PCI-DSS report

The PCI-DSS Compliance Review report provides an overview of the compliance status of security systems and processes as per PCI-DSS version 3.1. It highlights that only 12.5% of the PCI requirements are compliant, with 21 non-compliant requirements categorized by severity. The report also includes details on Fortinet Security Best Practices, showing a 27.27% pass rate with several critical failures identified.

Uploaded by deepakjangale94

PCI-DSS Compliance Review
Report Date: April 5, 2019 15:17
Data Range: 2019-03-31 00:00 to 2019-04-05 15:17 PDT (FAZ local)
Table of Contents

PCI-DSS Compliance Review  2
    About PCI DSS  2
PCI-DSS Requirements Compliance  3
    PCI Compliance Summary  3
    Non-Compliant Requirements by Severity  3
    Compliant Requirements by Severity  3
Fortinet Security Best Practice  4
    Fortinet Security Best Practice Summary  4
    Failed Fortinet Security Best Practices by Severity  4
    Passed Fortinet Security Best Practices by Severity  4
PCI-DSS Requirements Compliance Details  5
Fortinet Security Best Practice Details  7
Appendix A  8
    Devices  8

PCI-DSS Compliance Review (by admin) - FortiAnalyzer Host Name: FAZ3900E-105 page 1 of 8
PCI-DSS Compliance Review
This report is designed to help meet PCI-DSS requirements by providing a view of compliant and non-compliant
security systems and processes that are regularly tested under Fortinet Best Practice controls. The validations in this
report are in accordance with the requirements of PCI-DSS version 3.1.

About PCI DSS

The Payment Card Industry Data Security Standard (PCI-DSS) is a set of policies and procedures, mandated by the
four major credit-card companies (Visa, MasterCard, Discover and American Express), with the intention of
improving the security of credit and debit card transactions and of protecting cardholders against theft and misuse of
their personal information. Any company that is involved in the transmission, processing or storage of credit card
data must be compliant with PCI-DSS.

PCI is divided into 12 main requirements, and further broken down into approximately 200 control areas.

Goals and PCI DSS Requirements

Build and Maintain a Secure Network
    1. Install and maintain a firewall configuration to protect cardholder data
    2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
    3. Protect stored cardholder data
    4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
    5. Use and regularly update anti-virus software or programs
    6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
    7. Restrict access to cardholder data by business need-to-know
    8. Assign a unique ID to each person with computer access
    9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
    10. Track and monitor all access to network resources and cardholder data
    11. Regularly test security systems and processes

Maintain an Information Security Policy
    12. Maintain a policy that addresses information security for employees and contractors

There are different levels of PCI Compliance depending on the number of transactions that are being processed by
the company.

PCI Compliance Level 1: Over 6 million Visa and/or MasterCard transactions processed per year
PCI Compliance Level 2: 1 million to 6 million Visa and/or MasterCard transactions processed per year
PCI Compliance Level 3: 20,000 to 1 million Visa and/or MasterCard e-commerce transactions processed per year
PCI Compliance Level 4: Fewer than 20,000 Visa and/or MasterCard e-commerce transactions processed per year, or any other merchant processing up to 1 million Visa and/or MasterCard transactions per year

PCI-DSS Requirements Compliance

PCI Compliance Summary

Compliant: 3 of 24 requirements (12.50 % Compliant)
Non-Compliant: 21 of 24 requirements

Non-Compliant Requirements by Severity

The following provides a summary of the number of PCI requirements that are non-compliant, by Fortinet Security
Best Practice Severities.

Critical: 2
High: 15
Medium: 2
Low: 2
Total: 21

Compliant Requirements by Severity

The following provides a summary of the number of PCI requirements that are compliant, by Fortinet Security Best
Practice Severities.

High: 3
Total: 3

Fortinet Security Best Practice

Fortinet Security Best Practice Summary

Passed: 6 of 22 checks (27.27 % Passed)
Failed: 16 of 22 checks

Failed Fortinet Security Best Practices by Severity

The following are the Fortinet Security Best Practice requirements that did not pass verification, by Severity Level.

Critical: 10
High: 2
Medium: 1
Low: 3
Total: 16

Passed Fortinet Security Best Practices by Severity

The following are the Fortinet Security Best Practice requirements that passed verification, by Severity Level.

Critical: 3
Low: 3
Total: 6

PCI-DSS Requirements Compliance Details
The following provides a breakdown of the standards that are compliant and non-compliant with PCI requirements,
as verified by Fortinet Best Practice controls.

Fortinet PCI ID | PCI Requirement | PCI Compliance | FTNT Best Practice IDs
80010105 | 1.1 Establish and implement firewall and router configuration standards that include the following: 1.1.5 Description of groups, roles, and responsibilities for management of network components | Non-Compliant | FTNT-030152, FTNT-030153, FTNT-030171
80010107 | 1.1 Establish and implement firewall and router configuration standards that include the following: 1.1.7 Requirement to review firewall and router rule sets at least every six months | Non-Compliant | FTNT-030152, FTNT-030153
80010201 | 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic. | Non-Compliant | FTNT-050112, FTNT-050113, FTNT-050118, FTNT-050126, FTNT-050129, FTNT-050131, FTNT-050132
80010306 | 1.3.6 Implement stateful inspection, also known as dynamic packet filtering. (That is, only established connections are allowed into the network.) | Non-Compliant | FTNT-030165
80040100 | 4.1 Use strong cryptography and security protocols (for example, TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks. | Non-Compliant | FTNT-040102
80050200 | 5.2 Ensure that all anti-virus mechanisms are maintained. | Compliant | FTNT-030171
80060100 | 6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking. | Compliant | FTNT-040114
80060600 | 6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks. | Non-Compliant | FTNT-050142
80080106 | 8.1.6 Limit repeated access attempts by locking out the user ID after not more than six attempts. | Compliant | FTNT-030160
80080107 | 8.1.7 Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID. | Non-Compliant | FTNT-030162, FTNT-030163
80100201 | 10.2 Implement automated audit trails for all system components to reconstruct the following events: 10.2.1 All individual user accesses to cardholder data | Compliant | FTNT-030171
80100202 | 10.2 Implement automated audit trails for all system components to reconstruct the following events: 10.2.2 All actions taken by any individual with root or administrative privileges | Compliant | FTNT-030171
80100203 | 10.2 Implement automated audit trails for all system components to reconstruct the following events: 10.2.3 Access to all audit trails | Compliant | FTNT-030171
80100204 | 10.2 Implement automated audit trails for all system components to reconstruct the following events: 10.2.4 Invalid logical access attempts | Compliant | FTNT-030171
80100205 | 10.2 Implement automated audit trails for all system components to reconstruct the following events: 10.2.5 Use of and changes to identification and authentication mechanisms, including but not limited to creation of new accounts and elevation of privileges, and all changes, additions, or deletions to accounts with root or administrative privileges. | Compliant | FTNT-030171
80100206 | 10.2 Implement automated audit trails for all system components to reconstruct the following events: 10.2.6 Initialization, stopping, or pausing of the audit logs | Compliant | FTNT-030171
80100207 | 10.2 Implement automated audit trails for all system components to reconstruct the following events: 10.2.7 Creation and deletion of system-level objects | Compliant | FTNT-030171
80100301 | 10.3 Record at least the following audit trail entries for all system components for each event: 10.3.1 User identification | Compliant | FTNT-030171
80100302 | 10.3 Record at least the following audit trail entries for all system components for each event: 10.3.2 Type of event | Compliant | FTNT-030171
80100303 | 10.3 Record at least the following audit trail entries for all system components for each event: 10.3.3 Date and time | Compliant | FTNT-030171
80100304 | 10.3 Record at least the following audit trail entries for all system components for each event: 10.3.4 Success or failure indication | Compliant | FTNT-030171
80100305 | 10.3 Record at least the following audit trail entries for all system components for each event: 10.3.5 Origination of event | Compliant | FTNT-030171
80100306 | 10.3 Record at least the following audit trail entries for all system components for each event: 10.3.6 Identity or name of affected data, system component, or resource. | Compliant | FTNT-030171
80100700 | 10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup). | Compliant | FTNT-030171
80110201 | 11.2.1 Perform quarterly internal vulnerability scans and rescans as needed, until all high-risk vulnerabilities (as identified in Requirement 6.1) are resolved. Scans must be performed by qualified personnel. | Non-Compliant | FTNT-040103, FTNT-040113, FTNT-040114
80110203 | 11.2.3 Perform internal and external scans, and rescans as needed, after any significant change. Scans must be performed by qualified personnel. | Non-Compliant | FTNT-040103, FTNT-040113, FTNT-040114
80110400 | 11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. | Non-Compliant | FTNT-040106, FTNT-040109, FTNT-040110, FTNT-040114

Fortinet Security Best Practice Details
FTNT ID | Description/Goal | Severity | Feature Category
FTNT-030152 | Check that each Firewall rule has a Name defined | High | Firewall
FTNT-030153 | Check that each Firewall rule has a Comment defined | Low | Firewall
FTNT-030160 | Check that Administrators are locked out after 3 login failures | Low | Firewall
FTNT-030162 | Check that Administrators' accounts are unlocked after 30 minutes | Low | Firewall
FTNT-030163 | Check that a message is displayed to locked out Administrators | Low | Firewall
FTNT-030165 | Check that dropped out-of-state TCP packets are logged | Critical | Firewall
FTNT-030171 | Check that all audit trails include date, time and user identification | Critical | Firewall
FTNT-040102 | Check that the default IPS profiles have the default action set to block | Critical | IPS
FTNT-040103 | Check that IPS protection is enabled on the Firewall policy | Critical | IPS
FTNT-040106 | Check the Severity-based Protections in the IPS Policy | Critical | IPS
FTNT-040109 | Check that the IPS Profile includes Protocol Anomalies protections | Low | IPS
FTNT-040110 | Check that there are no general exclusions to the activated IPS protections | Critical | IPS
FTNT-040113 | Check that FGT performs IPS inspection on all traffic | Medium | IPS
FTNT-040114 | Check that the IPS module has an updated IPS signature package | Low | IPS
FTNT-050112 | Check that P2P file sharing-related sites are being blocked by a WF policy | Critical | WF
FTNT-050113 | Check that Spam-related sites are being blocked by a WF policy | Critical | WF
FTNT-050118 | Check that Hacking-related sites are being blocked by a WF policy | Critical | WF
FTNT-050126 | Check that proxy-related sites are being blocked by a WF policy | Critical | WF
FTNT-050129 | Check that Bot net-related sites are being blocked by a WF policy | Critical | WF
FTNT-050131 | Check that Phishing-related sites are being blocked by a WF policy | Critical | WF
FTNT-050132 | Check that Spyware / Malicious sites are being blocked by a WF policy | Critical | WF
FTNT-050142 | Check that SSH-SSL deep inspection with WF enabled drops traffic from servers with invalid server certificates | High | WF

Appendix A
Devices

Corp_SMTP_Master
FCTEMS0000097517
FCTEMS0573290902[fcm_root]
FCTEMS0573290902[root]
FCTEMS3897481880[fcm_root]
FCTEMS3897481880[root]
FG101E4Q17003734
FI400B3913000032
FI800B3913000032
FL-1KD3A15000422
FSA1KD3A14000038
FSA1KD3A14000106[None]
FSA1KD3A14000106[one]
FSA1KD3A14000106[root]
FSA3KD3R15000021
FSA3KD3R16000215
FWB-Srv172_16_100_FV-1KD
New_Van_Office_Wifi
PM-Sandbox
Van_Office_FW2[fcm_root]
Van_Office_FW2[roo]
Van_Office_FW2[root]
Van_Office_QA
Weixiang_WiFi[lab]
Weixiang_WiFi[root]
Weixiang_WiFi[tp]
Weixiang_WiFi[vd1]
CorpFW
csf-v62
