# PCI DSS Compliance
Classification: CONFIDENTIAL — Internal Use Only
PCI DSS compliance is implemented via the NIST Cybersecurity Framework (CSF) and NIST SP 800-53 control families. The mapping below shows how each PCI requirement is satisfied.
## PCI DSS Control Mapping
| PCI DSS Requirement | NIST Control | Implementation |
|---|---|---|
| PCI 1.2.1 — Restrict Inbound Traffic | NIST SC-7 | VPC firewall default-deny; on-prem firewalld drop zone |
| PCI 1.5.1 — Secure Remote Access | NIST SC-8 | Cloud VPN IPSec; Webmin TLS; SSH key-only |
| PCI 2.2.1 — System Configuration Standards | NIST CM-6 | CIS Benchmark Rocky Linux 8 applied to all servers |
| PCI 6.3 — Security Patches | NIST SI-2 | dnf-automatic daily security updates |
| PCI 7.1 — Access to System Components | NIST AC-2, AC-3 | Single named admin per role; sudo audit logging |
| PCI 8.2 — User Authentication | NIST IA-2, IA-5 | SSH key auth; 14-char passwords; lockout policy |
| PCI 10.2 — Audit Logs | NIST AU-2, AU-12 | auditd on all servers; rsyslog → WIND ELK |
| PCI 10.3 — Log Integrity | NIST AU-9 | AIDE daily check; centralized log storage |
| PCI 10.5 — Log Retention | NIST AU-11 | Elasticsearch 90-day retention; GCS backup |
| PCI 11.3 — Vulnerability Scanning | NIST RA-5 | dnf-automatic; AIDE; Prometheus alerting |
| PCI 12.10 — Incident Response Plan | NIST IR-1 | IRP documented — see Incident Response Plan |
## Scope Notes
The WDC on-premises cluster and GCP environment are currently scoped for internal compliance only. If cardholder data flows are introduced, a formal PCI DSS ROC (Report on Compliance) engagement will be required.
## Related Documents
Pci Dss · v1.1 · 2026-03-14 · GPUS-IT · Classification: CONFIDENTIAL — Internal Use Only