
PCI DSS Compliance

Note: The PCI DSS policy framework requires Enterprise Edition.

The Payment Card Industry Data Security Standard (PCI DSS) policy framework detects cardholder data exposure and generates violations according to PCI DSS requirements.

Overview

PCI DSS protects cardholder data during payment card transactions. Aquilon DLP’s PCI DSS policy helps merchants and service providers comply with:

  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data
  • Requirement 12: Maintain information security policy

Cardholder Data Elements

The PCI DSS policy detects:

| Data Element | Scanner | Severity | PCI Category |
|---|---|---|---|
| Primary Account Number (PAN) | credit_card | Critical | CHD |
| Cardholder Name | credit_card | High | CHD |
| Service Code | credit_card | High | CHD |
| Expiration Date | credit_card | Medium | CHD |
| CVV/CVC/CVV2 | cvv | Critical | SAD |
| PIN/PIN Block | pin | Critical | SAD |
| Magnetic Stripe Data | magnetic_stripe | Critical | SAD |

CHD = Cardholder Data (may be stored if protected)
SAD = Sensitive Authentication Data (must never be stored)

KYC and International Compliance

Payment processors and card issuers operating internationally often collect national identification numbers for Know Your Customer (KYC) verification. Aquilon DLP includes 28 country-specific national ID scanners to detect this data.

International Identity Verification

| Region | Scanners | KYC Use Case |
|---|---|---|
| Europe | germany_steurid, uk_nino, france_nir, + 11 more | EU PSD2 compliance, strong customer authentication |
| Americas | brazil_cpf, canada_sin, + 2 more | Cross-border merchant onboarding |
| Asia-Pacific | india_aadhaar, india_pan, + 6 more | Regional payment network compliance |

Note: While PCI DSS focuses on cardholder data, organizations subject to anti-money laundering (AML) and KYC regulations should monitor for national IDs collected during identity verification.

See Policy Frameworks for the complete list of all 28 national ID scanners.

Scanner Mappings

Critical Severity

Always Critical under PCI DSS:

  • CVV/CVC: Sensitive authentication data - must never be stored
  • Full PAN: Primary account number without masking
  • Magnetic Stripe: Track data must never be stored

High Severity

  • Masked PAN: Partial card numbers (first 6/last 4 may be stored)
  • Cardholder Name: When associated with PAN

Medium Severity

  • Expiration Date: Lower risk when isolated
  • Partial Card Data: Fragments that may indicate CHD

Configuration

Basic Configuration

[policies]
enabled_policies = ["pci_dss"]

Advanced Configuration

[policies.policy_configs.pci_dss]
settings = { merchant_level = "2", version = "4.0", confidence_threshold = "0.85" }

Configuration Options

| Option | Description | Default |
|---|---|---|
| merchant_level | PCI merchant level (1-4) | 2 |
| version | PCI DSS version (3.2.1 or 4.0) | 4.0 |
| confidence_threshold | Minimum scanner confidence | 0.8 |
| detect_test_cards | Flag test card numbers | false |

PAN Detection

Supported Card Networks

  • Visa (4xxx)
  • Mastercard (51-55xx, 2221-2720)
  • American Express (34xx, 37xx)
  • Discover (6011, 644-649, 65xx)
  • JCB (3528-3589)
  • Diners Club (36xx, 38xx)

Luhn Validation

All detected PANs are validated using the Luhn algorithm to reduce false positives.

Context Analysis

The policy analyzes the surrounding context to judge whether a candidate number is an actual PAN:

"Order #4111111111111111" → Likely PAN (Critical)
"Transaction ID: 4111111111111111" → Needs review (High)

Violation Metadata

Each PCI DSS violation includes:

{
  "policy": "PCI_DSS",
  "severity": "critical",
  "data_element": "pan",
  "card_network": "visa",
  "requirement": "3.4",
  "is_sad": false,
  "masked_value": "411111******1111"
}
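The three checks described above (network prefix from the Supported Card Networks list, the Luhn check digit, and first-6/last-4 masking as shown in the violation metadata) can be seen working together in the following added example. It is illustrative code written for this page, not Aquilon DLP's own scanner; the prefix table, the regular expression and the sample text are constructed here, and the `find_pans` function name is a hypothetical one.

```python
import re

# Constructed example: a minimal PAN detector that applies network-prefix
# matching, Luhn validation and first-6/last-4 masking to a text blob.
# Not Aquilon DLP's own scanner code.

# Prefix ranges per network, taken from the "Supported Card Networks" list.
# Each entry: (network, lowest prefix, highest prefix, prefix length in digits).
NETWORK_RANGES = [
    ("visa", 4, 4, 1),
    ("mastercard", 51, 55, 2),
    ("mastercard", 2221, 2720, 4),
    ("amex", 34, 34, 2),
    ("amex", 37, 37, 2),
    ("discover", 6011, 6011, 4),
    ("discover", 644, 649, 3),
    ("discover", 65, 65, 2),
    ("jcb", 3528, 3589, 4),
    ("diners", 36, 36, 2),
    ("diners", 38, 38, 2),
]


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9  # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def card_network(digits: str):
    """Map a digit string to a network name via its leading digits, or None."""
    for name, lo, hi, n in NETWORK_RANGES:
        if len(digits) >= n and lo <= int(digits[:n]) <= hi:
            return name
    return None


def mask_pan(digits: str) -> str:
    """Keep the first 6 and last 4 digits (the masked form used in violation metadata)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list:
    """Return one violation record (shaped like the page's metadata) per valid PAN."""
    violations = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        network = card_network(digits)
        # A number with no known prefix or a failing Luhn check is not reported,
        # which is how the Luhn step reduces false positives.
        if network is None or not luhn_valid(digits):
            continue
        violations.append({
            "policy": "PCI_DSS",
            "severity": "critical",
            "data_element": "pan",
            "card_network": network,
            "requirement": "3.4",
            "is_sad": False,
            "masked_value": mask_pan(digits),
        })
    return violations


# Constructed sample text: one Visa and one Amex test number, an order id that
# is the right length but has no card prefix, and a Visa-looking number with a
# wrong check digit.
SAMPLE = (
    "Order #12345678901234 paid with card 4111 1111 1111 1111, "
    "Amex 378282246310005 on file; typo 4111111111111112 ignored."
)

if __name__ == "__main__":
    for v in find_pans(SAMPLE):
        print(v["card_network"], v["masked_value"])
```

Only the two well-formed numbers are reported; the order id is dropped because no network prefix matches, and the mistyped Visa number is dropped by the Luhn check. A production scanner would add the confidence scoring and context analysis the page describes on top of these structural checks.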

Compliance Reporting

Query Cardholder Data Exposures

-- All unmasked PANs (critical PCI violation)
SELECT path, scanner, timestamp
FROM aquilon_dlp_alerts
WHERE policy = 'PCI_DSS'
  AND severity = 'critical';

-- SAD storage violations (immediate action required)
SELECT * FROM aquilon_dlp_alerts
WHERE policy = 'PCI_DSS'
  AND scanner IN ('cvv', 'magnetic_stripe');

-- CHD exposure by file type
SELECT
  SUBSTR(path, -4) as extension,
  COUNT(*) as count
FROM aquilon_dlp_alerts
WHERE policy = 'PCI_DSS'
GROUP BY extension;

QSA Audit Support

Generate reports for Qualified Security Assessor (QSA) audits:

-- Cardholder Data Environment (CDE) scope
SELECT
  rtrim(path, replace(path, '/', '')) as directory,
  COUNT(*) as finding_count
FROM aquilon_dlp_alerts
WHERE policy = 'PCI_DSS'
GROUP BY directory;
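The reporting queries above assume an `aquilon_dlp_alerts` table; the following added example (written for this page, not part of the Aquilon DLP documentation) loads a handful of constructed alert rows into an in-memory SQLite table with that shape and runs the SAD-storage and CDE-scope queries against them, so the `rtrim`/`replace` directory trick and the SAD filter can be checked on known input. The column set, the row values and the policy name `OTHER_POLICY` for the non-PCI row are all assumptions.

```python
import sqlite3

# Constructed example: run the page's SAD and CDE-scope queries over made-up
# alert rows in an in-memory SQLite database. Not Aquilon DLP's own code.

# (path, scanner, policy, severity, timestamp) -- every value is constructed.
SAMPLE_ALERTS = [
    ("/srv/orders/2024/q1.csv", "credit_card", "PCI_DSS", "critical", "2024-03-01T10:00:00Z"),
    ("/srv/orders/2024/q2.csv", "credit_card", "PCI_DSS", "critical", "2024-06-02T11:00:00Z"),
    ("/srv/orders/2024/notes.txt", "cvv", "PCI_DSS", "critical", "2024-06-03T09:30:00Z"),
    ("/home/alice/export.xlsx", "credit_card", "PCI_DSS", "high", "2024-06-04T08:15:00Z"),
    ("/home/alice/export.xlsx", "magnetic_stripe", "PCI_DSS", "critical", "2024-06-04T08:16:00Z"),
    # A non-PCI finding (national ID scanner) that must not enter CDE scope.
    ("/srv/kyc/onboarding.csv", "uk_nino", "OTHER_POLICY", "high", "2024-06-05T12:00:00Z"),
]


def load_alerts(rows=SAMPLE_ALERTS) -> sqlite3.Connection:
    """Create the alerts table in memory and insert the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE aquilon_dlp_alerts "
        "(path TEXT, scanner TEXT, policy TEXT, severity TEXT, timestamp TEXT)"
    )
    conn.executemany("INSERT INTO aquilon_dlp_alerts VALUES (?, ?, ?, ?, ?)", rows)
    return conn


def sad_violations(conn: sqlite3.Connection) -> list:
    """Files holding SAD (CVV / track data): deletion, not encryption, is required."""
    return conn.execute(
        "SELECT path, scanner FROM aquilon_dlp_alerts "
        "WHERE policy = 'PCI_DSS' AND scanner IN ('cvv', 'magnetic_stripe') "
        "ORDER BY path"
    ).fetchall()


def cde_scope(conn: sqlite3.Connection) -> list:
    """PCI finding count per directory.

    rtrim(path, Y) strips from the right every character that occurs in Y;
    with Y = path minus its slashes, stripping stops at the last '/', which
    leaves the directory portion of the path.
    """
    return conn.execute(
        "SELECT rtrim(path, replace(path, '/', '')) AS directory, "
        "       COUNT(*) AS finding_count "
        "FROM aquilon_dlp_alerts WHERE policy = 'PCI_DSS' "
        "GROUP BY directory ORDER BY directory"
    ).fetchall()


if __name__ == "__main__":
    db = load_alerts()
    print("SAD storage:", sad_violations(db))
    print("CDE scope:", cde_scope(db))
```

On the sample rows the scope query yields two directories, `/home/alice/` with 2 findings and `/srv/orders/2024/` with 3, while the KYC file is excluded by the policy filter; the SAD query isolates the two files that need immediate deletion under the SAD Handling guidance below.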

Best Practices

Monitoring Strategy

  1. Immediate alert: CVV, magnetic stripe, PIN data
  2. Same-day review: Full PAN exposures
  3. Weekly audit: Partial PAN, cardholder names

SAD Handling

Sensitive Authentication Data must never be stored:

CVV found → Immediate deletion required
Mag stripe found → Immediate deletion required
PIN found → Immediate deletion required

CDE Scope Reduction

Use findings to identify and reduce the Cardholder Data Environment:

  1. Locate all CHD storage
  2. Determine if storage is necessary
  3. Delete or encrypt as appropriate
  4. Update CDE documentation