PCI Compliance Report

The PCI Compliance Report presents your findings based on Payment Card Industry Data Security Standard (PCI-DSS) 3.2.1 requirements, which represent a common set of industry tools and measurements that help ensure the safe handling of cardholder data. The PCI-DSS consists of 12 overall requirements, which are logically organized into the following groups:

  1. Building and maintaining a secure network
  2. Protecting cardholder data
  3. Maintaining a vulnerable management program
  4. Implementing strong access control measures
  5. Monitoring and testing networks regularly
  6. Maintaining an information security policy

The PCI Compliance Report describes where an organization stands in terms of compliance with PCI-DSS requirements related to groups 1, 3, and 4. The report provides coverage for a select subset of requirements within each group. It outlines the target's status for using default vendor settings, applying the latest security patches, and implementing strong user and password policies. The report presents compliance results by indicating a pass or fail status for each PCI-DSS requirement. The findings should be used as an appendix for PCI requirements testing and not as an actual audit.

To help you navigate through the data to find key information, the report is organized into the following sections:

  • Executive Summary
  • Requirements Status Summary
  • Host Status Summary
  • Detailed Findings

Executive Summary

The Executive Summary briefly describes the contents of the report.

Requirements Status Summary

The Requirements Status Summary presents a pass or fail status for the following PCI-DSS requirements:

  • 2.2.1 – The organization implements only one primary function per server to prevent functions that require different security levels from co-existing on the same server.
  • 2.3 – The organization encrypts all non-console administrative access such as browser or web-based management tools.
  • 6.2 – The organization ensures that all system components and software have the latest vendor supplied security patches installed. Deploy critical patches within a month of release.
  • 8.2 – The organization employs at least one of these to authenticate all users: password or passphrase or two-factor authentication.
  • 8.2.1 – The organization renders all passwords unreadable for all system components both in storage and during transmission using strong cryptography based on approved standards.
  • 8.2.3 - The organization requires a minimum password length of at least seven characters that contains both numeric and alphabetic characters.
  • 8.5 - The organization does not use group, shared, or generic accounts and passwords, or other authentication methods.

Host Status Summary

The Host Status Summary presents the pass or fail results for each host in the project. A host will have a pass status if it passes every PCI-DSS requirement that Metasploit Pro reports on; otherwise, it will have a fail status.

Detailed Findings

The Detailed Findings section provides the technical details for each FISMA requirement. For each FISMA requirement, the report lists each host that did not meet the criteria set by each standard.

PCI Requirement 2.2.1

This requirement mandates that hosts should only have one primary function. Each function should be implemented on separate servers. This section lists the hosts that have more than one listening service defined as a major system component.

For each host that failed this requirement, this section reports the following information:

  • The host IP address and name
  • The operating system running on the host
  • The services and ports that were discovered on the host

PCI Requirement 2.3

This requirement mandates that all non-console administrative access, such as Telnet and rlogin, be encrypted using strong cryptography, such as SSH or SSL. This section lists the hosts that do not enforce strong encryption methods or have HTTP listening on Cisco devices.

For each host that failed this requirement, this section reports the following information:

  • The host IP address and name
  • The operating system running on the host
  • The services and ports that were discovered on the host

PCI Requirement 6.2

This requirement mandates that all known vulnerabilities must have the latest vendor security patches applied. This section displays all hosts that have exploitable vulnerabilities.

For each host that failed this requirement, this section reports the following information:

  • The host IP address and name
  • The operating system running on the host
  • The services and ports that were discovered on the host

PCI Requirement 8.2

This section displays hosts that do not use password authentication or two-factor authentication. By failing this requirement, the target indicates that it does not enforce passwords/passphrases or authentication via token device.

For each credential that failed this requirement, this section reports the following information:

  • The host IP address and name
  • The operating system running on the host
  • The public value, private type, private value, origin type, and origin detail for the credential

PCI Requirement 8.2.1

This requirement mandates that passwords should be encrypted during storage. This section displays hosts that have private data stored for validated logins.

For each credential that failed this requirement, this section reports the following information:

  • The host IP address and name
  • The operating system running on the host
  • The public value, private type, private value, origin type, and origin detail for the credential

PCI Requirement 8.2.3

This requirement mandates that all passwords contain both numeric and alphabetic characters and have a minimum character length of at least seven characters. This section displays validated passwords that do not contain both alphabetic and numeric characters and passwords that contain less than seven characters.

For each credential that failed this requirement, this section reports the following information:

  • The host IP address and name on which the credential was validated
  • The operating system running on the host
  • The public value, private type, private value, origin type, and origin detail for the credential

PCI Requirement 8.5

This requirement mandates that group, shared, or generic IDs, passwords are not used. This section displays the credentials that have the any of the following usernames:

  • user
  • root
  • administrator
  • admin
  • tomcat
  • cisco
  • manager
  • sa
  • postgres
  • guest

For each credential that failed this requirement, this section reports the following information:

  • The host IP address and name on which the credential was validated
  • The operating system running on the host
  • The public value, private type, private value, origin type, and origin detail for the credential

PCI Compliance Report Options

Settings

Options

Output formats

PDF, HTML, WORD, RTF

Report options

Mask discovered credentials - Masks all credentials, including plain text passwords, hashes, and SSH keys, from the report. The PCI Compliance report will replace the password with *BLANK*.

Report sections

Executive Summary

Requirements Status Summary

Host Status Summary

Detailed Findings