7.1 Review the written policy for access control and verify that the policy incorporates the following requirements:
  • Defining access needs and privilege assignments for each role
  • Restriction of access to privileged user IDs to the minimum level necessary to perform job responsibilities
  • Assignment of access based on individual personnel's job classification and function
  • Documented approval by authorized parties for all access, including the listing of the specific privileges approved.
  • Access - Brute Force Access Behavior Detected - Rule
  • Access - Excessive Failed Logins - Rule
  • Access - Inactive Account Usage - Rule
7.2 Review the system settings and vendor documentation to verify that an access control system is implemented.
  • Access - Brute Force Access Behavior Detected - Rule
  • Access - Excessive Failed Logins - Rule
  • Access - Inactive Account Usage - Rule
Requirement 8: Identify users and authenticate access to system components 8.1.4 Review the user accounts to verify that any inactive accounts over 90 days old are either removed or disabled. Access - Completely Inactive Account - Rule
Requirement 8: Identify users and authenticate access to system components 8.2.4 Review documented authorizations across various phases of the account lifecycle such as additions, modifications, and deletions. Additionally, examine system settings to verify the activity is managed such that only authorized accounts can perform functions, actions are auditable, and privileges are limited to only what is required.
  1. Addition of user IDs without approvals - Rule
  2. Modification of user IDs without approvals - Rule
  3. Deletion of user IDs without approvals - Rule
8.3 Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication.
  1. Privileged Authentication Without Multifactor - Rule
  2. All Authentication without multi-factor
8.3.4a For user account lockout after 10 invalid login attempts, review system configuration settings to verify that authentication parameters are set such that user accounts are locked out after not more than 10 invalid log on attempts. Examine system configuration settings to verify that password parameters are set to require that once a user account is locked out, it remains locked for a minimum of 30 minutes or until the user's identity is confirmed.
  1. Privileged Authentication Without Multifactor - Rule
  2. All Authentication without multi-factor
8.3.10.1 If passwords/passphrases are used as the only authentication factor for customer user access, inspect system configuration settings to verify that passwords or passphrases are managed in accordance with one of the elements specified in this requirement. Periodically changing passwords offers less time for a malicious individual to crack a password/passphrase and less time to use a compromised password. Dynamically analyzing an account's security posture is another option that allows for more rapid detection and response to address potentially compromised credentials. Such analysis takes a number of data points which might include device integrity, location, access times, and the resources accessed to determine in real time whether an account can be granted access to a requested resource. In this way, access can be denied and accounts blocked if it is suspected that account credentials have been compromised. Sample set of users showing password changes for every 90 days - Rule
8.4 Review the procedures and interview personnel to verify that authentication policies and procedures are distributed to all users.

Review authentication policies and procedures that are distributed to the users and verify that they include the following:

  • Guidance on selecting strong authentication credentials
  • Guidance on how users can protect their authentication credentials
  • Instructions for users not to reuse previously used passwords
  • Instructions to change passwords in case of suspicion that the password can be compromised

Interview a sample of users to verify that they are familiar with the authentication policies and procedures.

8.4. 1 and 8.4.1b Review network and system configurations to verify that MFA is required for all non-console into the cardholder data environment (CDE) for personnel with administrative access. Monitor administrator personnel logging into the CDE and verify that MFA is required. Requiring more than one type of authentication factor reduces the probability that an attacker can gain access to a system by masquerading as a legitimate user. Access to CDE without MFA/2FA - Rule
8.5.0 For a sample of system components, review that the user ID lists and verify the following:
  • Generic user IDs are disabled or removed
  • Shared user IDs for system administration activities and other critical functions do not exist
  • Shared and generic user IDs are not used to administer any system components

Review the authentication policies and procedures to verify that authentication credentials do not use group IDs, shared IDs, passwords, and other authentication methods. Interview system administrators to verify that group, shared IDs, passwords, and other authentication methods are not distributed, even if requested

  1. Access - Account Deleted - Rule
  2. MFA replay attack detected - Rule
8.5.1 Review the authentication policies and procedures and interview personnel to verify that different authentication credentials are used to access each customer. Access - Account Deleted - Rule
Requirement 9: Restrict physical access to cardholder data 9.3.0 For a sample of onsite personnel with physical access to sensitive areas, interview responsible personnel and observe access control lists to verify that:
  • Access to the sensitive area is authorized
  • Access is required for the individual's job function

Observe personnel accessing sensitive areas to verify that all personnel are authorized before being granted access. Select a sample of recently terminated employees and review access control lists to verify that the personnel do not have physical access to sensitive areas.

Identity - Activity from Expired User Identity - Rule
Requirement 10: Log and monitor all access to system components and cardholder data 10.1.0 Verify through observation and interviewing the system administrator that the following conditions are met:
  • Audit trails are enabled and active for system components
  • Access to system components is linked to individual users.
 Audit - Expected Host Not Reporting - Rule
10.2.1 Verify that all individual access to cardholder data is logged. Access - Default Accounts At Rest - Rule
10.2.6 Verify that the following are logged:
  • Initialization of audit logs
  • Stopping or pausing of audit logs
 Audit - Anomalous Audit Trail Activity Detected - Rule
10.4.0 Review the configuration standards and processes to verify that time-synchronization technology is implemented and is current based on the PCI DSS Requirements 6.1 and 6.2. Endpoint - Should Timesync Host Not Syncing - Rule
10.4.1 Review the process to acquire, distribute, and store the correct time within the organization and verify the following:
  • Only the designated central time servers receive time signals from external sources, and time signals from external sources are based on the International Atomic Time or UTC
  • If there is more than one designated time server, the time servers peer with one another to keep accurate time
  • Systems receive time information only from designated central time servers
 Endpoint - Should Timesync Host Not Syncing - Rule
10.6.0 Review logs and security events for all system components to identify anomalies or suspicious activity. Audit - Anomalous Audit Trail Activity Detected - Rule
10.7.0 Review logs to detect and report failures of critical security control systems. Data logging for all the listed solution in last 6 hrs - Rule
Requirement 11: Test security of systems and networks regularly 11.1.0 Review the policies and procedures to verify that processes are defined for detection and identification of both authorized and unauthorized wireless access points on a quarterly basis.

Verify that the methodology is adequate to detect and identify any unauthorized wireless access points, including the following:

  • WLAN cards inserted into system components
  • Portable or mobile devices attached to system components to create a wireless access point
  • Wireless devices attached to a network port or network device.

If wireless scanning is utilized, review that the output from the recent wireless scans verify the following:

  • Authorized and unauthorized wireless access points are identified
  • The scan is performed at least quarterly for all system components and facilities

When automated monitoring is utilized, verify that the configuration generates alerts to notify personnel.

Rogue Wireless Device - Rule
11.3
  1. Review internal scan report results from the last 12 months to verify that internal scans occurred at least once every three months in the most recent 12-month period.
  2. Examine internal scan report results from each scan and re-scan run in the last 12 months to verify that all high-risk and critical vulnerabilities are resolved.
  3. Examine scan tool configurations and interview personnel to verify that the scan tool is kept up to date with the latest vulnerability information.
  4. Interview responsible personnel to verify that the scan was performed by a qualified internal resources or qualified external third party and that organizational independence of the tester exists.
 Open High Vulnerabilities in the last 60 days - Rule

Open Critical Vulnerabilities in the last 30 days - Rule

11.3.1 Review internal scan report results from the last 12 months to verify that internal scans occurred at least once every three months in the most recent 12-month period. Examine internal scan report results from each scan and re-scan in the last 12 months to verify that all high-risk and critical vulnerabilities are resolved. Examine scan tool configurations and interview personnel to verify that the scan tool is kept up to date with the latest vulnerability information. Interview responsible personnel to verify that the scan was performed by a qualified internal resource(s) or qualified external third party and that organizational independence of the tester exists. Vulnerability scan is older than 3 months - Rule
11.4.0 Review the system configurations and network diagrams to verify that all traffic is monitored at the perimeter and at the critical points in the cardholder data environment.

Review the system configurations and interview responsible personnel to confirm that the intrusion detection and intrusion prevention techniques alert personnel of suspected compromises. Review the IDS/IPS configurations and vendor documentation to verify that the intrusion detection and the intrusion prevention techniques are configured, maintained, and updated based on vendor instructions to ensure optimal protection.

  • Network - Substantial Increase in an Event - Rule
  • Network - Vulnerability Scanner Detection (by event) - Rule
  • Network - Vulnerability Scanner Detection (by targets) - Rule

You can map new or existing correlation searches to the relevant PCI DSS controls by adding governance to the search. For more information, see Add governance to a correlation search.

Last modified on 01 May, 2024
Search macros   Updates to detection rules and reports by requirements

This documentation applies to the following versions of Splunk® App for PCI Compliance: 5.3.1, 5.3.2

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters