Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: yes
Selections:Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: An accurate data-flow diagram(s) is maintained that meets the following: - Shows all account data flows across systems and networks - Updated as needed upon changes to the environment
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: yes
Selections:Description: NSC configurations that allow or restrict access to trusted networks are verified periodically to ensure that only authorized connections with a current business justification are permitted.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: yes
Selections:Description: None
Levels:Automated: yes
Selections:Description: Inbound traffic to the CDE is restricted as follows: - To only traffic that is necessary. - All other traffic is specifically denied.
Levels:Automated: yes
Selections:Description: Outbound traffic from the CDE is restricted as follows: - To only traffic that is necessary. - All other traffic is specifically denied.
Levels:Automated: no
No rules selected
Description: NSCs are installed between all wireless networks and the CDE, regardless of whether the wireless network is a CDE, such that: - All wireless traffic from wireless networks into the CDE is denied by default. - Only wireless traffic with an authorized business purpose is allowed into the CDE.
Levels:Automated: yes
Selections:Description: None
Levels:Automated: no
Selections:Description: Unauthorized traffic cannot traverse network boundaries between trusted and untrusted networks.
Levels:Automated: yes
Selections:Description: Inbound traffic from untrusted networks to trusted networks is restricted to: - Communications with system components that are authorized to provide publicly accessible services, protocols, and ports. - Stateful responses to communications initiated by system components in a trusted network. - All other traffic is denied.
Levels:Automated: no
Selections:Description: None
Levels:Automated: no
Selections:Description: None
Levels:Automated: no
No rules selected
Description: Internal network information is protected from unauthorized disclosure.
Levels:Automated: yes
Selections:Description: None
Levels:Automated: no
Selections:Description: Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks (including the Internet) and the CDE as follows: - Specific configuration settings are defined to prevent threats being introduced into the entity's network. - Security controls are actively running. - Security controls are not alterable by users of the computing devices unless specifically documented and authorized by management on a case-by-case basis for a limited period.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: Day-to-day responsibilities for performing all the activities in Requirement 2 are allocated. Personnel are accountable for successful, continuous operation of these requirements.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: Configuration standards are developed, implemented, and maintained to: - Cover all system components. - Address all known security vulnerabilities. - Be consistent with industry-accepted system hardening standards or vendor hardening recommendations. - Be updated as new vulnerability issues are identified, as defined in Requirement 6.3.1. - Be applied when new systems are configured and verified as in place before or immediately after a system component is connected to a production environment.
Levels:Automated: no
Selections:Description: Vendor default accounts are managed as follows: - If the vendor default account(s) will be used, the default password is changed per Requirement 8.3.6. - If the vendor default account(s) will not be used, the account is removed or disabled.
Levels:Automated: yes
Selections:Description: None
Levels:Automated: no
No rules selected
Description: System components cannot be compromised by exploiting unnecessary functionality present in the system component.
Levels:Automated: yes
Selections:Description: If any insecure services, protocols, or daemons are present: - Business justification is documented. - Additional security features are documented and implemented that reduce the risk of using insecure services, protocols, or daemons.
Levels:Automated: no
No rules selected
Description: System components cannot be compromised because of incorrect security parameter configuration.
Levels:Automated: yes
Selections:Description: Cleartext administrative authorization factors cannot be read or intercepted from any network transmissions. This includes administrative access via browser-based interfaces and application programming interfaces (APIs).
Levels:Automated: yes
Selections:Description: None
Levels:Automated: no
Selections:Description: For wireless environments connected to the CDE or transmitting account data, all wireless vendor defaults are changed at installation or are confirmed to be secure, including but not limited to: - Default wireless encryption keys. - Passwords on wireless access points. - SNMP defaults. - Any other security-related wireless vendor defaults.
Levels:Automated: no
No rules selected
Description: For wireless environments connected to the CDE or transmitting account data, wireless encryption keys are changed
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: Account data storage is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes that include at least the following: - Coverage for all locations of stored account data. - Coverage for any sensitive authentication data (SAD) stored prior to completion of authorization. - Limiting data storage amount and retention time to that which is required for legal or regulatory, and/or business requirements. - Specific retention requirements for stored account data that defines length of retention period and includes a documented business justification. - Processes for secure deletion or rendering account data unrecoverable when no longer needed per the retention policy. - A process for verifying, at least once every three months, that stored account data exceeding the defined retention period has been securely deleted or rendered unrecoverable.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: This requirement is not eligible for the customized approach. In the normal course of business, the following data elements from the track may need to be retained: - Cardholder name. - Primary account number (PAN). - Expiration date. - Service code. To minimize risk, store securely only these data elements as needed for business.
Levels:Automated: no
Selections:Description: This requirement is not eligible for the customized approach. The card verification code is the three- or four-digit number printed on the front or back of a payment card used to verify card-not-present transactions.
Levels:Automated: no
No rules selected
Description: This requirement is not eligible for the customized approach. PIN blocks are encrypted during the natural course of transaction processes, but even if an entity encrypts the PIN block again, it is still not allowed to be stored after the completion of the authorization process.
Levels:Automated: no
No rules selected
Description: This requirement is not eligible for the customized approach. This requirement does not apply to issuers and companies that support issuing services (where SAD is needed for a legitimate issuing business need) and have a business justification to store the sensitive authentication data. Refer to Requirement 3.3.3 for additional requirements specifically for issuers. Sensitive authentication data includes the data cited in Requirements 3.3.1.1 through 3.3.1.3.
Levels:Automated: no
Selections:Description: This requirement is not eligible for the customized approach. Whether SAD is permitted to be stored prior to authorization is determined by the organizations that manage compliance programs (for example, payment brands and acquirers). Contact the organizations of interest for any additional criteria. This requirement applies to all storage of SAD, even if no PAN is present in the environment. Refer to Requirement 3.2.1 for an additional requirement that applies if SAD is stored prior to completion of authorization. Issuers and companies that support issuing services, where there is a legitimate and documented business need to store SAD, are not required to meet this requirement. A legitimate business need is one that is necessary for the performance of the function being provided by or for the issuer. Refer to Requirement 3.3.3 for requirements specifically for issuers. This requirement does not replace how PIN blocks are required to be managed, nor does it mean that a properly encrypted PIN block needs to be encrypted again.
Levels:Automated: no
No rules selected
Description: Additional requirement for issuers and companies that support issuing services and store sensitive authentication data: Any storage of sensitive authentication data is: - Limited to that which is needed for a legitimate issuing business need and is secured. - Encrypted using strong cryptography. This bullet is a best practice until until 31 March 2025, after which it will be required as part of Requirement 3.3.3 and must be fully considered during a PCI DSS assessment.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
Selections:Description: PAN displays are restricted to the minimum number of digits necessary to meet a defined business need. This requirement does not supersede stricter requirements in place for displays of cardholder data — for example, legal or payment brand requirements for point-of-sale (POS) receipts. This requirement relates to protection of PAN where it is displayed on screens, paper receipts, printouts, etc., and is not to be confused with Requirement 3.5.1 for protection of PAN when stored, processed, or transmitted.
Levels:Automated: no
No rules selected
Description: PAN cannot be copied or relocated by unauthorized personnel using remote-access technologies. Storing or relocating PAN onto local hard drives, removable electronic media, and other storage devices brings these devices into scope for PCI DSS. This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
Levels:Automated: yes
Selections:Description: None
Levels:Automated: yes
Selections:Description: All Applicability Notes for Requirement 3.5.1 also apply to this requirement. Key-management processes and procedures (Requirements 3.6 and 3.7) do not apply to system components used to generate individual keyed hashes of a PAN for comparison to another system if: - The system components only have access to one hash value at a time (hash values are not stored on the system) AND - There is no other account data stored on the same system as the hashes. This requirement is considered a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment. This requirement will replace the bullet in Requirement 3.5.1 for one-way hashes once its effective date is reached.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: yes
Selections:Description: If disk-level or partition-level encryption is used (rather than file-, column-, or field--level database encryption) to render PAN unreadable, it is managed as follows: - Logical access is managed separately and independently of native operating system authentication and access control mechanisms. - Decryption keys are not associated with user accounts. - Authentication factors (passwords, passphrases, or cryptographic keys) that allow access to unencrypted data are stored securely.
Levels:Automated: no
No rules selected
Description: PAN is rendered unreadable anywhere it is stored by using any of the following approaches: - One-way hashes based on strong cryptography of the entire PAN. - Truncation (hashing cannot be used to replace the truncated segment of PAN). - If hashed and truncated versions of the same PAN, or different truncation formats of the same PAN, are present in an environment, additional controls are in place such that the different versions cannot be correlated to reconstruct the original PAN. - Indexes tokens. - Strong cryptography with associated key-management processes and procedures.
Levels:Automated: no
Selections:Description: None
Levels:Automated: no
Selections:Description: Additional requirement for service providers only: A documented description of the cryptographic architecture is maintained that includes: - Details of all algorithms, protocols, and keys used for the protection of stored account data, including key strength and expiry date. - Preventing the use of the same cryptographic keys in production and test environments. This bullet is a best practice until 31 March 2025, after which it will be required as part of Requirement 3.6.1.1 and must be fully considered during a PCI DSS assessment. - Description of the key usage for each key. - Inventory of any hardware security modules (HSMs), key management systems (KMS), and other secure cryptographic devices (SCDs) used for key management, including type and location of devices, as outlined in Requirement 12.3.4.
Levels:Automated: no
No rules selected
Description: Secret and private keys used to encrypt/decrypt stored account data are stored in one (or more) of the following forms at all times: - Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key. - Within a secure cryptographic device (SCD), such as a hardware security module (HSM) or PTS-approved point-of-interaction device. - As at least two full-length key components or key shares, in accordance with an industry-accepted method. Secret and private keys are stored in a secure form that prevents unauthorized retrieval or access. It is not required that public keys be stored in one of these forms. Cryptographic keys stored as part of a key management system (KMS) that employs SCDs are acceptable. A cryptographic key that is split into two parts does not meet this requirement. Secret or private keys stored as key components or key shares must be generated via one of the following
Levels:Automated: no
No rules selected
Description: Access to cleartext cryptographic key components is restricted to necessary personnel.
Levels:Automated: no
No rules selected
Description: Cryptographic keys are retained only where necessary.
Levels:Automated: no
No rules selected
Description: Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure and misuse that include: - Access to keys is restricted to the fewest number of custodians necessary. - Key-encrypting keys are at least as strong as the data-encrypting keys they protect. - Key-encrypting keys are stored separately from data-encrypting keys. - Keys are stored securely in the fewest possible locations and forms.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: Strong cryptographic keys are generated.
Levels:Automated: no
No rules selected
Description: Cryptographic keys are secured during distribution.
Levels:Automated: no
No rules selected
Description: Cryptographic keys are secured when stored.
Levels:Automated: no
No rules selected
Description: Key management policies and procedures are implemented for cryptographic key changes for keys that have reached the end of their cryptoperiod, as defined by the associated application vendor or key owner, and based on industry best practices and guidelines, including the following: - A defined cryptoperiod for each key type in use. - A process for key changes at the end of the defined cryptoperiod.
Levels:Automated: no
No rules selected
Description: Key management policies procedures are implemented to include the retirement, replacement, or destruction of keys used to protect stored account data, as deemed necessary when: - The key has reached the end of its defined cryptoperiod. - The integrity of the key has been weakened, including when personnel with knowledge of a cleartext key component leaves the company, or the role for which the key component was known. - The key is suspected of or known to be compromised. - Retired or replaced keys are not used for encryption operations.
Levels:Automated: no
No rules selected
Description: Cleartext secret or private keys cannot be known by anyone. Operations involving cleartext keys cannot be carried out by a single person. This control is applicable for manual key-management operations or where key management is not controlled by the encryption product. A cryptographic key that is simply split into two parts does not meet this requirement. Secret or private keys stored as key components or key shares must be generated via one of the following
Levels:Automated: no
No rules selected
Description: Cryptographic keys cannot be substituted by unauthorized personnel.
Levels:Automated: no
No rules selected
Description: Key custodians are knowledgeable about their responsibilities in relation to cryptographic operations and can access assistance and guidance when required.
Levels:Automated: no
No rules selected
Description: Customers are provided with appropriate key management guidance whenever they receive shared cryptographic keys. This requirement applies only when the entity being assessed is a service provider.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: All keys and certificates used to protect PAN during transmission are identified and confirmed as trusted. This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
Levels:Automated: no
No rules selected
Description: Cleartext PAN cannot be read or intercepted from wireless network transmissions.
Levels:Automated: no
No rules selected
Description: Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks: - Only trusted keys and certificates are accepted. - Certificates used to safeguard PAN during transmission over open, public networks are confirmed as valid and are not expired or revoked. This bullet is a best practice until 31 March 2025, after which it will be required as part of Requirement 4.2.1 and must be fully considered during a PCI DSS assessment. - The protocol in use supports only secure versions or configurations and does not support fallback to, or use of insecure versions, algorithms, key sizes, or implementations. - The encryption strength is appropriate for the encryption methodology in use.
Levels:Automated: no
No rules selected
Description: Cleartext PAN cannot be read or intercepted from transmissions using end-user messaging technologies. This requirement also applies if a customer, or other third-party, requests that PAN is sent to them via end-user messaging technologies. There could be occurrences where an entity receives unsolicited cardholder data via an insecure communication channel that was not intended for transmissions of sensitive data. In this situation, the entity can choose to either include the channel in the scope of their CDE and secure it according to PCI DSS or delete the cardholder data and implement measures to prevent the channel from being used for cardholder data.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: Automated mechanisms are implemented to prevent systems from becoming an attack vector for malware.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: Systems not known to be at risk from malware are re-evaluated at a frequency that addresses the entity's risk. This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
Levels:Automated: no
No rules selected
Description: Any system components that are not at risk for malware are evaluated periodically to include the following: - A documented list of all system components not at risk for malware. - Identification and evaluation of evolving malware threats for those system components. - Confirmation whether such system components continue to not require anti-malware protection.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: yes
No rules selected
Description: Anti-malware mechanisms can detect and address the latest malware threats.
Levels:Automated: no
No rules selected
Description: Scans by the malware solution are performed at a frequency that addresses the entity's risk. This requirement applies to entities conducting periodic malware scans to meet Requirement 5.3.2. This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: Historical records of anti-malware actions are immediately available and retained for at least 12 months.
Levels:Automated: no
No rules selected
Description: Anti-malware mechanisms cannot be modified by unauthorized personnel.Anti-malware solutions may be temporarily disabled only if there is a legitimate technical need, as authorized by management on a case-by-case basis. If anti-malware protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period during which anti-malware protection is not active.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: Mechanisms are in place to protect against and mitigate risk posed by phishing attacks. The focus of this requirement is on protecting personnel with access to system components in-scope for PCI DSS. Meeting this requirement for technical and automated controls to detect and protect personnel against phishing is not the same as Requirement 12.6.3.1 for security awareness training. Meeting this requirement does not also meet the requirement for providing personnel with security awareness training, and vice versa. This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: Bespoke and custom software are developed securely, as follows: - Based on industry standards and/or best practices for secure development. - In accordance with PCI DSS (for example, secure authentication and logging). - Incorporating consideration of information security issues during each stage of the software development lifecycle.
Levels:Automated: no
No rules selected
Description: Software development personnel working on bespoke and custom software are trained at least once every 12 months as follows: - On software security relevant to their job function and development languages. - Including secure software design and secure coding techniques. - Including, if security testing tools are used, how to use the tools for detecting vulnerabilities in software.
Levels:Automated: no
No rules selected
Description: If manual code reviews are performed for bespoke and custom software prior to release to production code changes are: - Reviewed by individuals other than the originating code author, and who are knowledgeable about code-review techniques and secure coding practices. - Reviewed and approved by management prior to release.
Levels:Automated: no
No rules selected
Description: Bespoke and custom software is reviewed prior to being released into production or to customers, to identify and correct potential coding vulnerabilities, as follows: - Code reviews ensure code is developed according to secure coding guidelines. - Code reviews look for both existing and emerging software vulnerabilities. - Appropriate corrections are implemented prior to release.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: Known vulnerabilities in third-party software components cannot be exploited in bespoke and custom software.This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
Levels:Automated: no
No rules selected
Description: All system components are protected from known vulnerabilities by installing applicable security patches/updates as follows: - Patches/updates for critical vulnerabilities (identified according to the risk ranking process at Requirement 6.3.1) are installed within one month of release. - All other applicable security patches/updates are installed within an appropriate time frame as determined by the entity's assessment of the criticality of the risk to the environment as identified according to the risk ranking process at Requirement 6.3.1.
Levels:Automated: yes
Selections:Description: None
Levels:Automated: yes
Selections:Description: For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks as follows: - Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods as follows: - At least once every 12 months and after significant changes. - By an entity that specializes in application security. - Including, at a minimum, all common software attacks in Requirement 6.2.4. - All vulnerabilities are ranked in accordance with requirement 6.3.1. - All vulnerabilities are corrected. - The application is re-evaluated after the corrections OR - Installing an automated technical solution(s) that continually detects and prevents web-based attacks as follows: - Installed in front of public-facing web applications to detect and prevent web-based attacks. - Actively running and up to date as applicable. - Generating audit logs. - Configured to either block web-based attacks or generate an alert that is immediately investigated.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: All payment page scripts that are loaded and executed in the consumer's browser are managed as follows: - A method is implemented to confirm that each script is authorized. - A method is implemented to assure the integrity of each script. - An inventory of all scripts is maintained with written business or technical justification as to why each is necessary.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: All system components are verified after a significant change to be compliant with the applicable PCI DSS requirements.These significant changes should also be captured and reflected in the entity's annual PCI DSS scope confirmation activity per Requirement 12.5.2.
Levels:Automated: no
No rules selected
Description: Pre-production environments cannot introduce risks and vulnerabilities into production environments.
Levels:Automated: no
No rules selected
Description: Job roles and accountability that differentiate between pre-production and production activities are defined and managed to minimize the risk of unauthorized, unintentional, or inappropriate actions. In environments with limited personnel where individuals perform multiple roles or functions, this same goal can be achieved with additional procedural controls that provide accountability. For example, a developer may also be an administrator that uses an administrator-level account with elevated privileges in the development environment and, for their developer role, they use a separate account with user-level access to the production environment.
Levels:Automated: no
No rules selected
Description: Live PANs cannot be present in pre-production environments outside the CDE.s
Levels:Automated: no
No rules selected
Description: Test data and test accounts cannot exist in production environments.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: An access control model is defined and includes granting access as follows: - Appropriate access depending on the entity's business and access needs. - Access to system components and data resources that is based on users' job classification and functions. - The least privileges required (for example, user, administrator) to perform a job function.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: Access privileges cannot be granted to users without appropriate, documented authorization.
Levels:Automated: no
No rules selected
Description: All user accounts and related access privileges, including third-party/vendor accounts, are reviewed as follows: - At least once every six months. - To ensure user accounts and access remain appropriate based on job function. - Any inappropriate access is addressed. - Management acknowledges that access remains appropriate.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: All application and system accounts and related access privileges are assigned and managed as follows: - Based on the least privileges necessary for the operability of the system or application. - Access is limited to the systems, applications, or processes that specifically require their use.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: Access rights and privileges are managed via mechanisms intended for that purpose.
Levels:Automated: no
No rules selected
Description: Individual account access rights and privileges to systems, applications, and data are only inherited from group membership.
Levels:Automated: no
No rules selected
Description: Access rights and privileges are prohibited unless expressly permitted.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: All actions by all users are attributable to an individual. This requirement is not intended to apply to user accounts within point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction (such as IDs used by cashiers on point-of-sale terminals).
Levels:Automated: no
Selections:Description: - ID use is prevented unless needed for an exceptional circumstance. - Use is limited to the time needed for the exceptional circumstance. - Business justification for use is documented. - Use is explicitly approved by management. - Individual user identity is confirmed before access to an account is granted. - Every action taken is attributable to an individual user.
Levels:Automated: yes
Selections:Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: The accounts of terminated users cannot be used.
Levels:Automated: no
No rules selected
Description: Inactive user accounts cannot be used.
Levels:Automated: yes
Selections:Description: None
Levels:Automated: no
No rules selected
Description: A user session cannot be used except by the authorized user. This requirement is not intended to apply to user accounts on point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction (such as IDs used by cashiers on point-of-sale terminals). This requirement is not meant to prevent legitimate activities from being performed while the console/PC is unattended.
Levels:Automated: yes
Selections:Description: None
Levels:Automated: no
Selections:Description: None
Levels:Automated: yes
Selections:Description: Cleartext authentication factors cannot be obtained, derived, or reused from the interception of communications or from stored data.
Levels:Automated: yes
Selections:Description: Unauthorized individuals cannot gain system access by impersonating the identity of an authorized user.
Levels:Automated: no
No rules selected
Description: - Locking out the user ID after not more than 10 attempts. - Setting the lockout duration to a minimum of 30 minutes or until the user's identity is confirmed.
Levels:Automated: yes
Selections:Description: - Set to a unique value for first-time use and upon reset. - Forced to be changed immediately after the first use.
Levels:Automated: yes
Selections:Description: - A minimum length of 12 characters (or IF the system does not support 12 characters, a minimum length of eight characters). - Contain both numeric and alphabetic characters. A guessed password/passphrase cannot be verified by either an online or offline brute force attack.
Levels:Automated: yes
Selections:Description: A previously used password cannot be used to gain access to an account for at least 12 months.
Levels:Automated: yes
Selections:Description: None
Levels:Automated: no
No rules selected
Description: If passwords/passphrases are used as the only authentication factor for user access (i.e., in any single-factor authentication implementation) then either: - Passwords/passphrases are changed at least once every 90 days, OR - The security posture of accounts is dynamically analyzed, and real-time access to resources is automatically determined accordingly.
Levels:Automated: yes
Selections:Description: None
Levels:Automated: yes
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
Selections:Description: None
Levels:Automated: no
No rules selected
Description: Access into the CDE cannot be obtained by the use of a single authentication factor.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: - The MFA system is not susceptible to replay attacks. - MFA systems cannot be bypassed by any users, including administrative users unless specifically documented, and authorized by management on an exception basis, for a limited time period. - At least two different types of authentication factors are used. - Success of all authentication factors is required before access is granted.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: - Interactive use is prevented unless needed for an exceptional circumstance. - Interactive use is limited to the time needed for the exceptional circumstance. - Business justification for interactive use is documented. - Interactive use is explicitly approved by management. - Individual user identity is confirmed before access to account is granted. - Every action taken is attributable to an individual user.
Levels:Automated: yes
Selections:Description: Passwords/passphrases used by application and system accounts cannot be used by unauthorized personnel.
Levels:Automated: no
No rules selected
Description: - Passwords/passphrases are changed periodically (at the frequency defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1) and upon suspicion or confirmation of compromise. - Passwords/passphrases are constructed with sufficient complexity appropriate for how frequently the entity changes the passwords/passphrases.
Levels:Automated: yes
No rules selected
Description: None
Levels:Automated: yes
Selections:Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: System components in the CDE cannot be physically accessed by unauthorized personnel.
Levels:Automated: no
No rules selected
Description: Unauthorized devices cannot connect to the entity's network from public areas within the facility.
Levels:Automated: no
No rules selected
Description: Physical networking equipment cannot be accessed by unauthorized personnel.
Levels:Automated: no
No rules selected
Description: Physical consoles within sensitive areas cannot be used by unauthorized personnel.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: Visitor identification or badges cannot be reused after expiration.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: Offline backups cannot be accessed by unauthorized personnel.
Levels:Automated: no
No rules selected
Description: The security controls protecting offline backups are verified periodically by inspection.
Levels:Automated: no
No rules selected
Description: Media with cardholder data cannot be accessed by unauthorized personnel.
Levels:Automated: no
No rules selected
Description: Media are classified and protected appropriately.
Levels:Automated: no
No rules selected
Description: Media is secured and tracked when transported outside the facility. - Media sent outside the facility is logged. - Media is sent by secured courier or other delivery method that can be accurately tracked. - Offsite tracking logs include details about media location.
Levels:Automated: no
No rules selected
Description: Media cannot leave a facility without the approval of accountable personnel. Individuals approving media movements should have the appropriate level of management authority to grant this approval. However, it is not specifically required that such individuals have "manager" as part of their title.
Levels:Automated: no
No rules selected
Description: Media inventories are verified periodically.
Levels:Automated: no
No rules selected
Description: Accurate inventories of stored electronic media are maintained.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: - The electronic media is destroyed. - The cardholder data is rendered unrecoverable so that it cannot be reconstructed.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: POI devices are inspected at a frequency that addresses the entity's risk. This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
Levels:Automated: no
No rules selected
Description: Point of Interaction Devices cannot be tampered with, substituted without authorization, or have skimming attachments installed without timely detection.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: Records of all individual user access to cardholder data are captured.
Levels:Automated: no
No rules selected
Description: Records of all actions performed by individuals with elevated privileges are captured.
Levels:Automated: no
Selections:Description: Records of all access to audit logs are captured.
Levels:Automated: yes
Selections:Description: Records of all invalid access attempts are captured.
Levels:Automated: yes
Selections:Description: None
Levels:Automated: yes
Selections:Description: None
Levels:Automated: no
No rules selected
Description: Records of alterations that indicate a system has been modified from its intended functionality are captured.
Levels:Automated: no
Selections:Description: Records of all activities affecting system components and cardholder data are captured.
Levels:Automated: yes
Selections:Description: - User identification. - Type of event. - Date and time. - Success and failure indication. - Origination of event. - Identity or name of affected data, system component, resource, or service (for example, name and protocol).
Levels:Automated: yes
Selections:Description: None
Levels:Automated: no
Selections:Description: Stored activity records cannot be accessed by unauthorized personnel.
Levels:Automated: yes
Selections:Description: Stored activity records cannot be modified by personnel.
Levels:Automated: yes
Selections:Description: Stored activity records are secured and preserved in a central location to prevent unauthorized modification.
Levels:Automated: no
Selections:Description: Stored activity records cannot be modified without an alert being generated.
Levels:Automated: yes
Selections:Description: None
Levels:Automated: no
Selections:Description: Potentially suspicious or anomalous activities are identified via a repeatable and consistent mechanism. This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
Levels:Automated: no
No rules selected
Description: - All security events. - Logs of all system components that store, process, or transmit CHD and/or SAD. - Logs of all critical system components. - Logs of all servers and system components that perform security functions (for example, network security controls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers).
Levels:Automated: no
No rules selected
Description: Log reviews for lower-risk system components are performed at a frequency that addresses the entity's risk. This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
Levels:Automated: no
No rules selected
Description: Potentially suspicious or anomalous activities for other system components (not included in 10.4.1) are reviewed in accordance with the entity's identified risk. This requirement is applicable to all other in-scope system components not included in Requirement 10.4.1.
Levels:Automated: no
No rules selected
Description: Suspicious or anomalous activities are addressed.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: Historical records of activity are available immediately to support incident response and are retained for at least 12 months.
Levels:Automated: yes
Selections:Description: None
Levels:Automated: yes
Selections:Description: Common time is established across all systems. Keeping time-synchronization technology current includes managing vulnerabilities and patching the technology according to PCI DSS Requirements 6.3.1 and 6.3.3.
Levels:Automated: yes
Selections:Description: - One or more designated time servers are in use. - Only the designated central time server(s) receives time from external sources. - Time received from external sources is based on International Atomic Time or Coordinated Universal Time (UTC). - The designated time server(s) accept time updates only from specific industry-accepted external sources. - Where there is more than one designated time server, the time servers peer with one another to keep accurate time. - Internal systems receive time information only from designated central time server(s).
Levels:Automated: yes
Selections:Description: - Access to time data is restricted to only personnel with a business need. - Any changes to time settings on critical systems are logged, monitored, and reviewed.
Levels:Automated: yes
Selections:Description: None
Levels:Automated: yes
Selections:Description: It includes but is not limited to failure of the following critical security control systems: - Network security controls. - IDS/IPS. - FIM. - Anti-malware solutions. - Physical access controls. - Logical access controls. - Audit logging mechanisms. - Segmentation controls (if used).
Levels:Automated: no
No rules selected
Description: It includes but is not limited to failure of the following critical security control systems: - Network security controls. - IDS/IPS. - Change-detection mechanisms. - Anti-malware solutions. - Physical access controls. - Logical access controls. - Audit logging mechanisms. - Segmentation controls (if used). - Audit log review mechanisms. - Automated security testing tools (if used).
Levels:Automated: no
Selections:Description: It includes but is not limited to: - Restoring security functions. - Identifying and documenting the duration (date and time from start to end) of the security failure. - Identifying and documenting the cause(s) of failure and documenting required remediation. - Identifying and addressing any security issues that arose during the failure. - Determining whether further actions are required as a result of the security failure. - Implementing controls to prevent the cause of failure from reoccurring. - Resuming monitoring of security controls.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
Selections:Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: Unauthorized wireless access points are not mistaken for authorized wireless access points.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: Multi-tenant service providers support their customers' need for technical testing either by providing access or evidence that comparable technical testing has been undertaken.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: Mechanisms are in place to detect and alert/prevent covert communications with command-and-control systems. Alerts generated by these mechanisms are responded to by personnel, or by automated means that ensure that such communications are blocked. This requirement applies only when the entity being assessed is a service provider. This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: yes
No rules selected
Description: None
Levels:Automated: yes
Selections:Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: Personnel understand their role in protecting the entity's cardholder data.
Levels:Automated: no
No rules selected
Description: A designated member of executive management is responsible for information security.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: Reviews are performed by personnel other than those responsible for performing the given task.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: All system components in scope for PCI DSS are identified and known.
Levels:Automated: no
No rules selected
Description: The accuracy of PCI DSS scope is verified to be continuously accurate by comprehensive analysis and appropriate technical measures. This requirement applies only when the entity being assessed is a service provider. This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: PCI DSS scope is confirmed after significant organizational change. This requirement applies only when the entity being assessed is a service provider. This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: Personnel are knowledgeable about the threat landscape, their responsibility for the operation of relevant security controls, and are able to access assistance and guidance when required.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: Personnel are knowledgeable about their responsibility for the security and operation of end-user technologies and are able to access assistance and guidance when required. This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: The risk related to allowing new members of staff access to the CDE is understood and managed. For those potential personnel to be hired for positions such as store cashiers, who only have access to one card number at a time when facilitating a transaction, this requirement is a recommendation only.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: Records are maintained of TPSPs and the services provided. The use of a PCI DSS compliant TPSP does not make an entity PCI DSS compliant, nor does it remove the entit's responsibility for its own PCI DSS compliance.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: The capability, intent, and resources of a prospective TPSP to adequately protect account data are assessed before the TPSP is engaged.
Levels:Automated: no
No rules selected
Description: The PCI DSS compliance status of TPSPs is verified periodically. Where an entity has an agreement with a TPSP for meeting PCI DSS requirements on behalf of the entity (for example, via a firewall service), the entity must work with the TPSP to make sure the applicable PCI DSS requirements are met. If the TPSP does not meet those applicable PCI DSS requirements, then those requirements are also "not in place" for the entity.
Levels:Automated: no
No rules selected
Description: Records detailing the PCI DSS requirements and related system components for which each TPSP is solely or jointly responsible, are maintained and reviewed periodically.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: TPSPs formally acknowledge their security responsibilities to their customers. This requirement applies only when the entity being assessed is a service provider. The exact wording of an agreement will depend on the details of the service being provided, and the responsibilities assigned to each party. The agreement does not have to include the exact wording provided in this requirement.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: Incidents are responded to immediately where appropriate.
Levels:Automated: no
No rules selected
Description: Incident response personnel are trained at a frequency that addresses the entity's risk. This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
Levels:Automated: no
No rules selected
Description: Personnel are knowledgeable about their role and responsibilities in incident response and are able to access assistance and guidance when required.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: The effectiveness and accuracy of the incident response plan is reviewed and updated after each invocation.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: - The provider cannot access its customers' environments without authorization. - Customers cannot access the provider's environment without authorization.
Levels:Automated: no
No rules selected
Description: Customers cannot access other customers' environments.
Levels:Automated: no
No rules selected
Description: Customers cannot impact resources allocated to other customers.
Levels:Automated: no
No rules selected
Description: Segmentation of customer environments from other environments is periodically validated to be effective. The testing of adequate separation between customers in a multi-tenant service provider environment is in addition to the penetration tests specified in Requirement 11.4.6. This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: Forensic investigation is readily available to all customers in the event of a suspected or confirmed security incident.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: This requirement is not eligible for the customized approach. This requirement applies only when the entity being assessed is a service provider.
Levels:Automated: no
No rules selected
Description: Appendix A2: Additional PCI DSS Requirements for Entities Using SSL/Early TLS for Card-Present POS POI Terminal Connections.
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: Appendix A3: Designated Entities Supplemental Validation (DESV)
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: Reviews are performed by personnel assigned to the PCI DSS compliance program (as identified in A3.1.3).
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected
Description: None
Levels:Automated: no
No rules selected