Achieve PCI DSS Compliance with Confidence

Secure Your Payment Systems and Safeguard Customer Data with Our Expert Solutions

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements that every company which accepts, processes, stores or transmits payment card data must meet in order to keep that data in a secure environment as part of its normal operations. Its primary goals are to reduce the risk of debit and credit card data loss and to prevent payment card fraud.

Why does PCI DSS matter?

There are a few reasons this should interest you.

The first is that PCI DSS is a single standard recognized across the whole payment industry. It is not a goal that one company set for itself: it is maintained by the PCI Security Standards Council, founded by the major card brands, and it defines one baseline of controls that applies to every organization handling cardholder data, wherever it operates.

Secondly, continuity. As noted above, a company that wants to comply must meet the requirements at all times, not only on the day of an assessment. Because information security threats change constantly, the controls that keep a company compliant (patching, monitoring, regular testing) are the same ones that keep it current with new threats, so maintaining compliance continuously removes much of the worry about falling behind.

Does Cytrix meet the requirements of the PCI DSS?

PCI DSS is not itself a vulnerability-finding tool, but its purpose is to ensure that the network and applications that handle cardholder data are secure, and Requirement 11 explicitly calls for regular vulnerability scanning and penetration testing.

Cytrix addresses the PCI DSS requirements that are relevant to it automatically and continuously, and part of this is done through the penetration tests the tool performs, which contribute to the regular testing that Requirement 11 asks for.


Areas commonly assessed against the PCI DSS requirements:

  • Insecure Remote Access: Ensuring that remote access to the network is secured with multi-factor authentication and strong encryption. CYTRIX applies this to its own platform by requiring a one-time password (OTP) as a second factor, alongside other mechanisms, in its authentication process.
  • Outdated or Unpatched Systems: Checking that all systems and software are up-to-date with the latest security patches applied. CYTRIX keeps its vulnerability database and its features updated in line with current security standards, identifies systems and tools in the client's environment that are out of date or fall short of those standards and are therefore vulnerable, and reports them to the client.
  • Default Credentials and Weak Passwords: Ensuring that no systems are using default usernames and passwords. CYTRIX looks for weak passwords and keys that an attacker could use, reports them to the client, and checks that strong password policies are in place.
  • Unencrypted Transmission of Cardholder Data: Making sure that cardholder data is encrypted with strong cryptography whenever it is transmitted over open, public networks.
  • Cardholder Data Storage: Verifying that cardholder data is not stored unnecessarily and that, where the primary account number (PAN) is stored, it is rendered unreadable as the standard requires (for example with strong encryption, truncation or tokenization). Sensitive authentication data such as the full magnetic-stripe track, the card verification code and the PIN must never be stored after authorization, even in encrypted form.
  • SQL Injection: Testing web applications for SQL injection flaws that could allow attackers to read or corrupt cardholder data. CYTRIX tests for these during its scans and helps the application's developers close them.
  • Cross-site Scripting (XSS): Checking for XSS flaws that could be used to steal session cookies or perform actions on behalf of users. CYTRIX looks for these during the scan and, when one is found, presents the full finding together with the payload used and a screenshot that serves as proof of concept (PoC).
  • Insecure Deserialization: Ensuring that applications are not vulnerable to insecure deserialization, which can lead to remote code execution (RCE). CYTRIX detects and helps prevent many types of RCE-based attacks.
  • Missing or Misconfigured Firewalls: Ensuring that firewalls and other network security controls are properly configured to protect the Cardholder Data Environment (CDE). CYTRIX can detect whether a web application firewall (WAF) is in front of an application and can test whether it can be bypassed by scanning through different login methods.
  • Lack of Network Segmentation: Checking if the cardholder data environment is adequately segmented from the rest of the network to reduce the scope of compliance.
  • Improperly Configured Security Systems: Verifying that intrusion detection/prevention, antivirus, and other security systems are configured correctly and actively protecting the network.
  • Failure to Monitor and Log Access: Ensuring that all access to network resources and cardholder data is logged and that the logs are reviewed regularly. Regular penetration tests help here as well: the activity a test generates should show up in the logs and trigger alerts, and a test that goes unnoticed is itself a finding.
  • Inadequate Security Policies and Procedures: Reviewing the organization's security policies and procedures to ensure they meet the requirements of PCI DSS. CYTRIX checks the technical policies it can observe, such as password and encryption settings, against the required standards.
  • Social Engineering and Phishing: Testing employee awareness and resistance to social engineering and phishing attacks.
  • Physical Security Weaknesses: Verifying that there is sufficient physical security to protect against unauthorized access to systems in the cardholder data environment.
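The cardholder data storage and logging items above come together in one common failure: a full PAN written into an application log. The following is an added example (not Cytrix product code) of the kind of check a practitioner runs over log files: it finds digit runs of card length, filters them with the Luhn check so that order numbers and similar IDs are not reported, and masks real PANs to the first six and last four digits, which is within the limit PCI DSS allows for a displayed PAN. The log lines in SAMPLE_LOG are constructed for the demonstration and use published test card numbers.

```python
"""Find primary account numbers (PANs) leaking into logs and mask them.

Added example, not Cytrix product code. The log lines in SAMPLE_LOG are
constructed for the demonstration and use published test card numbers.
"""
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
_SEP_RE = re.compile(r"[ -]")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, which is within the PCI DSS
    masking limit for a displayed PAN; everything in between becomes '*'."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_line(line: str) -> tuple[str, int]:
    """Mask every Luhn-valid PAN in a log line; return (masked_line, pan_count)."""
    count = 0

    def _sub(match: re.Match) -> str:
        nonlocal count
        digits = _SEP_RE.sub("", match.group(0))
        # The regex admits any long digit run; Luhn filters out order IDs and the like.
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            count += 1
            return mask_pan(digits)
        return match.group(0)

    return _PAN_RE.sub(_sub, line), count


def scan_log(lines: list[str]) -> list[tuple[int, str]]:
    """Return (line_number, masked_line) for every line that contained a PAN."""
    hits = []
    for number, line in enumerate(lines, start=1):
        masked, count = redact_line(line)
        if count:
            hits.append((number, masked))
    return hits


# Constructed sample: two real leaks, one order ID that merely looks like a PAN,
# and one digit string that fails the Luhn check.
SAMPLE_LOG = [
    "2024-05-01 12:00:01 INFO checkout ok card=4111 1111 1111 1111 amount=19.99",
    "2024-05-01 12:00:02 INFO checkout ok card=378282246310005 amount=5.00",
    "2024-05-01 12:00:03 INFO order_id=1234567890123456 status=shipped",
    "2024-05-01 12:00:04 WARN retry card=4111111111111112 declined",
]

if __name__ == "__main__":
    for number, masked in scan_log(SAMPLE_LOG):
        print(f"line {number}: PAN found, masked form: {masked}")
```

Run against the sample, lines 1 and 2 are reported and masked; line 3 is skipped because the order ID fails Luhn, and line 4 because the digit string is not a valid card number. In a real deployment the fix is to stop the application writing the PAN in the first place; redaction after the fact only limits the damage already done.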
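To make the SQL injection item concrete, here is an added example (not Cytrix product code) of the flaw a scanner is looking for, shown beside its fix: a lookup that concatenates user input into the SQL text, and the same lookup with a bound parameter. The in-memory SQLite table, its rows and the payload are constructed for the demonstration.

```python
"""SQL injection: a string-built query beside its parameterized fix.

Added example, not Cytrix product code. The in-memory SQLite database,
its rows and the payload are constructed for the demonstration.
"""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Create a small table holding customers and the last four PAN digits."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cards (id INTEGER PRIMARY KEY, customer TEXT, pan_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO cards (customer, pan_last4) VALUES (?, ?)",
        [("alice", "1111"), ("bob", "4444"), ("carol", "0005")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, customer: str) -> list:
    """Deliberately vulnerable: the input becomes part of the SQL statement."""
    sql = f"SELECT customer, pan_last4 FROM cards WHERE customer = '{customer}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, customer: str) -> list:
    """Fixed: the input is bound as a parameter and never parsed as SQL."""
    sql = "SELECT customer, pan_last4 FROM cards WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


# Classic tautology payload: closes the quoted string and appends an always-true clause.
PAYLOAD = "x' OR '1'='1"


def demo() -> dict:
    """Run the honest query and the attack against both implementations."""
    conn = setup_db()
    return {
        "normal_vuln": lookup_vulnerable(conn, "alice"),   # one row, as intended
        "attack_vuln": lookup_vulnerable(conn, PAYLOAD),   # every row leaks
        "attack_safe": lookup_safe(conn, PAYLOAD),         # no row matches
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable function returns all three customers for the payload because the resulting statement reads `WHERE customer = 'x' OR '1'='1'`; the parameterized version looks for a customer literally named `x' OR '1'='1` and finds none. The same pattern applies to every database driver that supports bound parameters.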

Examples of Vulnerabilities related to Compliance with PCI DSS Requirements: