Compliance with the PCI DSS (a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures) is an ongoing process, not a "set-it-and-forget-it" project. Maintaining compliance means regularly identifying the areas in which your organization is not compliant. You can also use the PCI DSS requirements as a framework for addressing key information security issues and risks, including those raised by other relevant regulations (e.g., HIPAA, GLBA, state privacy/disclosure laws, CALEA). Beyond maintaining compliance, periodic self-assessment is an important tool for identifying areas that need improvement, and it can reduce costs if an assessor is later required to validate PCI DSS compliance.
Both trial and full versions of the HS-PCI module include the ability to audit EFT Server for compliance with the PCI DSS requirements. EFT Server's Auditing and Reporting module (ARM) scans all PCI DSS requirements addressed in EFT Server, and reports on the compliance status of each (Pass, Fail, or Warning). The report also provides a description of the requirement tested for each item. For failed requirements, the report presents a reason the non-compliant setting was used, if you provided one at the time that particular setting was disabled/changed.
The ARM stores the PCI DSS violations. If the ARM is disabled, violations are still recorded and you can still run the compliance report; however, the justifications that you type when you accept a non-compliant setting are not stored in the database, so they do not appear in the report.
Failed items are reported only at the highest level at which the failure occurs, unless a setting is explicitly changed to a non-compliant value at a lower level; an explicit non-compliant setting is always reported for the object on which it was set. For example:
If a Site failed compliance because Enforce strong (complex) passwords was disabled, the report is generated for the entire Site.
If Enforce strong (complex) passwords was enabled for the Site, but was disabled for a User Setting Level, the report is generated for the User Settings Level.
If Enforce strong (complex) passwords was enabled at the Site and User Setting Level, but disabled for some users, EFT Server reports for each of those users.
If Enforce strong (complex) passwords was disabled at the Site level, enabled at the User Setting Level, and disabled for a user (as shown below), violations are reported both for the Site and for the user account that is in violation.
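The four cases above follow one rule: a Site, User Settings Level, or User is reported when it explicitly sets the setting to a non-compliant value, while objects that merely inherit a non-compliant value are covered by the report for the level above them. The following is an added illustration of that rule, written for this page; it is not EFT Server code and does not use the EFT Server API. The tree model (one Site, one User Settings Level, two users), the node names, the justification text, and the treatment of ARM being disabled (the report entry is produced but its reason is dropped) are all constructed assumptions based on the description above.

```python
"""Hierarchical reporting of one PCI DSS-related setting.

Constructed model, not EFT Server code: the Site sets the value explicitly;
each User Settings Level and each User either sets it explicitly (True/False)
or inherits it (None) from its parent. A Fail entry is produced for every node
whose *explicit* setting violates the requirement; a node that only inherits a
non-compliant value is covered by the entry for the level that set it.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

REQUIREMENT = "Enforce strong (complex) passwords"  # the setting used in the text
COMPLIANT_VALUE = True                                # the setting must be enabled


@dataclass
class Node:
    name: str
    kind: str                            # "Site", "User Settings Level" or "User"
    setting: Optional[bool]              # True/False = explicit, None = inherit
    justification: Optional[str] = None  # reason typed when accepting a non-compliant value
    children: List["Node"] = field(default_factory=list)


def effective_setting(node: Node, inherited: Optional[bool]) -> bool:
    """Value actually in force at this node after inheritance is applied."""
    value = inherited if node.setting is None else node.setting
    if value is None:
        raise ValueError(f"{node.name}: the Site must set the value explicitly")
    return value


def compliance_report(node: Node, arm_enabled: bool = True,
                      inherited: Optional[bool] = None,
                      out: Optional[List[Dict[str, Optional[str]]]] = None
                      ) -> List[Dict[str, Optional[str]]]:
    """Walk the Site tree and collect one Fail entry per node that explicitly
    disables the setting. Justifications are kept only while ARM is enabled,
    because ARM is what stores them (assumption modelled from the text)."""
    out = [] if out is None else out
    value = effective_setting(node, inherited)
    if node.setting is not None and node.setting != COMPLIANT_VALUE:
        out.append({
            "level": node.kind,
            "name": node.name,
            "requirement": REQUIREMENT,
            "status": "Fail",
            "reason": node.justification if arm_enabled else None,
        })
    for child in node.children:
        compliance_report(child, arm_enabled, value, out)
    return out


def _tree(site: bool, level: Optional[bool],
          alice: Optional[bool], bob: Optional[bool]) -> Node:
    """Constructed Site -> one User Settings Level -> two users."""
    reason = "legacy clients cannot meet the policy" if site is False else None
    return Node("Site", "Site", site, reason, [
        Node("Level", "User Settings Level", level, children=[
            Node("alice", "User", alice),
            Node("bob", "User", bob),
        ]),
    ])


# One scenario per case in the text (values: Site, Level, alice, bob).
SCENARIOS: Dict[str, Node] = {
    # Case 1: disabled at the Site, everything inherits -> whole Site reported
    "site_disabled": _tree(False, None, None, None),
    # Case 2: Site enabled, level explicitly disabled -> the level is reported
    "level_disabled": _tree(True, False, None, None),
    # Case 3: Site and level enabled, users disabled -> each user is reported
    "users_disabled": _tree(True, True, False, False),
    # Case 4: Site disabled, level re-enabled, one user disabled -> Site + user
    "site_and_user": _tree(False, True, False, None),
}


def reported_names(scenario: str, arm_enabled: bool = True) -> List[str]:
    """'kind:name' of every object the report flags for a scenario."""
    return [f'{e["level"]}:{e["name"]}'
            for e in compliance_report(SCENARIOS[scenario], arm_enabled)]


if __name__ == "__main__":
    for name in SCENARIOS:
        print(f"{name:15} -> {reported_names(name)}")
```

Running the module prints the flagged objects for each scenario; the fourth one shows the Site and the user account reported while the User Settings Level, which re-enabled the setting, is not.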
To generate the PCI DSS compliance report
To generate the report in real time, do one of the following:
On the main menu, click Report > PCI DSS HS Compliance Report. A report is generated for each PCI DSS-enabled Site.
In the Site's Event Rule node, click Report Event. In the right pane, click Run Now. The report is e-mailed to the e-mail address defined in the Rule.
To generate the report on a recurring schedule, define a Scheduler (Timer) Event Rule with the Generate Report Action. (An Event Rule specifies an action to occur when an event takes place and/or a condition is present, e.g., send an e-mail when a file is uploaded.) In the Event Rule, you can define whether to e-mail the report and/or save it to a file. The report is specific to the Site on which the Event Rule is configured.
For a description of each PCI DSS requirement covered in the report, see Possible PCI DSS Compliance Report Outcomes.
For details of creating and generating reports, see Auditing and Reporting Module (ARM).
Warnings for PCI DSS Violations