PCI Compliance Report
The PCI Compliance Report presents your findings based on Payment Card Industry Data Security Standard (PCI-DSS) v4.0.1 requirements, which represent a common set of industry tools and measurements that help ensure the safe handling of cardholder data. The PCI-DSS consists of 12 overall requirements, which are logically organized into the following groups:
- Building and maintaining a secure network
- Protecting cardholder data
- Maintaining a vulnerability management program
- Implementing strong access control measures
- Monitoring and testing networks regularly
- Maintaining an information security policy
The PCI Compliance Report describes where an organization stands in terms of compliance with PCI-DSS requirements related to groups 1, 3, and 4. The report provides coverage for a select subset of requirements within each group. It outlines the target's status for using default vendor settings, applying the latest security patches, and implementing strong user and password policies. The report presents compliance results by indicating a pass or fail status for each PCI-DSS requirement. The findings should be used as an appendix for PCI requirements testing and not as an actual audit.
To help you navigate through the data to find key information, the report is organized into the following sections:
- Executive Summary
- Requirements Status Summary
- Host Status Summary
- Detailed Findings
Executive Summary
The Executive Summary briefly describes the contents of the report.
Requirements Status Summary
The Requirements Status Summary presents a pass or fail status for the following PCI-DSS requirements:
- 2.2.3 – The organization implements only one primary function per server to prevent functions that require different security levels from co-existing on the same server.
- 2.2.7 – The organization encrypts all non-console administrative access such as browser or web-based management tools.
- 8.3.1 – The organization employs at least one of these to authenticate all users: password or passphrase or two-factor authentication.
- 8.3.2 – The organization renders all passwords unreadable for all system components both in storage and during transmission using strong cryptography based on approved standards.
- 8.3.6 – The organization requires a minimum password length of at least twelve characters (or eight if the system does not support twelve characters) that contains both numeric and alphabetic characters.
Host Status Summary
The Host Status Summary presents the pass or fail results for each host in the project. A host will have a pass status if it passes every PCI-DSS requirement that Metasploit Pro reports on; otherwise, it will have a fail status.
Detailed Findings
The Detailed Findings section provides the technical details for each PCI-DSS requirement. For each PCI-DSS requirement, the report lists each host that did not meet the criteria set by each standard.
PCI Requirement 2.2.3
This requirement mandates that hosts should only have one primary function. Each function should be implemented on separate servers. This section lists the hosts that have more than one listening service defined as a major system component.
For each host that failed this requirement, this section reports the following information:
- The host IP address and name
- The operating system running on the host
- The services and ports that were discovered on the host
PCI Requirement 2.2.7
This requirement mandates that all non-console administrative access, such as Telnet and rlogin, be encrypted using strong cryptography, such as SSH or SSL. This section lists the hosts that do not enforce strong encryption methods or have HTTP listening on Cisco devices.
For each host that failed this requirement, this section reports the following information:
- The host IP address and name
- The operating system running on the host
- The services and ports that were discovered on the host
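The two host-level checks above (more than one major system component listening on a host for 2.2.3, and cleartext administrative access such as Telnet or rlogin, or HTTP on a Cisco device, for 2.2.7) can be expressed as rules over a service inventory. The following is an added example, not Metasploit Pro code: the host record shape, the set of service names counted as "major system components", and the set of cleartext administrative protocols are all assumptions chosen for illustration, as is the sample inventory.

```python
"""Added example (not Metasploit Pro code): evaluate a constructed host
inventory against the two host-level checks the report describes.

Assumptions (not taken from the page):
  - which service names count as a "major system component" for 2.2.3
  - which service names count as cleartext administrative access for 2.2.7
Both sets are illustrative placeholders; adjust them to your environment.
"""
from dataclasses import dataclass

# Constructed: service names treated as major system components (2.2.3).
MAJOR_COMPONENTS = {"http", "https", "smtp", "mysql", "postgresql", "mssql", "dns", "ftp"}

# Constructed: cleartext protocols used for administrative access (2.2.7).
CLEARTEXT_ADMIN = {"telnet", "rlogin", "rsh"}


@dataclass
class Host:
    address: str
    name: str
    os: str
    services: list  # list of (port, service_name) discovered on the host


def fails_2_2_3(host):
    """Return the major components found if more than one is listening, else []."""
    found = {svc for _, svc in host.services if svc in MAJOR_COMPONENTS}
    return sorted(found) if len(found) > 1 else []


def fails_2_2_7(host):
    """Return (port, service) pairs giving cleartext admin access: telnet/rlogin/rsh
    on any host, plus HTTP on a device whose OS string identifies it as Cisco."""
    offending = [(port, svc) for port, svc in host.services if svc in CLEARTEXT_ADMIN]
    if "cisco" in host.os.lower():
        offending += [(port, svc) for port, svc in host.services if svc == "http"]
    return offending


def evaluate(hosts):
    """Return {address: {"2.2.3": [...], "2.2.7": [...]}} for failing hosts only."""
    results = {}
    for h in hosts:
        findings = {}
        multi = fails_2_2_3(h)
        if multi:
            findings["2.2.3"] = multi
        clear = fails_2_2_7(h)
        if clear:
            findings["2.2.7"] = clear
        if findings:
            results[h.address] = findings
    return results


# Constructed sample inventory (not real hosts).
SAMPLE_HOSTS = [
    Host("10.0.0.5", "web01", "Linux", [(22, "ssh"), (443, "https")]),
    Host("10.0.0.6", "app02", "Linux", [(22, "ssh"), (80, "http"), (3306, "mysql")]),
    Host("10.0.0.7", "core-sw", "Cisco IOS", [(23, "telnet"), (80, "http")]),
]

if __name__ == "__main__":
    for addr, findings in evaluate(SAMPLE_HOSTS).items():
        print(addr, findings)
```

Only hosts with at least one failing requirement appear in the result, mirroring the report, which lists failing hosts per requirement rather than every host. Note that 2.2.3 is judged on the set of distinct major services, so two ports serving the same component (for example HTTP on 80 and 8080) do not by themselves trip the rule.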
PCI Requirement 8.3.1
This section displays hosts that do not use password authentication or two-factor authentication. A host that fails this requirement does not enforce passwords/passphrases or authentication via a token device.
For each credential that failed this requirement, this section reports the following information:
- The host IP address and name
- The operating system running on the host
- The public value, private type, private value, origin type, and origin detail for the credential
PCI Requirement 8.3.2
This requirement mandates that passwords be encrypted during storage. This section displays hosts that have private data stored for validated logins.
For each credential that failed this requirement, this section reports the following information:
- The host IP address and name
- The operating system running on the host
- The public value, private type, private value, origin type, and origin detail for the credential
PCI Requirement 8.3.6
This requirement mandates that all passwords contain both numeric and alphabetic characters and have a minimum length of at least twelve characters (or eight if the system does not support twelve characters). This section displays validated passwords that do not contain both alphabetic and numeric characters and passwords that contain fewer than seven characters.
For each credential that failed this requirement, this section reports the following information:
- The host IP address and name on which the credential was validated
- The operating system running on the host
- The public value, private type, private value, origin type, and origin detail for the credential
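The credential-level checks for 8.3.1 (a validated login that enforces no password) and 8.3.6 (a password lacking an alphabetic and numeric mix, or shorter than the minimum length), together with the credential-masking behaviour described under the report options, can be written as a small evaluator over credential records. The following is an added example, not Metasploit Pro code: the credential record shape, the reading of an empty private value as "no password enforced", the `min_length` parameter, the `MASK` placeholder string and the sample credentials are all assumptions made for illustration.

```python
"""Added example (not Metasploit Pro code): check validated credentials
against the password-policy requirements the report describes, and mask
secrets before they reach the output, as the report's mask option does.

Assumptions (not taken from the page):
  - the credential record shape below (public/private/origin fields)
  - a blank private value is read as "no password enforced" (8.3.1)
  - MASK is a constructed placeholder for the report's replacement text
"""
from dataclasses import dataclass

MASK = "********"  # constructed placeholder, not the report's actual replacement string


@dataclass(frozen=True)
class Credential:
    host: str
    os: str
    public: str        # username
    private_type: str  # e.g. "Password", "NTLM hash", "SSH key"
    private: str       # the secret; never rendered unmasked by default
    origin_type: str
    origin_detail: str


def fails_8_3_1(cred):
    """No password/passphrase enforced: a validated login with an empty private value."""
    return cred.private_type == "Password" and cred.private == ""


def fails_8_3_6(cred, min_length=12):
    """Reasons a plaintext password fails 8.3.6, or [] if it passes.
    PCI DSS v4 requires 12 characters, or 8 where the system cannot support 12;
    pass min_length=8 for such systems. Hashes and keys cannot be judged here."""
    if cred.private_type != "Password" or cred.private == "":
        return []
    pw = cred.private
    reasons = []
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        reasons.append("no alphabetic+numeric mix")
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    return reasons


def render(cred, mask_secrets=True):
    """Render a credential for the report, replacing the private value when masking is on."""
    secret = MASK if mask_secrets else cred.private
    return (f"{cred.host} ({cred.os}) {cred.public}/{cred.private_type}: {secret} "
            f"[{cred.origin_type}: {cred.origin_detail}]")


def evaluate(creds, min_length=12, mask_secrets=True):
    """Return a list of (requirement, rendered credential, reasons) for failing credentials."""
    findings = []
    for c in creds:
        if fails_8_3_1(c):
            findings.append(("8.3.1", render(c, mask_secrets), ["blank password accepted"]))
        reasons = fails_8_3_6(c, min_length)
        if reasons:
            findings.append(("8.3.6", render(c, mask_secrets), reasons))
    return findings


# Constructed sample credentials (not real data).
SAMPLE_CREDS = [
    Credential("10.0.0.6", "Linux", "deploy", "Password", "", "Service", "ssh"),
    Credential("10.0.0.6", "Linux", "admin", "Password", "letmein", "Service", "ssh"),
    Credential("10.0.0.7", "Cisco IOS", "cisco", "Password", "R0ut3r-Adm1n-2024", "Service", "telnet"),
    Credential("10.0.0.8", "Windows", "svc", "NTLM hash", "<hash, constructed>", "Cracked", "john"),
]

if __name__ == "__main__":
    for req, line, why in evaluate(SAMPLE_CREDS):
        print(req, line, "; ".join(why))
```

Masking is the default so that a report handed to auditors never carries recovered secrets; the unmasked path exists only for the case where the operator deliberately turns the option off. The length check is parameterised rather than hard-coded because the requirement allows eight characters on systems that cannot support twelve, and the evaluator needs to know which systems those are.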
PCI Compliance Report Options
Settings | Options |
---|---|
Output formats | PDF, HTML, WORD, RTF |
Report options | Mask discovered credentials - Masks all credentials, including plain text passwords, hashes, and SSH keys, from the report. The PCI Compliance report will replace the password with |
Report sections | Executive Summary |