Learn

pci-dss-v4

Browse 240 published controls in this framework.

Control IDTitle
1.1.1PCI DSS 1.1.1: Document Network Security Policies
1.1.2PCI DSS 1.1.2: Assign Network Security Roles
1.2.1PCI DSS 1.2.1: NSC Configuration Standards
1.2.2PCI DSS 1.2.2: Identify Approved Services and Ports
1.2.3PCI DSS 1.2.3: Maintain Accurate Network Diagrams
1.2.4PCI DSS 1.2.4: Maintain Accurate Data-Flow Diagrams
1.2.5PCI DSS 1.2.5: Document Business Need for Allowed Services
1.2.6PCI DSS 1.2.6: Secure Risky Services and Protocols
1.2.7PCI DSS 1.2.7: NSC Configuration Review Requirements
1.2.8PCI DSS 1.2.8: Secure NSC Configuration Files
1.2.9PCI DSS 1.2.9: Annual Network Diagram Reviews
1.3.1PCI DSS 1.3.1: Restrict Inbound Traffic to CDE
1.3.2PCI DSS 1.3.2: Restrict Outbound CDE Traffic
1.3.3PCI DSS 1.3.3: Isolate Wireless Networks from CDE
1.4.1PCI DSS 1.4.1: Network Segmentation Controls (NSCs)
1.4.2PCI DSS 1.4.2: Restrict Inbound Traffic from Untrusted Networks
1.4.3PCI DSS 1.4.3: Anti-Spoofing Measures for Network Security
1.4.4PCI DSS 1.4.4: Prevent Direct Access to Cardholder Data
1.4.5PCI DSS 1.4.5: Limit Internal IP Address Disclosure
1.5.1PCI DSS 1.5.1: Secure Computing Devices in CDE
10.1.1PCI DSS 10.1.1: Document Logging & Monitoring Policies
10.1.2PCI DSS 10.1.2: Assign Logging and Monitoring Roles
10.2.1PCI DSS 10.2.1: Audit Logs for Cardholder Data Access
10.2.1.1PCI DSS 10.2.1.1: Log Administrative & Root Actions
10.2.1.2PCI DSS 10.2.1.2: Audit Log Access Control
10.2.1.3PCI DSS 10.2.1.3: Log Invalid Access Attempts
10.2.1.4PCI DSS 10.2.1.4: Log Authentication Mechanism Changes
10.2.1.5PCI DSS 10.2.1.5: Log System-Level Object Changes
10.2.1.6PCI DSS 10.2.1.6: Audit Log Initialization & Stopping
10.2.1.7PCI DSS 10.2.1.7: Log System Object Creation & Deletion
10.2.2PCI DSS 10.2.2: Audit Log Entry Requirements
10.3.1PCI DSS 10.3.1: Restrict Audit Log Read Access
10.3.2PCI DSS 10.3.2: Protect Audit Logs from Modification
10.3.3PCI DSS 10.3.3: Secure Audit Log Backup
10.3.4PCI DSS 10.3.4: File Integrity Monitoring for Audit Logs
10.4.1PCI DSS 10.4.1: Daily Security Event Log Review
10.4.1.1PCI DSS 10.4.1.1: Automate Audit Log Reviews
10.4.2PCI DSS 10.4.2: Periodic System Component Log Review
10.4.2.1PCI DSS 10.4.2.1: Define Log Review Frequency
10.4.3PCI DSS 10.4.3: Address Log Review Exceptions & Anomalies
10.5.1PCI DSS 10.5.1: Audit Log Retention Requirements
10.5.1.1PCI DSS 10.5.1.1: 12-Month Audit Log Retention
10.5.1.2PCI DSS 10.5.1.2: Protect Audit Log Integrity
10.6.1PCI DSS 10.6.1: System Clock Synchronization with NTP
10.6.1.1PCI DSS 10.6.1.1: Protect Time Signals from Manipulation
10.6.3PCI DSS 10.6.3: Protect Time Synchronization Settings
10.7.1PCI DSS 10.7.1: Detect & Respond to Critical Control Failures
10.7.2PCI DSS 10.7.2: Detect & Respond to Control Failures
10.7.3PCI DSS 10.7.3: Restore Security Functions After Failure
11.1.1PCI DSS 11.1.1: Security Testing Policy Documentation
11.1.2PCI DSS 11.1.2: Assign Security Testing Roles
11.1.3PCI DSS 11.1.3: Manage Non-Critical Vulnerabilities
11.2.1PCI DSS 11.2.1: Wireless AP Detection & Management
11.2.2PCI DSS 11.2.2: Wireless Access Point Inventory
11.2.3PCI DSS 11.2.3: Quarterly Wireless AP Testing
11.3.1PCI DSS 11.3.1: Quarterly External Vulnerability Scans
11.3.1.1PCI DSS 11.3.1.1: Internal Authenticated Scanning
11.3.1.2PCI DSS 11.3.1.2: Vulnerability Scans After Changes
11.3.1.3PCI DSS 11.3.1.3: Clean External Vulnerability Scans
11.3.2PCI DSS 11.3.2: Internal Vulnerability Scans
11.3.2.1PCI DSS 11.3.2.1: Vulnerability Rescan After Changes
11.4.1PCI DSS 11.4.1: Define Penetration Testing Methodology
11.4.2PCI DSS 11.4.2: Internal Penetration Testing Requirements
11.4.3PCI DSS 11.4.3: External Penetration Testing Requirements
11.4.4PCI DSS 11.4.4: Correct Penetration Test Findings
11.4.5PCI DSS 11.4.5: Annual Segmentation Penetration Testing
11.4.6PCI DSS 11.4.6: Semi-Annual Segmentation Penetration Tests
11.4.7PCI DSS 11.4.7: Multi-Tenant Penetration Testing Support
11.5.1PCI DSS 11.5.1: Intrusion Detection & Prevention
11.5.1.1PCI DSS 11.5.1.1: Detect Covert Malware Communication Channels
11.5.2PCI DSS 11.5.2: File Integrity Monitoring for Critical Files
11.6.1PCI DSS 11.6.1: Payment Page Tamper-Detection Mechanism
12.1.1PCI DSS 12.1.1: Establish Information Security Policy
12.1.2PCI DSS 12.1.2: Annual Security Policy Review
12.1.3PCI DSS 12.1.3: Define Security Roles & Responsibilities
12.1.4PCI DSS 12.1.4: Assign Executive Information Security Responsibility
12.10.1PCI DSS 12.10.1: Incident Response Plan Requirements
12.10.2PCI DSS 12.10.2: Annual Incident Response Plan Testing
12.10.3PCI DSS 12.10.3: 24/7 Incident Response Personnel
12.10.4PCI DSS 12.10.4: Incident Response Personnel Training
12.10.4.1PCI DSS 12.10.4.1: Incident Response Training Frequency
12.10.5PCI DSS 12.10.5: Security Monitoring Alerts in IR Plan
12.10.6PCI DSS 12.10.6: Update IR Plan Based on Lessons Learned
12.10.7PCI DSS 12.10.7: Respond to Unexpected PAN Discovery
12.2.1PCI DSS 12.2.1: Acceptable Use Policies for End-User Technologies
12.3.1PCI DSS 12.3.1: Risk Analysis for Flexible Requirements
12.3.2PCI DSS 12.3.2: Risk Analysis for Customized Approaches
12.3.3PCI DSS 12.3.3: Annual Cryptographic Cipher Suite Review
12.3.4PCI DSS 12.3.4: Annual Hardware & Software Review
12.4.1PCI DSS 12.4.1: Executive Responsibility for CHD Protection
12.4.2PCI DSS 12.4.2: Quarterly Compliance Reviews for Service Providers
12.4.2.1PCI DSS 12.4.2.1: Document Quarterly Reviews (Service Providers)
12.5.1PCI DSS 12.5.1: Hardware & Software Inventory Management
12.5.2PCI DSS 12.5.2: Annual Scope Confirmation Guide
12.5.2.1PCI DSS 12.5.2.1: Semi-Annual Scope Confirmation for Service Providers
12.5.3PCI DSS 12.5.3: Review Scope Impact of Organizational Changes
12.6.1PCI DSS 12.6.1: Security Awareness Program Implementation
12.6.2PCI DSS 12.6.2: Annual Security Awareness Program Review
12.6.3PCI DSS 12.6.3: Security Awareness Training Requirements
12.6.3.1PCI DSS 12.6.3.1: Threat Awareness Training | GRCWatch
12.6.3.2PCI DSS 12.6.3.2: Acceptable Use in Security Training
12.7.1PCI DSS 12.7.1: Background Checks for CDE Access
12.8.1PCI DSS 12.8.1: Third-Party Service Provider List
12.8.2PCI DSS 12.8.2: Third-Party Service Provider Agreements
12.8.3PCI DSS 12.8.3: TPSP Due Diligence Requirements
12.8.4PCI DSS 12.8.4: Annual TPSP Compliance Monitoring
12.8.5PCI DSS 12.8.5: Document TPSP Responsibility Ownership
12.9.1PCI DSS 12.9.1: TPSP Written Acknowledgment of CHD Responsibility
12.9.2PCI DSS 12.9.2: TPSP Customer Compliance Monitoring
2.1.1PCI DSS 2.1.1: Document Secure Configuration Policies
2.1.2PCI DSS 2.1.2: Assign Secure Configuration Roles
2.2.1PCI DSS 2.2.1: Configuration Standards | GRCWatch
2.2.2PCI DSS 2.2.2: Manage Vendor Default Accounts
2.2.3PCI DSS 2.2.3: Manage Multiple-Function System Components
2.2.4PCI DSS 2.2.4: Disable Unnecessary Services & Protocols
2.2.5PCI DSS 2.2.5: Document Insecure Services Business Justification
2.2.6PCI DSS 2.2.6: Configure System Security Parameters
2.2.7PCI DSS 2.2.7: Encrypt Non-Console Admin Access
2.3.1PCI DSS 2.3.1: Change Wireless Vendor Defaults
2.3.2PCI DSS 2.3.2: Wireless Encryption Key Management
3.5.1.1PCI DSS 3.5.1.1: Keyed Cryptographic Hashes for PAN
3.5.1.2PCI DSS 3.5.1.2: Disk-Level Encryption Management
3.5.1.3PCI DSS 3.5.1.3: Disk Encryption for Removable Media
3.6.1.1PCI DSS 3.6.1.1: Document Cryptographic Architecture
3.6.1.2PCI DSS 3.6.1.2: Cryptographic Key Retirement & Replacement
3.6.1.3PCI DSS 3.6.1.3: Split Knowledge for Cryptographic Keys
3.7.7PCI DSS 3.7.7: Prevent Unauthorized Key Substitution
3.7.8PCI DSS 3.7.8: Key Custodian Formal Acknowledgment
3.7.9PCI DSS 3.7.9: Key-Sharing Guidance for Service Providers
4.1.1PCI DSS 4.1.1: Document Transmission Protection Policies
4.1.2PCI DSS 4.1.2: Assign Transmission Protection Roles
4.2.1PCI DSS 4.2.1: Strong Cryptography for PAN Transmission
4.2.1.1PCI DSS 4.2.1.1: Certificate Inventory Management
4.2.1.2PCI DSS 4.2.1.2: Validate Transmission Certificates
4.2.2PCI DSS 4.2.2: Secure PAN in End-User Messaging
5.1.1PCI DSS 5.1.1: Document Anti-Malware Policies | GRCWatch
5.1.2PCI DSS 5.1.2: Assign Anti-Malware Roles & Responsibilities
5.2.1PCI DSS 5.2.1: Anti-Malware Deployment Guide
5.2.2PCI DSS 5.2.2: Detect All Known Malware Types
5.2.3PCI DSS 5.2.3: Evaluate Low-Risk System Components
5.2.3.1PCI DSS 5.2.3.1: Define Evaluation Frequency in Risk Analysis
5.3.1PCI DSS 5.3.1: Anti-Malware Automatic Updates
5.3.2PCI DSS 5.3.2: Periodic & Real-Time Malware Scans
5.3.2.1PCI DSS 5.3.2.1: Define Periodic Scan Frequency
5.3.3PCI DSS 5.3.3: Removable Media Scan Requirements
5.3.4PCI DSS 5.3.4: Anti-Malware Audit Logs | GRCWatch
5.3.5PCI DSS 5.3.5: Prevent Users from Disabling Anti-Malware
5.4.1PCI DSS 5.4.1: Anti-Phishing Controls for Payment Security
6.1.1PCI DSS 6.1.1: Document Secure Development Policies
6.1.2PCI DSS 6.1.2: Assign Secure Development Roles
6.2.1PCI DSS 6.2.1: Secure Software Development Standards
6.2.2PCI DSS 6.2.2: Developer Secure Coding Training
6.2.3PCI DSS 6.2.3: Code Review Before Production
6.2.3.1PCI DSS 6.2.3.1: Independent Code Review Requirements
6.2.4PCI DSS 6.2.4: Prevent Common Software Attack Vulnerabilities
6.3.1PCI DSS 6.3.1: Identify & Manage Security Vulnerabilities
6.3.2PCI DSS 6.3.2: Bespoke Software Inventory Management
6.3.3PCI DSS 6.3.3: Security Patch Management
6.4.1PCI DSS 6.4.1: Address Web Application Threats Continuously
6.4.2PCI DSS 6.4.2: Automated Web Application Defense
6.4.3PCI DSS 6.4.3: Manage Payment Page Scripts
6.5.1PCI DSS 6.5.1: Production Change Management Procedures
6.5.2PCI DSS 6.5.2: Software Change Control Management
6.5.3PCI DSS 6.5.3: Separate Pre-Production from Production
6.5.4PCI DSS 6.5.4: Separate Roles Production vs Pre-Production
6.5.5PCI DSS 6.5.5: Prevent Live PANs in Pre-Production
6.5.6PCI DSS 6.5.6: Remove Test Data Before Production
7.1.1PCI DSS 7.1.1: Document Access Control Policies
7.1.2PCI DSS 7.1.2: Assign Access Control Roles
7.1.3PCI DSS 7.1.3: Define Your Access Control Model
7.1.4PCI DSS 7.1.4: Access Control System Implementation
7.1.5PCI DSS 7.1.5: Semi-Annual User Account & Privilege Review
7.2.1PCI DSS 7.2.1: Default Deny All Access Control
7.2.2PCI DSS 7.2.2: Role-Based Access Control | GRCWatch
7.2.3PCI DSS 7.2.3: Privilege Approval Requirements
7.2.4PCI DSS 7.2.4: Semi-Annual User Access Reviews
7.2.5PCI DSS 7.2.5: Least Privilege for System Accounts
7.2.5.1PCI DSS 7.2.5.1: System Account Access Review
7.2.6PCI DSS 7.2.6: Restrict CHD Repository Query Access
7.3.1PCI DSS 7.3.1: Role-Based Access Control System
7.3.2PCI DSS 7.3.2: Job-Based Access Control
7.3.3PCI DSS 7.3.3: Deny by Default Access Control
8.1.1PCI DSS 8.1.1: Document Identity & Authentication Policies
8.1.2PCI DSS 8.1.2: Assign Authentication Management Roles
8.1.3PCI DSS 8.1.3: Manage User IDs Across Account Lifecycle
8.2.1PCI DSS 8.2.1: Assign Unique User IDs | GRCWatch
8.2.2PCI DSS 8.2.2: Restrict Shared Accounts to Exceptions
8.2.3PCI DSS 8.2.3: Unique Credentials for Service Providers
8.2.4PCI DSS 8.2.4: Authorize Account Additions and Deletions
8.2.5PCI DSS 8.2.5: Immediate User Access Revocation
8.2.6PCI DSS 8.2.6: Remove Inactive Accounts in 90 Days
8.2.7PCI DSS 8.2.7: Third-Party Remote Access Account Management
8.2.8PCI DSS 8.2.8: Re-Authentication After 15 Minutes Idle
8.3.1PCI DSS 8.3.1: Multi-Factor User Authentication
8.3.10PCI DSS 8.3.10: Service Provider Password Guidance
8.3.10.1PCI DSS 8.3.10.1: Customer Password Change Guidance
8.3.11PCI DSS 8.3.11: Individual Token Assignment | GRCWatch
8.3.2PCI DSS 8.3.2: Encrypt Authentication Credentials | GRCWatch
8.3.3PCI DSS 8.3.3: Verify User Identity Before Authentication Changes
8.3.4PCI DSS 8.3.4: Account Lockout After Failed Login Attempts
8.3.5PCI DSS 8.3.5: Password Complexity Requirements
8.3.6PCI DSS 8.3.6: Enforce Minimum Password Length
8.3.7PCI DSS 8.3.7: Prevent Password Reuse | GRCWatch
8.3.8PCI DSS 8.3.8: Communicate Authentication Policies to Users
8.3.9PCI DSS 8.3.9: Non-Consumer Password Change Requirements
8.4.1PCI DSS 8.4.1: MFA for CDE Administrative Access
8.4.2PCI DSS 8.4.2: MFA for Non-Console CDE Access
8.4.3PCI DSS 8.4.3: MFA for Remote Network Access
8.5.1PCI DSS 8.5.1: Replay-Resistant MFA Implementation
8.6.1PCI DSS 8.6.1: Manage Interactive Login for System Accounts
8.6.2PCI DSS 8.6.2: Prohibit Hardcoded Passwords
8.6.3PCI DSS 8.6.3: Protect System Account Passwords
9.1.1PCI DSS 9.1.1: Document Physical Security Policies
9.1.2PCI DSS 9.1.2: Assign Physical Security Roles
9.1.3PCI DSS 9.1.3: Physical Security Controls for CDE Areas
9.2.1PCI DSS 9.2.1: Physical Entry Controls for CDE
9.2.1.1PCI DSS 9.2.1.1: Monitor Physical Access to Sensitive Areas
9.2.2PCI DSS 9.2.2: Restrict Public Network Jack Access
9.2.3PCI DSS 9.2.3: Restrict Wireless Access Point Physical Access
9.2.4PCI DSS 9.2.4: Console Locking Requirements
9.3.1PCI DSS 9.3.1: Physical Access Authorization & Management
9.3.1.1PCI DSS 9.3.1.1: Control CDE Access for Personnel
9.3.2PCI DSS 9.3.2: Visitor Authorization & Escort Procedures
9.3.3PCI DSS 9.3.3: Visitor Badge Surrender & Deactivation
9.3.4PCI DSS 9.3.4: Maintain Visitor Log Requirements
9.4.1PCI DSS 9.4.1: Physically Secure Cardholder Data Media
9.4.1.1PCI DSS 9.4.1.1: Secure Offline Media Backups
9.4.1.2PCI DSS 9.4.1.2: Annual Backup Security Reviews
9.4.2PCI DSS 9.4.2: Classify Cardholder Data Media
9.4.3PCI DSS 9.4.3: Secure Media Outside Facility
9.4.4PCI DSS 9.4.4: Media Transport Approval | GRCWatch
9.4.5PCI DSS 9.4.5: Electronic Media Inventory Logs
9.4.5.1PCI DSS 9.4.5.1: Annual Media Inventory Requirements
9.4.6PCI DSS 9.4.6: Hard-Copy CHD Media Destruction
9.4.7PCI DSS 9.4.7: Destroy Electronic CHD Media Securely
9.5.1PCI DSS 9.5.1: POI Device Tampering Protection
9.5.1.1PCI DSS 9.5.1.1: Maintain POI Device Inventory
9.5.1.2PCI DSS 9.5.1.2: POI Device Tampering Inspection
9.5.1.2.1PCI DSS 9.5.1.2.1: POI Device Inspection Frequency
9.5.1.3PCI DSS 9.5.1.3: POI Device Tampering Awareness Training