The PCI DSS Compliance Report displays the requirement name, status (PASSED, FAILED, WARNING), description of the requirement, notes that you typed in the Warning box (explanation, justification, or compensating control), report name, and date the report was generated, and description of the report. The report is grouped by and sorted by PCI DSS Requirement.
If the report is generated after the trial has expired, the report contains a statement stating that the module has expired instead of the standard report.
When in trial or after the module is activate, the report contains the following information:
The status of audited PCI DSS requirements appears in the report.
1.x – DMZ Gateway disabled or no connectivity
2.x – Remote administrator enabled by not secure, vendor defaults in use, insecure protocols in use (FTP, HTTP) or insecure settings (NOOP and FXP), auto-ban/flood detection set too low or disabled, and login credential persistence enabled.
3.x – Disk quotas not present for limiting storage amounts, missing clean-up rule for data retention and disposal compliance.
4.x – Weak cryptography in use (SSL version, cipher strength, manually specified ciphers, weak HMACs), insecure settings such as SSL clear command clear data channel in use.
5.x – No checks
6.x – No checks
7.x – Presence of more than one full-control admin account
8.x – Password length or complexity not enforced, password reuse allowed, idle session timeout disabled or set to high, inactive accounts not disabled or removed after 90 days, failed logins not resulting in account lockout after six (or less) attempts, password reset not allowed, password reset not forced on initial login, anonymous accounts present, and passwords not expiring after 90 days or sooner.
9.x – Secure wiping of deleted data not enabled
10.x – ARM not enabled or no connectivity
11.x – No checks
12.x – No checks
Refer to How EFT Addresses PCI DSS Requirements for details of each requirement.