Ensure your Trend Vision One configuration is compliant with PCI Security Standards.

Trend Vision One offers robust security features, but certain configurations may impact PCI DSS compliance.
The following table outlines potential PCI DSS compliance risks to consider when using Trend Vision One and the configurations required to eliminate the risks.
Important: To adhere to PCI compliance standards, ensure that your Trend Vision One has been updated to the Foundation Services release.

Feature: Standard Endpoint Protection - Data Loss Prevention
Compliance risk: Standard Endpoint Protection includes Data Loss Prevention (DLP) features that can detect and prevent unauthorized actions with cardholder data. DLP filters logs at the endpoint to retain no more than the first six and last four digits of cardholder data.
However, the optional "Forensic Evidence Collection" feature introduces a critical compliance risk. When activated, this feature can capture complete data payloads, potentially including unmasked cardholder data.
Recommendation: Disable the "Forensic Evidence Collection" feature.
For more information, see Apex One Data Loss Prevention Policies.

Feature: Zero Trust Secure Access - Private Access
Compliance risk: ZTSA Private Access provides SASE-based VPN services between remote endpoints and internal applications through the use of Private Access Connectors deployed in your corporate environment. Traffic from endpoints to Private Access Connectors is not encrypted by default for traffic sent using an unencrypted protocol. If encryption is not enabled, ZTSA Private Access could potentially transmit cardholder data in an unencrypted format.
Recommendation: Enable "Encrypt app traffic transmitted using unencrypted protocols" in the configurations for your internal applications.
Important: Encrypting app traffic transmitted using an unencrypted protocol consumes a high amount of system resources and will impact performance when connecting to internal apps.

Feature: Zero Trust Secure Access - Internet Access
Compliance risk: ZTSA Internet Access offers a proxy-based service to facilitate secure public internet access for users. The service decrypts all HTTPS traffic by default to enforce policies and conduct security checks, a process that temporarily exposes cardholder data within the proxy infrastructure.
Recommendation: Exclude any domains which may transmit cardholder data by adding them to inspection exceptions.
For more information, see Inspection exceptions.
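
The Data Loss Prevention entry above relies on logs keeping no more than the first six and last four digits of cardholder data. The following is an added example, not Trend Micro code and not part of the original page: a check you can run over exported log text to find lines that still hold a full card number and truncate them. The log format, field names and function names are assumptions made for illustration.

```python
import re

# Candidate card number: 13-19 digits, optionally split by single spaces or hyphens
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

# Constructed sample lines (assumed format); 4111111111111111 is a common test number
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z dlp action=block card=4111 1111 1111 1111 channel=usb",
    "2024-05-01T10:00:05Z dlp action=block card=411111******1111 channel=email",
    "2024-05-01T10:00:09Z order id=1234567890123456 status=ok",
]

def luhn_valid(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def truncate_pan(digits):
    """Keep only the first six and last four digits, masking the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_line(line):
    """Return (line with full card numbers truncated, number of full card numbers found)."""
    hits = 0

    def repl(match):
        nonlocal hits
        digits = re.sub(r"[ -]", "", match.group())
        if not luhn_valid(digits):  # skip order IDs and other long numbers
            return match.group()
        hits += 1
        return truncate_pan(digits)

    masked = PAN_CANDIDATE.sub(repl, line)
    return masked, hits

def audit(lines):
    """Return (line_number, truncated_line) for every line that held a full card number."""
    findings = []
    for number, line in enumerate(lines, 1):
        masked, hits = scan_line(line)
        if hits:
            findings.append((number, masked))
    return findings
```

Any line reported by `audit` held more than the first six and last four digits and is worth tracing back to the feature or policy that wrote it.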