PCI-DSS v4.0.1
35 rules that check network security control (firewall) rulesets against Payment Card Industry Data Security Standard v4.0.1 requirements, covering default-deny and overly permissive rules, insecure protocols, tunneling and exfiltration paths, network segmentation, service exposure, and rule documentation requirements.
| Rule ID | Severity | PCI Reference | Category | Summary |
|---|---|---|---|---|
| PCI-NET-001 | CRITICAL | 1.3.1, 1.3.2 | Default-Deny / Overly Permissive | Any source combined with all ports (allow-all rule) |
| PCI-NET-002 | HIGH | 1.3.2 | Default-Deny / Overly Permissive | Unrestricted outbound from internal network |
| PCI-NET-003 | HIGH | 1.2.1, 1.3.1 | Default-Deny / Overly Permissive | Overly broad source or destination address |
| PCI-NET-004 | HIGH | 1.2.1, 2.2.4 | Default-Deny / Overly Permissive | Wide port range exceeds 20 ports |
| PCI-NET-005 | HIGH | 1.2.1, 2.2.4 | Default-Deny / Overly Permissive | Protocol ANY permits all protocols |
| PCI-NET-010 | CRITICAL | 2.2.4, 4.2.1 | Insecure Protocols | FTP transmits credentials in plaintext |
| PCI-NET-011 | CRITICAL | 2.2.4, 4.2.1 | Insecure Protocols | Telnet transmits all data in plaintext |
| PCI-NET-012 | HIGH | 4.2.1 | Insecure Protocols | HTTP unencrypted traffic |
| PCI-NET-013 | HIGH | 2.2.4, 4.2.1 | Insecure Protocols | POP3/IMAP transmit credentials in plaintext |
| PCI-NET-014 | HIGH | 2.2.4 | Insecure Protocols | SNMP v1/v2c community strings in plaintext |
| PCI-NET-015 | HIGH | 2.2.4, 4.2.1 | Insecure Protocols | LDAP plaintext directory queries |
| PCI-NET-016 | MEDIUM | 2.2.4, 4.2.1 | Insecure Protocols | SMTP plaintext may transmit cardholder data |
| PCI-NET-017 | MEDIUM | 2.2.4, 2.2.5 | Insecure Protocols | Syslog over UDP unencrypted |
| PCI-NET-018 | HIGH | 2.2.4 | Insecure Protocols | TFTP no authentication or encryption |
| PCI-NET-019 | CRITICAL | 2.2.4 | Insecure Protocols | r-services (rsh/rlogin/rexec) plaintext, trust-based authentication |
| PCI-NET-030 | MEDIUM | 1.3.1, 1.3.2, 11.5.1 | Tunneling & Exfiltration | SSH tunneling risk from broad/public source |
| PCI-NET-031 | HIGH | 1.3.1, 1.3.2, 11.5.1 | Tunneling & Exfiltration | VPN tunnel traffic bypasses IDS/IPS inspection |
| PCI-NET-032 | INFO | 11.5.1 | Tunneling & Exfiltration | Outbound HTTPS inspection blind spot |
| PCI-NET-033 | MEDIUM | 1.3.2, 11.5.1 | Tunneling & Exfiltration | DNS as covert channel for data exfiltration |
| PCI-NET-040 | CRITICAL | 1.3.1, 1.4.1 | Network Segmentation | Direct internet-to-internal bypasses DMZ |
| PCI-NET-042 | HIGH | 1.3.2 | Network Segmentation | Unrestricted outbound internet from internal |
| PCI-NET-050 | HIGH | 1.3.1, 1.3.2 | Database & Service Exposure | Database ports exposed to broad/public source |
| PCI-NET-051 | CRITICAL | 1.3.1, 8.4.2 | Remote Access Exposure | RDP exposed to internet |
| PCI-NET-052 | CRITICAL | 1.3.1, 1.3.2 | Ransomware & Lateral Movement | SMB ransomware propagation vector |
| PCI-NET-053 | HIGH | 2.2.4 | Legacy Service Exposure | NetBIOS exposed across network boundary |
| PCI-NET-054 | CRITICAL | 1.3.1, 2.2.4 | Container & Orchestration Exposure | Docker API accessible |
| PCI-NET-055 | CRITICAL | 1.3.1, 2.2.4 | Container & Orchestration Exposure | Kubernetes API/Kubelet accessible |
| PCI-NET-056 | CRITICAL | 1.3.1, 2.2.4 | ICS/SCADA Isolation | ICS/SCADA protocols lack authentication |
| PCI-NET-057 | CRITICAL | 1.3.1, 2.2.4 | Out-of-Band Management | IPMI/BMC hardware control exposed |
| PCI-NET-060 | HIGH | 8.4.2 | Remote Access Exposure | Remote management from internet without MFA |
| PCI-NET-061 | HIGH | 1.3.1, 2.2.4, 4.2.1 | Remote Access Exposure | VNC unencrypted with weak authentication |
| PCI-NET-062 | HIGH | 2.2.4, 4.2.1 | Remote Access Exposure | WinRM HTTP unencrypted commands |
| PCI-NET-070 | MEDIUM | 1.2.5 | Rule Documentation | No application name or business justification |
| PCI-NET-091 | MEDIUM | 1.3.1 | Anti-Spoofing & ICMP Control | ICMP Redirect exploitable for MITM attacks |
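To make the evaluation logic behind a few of these rules concrete, here is an added illustrative checker, not the project's own rule engine. The `FirewallRule` model, the "broader than /16" threshold for PCI-NET-003, the port-to-rule map, and the sample rules are all assumptions made for this example; only the rule IDs, severities and the 20-port threshold from PCI-NET-004 come from the table above.

```python
"""Toy evaluator for a subset of the PCI-NET-* checks listed above (illustrative only)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass
class FirewallRule:                  # assumed rule model, not the project's
    name: str
    src: str                         # source CIDR, e.g. "0.0.0.0/0"
    dst: str                         # destination CIDR
    proto: str                       # "tcp", "udp" or "any"
    ports: str                       # "any", "22", "110,143" or "1024-65535"
    action: str = "allow"
    comment: str = ""                # business justification (PCI-NET-070)


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    rule_name: str


INTERNET = ipaddress.ip_network("0.0.0.0/0")
BROAD_PREFIX = 16        # assumption: shorter than /16 counts as "overly broad"
WIDE_PORT_RANGE = 20     # PCI-NET-004: more than 20 ports is "wide"
ALL_PORTS = (0, 65535)

# TCP listeners the Insecure Protocols rules flag (port -> rule id, severity).
# rsh/rlogin/rexec use TCP 512-514; syslog on UDP/514 is handled separately.
PLAINTEXT_TCP = {
    21: ("PCI-NET-010", "CRITICAL"), 23: ("PCI-NET-011", "CRITICAL"),
    80: ("PCI-NET-012", "HIGH"), 110: ("PCI-NET-013", "HIGH"),
    143: ("PCI-NET-013", "HIGH"), 389: ("PCI-NET-015", "HIGH"),
    512: ("PCI-NET-019", "CRITICAL"), 513: ("PCI-NET-019", "CRITICAL"),
    514: ("PCI-NET-019", "CRITICAL"),
}


def parse_ports(spec: str) -> list[tuple[int, int]]:
    """'any' -> [(0, 65535)]; '80,443' -> [(80, 80), (443, 443)]; '1024-2047' -> [(1024, 2047)]."""
    if spec.strip().lower() == "any":
        return [ALL_PORTS]
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not 0 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port spec: {part!r}")
        ranges.append((lo_i, hi_i))
    return ranges


def port_count(ranges: list[tuple[int, int]]) -> int:
    return sum(hi - lo + 1 for lo, hi in ranges)


def covers(ranges: list[tuple[int, int]], port: int) -> bool:
    return any(lo <= port <= hi for lo, hi in ranges)


def evaluate(rule: FirewallRule) -> list[Finding]:
    """Findings raised for one rule; deny rules are never flagged."""
    if rule.action.lower() != "allow":
        return []
    src = ipaddress.ip_network(rule.src, strict=False)
    ports = parse_ports(rule.ports)
    proto = rule.proto.lower()
    tcp_like, udp_like = proto in ("tcp", "any"), proto in ("udp", "any")
    findings: list[Finding] = []

    # Default-Deny / Overly Permissive
    if src == INTERNET and ports == [ALL_PORTS]:
        findings.append(Finding("PCI-NET-001", "CRITICAL", rule.name))
    elif src.prefixlen < BROAD_PREFIX:
        findings.append(Finding("PCI-NET-003", "HIGH", rule.name))
    if ports != [ALL_PORTS] and port_count(ports) > WIDE_PORT_RANGE:
        findings.append(Finding("PCI-NET-004", "HIGH", rule.name))
    if proto == "any":
        findings.append(Finding("PCI-NET-005", "HIGH", rule.name))

    # Per-service checks only when the rule is not already an all-ports rule
    # (PCI-NET-001 already covers that case).
    if ports != [ALL_PORTS]:
        seen: set[str] = set()
        for port, (rid, sev) in PLAINTEXT_TCP.items():
            if tcp_like and covers(ports, port) and rid not in seen:
                seen.add(rid)          # one finding per rule id (110+143 -> one 013)
                findings.append(Finding(rid, sev, rule.name))
        if udp_like and covers(ports, 514):
            findings.append(Finding("PCI-NET-017", "MEDIUM", rule.name))
        if tcp_like and src == INTERNET and covers(ports, 3389):
            findings.append(Finding("PCI-NET-051", "CRITICAL", rule.name))

    # Rule Documentation
    if not rule.comment.strip():
        findings.append(Finding("PCI-NET-070", "MEDIUM", rule.name))
    return findings


# Constructed sample ruleset (not real configuration).
SAMPLE_RULES = [
    FirewallRule("permit-all", "0.0.0.0/0", "10.0.0.0/8", "any", "any"),
    FirewallRule("legacy-mail", "10.20.0.0/16", "10.0.5.10/32", "tcp", "110,143", comment="POP3/IMAP for legacy MUA"),
    FirewallRule("jump-rdp", "0.0.0.0/0", "10.0.1.5/32", "tcp", "3389", comment="vendor support"),
    FirewallRule("high-ports", "10.30.0.0/24", "10.0.2.0/24", "udp", "1024-65535", comment="passive FTP data"),
    FirewallRule("https-only", "10.30.0.0/24", "10.0.2.10/32", "tcp", "443", comment="web tier"),
]

if __name__ == "__main__":
    for r in SAMPLE_RULES:
        for f in evaluate(r):
            print(f"{f.severity:8} {f.rule_id}  {f.rule_name}")
```

Two design points worth noting: the service-level checks are keyed on ports the rule actually opens, so a wide range such as 1024-65535 is reported once under PCI-NET-004 rather than once per service inside it, and an allow-all rule is reported as PCI-NET-001 without also listing every plaintext protocol it exposes. A production checker would also need to treat documentation and other non-RFC1918 ranges correctly when deciding what counts as "public"; the /16 threshold here is a placeholder for that judgement.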