# PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) v4.0 is the global security standard for any organization that stores, processes, or transmits cardholder data (CHD) or sensitive authentication data. Compliance is required by Visa, Mastercard, American Express, Discover, and other card brands.
Infracast ships 78 automated rules mapped to all 12 PCI DSS requirements, with particular depth in network segmentation, firewall auditing, and encryption validation.
## PCI DSS v4.0 Overview
PCI DSS v4.0 (released March 2022, mandatory since March 2024) introduced several new requirements around multi-factor authentication, targeted risk analysis, and customized implementation options.
### The 12 Requirements
| Req | Title | Infracast Rules |
|---|---|---|
| 1 | Install and Maintain Network Security Controls | 12 |
| 2 | Apply Secure Configurations to All System Components | 9 |
| 3 | Protect Stored Account Data | 8 |
| 4 | Protect Cardholder Data with Strong Cryptography During Transmission | 7 |
| 5 | Protect All Systems and Networks from Malicious Software | 5 |
| 6 | Develop and Maintain Secure Systems and Software | 6 |
| 7 | Restrict Access to System Components and Cardholder Data | 6 |
| 8 | Identify Users and Authenticate Access to System Components | 8 |
| 9 | Restrict Physical Access to Cardholder Data | 0 (attestation) |
| 10 | Log and Monitor All Access to System Components and CHD | 7 |
| 11 | Test Security of Systems and Networks Regularly | 5 |
| 12 | Support Information Security with Organizational Policies | 5 |
## Network Segmentation Validation
PCI DSS Requirement 1 mandates strict network segmentation between the Cardholder Data Environment (CDE) and other networks. Infracast validates this automatically using the infrastructure graph:
### Security Group Auditing

```
// Finding: PCI-REQ1-SSH-FROM-INTERNET
{
  "rule_id": "PCI-REQ1-SSH-FROM-INTERNET",
  "control_id": "PCI-DSS v4.0 Req 1.3.2",
  "severity": "CRITICAL",
  "title": "Security group allows SSH (port 22) from 0.0.0.0/0",
  "description": "Security group 'sg-0abc123' allows unrestricted inbound SSH from the internet.",
  "remediation": "Restrict SSH access to known admin CIDR ranges or a bastion host."
}
```
### CDE Boundary Mapping
Use Infracast's application layer to define your CDE boundary, then scope all PCI checks to in-scope systems:
```
# Define CDE as an application
POST /api/v1/tenants/{tenantID}/applications
{
  "name": "Cardholder Data Environment",
  "tags": ["pci-in-scope", "cde"]
}

# Run the path tracer to validate segmentation
POST /api/v1/tenants/{tenantID}/pathtracer/trace
{
  "source_node_id": "aws:us-east-1:aws.ec2.instance:dev-server",
  "destination_cidr": "10.1.2.0/24",
  "port": 5432,
  "protocol": "tcp"
}
```
If the trace finds a reachable path from out-of-scope systems to the CDE, this is flagged as a finding.
## Firewall Rule Auditing
Infracast evaluates every security group, network ACL, and firewall rule in your infrastructure graph against PCI requirements:
| Rule | Requirement | What's Checked |
|---|---|---|
| PCI-REQ1-NO-ANY-ANY | 1.3.1 | Deny-all default, allow by exception |
| PCI-REQ1-SSH-RESTRICTED | 1.3.2 | SSH not allowed from 0.0.0.0/0 |
| PCI-REQ1-RDP-RESTRICTED | 1.3.2 | RDP (3389) not open to internet |
| PCI-REQ1-DEFAULT-SG-CLEAN | 1.3.3 | Default security group has no traffic rules |
| PCI-REQ1-NACL-RESTRICT | 1.3.4 | NACLs restrict inbound traffic |
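The security-group checks in the table above, as an added example that is not Infracast's own code: it runs the four checks over constructed rule data (the input field names `id`, `is_default`, `ingress`, `egress`, `protocol`, `from_port`, `to_port`, `cidr` are assumptions) and emits findings in the same shape as the finding JSON shown earlier.

```python
# Added example, not Infracast's own code: the Requirement 1 security-group checks from the
# table above, run over constructed data; input field names are assumed, findings mirror the page's JSON.
WORLD = {"0.0.0.0/0", "::/0"}   # "open to the internet" means a source of either CIDR
# (rule_id, control, severity, port or None for an any/any rule, title fragment)
PORT_CHECKS = [
    ("PCI-REQ1-NO-ANY-ANY", "1.3.1", "CRITICAL", None, "allows all traffic from 0.0.0.0/0"),
    ("PCI-REQ1-SSH-RESTRICTED", "1.3.2", "CRITICAL", 22, "allows SSH (port 22) from 0.0.0.0/0"),
    ("PCI-REQ1-RDP-RESTRICTED", "1.3.2", "CRITICAL", 3389, "allows RDP (port 3389) from 0.0.0.0/0"),
]

def rule_admits(rule, port):
    """True if an ingress rule admits TCP to `port`; port=None asks for an any/any rule.
    An all-protocol rule admits every port, so it also trips the SSH and RDP checks."""
    if port is None:
        return rule["protocol"] == "all"
    return rule["protocol"] == "all" or (
        rule["protocol"] == "tcp" and rule["from_port"] <= port <= rule["to_port"])

def finding(rule_id, control, severity, title, sg_id, remediation):
    return {"rule_id": rule_id, "control_id": f"PCI-DSS v4.0 Req {control}",
            "severity": severity, "title": f"Security group {title}",
            "description": f"Security group '{sg_id}' {title}.", "remediation": remediation}

def audit_security_group(sg):
    """Apply the four table checks to one security group; returns a list of findings."""
    found = []
    world_rules = [r for r in sg["ingress"] if r["cidr"] in WORLD]
    for rule_id, control, sev, port, title in PORT_CHECKS:
        if any(rule_admits(r, port) for r in world_rules):
            found.append(finding(rule_id, control, sev, title, sg["id"],
                "Restrict access to known admin CIDR ranges or a bastion host."))
    if sg["is_default"] and (sg["ingress"] or sg["egress"]):   # Req 1.3.3: default SG must be empty
        found.append(finding("PCI-REQ1-DEFAULT-SG-CLEAN", "1.3.3", "HIGH",
            "is the VPC default group but still carries traffic rules", sg["id"],
            "Remove every inbound and outbound rule from the default security group."))
    return found

# Constructed sample: one group exposing SSH, one polluted default group, one clean group.
SAMPLE_GROUPS = [
    {"id": "sg-0abc123", "is_default": False, "egress": [],
     "ingress": [{"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
                 {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"}]},
    {"id": "sg-default", "is_default": True, "egress": [],
     "ingress": [{"protocol": "all", "from_port": 0, "to_port": 65535, "cidr": "10.0.0.0/8"}]},
    {"id": "sg-clean", "is_default": False, "egress": [],
     "ingress": [{"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "10.1.0.0/16"}]},
]

def audit_all(groups=SAMPLE_GROUPS):
    return [f for sg in groups for f in audit_security_group(sg)]
```

Running `audit_all()` on the sample yields two findings: SSH open to the internet on `sg-0abc123` and a non-empty default group; `sg-clean` produces none.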
### Sample Findings Query

```bash
# Get all PCI DSS firewall-related findings
curl -H "Authorization: Bearer $TOKEN" \
  "$API_URL/api/v1/tenants/$TENANT/findings?framework=pci-dss&control_family=req1"
```
## Encryption Checks
PCI DSS Requirements 3 and 4 mandate strong cryptography for stored and transmitted cardholder data:
### Encryption at Rest (Req 3.5)
| Rule | What's Checked |
|---|---|
| PCI-REQ3-EBS-ENCRYPTION | EBS volumes must be encrypted |
| PCI-REQ3-RDS-ENCRYPTION | RDS instances must have encryption at rest |
| PCI-REQ3-S3-ENCRYPTION | S3 buckets must use SSE-S3 or SSE-KMS |
| PCI-REQ3-S3-PUBLIC-BLOCK | S3 bucket public access must be blocked |
| PCI-REQ3-SECRETS-NO-PLAINTEXT | No credentials in EC2 user data or environment vars |
### Encryption in Transit (Req 4.2)
| Rule | What's Checked |
|---|---|
| PCI-REQ4-ELB-HTTPS-ONLY | Load balancers must enforce HTTPS |
| PCI-REQ4-S3-TLS-ONLY | S3 buckets must deny non-TLS requests |
| PCI-REQ4-CLOUDFRONT-HTTPS | CloudFront distributions must enforce HTTPS |
| PCI-REQ4-RDS-TLS | RDS must require TLS connections |
| PCI-REQ4-NO-WEAK-CIPHERS | No TLS 1.0/1.1 or weak cipher suites |
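What PCI-REQ4-S3-TLS-ONLY has to establish, as an added example that is not Infracast's own code: a bucket only refuses plaintext HTTP when a Deny statement for all principals covers both the bucket ARN and its objects with `aws:SecureTransport` set to false. The two bucket policies and the bucket name `card-exports` are constructed for the example.

```python
# Added example, not Infracast's own code: the condition behind PCI-REQ4-S3-TLS-ONLY.
# A bucket only refuses plaintext HTTP when a Deny statement for all principals covers
# the bucket ARN and its objects with aws:SecureTransport=false. Policies are constructed.
def _as_list(value):
    return value if isinstance(value, list) else [value]

def denies_plain_http(policy, bucket):
    """True if the policy contains a Deny that rejects non-TLS requests for the bucket
    and every object in it; a Deny on the object ARN alone still leaves bucket-level
    calls (e.g. ListBucket) reachable over plain HTTP, so both ARNs are required."""
    needed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Deny" or st.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        secure = st.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if str(secure).lower() != "false":      # accepts the JSON string or boolean form
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if not actions & {"*", "s3:*"}:         # a narrower action list leaves gaps
            continue
        if needed <= set(_as_list(st.get("Resource", []))):
            return True
    return False

def check_bucket(bucket, policy):
    """Return a finding in the page's shape, or None when the bucket passes."""
    if denies_plain_http(policy, bucket):
        return None
    return {"rule_id": "PCI-REQ4-S3-TLS-ONLY", "control_id": "PCI-DSS v4.0 Req 4.2.1",
            "severity": "HIGH", "title": "S3 bucket does not deny non-TLS requests",
            "description": f"Bucket '{bucket}' has no Deny for aws:SecureTransport=false.",
            "remediation": "Add a Deny statement for s3:* on the bucket and bucket/* "
                           "with Condition Bool aws:SecureTransport=false."}

# Constructed: the weak policy covers only objects; the fixed one covers both ARNs.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::card-exports/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::card-exports", "arn:aws:s3:::card-exports/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
```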
### Example Finding

```json
{
  "rule_id": "PCI-REQ3-EBS-ENCRYPTION",
  "control_id": "PCI-DSS v4.0 Req 3.5.1",
  "severity": "HIGH",
  "title": "EBS volume not encrypted at rest",
  "description": "EBS volume 'vol-0abc123def' attached to 'prod-web-01' is not encrypted.",
  "remediation": "Enable EBS encryption: create an encrypted snapshot and restore from it, or attach an encrypted replacement volume."
}
```
Terraform fix:

```hcl
resource "aws_ebs_volume" "data" {
  availability_zone = "us-east-1a"
  size              = 100
  encrypted         = true # Add this
  kms_key_id        = aws_kms_key.ebs.arn
}
```
## Access Control (Req 7 & 8)
PCI DSS v4.0 now requires MFA for all access to the CDE, not just remote access:
| Rule | Requirement | Check |
|---|---|---|
| PCI-REQ8-ROOT-MFA | 8.4.1 | Root/admin accounts must have MFA |
| PCI-REQ8-ALL-USER-MFA | 8.4.2 | All users must have MFA enabled |
| PCI-REQ8-PASSWORD-LENGTH | 8.3.6 | Password minimum length ≥ 12 characters |
| PCI-REQ8-ACCOUNT-LOCKOUT | 8.3.4 | Account lockout after 6 failed attempts |
| PCI-REQ7-LEAST-PRIVILEGE | 7.2.1 | IAM policies follow least privilege |
## Compliance Reporting
Generate PCI DSS reports for your QSA (Qualified Security Assessor):
```
# Generate PCI DSS compliance report
POST /api/v1/tenants/{tenantID}/reports/generate
{
  "type": "framework",
  "framework": "pci-dss",
  "format": "pdf",
  "options": {
    "include_evidence": true,
    "include_remediation": true
  }
}
```
### Report on Compliance (RoC) Support
While Infracast does not generate a full RoC (which requires QSA sign-off), the generated reports include:
- Control-by-control status with pass/fail/exempt
- Evidence artifacts with timestamps
- Remediation recommendations
- Risk acceptance documentation
- Historical trend data
Schedule quarterly PCI DSS reports to track remediation progress and demonstrate continuous compliance to your QSA.
### PCI Compliance Score

```
GET /api/v1/tenants/{tenantID}/compliance/summary?framework=pci-dss
{
  "framework": "pci-dss",
  "version": "4.0",
  "score": 88,
  "requirements": {
    "req1": { "score": 83, "rules": 12, "passing": 10 },
    "req2": { "score": 89, "rules": 9, "passing": 8 },
    "req3": { "score": 87, "rules": 8, "passing": 7 },
    "req4": { "score": 100, "rules": 7, "passing": 7 },
    "req8": { "score": 75, "rules": 8, "passing": 6 }
  }
}
```
## PCI DSS SAQ Generator
Infracast auto-generates a PCI DSS v4.0 Self-Assessment Questionnaire (SAQ) with your merchant and infrastructure details pre-filled.
SAQ type is auto-detected from infrastructure topology:
- SAQ A – Card-not-present merchants, no cardholder data on their systems; payment processing fully outsourced
- SAQ B – Imprint-only or standalone dial-out terminals
- SAQ C – Merchants with payment application systems connected to the internet
- SAQ D – All other merchants (catches everything not covered above)
The auto-detection logic checks for: internet-facing nodes in the CDE subnet, direct card processing components, and segmentation evidence in the topology graph.
What's included:
- Merchant information (from questionnaire)
- Cardholder Data Environment (CDE) description (auto-populated from scoped nodes)
- All applicable SAQ control sections with pass/fail per discovered configuration
- Network segmentation evidence summary
- Compensating controls worksheet (where applicable)
Generate via UI: Documents → Generate → PCI DSS SAQ
DocType: pci_saq
Required questionnaire fields: Merchant legal name, CDE description, SAQ type confirmation (or accept auto-detected), segmentation attestation. (Template: pci_scope)
## Next Steps

- CIS Benchmarks – Hardening that supports PCI network controls
- API: Findings – Query PCI findings programmatically
- API: Reports – Generate QSA-ready reports