How ManageEngine helps you meet PCI DSS v4.0 compliance requirements

Log360 provides out-of-the-box reports for PCI DSS v4.0 compliance. The table below maps each PCI DSS v4.0 requirement to the ManageEngine product that supports it (Log360, ADManager Plus, or ADSelfService Plus) and to the relevant capability or reports.

Columns: Requirement number and description; Product; Capability/feature summary; Reports.

1.2 Network security controls (NSCs) are configured and maintained.
  This requirement mandates the establishment of a secure network architecture by implementing appropriate network segmentation and network security controls (NSCs). This involves isolating the cardholder data environment (CDE) from other networks to contain the potential impact of a breach.
  Product: Log360
  Reports: AWS Network Security Groups; VPC Activity; Route 53; Traffic Analysis Reports; Salesforce Overview; Network Device Attack Reports; Network Device Configuration Reports

1.2.7 Configurations of NSCs are reviewed at least once every six months to confirm they are relevant and effective.
  Product: Log360
  Reports: Router Configuration Report

1.3.1 Inbound traffic to the CDE is restricted to only allow traffic that is necessary. All other traffic is specifically denied.
  Product: Log360
  Reports: Firewall Allowed Traffic Reports

1.3.3 NSCs are installed between all wireless networks and the CDE, regardless of whether the wireless network is a CDE, such that:
  • All wireless traffic from wireless networks into the CDE is denied by default.
  • Only wireless traffic with an authorized business purpose is allowed into the CDE.
  Product: Log360
  Reports: Firewall Denied and Allowed Traffic Reports

1.5 Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks (including the Internet) and the CDE as follows:
  • Specific configuration settings are defined to prevent threats being introduced into the entity’s network.
  • Security controls are actively running.
  • Security controls are not alterable by users of the computing devices unless specifically documented and authorized by management on a case-by-case basis for a limited period.
  Product: Log360
  Reports: Windows Firewall Auditing Reports

2.2.4 Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled.
  Product: Log360
  Reports: New Service Installed; Yum Installs; Router Top Configuration Changes; Logon Reports; Unix Logon Reports
  Product: ADManager Plus
  Capability: Password Unchanged, All Users, and Inactive Users reports

7.1 Processes and mechanisms for restricting access to system components and cardholder data by business need to know are defined and understood.
  Product: Log360
  Reports: WorkGroup Group Auditing Reports; WorkGroup Policy Changes Reports; File Permission Reports; File Access Failed Attempts; MSSQL DDL Changes; MSSQL DML Changes; PostgreSQL DDL Changes; PostgreSQL DML Changes; User Administration Activities; Mailbox Permission Changes; Mail Status Report; Organization Traffic By Volume; Organization Traffic By Messages; IAM Activity; AWS Network Security Groups; File Changes Audit; Salesforce Content Activity

7.2.1 An access control model is defined and includes granting access as follows:
  • Appropriate access depending on the entity’s business and access needs.
  • Access to system components and data resources that is based on users’ job classification and functions.
  • The least privileges required (for example, user, administrator) to perform a job function.
  Product: ADManager Plus
  Capability: Delegation, NTFS reports

7.2.2 Access is assigned to users, including privileged users, based on:
  • Job classification and function.
  • Least privileges necessary to perform job responsibilities.

7.2.3 Required privileges are approved by authorized personnel.
  Product: ADManager Plus
  Capability: Access Certification Campaigns

7.2.4 All user accounts and related access privileges, including third-party/vendor accounts, are reviewed as follows:
  • At least once every six months.
  • To ensure user accounts and access remain appropriate based on job function.
  • Any inappropriate access is addressed.
  • Management acknowledges that access remains appropriate.
  Product: ADManager Plus
  Capability: Access Certification Campaigns, NTFS permissions management and reporting

7.2.5 All application and system accounts and related access privileges are assigned and managed as follows:
  • Based on the least privileges necessary for the operability of the system or application.
  • Access is limited to the systems, applications, or processes that specifically require their use.
  Product: ADManager Plus

7.2.6 All user access to query repositories of stored cardholder data is restricted as follows:
  • Via applications or other programmatic methods, with access and allowed actions based on user roles and least privileges.
  • Only the responsible administrator(s) can directly access or query repositories of stored CHD.
  Product: ADManager Plus

7.3.1 An access control system(s) is in place that restricts access based on a user’s need to know and covers all system components.
  Product: ADManager Plus
  Capability: Automation and Access Certification Campaign

7.3.2 The access control system(s) is configured to enforce permissions assigned to individuals, applications, and systems based on job classification and function.
  Product: ADManager Plus
  Capability: Access Certification Campaign

8.1 Processes and mechanisms for identifying users and authenticating access to system components are defined and understood.
  Product: Log360
  Reports: User Auditing Reports; User Management Reports; Group Auditing Reports; GPO Reports; GPO Auditing Reports; WorkGroup User Auditing Reports; WorkGroup Group Auditing Reports; WorkGroup Policy Changes Reports; All File / Folder Changes; File Permission Reports; File Access Failed Attempts; MSSQL DDL Changes; MSSQL Security Changes; MSSQL DML Changes; Printer Auditing Reports; PostgreSQL DDL Changes; PostgreSQL DML Changes; User Administration Activities; Mailbox Permission Changes; User Logon Activities; IAM Activity; AWS Network Security Groups; File Changes Audit; Cloud User Login Activity; Salesforce Setup Audit Trail

8.2.1 All users are assigned a unique ID before access to system components or cardholder data is allowed.
  Product: ADManager Plus
  Capability: User management and reporting

8.2.4 Addition, deletion, and modification of user IDs, authentication factors, and other identifier objects are managed as follows:
  • Authorized with the appropriate approval.
  • Implemented with only the privileges specified on the documented approval.
  Product: ADManager Plus
  Capability: Workflow, Automation, Delegation, Reporting

8.2.5 Access for terminated users is immediately revoked.
  Product: ADManager Plus
  Capability: Event-driven automation

8.2.6 Inactive user accounts are removed or disabled within 90 days of inactivity.
  Product: ADManager Plus
  Capability: User automation, Inactive Users report

8.2.7 Accounts used by third parties to access, support, or maintain system components via remote access are managed as follows:
  • Enabled only during the time period needed and disabled when not in use.
  • Use is monitored for unexpected activity.
  Product: ADManager Plus
  Capability: Terminal Services management

8.2.8 If a user session has been idle for more than 15 minutes, the user is required to re-authenticate to re-activate the terminal or session.
  Product: ADManager Plus
  Capability: Terminal Services management

8.3.3 User identity is verified before modifying any authentication factor.
  Product: ADSelfService Plus

8.3.4 Invalid authentication attempts are limited by:
  • Locking out the user ID after not more than 10 attempts.
  • Setting the lockout duration to a minimum of 30 minutes or until the user’s identity is confirmed.
  Product: ADSelfService Plus

8.3.5 If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they are set and reset for each user as follows:
  • Set to a unique value for first-time use and upon reset.
  • Forced to be changed immediately after the first use.
  Product: ADSelfService Plus and ADManager Plus
  Capability: ADManager Plus: User management

8.3.6 If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the following minimum level of complexity:
  • A minimum length of 12 characters (or, if the system does not support 12 characters, a minimum length of eight characters).
  • Contain both numeric and alphabetic characters.
  Product: ADSelfService Plus
  Capability: ADManager Plus: GPO management

8.3.7 Individuals are not allowed to submit a new password/passphrase that is the same as any of the last four passwords/passphrases used.
  Product: ADSelfService Plus

8.3.9 If passwords/passphrases are used as the only authentication factor for user access (i.e., in any single-factor authentication implementation), then either:
  • Passwords/passphrases are changed at least once every 90 days, OR
  • The security posture of accounts is dynamically analyzed, and real-time access to resources is automatically determined accordingly.
  Product: ADManager Plus
  Capability: Automation

8.3.10.1 Passwords/passphrases are changed at least once every 90 days.
  Product: ADSelfService Plus

8.3.11 Where authentication factors such as physical or logical security tokens, smart cards, or certificates are used:
  • Factors are assigned to an individual user and not shared among multiple users.
  Product: ADSelfService Plus

8.4.2 MFA is implemented for all access into the CDE.
  Product: ADSelfService Plus

8.4.3 For remote access, MFA must be implemented either at the system, application, or network level.
  Product: ADSelfService Plus

8.5.1 MFA systems are implemented as follows:
  • The MFA system is not susceptible to replay attacks.
  • MFA systems cannot be bypassed by any users, including administrative users, unless specifically documented and authorized by management on an exception basis, for a limited time period.
  • At least two different types of authentication factors are used.
  • Success of all authentication factors is required before access is granted.
  Product: ADSelfService Plus

8.6.3 Password change frequency and password complexity must vary based on the risk levels of user identities.
  Product: ADSelfService Plus

8.6 Use of application and system accounts and associated authentication factors is strictly managed.
  Product: Log360
  Reports: AD Logon Reports; User Administration Activities; User Logon Activities; AWS Failed/Unauthorized Activity; AWS User Activity; Cloud User Login Activity; Network Device Logon Reports

8.4 MFA is implemented for all remote network access originating from outside the entity’s network that could access or impact the CDE as follows:
  • All remote access by all personnel, both users and administrators, originating from outside the entity’s network.
  • All remote access by third parties and vendors.
  Product: Log360
  Reports: Monitor RADIUS logon activity; VPN logon activity reports

10.1 Processes and mechanisms for logging and monitoring all access to system components and cardholder data are defined and documented.
  Product: Log360
  Reports: Individual User Action Report; AD Logon Reports; User Auditing Reports; User Management Reports; WorkGroup User Auditing Reports; File Access Failed Attempts; MSSQL DDL Changes; MSSQL DML Changes; PostgreSQL DDL Changes; PostgreSQL DML Changes; User Administration Activities; Mailbox Permission Changes; Mailbox Access; User Logon Activities; IAM Activity; AWS User Activity; AWS Failed/Unauthorized Activity; File Changes Audit; Cloud User Login Activity; Windows Logon Reports; Terminal Service Session; Windows User Access; Windows Registry Changes; Unix Logon Reports; Unix User Access; File Changes; Network Device Logon Reports; Network Device Configuration Reports; Network Device Security Reports; Route 53; Storage Activity Reports; WAF Reports; EC2 Reports; Traffic Analysis Reports; Salesforce Setup Audit Trail

10.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.
  Product: Log360
  Reports: File Audit Reports; Windows Logon Reports; File Changes; Unix Logon Reports; File Changes Audit; Storage Activity Reports; Traffic Analysis Reports; Cloud User Login Activity; Windows Registry Changes; AWS Config Reports; AD Logon Reports; WorkGroup Logon Reports; MSSQL DDL Changes; MSSQL Security Changes; MSSQL DML Changes; Printer Auditing Reports; PostgreSQL DDL Changes; PostgreSQL DML Changes; User Logon Activities; IAM Activity; Network Device Logon Reports; Salesforce Report Activity; Salesforce Setup Audit Trail; Substitute Logon Reports

10.3 Audit logs are protected from destruction and unauthorized modifications.
  Product: Log360
  Reports: Audit Events Dropped; Event Log Automatic Backup; Security Log Full; Error in EventLog Service; Event Logging Service Shutdown; Security Logs Cleared; Event Logger Started; Event Logs Cleared

10.4 Audit logs are reviewed to identify anomalies or suspicious activity.
  Product: Log360
  Reports: Search based reports

10.5 Audit log history is retained and available for analysis.
  Product: Log360
  Capability: Log retention and archiving
  Reports: File Deleted And Archived

10.6.2 Review logs of all other system components periodically based on the organization’s policies and risk management strategy, as determined by the organization’s annual risk assessment.
  Product: Log360
  Reports: Search based reports

10.2.1.2 Audit logs capture all actions taken by any individual with administrative access, including any interactive use of application or system accounts.
  Product: ADManager Plus
  Capability: Admin Audit Report

10.2.1.4 Audit logs capture all invalid logical access attempts.
  Product: ADManager Plus
  Capability: Failed Logon Attempts report

10.2.1.5 Audit logs capture all changes to identification and authentication credentials including, but not limited to:
  • Creation of new accounts.
  • Elevation of privileges.
  • All changes, additions, or deletions to accounts with administrative access.
  Product: ADManager Plus
  Capability: Audit report

10.2.2 Audit logs record the following details for each auditable event:
  • User identification.
  • Type of event.
  • Date and time.
  • Success and failure indication.
  • Origination of event.
  • Identity or name of affected data, system component, resource, or service (for example, name and protocol).
  Product: ADManager Plus
  Capability: Audit report

10.3.1 Read access to audit log files is limited to those with a job-related need.
  Product: ADManager Plus
  Capability: Delegation, Audit report

10.3.2 Audit log files are protected to prevent modifications by individuals.
  Product: ADManager Plus
  Capability: Audit report

11.2.1.d If automated monitoring is used, examine configuration settings to verify the configuration will generate alerts to notify personnel.
  Product: Log360
  Capability: Alerting
  Reports: Alert Events

11.5.1 Intrusion-detection and/or intrusion-prevention techniques are used to detect and/or prevent intrusions into the network as follows:
  • All traffic is monitored at the perimeter of the CDE.
  • All traffic is monitored at critical points in the CDE.
  • Personnel are alerted to suspected compromises.
  • All intrusion-detection and prevention engines, baselines, and signatures are kept up to date.
  Product: Log360
  Reports: Network Device Configuration Reports; All File / Folder Changes; File Permission Reports; File Changes Audit

11.5.2 A change-detection mechanism (for example, file integrity monitoring tools) is deployed as follows:
  • To alert personnel to unauthorized modification (including changes, additions, and deletions) of critical files.
  • To perform critical file comparisons at least once weekly.
  Product: Log360
  Reports: Network Device Configuration Reports; All File / Folder Changes; File Permission Reports; File Changes Audit; WorkGroup Policy Changes Reports; File Access Failed Attempts; MSSQL DDL Changes; MSSQL DML Changes; PostgreSQL DDL Changes; PostgreSQL DML Changes; Salesforce Content Activity

12.11 Additional requirement for service providers only: Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures. Reviews must cover the following processes:
  • Daily log reviews.
  • Firewall rule-set reviews.
  • Applying configuration standards to new systems.
  • Responding to security alerts.
  • Change management processes.
  Product: Log360
  Reports: Daily Log Review