PCI Compliance Audit

ecommerce-pci · v1.1.0 · paid

Assesses infrastructure and compliance posture for cardholder data environments including network segmentation, access controls, encryption, vulnerability management, and PCI DSS monitoring alignment.

Cardholder Data Environment

cardholder-data · weight 0.3

Cardholder data is stored only in isolated, documented environment
ab-001177
critical
Database encryption is enabled for sensitive data at rest
ab-001178
critical
All default credentials are removed from infrastructure components
ab-001179
critical
SSL/TLS 1.2+ is enforced for all cardholder data in transit
ab-001180
critical

Access Control & Authentication

access-control · weight 0.25

Multi-factor authentication is enforced for admin and CDE access
ab-001181
high
Role-based access control (RBAC) is documented and enforced
ab-001182
high
Service accounts follow the principle of least privilege
ab-001183
low
Password policy enforces minimum complexity and rotation
ab-001184
low
PCI compliance documentation and policies documented
ab-001185
high

Network & Infrastructure Security

network-security · weight 0.25

Network segmentation isolates CDE from non-cardholder systems
ab-001186
high
Firewall rules explicitly allow only necessary CDE traffic
ab-001187
high
Vulnerability scanning is scheduled for CDE infrastructure
ab-001188
high
DMZ is properly configured between CDE and internet
ab-001189
medium

Monitoring & Compliance

monitoring-compliance · weight 0.2

Network monitoring and IDS/IPS is configured for CDE
ab-001190
medium
Audit logs are enabled and retained for minimum 90 days
ab-001191
medium
Log centralization and integrity verification is implemented
ab-001192
medium
Incident response plan includes cardholder data breach procedures
ab-001193
medium
Patch management process is documented for critical updates
ab-001194
high
Penetration testing has been performed within the last 12 months
ab-001195
low
Third-party service providers are validated for PCI compliance
ab-001196
low
Data retention policy limits CDE storage to business requirements
ab-001197
low
Annual risk assessment is documented for cardholder data environment
ab-001198
info