1.1.1 | PCI DSS 1.1.1: Document Network Security Policies |
1.1.2 | PCI DSS 1.1.2: Assign Network Security Roles |
1.2.1 | PCI DSS 1.2.1: NSC Configuration Standards |
1.2.2 | PCI DSS 1.2.2: Identify Approved Services and Ports |
1.2.3 | PCI DSS 1.2.3: Maintain Accurate Network Diagrams |
1.2.4 | PCI DSS 1.2.4: Maintain Accurate Data-Flow Diagrams |
1.2.5 | PCI DSS 1.2.5: Document Business Need for Allowed Services |
1.2.6 | PCI DSS 1.2.6: Secure Risky Services and Protocols |
1.2.7 | PCI DSS 1.2.7: NSC Configuration Review Requirements |
1.2.8 | PCI DSS 1.2.8: Secure NSC Configuration Files |
1.2.9 | PCI DSS 1.2.9: Annual Network Diagram Reviews |
1.3.1 | PCI DSS 1.3.1: Restrict Inbound Traffic to CDE |
1.3.2 | PCI DSS 1.3.2: Restrict Outbound CDE Traffic |
1.3.3 | PCI DSS 1.3.3: Isolate Wireless Networks from CDE |
1.4.1 | PCI DSS 1.4.1: Network Segmentation Controls (NSCs) |
1.4.2 | PCI DSS 1.4.2: Restrict Inbound Traffic from Untrusted Networks |
1.4.3 | PCI DSS 1.4.3: Anti-Spoofing Measures for Network Security |
1.4.4 | PCI DSS 1.4.4: Prevent Direct Access to Cardholder Data |
1.4.5 | PCI DSS 1.4.5: Limit Internal IP Address Disclosure |
1.5.1 | PCI DSS 1.5.1: Secure Computing Devices in CDE |
10.1.1 | PCI DSS 10.1.1: Document Logging & Monitoring Policies |
10.1.2 | PCI DSS 10.1.2: Assign Logging and Monitoring Roles |
10.2.1 | PCI DSS 10.2.1: Audit Logs for Cardholder Data Access |
10.2.1.1 | PCI DSS 10.2.1.1: Log Administrative & Root Actions |
10.2.1.2 | PCI DSS 10.2.1.2: Audit Log Access Control |
10.2.1.3 | PCI DSS 10.2.1.3: Log Invalid Access Attempts |
10.2.1.4 | PCI DSS 10.2.1.4: Log Authentication Mechanism Changes |
10.2.1.5 | PCI DSS 10.2.1.5: Log System-Level Object Changes |
10.2.1.6 | PCI DSS 10.2.1.6: Audit Log Initialization & Stopping |
10.2.1.7 | PCI DSS 10.2.1.7: Log System Object Creation & Deletion |
10.2.2 | PCI DSS 10.2.2: Audit Log Entry Requirements |
10.3.1 | PCI DSS 10.3.1: Restrict Audit Log Read Access |
10.3.2 | PCI DSS 10.3.2: Protect Audit Logs from Modification |
10.3.3 | PCI DSS 10.3.3: Secure Audit Log Backup |
10.3.4 | PCI DSS 10.3.4: File Integrity Monitoring for Audit Logs |
10.4.1 | PCI DSS 10.4.1: Daily Security Event Log Review |
10.4.1.1 | PCI DSS 10.4.1.1: Automate Audit Log Reviews |
10.4.2 | PCI DSS 10.4.2: Periodic System Component Log Review |
10.4.2.1 | PCI DSS 10.4.2.1: Define Log Review Frequency |
10.4.3 | PCI DSS 10.4.3: Address Log Review Exceptions & Anomalies |
10.5.1 | PCI DSS 10.5.1: Audit Log Retention Requirements |
10.5.1.1 | PCI DSS 10.5.1.1: 12-Month Audit Log Retention |
10.5.1.2 | PCI DSS 10.5.1.2: Protect Audit Log Integrity |
10.6.1 | PCI DSS 10.6.1: System Clock Synchronization with NTP |
10.6.1.1 | PCI DSS 10.6.1.1: Protect Time Signals from Manipulation |
10.6.3 | PCI DSS 10.6.3: Protect Time Synchronization Settings |
10.7.1 | PCI DSS 10.7.1: Detect & Respond to Critical Control Failures |
10.7.2 | PCI DSS 10.7.2: Detect & Respond to Control Failures |
10.7.3 | PCI DSS 10.7.3: Restore Security Functions After Failure |
11.1.1 | PCI DSS 11.1.1: Security Testing Policy Documentation |
11.1.2 | PCI DSS 11.1.2: Assign Security Testing Roles |
11.1.3 | PCI DSS 11.1.3: Manage Non-Critical Vulnerabilities |
11.2.1 | PCI DSS 11.2.1: Wireless AP Detection & Management |
11.2.2 | PCI DSS 11.2.2: Wireless Access Point Inventory |
11.2.3 | PCI DSS 11.2.3: Quarterly Wireless AP Testing |
11.3.1 | PCI DSS 11.3.1: Quarterly External Vulnerability Scans |
11.3.1.1 | PCI DSS 11.3.1.1: Internal Authenticated Scanning |
11.3.1.2 | PCI DSS 11.3.1.2: Vulnerability Scans After Changes |
11.3.1.3 | PCI DSS 11.3.1.3: Clean External Vulnerability Scans |
11.3.2 | PCI DSS 11.3.2: Internal Vulnerability Scans |
11.3.2.1 | PCI DSS 11.3.2.1: Vulnerability Rescan After Changes |
11.4.1 | PCI DSS 11.4.1: Define Penetration Testing Methodology |
11.4.2 | PCI DSS 11.4.2: Internal Penetration Testing Requirements |
11.4.3 | PCI DSS 11.4.3: External Penetration Testing Requirements |
11.4.4 | PCI DSS 11.4.4: Correct Penetration Test Findings |
11.4.5 | PCI DSS 11.4.5: Annual Segmentation Penetration Testing |
11.4.6 | PCI DSS 11.4.6: Semi-Annual Segmentation Penetration Tests |
11.4.7 | PCI DSS 11.4.7: Multi-Tenant Penetration Testing Support |
11.5.1 | PCI DSS 11.5.1: Intrusion Detection & Prevention |
11.5.1.1 | PCI DSS 11.5.1.1: Detect Covert Malware Communication Channels |
11.5.2 | PCI DSS 11.5.2: File Integrity Monitoring for Critical Files |
11.6.1 | PCI DSS 11.6.1: Payment Page Tamper-Detection Mechanism |
12.1.1 | PCI DSS 12.1.1: Establish Information Security Policy |
12.1.2 | PCI DSS 12.1.2: Annual Security Policy Review |
12.1.3 | PCI DSS 12.1.3: Define Security Roles & Responsibilities |
12.1.4 | PCI DSS 12.1.4: Assign Executive Information Security Responsibility |
12.10.1 | PCI DSS 12.10.1: Incident Response Plan Requirements |
12.10.2 | PCI DSS 12.10.2: Annual Incident Response Plan Testing |
12.10.3 | PCI DSS 12.10.3: 24/7 Incident Response Personnel |
12.10.4 | PCI DSS 12.10.4: Incident Response Personnel Training |
12.10.4.1 | PCI DSS 12.10.4.1: Incident Response Training Frequency |
12.10.5 | PCI DSS 12.10.5: Security Monitoring Alerts in IR Plan |
12.10.6 | PCI DSS 12.10.6: Update IR Plan Based on Lessons Learned |
12.10.7 | PCI DSS 12.10.7: Respond to Unexpected PAN Discovery |
12.2.1 | PCI DSS 12.2.1: Acceptable Use Policies for End-User Technologies |
12.3.1 | PCI DSS 12.3.1: Risk Analysis for Flexible Requirements |
12.3.2 | PCI DSS 12.3.2: Risk Analysis for Customized Approaches |
12.3.3 | PCI DSS 12.3.3: Annual Cryptographic Cipher Suite Review |
12.3.4 | PCI DSS 12.3.4: Annual Hardware & Software Review |
12.4.1 | PCI DSS 12.4.1: Executive Responsibility for CHD Protection |
12.4.2 | PCI DSS 12.4.2: Quarterly Compliance Reviews for Service Providers |
12.4.2.1 | PCI DSS 12.4.2.1: Document Quarterly Reviews (Service Providers) |
12.5.1 | PCI DSS 12.5.1: Hardware & Software Inventory Management |
12.5.2 | PCI DSS 12.5.2: Annual Scope Confirmation Guide |
12.5.2.1 | PCI DSS 12.5.2.1: Semi-Annual Scope Confirmation for Service Providers |
12.5.3 | PCI DSS 12.5.3: Review Scope Impact of Organizational Changes |
12.6.1 | PCI DSS 12.6.1: Security Awareness Program Implementation |
12.6.2 | PCI DSS 12.6.2: Annual Security Awareness Program Review |
12.6.3 | PCI DSS 12.6.3: Security Awareness Training Requirements |
12.6.3.1 | PCI DSS 12.6.3.1: Threat Awareness Training | GRCWatch |
12.6.3.2 | PCI DSS 12.6.3.2: Acceptable Use in Security Training |
12.7.1 | PCI DSS 12.7.1: Background Checks for CDE Access |
12.8.1 | PCI DSS 12.8.1: Third-Party Service Provider List |
12.8.2 | PCI DSS 12.8.2: Third-Party Service Provider Agreements |
12.8.3 | PCI DSS 12.8.3: TPSP Due Diligence Requirements |
12.8.4 | PCI DSS 12.8.4: Annual TPSP Compliance Monitoring |
12.8.5 | PCI DSS 12.8.5: Document TPSP Responsibility Ownership |
12.9.1 | PCI DSS 12.9.1: TPSP Written Acknowledgment of CHD Responsibility |
12.9.2 | PCI DSS 12.9.2: TPSP Customer Compliance Monitoring |
2.1.1 | PCI DSS 2.1.1: Document Secure Configuration Policies |
2.1.2 | PCI DSS 2.1.2: Assign Secure Configuration Roles |
2.2.1 | PCI DSS 2.2.1: Configuration Standards | GRCWatch |
2.2.2 | PCI DSS 2.2.2: Manage Vendor Default Accounts |
2.2.3 | PCI DSS 2.2.3: Manage Multiple-Function System Components |
2.2.4 | PCI DSS 2.2.4: Disable Unnecessary Services & Protocols |
2.2.5 | PCI DSS 2.2.5: Document Insecure Services Business Justification |
2.2.6 | PCI DSS 2.2.6: Configure System Security Parameters |
2.2.7 | PCI DSS 2.2.7: Encrypt Non-Console Admin Access |
2.3.1 | PCI DSS 2.3.1: Change Wireless Vendor Defaults |
2.3.2 | PCI DSS 2.3.2: Wireless Encryption Key Management |
3.5.1.1 | PCI DSS 3.5.1.1: Keyed Cryptographic Hashes for PAN |
3.5.1.2 | PCI DSS 3.5.1.2: Disk-Level Encryption Management |
3.5.1.3 | PCI DSS 3.5.1.3: Disk Encryption for Removable Media |
3.6.1.1 | PCI DSS 3.6.1.1: Document Cryptographic Architecture |
3.6.1.2 | PCI DSS 3.6.1.2: Cryptographic Key Retirement & Replacement |
3.6.1.3 | PCI DSS 3.6.1.3: Split Knowledge for Cryptographic Keys |
3.7.7 | PCI DSS 3.7.7: Prevent Unauthorized Key Substitution |
3.7.8 | PCI DSS 3.7.8: Key Custodian Formal Acknowledgment |
3.7.9 | PCI DSS 3.7.9: Key-Sharing Guidance for Service Providers |
4.1.1 | PCI DSS 4.1.1: Document Transmission Protection Policies |
4.1.2 | PCI DSS 4.1.2: Assign Transmission Protection Roles |
4.2.1 | PCI DSS 4.2.1: Strong Cryptography for PAN Transmission |
4.2.1.1 | PCI DSS 4.2.1.1: Certificate Inventory Management |
4.2.1.2 | PCI DSS 4.2.1.2: Validate Transmission Certificates |
4.2.2 | PCI DSS 4.2.2: Secure PAN in End-User Messaging |
5.1.1 | PCI DSS 5.1.1: Document Anti-Malware Policies | GRCWatch |
5.1.2 | PCI DSS 5.1.2: Assign Anti-Malware Roles & Responsibilities |
5.2.1 | PCI DSS 5.2.1: Anti-Malware Deployment Guide |
5.2.2 | PCI DSS 5.2.2: Detect All Known Malware Types |
5.2.3 | PCI DSS 5.2.3: Evaluate Low-Risk System Components |
5.2.3.1 | PCI DSS 5.2.3.1: Define Evaluation Frequency in Risk Analysis |
5.3.1 | PCI DSS 5.3.1: Anti-Malware Automatic Updates |
5.3.2 | PCI DSS 5.3.2: Periodic & Real-Time Malware Scans |
5.3.2.1 | PCI DSS 5.3.2.1: Define Periodic Scan Frequency |
5.3.3 | PCI DSS 5.3.3: Removable Media Scan Requirements |
5.3.4 | PCI DSS 5.3.4: Anti-Malware Audit Logs | GRCWatch |
5.3.5 | PCI DSS 5.3.5: Prevent Users from Disabling Anti-Malware |
5.4.1 | PCI DSS 5.4.1: Anti-Phishing Controls for Payment Security |
6.1.1 | PCI DSS 6.1.1: Document Secure Development Policies |
6.1.2 | PCI DSS 6.1.2: Assign Secure Development Roles |
6.2.1 | PCI DSS 6.2.1: Secure Software Development Standards |
6.2.2 | PCI DSS 6.2.2: Developer Secure Coding Training |
6.2.3 | PCI DSS 6.2.3: Code Review Before Production |
6.2.3.1 | PCI DSS 6.2.3.1: Independent Code Review Requirements |
6.2.4 | PCI DSS 6.2.4: Prevent Common Software Attack Vulnerabilities |
6.3.1 | PCI DSS 6.3.1: Identify & Manage Security Vulnerabilities |
6.3.2 | PCI DSS 6.3.2: Bespoke Software Inventory Management |
6.3.3 | PCI DSS 6.3.3: Security Patch Management |
6.4.1 | PCI DSS 6.4.1: Address Web Application Threats Continuously |
6.4.2 | PCI DSS 6.4.2: Automated Web Application Defense |
6.4.3 | PCI DSS 6.4.3: Manage Payment Page Scripts |
6.5.1 | PCI DSS 6.5.1: Production Change Management Procedures |
6.5.2 | PCI DSS 6.5.2: Software Change Control Management |
6.5.3 | PCI DSS 6.5.3: Separate Pre-Production from Production |
6.5.4 | PCI DSS 6.5.4: Separate Roles Production vs Pre-Production |
6.5.5 | PCI DSS 6.5.5: Prevent Live PANs in Pre-Production |
6.5.6 | PCI DSS 6.5.6: Remove Test Data Before Production |
7.1.1 | PCI DSS 7.1.1: Document Access Control Policies |
7.1.2 | PCI DSS 7.1.2: Assign Access Control Roles |
7.1.3 | PCI DSS 7.1.3: Define Your Access Control Model |
7.1.4 | PCI DSS 7.1.4: Access Control System Implementation |
7.1.5 | PCI DSS 7.1.5: Semi-Annual User Account & Privilege Review |
7.2.1 | PCI DSS 7.2.1: Default Deny All Access Control |
7.2.2 | PCI DSS 7.2.2: Role-Based Access Control | GRCWatch |
7.2.3 | PCI DSS 7.2.3: Privilege Approval Requirements |
7.2.4 | PCI DSS 7.2.4: Semi-Annual User Access Reviews |
7.2.5 | PCI DSS 7.2.5: Least Privilege for System Accounts |
7.2.5.1 | PCI DSS 7.2.5.1: System Account Access Review |
7.2.6 | PCI DSS 7.2.6: Restrict CHD Repository Query Access |
7.3.1 | PCI DSS 7.3.1: Role-Based Access Control System |
7.3.2 | PCI DSS 7.3.2: Job-Based Access Control |
7.3.3 | PCI DSS 7.3.3: Deny by Default Access Control |
8.1.1 | PCI DSS 8.1.1: Document Identity & Authentication Policies |
8.1.2 | PCI DSS 8.1.2: Assign Authentication Management Roles |
8.1.3 | PCI DSS 8.1.3: Manage User IDs Across Account Lifecycle |
8.2.1 | PCI DSS 8.2.1: Assign Unique User IDs | GRCWatch |
8.2.2 | PCI DSS 8.2.2: Restrict Shared Accounts to Exceptions |
8.2.3 | PCI DSS 8.2.3: Unique Credentials for Service Providers |
8.2.4 | PCI DSS 8.2.4: Authorize Account Additions and Deletions |
8.2.5 | PCI DSS 8.2.5: Immediate User Access Revocation |
8.2.6 | PCI DSS 8.2.6: Remove Inactive Accounts in 90 Days |
8.2.7 | PCI DSS 8.2.7: Third-Party Remote Access Account Management |
8.2.8 | PCI DSS 8.2.8: Re-Authentication After 15 Minutes Idle |
8.3.1 | PCI DSS 8.3.1: Multi-Factor User Authentication |
8.3.10 | PCI DSS 8.3.10: Service Provider Password Guidance |
8.3.10.1 | PCI DSS 8.3.10.1: Customer Password Change Guidance |
8.3.11 | PCI DSS 8.3.11: Individual Token Assignment | GRCWatch |
8.3.2 | PCI DSS 8.3.2: Encrypt Authentication Credentials | GRCWatch |
8.3.3 | PCI DSS 8.3.3: Verify User Identity Before Authentication Changes |
8.3.4 | PCI DSS 8.3.4: Account Lockout After Failed Login Attempts |
8.3.5 | PCI DSS 8.3.5: Password Complexity Requirements |
8.3.6 | PCI DSS 8.3.6: Enforce Minimum Password Length |
8.3.7 | PCI DSS 8.3.7: Prevent Password Reuse | GRCWatch |
8.3.8 | PCI DSS 8.3.8: Communicate Authentication Policies to Users |
8.3.9 | PCI DSS 8.3.9: Non-Consumer Password Change Requirements |
8.4.1 | PCI DSS 8.4.1: MFA for CDE Administrative Access |
8.4.2 | PCI DSS 8.4.2: MFA for Non-Console CDE Access |
8.4.3 | PCI DSS 8.4.3: MFA for Remote Network Access |
8.5.1 | PCI DSS 8.5.1: Replay-Resistant MFA Implementation |
8.6.1 | PCI DSS 8.6.1: Manage Interactive Login for System Accounts |
8.6.2 | PCI DSS 8.6.2: Prohibit Hardcoded Passwords |
8.6.3 | PCI DSS 8.6.3: Protect System Account Passwords |
9.1.1 | PCI DSS 9.1.1: Document Physical Security Policies |
9.1.2 | PCI DSS 9.1.2: Assign Physical Security Roles |
9.1.3 | PCI DSS 9.1.3: Physical Security Controls for CDE Areas |
9.2.1 | PCI DSS 9.2.1: Physical Entry Controls for CDE |
9.2.1.1 | PCI DSS 9.2.1.1: Monitor Physical Access to Sensitive Areas |
9.2.2 | PCI DSS 9.2.2: Restrict Public Network Jack Access |
9.2.3 | PCI DSS 9.2.3: Restrict Wireless Access Point Physical Access |
9.2.4 | PCI DSS 9.2.4: Console Locking Requirements |
9.3.1 | PCI DSS 9.3.1: Physical Access Authorization & Management |
9.3.1.1 | PCI DSS 9.3.1.1: Control CDE Access for Personnel |
9.3.2 | PCI DSS 9.3.2: Visitor Authorization & Escort Procedures |
9.3.3 | PCI DSS 9.3.3: Visitor Badge Surrender & Deactivation |
9.3.4 | PCI DSS 9.3.4: Maintain Visitor Log Requirements |
9.4.1 | PCI DSS 9.4.1: Physically Secure Cardholder Data Media |
9.4.1.1 | PCI DSS 9.4.1.1: Secure Offline Media Backups |
9.4.1.2 | PCI DSS 9.4.1.2: Annual Backup Security Reviews |
9.4.2 | PCI DSS 9.4.2: Classify Cardholder Data Media |
9.4.3 | PCI DSS 9.4.3: Secure Media Outside Facility |
9.4.4 | PCI DSS 9.4.4: Media Transport Approval | GRCWatch |
9.4.5 | PCI DSS 9.4.5: Electronic Media Inventory Logs |
9.4.5.1 | PCI DSS 9.4.5.1: Annual Media Inventory Requirements |
9.4.6 | PCI DSS 9.4.6: Hard-Copy CHD Media Destruction |
9.4.7 | PCI DSS 9.4.7: Destroy Electronic CHD Media Securely |
9.5.1 | PCI DSS 9.5.1: POI Device Tampering Protection |
9.5.1.1 | PCI DSS 9.5.1.1: Maintain POI Device Inventory |
9.5.1.2 | PCI DSS 9.5.1.2: POI Device Tampering Inspection |
9.5.1.2.1 | PCI DSS 9.5.1.2.1: POI Device Inspection Frequency |
9.5.1.3 | PCI DSS 9.5.1.3: POI Device Tampering Awareness Training |