Warnings for PCI DSS Violations

When EFT warns you of a non-compliant setting, if you do not specify a setting that meets the PCI DSS requirement, you can specify the compensating controls (hardware, software, or policy) you are using to satisfy the requirement. The information that you provide in the warning message appears in the PCI DSS Compliance Report, which you can provide to Qualified Security Assessors (QSAs) or Approved Scanning Vendors (ASVs), individuals who are certified by the PCI Security Standards Council as being qualified to validate compliance to the PCI DSS requirements.

For Sites created using the "strict security settings" option, if you attempt to change a setting that would cause EFT to no longer meet PCI DSS requirements, when you click Apply to save the changes on EFT, EFT does not commit the change, and a warning message appears that describes one or more violations.

If you do not activate the Regulatory Compliance Module (RCM), this feature is disabled when the trial has expired.

For each violation identified in the PCI DSS Violations dialog box, you can accept the non-compliant setting (Apply this change anyway) and provide a reason for accepting each setting (for example, if you are using an alternate solution) or you can discard the change (Don't apply this change). If you accept the change and provide a reason, the warning and the reason that you provided appear in the PCI DSS Compliance Report.

Related settings are audited and reported on as a group (for example, all of the SSL-related settings or all of the account-related settings). For example, suppose that on Monday you disable the account lockout settings for a user and specified in the PCI DSS Violations dialog box your reason for allowing this non-compliant setting. Then on Wednesday, you change a complex password setting. The PCI DSS Violations dialog box appears and displays both of these settings, as well as others for which you provided a reason, and you will be required to allow the change and specify a reason or discard the changes for each of the non-compliant settings before EFT commits the changes. (That is, the allow or discard flag is separate, but they are audited and reported on as a group.) This functionality is designed to remind you of the non-compliant settings in case you want to bring them into compliance in EFT.

If PCI DSS Violations are detected

  1. Click a violation in the list, then do one of the following for each of the violations listed:

    • If you want to correct the violation, click Don't apply this change, click Continue, correct the setting, and then click Apply.

    • If you want to keep the non-compliant setting, click Apply this change anyway, then in the Provide justification and describe compensating control box, type the reason for keeping the non-compliant setting. The description will appear in the PCI DSS Compliance report.

  2. Click Continue. You must address each violation in the list before you can click Continue.

Reporting of failed items occurs at the highest level of failure only, except in the case of an explicit setting that violates compliance. For example:

  • If a Site failed compliance because Enforce strong (complex) passwords was disabled (check box cleared), the report is generated for the entire Site.

  • If Enforce strong (complex) passwords was enabled for the Site, but was disabled for a Settings Template, the report is generated for the Settings Template.

  • If Enforce strong (complex) passwords was enabled for the Site and Settings Template, but disabled for some users, EFT reports for each of those users.

  • If Enforce strong (complex) passwords was disabled for the Site, enabled for the Settings Template, and disabled for a user, the warning appears for the Site violation and for the user account that is in violation.

EFT stores PCI DSS compensating controls information provided in its auditing database (ARM). If ARM is disabled, violations are still identified in the report; however, the justifications that you type when you accept a non-compliant setting are not recorded in the database. You can still run the report, but the justifications that you provide will not appear in the report. When settings are changed via the COM API that violate PCI DSS compliance, EFT will reject the change and return the error code "error 53."