💳 PCI DSS 1.2 · Rule: PCI-1-2 · Severity: high

Network Security Control Configuration

Description

Network security control (NSC) configurations are defined, reviewed, and maintained — including approved network services, port whitelists, and protocols.

⚠️ Risk Impact

Default-permit network rules allow unintended services to reach the cardholder data environment. Adversaries probe for these gaps with automated scanners 24/7.

🔍 How EchelonGraph Detects This

PCI-1-2: Automated scanner rule

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.

🔧 Remediation

Document approved network services + ports. Enforce default-deny on CDE perimeter. Review NSC rules quarterly. Apply admission policy (Kyverno, OPA) for K8s deployments touching CDE.

💀 Real-World Attack Scenario

A retailer's CDE perimeter security group allowed all TCP ports from internal-facing IPs 'temporarily' during a migration. The exception persisted for 14 months. An attacker who compromised a corporate workstation found the open path via internal scanning and extracted 4M card numbers. The post-incident investigation attributed the breach to a PCI 1.2 NSC configuration deficiency.

💰 Cost of Non-Compliance

PCI breach with 4M+ cards: avg cost $115/record = $460M+ (Verizon DBIR 2024). PCI 1.2 violations: $5K-$100K/month fines + acquiring bank scrutiny.

📋 Audit Questions

  1. Show approved network services + ports for CDE.
  2. What is the default-deny posture?
  3. Last quarterly NSC review evidence?
  4. Are temporary exceptions tracked + expired?

🎯 MITRE ATT&CK Mapping

T1078 — Valid Accounts
T1021 — Remote Services

⚡ Common Pitfalls

  • Temporary exceptions that become permanent
  • No quarterly review — drift accumulates
  • Audit-mode admission policy that doesn't block
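To make the remediation (documented approved services + ports, default-deny on the CDE perimeter) and the first pitfall (temporary exceptions that become permanent) concrete, here is an added Python example. It is not EchelonGraph's code and not from the original page; the rule and allowlist structures are assumptions modelled loosely on cloud security-group ingress rules, and the sample rules, the `APPROVED_SERVICES` allowlist and the "temporary" keyword heuristic are all constructed for illustration.

```python
"""Evaluate CDE perimeter ingress rules against a documented allowlist.

Flags (1) default-permit rules (all protocols or the full port range),
(2) rules opening ports that are not on the approved-services list, and
(3) temporary exceptions that are untracked (no expiry) or already expired.
Constructed example; data model is an assumption, not EchelonGraph's own.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

MAX_PORT = 65535
# Heuristic markers for an exception that was meant to be temporary (assumption).
TEMP_MARKERS = ("temporary", "migration", "exception")


@dataclass(frozen=True)
class ApprovedService:
    name: str
    protocol: str   # "tcp" or "udp"
    port: int


@dataclass(frozen=True)
class IngressRule:
    rule_id: str
    protocol: str                   # "tcp", "udp", or "-1" meaning all protocols
    from_port: int
    to_port: int
    source: str                     # CIDR or security-group reference
    description: str = ""
    expires: Optional[date] = None  # set only for tracked temporary exceptions


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    reason: str


# Constructed allowlist standing in for the documented approved services + ports.
APPROVED_SERVICES = frozenset({
    ApprovedService("https", "tcp", 443),
    ApprovedService("postgres", "tcp", 5432),
})


def is_all_ports(rule: IngressRule) -> bool:
    """True for default-permit rules: all protocols, or the whole 0-65535 range."""
    return rule.protocol == "-1" or (rule.from_port <= 0 and rule.to_port >= MAX_PORT)


def is_fully_approved(rule: IngressRule, approved=APPROVED_SERVICES) -> bool:
    """True only if every port the rule opens is on the allowlist for its protocol."""
    allowed = {s.port for s in approved if s.protocol == rule.protocol}
    # A range wider than the allowlist cannot be fully approved; skip enumerating it.
    if rule.to_port - rule.from_port + 1 > len(allowed):
        return False
    return all(p in allowed for p in range(rule.from_port, rule.to_port + 1))


def looks_temporary(rule: IngressRule) -> bool:
    """A rule is treated as an exception if it carries an expiry or a temp marker."""
    text = rule.description.lower()
    return rule.expires is not None or any(m in text for m in TEMP_MARKERS)


def evaluate(rules, approved=APPROVED_SERVICES, today: Optional[date] = None):
    """Return findings for every rule that violates default-deny or exception tracking."""
    today = today or date.today()
    findings = []
    for r in rules:
        if is_all_ports(r):
            findings.append(Finding(r.rule_id, "high",
                                    f"default-permit rule: all ports from {r.source}"))
        elif not is_fully_approved(r, approved):
            findings.append(Finding(r.rule_id, "high",
                                    f"{r.protocol} {r.from_port}-{r.to_port} from {r.source} "
                                    "not in approved services"))
        if looks_temporary(r):
            if r.expires is None:
                findings.append(Finding(r.rule_id, "medium",
                                        "temporary exception has no expiry date (untracked)"))
            elif r.expires < today:
                findings.append(Finding(r.rule_id, "high",
                                        f"temporary exception expired {r.expires.isoformat()} "
                                        "and is still active"))
    return findings


# Constructed sample rules, including a migration exception like the one in the scenario.
SAMPLE_RULES = [
    IngressRule("sgr-001", "tcp", 443, 443, "10.0.1.0/24", "approved HTTPS from app tier"),
    IngressRule("sgr-002", "tcp", 0, 65535, "10.0.0.0/8", "temporary: all TCP for migration"),
    IngressRule("sgr-003", "tcp", 22, 22, "10.0.2.0/24", "migration SSH",
                expires=date(2024, 1, 31)),
    IngressRule("sgr-004", "tcp", 5432, 5432, "10.0.1.0/24", "app tier to postgres"),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_RULES, today=date(2025, 3, 1)):
        print(f"[{f.severity}] {f.rule_id}: {f.reason}")
```

Run against the sample rules with a fixed "today", the evaluator reports the all-TCP migration rule twice (default-permit, and untracked because it has no expiry) and the SSH rule twice (port 22 is not an approved service, and its expiry has passed), while the two allowlisted rules produce nothing. The quarterly review the remediation calls for is essentially this check re-run on current rule exports with the allowlist as the source of truth.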

📈 Business Value

Network security control discipline is foundational to PCI compliance + reduces lateral-movement risk.

⏱️ Effort Estimate

Manual

20-40 hours for the initial NSC review, plus recurring quarterly reviews

With EchelonGraph

EchelonGraph evaluates security group + firewall rules continuously

🔗 Cross-Framework References

SOC2-CC6.6
NIST-SC-7

Automate PCI DSS 1.2 compliance

EchelonGraph continuously monitors this control across all your cloud accounts.
