Warnings for PCI DSS Violations

When EFT warns you of a non-compliant setting and you do not change it to a setting that meets the PCI DSS requirement, you can instead specify the compensating controls (hardware, software, or policy) that you are using to satisfy the requirement. The information that you provide in the warning message appears in the PCI DSS Compliance Report, which you can provide to Qualified Security Assessors (QSAs) or Approved Scanning Vendors (ASVs), individuals certified by the PCI Security Standards Council as qualified to validate compliance with the PCI DSS requirements.

For Sites created using the "strict security settings" option, if you attempt to change a setting that would cause EFT to no longer meet PCI DSS requirements, EFT does not commit the change when you click Apply. Instead, a warning message appears that describes one or more violations.

If you do not activate the Advanced Security module (for EFT Enterprise) or the Express Security module (for EFT Express), this feature is disabled after the 30-day trial expires.

For each violation identified in the PCI DSS Violations dialog box, you can accept the non-compliant setting (Apply this change anyway) and provide a reason for accepting each setting (e.g., if you are using an alternate solution) or you can discard the change (Don't apply this change). If you accept the change and provide a reason, the warning and the reason that you provided appear in the PCI DSS Compliance Report.

Related settings are audited and reported on as a group (e.g., all of the SSL-related settings or all of the account-related settings). For example, suppose that on Monday you disable the account lockout settings for a user and specify in the PCI DSS Violations dialog box your reason for allowing this non-compliant setting. Then on Wednesday, you change a complex password setting. The PCI DSS Violations dialog box appears and displays both of these settings, as well as any others for which you previously provided a reason, and you must allow the change and specify a reason, or discard the change, for each of the non-compliant settings before EFT commits the changes. (That is, the allow or discard flag is tracked separately for each setting, but the settings are audited and reported on as a group.) This behavior is designed to remind you of the non-compliant settings in case you want to bring them into compliance in EFT.

If PCI DSS Violations are detected

  1. Click a violation in the list, then do one of the following for each of the violations listed:

  2. Click Continue. You must address each violation in the list before you can click Continue.

Reporting of failed items occurs at the highest level of failure only, except in the case of an explicit setting that violates compliance. For example:

EFT stores the PCI DSS compensating-controls information that you provide in its auditing database (ARM). If ARM is disabled, violations are still identified in the report; however, the justifications that you type when you accept a non-compliant setting are not recorded in the database. You can still run the report, but the justifications that you provide will not appear in it. When a setting that violates PCI DSS compliance is changed via the COM API, EFT rejects the change and returns the error code "error 53."