PCI 4.0 Compliance Report

The Sentinel PCI 4.0 Compliance Report documents compliance with the Payment Card Industry’s Data Security Standard (PCI-DSS Version 4.0), which includes requirements that web applications be built to secure coding guidelines and that applications be subject to routine vulnerability checks.

List of Sites

The PCI 4.0 Compliance Report provides a list of sites included in this report, shown below.

pci compliance list of assets

Sites are marked as compliant or not compliant based on passing or not passing the tests that are performed at that service level. True PCI compliance is dependent on all tests being performed. Sites at the BE or SE service levels cannot be described as fully PCI compliant based on the BE or SE testing. However, they will be described as compliant in this table if the tests performed passed.

PCI Compliance Summary

This table lists the requirements specified by the PCI-DSS for Web applications, and whether your site complies with requirement 6.2.4.

pci 4 compliance table

This report is extremely useful for those cases when it is necessary for you to demonstrate that a site is PCI-compliant.

Open Vulnerabilities

Listed below in the table are the open vulnerabilities for this site.

pci 4 vuln table obscured

Appendix: PCI-DSS Requirements

The Sentinel PCI 4.0 Compliance report documents compliance with PCI-DSS (4.0) requirements as follows:

  • Injection Attacks

  • Attacks on Data and Data Structures

  • Attacks on Cryptography Usage

  • Attacks on Business Logic

  • Attacks on Access Control Mechanisms

  • Attacks via any "high-risk" vulnerabilities

The report contains appendix pages for each requirement, these appendix pages include:

  • Environments Affected

  • Vulnerability

  • Verifying Security

  • Protection

  • Samples

  • Related Articles

  • How to Protect Yourself

  • References

Appendix - Vulnerability Level Definitions (by Risk)

This section details how the vulnerability levels are defined. Risk Levels for the Sentinel Source solution are based on the OWASP risk rating methodology, based on the standard risk model (Risk = Likelihood x Impact) with several factors contributing to the likelihood and impact. The following tables show how the vulnerability ratings are calculated in The PCI 4.0 Compliance Report.

impact level table

The Impact can be broken down into the Technical Impact and Business Impact.

  • Technical impact considers the traditional areas of security: confidentiality, integrity, availability, and accountability.

  • The business impact stems from the technical impact and considers things such as: financial damage, reputational damage, non-compliance, and privacy violations.

After scoring the Likelihood and Impact, the Risk Rating is determined using the following table:

likelihood level table

Risk ratings are defined below:

risk level table

For more information on generating reports, please see The Continuous Dynamic Portal Menu - Reports.