Control Objective 2: Protect Account Data
This includes protecting stored cardholder data, encrypting transmission of cardholder data across networks, and ensuring encryption keys are stored properly. This control objective covers the following PCI DSS requirements:
Requirement 3: Protect stored account data
Requirement 4: Protect cardholder data with strong cryptography during transmission over open, public networks
Note: Requirement 3 covers the controls around account data that is printed or stored in any form. Account data comprises both cardholder data and sensitive authentication data. While this requirement is not supported by Tenable directly, the recommended practice is to keep storage of account data to a minimum: do not store sensitive authentication data (SAD) after authorization; restrict the display of the full primary account number (PAN) and cardholder data; and secure the PAN, account data, and any cryptographic keys used to protect that data wherever they are stored.
PCI Requirements Under This Objective Supported by Tenable
Requirement 4: Protect cardholder data with strong cryptography during transmission over open, public networks
Requirement 4 applies only to the transmission of PAN unless specifically called out in an individual requirement. PAN transmissions can be protected by encrypting the data before transmission, by encrypting the session over which the data is transmitted, or both. PCI DSS v4 does not require that strong cryptography be applied at both the data level and the session level, but it recommends both.
At the session level, system configurations should be verified to ensure that strong cryptography and security protocols are implemented, and that keys and/or certificates that cannot be verified are rejected. Some protocol implementations, such as SSL, SSH v1.0, and earlier versions of TLS, have known vulnerabilities. Entities should be aware of industry-defined deprecation dates for the cipher suites in use. Certificates should be verified to ensure the integrity of all secure connections.
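To make the session-level checks above concrete, the following added example (not Tenable code) uses Python's standard ssl module to put a client configuration with the weak settings beside a hardened one, and a small assessor that raises the findings the paragraph describes. The function names and the finding wording are my own.

```python
import ssl

def weak_client_context() -> ssl.SSLContext:
    """The kind of configuration the requirement asks you to find and fix:
    any key/certificate is accepted and early TLS can still be negotiated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False               # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE          # unverifiable certificates are not rejected
    ctx.minimum_version = ssl.TLSVersion.TLSv1   # early TLS remains negotiable
    return ctx

def hardened_client_context() -> ssl.SSLContext:
    """Session-level controls from the text: verified chain and hostname, TLS 1.2 or later."""
    ctx = ssl.create_default_context()       # CERT_REQUIRED + check_hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def assess_context(ctx: ssl.SSLContext) -> list[str]:
    """Findings a reviewer would raise against a client TLS configuration (wording is ours)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("unverifiable keys/certificates are accepted")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the server name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("SSL or early TLS versions can be negotiated")
    return findings

if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(name, assess_context(ctx) or ["no findings"])
```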
For Tenable Vulnerability Management, the Protect Account Data widget provides details on each of the compliance controls for the compliance family group being referenced.
This widget focuses on the category Protect Account Data, which covers topics within PCI requirements 3 and 4. Both requirements cover protecting stored cardholder data and the encrypted transmission of cardholder data. The compliance control reference number is followed by a count and the compliance result for that control. The specific controls referenced are: 4.2.1 | 3.5.1 | 3.3.2 | 3.2.1
Compliance Audit Files
Additionally, audit files such as the TNS File Analysis - Credit Card Number audit file contain a number of file content checks. This audit file searches files such as pdf, docx, txt, xls and more for major credit cards (American Express, Discover, Maestro, MasterCard, VISA, UnionPay) and any potential credit card number, CVV or PIN. The .audit file searches the first 50K bytes of each file for valid credit card numbers using regular expressions. Since potential credit card data may be found, only the last four digits of the number are shown in the output. An example is shown below:
<item>
type : FILE_CONTENT_CHECK
description : "PII - Determine if a file contains a valid American Express credit card number."
file_extension : "pdf" | "doc" | "xls" | "xlsx" | "xlsm" | "xlsb" | "xml" | "xltx" | "xltm" | "docx" | "docm" | "dotx" | "dot" | "txt"
regex : "([^0-9-]|^)(3[47][0-9]{2}( |-|)[0-9]{6}( |-|)[0-9]{5})([^0-9-]|$)"
expect : "American Express" | "CCAX" | "amex" | "credit" | "AMEX" | "CCN"
max_size : "50K"
only_show : "4"
regex_replace : "\3"
</item>
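The following added example (my own code, not part of the audit file or Tenable's engine) reproduces what the audit item above does: it applies the item's regex to the first 50K of a file's content, keeps only numbers that pass a Luhn check (the "valid credit card numbers" the text refers to), and masks all but the last four digits. The sample content is constructed; the Luhn step and the masking format are my assumptions about the engine's behaviour.

```python
import re

# Regex copied verbatim from the audit item shown above (group 2 is the whole number).
AMEX_RE = re.compile(r"([^0-9-]|^)(3[47][0-9]{2}( |-|)[0-9]{6}( |-|)[0-9]{5})([^0-9-]|$)")
MAX_SIZE = 50 * 1024  # mirrors max_size : "50K" (applied here to characters)
ONLY_SHOW = 4         # mirrors only_show : "4" - digits left visible in the output

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: separates a real card number from digit runs that merely match."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_amex(content: str) -> list[str]:
    """Return masked American Express numbers found in the first MAX_SIZE characters."""
    hits = []
    for m in AMEX_RE.finditer(content[:MAX_SIZE]):
        digits = re.sub(r"[ -]", "", m.group(2))   # drop the optional separators
        if luhn_ok(digits):
            hits.append("*" * (len(digits) - ONLY_SHOW) + digits[-ONLY_SHOW:])
    return hits

# Constructed sample file content (not real cardholder data): the first number is a
# public test-card value, the second is the same value altered so the Luhn check fails.
SAMPLE = (
    "Invoice 2024-117\n"
    "AMEX card on file: 3782 822463 10005\n"
    "Order ref 3782-822463-10006 (looks like a card, fails Luhn)\n"
    "Visa ending 4242 is covered by a separate audit item\n"
)

if __name__ == "__main__":
    for masked in find_amex(SAMPLE):
        print("possible AMEX number:", masked)
```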
Secure Sockets Layer
SSL and TLS are both cryptographic protocols which provide data encryption between network devices. The National Institute of Standards and Technology has stated that Secure Sockets Layer (SSL) v3.0 is no longer acceptable for protection of data due to inherent weaknesses within the protocol. As such, no version of SSL meets the PCI DSS definition of "strong cryptography".
SSL remains a common component of web security used to encrypt data transmitted between a browser and a website, ensuring that sensitive information, such as login information and payment details, is protected from eavesdropping. Therefore, organizations should assess all their SSL/TLS implementations. Dashboards such as Maintaining Data Protection Controls for Tenable Security Center contain components which report on SSL/TLS, Encryption, Certificate Status, and more, assisting organizations in demonstrating to third parties and regulatory bodies that sensitive data is protected in accordance with Data Loss Prevention requirements.
Tenable Vulnerability Management widgets such as SSL Certs That are Expired or Soon-to-Expire and SSL -TLS Insecure Communications Issues and Info list, respectively, assets whose SSL certificates have already expired or will soon expire, and the current SSL and TLS insecure communication exposures in the environment.
Web Application Scanning
Tenable Web App Scanning contains a predefined scan policy which allows for deep analysis of the SSL configuration of a web server on the public internet. This scan result provides insight into the organization's SSL/TLS configuration based on industry standards.