Both trial and full versions of the HSM include the ability to audit EFT Server for compliance with the PCI DSS requirements. EFT Server checks every PCI DSS requirement that it addresses and reports the compliance status of each one (Pass, Fail, or Warning), together with a description of the requirement tested. For failed requirements, the report also presents the reason you gave for the non-compliant setting, if you supplied one at the time that setting was disabled or changed.
Failed items are reported only at the highest level at which the failure originates; levels that merely inherit the failing setting are not listed again. The exception is a setting that is explicitly changed to a non-compliant value at a lower level, which is reported in addition. For example:
If a Site failed compliance because Enforce strong (complex) passwords was disabled, the report is generated for the entire Site.
If Enforce strong (complex) passwords was enabled for the Site, but was disabled for a Settings Template, the report is generated for the Settings Template.
If Enforce strong (complex) passwords was enabled for the Site and Settings Template, but disabled for some users, EFT Server reports for each of those users.
If Enforce strong (complex) passwords was disabled for the Site, enabled for the Settings Template, and disabled for a user (as shown below), the warning appears for the Site violation and for the user account that is in violation.
EFT Server stores the PCI DSS compensating-controls information that you provide in its auditing database (ARM). If ARM is disabled, violations are still identified in the report; however, the justifications that you type when you accept a non-compliant setting are not recorded in the database. You can still run the report, but the justifications you provided will not appear in it. When a setting is changed via the COM API in a way that violates PCI DSS compliance, EFT Server rejects the change and returns the error code "error 53." Refer to the GlobalSCAPE Server COM API user guide for details of the COM API.
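The following is an added model of the reporting rule described above (the Site / Settings Template / User examples and the ARM note); it is illustrative code written for this page, not EFT Server's own logic. It assumes a three-level hierarchy in which a value of None means "inherit from the level above", flags every level whose own explicit value is non-compliant, leaves out levels that only inherit the failure, and attaches justifications only when the auditing database is enabled. The sample hierarchies built by scenario() are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class User:
    name: str
    strong_passwords: Optional[bool] = None   # None = inherit from the template
    justification: Optional[str] = None       # reason typed when the setting was disabled


@dataclass
class SettingsTemplate:
    name: str
    strong_passwords: Optional[bool] = None   # None = inherit from the site
    justification: Optional[str] = None
    users: List[User] = field(default_factory=list)


@dataclass
class Site:
    name: str
    strong_passwords: bool                    # the site level is always explicit
    justification: Optional[str] = None
    templates: List[SettingsTemplate] = field(default_factory=list)


def effective(site: Site, tmpl: SettingsTemplate, user: User) -> bool:
    """Resolve the setting a user actually runs under: the nearest explicit value wins."""
    for value in (user.strong_passwords, tmpl.strong_passwords):
        if value is not None:
            return value
    return site.strong_passwords


def noncompliant_users(site: Site) -> List[str]:
    """Every account whose effective setting violates the requirement, inherited or not."""
    return [u.name for t in site.templates for u in t.users if not effective(site, t, u)]


Row = Tuple[str, str, str, Optional[str]]  # (level, name, status, justification)


def pci_findings(site: Site, arm_enabled: bool = True) -> List[Row]:
    """Rows the report would show: highest originating level, plus explicit violations."""
    rows: List[Row] = []

    def flag(level: str, obj) -> None:
        # Justifications live in ARM; without it the violation is listed but the reason is not.
        rows.append((level, obj.name, "Fail", obj.justification if arm_enabled else None))

    if site.strong_passwords is False:
        flag("Site", site)
    for tmpl in site.templates:
        if tmpl.strong_passwords is False:          # explicit, so reported even if the site failed
            flag("Settings Template", tmpl)
        for user in tmpl.users:
            if user.strong_passwords is False:      # explicit, so reported regardless of parents
                flag("User", user)
    if not rows:
        rows.append(("Site", site.name, "Pass", None))
    return rows


def scenario(site_val: bool, tmpl_val: Optional[bool], user_vals) -> Site:
    """Constructed sample hierarchy: one site, one template, users with the given explicit values."""
    users = [User(f"user{i}", v, "legacy client cannot meet policy" if v is False else None)
             for i, v in enumerate(user_vals, 1)]
    tmpl = SettingsTemplate("Template", tmpl_val, users=users)
    return Site("Site", site_val, "migration in progress" if not site_val else None, [tmpl])


if __name__ == "__main__":
    # Site disabled, template enabled, user1 disabled, user2 inheriting: Site and user1 are flagged.
    demo = scenario(False, True, [False, None])
    for row in pci_findings(demo):
        print(row)
    print("non-compliant accounts:", noncompliant_users(demo))
```

Comparing noncompliant_users() with pci_findings() on the same hierarchy shows the difference between accounts that are actually out of policy and the rows the report lists: when the Site itself fails, every inheriting account is non-compliant, but only the Site row appears.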
To generate the PCI DSS Compliance report
To generate the report in real time, do one of the following:
On the main menu, click Report > PCI DSS Compliance Report. A report is generated for each PCI DSS Site.
In the Site's Event Rule node, click Report Event. In the right pane, click Run Now. The report is e-mailed to the e-mail address defined in the Rule.
To generate the report on a recurring schedule, define a Scheduler Timer Event Rule with the Generate Report Action. In the Event Rule, you can define whether to e-mail the report and/or save the report to a file. A report is generated specific to the Site on which the Event Rule is configured.
For a description of each PCI DSS requirement covered in the report, refer to Possible PCI DSS Compliance Report Outcomes.
For details of generating reports, refer to Generating a Report.