| Severity | Category | Resource | Type | Finding | Recommendation | Est. Cost | Subscription |
|---|---|---|---|---|---|---|---|
| HIGH | Compliance | PCI-DSS Req 1.1 | Compliance | PCI-DSS 1.1: Install & maintain network security controls — evidence shows non-compliance | Review evidence and remediate for PCI-DSS 1.1 compliance | - | All |
| HIGH | Compliance | PCI-DSS Req 1.2 | Compliance | PCI-DSS 1.2: Network security controls configured & maintained — evidence shows non-compliance | Review evidence and remediate for PCI-DSS 1.2 compliance | - | All |
| HIGH | Compliance | PCI-DSS Req 1.3 | Compliance | PCI-DSS 1.3: Network access restricted (cardholder data) — evidence shows non-compliance | Review evidence and remediate for PCI-DSS 1.3 compliance | - | All |
| HIGH | Compliance | PCI-DSS Req 1.4 | Compliance | PCI-DSS 1.4: Network connections controlled — evidence shows non-compliance | Review evidence and remediate for PCI-DSS 1.4 compliance | - | All |
| HIGH | Compliance | PCI-DSS Req 2.1 | Compliance | PCI-DSS 2.1: Secure configurations applied to all components — evidence shows non-compliance | Review evidence and remediate for PCI-DSS 2.1 compliance | - | All |
| HIGH | Compliance | PCI-DSS Req 2.2 | Compliance | PCI-DSS 2.2: System components configured securely — evidence shows non-compliance | Review evidence and remediate for PCI-DSS 2.2 compliance | - | All |

| Framework | Control | Description | Status | Details |
|---|---|---|---|---|
| PCI_DSS | Req 1.1 | Install & maintain network security controls | ✘ FAIL | Evidence: 4 items |
| PCI_DSS | Req 1.2 | Network security controls configured & maintained | ✘ FAIL | Evidence: 4 items |
| PCI_DSS | Req 1.3 | Network access restricted (cardholder data) | ✘ FAIL | Evidence: 4 items |
| PCI_DSS | Req 1.4 | Network connections controlled | ✘ FAIL | Evidence: 4 items |
| PCI_DSS | Req 2.1 | Secure configurations applied to all components | ✘ FAIL | Evidence: 1 item |
| PCI_DSS | Req 2.2 | System components configured securely | ✘ FAIL | Evidence: 1 item |
| PCI_DSS | Req 3.1 | Account data storage minimized | ⚠ CHECK | Evidence: 2 items |
| PCI_DSS | Req 3.3 | Sensitive authentication data not stored post-auth | ⚠ CHECK | Evidence: 2 items |
| PCI_DSS | Req 3.4 | Access to stored cardholder data restricted | ⚠ CHECK | Evidence: 2 items |
| PCI_DSS | Req 3.5 | PAN secured wherever stored | ⚠ CHECK | Evidence: 2 items |
| PCI_DSS | Req 4.1 | Strong cryptography protects cardholder data during transmission | ✔ PASS | Evidence: 1 item |
| PCI_DSS | Req 4.2 | PAN secured during transmission | ✔ PASS | Evidence: 1 item |
| PCI_DSS | Req 5.1 | Malicious software prevented/detected/addressed | ⚠ CHECK | Manual evidence needed |
| PCI_DSS | Req 5.2 | Anti-malware mechanisms maintained | ⚠ CHECK | Manual evidence needed |
| PCI_DSS | Req 5.3 | Anti-malware active on all systems | ⚠ CHECK | Manual evidence needed |
| PCI_DSS | Req 6.1 | Secure development processes established | ⚠ CHECK | Manual evidence needed |
| PCI_DSS | Req 6.2 | Bespoke & custom software developed securely | ⚠ CHECK | Manual evidence needed |
| PCI_DSS | Req 6.3 | Security vulnerabilities identified & addressed | ⚠ CHECK | Manual evidence needed |
| PCI_DSS | Req 7.1 | Access to system components restricted by business need | ✔ PASS | Evidence: 20 items |
| PCI_DSS | Req 7.2 | Access appropriately defined & assigned | ✔ PASS | Evidence: 20 items |
| PCI_DSS | Req 7.3 | Access to system components managed via access control | ✔ PASS | Evidence: 20 items |
| PCI_DSS | Req 8.1 | User identification & account management | ✔ PASS | Evidence: 21 items |
| PCI_DSS | Req 8.2 | User identification managed for users & admins | ✔ PASS | Evidence: 21 items |
| PCI_DSS | Req 8.3 | Strong authentication established | ✔ PASS | Evidence: 21 items |
| PCI_DSS | Req 8.4 | MFA implemented for CDE access | ✔ PASS | Evidence: 21 items |
| PCI_DSS | Req 8.5 | MFA configured to prevent misuse | ✔ PASS | Evidence: 21 items |
| PCI_DSS | Req 9.1 | Physical access to cardholder data restricted | ⚠ CHECK | Manual evidence needed |
| PCI_DSS | Req 10.1 | Logging mechanisms track access | ⚠ CHECK | Manual evidence needed |
| PCI_DSS | Req 10.2 | Audit logs record user activities | ⚠ CHECK | Manual evidence needed |
| PCI_DSS | Req 10.3 | Audit logs protected from destruction | ⚠ CHECK | Manual evidence needed |
| PCI_DSS | Req 10.4 | Audit logs reviewed for anomalies | ⚠ CHECK | Manual evidence needed |
| PCI_DSS | Req 10.5 | Audit log history retained | ⚠ CHECK | Manual evidence needed |
| PCI_DSS | Req 11.1 | Wireless access points tested | ⚠ CHECK | Manual evidence needed |
| PCI_DSS | Req 11.3 | Vulnerabilities identified via external/internal scanning | ⚠ CHECK | Manual evidence needed |
| PCI_DSS | Req 11.4 | Penetration testing performed regularly | ⚠ CHECK | Manual evidence needed |
| PCI_DSS | Req 12.1 | Information security policy established | ⚠ CHECK | Manual evidence needed |
| PCI_DSS | Req 12.3 | Risks to cardholder data environment formally identified | ⚠ CHECK | Manual evidence needed |
| PCI_DSS | Req 12.8 | Third-party service provider risk managed | ⚠ CHECK | Manual evidence needed |
| PCI_DSS | Req 12.10 | Security incidents responded to immediately | ⚠ CHECK | Manual evidence needed |
| HIPAA | 164.312(a)(1) | Access Control | ✔ PASS | Evidence: 20 items |
| HIPAA | 164.312(a)(2)(iv) | Encryption at Rest | ✔ PASS | Evidence: 1 item |
| HIPAA | 164.312(b) | Audit Controls | ⚠ CHECK | Manual review required |
| HIPAA | 164.312(c)(1) | Integrity Controls | ✔ PASS | Evidence: 1 item |
| HIPAA | 164.312(d) | Authentication | ✔ PASS | Evidence: 21 items |
| HIPAA | 164.312(e)(1) | Transmission Security | ✔ PASS | Evidence: 1 item |
| HIPAA | 164.308(a)(1) | Security Management | ✔ PASS | Evidence: 21 items |
| HIPAA | 164.308(a)(3) | Workforce Security | ✔ PASS | Evidence: 20 items |
| HIPAA | 164.308(a)(4) | Information Access | ✔ PASS | Evidence: 20 items |
| HIPAA | 164.308(a)(5) | Security Awareness | ✔ PASS | Evidence: 21 items |
| HIPAA | 164.308(a)(6) | Incident Procedures | ⚠ CHECK | Manual review required |
| HIPAA | 164.310(a) | Facility Access | ⚠ CHECK | Manual review required |
| HIPAA | 164.310(b) | Workstation Use | ✔ PASS | Evidence: 1 item |
| HIPAA | 164.310(c) | Workstation Security | ✔ PASS | Evidence: 1 item |
| HIPAA | 164.310(d) | Device & Media Controls | ✔ PASS | Evidence: 2 items |

No remediation actions.

The organization demonstrates significant compliance deficiencies across both PCI DSS and HIPAA frameworks, with critical security gaps that pose substantial risk to cardholder data and protected health information. Out of 54 total controls assessed, only 32 have adequate evidence, leaving 22 controls with documentation gaps. The environment reveals fundamental weaknesses in access management, encryption implementation, and security monitoring capabilities. Immediate remediation is required for high-severity findings including unrestricted database access, unencrypted data transmission, missing multi-factor authentication, and inadequate logging mechanisms. The current compliance posture presents unacceptable risk levels that could result in regulatory sanctions, data breaches, and significant financial penalties. A comprehensive remediation program with executive sponsorship and dedicated resources is essential to achieve compliance within acceptable timeframes.