The Parasoft PCI DSS Compliance artifact is a set of assets for your DTP infrastructure that enable you to demonstrate compliance with PCI DSS coding requirements. The artifact is shipped as part of the Security Compliance Pack. Contact your Parasoft representative to download and license the Security Compliance Pack.
The Payment Card Industry Data Security Standard (PCI DSS) is a collection of coding requirements for software that processes payment card transactions. The standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. Refer to the PCI Security Standards Council website for details about the standard: https://www.pcisecuritystandards.org.
Parasoft facilitates PCI DSS compliance by re-orienting code analysis checkers to report violations within the context of PCI DSS requirements. Each code analysis checker maps to one or more requirements, which appear in DTP widgets and reports.
Code analysis data is required from one of the following Parasoft tools:
See Security Compliance Pack for additional information about prerequisites.
The following artifacts are included in the package and added to your DTP environment when you install the Security Compliance Pack.
This file is the custom logic flow for Extension Designer. Installing the Security Compliance Pack adds the flow to the Extension Designer library. You can then add the flow to a service and deploy it to your DTP infrastructure.
Dashboard templates include preconfigured widgets to help you quickly view specific information about your projects. Refer to the Dashboards section to learn more about dashboards in DTP. See Adding the PCI DSS Dashboards for details about viewing the widgets that appear in the dashboard templates.
Individual code analysis rules belong to a category, such as Security, Exceptions, etc. The PCI DSS Compliance artifact includes files that map code analysis rules to PCI DSS-specific categories. You can configure widgets to report violations according to the categories defined in the following files, so that violations are shown by their PCI DSS category:
Profiles provide a range of functions in a DTP infrastructure, such as providing inputs for custom calculations executed by an extension and providing data for compliance reports. Profiles take their structure from models, which define fields, headers, or other components used in the profile. See Working with Model Profiles for information about understanding profiles in DTP Enterprise Pack.
The following profile files are included with the artifact:
For your convenience, PDFs that show the association between Parasoft rules and PCI DSS requirements are located in the <PACK>/rules/jtest and <PACK>/rules/dottest directories:
The PCI DSS Compliance assets are installed as part of the Security Compliance Pack installation (see Installation for instructions). After installing the artifact, you must deploy the assets to your DTP environment.
The PCI DSS dashboard templates for Java and .NET enable you to quickly add a set of preconfigured widgets that monitor PCI DSS compliance. See Dashboard Templates for a list of the templates included with the artifact.
The dashboard templates are deployed to your DTP environment as part of the Security Compliance Pack installation. If you do not see the dashboard templates, restart DTP Services (see Stopping DTP Services and Starting DTP Services).
You can add the PCI DSS widgets shipped with the artifact to an existing dashboard. See Adding Widgets for general instructions on adding widgets to a dashboard. After deploying the artifact, the PCI DSS widgets appear in the PCI DSS category in the Add Widget overlay:
The following configurations are available:
| Setting | Description |
|---|---|
| Title | Enter a new title to replace the default title that appears on the dashboard. |
| Filter | Choose a specific filter or Dashboard Settings from the drop-down menu. See Creating and Managing Filters for additional information. |
| Target Build | Choose a specific build from the drop-down menu. The build selected for the entire dashboard is selected by default. See Using Build Administration for additional information about understanding builds. |
| Compliance Profile | Specify a compliance profile (see Profile Configuration). The compliance profile data is used in compliance reports. |
See Dashboard Templates for a list of the dashboard templates shipped with the compliance artifact. The following widgets are included on one or more of the dashboards:
This widget shows the current state of compliance with PCI DSS.
There are seven possible states:
Click on the widget to open the PCI DSS Compliance Report.
This widget shows the percentage of the code that is in compliance with PCI DSS guidelines. Click on the widget to open the PCI DSS Compliance Report.
This widget represents the PCI DSS requirements as a pie chart. The red segment represents the requirements that the analyzed code is not currently complying with. The green segment represents the requirements that the analyzed code is currently complying with. The widget also shows the number of violations and deviations.
You can perform the following actions:
This widget is an implementation of the native DTP Rules in Compliance widget. It shows the percentage of Parasoft rules mapped to PCI DSS requirements that are not reporting a violation (that is, rules that are in compliance). See Rules in Compliance - Summary for details about the widget.
The dashboard includes an instance of the native Categories - Top 5 Table widget configured for PCI DSS. It shows the five PCI DSS categories with the most violations. See Categories - Top 5 Table for details about the widget.
Rules - Top 5 Table
The dashboard includes an instance of the native Rules - Top 5 Table widget configured for PCI DSS. It shows the five Parasoft rules mapped to PCI DSS categories with the most violations. See Rules - Top 5 Table for details about the widget.
This widget shows the violations grouped by PCI DSS requirement in a tree map. Each tile is assigned a color and represents a requirement from the guidelines. See Configuring Security Compliance Pack Widgets for details on how to configure this widget.
The main PCI DSS compliance report provides details about your compliance status and serves as the primary document for demonstrating compliance.
You can perform the following actions:
The Requirement Enforcement Plan shows which static analysis rules are used to enforce the PCI DSS requirements. It is intended to describe how you are enforcing each requirement. This report uses the data specified in the compliance profile (see Profile Configuration). In the profile, you can configure the values associated with each weakness property to better reflect the specific challenges associated with your project.
Your code can contain violations and still be PCI DSS-compliant as long as the deviations from the standard are documented and the safety of the software is unaffected. Deviations are violations of code analysis rules that have been suppressed, either directly in the code or in the DTP Violations Explorer. See the dotTEST and Jtest documentation for details on suppressing violations in the code. See Suppressing Violations in the Violations Explorer documentation for information about suppressing violations in DTP.
Click on the Deviations Report link in the PCI DSS Compliance report to open the Deviations Report.
The Deviations Report shows all requirement IDs and headers, but requirements that have suppressed violations show additional information. You can perform the following actions:
The Build Audit Report shows an overview of code analysis violations, as well as test results and coverage information, associated with the build. This report also allows you to download an archive of the data, which is an artifact you can use to demonstrate compliance with PCI DSS during a regulatory audit.
The build must be locked before you can download an archive. See Build Audit Report for additional details about this report.
Models and profiles are assets that enable DTP Enterprise Pack to perform custom calculations and data processing tasks. The model defines the attributes to be used in the calculations and acts as the template for a profile. See Working with Model Profiles to learn more about models and profiles.
The PCI DSS Compliance artifact ships with a default model and profile for code analysis results from Parasoft dotTEST and Jtest. Each profile contains categorization information for mapping Parasoft rules to PCI DSS requirements.
The profile includes information necessary for generating compliance reports, as well as displaying data in the widgets shipped with the PCI DSS artifact. You can modify the profile if you want to re-categorize guidelines to meet your specific goals or specify additional metadata for your reports. Changes will be reflected in the Requirement Enforcement Plan.
We recommend creating a copy of the default profile and modifying the copy:
You will be able to choose an alternate profile when configuring the widgets shipped with the PCI DSS artifact.