Definition of Payment Card Industry - Data Security Standard (PCI-DSS) for ocp4

1.1.1: All security policies and operational procedures that are identified in Requirement 1 are Documented, Kept up to date, In use and Known to all affected parties.

Description: None

• base

Automated: no

No rules selected

1.1.2: Roles and responsibilities for performing activities in Requirement 1 are documented, assigned, and understood.

Description: None

• base

Automated: no

No rules selected

1.1: Processes and mechanisms for installing and maintaining network security controls are defined and understood.

Description: None

• base

Automated: no

No rules selected

1.2.1: Configuration standards for NSC rulesets are Defined, Implemented and Maintained.

Description: None

• base

Automated: no

No rules selected

1.2.2: All changes to network connections and to configurations of NSCs are approved and managed in accordance with the change control process defined at Requirement 6.5.1.

Description: None

• base

Automated: no

No rules selected

1.2.3: An accurate network diagram(s) is maintained that shows all connections between the CDE and other networks, including any wireless networks.

Description: None

• base

Automated: no

No rules selected

1.2.4: An accurate data-flow diagram(s) is maintained

Description: An accurate data-flow diagram(s) is maintained that meets the following: - Shows all account data flows across systems and networks - Updated as needed upon changes to the environment

• base

Automated: no

No rules selected

1.2.5: All services, protocols, and ports allowed are identified, approved, and have a defined business need.

Description: None

• base

Automated: no

No rules selected

1.2.6: Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.

Description: None

• base

Automated: no

• configure_network_policies_hypershift_hosted: Ensure that HyperShift Hosted Namespaces have Network Policies defined.
• configure_network_policies_namespaces: Ensure that application Namespaces have Network Policies defined.

1.2.7: Configurations of NSCs are reviewed at least once every six months to confirm they are relevant and effective.

Description: NSC configurations that allow or restrict access to trusted networks are verified periodically to ensure that only authorized connections with a current business justification are permitted.

• base

Automated: no

No rules selected

1.2.8: Configuration files for NSCs are secured from unauthorized access and kept consistent with active network configurations.

Description: None

• base

Automated: no

No rules selected

1.2: Network Security Controls (NSCs) are configured and maintained.

Description: None

• base

Automated: no

• configure_network_policies_hypershift_hosted: Ensure that HyperShift Hosted Namespaces have Network Policies defined.
• configure_network_policies_namespaces: Ensure that application Namespaces have Network Policies defined.

1.3.1: Inbound traffic to the CDE is restricted to only traffic that is necessary

Description: Inbound traffic to the CDE is restricted as follows: - To only traffic that is necessary. - All other traffic is specifically denied.

• base

Automated: no

• configure_network_policies_hypershift_hosted: Ensure that HyperShift Hosted Namespaces have Network Policies defined.
• configure_network_policies_namespaces: Ensure that application Namespaces have Network Policies defined.

1.3.2: Outbound traffic from the CDE is restricted to only traffic that is necessary

Description: Outbound traffic from the CDE is restricted as follows: - To only traffic that is necessary. - All other traffic is specifically denied.

• base

Automated: no

No rules selected

1.3.3: NSCs are installed between all wireless networks and the CDE, regardless of whether the wireless network is a CDE.

Description: NSCs are installed between all wireless networks and the CDE, regardless of whether the wireless network is a CDE, such that: - All wireless traffic from wireless networks into the CDE is denied by default. - Only wireless traffic with an authorized business purpose is allowed into the CDE.

• base

Automated: no

No rules selected

1.3: Network access to and from the cardholder data environment is restricted.

Description: None

• base

Automated: no

• configure_network_policies_hypershift_hosted: Ensure that HyperShift Hosted Namespaces have Network Policies defined.
• configure_network_policies_namespaces: Ensure that application Namespaces have Network Policies defined.

1.4.1: NSCs are implemented between trusted and untrusted networks.

Description: Unauthorized traffic cannot traverse network boundaries between trusted and untrusted networks.

• base

Automated: yes

• configure_network_policies: Ensure that the CNI in use supports Network Policies
• configure_network_policies_hypershift_hosted: Ensure that HyperShift Hosted Namespaces have Network Policies defined.
• configure_network_policies_namespaces: Ensure that application Namespaces have Network Policies defined.

1.4.2: Inbound traffic from untrusted networks to trusted networks is restricted.

Description: Inbound traffic from untrusted networks to trusted networks is restricted to: - Communications with system components that are authorized to provide publicly accessible services, protocols, and ports. - Stateful responses to communications initiated by system components in a trusted network. - All other traffic is denied.

• base

Automated: no

No rules selected

1.4.3: Anti-spoofing measures are implemented to detect and block forged source IP addresses from entering the trusted network.

Description: None

• base

Automated: no

No rules selected

1.4.4: System components that store cardholder data are not directly accessible from untrusted networks.

Description: None

• base

Automated: no

No rules selected

1.4.5: The disclosure of internal IP addresses and routing information is limited to only authorized parties.

Description: Internal network information is protected from unauthorized disclosure.

• base

Automated: no

No rules selected

1.4: Network connections between trusted and untrusted networks are controlled.

Description: None

• base

Automated: no

• configure_network_policies: Ensure that the CNI in use supports Network Policies
• configure_network_policies_hypershift_hosted: Ensure that HyperShift Hosted Namespaces have Network Policies defined.
• configure_network_policies_namespaces: Ensure that application Namespaces have Network Policies defined.

1.5.1: Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks (including the Internet) and the CDE

Description: Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks (including the Internet) and the CDE as follows: - Specific configuration settings are defined to prevent threats being introduced into the entity's network. - Security controls are actively running. - Security controls are not alterable by users of the computing devices unless specifically documented and authorized by management on a case-by-case basis for a limited period.

• base

Automated: no

No rules selected

1.5: Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated.

Description: None

• base

Automated: no

No rules selected

2.1.1: All security policies and operational procedures that are identified in Requirement 2 are Documented, Kept up to date, In use and Known to all affected parties.

Description: None

• base

Automated: no

No rules selected

2.1.2: Roles and responsibilities for performing activities in Requirement 2 are documented, assigned, and understood.

Description: Day-to-day responsibilities for performing all the activities in Requirement 2 are allocated. Personnel are accountable for successful, continuous operation of these requirements.

• base

Automated: no

No rules selected

2.1: Processes and mechanisms for applying secure configurations to all system components are defined and understood.

Description: None

• base

Automated: no

No rules selected

2.2.1: Configuration standards are developed, implemented, and maintained

Description: Configuration standards are developed, implemented, and maintained to: - Cover all system components. - Address all known security vulnerabilities. - Be consistent with industry-accepted system hardening standards or vendor hardening recommendations. - Be updated as new vulnerability issues are identified, as defined in Requirement 6.3.1. - Be applied when new systems are configured and verified as in place before or immediately after a system component is connected to a production environment.

• base

Automated: no

• accounts_restrict_service_account_tokens: Restrict Automounting of Service Account Tokens
• accounts_unique_service_account: Ensure Usage of Unique Service Accounts
• api_server_admission_control_plugin_alwaysadmit: Disable the AlwaysAdmit Admission Control Plugin
• api_server_admission_control_plugin_alwayspullimages: Ensure that the Admission Control Plugin AlwaysPullImages is not set
• api_server_admission_control_plugin_namespacelifecycle: Enable the NamespaceLifecycle Admission Control Plugin
• api_server_admission_control_plugin_noderestriction: Enable the NodeRestriction Admission Control Plugin
• api_server_admission_control_plugin_scc: Enable the SecurityContextConstraint Admission Control Plugin
• api_server_admission_control_plugin_service_account: Enable the ServiceAccount Admission Control Plugin
• api_server_anonymous_auth: Ensure that anonymous requests to the API Server are authorized
• api_server_audit_log_maxbackup: Configure the Kubernetes API Server Maximum Retained Audit Logs
• api_server_audit_log_maxsize: Configure Kubernetes API Server Maximum Audit Log Size
• api_server_audit_log_path: Configure the Audit Log Path
• api_server_auth_mode_no_aa: The authorization-mode cannot be AlwaysAllow
• api_server_auth_mode_rbac: Ensure authorization-mode RBAC is configured
• api_server_basic_auth: Disable basic-auth-file for the API Server
• api_server_bind_address: Ensure that the bindAddress is set to a relevant secure port
• api_server_client_ca: Configure the Client Certificate Authority for the API Server
• api_server_encryption_provider_cipher: Configure the Encryption Provider Cipher
• api_server_etcd_ca: Configure the etcd Certificate Authority for the API Server
• api_server_etcd_cert: Configure the etcd Certificate for the API Server
• api_server_etcd_key: Configure the etcd Certificate Key for the API Server
• api_server_https_for_kubelet_conn: Ensure that the --kubelet-https argument is set to true
• api_server_insecure_bind_address: Disable Use of the Insecure Bind Address
• api_server_kubelet_certificate_authority: Configure the kubelet Certificate Authority for the API Server
• api_server_kubelet_client_cert: Configure the kubelet Certificate File for the API Server
• api_server_kubelet_client_cert_pre_4_9: Configure the kubelet Certificate File for the API Server
• api_server_kubelet_client_key: Configure the kubelet Certificate Key for the API Server
• api_server_kubelet_client_key_pre_4_9: Configure the kubelet Certificate Key for the API Server
• api_server_oauth_https_serving_cert: Ensure the openshift-oauth-apiserver service uses TLS
• api_server_openshift_https_serving_cert: Ensure the openshift-oauth-apiserver service uses TLS
• api_server_profiling_protected_by_rbac: Profiling is protected by RBAC
• api_server_request_timeout: Configure the API Server Minimum Request Timeout
• api_server_service_account_lookup: Ensure that the service-account-lookup argument is set to true
• api_server_service_account_public_key: Configure the Service Account Public Key for the API Server
• api_server_tls_cert: Configure the Certificate for the API Server
• api_server_tls_cipher_suites: Use Strong Cryptographic Ciphers on the API Server
• api_server_tls_private_key: Configure the Certificate Key for the API Server
• api_server_token_auth: Disable Token-based Authentication
• audit_log_forwarding_enabled: Ensure that Audit Log Forwarding Is Enabled
• audit_log_forwarding_webhook: Ensure that Audit Log Webhook Is Configured
• audit_logging_enabled: Ensure that API server audit logging is enabled
• audit_profile_set: Ensure that the cluster's audit profile is properly set
• configure_network_policies: Ensure that the CNI in use supports Network Policies
• configure_network_policies_hypershift_hosted: Ensure that HyperShift Hosted Namespaces have Network Policies defined.
• configure_network_policies_namespaces: Ensure that application Namespaces have Network Policies defined.
• controller_insecure_port_disabled: Ensure Controller insecure port argument is unset
• controller_secure_port: Ensure Controller secure-port argument is set
• controller_service_account_ca: Configure the Service Account Certificate Authority Key for the Controller Manager
• controller_service_account_private_key: Configure the Service Account Private Key for the Controller Manager
• controller_use_service_account: Ensure that use-service-account-credentials is enabled
• etcd_auto_tls: Disable etcd Self-Signed Certificates
• etcd_cert_file: Ensure That The etcd Client Certificate Is Correctly Set
• etcd_client_cert_auth: Enable The Client Certificate Authentication
• etcd_key_file: Ensure That The etcd Key File Is Correctly Set
• etcd_peer_auto_tls: Disable etcd Peer Self-Signed Certificates
• etcd_peer_cert_file: Ensure That The etcd Peer Client Certificate Is Correctly Set
• etcd_peer_client_cert_auth: Enable The Peer Client Certificate Authentication
• etcd_peer_key_file: Ensure That The etcd Peer Key File Is Correctly Set
• etcd_unique_ca: Configure A Unique CA Certificate for etcd
• file_groupowner_cni_conf: Verify Group Who Owns The OpenShift Container Network Interface Files
• file_groupowner_controller_manager_kubeconfig: Verify Group Who Owns The OpenShift Controller Manager Kubeconfig File
• file_groupowner_etcd_data_dir: Verify Group Who Owns The Etcd Database Directory
• file_groupowner_etcd_data_files: Verify Group Who Owns The Etcd Write-Ahead-Log Files
• file_groupowner_etcd_member: Verify Group Who Owns The etcd Member Pod Specification File
• file_groupowner_etcd_pki_cert_files: Verify Group Who Owns The Etcd PKI Certificate Files
• file_groupowner_ip_allocations: Verify Group Who Owns The OpenShift SDN Container Network Interface Plugin IP Address Allocations
• file_groupowner_kube_apiserver: Verify Group Who Owns The Kubernetes API Server Pod Specification File
• file_groupowner_kube_controller_manager: Verify Group Who Owns The Kubernetes Controller Manager Pod Specification File
• file_groupowner_kube_scheduler: Verify Group Who Owns The Kubernetes Scheduler Pod Specification File
• file_groupowner_kubelet_conf: Verify Group Who Owns The Kubelet Configuration File
• file_groupowner_master_admin_kubeconfigs: Verify Group Who Owns The OpenShift Admin Kubeconfig Files
• file_groupowner_multus_conf: Verify Group Who Owns The OpenShift Multus Container Network Interface Plugin Files
• file_groupowner_openshift_pki_cert_files: Verify Group Who Owns The OpenShift PKI Certificate Files
• file_groupowner_openshift_pki_key_files: Verify Group Who Owns The OpenShift PKI Private Key Files
• file_groupowner_openshift_sdn_cniserver_config: Verify Group Who Owns The OpenShift SDN CNI Server Config
• file_groupowner_ovn_cni_server_sock: Verify Group Who Owns The OVNKubernetes Socket
• file_groupowner_ovn_db_files: Verify Group Who Owns The OVNKubernetes DB files
• file_groupowner_ovs_conf_db: Verify Group Who Owns The Open vSwitch Configuration Database
• file_groupowner_ovs_conf_db_lock: Verify Group Who Owns The Open vSwitch Configuration Database Lock
• file_groupowner_ovs_pid: Verify Group Who Owns The Open vSwitch Process ID File
• file_groupowner_ovs_sys_id_conf: Verify Group Who Owns The Open vSwitch Persistent System ID
• file_groupowner_ovs_vswitchd_pid: Verify Group Who Owns The Open vSwitch Daemon PID File
• file_groupowner_ovsdb_server_pid: Verify Group Who Owns The Open vSwitch Database Server PID
• file_groupowner_proxy_kubeconfig: Verify Group Who Owns The Worker Proxy Kubeconfig File
• file_groupowner_scheduler_kubeconfig: Verify Group Who Owns The Kubernetes Scheduler Kubeconfig File
• file_groupowner_worker_ca: Verify Group Who Owns the Worker Certificate Authority File
• file_groupowner_worker_kubeconfig: Verify Group Who Owns The Worker Kubeconfig File
• file_groupowner_worker_service: Verify Group Who Owns The OpenShift Node Service File
• file_owner_cni_conf: Verify User Who Owns The OpenShift Container Network Interface Files
• file_owner_controller_manager_kubeconfig: Verify User Who Owns The OpenShift Controller Manager Kubeconfig File
• file_owner_etcd_data_dir: Verify User Who Owns The Etcd Database Directory
• file_owner_etcd_data_files: Verify User Who Owns The Etcd Write-Ahead-Log Files
• file_owner_etcd_member: Verify User Who Owns The Etcd Member Pod Specification File
• file_owner_etcd_pki_cert_files: Verify User Who Owns The Etcd PKI Certificate Files
• file_owner_ip_allocations: Verify User Who Owns The OpenShift SDN Container Network Interface Plugin IP Address Allocations
• file_owner_kube_apiserver: Verify User Who Owns The Kubernetes API Server Pod Specification File
• file_owner_kube_controller_manager: Verify User Who Owns The Kubernetes Controller Manager Pod Specification File
• file_owner_kube_scheduler: Verify User Who Owns The Kubernetes Scheduler Pod Specification File
• file_owner_kubelet: Verify User Who Owns The Kubelet Configuration File
• file_owner_kubelet_conf: Verify User Who Owns The Kubelet Configuration File
• file_owner_master_admin_kubeconfigs: Verify User Who Owns The OpenShift Admin Kubeconfig Files
• file_owner_multus_conf: Verify User Who Owns The OpenShift Multus Container Network Interface Plugin Files
• file_owner_openshift_pki_cert_files: Verify User Who Owns The OpenShift PKI Certificate Files
• file_owner_openshift_pki_key_files: Verify User Who Owns The OpenShift PKI Private Key Files
• file_owner_openshift_sdn_cniserver_config: Verify User Who Owns The OpenShift SDN CNI Server Config
• file_owner_ovn_cni_server_sock: Verify User Who Owns The OVNKubernetes Socket
• file_owner_ovn_db_files: Verify Who Owns The OVNKubernetes DB files
• file_owner_ovs_conf_db: Verify User Who Owns The Open vSwitch Configuration Database
• file_owner_ovs_conf_db_lock: Verify User Who Owns The Open vSwitch Configuration Database Lock
• file_owner_ovs_pid: Verify User Who Owns The Open vSwitch Process ID File
• file_owner_ovs_sys_id_conf: Verify User Who Owns The Open vSwitch Persistent System ID
• file_owner_ovs_vswitchd_pid: Verify User Who Owns The Open vSwitch Daemon PID File
• file_owner_ovsdb_server_pid: Verify User Who Owns The Open vSwitch Database Server PID
• file_owner_proxy_kubeconfig: Verify User Who Owns The Worker Proxy Kubeconfig File
• file_owner_scheduler_kubeconfig: Verify User Who Owns The Kubernetes Scheduler Kubeconfig File
• file_owner_worker_ca: Verify User Who Owns the Worker Certificate Authority File
• file_owner_worker_kubeconfig: Verify User Who Owns The Worker Kubeconfig File
• file_owner_worker_service: Verify User Who Owns The OpenShift Node Service File
• file_permissions_cni_conf: Verify Permissions on the OpenShift Container Network Interface Files
• file_permissions_controller_manager_kubeconfig: Verify Permissions on the OpenShift Controller Manager Kubeconfig File
• file_permissions_etcd_data_dir: Verify Permissions on the Etcd Database Directory
• file_permissions_etcd_data_files: Verify Permissions on the Etcd Write-Ahead-Log Files
• file_permissions_etcd_member: Verify Permissions on the Etcd Member Pod Specification File
• file_permissions_etcd_pki_cert_files: Verify Permissions on the Etcd PKI Certificate Files
• file_permissions_ip_allocations: Verify Permissions on the OpenShift SDN Container Network Interface Plugin IP Address Allocations
• file_permissions_kube_apiserver: Verify Permissions on the Kubernetes API Server Pod Specification File
• file_permissions_kube_controller_manager: Verify Permissions on the Kubernetes Controller Manager Pod Specification File
• file_permissions_kubelet_conf: Verify Permissions on The Kubelet Configuration File
• file_permissions_master_admin_kubeconfigs: Verify Permissions on the OpenShift Admin Kubeconfig Files
• file_permissions_multus_conf: Verify Permissions on the OpenShift Multus Container Network Interface Plugin Files
• file_permissions_openshift_pki_cert_files: Verify Permissions on the OpenShift PKI Certificate Files
• file_permissions_openshift_pki_key_files: Verify Permissions on the OpenShift PKI Private Key Files
• file_permissions_ovn_cni_server_sock: Verify Permissions on the OVNKubernetes socket
• file_permissions_ovn_db_files: Verify Permissions on the OVNKubernetes DB files
• file_permissions_ovs_conf_db: Verify Permissions on the Open vSwitch Configuration Database
• file_permissions_ovs_conf_db_lock: Verify Permissions on the Open vSwitch Configuration Database Lock
• file_permissions_ovs_pid: Verify Permissions on the Open vSwitch Process ID File
• file_permissions_ovs_sys_id_conf: Verify Permissions on the Open vSwitch Persistent System ID
• file_permissions_ovs_vswitchd_pid: Verify Permissions on the Open vSwitch Daemon PID File
• file_permissions_ovsdb_server_pid: Verify Permissions on the Open vSwitch Database Server PID
• file_permissions_proxy_kubeconfig: Verify Permissions on the Worker Proxy Kubeconfig File
• file_permissions_scheduler: Verify Permissions on the Kubernetes Scheduler Pod Specification File
• file_permissions_scheduler_kubeconfig: Verify Permissions on the Kubernetes Scheduler Kubeconfig File
• file_permissions_worker_ca: Verify Permissions on the Worker Certificate Authority File
• file_permissions_worker_kubeconfig: Verify Permissions on the Worker Kubeconfig File
• file_permissions_worker_service: Verify Permissions on the OpenShift Node Service File
• file_perms_openshift_sdn_cniserver_config: Verify Permissions on the OpenShift SDN CNI Server Config
• general_apply_scc: Apply Security Context to Your Pods and Containers
• general_default_namespace_use: The default namespace should not be used
• general_default_seccomp_profile: Ensure Seccomp Profile Pod Definitions
• general_namespaces_in_use: Create administrative boundaries between resources using namespaces
• idp_is_configured: Configure An Identity Provider
• kubeadmin_removed: Ensure that the kubeadmin secret has been removed
• kubelet_anonymous_auth: Disable Anonymous Authentication to the Kubelet
• kubelet_authorization_mode: Ensure authorization is set to Webhook
• kubelet_configure_client_ca: kubelet - Configure the Client CA Certificate
• kubelet_configure_event_creation: Kubelet - Ensure Event Creation Is Configured
• kubelet_configure_tls_cert: Ensure That The kubelet Client Certificate Is Correctly Set
• kubelet_configure_tls_cipher_suites: Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers
• kubelet_configure_tls_cipher_suites_ingresscontroller: Ensure that the Ingress Controller only makes use of Strong Cryptographic Ciphers
• kubelet_configure_tls_key: Ensure That The kubelet Server Key Is Correctly Set
• kubelet_disable_readonly_port: kubelet - Disable the Read-Only Port
• kubelet_enable_cert_rotation: kubelet - Enable Certificate Rotation
• kubelet_enable_client_cert_rotation: kubelet - Enable Client Certificate Rotation
• kubelet_enable_iptables_util_chains: kubelet - Allow Automatic Firewall Configuration
• kubelet_enable_server_cert_rotation: kubelet - Enable Server Certificate Rotation
• kubelet_enable_streaming_connections: kubelet - Do Not Disable Streaming Timeouts
• kubelet_eviction_thresholds_set_hard_imagefs_available: Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.available
• kubelet_eviction_thresholds_set_hard_memory_available: Ensure Eviction threshold Settings Are Set - evictionHard: memory.available
• kubelet_eviction_thresholds_set_hard_nodefs_available: Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.available
• kubelet_eviction_thresholds_set_hard_nodefs_inodesfree: Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.inodesFree
• ocp_allowed_registries: Allowed registries are configured
• ocp_allowed_registries_for_import: Allowed registries for import are configured
• ocp_api_server_audit_log_maxbackup: Configure the OpenShift API Server Maximum Retained Audit Logs
• ocp_api_server_audit_log_maxsize: Configure OpenShift API Server Maximum Audit Log Size
• ocp_insecure_allowed_registries_for_import: Check configured allowed registries for import uses secure protocol
• ocp_insecure_registries: Check if any insecure registry sources is configured
• openshift_api_server_audit_log_path: Configure the Audit Log Path
• rbac_debug_role_protects_pprof: Profiling is protected by RBAC
• rbac_least_privilege: Ensure that the RBAC setup follows the principle of least privilege
• rbac_limit_cluster_admin: Ensure that the cluster-admin role is only used where required
• rbac_limit_secrets_access: Limit Access to Kubernetes Secrets
• rbac_pod_creation_access: Minimize Access to Pod Creation
• rbac_wildcard_use: Minimize Wildcard Usage in Cluster and Local Roles
• scansettingbinding_exists: Ensure that Compliance Operator is scanning the cluster
• scc_drop_container_capabilities: Drop Container Capabilities
• scc_limit_container_allowed_capabilities: Limit Container Capabilities
• scc_limit_ipc_namespace: Limit Access to the Host IPC Namespace
• scc_limit_net_raw_capability: Limit Use of the CAP_NET_RAW
• scc_limit_network_namespace: Limit Access to the Host Network Namespace
• scc_limit_privilege_escalation: Limit Containers Ability to Escalate Privileges
• scc_limit_privileged_containers: Limit Privileged Container Use
• scc_limit_process_id_namespace: Limit Access to the Host Process ID Namespace
• scc_limit_root_containers: Limit Container Running As Root User
• scheduler_profiling_protected_by_rbac: Verify that the scheduler API service is protected by RBAC
• scheduler_service_protected_by_rbac: Verify that the scheduler API service is protected by RBAC
• secrets_consider_external_storage: Consider external secret storage
• secrets_no_environment_variables: Do Not Use Environment Variables with Secrets
• var_event_record_qps = 50

2.2.2: Vendor default accounts are managed

Description: Vendor default accounts are managed as follows: - If the vendor default account(s) will be used, the default password is changed per Requirement 8.3.6. - If the vendor default account(s) will not be used, the account is removed or disabled.

• base

Automated: yes

• kubeadmin_removed: Ensure that the kubeadmin secret has been removed

2.2.3: Primary functions requiring different security levels are managed

Description: Primary functions requiring different security levels are managed as follows: - Only one primary function exists on a system component OR - Primary functions with differing security levels that exist on the same system component are isolated from each other OR - Primary functions with differing security levels on the same system component are all secured to the level required by the function with the highest security need.

• base

Automated: no

No rules selected

2.2.4: Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled

Description: System components cannot be compromised by exploiting unnecessary functionality present in the system component.

• base

Automated: no

No rules selected

2.2.5: If any insecure services, protocols, or daemons are present, business justification is documented and the risk is reduced.

Description: If any insecure services, protocols, or daemons are present: - Business justification is documented. - Additional security features are documented and implemented that reduce the risk of using insecure services, protocols, or daemons.

• base

Automated: yes

• api_server_bind_address: Ensure that the bindAddress is set to a relevant secure port
• api_server_client_ca: Configure the Client Certificate Authority for the API Server
• api_server_etcd_ca: Configure the etcd Certificate Authority for the API Server
• api_server_etcd_cert: Configure the etcd Certificate for the API Server
• api_server_etcd_key: Configure the etcd Certificate Key for the API Server
• api_server_kubelet_certificate_authority: Configure the kubelet Certificate Authority for the API Server
• api_server_oauth_https_serving_cert: Ensure the openshift-oauth-apiserver service uses TLS
• api_server_openshift_https_serving_cert: Ensure the openshift-oauth-apiserver service uses TLS
• api_server_service_account_public_key: Configure the Service Account Public Key for the API Server
• api_server_tls_cert: Configure the Certificate for the API Server
• api_server_tls_cipher_suites: Use Strong Cryptographic Ciphers on the API Server
• api_server_tls_private_key: Configure the Certificate Key for the API Server
• controller_service_account_private_key: Configure the Service Account Private Key for the Controller Manager
• etcd_cert_file: Ensure That The etcd Client Certificate Is Correctly Set
• etcd_client_cert_auth: Enable The Client Certificate Authentication
• etcd_key_file: Ensure That The etcd Key File Is Correctly Set
• etcd_peer_cert_file: Ensure That The etcd Peer Client Certificate Is Correctly Set
• etcd_peer_client_cert_auth: Enable The Peer Client Certificate Authentication
• etcd_peer_key_file: Ensure That The etcd Peer Key File Is Correctly Set
• kubelet_configure_tls_cert: Ensure That The kubelet Client Certificate Is Correctly Set
• kubelet_configure_tls_key: Ensure That The kubelet Server Key Is Correctly Set

2.2.6: System security parameters are configured to prevent misuse.

Description: System components cannot be compromised because of incorrect security parameter configuration.

• base

Automated: yes

• scansettingbinding_exists: Ensure that Compliance Operator is scanning the cluster

2.2.7: All non-console administrative access is encrypted using strong cryptography.

Description: Cleartext administrative authorization factors cannot be read or intercepted from any network transmissions. This includes administrative access via browser-based interfaces and application programming interfaces (APIs).

• base

Automated: yes

• api_server_bind_address: Ensure that the bindAddress is set to a relevant secure port
• api_server_client_ca: Configure the Client Certificate Authority for the API Server
• api_server_etcd_ca: Configure the etcd Certificate Authority for the API Server
• api_server_etcd_cert: Configure the etcd Certificate for the API Server
• api_server_etcd_key: Configure the etcd Certificate Key for the API Server
• api_server_https_for_kubelet_conn: Ensure that the --kubelet-https argument is set to true
• api_server_kubelet_certificate_authority: Configure the kubelet Certificate Authority for the API Server
• api_server_oauth_https_serving_cert: Ensure the openshift-oauth-apiserver service uses TLS
• api_server_openshift_https_serving_cert: Ensure the openshift-oauth-apiserver service uses TLS
• api_server_service_account_public_key: Configure the Service Account Public Key for the API Server
• api_server_tls_cert: Configure the Certificate for the API Server
• api_server_tls_cipher_suites: Use Strong Cryptographic Ciphers on the API Server
• api_server_tls_private_key: Configure the Certificate Key for the API Server
• controller_service_account_private_key: Configure the Service Account Private Key for the Controller Manager
• etcd_cert_file: Ensure That The etcd Client Certificate Is Correctly Set
• etcd_client_cert_auth: Enable The Client Certificate Authentication
• etcd_key_file: Ensure That The etcd Key File Is Correctly Set
• etcd_peer_cert_file: Ensure That The etcd Peer Client Certificate Is Correctly Set
• etcd_peer_client_cert_auth: Enable The Peer Client Certificate Authentication
• etcd_peer_key_file: Ensure That The etcd Peer Key File Is Correctly Set
• kubelet_configure_tls_cert: Ensure That The kubelet Client Certificate Is Correctly Set
• kubelet_configure_tls_key: Ensure That The kubelet Server Key Is Correctly Set
• ocp_no_ldap_insecure: Only Use LDAP-based IdPs with TLS

2.2: System components are configured and managed securely

Description: None

• base

Automated: no

• accounts_restrict_service_account_tokens: Restrict Automounting of Service Account Tokens
• accounts_unique_service_account: Ensure Usage of Unique Service Accounts
• api_server_admission_control_plugin_alwaysadmit: Disable the AlwaysAdmit Admission Control Plugin
• api_server_admission_control_plugin_alwayspullimages: Ensure that the Admission Control Plugin AlwaysPullImages is not set
• api_server_admission_control_plugin_namespacelifecycle: Enable the NamespaceLifecycle Admission Control Plugin
• api_server_admission_control_plugin_noderestriction: Enable the NodeRestriction Admission Control Plugin
• api_server_admission_control_plugin_scc: Enable the SecurityContextConstraint Admission Control Plugin
• api_server_admission_control_plugin_service_account: Enable the ServiceAccount Admission Control Plugin
• api_server_anonymous_auth: Ensure that anonymous requests to the API Server are authorized
• api_server_audit_log_maxbackup: Configure the Kubernetes API Server Maximum Retained Audit Logs
• api_server_audit_log_maxsize: Configure Kubernetes API Server Maximum Audit Log Size
• api_server_audit_log_path: Configure the Audit Log Path
• api_server_auth_mode_no_aa: The authorization-mode cannot be AlwaysAllow
• api_server_auth_mode_rbac: Ensure authorization-mode RBAC is configured
• api_server_basic_auth: Disable basic-auth-file for the API Server
• api_server_bind_address: Ensure that the bindAddress is set to a relevant secure port
• api_server_client_ca: Configure the Client Certificate Authority for the API Server
• api_server_encryption_provider_cipher: Configure the Encryption Provider Cipher
• api_server_etcd_ca: Configure the etcd Certificate Authority for the API Server
• api_server_etcd_cert: Configure the etcd Certificate for the API Server
• api_server_etcd_key: Configure the etcd Certificate Key for the API Server
• api_server_https_for_kubelet_conn: Ensure that the --kubelet-https argument is set to true
• api_server_insecure_bind_address: Disable Use of the Insecure Bind Address
• api_server_kubelet_certificate_authority: Configure the kubelet Certificate Authority for the API Server
• api_server_kubelet_client_cert: Configure the kubelet Certificate File for the API Server
• api_server_kubelet_client_cert_pre_4_9: Configure the kubelet Certificate File for the API Server
• api_server_kubelet_client_key: Configure the kubelet Certificate Key for the API Server
• api_server_kubelet_client_key_pre_4_9: Configure the kubelet Certificate Key for the API Server
• api_server_oauth_https_serving_cert: Ensure the openshift-oauth-apiserver service uses TLS
• api_server_openshift_https_serving_cert: Ensure the openshift-oauth-apiserver service uses TLS
• api_server_profiling_protected_by_rbac: Profiling is protected by RBAC
• api_server_request_timeout: Configure the API Server Minimum Request Timeout
• api_server_service_account_lookup: Ensure that the service-account-lookup argument is set to true
• api_server_service_account_public_key: Configure the Service Account Public Key for the API Server
• api_server_tls_cert: Configure the Certificate for the API Server
• api_server_tls_cipher_suites: Use Strong Cryptographic Ciphers on the API Server
• api_server_tls_private_key: Configure the Certificate Key for the API Server
• api_server_token_auth: Disable Token-based Authentication
• audit_log_forwarding_enabled: Ensure that Audit Log Forwarding Is Enabled
• audit_log_forwarding_webhook: Ensure that Audit Log Webhook Is Configured
• audit_logging_enabled: Ensure that API server audit logging is enabled
• audit_profile_set: Ensure that the cluster's audit profile is properly set
• configure_network_policies: Ensure that the CNI in use supports Network Policies
• configure_network_policies_hypershift_hosted: Ensure that HyperShift Hosted Namespaces have Network Policies defined.
• configure_network_policies_namespaces: Ensure that application Namespaces have Network Policies defined.
• controller_insecure_port_disabled: Ensure Controller insecure port argument is unset
• controller_secure_port: Ensure Controller secure-port argument is set
• controller_service_account_ca: Configure the Service Account Certificate Authority Key for the Controller Manager
• controller_service_account_private_key: Configure the Service Account Private Key for the Controller Manager
• controller_use_service_account: Ensure that use-service-account-credentials is enabled
• etcd_auto_tls: Disable etcd Self-Signed Certificates
• etcd_cert_file: Ensure That The etcd Client Certificate Is Correctly Set
• etcd_client_cert_auth: Enable The Client Certificate Authentication
• etcd_key_file: Ensure That The etcd Key File Is Correctly Set
• etcd_peer_auto_tls: Disable etcd Peer Self-Signed Certificates
• etcd_peer_cert_file: Ensure That The etcd Peer Client Certificate Is Correctly Set
• etcd_peer_client_cert_auth: Enable The Peer Client Certificate Authentication
• etcd_peer_key_file: Ensure That The etcd Peer Key File Is Correctly Set
• etcd_unique_ca: Configure A Unique CA Certificate for etcd
• file_groupowner_cni_conf: Verify Group Who Owns The OpenShift Container Network Interface Files
• file_groupowner_controller_manager_kubeconfig: Verify Group Who Owns The OpenShift Controller Manager Kubeconfig File
• file_groupowner_etcd_data_dir: Verify Group Who Owns The Etcd Database Directory
• file_groupowner_etcd_data_files: Verify Group Who Owns The Etcd Write-Ahead-Log Files
• file_groupowner_etcd_member: Verify Group Who Owns The etcd Member Pod Specification File
• file_groupowner_etcd_pki_cert_files: Verify Group Who Owns The Etcd PKI Certificate Files
• file_groupowner_ip_allocations: Verify Group Who Owns The OpenShift SDN Container Network Interface Plugin IP Address Allocations
• file_groupowner_kube_apiserver: Verify Group Who Owns The Kubernetes API Server Pod Specification File
• file_groupowner_kube_controller_manager: Verify Group Who Owns The Kubernetes Controller Manager Pod Specification File
• file_groupowner_kube_scheduler: Verify Group Who Owns The Kubernetes Scheduler Pod Specification File
• file_groupowner_kubelet_conf: Verify Group Who Owns The Kubelet Configuration File
• file_groupowner_master_admin_kubeconfigs: Verify Group Who Owns The OpenShift Admin Kubeconfig Files
• file_groupowner_multus_conf: Verify Group Who Owns The OpenShift Multus Container Network Interface Plugin Files
• file_groupowner_openshift_pki_cert_files: Verify Group Who Owns The OpenShift PKI Certificate Files
• file_groupowner_openshift_pki_key_files: Verify Group Who Owns The OpenShift PKI Private Key Files
• file_groupowner_openshift_sdn_cniserver_config: Verify Group Who Owns The OpenShift SDN CNI Server Config
• file_groupowner_ovn_cni_server_sock: Verify Group Who Owns The OVNKubernetes Socket
• file_groupowner_ovn_db_files: Verify Group Who Owns The OVNKubernetes DB files
• file_groupowner_ovs_conf_db: Verify Group Who Owns The Open vSwitch Configuration Database
• file_groupowner_ovs_conf_db_lock: Verify Group Who Owns The Open vSwitch Configuration Database Lock
• file_groupowner_ovs_pid: Verify Group Who Owns The Open vSwitch Process ID File
• file_groupowner_ovs_sys_id_conf: Verify Group Who Owns The Open vSwitch Persistent System ID
• file_groupowner_ovs_vswitchd_pid: Verify Group Who Owns The Open vSwitch Daemon PID File
• file_groupowner_ovsdb_server_pid: Verify Group Who Owns The Open vSwitch Database Server PID
• file_groupowner_proxy_kubeconfig: Verify Group Who Owns The Worker Proxy Kubeconfig File
• file_groupowner_scheduler_kubeconfig: Verify Group Who Owns The Kubernetes Scheduler Kubeconfig File
• file_groupowner_worker_ca: Verify Group Who Owns the Worker Certificate Authority File
• file_groupowner_worker_kubeconfig: Verify Group Who Owns The Worker Kubeconfig File
• file_groupowner_worker_service: Verify Group Who Owns The OpenShift Node Service File
• file_owner_cni_conf: Verify User Who Owns The OpenShift Container Network Interface Files
• file_owner_controller_manager_kubeconfig: Verify User Who Owns The OpenShift Controller Manager Kubeconfig File
• file_owner_etcd_data_dir: Verify User Who Owns The Etcd Database Directory
• file_owner_etcd_data_files: Verify User Who Owns The Etcd Write-Ahead-Log Files
• file_owner_etcd_member: Verify User Who Owns The Etcd Member Pod Specification File
• file_owner_etcd_pki_cert_files: Verify User Who Owns The Etcd PKI Certificate Files
• file_owner_ip_allocations: Verify User Who Owns The OpenShift SDN Container Network Interface Plugin IP Address Allocations
• file_owner_kube_apiserver: Verify User Who Owns The Kubernetes API Server Pod Specification File
• file_owner_kube_controller_manager: Verify User Who Owns The Kubernetes Controller Manager Pod Specification File
• file_owner_kube_scheduler: Verify User Who Owns The Kubernetes Scheduler Pod Specification File
• file_owner_kubelet: Verify User Who Owns The Kubelet Configuration File
• file_owner_kubelet_conf: Verify User Who Owns The Kubelet Configuration File
• file_owner_master_admin_kubeconfigs: Verify User Who Owns The OpenShift Admin Kubeconfig Files
• file_owner_multus_conf: Verify User Who Owns The OpenShift Multus Container Network Interface Plugin Files
• file_owner_openshift_pki_cert_files: Verify User Who Owns The OpenShift PKI Certificate Files
• file_owner_openshift_pki_key_files: Verify User Who Owns The OpenShift PKI Private Key Files
• file_owner_openshift_sdn_cniserver_config: Verify User Who Owns The OpenShift SDN CNI Server Config
• file_owner_ovn_cni_server_sock: Verify User Who Owns The OVNKubernetes Socket
• file_owner_ovn_db_files: Verify Who Owns The OVNKubernetes DB files
• file_owner_ovs_conf_db: Verify User Who Owns The Open vSwitch Configuration Database
• file_owner_ovs_conf_db_lock: Verify User Who Owns The Open vSwitch Configuration Database Lock
• file_owner_ovs_pid: Verify User Who Owns The Open vSwitch Process ID File
• file_owner_ovs_sys_id_conf: Verify User Who Owns The Open vSwitch Persistent System ID
• file_owner_ovs_vswitchd_pid: Verify User Who Owns The Open vSwitch Daemon PID File
• file_owner_ovsdb_server_pid: Verify User Who Owns The Open vSwitch Database Server PID
• file_owner_proxy_kubeconfig: Verify User Who Owns The Worker Proxy Kubeconfig File
• file_owner_scheduler_kubeconfig: Verify User Who Owns The Kubernetes Scheduler Kubeconfig File
• file_owner_worker_ca: Verify User Who Owns the Worker Certificate Authority File
• file_owner_worker_kubeconfig: Verify User Who Owns The Worker Kubeconfig File
• file_owner_worker_service: Verify User Who Owns The OpenShift Node Service File
• file_permissions_cni_conf: Verify Permissions on the OpenShift Container Network Interface Files
• file_permissions_controller_manager_kubeconfig: Verify Permissions on the OpenShift Controller Manager Kubeconfig File
• file_permissions_etcd_data_dir: Verify Permissions on the Etcd Database Directory
• file_permissions_etcd_data_files: Verify Permissions on the Etcd Write-Ahead-Log Files
• file_permissions_etcd_member: Verify Permissions on the Etcd Member Pod Specification File
• file_permissions_etcd_pki_cert_files: Verify Permissions on the Etcd PKI Certificate Files
• file_permissions_ip_allocations: Verify Permissions on the OpenShift SDN Container Network Interface Plugin IP Address Allocations
• file_permissions_kube_apiserver: Verify Permissions on the Kubernetes API Server Pod Specification File
• file_permissions_kube_controller_manager: Verify Permissions on the Kubernetes Controller Manager Pod Specification File
• file_permissions_kubelet_conf: Verify Permissions on The Kubelet Configuration File
• file_permissions_master_admin_kubeconfigs: Verify Permissions on the OpenShift Admin Kubeconfig Files
• file_permissions_multus_conf: Verify Permissions on the OpenShift Multus Container Network Interface Plugin Files
• file_permissions_openshift_pki_cert_files: Verify Permissions on the OpenShift PKI Certificate Files
• file_permissions_openshift_pki_key_files: Verify Permissions on the OpenShift PKI Private Key Files
• file_permissions_ovn_cni_server_sock: Verify Permissions on the OVNKubernetes socket
• file_permissions_ovn_db_files: Verify Permissions on the OVNKubernetes DB files
• file_permissions_ovs_conf_db: Verify Permissions on the Open vSwitch Configuration Database
• file_permissions_ovs_conf_db_lock: Verify Permissions on the Open vSwitch Configuration Database Lock
• file_permissions_ovs_pid: Verify Permissions on the Open vSwitch Process ID File
• file_permissions_ovs_sys_id_conf: Verify Permissions on the Open vSwitch Persistent System ID
• file_permissions_ovs_vswitchd_pid: Verify Permissions on the Open vSwitch Daemon PID File
• file_permissions_ovsdb_server_pid: Verify Permissions on the Open vSwitch Database Server PID
• file_permissions_proxy_kubeconfig: Verify Permissions on the Worker Proxy Kubeconfig File
• file_permissions_scheduler: Verify Permissions on the Kubernetes Scheduler Pod Specification File
• file_permissions_scheduler_kubeconfig: Verify Permissions on the Kubernetes Scheduler Kubeconfig File
• file_permissions_worker_ca: Verify Permissions on the Worker Certificate Authority File
• file_permissions_worker_kubeconfig: Verify Permissions on the Worker Kubeconfig File
• file_permissions_worker_service: Verify Permissions on the OpenShift Node Service File
• file_perms_openshift_sdn_cniserver_config: Verify Permissions on the OpenShift SDN CNI Server Config
• general_apply_scc: Apply Security Context to Your Pods and Containers
• general_default_namespace_use: The default namespace should not be used
• general_default_seccomp_profile: Ensure Seccomp Profile Pod Definitions
• general_namespaces_in_use: Create administrative boundaries between resources using namespaces
• idp_is_configured: Configure An Identity Provider
• kubeadmin_removed: Ensure that the kubeadmin secret has been removed
• kubelet_anonymous_auth: Disable Anonymous Authentication to the Kubelet
• kubelet_authorization_mode: Ensure authorization is set to Webhook
• kubelet_configure_client_ca: kubelet - Configure the Client CA Certificate
• kubelet_configure_event_creation: Kubelet - Ensure Event Creation Is Configured
• kubelet_configure_tls_cert: Ensure That The kubelet Client Certificate Is Correctly Set
• kubelet_configure_tls_cipher_suites: Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers
• kubelet_configure_tls_cipher_suites_ingresscontroller: Ensure that the Ingress Controller only makes use of Strong Cryptographic Ciphers
• kubelet_configure_tls_key: Ensure That The kubelet Server Key Is Correctly Set
• kubelet_disable_readonly_port: kubelet - Disable the Read-Only Port
• kubelet_enable_cert_rotation: kubelet - Enable Certificate Rotation
• kubelet_enable_client_cert_rotation: kubelet - Enable Client Certificate Rotation
• kubelet_enable_iptables_util_chains: kubelet - Allow Automatic Firewall Configuration
• kubelet_enable_server_cert_rotation: kubelet - Enable Server Certificate Rotation
• kubelet_enable_streaming_connections: kubelet - Do Not Disable Streaming Timeouts
• kubelet_eviction_thresholds_set_hard_imagefs_available: Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.available
• kubelet_eviction_thresholds_set_hard_memory_available: Ensure Eviction threshold Settings Are Set - evictionHard: memory.available
• kubelet_eviction_thresholds_set_hard_nodefs_available: Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.available
• kubelet_eviction_thresholds_set_hard_nodefs_inodesfree: Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.inodesFree
• ocp_allowed_registries: Allowed registries are configured
• ocp_allowed_registries_for_import: Allowed registries for import are configured
• ocp_api_server_audit_log_maxbackup: Configure the OpenShift API Server Maximum Retained Audit Logs
• ocp_api_server_audit_log_maxsize: Configure OpenShift API Server Maximum Audit Log Size
• ocp_insecure_allowed_registries_for_import: Check configured allowed registries for import uses secure protocol
• ocp_insecure_registries: Check if any insecure registry sources is configured
• ocp_no_ldap_insecure: Only Use LDAP-based IdPs with TLS
• openshift_api_server_audit_log_path: Configure the Audit Log Path
• rbac_debug_role_protects_pprof: Profiling is protected by RBAC
• rbac_least_privilege: Ensure that the RBAC setup follows the principle of least privilege
• rbac_limit_cluster_admin: Ensure that the cluster-admin role is only used where required
• rbac_limit_secrets_access: Limit Access to Kubernetes Secrets
• rbac_pod_creation_access: Minimize Access to Pod Creation
• rbac_wildcard_use: Minimize Wildcard Usage in Cluster and Local Roles
• scansettingbinding_exists: Ensure that Compliance Operator is scanning the cluster
• scc_drop_container_capabilities: Drop Container Capabilities
• scc_limit_container_allowed_capabilities: Limit Container Capabilities
• scc_limit_ipc_namespace: Limit Access to the Host IPC Namespace
• scc_limit_net_raw_capability: Limit Use of the CAP_NET_RAW
• scc_limit_network_namespace: Limit Access to the Host Network Namespace
• scc_limit_privilege_escalation: Limit Containers Ability to Escalate Privileges
• scc_limit_privileged_containers: Limit Privileged Container Use
• scc_limit_process_id_namespace: Limit Access to the Host Process ID Namespace
• scc_limit_root_containers: Limit Container Running As Root User
• scheduler_profiling_protected_by_rbac: Verify that the scheduler API service is protected by RBAC
• scheduler_service_protected_by_rbac: Verify that the scheduler API service is protected by RBAC
• secrets_consider_external_storage: Consider external secret storage
• secrets_no_environment_variables: Do Not Use Environment Variables with Secrets
• var_event_record_qps = 50

2.3.1: For wireless environments connected to the CDE or transmitting account data, all wireless vendor defaults are changed at installation or are confirmed to be secure.

Description: For wireless environments connected to the CDE or transmitting account data, all wireless vendor defaults are changed at installation or are confirmed to be secure, including but not limited to: - Default wireless encryption keys. - Passwords on wireless access points. - SNMP defaults. - Any other security-related wireless vendor defaults.

• base

Automated: no

No rules selected

2.3.2: For wireless environments connected to the CDE or transmitting account data, wireless encryption keys are changed

Description: For wireless environments connected to the CDE or transmitting account data, wireless encryption keys are changed

• base

Automated: no

No rules selected

2.3: Wireless environments are configured and managed securely.

Description: None

• base

Automated: no

No rules selected

3.1.1: All security policies and operational procedures that are identified in Requirement 3 are Documented, Kept up to date, In use and Known to all affected parties.

Description: None

• base

Automated: no

No rules selected

3.1.2: Roles and responsibilities for performing activities in Requirement 3 are documented, assigned, and understood.

Description: None

• base

Automated: no

No rules selected

3.1: Processes and mechanisms for protecting stored account data are defined and understood.

Description: None

• base

Automated: no

No rules selected

3.2.1: Account data storage is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes.

Description: Account data storage is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes that include at least the following: - Coverage for all locations of stored account data. - Coverage for any sensitive authentication data (SAD) stored prior to completion of authorization. - Limiting data storage amount and retention time to that which is required for legal or regulatory, and/or business requirements. - Specific retention requirements for stored account data that defines length of retention period and includes a documented business justification. - Processes for secure deletion or rendering account data unrecoverable when no longer needed per the retention policy. - A process for verifying, at least once every three months, that stored account data exceeding the defined retention period has been securely deleted or rendered unrecoverable.

• base

Automated: no

No rules selected

3.2: Storage of account data is kept to a minimum.

Description: None

• base

Automated: no

No rules selected

3.3.1.1: The full contents of any track are not retained upon completion of the authorization process.

Description: This requirement is not eligible for the customized approach. In the normal course of business, the following data elements from the track may need to be retained: - Cardholder name. - Primary account number (PAN). - Expiration date. - Service code. To minimize risk, store securely only these data elements as needed for business.

• base

Automated: no

No rules selected

3.3.1.2: The card verification code is not retained upon completion of the authorization process.

Description: This requirement is not eligible for the customized approach. The card verification code is the three- or four-digit number printed on the front or back of a payment card used to verify card-not-present transactions.

• base

Automated: no

No rules selected

3.3.1.3: The personal identification number (PIN) and the PIN block are not retained upon completion of the authorization process.

Description: This requirement is not eligible for the customized approach. PIN blocks are encrypted during the natural course of transaction processes, but even if an entity encrypts the PIN block again, it is still not allowed to be stored after the completion of the authorization process.

• base

Automated: no

No rules selected

3.3.1: SAD is not retained after authorization, even if encrypted. All sensitive authentication data received is rendered unrecoverable upon completion of the authorization process.

Description: This requirement is not eligible for the customized approach. This requirement does not apply to issuers and companies that support issuing services (where SAD is needed for a legitimate issuing business need) and have a business justification to store the sensitive authentication data. Refer to Requirement 3.3.3 for additional requirements specifically for issuers. Sensitive authentication data includes the data cited in Requirements 3.3.1.1 through 3.3.1.3.

• base

Automated: no

No rules selected

3.3.2: SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography.

Description: This requirement is not eligible for the customized approach. Whether SAD is permitted to be stored prior to authorization is determined by the organizations that manage compliance programs (for example, payment brands and acquirers). Contact the organizations of interest for any additional criteria. This requirement applies to all storage of SAD, even if no PAN is present in the environment. Refer to Requirement 3.2.1 for an additional requirement that applies if SAD is stored prior to completion of authorization. This requirement does not apply to issuers and companies that support issuing services where there is a legitimate issuing business justification to store SAD. Refer to Requirement 3.3.3 for requirements specifically for issuers. This requirement does not replace how PIN blocks are required to be managed, nor does it mean that a properly encrypted PIN block needs to be encrypted again.

• base

Automated: no

No rules selected

3.3.3: Additional requirement for issuers and companies that support issuing services and store sensitive authentication data.

Description: Additional requirement for issuers and companies that support issuing services and store sensitive authentication data: Any storage of sensitive authentication data is: - Limited to that which is needed for a legitimate issuing business need and is secured. - Encrypted using strong cryptography. This bullet is a best practice until until 31 March 2025, after which it will be required as part of Requirement 3.3.3 and must be fully considered during a PCI DSS assessment.

• base

Automated: no

No rules selected

3.3: Sensitive authentication data (SAD) is not stored after authorization.

Description: None

• base

Automated: no

No rules selected

3.4.1: PAN is masked when displayed (the BIN and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see more than the BIN and last four digits of the PAN.

Description: PAN displays are restricted to the minimum number of digits necessary to meet a defined business need. This requirement does not supersede stricter requirements in place for displays of cardholder data — for example, legal or payment brand requirements for point-of-sale (POS) receipts. This requirement relates to protection of PAN where it is displayed on screens, paper receipts, printouts, etc., and is not to be confused with Requirement 3.5.1 for protection of PAN when stored, processed, or transmitted.

• base

Automated: no

No rules selected

3.4.2: When using remote-access technologies, technical controls prevent copy and/or relocation of PAN for all personnel, except for those with documented, explicit authorization and a legitimate, defined business need.

Description: PAN cannot be copied or relocated by unauthorized personnel using remote-access technologies. Storing or relocating PAN onto local hard drives, removable electronic media, and other storage devices brings these devices into scope for PCI DSS. This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.

• base

Automated: no

No rules selected

3.4: Access to displays of full PAN and ability to copy PAN is restricted.

Description: None

• base

Automated: no

No rules selected

3.5.1.1: Hashes used to render PAN unreadable (per the first bullet of Requirement 3.5.1) are keyed cryptographic hashes of the entire PAN, with associated key-management processes and procedures in accordance with Requirements 3.6 and 3.7.

Description: This requirement applies to PANs stored in primary storage (databases, or flat files such as text files spreadsheets) as well as non-primary storage (backup, audit logs, exception, or troubleshooting logs) must all be protected. This requirement does not preclude the use of temporary files containing cleartext PAN while encrypting and decrypting PAN. This requirement is considered a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.

• base

Automated: no

No rules selected

3.5.1.2: If disk-level or partition-level encryption (rather than file-, column-, or field-level database encryption) is used to render PAN unreadable, it is implemented only on removable electronic media or complemented by another mechanism that meets Requirement 3.5.1

Description: None

• base

Automated: no

No rules selected

3.5.1.3: If disk-level or partition-level encryption is used (rather than file-, column-, or field--level database encryption) to render PAN unreadable, it is managed.

Description: If disk-level or partition-level encryption is used (rather than file-, column-, or field--level database encryption) to render PAN unreadable, it is managed as follows: - Logical access is managed separately and independently of native operating system authentication and access control mechanisms. - Decryption keys are not associated with user accounts. - Authentication factors (passwords, passphrases, or cryptographic keys) that allow access to unencrypted data are stored securely.

• base

Automated: no

• api_server_encryption_provider_cipher: Configure the Encryption Provider Cipher
• machine_volume_encrypted: Ensure that full disk encryption is configured on cluster nodes
• storageclass_encryption_enabled: Ensure that EBS volumes declared in storageclasses are encrypted

3.5.1: PAN is rendered unreadable anywhere it is stored

Description: PAN is rendered unreadable anywhere it is stored by using any of the following approaches: - One-way hashes based on strong cryptography of the entire PAN. - Truncation (hashing cannot be used to replace the truncated segment of PAN). - If hashed and truncated versions of the same PAN, or different truncation formats of the same PAN, are present in an environment, additional controls are in place such that the different versions cannot be correlated to reconstruct the original PAN. - Indexes tokens. - Strong cryptography with associated key-management processes and procedures.

• base

Automated: no

• api_server_encryption_provider_cipher: Configure the Encryption Provider Cipher
• machine_volume_encrypted: Ensure that full disk encryption is configured on cluster nodes
• storageclass_encryption_enabled: Ensure that EBS volumes declared in storageclasses are encrypted

3.5: Primary account number (PAN) is secured wherever it is stored.

Description: None

• base

Automated: no

• api_server_encryption_provider_cipher: Configure the Encryption Provider Cipher
• machine_volume_encrypted: Ensure that full disk encryption is configured on cluster nodes
• storageclass_encryption_enabled: Ensure that EBS volumes declared in storageclasses are encrypted

3.6.1.1: Additional requirement for service providers only: A documented description of the cryptographic architecture is maintained

Description: Additional requirement for service providers only: A documented description of the cryptographic architecture is maintained that includes: - Details of all algorithms, protocols, and keys used for the protection of stored account data, including key strength and expiry date. - Preventing the use of the same cryptographic keys in production and test environments. This bullet is a best practice until 31 March 2025, after which it will be required as part of Requirement 3.6.1.1 and must be fully considered during a PCI DSS assessment. - Description of the key usage for each key. - Inventory of any hardware security modules (HSMs), key management systems (KMS), and other secure cryptographic devices (SCDs) used for key management, including type and location of devices, as outlined in Requirement 12.3.4.

• base

Automated: no

No rules selected

3.6.1.2: Secret and private keys used to encrypt/decrypt stored account data are stored in secure forms.

Description: Secret and private keys used to encrypt/decrypt stored account data are stored in one (or more) of the following forms at all times: - Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key. - Within a secure cryptographic device (SCD), such as a hardware security module (HSM) or PTS-approved point-of-interaction device. - As at least two full-length key components or key shares, in accordance with an industry-accepted method. Secret and private keys are stored in a secure form that prevents unauthorized retrieval or access. It is not required that public keys be stored in one of these forms. Cryptographic keys stored as part of a key management system (KMS) that employs SCDs are acceptable. A cryptographic key that is split into two parts does not meet this requirement. Secret or private keys stored as key components or key shares must be generated via one of the following

• base

Automated: no

No rules selected

3.6.1.3: Access to cleartext cryptographic key components is restricted to the fewest number of custodians necessary.

Description: Access to cleartext cryptographic key components is restricted to necessary personnel.

• base

Automated: no

No rules selected

3.6.1.4: Cryptographic keys are stored in the fewest possible locations.

Description: Cryptographic keys are retained only where necessary.

• base

Automated: no

No rules selected

3.6.1: Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure and misuse.

Description: Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure and misuse that include: - Access to keys is restricted to the fewest number of custodians necessary. - Key-encrypting keys are at least as strong as the data-encrypting keys they protect. - Key-encrypting keys are stored separately from data-encrypting keys. - Keys are stored securely in the fewest possible locations and forms.

• base

Automated: no

No rules selected

3.6: Cryptographic keys used to protect stored account data are secured.

Description: None

• base

Automated: no

No rules selected

3.7.1: Key-management policies and procedures are implemented to include generation of strong cryptographic keys used to protect stored account data.

Description: Strong cryptographic keys are generated.

• base

Automated: no

No rules selected

3.7.2: Key-management policies and procedures are implemented to include secure distribution of cryptographic keys used to protect stored account data.

Description: Cryptographic keys are secured during distribution.

• base

Automated: no

No rules selected

3.7.3: Key-management policies and procedures are implemented to include secure storage of cryptographic keys used to protect stored account data.

Description: Cryptographic keys are secured when stored.

• base

Automated: no

No rules selected

3.7.4: Key management policies and procedures are implemented for cryptographic key changes for keys that have reached the end of their cryptoperiod, as defined by the associated application vendor or key owner, and based on industry best practices and guidelines.

Description: Key management policies and procedures are implemented for cryptographic key changes for keys that have reached the end of their cryptoperiod, as defined by the associated application vendor or key owner, and based on industry best practices and guidelines, including the following: - A defined cryptoperiod for each key type in use. - A process for key changes at the end of the defined cryptoperiod.

• base

Automated: no

No rules selected

3.7.5: Key management policies procedures are implemented to include the retirement, replacement, or destruction of keys used to protect stored account data, as deemed necessary.

Description: Key management policies procedures are implemented to include the retirement, replacement, or destruction of keys used to protect stored account data, as deemed necessary when: - The key has reached the end of its defined cryptoperiod. - The integrity of the key has been weakened, including when personnel with knowledge of a cleartext key component leaves the company, or the role for which the key component was known. - The key is suspected of or known to be compromised. - Retired or replaced keys are not used for encryption operations.

• base

Automated: no

No rules selected

3.7.6: Where manual cleartext cryptographic key-management operations are performed by personnel, key-management policies and procedures are implemented include managing these operations using split knowledge and dual control.

Description: Cleartext secret or private keys cannot be known by anyone. Operations involving cleartext keys cannot be carried out by a single person. This control is applicable for manual key-management operations or where key management is not controlled by the encryption product. A cryptographic key that is simply split into two parts does not meet this requirement. Secret or private keys stored as key components or key shares must be generated via one of the following

• base

Automated: no

No rules selected

3.7.7: Key management policies and procedures are implemented to include the prevention of unauthorized substitution of cryptographic keys.

Description: Cryptographic keys cannot be substituted by unauthorized personnel.

• base

Automated: no

No rules selected

3.7.8: Key management policies and procedures are implemented to include that cryptographic key custodians formally acknowledge (in writing or electronically) that they understand and accept their key-custodian responsibilities.

Description: Key custodians are knowledgeable about their responsibilities in relation to cryptographic operations and can access assistance and guidance when required.

• base

Automated: no

No rules selected

3.7.9: Additional requirement for service providers only: Where a service provider shares cryptographic keys with its customers for transmission or storage of account data, guidance on secure transmission, storage and updating of such keys is documented and distributed to the service provider’s customers.

Description: Customers are provided with appropriate key management guidance whenever they receive shared cryptographic keys. This requirement applies only when the entity being assessed is a service provider.

• base

Automated: no

No rules selected

3.7: Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented.

Description: None

• base

Automated: no

No rules selected

4.1.1: All security policies and operational procedures that are identified in Requirement 4 are Documented, Kept up to date, In use and Known to all affected parties.

Description: None

• base

Automated: no

No rules selected

4.1.2: Roles and responsibilities for performing activities in Requirement 4 are documented, assigned, and understood.

Description: None

• base

Automated: no

No rules selected

4.1: Processes and mechanisms for protecting cardholder data with strong cryptography during transmission over open, public networks are defined and documented.

Description: None

• base

Automated: no

No rules selected

4.2.1.1: An inventory of the entity's trusted keys and certificates used to protect PAN during transmission is maintained.

Description: All keys and certificates used to protect PAN during transmission are identified and confirmed as trusted. This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.

• base

Automated: no

No rules selected

4.2.1.2: Wireless networks transmitting PAN or connected to the CDE use industry best practices to implement strong cryptography for authentication and transmission.

Description: Cleartext PAN cannot be read or intercepted from wireless network transmissions.

• base

Automated: no

No rules selected

4.2.1: Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks.

Description: Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks: - Only trusted keys and certificates are accepted. - Certificates used to safeguard PAN during transmission over open, public networks are confirmed as valid and are not expired or revoked. This bullet is a best practice until 31 March 2025, after which it will be required as part of Requirement 4.2.1 and must be fully considered during a PCI DSS assessment. - The protocol in use supports only secure versions or configurations and does not support fallback to, or use of insecure versions, algorithms, key sizes, or implementations. - The encryption strength is appropriate for the encryption methodology in use.

• base

Automated: no

• api_server_tls_cert: Configure the Certificate for the API Server
• api_server_tls_cipher_suites: Use Strong Cryptographic Ciphers on the API Server
• api_server_tls_security_profile: Ensure APIServer is configured with secure tlsSecurityProfile
• file_permissions_openshift_pki_cert_files: Verify Permissions on the OpenShift PKI Certificate Files
• ingress_controller_certificate: Ensure that the default Ingress certificate has been replaced
• ingress_controller_tls_security_profile: Ensure IngressController is configured to use secure tlsSecurityProfile
• kubelet_configure_tls_min_version: Ensure Kubelet is configured with allowed TLS versions
• routes_protected_by_tls: Ensure that all OpenShift Routes prefer TLS
• tls_version_check_apiserver: Ensure TLS v1.2 is minimum for Openshift APIServer
• tls_version_check_masters_workers: Ensure TLS v1.2 is minimum for Openshift master and worker nodes
• tls_version_check_router: Ensure TLS v1.2 is minimum for Openshift Router

4.2.2: PAN is secured with strong cryptography whenever it is sent via end-user messaging technologies.

Description: Cleartext PAN cannot be read or intercepted from transmissions using end-user messaging technologies. This requirement also applies if a customer, or other third-party, requests that PAN is sent to them via end-user messaging technologies. There could be occurrences where an entity receives unsolicited cardholder data via an insecure communication channel that was not intended for transmissions of sensitive data. In this situation, the entity can choose to either include the channel in the scope of their CDE and secure it according to PCI DSS or delete the cardholder data and implement measures to prevent the channel from being used for cardholder data.

• base

Automated: no

No rules selected

4.2: PAN is protected with strong cryptography during transmission.

Description: None

• base

Automated: no

• api_server_tls_cert: Configure the Certificate for the API Server
• api_server_tls_cipher_suites: Use Strong Cryptographic Ciphers on the API Server
• api_server_tls_security_profile: Ensure APIServer is configured with secure tlsSecurityProfile
• file_permissions_openshift_pki_cert_files: Verify Permissions on the OpenShift PKI Certificate Files
• ingress_controller_certificate: Ensure that the default Ingress certificate has been replaced
• ingress_controller_tls_security_profile: Ensure IngressController is configured to use secure tlsSecurityProfile
• kubelet_configure_tls_min_version: Ensure Kubelet is configured with allowed TLS versions
• routes_protected_by_tls: Ensure that all OpenShift Routes prefer TLS
• tls_version_check_apiserver: Ensure TLS v1.2 is minimum for Openshift APIServer
• tls_version_check_masters_workers: Ensure TLS v1.2 is minimum for Openshift master and worker nodes
• tls_version_check_router: Ensure TLS v1.2 is minimum for Openshift Router

5.1.1: All security policies and operational procedures that are identified in Requirement 5 are Documented, Kept up to date, In use and Known to all affected parties.

Description: None

• base

Automated: no

No rules selected

5.1.2: Roles and responsibilities for performing activities in Requirement 5 are documented, assigned, and understood.

Description: None

• base

Automated: no

No rules selected

5.1: Processes and mechanisms for protecting all systems and networks from malicious software are defined and understood.

Description: None

• base

Automated: no

No rules selected

5.2.1: An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware.

Description: Automated mechanisms are implemented to prevent systems from becoming an attack vector for malware.

• base

Automated: no

No rules selected

5.2.2: The deployed anti-malware solution(s) detects all known types of malware and removes, blocks, or contains all known types of malware.

Description: None

• base

Automated: no

No rules selected

5.2.3.1: The frequency of periodic evaluations of system components identified as not at risk for malware is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.

Description: Systems not known to be at risk from malware are re-evaluated at a frequency that addresses the entity's risk. This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.

• base

Automated: no

No rules selected

5.2.3: Any system components that are not at risk for malware are evaluated periodically.

Description: Any system components that are not at risk for malware are evaluated periodically to include the following: - A documented list of all system components not at risk for malware. - Identification and evaluation of evolving malware threats for those system components. - Confirmation whether such system components continue to not require anti-malware protection.

• base

Automated: no

No rules selected

5.2: Malicious software (malware) is prevented, or detected and addressed.

Description: None

• base

Automated: no

No rules selected

5.3.1: The anti-malware solution(s) is kept current via automatic updates.

Description: Anti-malware mechanisms can detect and address the latest malware threats.

• base

Automated: no

No rules selected

5.3.2.1: If periodic malware scans are performed to meet Requirement 5.3.2, the frequency of scans is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.

Description: Scans by the malware solution are performed at a frequency that addresses the entity's risk. This requirement applies to entities conducting periodic malware scans to meet Requirement 5.3.2. This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.

• base

Automated: no

No rules selected

5.3.2: The anti-malware solution(s) performs periodic scans and active or real-time scans or performs continuous behavioral analysis of systems or processes.

Description: None

• base

Automated: no

No rules selected

5.3.3: For removable electronic media, the anti-malware solution(s) performs automatic scans of when the media is inserted, connected, or logically mounted, or Performs continuous behavioral analysis of systems or processes when the media is inserted, connected, or logically mounted.

Description: None

• base

Automated: no

No rules selected

5.3.4: Audit logs for the anti-malware solution(s) are enabled and retained in accordance with Requirement 10.5.1.

Description: Historical records of anti-malware actions are immediately available and retained for at least 12 months.

• base

Automated: no

No rules selected

5.3.5: Anti-malware mechanisms cannot be disabled or altered by users, unless specifically documented, and authorized by management on a case-by-case basis for a limited time period.

Description: Anti-malware mechanisms cannot be modified by unauthorized personnel.Anti-malware solutions may be temporarily disabled only if there is a legitimate technical need, as authorized by management on a case-by-case basis. If anti-malware protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period during which anti-malware protection is not active.

• base

Automated: no

No rules selected

5.3: Anti-malware mechanisms and processes are active, maintained, and monitored.

Description: None

• base

Automated: no

No rules selected

5.4.1: Processes and automated mechanisms are in place to detect and protect personnel against phishing attacks.

Description: Mechanisms are in place to protect against and mitigate risk posed by phishing attacks. This requirement applies to the automated mechanism. It is not intended that the systems and services providing such automated mechanisms (such as email servers) are brought into scope for PCI DSS. The focus of this requirement is on protecting personnel with access to system components in-scope for PCI DSS. Meeting this requirement for technical and automated controls to detect and protect personnel against phishing is not the same as Requirement 12.6.3.1 for security awareness training. Meeting this requirement does not also meet the requirement for providing personnel with security awareness training, and vice versa. This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.

• base

Automated: no

No rules selected

5.4: Anti-phishing mechanisms protect users against phishing attacks.

Description: None

• base

Automated: no

No rules selected

6.1.1: All security policies and operational procedures that are identified in Requirement 6 are Documented, Kept up to date, In use and Known to all affected parties.

Description: None

• base

Automated: no

No rules selected

6.1.2: Roles and responsibilities for performing activities in Requirement 6 are documented, assigned, and understood.

Description: None

• base

Automated: no

No rules selected

6.1: Processes and mechanisms for developing and maintaining secure systems and software are defined and understood.

Description: None

• base

Automated: no

No rules selected

6.2.1: Bespoke and custom software are developed securely.

Description: Bespoke and custom software are developed securely, as follows: - Based on industry standards and/or best practices for secure development. - In accordance with PCI DSS (for example, secure authentication and logging). - Incorporating consideration of information security issues during each stage of the software development lifecycle.

• base

Automated: no

No rules selected

6.2.2: Software development personnel working on bespoke and custom software are trained at least once every 12 months

Description: Software development personnel working on bespoke and custom software are trained at least once every 12 months as follows: - On software security relevant to their job function and development languages. - Including secure software design and secure coding techniques. - Including, if security testing tools are used, how to use the tools for detecting vulnerabilities in software.

• base

Automated: no

No rules selected

6.2.3.1: If manual code reviews are performed for bespoke and custom software prior to release to production code changes co-reviewed and approved.

Description: If manual code reviews are performed for bespoke and custom software prior to release to production code changes are: - Reviewed by individuals other than the originating code author, and who are knowledgeable about code-review techniques and secure coding practices. - Reviewed and approved by management prior to release.

• base

Automated: no

No rules selected

6.2.3: Bespoke and custom software is reviewed prior to being released into production or to customers, to identify and correct potential coding vulnerabilities.

Description: Bespoke and custom software is reviewed prior to being released into production or to customers, to identify and correct potential coding vulnerabilities, as follows: - Code reviews ensure code is developed according to secure coding guidelines. - Code reviews look for both existing and emerging software vulnerabilities. - Appropriate corrections are implemented prior to release.

• base

Automated: no

No rules selected

6.2.4: Software engineering techniques or other methods are defined and in use by software development personnel to prevent or mitigate common software attacks and related vulnerabilities in bespoke and custom software.

Description: None

• base

Automated: no

No rules selected

6.2: Bespoke and custom software are developed securely.

Description: None

• base

Automated: no

No rules selected

6.3.1: Security vulnerabilities are identified and managed

Description: Security vulnerabilities are identified and managed as follows: - New security vulnerabilities are identified using industry-recognized sources for security vulnerability information, including alerts from international and national computer emergency response teams (CERTs). - Vulnerabilities are assigned a risk ranking based on industry best practices and consideration of potential impact. - Risk rankings identify, at a minimum, all vulnerabilities considered to be a high-risk or critical to the environment. - Vulnerabilities for bespoke and custom, and third-party software (for example operating systems and databases) are covered.

• base

Automated: no

No rules selected

6.3.2: An inventory of bespoke and custom software, and third-party software components incorporated into bespoke and custom software is maintained to facilitate vulnerability and patch management.

Description: Known vulnerabilities in third-party software components cannot be exploited in bespoke and custom software.This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.

• base

Automated: no

No rules selected

6.3.3: All system components are protected from known vulnerabilities by installing applicable security patches/updates.

Description: All system components are protected from known vulnerabilities by installing applicable security patches/updates as follows: - Critical or high-security patches/updates (identified according to the risk ranking process at Requirement 6.3.1) are installed within one month of release. - All other applicable security patches/updates are installed within an appropriate time frame as determined by the entity (for example, within three months of release).

• base

Automated: no

No rules selected

6.3: Security vulnerabilities are identified and addressed.

Description: None

• base

Automated: no

No rules selected

6.4.1: For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks.

Description: For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks as follows: - Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods as follows: - At least once every 12 months and after significant changes. – By an entity that specializes in application security. – Including, at a minimum, all common software attacks in Requirement 6.2.4. – All vulnerabilities are ranked in accordance with requirement 6.3.1. – All vulnerabilities are corrected. – The application is re-evaluated after the corrections OR - Installing an automated technical solution(s) that continually detects and prevents web-based attacks as follows: - Installed in front of public-facing web applications to detect and prevent web-based attacks. - Actively running and up to date as applicable. - Generating audit logs. - Configured to either block web-based attacks or generate an alert that is immediately investigated.

• base

Automated: no

No rules selected

6.4.2: For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks.

Description: None

• base

Automated: no

• container_security_operator_exists: Make sure the Container Security Operator is installed
• security_profiles_operator_exists: Make sure the Security Profiles Operator is installed

6.4.3: All payment page scripts that are loaded and executed in the consumer's browser are managed

Description: All payment page scripts that are loaded and executed in the consumer's browser are managed as follows: - A method is implemented to confirm that each script is authorized. - A method is implemented to assure the integrity of each script. - An inventory of all scripts is maintained with written justification as to why each is necessary.

• base

Automated: no

No rules selected

6.4: Public-facing web applications are protected against attacks.

Description: None

• base

Automated: no

• container_security_operator_exists: Make sure the Container Security Operator is installed
• security_profiles_operator_exists: Make sure the Security Profiles Operator is installed

6.5.1: Changes to all system components in the production environment are made according to established procedures.

Description: None

• base

Automated: no

No rules selected

6.5.2: Upon completion of a significant change, all applicable PCI DSS requirements are confirmed to be in place on all new or changed systems and networks, and documentation is updated as applicable.

Description: All system components are verified after a significant change to be compliant with the applicable PCI DSS requirements.These significant changes should also be captured and reflected in the entity's annual PCI DSS scope confirmation activity per Requirement 12.5.2.

• base

Automated: no

No rules selected

6.5.3: Pre-production environments are separated from production environments and the separation is enforced with access controls.

Description: Pre-production environments cannot introduce risks and vulnerabilities into production environments.

• base

Automated: no

No rules selected

6.5.4: Roles and functions are separated between production and pre-production environments to provide accountability such that only reviewed and approved changes are deployed.

Description: Job roles and accountability that differentiate between pre-production and production activities are defined and managed to minimize the risk of unauthorized, unintentional, or inappropriate actions. In environments with limited personnel where individuals perform multiple roles or functions, this same goal can be achieved with additional procedural controls that provide accountability. For example, a developer may also be an administrator that uses an administrator-level account with elevated privileges in the development environment and, for their developer role, they use a separate account with user-level access to the production environment.

• base

Automated: no

No rules selected

6.5.5: Live PANs are not used in pre-production environments, except where those environments are included in the CDE and protected in accordance with all applicable PCI DSS requirements.

Description: Live PANs cannot be present in pre-production environments outside the CDE.s

• base

Automated: no

No rules selected

6.5.6: Test data and test accounts are removed from system components before the system goes into production.

Description: Test data and test accounts cannot exist in production environments.

• base

Automated: no

No rules selected

6.5: Changes to all system components are managed securely.

Description: None

• base

Automated: no

No rules selected

7.1.1: All security policies and operational procedures that are identified in Requirement 7 are Documented, Kept up to date, In use and Known to all affected parties.

Description: None

• base

Automated: no

No rules selected

7.1.2: Roles and responsibilities for performing activities in Requirement 7 are documented, assigned, and understood.

Description: None

• base

Automated: no

No rules selected

7.1: Processes and mechanisms for restricting access to system components and cardholder data by business need to know are defined and understood.

Description: None

• base

Automated: no

No rules selected

7.2.1: An access control model is defined and includes granting access

Description: An access control model is defined and includes granting access as follows: - Appropriate access depending on the entity's business and access needs. - Access to system components and data resources that is based on users' job classification and functions. - The least privileges required (for example, user, administrator) to perform a job function.

• base

Automated: no

• rbac_cluster_roles_defined: Ensure cluster roles are defined in the cluster
• rbac_roles_defined: Ensure roles are defined in the cluster

7.2.2: Access is assigned to users, including privileged users, based on job classification and function, and least privileges necessary to perform job responsibilities.

Description: None

• base

Automated: no

No rules selected

7.2.3: Required privileges are approved by authorized personnel.

Description: Access privileges cannot be granted to users without appropriate, documented authorization.

• base

Automated: no

No rules selected

7.2.4: All user accounts and related access privileges, including third-party/vendor accounts, are reviewed

Description: All user accounts and related access privileges, including third-party/vendor accounts, are reviewed as follows: - At least once every six months. - To ensure user accounts and access remain appropriate based on job function. - Any inappropriate access is addressed. - Management acknowledges that access remains appropriate.

• base

Automated: no

No rules selected

7.2.5.1: All access by application and system accounts and related access privileges are reviewed.

Description: None

• base

Automated: no

No rules selected

7.2.5: All application and system accounts and related access privileges are assigned and managed.

Description: All application and system accounts and related access privileges are assigned and managed as follows: - Based on the least privileges necessary for the operability of the system or application. - Access is limited to the systems, applications, or processes that specifically require their use.

• base

Automated: no

No rules selected

7.2.6: All user access to query repositories of stored cardholder data is restricted

Description: None

• base

Automated: no

No rules selected

7.2: Access to system components and data is appropriately defined and assigned.

Description: None

• base

Automated: no

• rbac_cluster_roles_defined: Ensure cluster roles are defined in the cluster
• rbac_roles_defined: Ensure roles are defined in the cluster

7.3.1: An access control system(s) is in place that restricts access based on a user's need to know and covers all system components.

Description: Access rights and privileges are managed via mechanisms intended for that purpose.

• base

Automated: no

No rules selected

7.3.2: The access control system(s) is configured to enforce permissions assigned to individuals, applications, and systems based on job classification and function.

Description: Individual account access rights and privileges to systems, applications, and data are only inherited from group membership.

• base

Automated: no

No rules selected

7.3.3: The access control system(s) is set to "deny all" by default.

Description: Access rights and privileges are prohibited unless expressly permitted.

• base

Automated: no

No rules selected

7.3: Access to system components and data is managed via an access control system(s).

Description: None

• base

Automated: no

No rules selected

8.1.1: All security policies and operational procedures that are identified in Requirement 8 are Documented, Kept up to date, In use and Known to all affected parties.

Description: None

• base

Automated: no

No rules selected

8.1.2: Roles and responsibilities for performing activities in Requirement 8 are documented, assigned, and understood.

Description: None

• base

Automated: no

No rules selected

8.1: Processes and mechanisms for identifying users and authenticating access to system components are defined and understood.

Description: None

• base

Automated: no

No rules selected

8.2.1: All users are assigned a unique ID before access to system components or cardholder data is allowed.

Description: All actions by all users are attributable to an individual. This requirement is not intended to apply to user accounts within point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction (such as IDs used by cashiers on point-of-sale terminals).

• base

Automated: yes

• idp_is_configured: Configure An Identity Provider

8.2.2: Group, shared, or generic accounts, or other shared authentication credentials are only used when necessary on an exception basis, and are managed.

Description: - Account use is prevented unless needed for an exceptional circumstance. - Use is limited to the time needed for the exceptional circumstance. - Business justification for use is documented. - Use is explicitly approved by management. - Individual user identity is confirmed before access to an account is granted. - Every action taken is attributable to an individual user.

• base

Automated: yes

• kubeadmin_removed: Ensure that the kubeadmin secret has been removed

8.2.3: Additional requirement for service providers only: Service providers with remote access to customer premises use unique authentication factors for each customer premises.

Description: None

• base

Automated: no

No rules selected

8.2.4: Addition, deletion, and modification of user IDs, authentication factors, and other identifier objects are managed

Description: None

• base

Automated: no

No rules selected

8.2.5: Access for terminated users is immediately revoked.

Description: The accounts of terminated users cannot be used.

• base

Automated: no

No rules selected

8.2.6: Inactive user accounts are removed or disabled within 90 days of inactivity.

Description: Inactive user accounts cannot be used.

• base

Automated: no

No rules selected

8.2.7: Accounts used by third parties to access, support, or maintain system components via remote access are managed.

Description: None

• base

Automated: no

No rules selected

8.2.8: If a user session has been idle for more than 15 minutes, the user is required to re-authenticate to re-activate the terminal or session.

Description: A user session cannot be used except by the authorized user. This requirement is not intended to apply to user accounts on point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction (such as IDs used by cashiers on point-of-sale terminals). This requirement is not meant to prevent legitimate activities from being performed while the console/PC is unattended.

• base

Automated: yes

• oauth_or_oauthclient_inactivity_timeout: Configure OAuth tokens to expire after a set period of inactivity
• var_oauth_inactivity_timeout = 15m0s

8.2: User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle.

Description: None

• base

Automated: yes

• idp_is_configured: Configure An Identity Provider
• kubeadmin_removed: Ensure that the kubeadmin secret has been removed
• oauth_or_oauthclient_inactivity_timeout: Configure OAuth tokens to expire after a set period of inactivity
• var_oauth_inactivity_timeout = 15m0s

8.3.1: All user access to system components for users and administrators is authenticated.

Description: All user access to system components for users and administrators is authenticated via at least one of the following authentication factors: - Something you know, such as a password or passphrase. - Something you have, such as a token device or smart card. - Something you are, such as a biometric element.

• base

Automated: no

No rules selected

8.3.2: Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components.

Description: Cleartext authentication factors cannot be obtained, derived, or reused from the interception of communications or from stored data.

• base

Automated: no

• ocp_no_ldap_insecure: Only Use LDAP-based IdPs with TLS

8.3.3: User identity is verified before modifying any authentication factor.

Description: Unauthorized individuals cannot gain system access by impersonating the identity of an authorized user.

• base

Automated: no

No rules selected

8.3.4: Invalid authentication attempts are limited.

Description: - Locking out the user ID after not more than 10 attempts. - Setting the lockout duration to a minimum of 30 minutes or until the user's identity is confirmed.

• base

Automated: no

• ocp_idp_no_htpasswd: Do Not Use htpasswd-based IdP

8.3.5: If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they are set and reset for each user.

Description: - Set to a unique value for first-time use and upon reset. - Forced to be changed immediately after the first use.

• base

Automated: no

No rules selected

8.3.6: If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the minimum level of complexity.

Description: - A minimum length of 12 characters (or IF the system does not support 12 characters, a minimum length of eight characters). - Contain both numeric and alphabetic characters. A guessed password/passphrase cannot be verified by either an online or offline brute force attack.

• base

Automated: no

No rules selected

8.3.7: Individuals are not allowed to submit a new password/passphrase that is the same as any of the last four passwords/passphrases used.

Description: A previously used password cannot be used to gain access to an account for at least 12 months.

• base

Automated: no

No rules selected

8.3.8: Authentication policies and procedures are documented and communicated to all users.

Description: None

• base

Automated: no

No rules selected

8.3.9: If passwords/passphrases are used as the only authentication factor for user access (i.e., in any single-factor authentication implementation) they should have a limited lifetime.

Description: If passwords/passphrases are used as the only authentication factor for user access (i.e., in any single-factor authentication implementation) then either: - Passwords/passphrases are changed at least once every 90 days, OR - The security posture of accounts is dynamically analyzed, and real-time access to resources is automatically determined accordingly.

• base

Automated: no

No rules selected

8.3.10.1: Additional requirement for service providers only: If passwords/passphrases are used as the only authentication factor for customer user access (i.e., in any single-factor authentication implementation) they should have a limited lifetime.

Description: None

• base

Automated: no

No rules selected

8.3.10: Additional requirement for service providers only: If passwords/passphrases are used as the only authentication factor for customer user access to cardholder data (i.e., in any single-factor authentication implementation) then guidance is provided to customer users.

Description: None

• base

Automated: no

No rules selected

8.3.11: Where authentication factors such as physical or logical security tokens, smart cards, or certificates are used, factors are not shared among multiple users and the usage is controlled.'

Description: None

• base

Automated: no

No rules selected

8.3: Strong authentication for users and administrators is established and managed.

Description: None

• base

Automated: no

• idp_is_configured: Configure An Identity Provider
• kubeadmin_removed: Ensure that the kubeadmin secret has been removed
• ocp_idp_no_htpasswd: Do Not Use htpasswd-based IdP
• ocp_no_ldap_insecure: Only Use LDAP-based IdPs with TLS

8.4.1: MFA is implemented for all non-console access into the CDE for personnel with administrative access.

Description: None

• base

Automated: no

No rules selected

8.4.2: MFA is implemented for all access into the CDE.

Description: Access into the CDE cannot be obtained by the use of a single authentication factor.

• base

Automated: no

No rules selected

8.4.3: MFA is implemented for all remote network access originating from outside the entity's network that could access or impact the CDE.

Description: None

• base

Automated: no

No rules selected

8.4: Multi-factor authentication (MFA) is implemented to secure access into the CDE.

Description: None

• base

Automated: no

No rules selected

8.5.1: MFA systems are properly implemented.

Description: - The MFA system is not susceptible to replay attacks. - MFA systems cannot be bypassed by any users, including administrative users unless specifically documented, and authorized by management on an exception basis, for a limited time period. - At least two different types of authentication factors are used. - Success of all authentication factors is required before access is granted.

• base

Automated: no

No rules selected

8.5: Multi-factor authentication (MFA) systems are configured to prevent misuse.

Description: None

• base

Automated: no

No rules selected

8.6.1: If accounts used by systems or applications can be used for interactive login, they are managed.

Description: - Interactive use is prevented unless needed for an exceptional circumstance. - Interactive use is limited to the time needed for the exceptional circumstance. - Business justification for interactive use is documented. - Interactive use is explicitly approved by management. - Individual user identity is confirmed before access to account is granted. - Every action taken is attributable to an individual user.

• base

Automated: no

No rules selected

8.6.2: Passwords/passphrases for any application and system accounts that can be used for interactive login are not hard coded in scripts, configuration/property files, or bespoke and custom source code.

Description: Passwords/passphrases used by application and system accounts cannot be used by unauthorized personnel.

• base

Automated: no

No rules selected

8.6.3: Passwords/passphrases for any application and system accounts are protected against misuse.

Description: - Passwords/passphrases are changed periodically (at the frequency defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1) and upon suspicion or confirmation of compromise. - Passwords/passphrases are constructed with sufficient complexity appropriate for how frequently the entity changes the passwords/passphrases.

• base

Automated: no

No rules selected

8.6: Use of application and system accounts and associated authentication factors is strictly managed.

Description: None

• base

Automated: no

No rules selected

9.1.1: All security policies and operational procedures that are identified in Requirement 9 are Documented, Kept up to date, In use and Known to all affected parties.

Description: None

• base

Automated: no

No rules selected

9.1.2: Roles and responsibilities for performing activities in Requirement 9 are documented, assigned, and understood.

Description: None

• base

Automated: no

No rules selected

9.1: Processes and mechanisms for restricting physical access to cardholder data are defined and understood.

Description: None

• base

Automated: no

No rules selected

9.2.1.1: Individual physical access to sensitive areas within the CDE is monitored with either video cameras or physical access control mechanisms (or both).

Description: None

• base

Automated: no

No rules selected

9.2.1: Appropriate facility entry controls are in place to restrict physical access to systems in the CDE.

Description: System components in the CDE cannot be physically accessed by unauthorized personnel.

• base

Automated: no

No rules selected

9.2.2: Physical and/or logical controls are implemented to restrict use of publicly accessible network jacks within the facility.

Description: Unauthorized devices cannot connect to the entity's network from public areas within the facility.

• base

Automated: no

No rules selected

9.2.3: Physical access to wireless access points, gateways, networking/communications hardware, and telecommunication lines within the facility is restricted

Description: Physical networking equipment cannot be accessed by unauthorized personnel.

• base

Automated: no

No rules selected

9.2.4: Access to consoles in sensitive areas is restricted via locking when not in use.

Description: Physical consoles within sensitive areas cannot be used by unauthorized personnel.

• base

Automated: no

No rules selected

9.2: Physical access controls manage entry into facilities and systems containing cardholder data.

Description: None

• base

Automated: no

No rules selected

9.3.1.1: Physical access to sensitive areas within the CDE for personnel is controlled

Description: None

• base

Automated: no

No rules selected

9.3.1: Procedures are implemented for authorizing and managing physical access of personnel to the CDE.

Description: None

• base

Automated: no

No rules selected

9.3.2: Procedures are implemented for authorizing and managing visitor access to the CDE.

Description: None

• base

Automated: no

No rules selected

9.3.3: Visitor badges or identification are surrendered or deactivated before visitors leave the facility or at the date of expiration.

Description: Visitor identification or badges cannot be reused after expiration.

• base

Automated: no

No rules selected

9.3.4: A visitor log is used to maintain a physical record of visitor activity within the facility and within sensitive areas.

Description: None

• base

Automated: no

No rules selected

9.3: Physical access for personnel and visitors is authorized and managed.

Description: None

• base

Automated: no

No rules selected

9.4.1.1: Offline media backups with cardholder data are stored in a secure location.

Description: Offline backups cannot be accessed by unauthorized personnel.

• base

Automated: no

No rules selected

9.4.1.2: The security of the offline media backup location(s) with cardholder data is reviewed at least once every 12 months.

Description: The security controls protecting offline backups are verified periodically by inspection.

• base

Automated: no

No rules selected

9.4.1: All media with cardholder data is physically secured.

Description: Media with cardholder data cannot be accessed by unauthorized personnel.

• base

Automated: no

No rules selected

9.4.2: All media with cardholder data is classified in accordance with the sensitivity of the data.

Description: Media are classified and protected appropriately.

• base

Automated: no

No rules selected

9.4.3: Media with cardholder data sent outside the facility is secured.

Description: Media is secured and tracked when transported outside the facility. - Media sent outside the facility is logged. - Media is sent by secured courier or other delivery method that can be accurately tracked. - Offsite tracking logs include details about media location.

• base

Automated: no

No rules selected

9.4.4: Management approves all media with cardholder data that is moved outside the facility (including when media is distributed to individuals).

Description: Media cannot leave a facility without the approval of accountable personnel. Individuals approving media movements should have the appropriate level of management authority to grant this approval. However, it is not specifically required that such individuals have "manager" as part of their title.

• base

Automated: no

No rules selected

9.4.5.1: Inventories of electronic media with cardholder data are conducted at least once every 12 months.

Description: Media inventories are verified periodically.

• base

Automated: no

No rules selected

9.4.5: Inventory logs of all electronic media with cardholder data are maintained.

Description: Accurate inventories of stored electronic media are maintained.

• base

Automated: no

No rules selected

9.4.6: Hard-copy materials with cardholder data are destroyed when no longer needed for business or legal reasons.

Description: None

• base

Automated: no

No rules selected

9.4.7: Electronic media with cardholder data is destroyed when no longer needed for business or legal reasons.

Description: - The electronic media is destroyed. - The cardholder data is rendered unrecoverable so that it cannot be reconstructed.

• base

Automated: no

No rules selected

9.4: Media with cardholder data is securely stored, accessed, distributed, and destroyed.

Description: None

• base

Automated: no

No rules selected

9.5.1.1: An up-to-date list of POI devices is maintained.

Description: None

• base

Automated: no

No rules selected

9.5.1.2.1: The frequency of periodic POI device inspections and the type of inspections performed is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.

Description: POI devices are inspected at a frequency that addresses the entity's risk. This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.

• base

Automated: no

No rules selected

9.5.1.2: POI device surfaces are periodically inspected to detect tampering and unauthorized substitution.

Description: Point of Interaction Devices cannot be tampered with, substituted without authorization, or have skimming attachments installed without timely detection.

• base

Automated: no

No rules selected

9.5.1.3: Training is provided for personnel in POI environments to be aware of attempted tampering or replacement of POI devices.

Description: None

• base

Automated: no

No rules selected

9.5.1: POI devices that capture payment card data via direct physical interaction with the payment card form factor are protected from tampering and unauthorized substitution.

Description: None

• base

Automated: no

No rules selected

9.5: Point-of-interaction (POI) devices are protected from tampering and unauthorized substitution.

Description: None

• base

Automated: no

No rules selected

10.1.1: All security policies and operational procedures that are identified in Requirement 10 are Documented, Kept up to date, In use and Known to all affected parties.

Description: None

• base

Automated: no

No rules selected

10.1.2: Roles and responsibilities for performing activities in Requirement 10 are documented, assigned, and understood.

Description: None

• base

Automated: no

No rules selected

10.1: Processes and mechanisms for logging and monitoring all access to system components and cardholder data are defined and documented.

Description: None

• base

Automated: no

No rules selected

10.2.1.1: Audit logs capture all individual user access to cardholder data.

Description: Records of all individual user access to cardholder data are captured.

• base

Automated: no

No rules selected

10.2.1.2: Audit logs capture all actions taken by any individual with administrative access, including any interactive use of application or system accounts.

Description: Records of all actions performed by individuals with elevated privileges are captured.

• base

Automated: no

No rules selected

10.2.1.3: Audit logs capture all access to audit logs.

Description: Records of all access to audit logs are captured.

• base

Automated: no

• audit_logging_enabled: Ensure that API server audit logging is enabled

10.2.1.4: Audit logs capture all invalid logical access attempts.

Description: Records of all invalid access attempts are captured.

• base

Automated: no

No rules selected

10.2.1.5: Audit logs capture all changes to identification and authentication credentials.

Description: None

• base

Automated: no

No rules selected

10.2.1.6: Audit logs capture the initialization of new audit logs, and starting, stopping, or pausing of the existing audit logs.

Description: None

• base

Automated: no

No rules selected

10.2.1.7: Audit logs capture all creation and deletion of system-level objects.

Description: Records of alterations that indicate a system has been modified from its intended functionality are captured.

• base

Automated: no

No rules selected

10.2.1: Audit logs are enabled and active for all system components and cardholder data.

Description: Records of all activities affecting system components and cardholder data are captured.

• base

Automated: no

• audit_logging_enabled: Ensure that API server audit logging is enabled

10.2.2: Audit logs record sufficient details for each auditable event.

Description: - User identification. - Type of event. - Date and time. - Success and failure indication. - Origination of event. - Identity or name of affected data, system component, resource, or service (for example, name and protocol).

• base

Automated: yes

• audit_profile_set: Ensure that the cluster's audit profile is properly set
• var_openshift_audit_profile = WriteRequestBodies

10.2: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

Description: None

• base

Automated: no

• audit_logging_enabled: Ensure that API server audit logging is enabled
• audit_profile_set: Ensure that the cluster's audit profile is properly set
• var_openshift_audit_profile = WriteRequestBodies

10.3.1: Read access to audit logs files is limited to those with a job-related need.

Description: Stored activity records cannot be accessed by unauthorized personnel.

• base

Automated: no

• rbac_limit_cluster_admin: Ensure that the cluster-admin role is only used where required

10.3.2: Audit log files are protected to prevent modifications by individuals.

Description: Stored activity records cannot be modified by personnel.

• base

Automated: no

• directory_access_var_log_kube_audit: Record Access Events to Kubernetes Audit Log Directory
• directory_access_var_log_oauth_audit: Record Access Events to OAuth Audit Log Directory
• directory_access_var_log_ocp_audit: Record Access Events to OpenShift Audit Log Directory
• directory_permissions_var_log_kube_audit: The Kubernetes Audit Logs Directory Must Have Mode 0700
• directory_permissions_var_log_oauth_audit: The OAuth Audit Logs Directory Must Have Mode 0700
• directory_permissions_var_log_ocp_audit: The OpenShift Audit Logs Directory Must Have Mode 0700
• file_ownership_var_log_kube_audit: Kubernetes Audit Logs Must Be Owned By Root
• file_ownership_var_log_oauth_audit: OAuth Audit Logs Must Be Owned By Root
• file_ownership_var_log_ocp_audit: OpenShift Audit Logs Must Be Owned By Root
• file_permissions_var_log_kube_audit: Kubernetes Audit Logs Must Have Mode 0600
• file_permissions_var_log_oauth_audit: OAuth Audit Logs Must Have Mode 0600
• file_permissions_var_log_ocp_audit: OpenShift Audit Logs Must Have Mode 0600

10.3.3: Audit log files, including those for external-facing technologies, are promptly backed up to a secure, central, internal log server(s) or other media that is difficult to modify.

Description: Stored activity records are secured and preserved in a central location to prevent unauthorized modification.

• base

Automated: no

No rules selected

10.3.4: File integrity monitoring or change-detection mechanisms is used on audit logs to ensure that existing log data cannot be changed without generating alerts.

Description: Stored activity records cannot be modified without an alert being generated.

• base

Automated: no

• file_integrity_exists: Ensure that File Integrity Operator is scanning the cluster

10.3: Audit logs are protected from destruction and unauthorized modifications.

Description: None

• base

Automated: no

• directory_access_var_log_kube_audit: Record Access Events to Kubernetes Audit Log Directory
• directory_access_var_log_oauth_audit: Record Access Events to OAuth Audit Log Directory
• directory_access_var_log_ocp_audit: Record Access Events to OpenShift Audit Log Directory
• directory_permissions_var_log_kube_audit: The Kubernetes Audit Logs Directory Must Have Mode 0700
• directory_permissions_var_log_oauth_audit: The OAuth Audit Logs Directory Must Have Mode 0700
• directory_permissions_var_log_ocp_audit: The OpenShift Audit Logs Directory Must Have Mode 0700
• file_integrity_exists: Ensure that File Integrity Operator is scanning the cluster
• file_ownership_var_log_kube_audit: Kubernetes Audit Logs Must Be Owned By Root
• file_ownership_var_log_oauth_audit: OAuth Audit Logs Must Be Owned By Root
• file_ownership_var_log_ocp_audit: OpenShift Audit Logs Must Be Owned By Root
• file_permissions_var_log_kube_audit: Kubernetes Audit Logs Must Have Mode 0600
• file_permissions_var_log_oauth_audit: OAuth Audit Logs Must Have Mode 0600
• file_permissions_var_log_ocp_audit: OpenShift Audit Logs Must Have Mode 0600
• rbac_limit_cluster_admin: Ensure that the cluster-admin role is only used where required

10.4.1.1: Automated mechanisms are used to perform audit log reviews.

Description: Potentially suspicious or anomalous activities are identified via a repeatable and consistent mechanism. This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.

• base

Automated: no

No rules selected

10.4.1: The audit logs are reviewed at least once daily.

Description: - All security events. - Logs of all system components that store, process, or transmit CHD and/or SAD. - Logs of all critical system components. - Logs of all servers and system components that perform security functions (for example, network security controls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers).

• base

Automated: no

No rules selected

10.4.2.1: The frequency of periodic log reviews for all other system components (not defined in Requirement 10.4.1) is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1

Description: Log reviews for lower-risk system components are performed at a frequency that addresses the entity's risk. This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.

• base

Automated: no

No rules selected

10.4.2: Logs of all other system components (those not specified in Requirement 10.4.1) are reviewed periodically.

Description: Potentially suspicious or anomalous activities for other system components (not included in 10.4.1) are reviewed in accordance with the entity's identified risk. This requirement is applicable to all other in-scope system components not included in Requirement 10.4.1.

• base

Automated: no

No rules selected

10.4.3: Exceptions and anomalies identified during the review process are addressed.

Description: Suspicious or anomalous activities are addressed.

• base

Automated: no

No rules selected

10.4: Audit logs are reviewed to identify anomalies or suspicious activity.

Description: None

• base

Automated: no

No rules selected

10.5.1: Retain audit log history for at least 12 months, with at least the most recent three months immediately available for analysis.

Description: Historical records of activity are available immediately to support incident response and are retained for at least 12 months.

• base

Automated: no

No rules selected

10.5: Audit log history is retained and available for analysis.

Description: None

• base

Automated: no

No rules selected

10.6.1: System clocks and time are synchronized using time-synchronization technology.

Description: Common time is established across all systems. Keeping time-synchronization technology current includes managing vulnerabilities and patching the technology according to PCI DSS Requirements 6.3.1 and 6.3.3.

• base

Automated: no

No rules selected

10.6.2: Systems are configured to the correct and consistent time.

Description: - One or more designated time servers are in use. - Only the designated central time server(s) receives time from external sources. - Time received from external sources is based on International Atomic Time or Coordinated Universal Time (UTC). - The designated time server(s) accept time updates only from specific industry-accepted external sources. - Where there is more than one designated time server, the time servers peer with one another to keep accurate time. - Internal systems receive time information only from designated central time server(s).

• base

Automated: no

No rules selected

10.6.3: Time synchronization settings and data are protected.

Description: - Access to time data is restricted to only personnel with a business need. - Any changes to time settings on critical systems are logged, monitored, and reviewed.

• base

Automated: no

No rules selected

10.6: Time-synchronization mechanisms support consistent time settings across all systems.

Description: None

• base

Automated: no

No rules selected

10.7.1: Additional requirement for service providers only: Failures of critical security control systems are detected, alerted, and addressed promptly.

Description: It includes but is not limited to failure of the following critical security control systems: - Network security controls. - IDS/IPS. - FIM. - Anti-malware solutions. - Physical access controls. - Logical access controls. - Audit logging mechanisms. - Segmentation controls (if used).

• base

Automated: no

No rules selected

10.7.2: Failures of critical security control systems are detected, alerted, and addressed promptly.

Description: It includes but is not limited to failure of the following critical security control systems: - Network security controls. - IDS/IPS. - Change-detection mechanisms. - Anti-malware solutions. - Physical access controls. - Logical access controls. - Audit logging mechanisms. - Segmentation controls (if used). - Audit log review mechanisms. - Automated security testing tools (if used).

• base

Automated: no

• alert_receiver_configured: Ensure the alert receiver is configured
• audit_error_alert_exists: Ensure that Audit Log Errors Emit Alerts

10.7.3: Failures of any critical security controls systems are responded to restore security functions, ensure documentation, address security issues and prevent other failures.

Description: It includes but is not limited to: - Restoring security functions. - Identifying and documenting the duration (date and time from start to end) of the security failure. - Identifying and documenting the cause(s) of failure and documenting required remediation. - Identifying and addressing any security issues that arose during the failure. - Determining whether further actions are required as a result of the security failure. - Implementing controls to prevent the cause of failure from reoccurring. - Resuming monitoring of security controls.

• base

Automated: no

No rules selected

10.7: Failures of critical security control systems are detected, reported, and responded to promptly.

Description: None

• base

Automated: no

• alert_receiver_configured: Ensure the alert receiver is configured
• audit_error_alert_exists: Ensure that Audit Log Errors Emit Alerts

11.1.1: All security policies and operational procedures that are identified in Requirement 11 are Documented, Kept up to date, In use and Known to all affected parties.

Description: None

• base

Automated: no

No rules selected

11.1.2: Roles and responsibilities for performing activities in Requirement 11 are documented, assigned, and understood.

Description: None

• base

Automated: no

No rules selected

11.1: Processes and mechanisms for regularly testing security of systems and networks are defined and understood.

Description: None

• base

Automated: no

No rules selected

11.2.1: Authorized and unauthorized wireless access points are managed.

Description: None

• base

Automated: no

No rules selected

11.2.2: An inventory of authorized wireless access points is maintained, including a documented business justification.

Description: Unauthorized wireless access points are not mistaken for authorized wireless access points.

• base

Automated: no

No rules selected

11.2: Wireless access points are identified and monitored, and unauthorized wireless access points are addressed.

Description: None

• base

Automated: no

No rules selected

11.3.1.1: All other applicable vulnerabilities (those not ranked as high-risk or critical per the entity's vulnerability risk rankings defined at Requirement 6.3.1) are managed

Description: None

• base

Automated: no

No rules selected

11.3.1.2: Internal vulnerability scans are performed via authenticated scanning.

Description: None

• base

Automated: no

No rules selected

11.3.1.3: Internal vulnerability scans are performed after any significant change.

Description: None

• base

Automated: no

No rules selected

11.3.1: Internal vulnerability scans are performed.

Description: None

• base

Automated: no

No rules selected

11.3.2.1: External vulnerability scans are performed after any significant change.

Description: None

• base

Automated: no

No rules selected

11.3.2: External vulnerability scans are performed.

Description: None

• base

Automated: no

No rules selected

11.3: External and internal vulnerabilities are regularly identified, prioritized, and addressed.

Description: None

• base

Automated: no

No rules selected

11.4.1: A penetration testing methodology is defined, documented, and implemented by the entity.

Description: None

• base

Automated: no

No rules selected

11.4.2: Internal penetration testing is performed.

Description: None

• base

Automated: no

No rules selected

11.4.3: External penetration testing is performed.

Description: None

• base

Automated: no

No rules selected

11.4.4: Exploitable vulnerabilities and security weaknesses found during penetration testing are corrected

Description: None

• base

Automated: no

No rules selected

11.4.5: If segmentation is used to isolate the CDE from other networks, penetration tests are performed on segmentation controls.

Description: None

• base

Automated: no

No rules selected

11.4.6: Additional requirement for service providers only: If segmentation is used to isolate the CDE from other networks, penetration tests are performed on segmentation controls.

Description: None

• base

Automated: no

No rules selected

11.4.7: Additional requirement for multi-tenant service providers only: Multi-tenant service providers support their customers for external penetration testing per Requirement 11.4.3 and 11.4.4.

Description: Multi-tenant service providers support their customers' need for technical testing either by providing access or evidence that comparable technical testing has been undertaken.

• base

Automated: no

No rules selected

11.4: External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected.

Description: None

• base

Automated: no

No rules selected

11.5.1.1: Additional requirement for service providers only: Intrusion-detection and/or intrusion-prevention techniques detect, alert on/prevent, and address covert malware communication channels.

Description: Mechanisms are in place to detect and alert/prevent covert communications with command-and-control systems. Alerts generated by these mechanisms are responded to by personnel, or by automated means that ensure that such communications are blocked. This requirement applies only when the entity being assessed is a service provider. This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.

• base

Automated: no

• acs_sensor_exists: Ensure that Advanced Cluster Security (ACS) Sensor is deployed

11.5.1: Intrusion-detection and/or intrusion-prevention techniques are used to detect and/or prevent intrusions into the network.

Description: None

• base

Automated: no

• acs_sensor_exists: Ensure that Advanced Cluster Security (ACS) Sensor is deployed

11.5: Network intrusions and unexpected file changes are detected and responded to.

Description: None

• base

Automated: yes

• acs_sensor_exists: Ensure that Advanced Cluster Security (ACS) Sensor is deployed

11.5.2: A change-detection mechanism (for example, file integrity monitoring tools) is deployed.

Description: None

• base

Automated: no

• file_integrity_exists: Ensure that File Integrity Operator is scanning the cluster
• file_integrity_notification_enabled: Ensure the notification is enabled for file integrity operator

11.6.1: A change- and tamper-detection mechanism is deployed.

Description: None

• base

Automated: no

No rules selected

11.6: Unauthorized changes on payment pages are detected and responded to.

Description: None

• base

Automated: no

No rules selected

12.1.1: An overall information security policy is established, published, maintained and disseminated to all relevant personnel, as well as to relevant vendors and business partners.

Description: None

• base

Automated: no

No rules selected

12.1.2: The information security policy is updated and reviewed at least once every 12 months.

Description: None

• base

Automated: no

No rules selected

12.1.3: The security policy clearly defines information security roles and responsibilities for all personnel, and all personnel are aware of and acknowledge their information security responsibilities.

Description: Personnel understand their role in protecting the entity's cardholder data.

• base

Automated: no

No rules selected

12.1.4: Responsibility for information security is formally assigned to a Chief Information Security Officer or other information security knowledgeable member of executive management.

Description: A designated member of executive management is responsible for information security.

• base

Automated: no

No rules selected

12.1: A comprehensive information security policy that governs and provides direction for protection of the entity's information assets is known and current.

Description: None

• base

Automated: no

No rules selected

12.2.1: Acceptable use policies for end-user technologies are documented and implemented.

Description: None

• base

Automated: no

No rules selected

12.2: Acceptable use policies for end-user technologies are defined and implemented.

Description: None

• base

Automated: no

No rules selected

12.3.1: Each PCI DSS requirement that provides flexibility for how frequently it is performed (for example, requirements to be performed periodically) is supported by a targeted risk analysis that is documented.

Description: None

• base

Automated: no

No rules selected

12.3.2: A targeted risk analysis is performed for each PCI DSS requirement that the entity meets with the customized approach

Description: None

• base

Automated: no

No rules selected

12.3.3: Cryptographic cipher suites and protocols in use are documented and reviewed at least once every 12 months.

Description: None

• base

Automated: no

No rules selected

12.3.4: Hardware and software technologies in use are reviewed at least once every 12 months.

Description: None

• base

Automated: no

No rules selected

12.3: Risks to the cardholder data environment are formally identified, evaluated, and managed.

Description: None

• base

Automated: no

No rules selected

12.4.1: Additional requirement for service providers only: Responsibility is established by executive management for the protection of cardholder data and a PCI DSS compliance program.

Description: None

• base

Automated: no

No rules selected

12.4.2.1: Additional requirement for service providers only: Reviews conducted in accordance with Requirement 12.4.2 are documented.

Description: None

• base

Automated: no

No rules selected

12.4.2: Additional requirement for service providers only: Reviews are performed at least once every three months to confirm that personnel are performing their tasks in accordance with all security policies and operational procedures.

Description: Reviews are performed by personnel other than those responsible for performing the given task.

• base

Automated: no

No rules selected

12.4: PCI DSS compliance is managed.

Description: None

• base

Automated: no

No rules selected

12.5.1: An inventory of system components that are in scope for PCI DSS, including a description of function/use, is maintained and kept current.

Description: All system components in scope for PCI DSS are identified and known.

• base

Automated: no

No rules selected

12.5.2.1: Additional requirement for service providers only: PCI DSS scope is documented and confirmed by the entity at least once every six months and upon significant change to the in-scope environment. At a minimum, the scoping validation includes all the elements specified in Requirement 12.5.2.

Description: The accuracy of PCI DSS scope is verified to be continuously accurate by comprehensive analysis and appropriate technical measures. This requirement applies only when the entity being assessed is a service provider. This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.

• base

Automated: no

No rules selected

12.5.2: PCI DSS scope is documented and confirmed by the entity at least once every 12 months and upon significant change to the in-scope environment.

Description: None

• base

Automated: no

No rules selected

12.5.3: Additional requirement for service providers only: Significant changes to organizational structure result in a documented (internal) review of the impact to PCI DSS scope and applicability of controls, with results communicated to executive management.

Description: PCI DSS scope is confirmed after significant organizational change. This requirement applies only when the entity being assessed is a service provider. This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.

• base

Automated: no

No rules selected

12.5: PCI DSS scope is documented and validated.

Description: None

• base

Automated: no

No rules selected

12.6.1: A formal security awareness program is implemented to make all personnel aware of the entity's information security policy and procedures, and their role in protecting the cardholder data.

Description: Personnel are knowledgeable about the threat landscape, their responsibility for the operation of relevant security controls, and are able to access assistance and guidance when required.

• base

Automated: no

No rules selected

12.6.2: The security awareness program is updated and reviewed at least once every 12 months.

Description: None

• base

Automated: no

No rules selected

12.6.3.1: Security awareness training includes awareness of threats and vulnerabilities that could impact the security of the CDE.

Description: None

• base

Automated: no

No rules selected

12.6.3.2: Security awareness training includes awareness about the acceptable use of end-user technologies in accordance with Requirement 12.2.1.

Description: Personnel are knowledgeable about their responsibility for the security and operation of end-user technologies and are able to access assistance and guidance when required. This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.

• base

Automated: no

No rules selected

12.6.3: Personnel receive security awareness training upon hire and at least once every 12 months via multiple methods of communication.

Description: None

• base

Automated: no

No rules selected

12.6: Security awareness education is an ongoing activity.

Description: None

• base

Automated: no

No rules selected

12.7.1: Potential personnel who will have access to the CDE are screened, within the constraints of local laws, prior to hire to minimize the risk of attacks from internal sources.

Description: The risk related to allowing new members of staff access to the CDE is understood and managed. For those potential personnel to be hired for positions such as store cashiers, who only have access to one card number at a time when facilitating a transaction, this requirement is a recommendation only.

• base

Automated: no

No rules selected

12.7: Personnel are screened to reduce risks from insider threats.

Description: None

• base

Automated: no

No rules selected

12.8.1: A list of all third-party service providers (TPSPs) with which account data is shared or that could affect the security of account data is maintained, including a description for each of the services provided.

Description: Records are maintained of TPSPs and the services provided. The use of a PCI DSS compliant TPSP does not make an entity PCI DSS compliant, nor does it remove the entit's responsibility for its own PCI DSS compliance.

• base

Automated: no

No rules selected

12.8.2: Written agreements with TPSPs are maintained

Description: None

• base

Automated: no

No rules selected

12.8.3: An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement.

Description: The capability, intent, and resources of a prospective TPSP to adequately protect account data are assessed before the TPSP is engaged.

• base

Automated: no

No rules selected

12.8.4: A program is implemented to monitor TPSPs' PCI DSS compliance status at least once every 12 months.

Description: The PCI DSS compliance status of TPSPs is verified periodically. Where an entity has an agreement with a TPSP for meeting PCI DSS requirements on behalf of the entity (for example, via a firewall service), the entity must work with the TPSP to make sure the applicable PCI DSS requirements are met. If the TPSP does not meet those applicable PCI DSS requirements, then those requirements are also "not in place" for the entity.

• base

Automated: no

No rules selected

12.8.5: Information is maintained about which PCI DSS requirements are managed by each TPSP, which are managed by the entity, and any that are shared between the TPSP and the entity.

Description: Records detailing the PCI DSS requirements and related system components for which each TPSP is solely or jointly responsible, are maintained and reviewed periodically.

• base

Automated: no

No rules selected

12.8: Risk to information assets associated with third-party service provider (TPSP) relationships is managed.

Description: None

• base

Automated: no

No rules selected

12.9.1: Additional requirement for service providers only: TPSPs acknowledge in writing to customers that they are responsible for the security of account data the TPSP possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer's CDE.

Description: TPSPs formally acknowledge their security responsibilities to their customers. This requirement applies only when the entity being assessed is a service provider. The exact wording of an acknowledgment will depend on the agreement between the two parties, the details of the service being provided, and the responsibilities assigned to each party. The acknowledgment does not have to include the exact wording provided in this requirement.

• base

Automated: no

No rules selected

12.9.2: Additional requirement for service providers only: TPSPs support their customers' requests for information to meet Requirements 12.8.4 and 12.8.5.

Description: None

• base

Automated: no

No rules selected

12.9: Third-party service providers (TPSPs) support their customers' PCI DSS compliance.

Description: None

• base

Automated: no

No rules selected

12.10.1: An incident response plan exists and is ready to be activated in the event of a suspected or confirmed security incident.

Description: None

• base

Automated: no

No rules selected

12.10.2: At least once every 12 months, the security incident response plan is reviewed, updated, and tested.

Description: None

• base

Automated: no

No rules selected

12.10.3: Specific personnel are designated to be available on a 24/7 basis to respond to suspected or confirmed security incidents.

Description: Incidents are responded to immediately where appropriate.

• base

Automated: no

No rules selected

12.10.4.1: The frequency of periodic training for incident response personnel is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.

Description: Incident response personnel are trained at a frequency that addresses the entity's risk. This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.

• base

Automated: no

No rules selected

12.10.4: Personnel responsible for responding to suspected and confirmed security incidents are appropriately and periodically trained on their incident response responsibilities.

Description: Personnel are knowledgeable about their role and responsibilities in incident response and are able to access assistance and guidance when required.

• base

Automated: no

No rules selected

12.10.5: The security incident response plan includes monitoring and responding to alerts from security monitoring systems.

Description: None

• base

Automated: no

No rules selected

12.10.6: The security incident response plan is modified and evolved according to lessons learned and to incorporate industry developments.

Description: The effectiveness and accuracy of the incident response plan is reviewed and updated after each invocation.

• base

Automated: no

No rules selected

12.10.7: Incident response procedures are in place, to be initiated upon the detection of stored PAN anywhere it is not expected.

Description: None

• base

Automated: no

No rules selected

12.10: Suspected and confirmed security incidents that could impact the CDE are responded to immediately.

Description: None

• base

Automated: no

No rules selected

A1.1.1: Logical separation is implemented.

Description: - The provider cannot access its customers' environments without authorization. - Customers cannot access the provider's environment without authorization.

• base

Automated: no

No rules selected

A1.1.2: Controls are implemented such that each customer only has permission to access its own cardholder data and CDE.

Description: Customers cannot access other customers' environments.

• base

Automated: no

No rules selected

A1.1.3: Controls are implemented such that each customer can only access resources allocated to them.

Description: Customers cannot impact resources allocated to other customers.

• base

Automated: no

No rules selected

A1.1.4: The effectiveness of logical separation controls used to separate customer environments is confirmed at least once every six months via penetration testing.

Description: Segmentation of customer environments from other environments is periodically validated to be effective. The testing of adequate separation between customers in a multi-tenant service provider environment is in addition to the penetration tests specified in Requirement 11.4.6. This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.

• base

Automated: no

No rules selected

A1.1: Multi-tenant service providers protect and separate all customer environments and data.

Description: None

• base

Automated: no

No rules selected

A1.2.1: Audit log capability is enabled for each customer's environment that is consistent with PCI DSS Requirement 10.

Description: None

• base

Automated: no

No rules selected

A1.2.2: Processes or mechanisms are implemented to support and/or facilitate prompt forensic investigations in the event of a suspected or confirmed security incident for any customer.

Description: Forensic investigation is readily available to all customers in the event of a suspected or confirmed security incident.

• base

Automated: no

No rules selected

A1.2.3: Processes or mechanisms are implemented for reporting and addressing suspected or confirmed security incidents and vulnerabilities.

Description: None

• base

Automated: no

No rules selected

A1.2: Multi-tenant service providers facilitate logging and incident response for all customers.

Description: None

• base

Automated: no

No rules selected

A2.1.1: Where POS POI terminals at the merchant or payment acceptance location use SSL and/or early TLS, the entity confirms the devices are not susceptible to any known exploits for those protocols.

Description: None

• base

Automated: no

No rules selected

A2.1.2: Additional requirement for service providers only: All service providers with existing connection points to POS POI terminals that use SSL and/or early TLS as defined in A2.1 have a formal Risk Mitigation and Migration Plan in place.

Description: None

• base

Automated: no

No rules selected

A2.1.3: Additional requirement for service providers only: All service providers provide a secure service offering.

Description: This requirement is not eligible for the customized approach. This requirement applies only when the entity being assessed is a service provider.

• base

Automated: no

No rules selected

A2.1: POI terminals using SSL and/or early TLS are confirmed as not susceptible to known SSL/TLS exploits.

Description: Appendix A2: Additional PCI DSS Requirements for Entities Using SSL/Early TLS for Card-Present POS POI Terminal Connections.

• base

Automated: no

No rules selected

A3.1.1: Responsibility is established by executive management for the protection of account data and a PCI DSS compliance program.

Description: None

• base

Automated: no

No rules selected

A3.1.2: A formal PCI DSS compliance program is in place.

Description: None

• base

Automated: no

No rules selected

A3.1.3: PCI DSS compliance roles and responsibilities are specifically defined and formally assigned to one or more personnel.

Description: None

• base

Automated: no

No rules selected

A3.1.4: Up-to-date PCI DSS and/or information security training is provided at least once every 12 months to personnel with PCI DSS compliance responsibilities (as identified in A3.1.3).

Description: None

• base

Automated: no

No rules selected

A3.1: A PCI DSS compliance program is implemented.

Description: Appendix A3: Designated Entities Supplemental Validation (DESV)

• base

Automated: no

No rules selected

A3.2.1: PCI DSS scope is documented and confirmed for accuracy at least once every three months and upon significant changes to the in-scope environment.

Description: None

• base

Automated: no

No rules selected

A3.2.2.1: Upon completion of a change, all relevant PCI DSS requirements are confirmed to be implemented on all new or changed systems and networks, and documentation is updated as applicable.

Description: None

• base

Automated: no

No rules selected

A3.2.2: PCI DSS scope impact for all changes to systems or networks is determined, including additions of new systems and new network connections.

Description: None

• base

Automated: no

No rules selected

A3.2.3: Changes to organizational structure result in a formal (internal) review of the impact to PCI DSS scope and applicability of controls.

Description: None

• base

Automated: no

No rules selected

A3.2.4: If segmentation is used, PCI DSS scope is confirmed.

Description: None

• base

Automated: no

No rules selected

A3.2.5.1: Data discovery methods are confirmed.

Description: None

• base

Automated: no

No rules selected

A3.2.5.2: Response procedures are implemented to be initiated upon the detection of cleartext PAN outside the CDE.

Description: None

• base

Automated: no

No rules selected

A3.2.5: A data-discovery methodology is implemented.

Description: None

• base

Automated: no

No rules selected

A3.2.6.1: Response procedures are implemented to be initiated upon the detection of attempts to remove cleartext PAN from the CDE via an unauthorized channel, method, or process.

Description: None

• base

Automated: no

No rules selected

A3.2.6: Mechanisms are implemented for detecting and preventing cleartext PAN from leaving the CDE via an unauthorized channel, method, or process.

Description: None

• base

Automated: no

No rules selected

A3.2: PCI DSS scope is documented and validated.

Description: None

• base

Automated: no

No rules selected

A3.3.1.2: Failures of any critical security control systems are responded to promptly.

Description: None

• base

Automated: no

No rules selected

A3.3.1: Failures of critical security control systems are detected, alerted, and addressed promptly.

Description: None

• base

Automated: no

No rules selected

A3.3.2: Hardware and software technologies are reviewed at least once every 12 months to confirm whether they continue to meet the organization's PCI DSS requirements.

Description: None

• base

Automated: no

No rules selected

A3.3.3: Reviews are performed at least once every three months to verify BAU activities are being followed.

Description: Reviews are performed by personnel assigned to the PCI DSS compliance program (as identified in A3.1.3).

• base

Automated: no

No rules selected

A3.3: PCI DSS is incorporated into business-as-usual (BAU) activities.

Description: None

• base

Automated: no

No rules selected

A3.4.1: User accounts and access privileges to in-scope system components are reviewed at least once every six months to ensure user accounts and access privileges remain appropriate based on job function, and that all access is authorized.

Description: None

• base

Automated: no

No rules selected

A3.4: Logical access to the cardholder data environment is controlled and managed.

Description: None

• base

Automated: no

No rules selected

A3.5.1: A methodology is implemented for the prompt identification of attack patterns and undesirable behavior across systems.

Description: None

• base

Automated: no

No rules selected

A3.5: Suspicious events are identified and responded to.

Description: None

• base

Automated: no

No rules selected