Benchmark: 3.2.3 Do not store the personal identification number (PIN) or the encrypted PIN block after authorization
Description
These values should be known only to the card owner or bank that issued the card. If this data is stolen, malicious individuals can execute fraudulent PIN-based debit transactions (for example, ATM withdrawals). For a sample of system components, examine data sources, including but not limited to the following and verify that PINs and encrypted PIN blocks are not stored after authorization: incoming transaction data, all logs (for example, transaction, history, debugging, error), history files, trace files, several database schemas, database contents
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-aws-complianceStart the Powerpipe server:
steampipe service startpowerpipe serverOpen http://localhost:9033 in your browser and select 3.2.3 Do not store the personal identification number (PIN) or the encrypted PIN block after authorization.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v321_requirement_3_2_3Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.pci_dss_v321_requirement_3_2_3 --shareControls
- API Gateway stage logging should be enabled
- At least one multi-region AWS CloudTrail should be present in an account
- At least one enabled trail should be present in a region
- CloudTrail trails should be integrated with CloudWatch logs
- ELB application and classic load balancer logging should be enabled
- Database logging should be enabled
- WAF web ACL logging should be enabled
- Logging should be enabled on AWS WAFv2 regional and global web access control list (ACLs)