PCI DSS checklists

SCM is organized through checklists that assess and manage the endpoint and server configurations. Each compliance checklist is distributed by BigFix as an external Fixlet site.

SCM provides a large number of checklists to report compliance and remediate endpoint security configurations based on industry best practices, such as the Center for Internet Security (CIS) benchmarks and the Defense Information Systems Agency Security Technical Implementation Guides (DISA STIG). HCL BigFix Compliance also provides security configuration checklists for Payment Card Industry Data Security Standard (PCI DSS) compliance.

Each PCI DSS checklist contains technical checks that are based on the PCI standard. For details on the PCI standard, see PCI DSS Requirements and Security Assessment Procedures.
Note: The checks that are specific to PCI DSS Requirements and Security Assessment Procedures v3.2 are considered best practices until they become mandatory in 2018. You can exclude those checks from the compliance report by using the standard exception mechanism available in BigFix Compliance Analytics (formerly known as SCA). For more information, see Creating exceptions.
These technical checks assess security policies and configurations on each endpoint, provide remediation steps to fix vulnerabilities, and provide reporting capabilities. Compliance data can be explored from the reports that provide the requirements perspective or the prioritized approach. For BigFix Compliance Analytics V2.0 or later, see Viewing the Policy View List report. For BigFix Compliance Analytics V1.8 or earlier, see Viewing custom reports.
Note: PCI DSS requirements 9, 11, and 12, which are process-oriented in nature, are not covered in SCM.

For the detailed PCI DSS checklists available for each operating system, see PCI DSS Checklists.

For more details on the released PCI DSS checklists, see Release announcement PCI-Addon.

PCI DSS checklist content

You can access a checklist by subscribing to the external Fixlet sites that are provided by SCM. A single site can contain checks for multiple requirements.

Each site contains a set of Fixlets and Analyses, where each Fixlet (or check) corresponds to a specific configuration setting defined by the PCI DSS requirements. A Fixlet evaluates a system setting against a specific policy value and displays the compliance state of an endpoint. An analysis is associated with each Fixlet; it retrieves the actual state of the corresponding configuration item on each endpoint.

Most Fixlets expose a parameterized setting so that the value used in the compliance evaluation can be customized.

Each Fixlet contains instructions on how to manually remediate a non-compliant endpoint. These steps can be found in the Description tab. Some Fixlets also provide actions that automatically remediate non-compliant settings on endpoints. For more information about remediation support, see PCI DSS Checklists.

The compliance status of each PCI DSS check and checklist is calculated by Security and Compliance Analytics (SCA), now known as BigFix Compliance Analytics, during a periodic Extract, Transform, and Load (ETL) process. Some checklists require you to run the Environment Setup Task first. For more information, see Configuring endpoints.