User Enumeration vulnerability (PCI DSS 6.5.5 standard) and NetMaster

Article ID: 410824

Products

NetMaster File Transfer Management
NetMaster Network Automation
NetMaster Network Management for SNA
NetMaster Network Management for TCP/IP

Issue/Introduction

Are NetMaster versions 12.2 and 13.0 compliant with the PCI DSS "6.5.5 Improper error handling" requirement, which expects applications to return a generic rather than a specific error message for failed logins? Returning specific messages is also known as a User Enumeration vulnerability.

Resolution

Both releases are compliant with that requirement via the LOGONMSG parameter of the SXCTL parameter file (this requires the NMSAF or NMSAFF security solution in NetMaster):

LOGONMSG { STD | PCI }

Specifies the message text that appears when users attempt to log in to the product with an incorrect user name or password.

STD
(Default) Displays one of the following messages, whichever applies:
  • N20E01 USERID XXXXXXXX IS NOT KNOWN, REENTER OR LOGOFF
  • N20E02 PASSWORD IS INVALID, RE-ENTER

PCI
Displays this message: NSX957 USERID OR PASSWORD DETAILS INCORRECT.

This message complies with Payment Card Industry Data Security Standards (PCI DSS). These standards specify that users who attempt to log in to a product with an incorrect password or an incorrect user name receive a generic failure message that one of these credentials is incorrect. These standards enhance security by not informing potential hackers of which credential (user name or password) is valid.
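The following is an added example, not part of this article or of the NetMaster product: a small audit script that scans captured NetMaster logon-failure messages and reports whether the message IDs listed above (N20E01/N20E02 under STD, NSX957 under PCI) indicate that LOGONMSG is still set to STD. The log line layout, timestamps and user IDs are constructed for the demonstration.

```python
import re
from collections import Counter

# Message IDs quoted in the article. N20E01/N20E02 are issued under
# LOGONMSG STD and reveal which credential failed; NSX957 is the
# generic message issued under LOGONMSG PCI.
ENUMERATING = {
    "N20E01": "user ID reported as unknown (valid IDs become distinguishable)",
    "N20E02": "password reported invalid (confirms the user ID exists)",
}
GENERIC = "NSX957"
MSG_RE = re.compile(r"\b(N20E01|N20E02|NSX957)\b")


def audit(lines):
    """Count logon-failure message IDs and collect the lines that leak
    credential validity. Returns (counts, findings)."""
    counts = Counter()
    findings = []
    for line in lines:
        m = MSG_RE.search(line)
        if not m:
            continue
        msg_id = m.group(1)
        counts[msg_id] += 1
        if msg_id in ENUMERATING:
            findings.append((msg_id, ENUMERATING[msg_id], line.strip()))
    return counts, findings


def infer_logonmsg(counts):
    """Infer the effective LOGONMSG setting from the observed messages."""
    if any(msg_id in counts for msg_id in ENUMERATING):
        return "STD"
    if GENERIC in counts:
        return "PCI"
    return "UNKNOWN"


# Constructed sample lines (not real NetMaster output); the timestamps,
# user IDs and the unrelated third line are made up for this example.
SAMPLE_STD = [
    "10:01:02 N20E01 USERID NOSUCHID IS NOT KNOWN, REENTER OR LOGOFF",
    "10:01:09 N20E02 PASSWORD IS INVALID, RE-ENTER",
    "10:01:30 CONSTRUCTED-MSG OPER01 LOGON COMPLETE",
]
SAMPLE_PCI = [
    "10:05:02 NSX957 USERID OR PASSWORD DETAILS INCORRECT.",
    "10:05:11 NSX957 USERID OR PASSWORD DETAILS INCORRECT.",
]
```

Running `audit(SAMPLE_STD)` yields two findings and `infer_logonmsg` returns "STD", while `SAMPLE_PCI` yields no findings and "PCI".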