How EFT Server Addresses PCI DSS Requirements

The High Security (HS) module helps you enforce strong security settings and comply with the PCI DSS 1.2 specification. PCI DSS provides detailed security guidelines that can be used to harden EFT Server regardless of which rules or standards your organization is measured against. The PCI DSS Requirements section provides an overview of each requirement and describes how the HS module helps you comply with it.

You can download the PCI DSS Security Audit Procedures from https://www.pcisecuritystandards.org/.

Compensating Controls

From the PCI DSS Security Auditing Procedures document:

Compensating controls may be considered for most PCI DSS requirements when an entity cannot meet a technical specification of a requirement, but has sufficiently mitigated the associated risk.

When EFT Server warns you of a non-compliant setting and you do not choose a setting that satisfies the requirement, you must specify the compensating controls (hardware, software, or policy) that you are using instead. The information that you provide appears in the Compliance report, which you can give to Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs), individuals and organizations certified by the PCI Security Standards Council as qualified to validate compliance with the PCI DSS.

The PCI DSS Compliance Report

The PCI DSS Compliance Report provides administrators and managers with a summary of the security controls in effect on EFT Server, as well as areas where security could be further hardened. PCI DSS compliance is an ongoing process, not a "set-it-and-forget-it" project. Periodic self-assessment is an important part of identifying non-compliance and areas that need improvement, and can reduce costs if an assessor is required to validate PCI DSS compliance.

The PCI DSS requires that you track and monitor all access to network resources and cardholder data (requirement 10) and regularly test security systems and processes (requirement 11).

The HS module, in conjunction with the Auditing and Reporting module (ARM), helps you maintain compliance by identifying areas that are out of compliance and automatically e-mailing you a daily PCI DSS Compliance report. The report lists all successes, warnings, failures, and compensating controls, based on multiple evaluation criteria.

You can also run the PCI DSS Compliance report "on the fly" in the Administrator.

PCI DSS Requirements Addressed

EFT Server facilitates compliance with the PCI DSS requirements that apply to it. The PCI DSS requirements related to physical security and cardholder database security are not applicable to EFT Server itself; however, you should still place the Server computer in a secured area, such as a locked server room or network operations center.


Related Topics

PCI DSS Requirements

Creating a High Security Site

Warnings for Non-Compliance with PCI DSS

PCI DSS Security Auditing

Activating the HS Module