Possible PCI DSS Compliance Report Outcomes

The PCI DSS compliance report displays the requirement name, status (PASSED, FAILED, WARNING), description of the requirement, notes that you typed in the Warning box (explanation, justification, or compensating control), report name, and date the report was generated, and description of the report. The report is organized by PCI DSS Section/Requirement, then by Status (Warnings followed by Errors), then by Scope (Site followed by Settings Level, followed by User), with data elements for the names of the items (Site, Settings Level, or User) sorted alphabetically.

If the report is generated after the HS-PCI Module trial has expired, the report contains the following statement instead of the standard report:

The HS-PCI Module has expired. Please contact your GlobalSCAPE sales representative or visit http://www.globalscape.com/eft for more details.

The status of the PCI DSS requirements described below appear in the report:

HS PCI Data in the DMZ

EFT Server determines whether EFT DMZ Gateway is enabled, and whether a socket connection to the DMZ Gateway can be made. Possible outcomes include:

Requirement

Status

Description

PCI DSS 1.3.4 Perimeter Security

PASSED

EFT Server's DMZ Gateway enabled and connected

PCI DSS 1.3.4 Perimeter Security

WARNING

EFT Server's DMZ Gateway IP and port defined; however EFT Server cannot connect to the DMZ Gateway

PCI DSS 1.3.4 Perimeter Security

WARNING

EFT Server's DMZ Gateway is disabled. If EFT Server is deployed in the DMZ, ensure that sensitive data is segregated from the DMZ or risk non-compliance with this requirement.

Contents

Default Values

EFT Server determines whether any default values are specified for Admin login port (1100), DMZ Gateway port (44500), FTP banner message, or SFTP Secure File Transfer Protocol; SSH file transfer protocol, a network protocol designed by the IETF to provide secure file transfer and manipulation facilities over the secure shell (SSH) protocol. banner message. Possible report outcomes include:

Requirement

Status

Description

PCI DSS 2.1 Change Vendor Defaults

PASSED

No EFT Server supplied default values are being used (ports and banner messages checked)

PCI DSS 2.1 Change Vendor Defaults

FAILED

 [Admin Login Port, DMZ Gateway Connection Port, Default FTP Banner Message, or Default SFTP Secure File Transfer Protocol; SSH file transfer protocol, a network protocol designed by the IETF to provide secure file transfer and manipulation facilities over the secure shell (SSH) protocol. Banner Message] is the same as the default supplied. You should change the default port to a value between 1024 and 65535.

 

A separate failure description appears in the report for each setting that uses a default value.

Contents

Disabling Unsecure Protocols

EFT Server determines whether any non-secure protocols are enabled at the Site Level (SL), Settings Level (SL) and User Account Level (UAL) and reports for each Site, SL, or UAL failed. Possible report outcomes include:

Requirement

Status

Description

PCI DSS 2.2.2 Disable all non-secure protocols

PASSED

Only secure protocols are being used for this Site.

PCI DSS 2.2.2 Disable all non-secure protocols

FAILED

[FTP or HTTP] protocol is enabled for [Site, User Settings Level, or specific user name]. You should disable these protocols. Alternatively you must have ample justification and documentation per PCI 1.1.6 and 1.1.7 for continued use of non-secure protocols.

Contents

Disk Quota and Auto-Ban Meter

EFT Server determines whether disk quota is enabled, auto-ban meter is set to Off, Very Low, or Low, or the option to pass login credentials to Event Rules is enabled, and whether site-to-site transfers are enabled. Possible report outcomes include:

Requirement

Status

Description

PCI DSS 2.2.3 Configure security system parameters set to prevent misuse

PASSED

System security parameters are configured to prevent misuse.

PCI DSS 2.2.3 Configure security system parameters set to prevent misuse

WARNING

The option to pass user login credentials as an event rule variable (Site settings) should be disabled to comply with PCI 2.2.3

PCI DSS 2.2.3 Configure security system parameters set to prevent misuse

WARNING

Auto-ban connection flood sensitivity is too low. Please set to Medium, High, or Very High to better comply with this requirement.

PCI DSS 2.2.3 Configure security system parameters set to prevent misuse

WARNING

You have not specified a disk quota at a user or settings level. A malicious user could upload more data than available disk space, effectively disabling EFT Server.

PCI DSS 2.2.3 Configure security system parameters set to prevent misuse

WARNING

Anti-timeout blocking is currently disabled for [Site].

PCI DSS 2.2.3 Configure security system parameters set to prevent misuse

WARNING

Site-to-site transfers are currently allowed for [Site].

PCI DSS 2.2.3 Configure security system parameters set to prevent misuse

WARNING

NOOP FTP command is currently allowed for [Site].

Contents

Encrypt Console Access

EFT Server determines whether remote administration is enabled, and if so, if SSL is enabled. Possible report outcomes include:

Requirement

Status

Description

PCI DSS 2.3 Encrypt all non-console access

PASSED

Non-console administrative access is securely configured.

PCI DSS 2.3 Encrypt all non-console access

FAILED

Remote administration is enabled without SSL turned on. Either enable SSL or disable remote access.

Contents

Cardholder Data Storage

EFT Server determines whether any Clean-up Actions are defined, and warns if none is found. Possible report outcomes include:

Requirement

Status

Description

PCI DSS 3.1 Develop a data retention and disposal policy

PASSED

Does not appear in report if passed.

PCI DSS 3.1 Develop a data retention and disposal policy

WARNING

No disk quota is set for [Site]. Enable disk quotas to limit data storage amounts to what is required for business purposes according to your company's data retention policy.

PCI DSS 3.1 Develop a data retention and disposal policy

WARNING

No Clean-up Action was found. Define a Clean-up Action in a Scheduler (Timer) Event Rule to automate the disposal of deprecated data.

Contents

Encrypting File System (EFS) File Sharing

EFT Server determines whether the EFS option is enabled on the VFS root folder and physical virtual subfolders only (not on the files within those folders) and warns if EFS is enabled. Possible report outcomes include:

Requirement

Status

Description

PCI DSS 3.4.1 Logical access and decryption keys disk must be managed independently for disk-level encryption

PASSED

Encrypting File System (EFS) is not enabled through EFT Administrator.

PCI DSS 3.4.1 Logical access and decryption keys disk must be managed independently for disk-level encryption

WARNING

Encrypted File Store (EFS) is enabled in the Virtual File System. Make sure you are using an alternate disk or file encryption method as EFS encryption does not comply with PCI 3.4.1

Contents

Generate Strong Keys

EFT Server determines whether the primary SSL or SFTP key is using a 512-bit or fewer key length. Possible report outcomes include:

Requirement

Status

Description

PCI DSS 3.6.1 Generation of strong keys

PASSED

Strong server SSL/SFTP keys used.

PCI DSS 3.6.1 Generation of strong keys

WARNING

Site [SSL|SFTP] certificate key has a length of 1024 bits. While 1024 bits is acceptable, 2048 or higher bit-length keys are recommended.

PCI DSS 3.6.1 Generation of strong keys

FAILED

Server administration [SSL|SFTP] certificate key has a length of [n] bits. While 1024 bits is acceptable, 2048 or higher bit-length keys are recommended.

Contents

Key management, destruction, or revocation of old keys

EFT Server determines whether certificate keys used on EFT Server are current. The HS-PCI module checks the key length and expiration date only for the Server's SSL certificates (i.e. administration certificate and site certificates); client certificates (i.e. trusted certificates) are not checked. Possible report outcomes include:

Requirement

Status

Description

PCI DSS 3.6.4,9 - Key management, destruction, or revocation of old keys

PASSED

All certificates are current.

PCI DSS 3.6.4,9 - Key management, destruction, or revocation of old keys

WARNING

One or more SSL certificates or SFTP keys have expired. You should remove that key from the key manager and replace it with a current version.

  

Contents

Use Strong Ciphers and Protocol Versions

EFT Server determines whether any weak ciphers (<128 bit) or any version other than TLS or SSLv3 are enabled. Possible report outcomes include:

Requirement

Status

Description

PCI DSS 4.1 Use strong cryptographic ciphers for transport protocols

PASSED

Strong ciphers and protocols are being used.

PCI DSS 4.1 Use strong cryptographic ciphers for transport protocols

FAILED

SSL cipher string was manually defined or unable to ascertain which ciphers were chosen. Please select SSL ciphers from the provided list (Security page in Server tab).

PCI DSS 4.1 Use strong cryptographic ciphers for transport protocols

FAILED

One or more ciphers are less than 128 bit. Choose only 128-bit or higher ciphers for SSL and SFTP protocols.

PCI DSS 4.1 Use strong cryptographic ciphers for transport protocols

FAILED

The SSL version is set to auto-negotiable or use SSLv2. You must set the protocol version to SSlv3 and/or TLS only per PCI 4.1 requirements.

Contents

Limit Access to Computing Resources

EFT Server determines whether more than one EFT Server administrator account has full control over EFT Server. Possible report outcomes include:

Requirement

Status

Description

PCI DSS 7.1 - Limit access to computing resources only to those whose job requires such access

PASSED

Only one administrative account exists with full control over EFT Server

PCI DSS 7.1 - Limit access to computing resources only to those whose job requires such access

WARNING

There is more than one administrator with full control over the server. Ensure that only the minimum level of privileges necessary are granted to administrator accounts

Contents

Password Auditing and Reporting

EFT Server determines whether force password reset is enabled and audits the results.

Because EFT Server does manage NT/LDAP accounts, when you create an HS-PCI-enabled Site that uses LDAP or Windows Active Directory authentication, the Password Reset feature is not available and not audited for the HS-PCI Report. The report will indicate that the requirement has passed.

Possible report outcomes include:

Requirement

Status

Description

PCI DSS 8.5.3 Users must reset their passwords upon first use  

PASSED

Password expiration and forced reset is enabled

PCI DSS 8.5.3 Users must reset their passwords upon first use  

FAILED

Password forced reset is disabled for [Site, User Settings Level, Delegated Administrator].

Contents

Removing Inactive Accounts

EFT Server determines whether the setting to remove user or administrator accounts after 90 days of inactivity option is disabled or set to a value > 90 days (at Admin, Site, SL, UAL). EFT Server reports on whether the user account option is set to Disable rather than Remove; and any removal of administrator or user accounts.

Because EFT Server does manage NT/LDAP accounts, when you create an HS-PCI-enabled Site that uses LDAP or Windows Active Directory authentication, the Removing Inactive User Accounts feature is not available and not audited for the HS-PCI Report. The report will indicate that the requirement has passed.

Possible report outcomes include:

Requirement

Status

Description

PCI DSS 8.5.5 Remove inactive user accounts at least every 90 days

PASSED

Inactive accounts scheduled to be removed at least every 90 days.

PCI DSS 8.5.5 Remove inactive user accounts at least every 90 days

WARNING

The option to disable or expire after <n> days of inactivity for [Site, User Settings Level, user, or Administrators] is set to expire. For strict compliance you should set that option to remove accounts rather than just expire those accounts.

PCI DSS 8.5.5 Remove inactive user accounts at least every 90 days

FAILED

The option to remove or disable inactive accounts at least every 90 days is currently disabled for [Site, User Settings Level, user, or Administrators].

Contents

Anonymous Accounts

EFT Server determines whether any account has an anonymous password type. Possible report outcomes include:

Requirement

Status

Description

PCI DSS 8.5.8 Do not use generic (shared) accounts or passwords

PASSED

No anonymous accounts are present.

PCI DSS 8.5.8 Do not use generic (shared) accounts or passwords

FAILED

The following account: [username] has an Anonymous type password. You should change this users password to a normal or One Time Password type to be in compliance with section 8.5.8 of the PCI specification.

Contents

Expiring Passwords

EFT Server determines whether password expiration is enabled and audits the results.

Because EFT Server does manage NT/LDAP accounts, when you create a HS-PCI-enabled Site that uses LDAP or Windows Active Directory authentication, the Password Reset feature is not available and not audited for the HS-PCI Report. The report will indicate that the requirement has passed.

Possible report outcomes include:

Requirement

Status

Description

PCI DSS 8.5.9 Change user passwords at least every 90 days

PASSED

Passwords are set to expire every <n> days.

PCI DSS 8.5.9 Change user passwords at least every 90 days

FAILED

Passwords are set to expire after a period of time greater than 90 days (the maximum allowed) for %s, in violation of PCI 8.5.9

PCI DSS 8.5.9 Change user passwords at least every 90 days

FAILED

Passwords are not set to expire for [Site, User Settings Level, user, or Administrators].

Contents

Minimum Password Length and Complexity

EFT Server determines whether complex password enforcement is enabled, records the value for the minimum password length used, and determines which password character sub-options are enabled.

Because EFT Server does manage NT/LDAP accounts, when you create a HS-PCI-enabled Site that uses LDAP or Windows Active Directory authentication, the Complex Password  feature is not available and not audited for the HS-PCI Report. The report will indicate that the requirement has passed.

Possible report outcomes include:

Requirement

Status

Description

PCI DSS 8.5.10 - Require a minimum password length

PASSED

Password complexity is enabled and properly configured

PCI DSS 8.5.11 Use alphanumeric passwords

PASSED

Password complexity is enabled and properly configured.

PCI DSS 8.5.10,11 Use only strong passwords

FAILED

Enforce complex passwords is disabled for [Site, User Settings Level, user, or Administrators]. You must enable complex passwords to meet these requirements.

PCI DSS 8.5.10,11 Use only strong passwords

FAILED

Minimum password length is set to less than 7 at [Site, User Settings Level, user, or Administrators]. Passwords must be 7 digits or greater to meet PCI 8.5.10 and 8.5.11.

PCI DSS 8.5.10,11 Use only strong passwords

FAILED

Require alpha chars and digits for passwords are not for [Site, User Settings Level, user, or Administrators]. You must enable those options to comply with PCI 8.5.10 and 8.5.11.

Contents

Password Reuse

EFT Server determines whether password history enforcement is enabled for the administrator, Site, User Setting Level, or user account level.

Because EFT Server does manage NT/LDAP accounts, when you create an HS-PCI-enabled Site that uses LDAP or Windows Active Directory authentication, the Password History  feature is not available and not audited for the HS-PCI Report. The report will indicate that the requirement has passed.

Possible report outcomes include:

Requirement

Status

Description

PCI DSS 8.5.12 - Disallow reuse of previous passwords

PASSED

"Enforce password history" is enabled.

PCI DSS 8.5.12 - Disallow reuse of previous passwords

FAILED

"Enforce password history" is disabled for  [Site, User Settings Level, user, or Administrators]. Enable this option to comply with this requirement.

Contents

Lockout Duration

EFT Server determines whether temporary lockout is enabled or set to a value > 6. Possible report outcomes include:

Requirement

Status

Description

PCI DSS 8.5.13 Limit repeated access attempts to no more than six

PASSED

Temporary lockout duration or account disable is set.

PCI DSS 8.5.13 Limit repeated access attempts to no more than six

FAILED

Account lock occurs after <n> invalid attempts. Please set the value to between 1 and 6 to meet PCI DSS 8.5.13 requirements.

PCI DSS 8.5.13 Limit repeated access attempts to no more than six

FAILED

Temporary account lockout or disable is disabled for accounts that fail repeated login attempts for Administrators.

Contents

Session Timeout

EFT Server determines whether inactivity timeout is enabled, and if enabled, whether it is set to a value that exceeds 15 minutes. Possible report outcomes include:

Requirement

Status

Description

PCI DSS 8.5.15 Idle sessions should timeout and require login credentials to continue

PASSED

Inactivity timeout is enabled and properly configured.

PCI DSS 8.5.15 Idle sessions should timeout and require login credentials to continue

FAILED

Inactivity timeout not enabled or set to value exceeding 15 minutes.

Contents

Data Sanitization

EFT Server determines whether data sanitization is enabled, and if enabled. Possible report outcomes include:

Requirement

Status

Description

PCI DSS 9.10.2 - Destroy electronic media so that cardholder data cannot be reconstructed.

PASSED

Data removal sanitization (wiping) is enabled.

PCI DSS 9.10.2 - Destroy electronic media so that cardholder data cannot be reconstructed.

FAILED

Data sanitization is not enabled. Either enable wiping or make sure you have compensating controls in place to meet this requirement.

Contents

Audit Database Connection and Configuration

EFT Server determines whether the audit database is connected and properly configured. Possible report outcomes include:

Requirement

Status

Description

PCI DSS 10.2.3 - Access to all audit trails  

PASSED

 Server's Database Audit is connected.

PCI DSS 10.2.3 - Access to all audit trails  

WARNING

Server's Database Audit is not connected or is not configured properly