The Payment Card Industry Data Security Standard (PCI DSS) is a global standard that provides a baseline of technical and operational requirements designed to protect account data.
To read more about PCI DSS Requirements, please visit PCI home page .
PCI DSS v4.0 non-compliance issues (30)
| Severity | Non-Compliance | Region | Resource | Issue | Remediation | Read more | Action | |
|---|---|---|---|---|---|---|---|---|
| Compute | Medium | CIS 7.2 PCI DSS 3.5 HIPAA (Encryption) | westus2 | data-disk | Disk Volume is not encrypted. | To fulfill HIPAA and PCI DSS compliance requirements for encryption of data at rest, ensure that all VM disks are encrypted. | More info | |
| Networking | Medium | CIS 6.5 PCI DSS 10.2 HIPAA (Audit) | eastus | basicNsgtest-scale-set_group-vnet-nic01 | Network Security Group (NSG) has flow log retention set to 31 days, while the recommended limit is 90 days. | To fulfill HIPAA requirements on secure audit record for read/write/delete activities in the system, ensure that NSGs have a sufficient flow log retention period, i.e. 90 days or more. | More info | |
| Networking | Medium | PCI DSS 4.2 HIPAA (Encryption) | eastus | my-load-balancer | Network Load Balancer has no HTTPS configured, while other ports are open. | To fulfill HIPAA requirements for all data to be transmitted over secure channels, ensure that each Load Balancer is configured to only accept HTTPS connections. | More info | |
| Networking | Medium | PCI DSS 4.2 HIPAA (Encryption) | global | — | CDN Profile endpoint allows insecure HTTP origin. | To fulfill HIPAA and PCI DSS requirements on strong cryptographic and security protocols for transmitting user data, enable HTTPS and disable HTTP for each custom origin endpoint for each CDN Profile. | More info | |
| Networking | Medium | PCI DSS 4.2 HIPAA (Encryption) | global | — | CDN Profile endpoint allows insecure HTTP origin. | To fulfill HIPAA and PCI DSS requirements on strong cryptographic and security protocols for transmitting user data, enable HTTPS and disable HTTP for each custom origin endpoint for each CDN Profile. | More info | |
| Storage | Medium | CIS 3.8 PCI DSS (Networking) HIPAA (Networking) | centralus | prevasioteststorageacc | Storage Account is configured to allow access to traffic from all networks (including Internet traffic). | To fulfill PCI requirements on segmenting networks using firewalls and HIPAA access controls that require data access to be restricted to known sources, configure your Storage Account to deny access to traffic from all networks by default. | More info | |
| Storage | Medium | CIS 3.15 PCI DSS (Old Protocols) | eastus | prevasiostorageaccount | Storage Account has TLS version 1.0, which is lower than the desired TLS version 1.2. | To comply with the industry standards, ensure your Storage Account uses TLS 1.2 or higher for all TLS connections. | More info | |
| Storage | Medium | CIS 3.1 PCI DSS 4.2 HIPAA (Encryption) | eastus | prevasiostorageaccount | Storage Account allows insecure HTTP origin. | To fulfill HIPAA and PCI DSS requirements on strong cryptographic and security protocols for transmitting user data, ensures HTTPS-only traffic is allowed to Storage Account endpoints. | More info | |
| Storage | Medium | CIS 3.8 PCI DSS (Networking) HIPAA (Networking) | eastus | sqlvan5orkhoarubfu | Storage Account is configured to allow access to traffic from all networks (including Internet traffic). | To fulfill PCI requirements on segmenting networks using firewalls and HIPAA access controls that require data access to be restricted to known sources, configure your Storage Account to deny access to traffic from all networks by default. | More info | |
| Storage | Medium | CIS 3.7 PCI DSS (Networking) HIPAA (Networking) | global | test-storage-container | Storage Blob Container allows public access. | To fulfill HIPAA and PCI DSS requirements on strict access controls to all data, ensure that all Blob Containers have anonymous public access disabled. | More info | |
| Web | Medium | CIS 9.1 PCI DSS 10.2 HIPAA (Audit) | eastus | prevasio-web-app | App Service has Authentication feature disabled. | To add an extra layer of security to the authentication process, ensure that your App Services have Authentication feature enabled. | More info | |
| Web | Medium | CIS 9.3 PCI DSS (Old Protocols) | eastus | prevasio-web-app | App Service has TLS version 1.1, which is lower than the desired TLS version 1.2. | To comply with the industry standards, ensure TLS 1.2 or higher is used for all TLS connections to App Services. | More info | |
| Web | Medium | CIS 9.2 PCI DSS 4.2 HIPAA (Encryption) | eastus | prevasio-web-app | App Service is not enforcing HTTPS-only traffic. | To redirect all non-secure HTTP requests to HTTPS so that the traffic between the web application servers and the application clients cannot be decrypted, enforce HTTPS-only traffic for your App Services. | More info | |
| SQL | Medium | CIS 4.1.1 PCI DSS 10.2 HIPAA (Audit) | eastus | my-sql-db | SQL Database has Database Auditing disabled. | To fulfill HIPAA requirements on secure audit record for read/write/delete activities in the system, ensure that SQL Database Auditing is enabled. | More info | |
| SQL | Medium | CIS 4.4.2 PCI DSS (Old Protocols) HIPAA (Encryption) | eastus | prevasio-sql-server | SQL Server has TLS version 1.1, which is lower than the desired TLS version 1.2. | To comply with the industry standards, ensure TLS 1.2 or higher is used for all TLS connections to SQL Servers. | More info | |
| SQL | Medium | CIS 4.1.6 PCI DSS 10.2 HIPAA (Audit) | eastus | prevasio-sql-server | SQL Server Auditing retention is 10 days, while the recommended limit is 90 days. | To fulfill HIPAA requirements on secure audit record for read/write/delete activities in the system, ensure that SQL Servers have a sufficient log data retention period, i.e. 90 days or more. | More info | |
| SQL | Medium | CIS 4.1.1 PCI DSS 10.2 HIPAA (Audit) | westus | master | SQL Database has Database Auditing disabled. | To fulfill HIPAA requirements on secure audit record for read/write/delete activities in the system, ensure that SQL Database Auditing is enabled. | More info | |
| SQL | Medium | CIS 4.4.2 PCI DSS (Old Protocols) HIPAA (Encryption) | westus | prevasio-sql-server2 | SQL Server has TLS version set to EnforcementDisabled, while the desired TLS version is 1.2. | To comply with the industry standards, ensure TLS 1.2 or higher is used for all TLS connections to SQL Servers. | More info | |
| SQL | Medium | CIS 4.1.1 PCI DSS 10.2 HIPAA (Audit) | westus | prevasio-sql-server2 | SQL Server has Database Auditing disabled. | To fulfill HIPAA requirements on secure audit record for read/write/delete activities in the system, ensure that SQL Server Auditing is enabled. | More info | |
| SQL | Medium | PCI DSS 10.2 HIPAA (Audit) | westus | prevasio-sql-server2 | SQL Server has Audit Action and Groups disabled. | To fulfill HIPAA requirements on secure audit record for read/write/delete activities in the system, ensure SQL Server Audit Action and Groups is configured to at least include SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP and BATCH_COMPLETED_GROUP. | More info | |
| MySQL | High | CIS 4.4.1 PCI DSS 4.2 HIPAA (Encryption) | eastus | prevasio-mysql-server | MySQL Server is not configured to have its data in-transit encrypted. | To fulfill HIPAA requirements for all data to be transmitted over secure channels, ensure that MySQL Server is set to use SSL for data transmission. | More info | |
| PostgreSQL | High | CIS 4.3.1 PCI DSS 4.2 HIPAA (Encryption) | eastus2 | prevasio-postgresql-server | PostgreSQL Server is not configured to have its data in-transit encrypted. | To fulfill HIPAA requirements for all data to be transmitted over secure channels, ensure that PostgreSQL Server is set to use SSL for data transmission. | More info | |
| Cache for Redis | Medium | PCI DSS (Old Protocols) HIPAA (Encryption) | westus2 | prevasio2 | Redis Cache has TLS version 1.0, which is lower than the desired TLS version 1.2. | To comply with the industry standards, ensure Redis Cache uses TLS 1.2 or higher for all TLS connections. | More info | |
| Cache for Redis | High | PCI DSS 4.2 HIPAA (Encryption) | westus2 | prevasio2 | Redis Cache is not configured to use SSL connection. | To fulfill HIPAA requirements for all data to be transmitted over secure channels, ensure that the SSL connection to your Redis Cache servers is enabled. | More info | |
| Cache for Redis | Medium | PCI DSS (Old Protocols) HIPAA (Encryption) | westus2 | prevasio | Redis Cache allows all TLS versions. | To comply with the industry standards, ensure Redis Cache uses TLS 1.2 or higher for all TLS connections. | More info | |
| Security | Medium | PCI DSS 4.2 HIPAA (Encryption) | eastus | prevasio-key-vault-2 | Key Vault has Soft Delete retention period set to 7 days, while the recommended limit is 90 days. | To fulfill HIPAA requirements on protecting all encryption mechanisms against loss of modification, ensure that Key Vaults have a recommended Soft Delete retention period, i.e. 90 days. | More info | |
| Security | Low | CIS 5.1.5 PCI DSS 10.2 HIPAA (Audit) | eastus | prevasio-key-vault | Key Vault has no AuditEvent logging enabled. | To fulfill HIPAA requirements on secure audit record for read/write/delete activities in the system, ensure that AuditEvent logging is enabled for each Key Vault. | More info | |
| Monitor | Low | PCI DSS 10.2 HIPAA (Audit) | global | default | Log Profile does not archive your activity log from Australia, Brazil. | To fulfill HIPAA and PCI requirements on secure audit record for environments containing sensitive data, ensures the Log Profile is configured to export all activities from all Azure locations. | More info | |
| Monitor | Low | PCI DSS 10.2 HIPAA (Audit) | global | default | Log Profile does not collect logs for "Delete" event categories. | To fulfill HIPAA and PCI requirements on secure audit record for environments containing sensitive data, ensure the Log Profile is configured to collect logs for "Write", "Delete" and "Action" event categories. | More info | |
| Monitor | Medium | PCI DSS 10.2 HIPAA (Audit) | global | default | Log Profile has a retention period of 0 days. | To fulfill HIPAA and PCI requirements on retaining logs for a minimum of 365 days, ensure that the Log Profile created for your activity log has a retention period set either to 0 (retain data forever) or 365 days or more. | More info |