Supported rules for Payment Card Industry Data Security Standard v4.0.1 (SPE2501)

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to protect cardholder data from breaches and fraud. It requires businesses to adopt consistent data security measures globally to secure systems, protect stored data, encrypt data transmission, and implement strong access controls. Compliance helps ensure the safety and security of credit card transactions.

PCI DSS provides a baseline of technical and operational requirements designed to protect account data. While specifically designed to focus on environments with payment account data, PCI DSS can also be used to protect against threats and secure other elements in the payment ecosystem.

BMC AMI Security Policy Manager (SPM) supports automatic audits of multiple z/OS settings to verify compliance with PCI DSS v4.0.1, saving hundreds of employee-hours and helping businesses adhere to the highest security standards. SPM provides a consolidated PCI DSS report that displays the controls in place for this common payment regulation, with which businesses must comply and align.

In SPM, the PCI DSS reports are identified by the PR4nnn naming convention. For example, for compliance rule PR4222:

  • P = PCI DSS
  • R = RACF
  • 4 = version 4.0.1
  • 222 = report 2.2.2

SPM supports compliance testing for the following PCI DSS rules. Each entry lists the PCI DSS requirement, the rule description, the reference in SPM, and additional information with regards to SPM.

PCI DSS Requirement 10.5
  Rule description: Audit log history is retained and available for analysis.
  Reference in SPM: PR4105
  Additional information: You cannot modify the audit log history. The SMF dump file is restricted so that only the user associated with the IFASMFDP dump job has UPDATE or greater access.

PCI DSS Requirement 10.3
  Rule description: Audit logs are protected from destruction and unauthorized modifications.
  Reference in SPM: PR4103
  Additional information: The SMF data sets MAN1 and MAN2 must be protected; these are the load-balancing SMF logging data sets. A user must never be granted UPDATE or higher access to these data sets.

PCI DSS Requirement 10.2
  Rule description: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.
  Reference in SPM: PR4102
  Additional information: SMF type 80, 81, and 83 records are enabled. This ensures that the granting of elevated privileges and of access to general resources is logged. Make sure that SMF logging is active.

PCI DSS Requirement 8.6.3
  Rule description: Passwords/passphrases for any application and system accounts are protected against misuse as follows:
    • Passwords/passphrases are changed periodically (at the frequency defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1) and upon suspicion or confirmation of compromise.
    • Passwords/passphrases are constructed with sufficient complexity appropriate for how frequently the entity changes the passwords/passphrases.
  Reference in SPM: PR4863
  Additional information: Ensure the following SETROPTS settings:
    • The password must be enabled for MIXEDCASE and SPECIALCHARS.
    • ENCRYPTION must be set to KDFAES or DES.
    • The password INTERVAL must be set to less than 90 days.
    • REVOKE must be set to a maximum of 10 unsuccessful password attempts.
    • Password HISTORY must be set to 4 or a greater value.

PCI DSS Requirement 8.3.6
  Rule description: If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the following minimum level of complexity:
    • A minimum length of 12 characters (or, if the system does not support 12 characters, a minimum length of eight characters).
    • Contain both numeric and alphabetic characters.
  Reference in SPM: PR4836
  Additional information: The password must be alphanumeric and a minimum of 8 characters in length. If ENCRYPTION is set to KDFAES, then the passphrase must have a minimum of 9 characters.

PCI DSS Requirement 8.3.4
  Rule description: Invalid authentication attempts are limited by locking out the user ID after not more than 10 attempts.
  Reference in SPM: PR4834
  Additional information: The REVOKE parameter must be set to a maximum of 10 unsuccessful password attempts before account lockout.

PCI DSS Requirement 8.2.6
  Rule description: Inactive user accounts are removed or disabled within 90 days of inactivity.
  Reference in SPM: PR4826
  Additional information: The SETROPTS INACTIVE parameter must be set to less than 90 days. Users who are active but whose last access date is more than 90 days old must be reported, and revoked or disabled.

PCI DSS Requirement 2.2.2
  Rule description: Vendor default accounts are managed as follows:
    • If the vendor default account(s) will be used, the default password is changed per Requirement 8.3.6.
    • If the vendor default account(s) will not be used, the account is removed or disabled.
  Reference in SPM: PR4222
  Additional information: The default password of the vendor ID must be changed and the ID revoked.
  Important: Currently, only the IBMUSER vendor ID is supported.
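As an added example (not SPM's own code), the following Python evaluates a set of RACF SETROPTS password and inactivity values against the thresholds described for PR4863, PR4836, PR4834, and PR4826 above, including the KDFAES passphrase minimum. The dataclass field names and the sample values are constructed for illustration and are not SPM or RACF identifiers.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordSettings:
    """Subset of SETROPTS values the PR48xx rules look at.
    Field names are assumptions for this example, not RACF keywords."""
    mixedcase: bool             # MIXEDCASE password support in effect
    specialchars: bool          # SPECIALCHARS support in effect
    encryption: str             # ENCRYPTION: "KDFAES" or "DES"
    interval_days: int          # password INTERVAL in days (0 = not set)
    revoke_attempts: int        # REVOKE threshold (0 = no lockout)
    history: int                # password HISTORY generations kept
    min_password_length: int    # minimum length enforced by the password rules
    min_passphrase_length: int  # minimum passphrase length enforced
    alphanumeric_rule: bool     # rules require both alphabetic and numeric chars
    inactive_days: int          # INACTIVE interval in days (0 = not set)


def check_settings(s: PasswordSettings) -> list:
    """Return one finding per failed check; an empty list means all checks pass."""
    f = []
    # PR4863 (Requirement 8.6.3): password construction and rotation controls
    if not s.mixedcase:
        f.append("PR4863: MIXEDCASE is not enabled")
    if not s.specialchars:
        f.append("PR4863: SPECIALCHARS is not enabled")
    if s.encryption not in ("KDFAES", "DES"):
        f.append(f"PR4863: ENCRYPTION is {s.encryption}, expected KDFAES or DES")
    if not 0 < s.interval_days < 90:          # 90 itself does not pass
        f.append(f"PR4863: INTERVAL is {s.interval_days} days, must be less than 90")
    if s.history < 4:
        f.append(f"PR4863: HISTORY is {s.history}, must be 4 or greater")
    # PR4863 and PR4834 (8.3.4): lockout after at most 10 unsuccessful attempts
    if not 0 < s.revoke_attempts <= 10:
        f.append(f"PR4834: REVOKE is {s.revoke_attempts}, must be at most 10")
    # PR4836 (8.3.6): alphanumeric, 8-character minimum; 9 for passphrases under KDFAES
    if not s.alphanumeric_rule or s.min_password_length < 8:
        f.append("PR4836: passwords must be alphanumeric and at least 8 characters")
    if s.encryption == "KDFAES" and s.min_passphrase_length < 9:
        f.append("PR4836: passphrases must be at least 9 characters when ENCRYPTION is KDFAES")
    # PR4826 (8.2.6): inactive IDs revoked within 90 days
    if not 0 < s.inactive_days < 90:
        f.append(f"PR4826: INACTIVE is {s.inactive_days} days, must be less than 90")
    return f


# Constructed samples: one environment that passes, one with several weak settings.
COMPLIANT = PasswordSettings(True, True, "KDFAES", 60, 5, 8, 8, 14, True, 45)
WEAK = PasswordSettings(False, True, "DES", 90, 0, 2, 8, 8, True, 120)
```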
