
How to create PCI DSS 4.0 Reports with Nipper

The Nipper Compliance suite includes a PCI DSS 4.0 report module which provides a risk prioritized evidentiary Pass and Fail assessment report of compliance with specified PCI DSS 4.0 security requirements.

The PCI DSS (Payment Card Industry Data Security Standard) 4.0 comprises security requirements that are designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. Nipper can automate the compliance assessment of a number of the PCI DSS 4.0 Security Requirements and testing procedures. For further information on the PCI DSS 4.0 Titania mapping, see the guide here.

Findings are shown within the report sorted by risk severity, allowing focus on the most critical vulnerabilities first. Each requirement is given a status to indicate the outcome of the analysis for that audit. The following statuses are returned within the report: ‘Pass’, ‘Fail’, ‘Investigate’ or ‘N/A’.

  • Pass – The check has passed all its required elements. For example, if the check states that the Telnet service should be disabled, and it is, then it will be marked as having passed. Alternatively, a ‘Pass’ status will be shown if a check is determined not applicable to a device. For example, if the test requires HTTP to be disabled, but the device does not support HTTP, then it will be not applicable and therefore marked as having passed.

  • Fail – The check has failed to meet some or all the requirements. For example, the check may specify that support for only SSH protocol version 2 must be configured, yet the test finds version 1. In this instance, the check would be marked as having failed.

  • Investigate – The check requires further investigation to determine its status. For example, the test may require port security to be enabled on a network switch port or physically secured. If the check is unable to verify this through the device configuration provided, then investigation of the physical security would need to be carried out. In this case, the check would be marked as requiring further investigation.

  • N/A – The check is not applicable to the device being audited. For example, where a security control is testing functionality that is not available on the device.

The risk severity returned will be Critical, High, Medium, Low or No Rating Available.

  • Critical – These findings can pose a very significant security risk. The findings that have a critical impact are typically those that would allow an attacker to gain full administrative access to the device.

  • High – These findings pose a significant risk to security but have some limitations on the extent to which they can be abused. User level access to a device and a DoS vulnerability in a critical service would fall into this category.

  • Medium – These findings have significant limitations on the direct impact they can cause. Typically, these findings would include significant information leakage findings, less significant DoS findings or those that provide significantly limited access.

  • Low – These findings represent a low-level security risk. A typical finding would involve information leakage that could be useful to an attacker, such as a list of users or version details.

  • No Rating Available – This rating is returned when an additional report is used to determine the outcome of the check. For example, where a configuration report needs to be examined by an auditor to determine a setting, that report will be included in the output, but Nipper will not be able to determine a rating.


Generating the PCI DSS 4.0 Compliance Report:

  1. From the home screen, select the New Report option.

  2. On the following pop-up screen, you will be prompted to select any devices and configurations that you wish to run the audit against. Select the configuration file(s), directories, or remote devices that the report is to be generated for.

  3. Click Next to progress to the next screen.

  4. From the ‘Select Report(s)’ screen, ensure the PCI DSS 4.0 option is chosen and click Next to proceed.

  5. Nipper provides the ability to compare the report being run with one previously generated. If this option is required, navigate to the location of the report to be compared and click Open to return to this screen. Clicking on Next will progress to the final screen in the report wizard.

  6. Depending on the device being audited, Nipper will display options prior to generating the report. These settings allow you to specify the status of specific features/confirm the setup of the device which help Nipper determine the outcome of any related checks used in the audit.

  7. A summary ‘Finished’ screen is displayed, confirming the number of devices imported along with the report selection, save details and elapsed creation time. Clicking on Finish will take you to the generated report.


Viewing the PCI DSS 4.0 Compliance report

The PCI DSS 4.0 report will be displayed in HTML format by default, within the Nipper Report Browser. From here, the user can scroll through the report, navigate to key sections via the navigation window shown to the right of the screen and search for key text or phrases within the report. The user also has the option to save the report in several formats.

The report is broken down into several sections:

Summary

This section lists the device(s) audited and provides a high-level visual summary of the findings, broken down by status. Each control is then detailed within tables based on status (Failures first, followed by Passes and then Investigates). Within the table itself, each finding is given a STIG Risk rating (CAT I, CAT II, CAT III) and the table is prioritized based on these (most severe to least).
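The status and severity definitions above, together with the Summary section's grouping (Failures first, then Passes, then Investigates, each ordered most severe to least), amount to a triage order that a practitioner often wants to apply to a saved report rather than read off the HTML. The following is an added example, not code from Nipper or Titania: it parses a constructed findings export and orders it that way. The record layout (device, requirement, status, rating), the requirement numbers and the device names are assumptions made for the example, not Nipper's actual JSON export schema.

```python
import json
from collections import Counter

# Status grouping as the report's Summary section orders its tables:
# Failures first, then Passes, then Investigates; N/A last (assumption).
SUMMARY_STATUS_ORDER = ("Fail", "Pass", "Investigate", "N/A")
# Severity order used inside each status group, most severe first.
RATING_ORDER = ("Critical", "High", "Medium", "Low", "No Rating Available")

# Constructed sample export. The record layout is an assumption for this
# example, not the tool's real JSON schema, and the requirement numbers,
# device names and results are illustrative only.
SAMPLE_JSON = """[
  {"device": "switch-01",  "requirement": "2.2.5", "status": "Fail",        "rating": "Medium"},
  {"device": "edge-fw-01", "requirement": "1.2.8", "status": "Fail",        "rating": "Critical"},
  {"device": "edge-fw-01", "requirement": "2.2.7", "status": "Pass",        "rating": "No Rating Available"},
  {"device": "switch-01",  "requirement": "1.3.1", "status": "Investigate", "rating": "No Rating Available"},
  {"device": "switch-01",  "requirement": "8.2.2", "status": "Fail",        "rating": "High"},
  {"device": "edge-fw-01", "requirement": "4.2.1", "status": "N/A",         "rating": "No Rating Available"}
]"""


def load_findings(text):
    """Parse an exported findings list and reject records with unknown values,
    so a renamed status or rating cannot silently fall to the bottom of the list."""
    findings = json.loads(text)
    for rec in findings:
        if rec.get("status") not in SUMMARY_STATUS_ORDER:
            raise ValueError(f"unknown status {rec.get('status')!r} in {rec}")
        if rec.get("rating") not in RATING_ORDER:
            raise ValueError(f"unknown rating {rec.get('rating')!r} in {rec}")
    return findings


def triage(findings, status_order=SUMMARY_STATUS_ORDER):
    """Order findings by status group, then by severity within the group,
    then by device and requirement so the output is stable and reproducible."""
    return sorted(
        findings,
        key=lambda f: (
            status_order.index(f["status"]),
            RATING_ORDER.index(f["rating"]),
            f["device"],
            f["requirement"],
        ),
    )


def summarize(findings):
    """Count findings per status, mirroring the report's high-level summary."""
    return dict(Counter(f["status"] for f in findings))


if __name__ == "__main__":
    records = load_findings(SAMPLE_JSON)
    print(summarize(records))
    for f in triage(records):
        print(f"{f['status']:<12}{f['rating']:<22}{f['device']:<12}{f['requirement']}")
```

Passing a different `status_order`, for instance `("Fail", "Investigate", "Pass", "N/A")`, puts the items that still need an auditor's attention ahead of the passes, which is usually the order a remediation owner wants; the default reproduces the Summary section's layout.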


Contents

Clickable list of report contents.


Your Report

Section providing information around conventions used, compliance statuses and STIG Ratings.

Main Report Body

The main report is made up of the relevant requirement families (for example, Requirement 1: Install and Maintain Network Security Controls). Within these, the individual requirements that can be audited in Nipper are detailed under the following headings:

  • Defined Approach Requirements and Defined Approach Testing Procedures – describes the method for implementing and validating PCI DSS using the requirements and testing procedures defined in the standard.

  • Affected Devices – Tabular view of the device audited, together with the specific, defined testing requirements carried out and the overall result and rating.

  • Findings – Tabular view of the check(s) carried out, with description(s), finding(s) and result(s) for each one. Where the requirement is assessed using an additional audit (e.g. configuration report) the report includes a link to the specific section.

Appendix

Glossary providing details of the Protocols, IP Options, Services, Logging Severity Levels, Common Time Zones, and Abbreviations used in the report.

Saving the report

All reports within Nipper can be saved in several formats: 

  • ASCII Text

  • HTML

  • JSON

  • LaTeX

  • Table to CSV, Excel, JSON, SQL, XML

  • XML

For more information on saving Nipper reports, please see Saving Your Reports.