When EFT Server warns you of a non-compliant setting, if you do not change the setting to one that meets the PCI DSS requirement, you can instead specify the compensating controls (hardware, software, or policy) that you are using to satisfy the requirement. The information that you provide in the warning message appears in the PCI DSS Compliance Report, which you can provide to Qualified Security Assessors (QSAs) or Approved Scanning Vendors (ASVs), individuals certified by the PCI Security Standards Council as qualified to validate compliance with the PCI DSS requirements.
For Sites created using the "strict security settings" option, if you attempt to change a setting in a way that would cause EFT Server to no longer meet PCI DSS requirements, EFT Server does not commit the change when you click Apply. Instead, a warning message appears that describes one or more violations.
If you do not activate the HSM, this feature is disabled when the 30-day trial expires.
For each violation identified in the PCI DSS Violations dialog box, you can accept the non-compliant setting (Apply this change anyway) and provide a reason for accepting each setting (e.g., if you are using an alternate solution) or you can discard the change (Don't apply this change). If you accept the change and provide a reason, the warning and the reason that you provided appear in the PCI DSS Compliance Report.
Related settings are audited and reported on as a group (e.g., all of the SSL-related settings or all of the account-related settings). For example, suppose on Monday you disable the account lockout settings for a user and specify in the PCI DSS Violations dialog box your reason for allowing this non-compliant setting. Then on Wednesday you change a complex password setting. The PCI DSS Violations dialog box appears and displays both of these settings, as well as any others for which you previously provided a reason, and you must either allow the change and specify a reason or discard the change for each of the non-compliant settings before EFT Server commits the changes. (That is, the allow or discard flag is separate for each setting, but the settings are audited and reported on as a group.) This functionality is designed to remind you of the non-compliant settings in case you want to bring them into compliance in EFT Server.
If PCI DSS Violations are detected
Click a violation in the list, then do one of the following for each of the violations listed:
If you want to correct the violation, click Don't apply this change, click Continue, correct the setting, then click Apply.
If you want to keep the non-compliant setting, click Apply this change anyway, then in the Provide justification and describe compensating control box, type the reason for keeping the non-compliant setting. The description will appear in the PCI DSS Compliance Report.
Click Continue. You must address each violation in the list before you can click Continue.
Reporting of failed items occurs at the highest level of failure only, except in the case of an explicit setting that violates compliance. For example:
If a Site failed compliance because Enforce strong (complex) passwords was disabled (check box cleared), the report is generated for the entire Site.
If Enforce strong (complex) passwords was enabled for the Site, but was disabled for a Settings Template, the report is generated for the Settings Template.
If Enforce strong (complex) passwords was enabled for the Site and Settings Template, but disabled for some users, EFT Server reports for each of those users.
If Enforce strong (complex) passwords was disabled for the Site, enabled for the Settings Template, and disabled for a user, the warning appears for the Site violation and for the user account that is in violation.
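The following is an added illustrative model, not EFT Server code, of the reporting rule described above: a failed setting is attributed to the highest level of the Site, Settings Template, and User hierarchy at which it fails, and a level that merely inherits an already-reported failure is not reported again, but any level that explicitly sets a non-compliant value is reported. The node names, the inherit-from-parent semantics (a level with no explicit value takes its parent's value), and the assumption that a Site with no explicit value is treated as enabled are all assumptions made for this example. The four cases in the text are reproduced as constructed sample data.

```python
"""Illustrative model (not EFT Server code) of attributing a non-compliant
setting to the highest level of the Site -> Settings Template -> User
hierarchy, while still reporting every level that explicitly violates."""

from dataclasses import dataclass, field
from typing import Optional

SETTING = "Enforce strong (complex) passwords"  # the setting used in the text's examples


@dataclass
class Node:
    """One level of the hierarchy. `explicit` is None when the level inherits."""
    kind: str                        # "Site", "Settings Template", or "User"
    name: str
    explicit: Optional[bool] = None  # True = enabled, False = disabled, None = inherit
    children: list = field(default_factory=list)


def effective(node: Node, inherited: Optional[bool]) -> bool:
    """Value in force at this node (assumed: explicit overrides inherited;
    a top-level node with no explicit value is treated as enabled)."""
    if node.explicit is not None:
        return node.explicit
    return True if inherited is None else inherited


def report_violations(node: Node, inherited: Optional[bool] = None) -> list:
    """Return (kind, name) for every level that should appear in the report."""
    value = effective(node, inherited)
    findings = []
    if not value and (node.explicit is not None or inherited is None):
        # Non-compliant and either explicitly set here or this is the top
        # level: report here. A level that only inherits a disabled value is
        # not reported again, since the failure was reported above it.
        findings.append((node.kind, node.name))
    for child in node.children:
        findings.extend(report_violations(child, value))
    return findings


def build(site_value, template_value, user_values):
    """Build a one-Site, one-Template hierarchy (hypothetical names);
    values are True (enabled), False (disabled), or None (inherit)."""
    users = [Node("User", name, value) for name, value in user_values.items()]
    template = Node("Settings Template", "Template1", template_value, users)
    return Node("Site", "Site1", site_value, [template])


# The four cases described in the text, as constructed sample data.
CASES = {
    "site disabled": (False, None, {"alice": None, "bob": None}),
    "template disabled": (True, False, {"alice": None}),
    "users disabled": (True, True, {"alice": False, "bob": False}),
    "site and user disabled": (False, True, {"alice": False}),
}


def run_case(name: str) -> list:
    """Evaluate one named case and return the levels that would be reported."""
    return report_violations(build(*CASES[name]))


if __name__ == "__main__":
    for case in CASES:
        print(f"{SETTING} / {case}: {run_case(case)}")
```

Running the block prints, for each case, exactly the levels the text says are reported: the whole Site in the first case, only the Settings Template in the second, each disabled user in the third, and both the Site and the explicitly disabled user in the fourth.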