Benchmark: PCI DSS 3.2.1
Overview
The Payment Card Industry (PCI) Data Security Standard (DSS) is a global information security standard designed to prevent fraud through increased control of credit card data. The PCI Security Standards Council (PCI SSC) is a global forum that brings together payments industry stakeholders to develop and drive adoption of data security standards, including PCI DSS.
Compliance with PCI DSS is required for any organization that stores, processes, or transmits cardholder data, which, at a minimum, consists of the full primary account number (PAN), a unique payment card number that identifies the issuer and the particular cardholder account. Cardholder data may also appear as a full PAN plus additional information such as cardholder name, expiration date, and service code. Sensitive authentication data that may be transmitted or processed (but must not be stored after authorization) as part of a payment transaction contains additional data elements that must also be protected, including the full track data from the card chip or magnetic stripe, PINs, PIN blocks, and so on.
The PCI DSS designates four levels of compliance based on transaction volume, with Service Provider Level 1 corresponding to the highest volume of transactions at more than 6 million a year. The assessment results in an Attestation of Compliance (AoC), which is available to customers, and a Report on Compliance (RoC), both issued by an approved Qualified Security Assessor (QSA). The effective period for compliance begins upon passing the audit and receiving the AoC from the QSA and ends one year from the date the AoC is signed.
Microsoft Azure maintains a PCI DSS validation using an approved Qualified Security Assessor (QSA), and is certified as compliant under PCI DSS version 3.2.1 at Service Provider Level 1. The Attestation of Compliance (AoC) produced by the QSA is available for download. If you build a cardholder data environment (CDE) or card-processing service on Azure, you can rely on the Azure validation for the underlying platform, reducing the effort and cost of your own PCI DSS validation; the controls you configure inside your CDE still have to be assessed, which is what this benchmark helps you check.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-azure-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select PCI DSS 3.2.1.
Run this benchmark in your terminal:
powerpipe benchmark run azure_compliance.benchmark.pci_dss_v321
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run azure_compliance.benchmark.pci_dss_v321 --share
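The steps above produce an on-screen report or a shared snapshot; in a CI pipeline you usually also want a machine-readable result you can fail a job on. The script below is an added example, not code from the steampipe-mod-azure-compliance project: it reads a benchmark result exported as JSON, tallies control results by status, lists the failing resources, and returns a non-zero exit code when any control is in alarm or error. The nested shape it walks (benchmark groups containing "groups" and "controls", each control carrying "results" with a "status") is an assumption about what `powerpipe benchmark run azure_compliance.benchmark.pci_dss_v321 --export json` writes, so adjust the key names if your export differs; the control IDs, resource IDs and reasons in the embedded sample are constructed for the example and are not real mod controls or scan output.

```python
"""Summarise a Powerpipe benchmark JSON export and gate a CI job on it.

Added example for this page, not part of the Azure compliance mod.
Assumed export shape (verify against your own --export json output):

  {"group_id": ..., "title": ..., "groups": [ <group>... ],
   "controls": [ {"control_id": ..., "title": ...,
                  "results": [ {"status": ..., "resource": ..., "reason": ...} ] } ] }
"""
import json
import sys
from collections import Counter

# Constructed sample export (hypothetical control IDs and resources).
SAMPLE_EXPORT = json.dumps({
    "group_id": "azure_compliance.benchmark.pci_dss_v321",
    "title": "PCI DSS 3.2.1",
    "groups": [
        {
            "group_id": "example.benchmark.requirement_1",
            "title": "Requirement 1 - Install and maintain a firewall configuration",
            "groups": [],
            "controls": [
                {
                    "control_id": "example.control.nsg_rdp_restricted",
                    "title": "NSGs do not allow RDP from the internet",
                    "results": [
                        {"status": "alarm",
                         "resource": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-cde/providers/Microsoft.Network/networkSecurityGroups/nsg-web",
                         "reason": "nsg-web allows RDP from 0.0.0.0/0."},
                        {"status": "ok",
                         "resource": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-cde/providers/Microsoft.Network/networkSecurityGroups/nsg-db",
                         "reason": "nsg-db restricts RDP."},
                    ],
                },
            ],
        },
        {
            "group_id": "example.benchmark.requirement_3",
            "title": "Requirement 3 - Protect stored cardholder data",
            "groups": [
                {
                    "group_id": "example.benchmark.requirement_3_4",
                    "title": "3.4 Render PAN unreadable anywhere it is stored",
                    "groups": [],
                    "controls": [
                        {
                            "control_id": "example.control.storage_cmk_encryption",
                            "title": "Storage accounts use customer-managed keys",
                            "results": [
                                {"status": "error",
                                 "resource": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-cde/providers/Microsoft.Storage/storageAccounts/stcde001",
                                 "reason": "Query failed: insufficient permissions."},
                            ],
                        },
                    ],
                },
            ],
            "controls": [
                {
                    "control_id": "example.control.sql_tde_enabled",
                    "title": "SQL databases have TDE enabled",
                    "results": [
                        {"status": "ok", "resource": "sqldb-cde", "reason": "TDE enabled."},
                        {"status": "skip", "resource": "sqldb-legacy", "reason": "Control not applicable."},
                    ],
                },
            ],
        },
    ],
    "controls": [],
})

FAIL_STATUSES = ("alarm", "error")


def iter_controls(node):
    """Yield every control object reachable from a benchmark group, depth first."""
    for control in node.get("controls", []):
        yield control
    for group in node.get("groups", []):
        yield from iter_controls(group)


def summarize(export_text):
    """Parse an export and return per-status counts plus the failing results."""
    root = json.loads(export_text)
    counts = Counter()
    failing = []
    for control in iter_controls(root):
        for result in control.get("results", []):
            status = result.get("status", "error")  # treat missing status as an error
            counts[status] += 1
            if status in FAIL_STATUSES:
                failing.append((control["control_id"], status,
                                result.get("resource", "<unknown>"), result.get("reason", "")))
    return {"title": root.get("title", root.get("group_id", "")), "counts": counts, "failing": failing}


def gate(summary, fail_on=FAIL_STATUSES):
    """Return 1 when any result has a status in fail_on, else 0 (a CI exit code)."""
    return 1 if any(summary["counts"][s] for s in fail_on) else 0


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_EXPORT
    summary = summarize(text)
    print(f"{summary['title']}: " + ", ".join(f"{k}={v}" for k, v in sorted(summary["counts"].items())))
    for control_id, status, resource, reason in summary["failing"]:
        print(f"  [{status}] {control_id}\n      {resource}\n      {reason}")
    return gate(summary)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 gate.py results.json` after `powerpipe benchmark run azure_compliance.benchmark.pci_dss_v321 --export results.json`; with no argument it runs against the embedded sample. Results in `error` are treated as failures on purpose: a control that could not query a resource (for example because the Steampipe identity lacks a role) tells you nothing about that resource's compliance, and silently passing it would hide a gap in your evidence.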
Benchmarks
- Requirement 1 - Install and maintain a firewall configuration to protect cardholder data
- Requirement 3 - Protect stored cardholder data
- Requirement 4 - Encrypt transmission of cardholder data across open, public networks
- Requirement 5 - Protect all systems against malware and regularly update anti-virus software or programs
- Requirement 6 - Develop and maintain secure systems and applications
- Requirement 7 - Restrict access to cardholder data by business need-to-know
- Requirement 8 - Identify and authenticate access to system components
- Requirement 10 - Track and monitor all access to network resources and cardholder data
- Requirement 11 - Regularly test security systems and processes