PCI DSS in Yandex Cloud
Note: This feature is at the Preview stage.
These rules help you automate compliance with data security standards designed to protect payment card data.
The standard was established by the Payment Card Industry Security Standards Council (PCI SSC) founded by major international payment systems including Visa, MasterCard, American Express, Discover, and JCB.
To ensure PCI DSS compliance, use the following rules:
| Requirement ID | Security standard requirement | Check IDs in the CSPM module |
|---|---|---|
| 1. Installing and maintaining network security controls | | |
| 1.2 | Configuration and maintenance of network security controls (NSCs) | cspm.network.firewall |
| 1.3 | Restricted network access to and from the cardholder data environment (CDE) | cspm.network.db-security-group |
| 1.4 | Control of network connections between trusted and untrusted networks | |
| 2. Applying secure configurations to all system components | | |
| 2.2 | Secure configuration and management of system components | cspm.data.storage-https |
| 3. Protecting stored account data | | |
| 3.2, 3.3, 3.4 | Minimized storage time, prohibition on storing sensitive authentication data (SAD), masked PAN display | |
| 3.5 | Ensuring that stored PANs are unreadable | cspm.data.object-storage-encryption |
| 3.6, 3.7 | Protection and management of cryptographic keys | cspm.crypto.sa-key-rotation |
| 4. Protecting transmission of cardholder data over public networks with strong cryptography | | |
| 4.2 | Protection of PANs with strong cryptography during transmission | cspm.data.storage-https |
| 5. Protecting all systems and networks against malware | | |
| 5.2, 5.3 | Prevention, detection, and removal of malware; ensuring the mechanisms are actively running | |
| 5.4 | Protecting users against phishing attacks | |
| 6. Developing and maintaining secure systems and software | | |
| 6.3 | Detecting and addressing security vulnerabilities | cspm.active.ip-vulnerability-scan |
| 6.4 | Protecting public-facing web applications against attacks | cspm.appsec.use-sws |
| 7. Restricting access to system components and cardholder data based on need to know | | |
| 7.2 | Proper identification of system components and data and provision of access to them | cspm.access.min-privileges |
| 7.3 | Managing access to system components and data via one or more access management systems | |
| 8. User identification and authentication for access to system components | | |
| 8.3 | Reliable authentication for users and administrators | |
| 8.6 | Managing the use of application or system accounts | |
| 10. Recording and monitoring all access events to system components and cardholder data | | |
| 10.2 | Generating security event logs with required details | cspm.o11y.audit-trails |
| 11. Regular testing of system and network security | | |
| 11.3 | Regular detection, prioritization, and elimination of external and internal vulnerabilities | |
| 12. Maintaining information security with organizational policies and programs | | |
| 12.10 | Incident response | |