Splunk® App for PCI Compliance

User Manual


Detection rules for PCI compliance monitoring

The following table lists the PCI DSS 3.2.1 requirements for each governance control and the detection rules (correlation searches) in the Splunk App for PCI Compliance and Splunk Enterprise Security that help you monitor them. In addition to these default detection rules, the Splunk App for PCI Compliance provides scorecards and reports that support PCI compliance for each of the requirements.

The effectiveness of the detection rules depends on your data availability and your ability to meet these requirements. Your use of the PCI app is not an assurance of compliance.

PCI requirement | Governance control | PCI requirements | Supported correlation search
Requirement 1: Install and maintain network security controls 1.1.1 Verify that you have a formal process to test and approve all network connections and changes to firewall and router configurations. Interview the responsible personnel and review your records to get a sample of network connections and to verify that all network connections are approved and tested. Network - Policy Or Configuration Change - Rule
1.1.4 Review the firewall configuration standards to verify that the standards require a firewall at each internet connection and between any demilitarized zone network (DMZ) and the internal network zone.

Verify that the current network diagram is consistent with the firewall configuration standards. Verify network configurations to ensure that a firewall is available for each internet connection and between any demilitarized zone (DMZ) and the internal network zone, in accordance with the documented configuration standards and network diagrams.

Asset - Asset Ownership Unspecified - Rule
1.2.1 Review the firewall and router configuration standards to verify that they identify inbound and outbound traffic that is required for the cardholder data environment.

Also, verify that the inbound and outbound traffic is limited to what is essential to the cardholder data environment. Additionally, verify that all other inbound and outbound traffic is denied.

Unauthorized or Insecure Communication Permitted - Rule
1.2.2 Review the router configuration files to verify that they are secure from unauthorized access. Additionally, review the router configurations to verify that they are synchronized. Network - Network Device Rebooted - Rule
1.2.3 Review the firewall and router configurations to verify that perimeter firewalls are installed between all wireless networks and the cardholder data environment. Additionally, verify that the firewalls deny all unauthorized access. If traffic is necessary for business purposes, the firewalls must permit only authorized traffic between the wireless environment and the cardholder data environment. Unauthorized Wireless Device Detected - Rule
1.3.2 Review the firewall and router configurations to verify that the inbound internet traffic is limited to IP addresses within the DMZ. Unauthorized or Insecure Communication Permitted - Rule
1.3.3 Review the firewall and router configurations to verify that anti-spoofing measures are implemented. For example, ensure that internal addresses do not pass from the internet into the DMZ. Unauthorized or Insecure Communication Permitted - Rule
1.3.4 Review the firewall and router configurations to verify that the outbound traffic from the cardholder data environment to the internet is explicitly authorized. Unauthorized or Insecure Communication Permitted - Rule
1.3.5 Review the firewall and router configurations to verify that the firewall permits only established connections into the internal network and denies any inbound connections that are not associated with a previously established session. Unauthorized or Insecure Communication Permitted - Rule
Requirement 2: Apply secure configurations to all system components 2.1.0 Select a sample of system components and try to log onto the devices and applications using default vendor-supplied accounts and passwords to verify that all default passwords are changed. For this sample of system components, verify that all unnecessary default accounts are removed or disabled. Also, interview personnel and review supporting documentation to verify that all the vendor defaults are changed before a system is installed on the network. Additionally, verify that all redundant default accounts are removed or disabled before a system is installed on the network.
  • Access - Default Account Usage - Rule
  • Access - Default Accounts At Rest - Rule
2.1.1 Interview personnel and review supporting documentation to verify that the encryption keys are changed from their default value during installation. Ensure that the encryption keys are changed every time that an employee, who has knowledge of the keys, leaves the company or changes role.

Interview personnel and review policies and procedures to verify that the requirements include changing the default SNMP community strings upon installation. Additionally, ensure that the default passwords or passphrases on access points are also changed upon installation. Review the vendor documentation and log in to wireless devices with assistance from the system administrator to verify that the default SNMP community strings are not used. Also, ensure that the default passwords or passphrases on access points are not used. Review the vendor documentation and review the wireless configuration settings to verify that the firmware on wireless devices is updated to support strong encryption for authentication and transmission over wireless networks. Review the vendor documentation and review the wireless configuration settings to verify that all security-related wireless vendor default values were changed where applicable.

Unencrypted Traffic on Wireless Network - Rule
2.2.1 Select a sample of system components and inspect the system configurations to verify that only one primary function is implemented for each server. If you use virtualization technologies, inspect the system configurations to verify that only one primary function is implemented for each virtual system component or device. Endpoint - Multiple Primary Functions Detected - Rule
2.2.2 Select a sample of system components and inspect the enabled system services, daemons, and protocols to verify that only the required services or protocols are enabled. Review all enabled insecure services, daemons, or protocols and interview personnel to verify that they are justified based on the documented configuration standards.
  • System Misconfigured - Rule
  • Endpoint - Prohibited Process Detection - Rule
  • Endpoint - Prohibited Service Detection - Rule
2.2.3 Inspect the configuration settings to verify that all security features are documented and implemented for all the insecure services, daemons, or protocols.
  • System Misconfigured - Rule
  • Weak Encrypted Communication Detected - Rule
2.2.4 Interview the system administrators and security managers to verify that they know the common security parameter settings for system components. Review the system configuration standards to verify that the common security parameter settings are included. Select a sample of system components and inspect the common security parameters to verify that they are configured based on the configuration standards.
  • System Misconfigured - Rule
  • Prohibited or Insecure Port Detected - Rule
  • Endpoint - Prohibited Process Detection - Rule
  • Endpoint - Prohibited Service Detection - Rule
2.3.0 Select a sample of system components and verify that non-console administrative access is encrypted using the following guidelines:
  • Review the administrator log on each system and review the system configurations to verify that a strong encryption method is invoked before the administrator's password is requested.
  • Review the services and parameter files on the systems to determine that Telnet and other insecure remote login commands are not available for non-console access.
  • Review the administrator log on each system to verify that administrator access to any web-based management interfaces is encrypted with strong cryptography.
  • Review vendor documentation and interview personnel to verify that strong cryptography for the technology in use is implemented according to industry best practices and vendor recommendations.
  • Weak Encrypted Communication Detected - Rule
  • Access - Insecure Or Cleartext Authentication - Rule
Requirement 3: Protect stored account data 3.3.0 Review the written policies and procedures used to mask the display of PANs and verify the following:
  • A list of roles that need access to more than the first six or the last four digits of the PAN (including the full PAN) is documented. Additionally, a legitimate business need for each role to get this access must also be documented.
  • PAN must be masked when displayed so that only personnel with a legitimate business need can view more than the first six or the last four digits of the PAN.
  • All roles that are not specifically authorized to see the full PAN can only see the masked PANs.
  • Review the system configurations to verify that the full PAN is only displayed for users and roles that have a documented business need. Additionally, PAN must be masked for all other requests.
  • Review displays of PAN to verify that PANs are masked when displaying cardholder data, and that only those personnel with a legitimate business need are able to see more than the first six or the last four digits of the PAN.
Credit Card Data Transmitted In Clear - Rule
3.4.d Review a sample of audit logs, including payment application logs, to confirm that PAN is rendered unreadable or is not present in the logs. Audit - Personally Identifiable Information Detection - Rule
Requirement 4: Protect cardholder data with strong cryptography during transmission over open, public networks 4.1.0 Identify all locations where cardholder data is transmitted or received over open, public networks. Review documented standards and compare them to system configurations to verify the use of security protocols and strong cryptography for all locations.

Review documented policies and procedures to verify that processes are specified for the following: acceptance of only trusted keys and/or certificates, use of a protocol that supports only secure versions and configurations, and implementation of the proper encryption strength for the encryption methodology in use. Select and observe a sample of inbound and outbound transmissions as they occur to verify that all cardholder data is encrypted with strong cryptography during transit. Review the keys and certificates to verify that only trusted keys and/or certificates are accepted. Review the system configurations to verify that the protocol is implemented to use only secure configurations and does not support insecure versions or configurations. Review the system configurations to verify that the proper encryption strength is implemented for the encryption methodology in use.

  • Weak Encrypted Communication Detected - Rule
  • Credit Card Data Transmitted In Clear - Rule
  • Endpoint - Prohibited Process Detection - Rule
  • Endpoint - Prohibited Service Detection - Rule
4.2.0 If the end-user messaging technologies are used to send cardholder data, review the processes for sending PAN. Review a sample of outbound transmissions as they occur to verify that PAN is rendered unreadable or is secured with strong cryptography whenever it is sent using end-user messaging technologies. Review the written policies to verify that the policies require unprotected PANs to not be sent using end-user messaging technologies. Credit Card Data Transmitted In Clear - Rule
Requirement 5: Protect all systems and networks from malicious software 5.1.1 Review the vendor documentation and review anti-virus configurations to verify that anti-virus programs detect, remove, and protect against all known types of malicious software.
  • Endpoint - Outbreak Observed - Rule
  • Endpoint - Recurring Malware Infection - Rule
5.1.2 Interview personnel to verify that evolving malware threats are monitored and evaluated for systems that are considered not to be affected by malicious software, to confirm that these systems continue not to require anti-virus software.
  • Endpoint - Anomalous New Processes - Rule
  • Endpoint - Anomalous New Services - Rule
  • Network - Substantial Increase in an Event - Rule
  • Network - Substantial Increase in Port Activity (By Destination) - Rule
5.2.0 Review the policies and procedures to verify they indicate that anti-virus software and definitions must be up to date.

Review the anti-virus configurations, including the master installation of the software to verify anti-virus mechanisms are configured to perform automatic updates and periodic scans. Review a sample of system components, including all operating system types commonly affected by malicious software, to verify that the anti-virus software and definitions are current and periodic scans are performed. Review the anti-virus configurations, including the master installation of the software and a sample of system components, to verify that anti-virus software log generation is enabled and logs are retained in accordance with PCI DSS 10.7.

  • Inactive Antivirus Client Detected - Rule
  • Endpoint - High Number of Hosts Not Updating Malware Signatures - Rule
5.3.0 Review the anti-virus configurations, including the master installation of the software and a sample of system components, to verify the following:
  • anti-virus software is actively running
  • anti-virus software cannot be disabled or altered by users

Interview responsible personnel and observe processes to verify that anti-virus software cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.

  • Inactive Antivirus Client Detected - Rule
  • Endpoint - High Number of Hosts Not Updating Malware Signatures - Rule
Requirement 6: Develop and maintain secure systems and software 6.1 Review the policies and procedures to verify that processes are defined for the following:
  • To identify new security vulnerabilities
  • To assign a risk ranking to vulnerabilities that includes identification of all high risk and critical vulnerabilities
  • To use reputable outside sources for security vulnerability information

Interview responsible personnel and observe processes to verify the following:

  • New security vulnerabilities are identified
  • A risk ranking is assigned to vulnerabilities that includes identification of all high risk and critical vulnerabilities
  • Processes to identify new security vulnerabilities include using reputable outside sources for security vulnerability information
  • Anomalous Update Service Detected - Rule
  • High/Critical Update Missing - Rule
6.2 Review the policies and procedures related to security patch installation to verify that processes are defined for the installation of applicable critical vendor-supplied security patches within one month of release or within an appropriate time frame.

For a sample of system components and related software, compare the list of security patches installed on each system to the most recent vendor security-patch list, and verify that applicable critical vendor-supplied security patches are installed within one month of release or within an appropriate time frame.

  • Anomalous Update Service Detected - Rule
  • High/Critical Update Missing - Rule
6.3.1 Review the written software-development procedures and interview responsible personnel to verify that pre-production and custom application accounts, user IDs, and passwords are removed before an application goes into production or is released to customers. Access - Default Account Usage - Rule
Requirement 7: Restrict access to system components and cardholder data 7.1 Review the written policy for access control and verify that the policy incorporates the following requirements:
  • Defining access needs and privilege assignments for each role
  • Restriction of access to privileged user IDs to the minimum level necessary to perform job responsibilities
  • Assignment of access based on individual personnel's job classification and function
  • Documented approval by authorized parties for all access, including the listing of the specific privileges approved.
  • Access - Brute Force Access Behavior Detected - Rule
  • Access - Excessive Failed Logins - Rule
  • Access - Inactive Account Usage - Rule
7.2 Review the system settings and vendor documentation to verify that an access control system is implemented.
  • Access - Brute Force Access Behavior Detected - Rule
  • Access - Excessive Failed Logins - Rule
  • Access - Inactive Account Usage - Rule
Requirement 8: Identify users and authenticate access to system components 8.1.4 Review the user accounts to verify that any inactive accounts over 90 days old are either removed or disabled. Access - Completely Inactive Account - Rule
8.3 Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication. Privileged Authentication Without Multifactor - Rule
8.4 Review the procedures and interview personnel to verify that authentication policies and procedures are distributed to all users.

Review authentication policies and procedures that are distributed to the users and verify that they include the following:

  • Guidance on selecting strong authentication credentials
  • Guidance on how users can protect their authentication credentials
  • Instructions for users not to reuse previously used passwords
  • Instructions to change passwords in case of suspicion that the password can be compromised

Interview a sample of users to verify that they are familiar with the authentication policies and procedures.

8.5.0 For a sample of system components, review the user ID lists and verify the following:
  • Generic user IDs are disabled or removed
  • Shared user IDs for system administration activities and other critical functions do not exist
  • Shared and generic user IDs are not used to administer any system components

Review the authentication policies and procedures to verify that group IDs, shared IDs, shared passwords, and other shared authentication methods are not used. Interview system administrators to verify that group and shared IDs, passwords, and other authentication methods are not distributed, even if requested.

Access - Account Deleted - Rule
8.5.1 Review the authentication policies and procedures and interview personnel to verify that different authentication credentials are used to access each customer. Access - Account Deleted - Rule
Requirement 9: Restrict physical access to cardholder data 9.3.0 For a sample of onsite personnel with physical access to sensitive areas, interview responsible personnel and observe access control lists to verify that:
  • Access to the sensitive area is authorized
  • Access is required for the individual's job function

Observe personnel accessing sensitive areas to verify that all personnel are authorized before being granted access. Select a sample of recently terminated employees and review access control lists to verify that the personnel do not have physical access to sensitive areas.

Identity - Activity from Expired User Identity - Rule
Requirement 10: Log and monitor all access to system components and cardholder data 10.1.0 Verify through observation and interviewing the system administrator that the following conditions are met:
  • Audit trails are enabled and active for system components
  • Access to system components is linked to individual users
Audit - Expected Host Not Reporting - Rule
10.2.1 Verify that all individual access to cardholder data is logged. Access - Default Accounts At Rest - Rule
10.2.6 Verify that the following are logged:
  • Initialization of audit logs
  • Stopping or pausing of audit logs
Audit - Anomalous Audit Trail Activity Detected - Rule
10.4.0 Review the configuration standards and processes to verify that time-synchronization technology is implemented and is current based on the PCI DSS Requirements 6.1 and 6.2. Endpoint - Should Timesync Host Not Syncing - Rule
10.4.1 Review the process to acquire, distribute, and store the correct time within the organization and verify the following:
  • Only the designated central time servers receive time signals from external sources, and time signals from external sources are based on the International Atomic Time or UTC
  • If there is more than one designated time server, the time servers peer with one another to keep accurate time
  • Systems receive time information only from designated central time servers
Endpoint - Should Timesync Host Not Syncing - Rule
10.6.0 Review logs and security events for all system components to identify anomalies or suspicious activity. Audit - Anomalous Audit Trail Activity Detected - Rule
Requirement 11: Test security of systems and networks regularly 11.1.0 Review the policies and procedures to verify that processes are defined for detection and identification of both authorized and unauthorized wireless access points on a quarterly basis.

Verify that the methodology is adequate to detect and identify any unauthorized wireless access points, including the following:

  • WLAN cards inserted into system components
  • Portable or mobile devices attached to system components to create a wireless access point
  • Wireless devices attached to a network port or network device

If wireless scanning is utilized, review the output from the recent wireless scans to verify the following:

  • Authorized and unauthorized wireless access points are identified
  • The scan is performed at least quarterly for all system components and facilities

When automated monitoring is utilized, verify that the configuration generates alerts to notify personnel.

Rogue Wireless Device - Rule
11.4.0 Review the system configurations and network diagrams to verify that all traffic is monitored at the perimeter and at the critical points in the cardholder data environment.

Review the system configurations and interview responsible personnel to confirm that the intrusion detection and intrusion prevention techniques alert personnel of suspected compromises. Review the IDS/IPS configurations and vendor documentation to verify that the intrusion detection and the intrusion prevention techniques are configured, maintained, and updated based on vendor instructions to ensure optimal protection.

  • Network - Substantial Increase in an Event - Rule
  • Network - Vulnerability Scanner Detection (by event) - Rule
  • Network - Vulnerability Scanner Detection (by targets) - Rule

You can map new or existing correlation searches to the relevant PCI DSS controls by adding governance to the search. For more information, see Add governance to a correlation search.

Last modified on 12 December, 2023

This documentation applies to the following versions of Splunk® App for PCI Compliance: 5.1.1, 5.1.2, 5.2.0, 5.3.0

