PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) defines security requirements for every environment in which payment account data is stored, processed, or transmitted. It establishes a baseline of technical and operational requirements intended to protect cardholder data throughout its lifecycle. The standard is maintained by the PCI Security Standards Council (PCI SSC) and aims to reduce payment card fraud by tightening the controls around cardholder data. Compliance involves following the prescribed practices for securing cardholder information and implementing the required technical controls (PCI Security Standards Council). The requirement numbers used in the list below follow PCI DSS v3.2.1; v4.0 renumbered and restructured the requirements, so these numbers should not be assumed to map one-to-one onto the current standard.

Controls:

The Information Security Policy is a crucial component of any organization's security framework. It defines the principles, guidelines, and responsibilities for safeguarding the confidentiality, integrity, and availability of information assets. The policy serves as a top-level document that sets the tone for the organization's commitment to security and guides the development of more detailed security controls and procedures. It should be regularly reviewed, updated, and communicated to all employees, ensuring awareness and adherence to the established security standards.

  • Incident Response Plan Components (12.10.1)

    Incident Response Plan Components are the elements the plan must contain so that the organization can respond immediately to a system breach: roles, responsibilities, and communication and contact strategies in the event of a compromise (including notification of the payment brands); specific incident response procedures; business recovery and continuity procedures; data backup processes; analysis of legal requirements for reporting compromises; coverage and responses for all critical system components; and reference to or inclusion of incident response procedures from the payment brands.

  • Plan Testing (12.10.2)

    Plan Testing involves reviewing and testing the incident response plan, including all of the elements listed in 12.10.1, at least annually to assess its effectiveness, identify gaps, and improve response capabilities.

  • Availability of Personnel to Respond to Alerts (12.10.3)

    Availability of Personnel to Respond to Alerts refers to designating specific personnel who are available on a 24/7 basis to respond to security alerts and incidents.

  • Staff Training for Breach Response (12.10.4)

    Staff Training for Breach Response involves providing appropriate training to the staff who hold breach response responsibilities, so that they can identify, report, and respond to security incidents and breaches.

  • Alerts From Security Monitoring Systems (12.10.5)

    Alerts From Security Monitoring Systems refers to including in the incident response plan the alerts raised by security monitoring systems, such as intrusion-detection and intrusion-prevention systems, firewalls, and file-integrity monitoring systems, so that they are detected and acted on promptly.

  • Incorporating Lessons Learned and Industry Developments (12.10.6)

    Incorporating Lessons Learned and Industry Developments refers to an organization's practice of regularly updating and enhancing its incident response plan based on insights gained from real incidents, lessons learned, and emerging industry best practices.

  • Quarterly Reviews (12.11)

    Quarterly Reviews (an additional requirement for service providers only) refer to reviews performed at least quarterly to confirm that personnel are following security policies and operational procedures, covering daily log reviews, firewall rule-set reviews, application of configuration standards to new systems, responses to security alerts, and change management processes.

  • Documentation of Quarterly Review Process (12.11.1)

    Documentation of Quarterly Review Process involves maintaining records of the quarterly reviews, including their results and a sign-off by the personnel assigned responsibility for the PCI DSS compliance program.

Firewall configurations refer to the rules and settings applied to network firewalls to control the flow of traffic between different network segments and protect the organization's internal network from unauthorized access. Properly configured firewalls play a critical role in preventing unauthorized access, data breaches, and other cyber threats. Organizations must maintain an up-to-date and robust firewall configuration that aligns with their security requirements and is regularly reviewed to adapt to evolving threats.

  • Formal Firewall and Router Configurations Process (1.1.1)

    Formal Firewall and Router Configurations Process refers to a formal, documented process for approving and testing all network connections and all changes to firewall and router configurations.

  • Current Network Diagram (1.1.2)

    Current Network Diagram refers to maintaining an up-to-date diagram that identifies all connections between the cardholder data environment and other networks, including any wireless networks.

  • Cardholder Data Flows Diagram (1.1.3)

    Cardholder Data Flows Diagram refers to creating and maintaining a visual representation of the flow of cardholder data through the organization's systems and networks.

  • Firewall Network Requirements (1.1.4)

    Firewall Network Requirements refer to requiring a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone.

  • Roles and Responsibilities for Managing Network Components (1.1.5)

    Roles and Responsibilities for Managing Network Components refer to defining and communicating the responsibilities of personnel involved in configuring, monitoring, and managing network components.

  • Documentation of All Services, Protocols, and Ports Allowed (1.1.6)

    Documentation of All Services, Protocols, and Ports Allowed involves maintaining a record of every service, protocol, and port allowed, with a business justification and approval for each, and documenting the security features implemented for any protocol that is considered insecure.

  • Six Month Firewall and Router Reviews (1.1.7)

    Six Month Firewall and Router Reviews involve reviewing firewall and router rule sets at least every six months, so that obsolete or unjustified rules are removed.

  • Firewall and Router Configurations For Untrusted Networks (1.2)

    Firewall and Router Configurations for Untrusted Networks refer to building configurations that restrict connections between untrusted networks and any system component in the cardholder data environment.

  • Restricting Inbound and Outbound Traffic (1.2.1)

    Restricting Inbound and Outbound Traffic refers to restricting inbound and outbound traffic to that which is necessary for the cardholder data environment and specifically denying all other traffic.

  • Securing and Synchronizing Router Configuration Files (1.2.2)

    Securing and Synchronizing Router Configuration Files involves protecting the confidentiality and integrity of router configuration files and keeping the running configuration and the saved start-up configuration in sync, so that a reboot cannot silently revert a device to a weaker configuration.

  • Perimeter Firewalls Between Wireless Networks and Cardholder Data Environment (1.2.3)

    Perimeter Firewalls Between Wireless Networks and Cardholder Data Environment refers to installing perimeter firewalls between all wireless networks and the cardholder data environment, configured to deny wireless traffic or, where it is necessary for business purposes, to permit only authorized traffic.

  • Restricting Public Internet Access (1.3)

    Restricting Public Internet Access involves prohibiting direct public access between the Internet and any system component in the cardholder data environment.

  • Implementing a DMZ to Limit Inbound Traffic (1.3.1)

    Implementing a DMZ to Limit Inbound Traffic refers to creating and maintaining a Demilitarized Zone (DMZ) so that inbound traffic is limited to the system components that provide authorized, publicly accessible services, protocols, and ports.

  • Limiting DMZ Inbound Traffic (1.3.2)

    Limiting DMZ Inbound Traffic involves limiting inbound Internet traffic to IP addresses within the DMZ, so that nothing on the Internet can address internal systems directly.

  • Implementing Anti-spoofing Measures (1.3.3)

    Implementing Anti-spoofing Measures involves configuring network devices to detect and block forged source IP addresses, for example by dropping traffic that arrives from the Internet with an internal (private) source address.

  • Restricting Traffic Between the Internet and the Cardholder Data Environment (1.3.4)

    Restricting Traffic Between the Internet and the Cardholder Data Environment involves not allowing unauthorized outbound traffic from the cardholder data environment to the Internet, so that a compromised system inside the environment cannot freely exfiltrate data or reach attacker infrastructure.

  • Permit only established connections into the network (1.3.5)

    Permit Only Established Connections into the Network involves using stateful inspection (dynamic packet filtering) so that only established connections are allowed into the cardholder data environment.

  • Segregate Cardholder Data Environment on Internal Network Zone (1.3.6)

    Segregate Cardholder Data Environment on Internal Network Zone involves placing system components that store cardholder data (such as a database) in an internal network zone segregated from the DMZ and other untrusted networks.

  • Disclosure of Private IPs and Routing Information (1.3.7)

    Disclosure of Private IPs and Routing Information refers to preventing the disclosure of private IP addresses and routing information to unauthorized parties, for example through Network Address Translation (NAT), proxy servers, or suppression of route advertisements for private networks.

  • Preventing the Disclosure of Private IP Addresses and Routing Information to Unauthorized Parties (1.3.8)

    Preventing the Disclosure of Private IP Addresses and Routing Information involves protecting internal network information from unauthorized access.

  • Installing Personal Firewall Software on Mobile Devices (1.4)

    Installing Personal Firewall Software on Mobile Devices involves installing personal firewall software (or equivalent functionality) on any portable computing device, company- or employee-owned, that connects to the Internet when outside the network and is also used to access the cardholder data environment; the firewall configuration is defined by the organization and must not be alterable by users.

  • Documenting Security Policies and Firewall Management (1.5)

    Documenting Security Policies and Firewall Management involves creating comprehensive policies and procedures for managing firewalls and documenting changes made to firewall configurations.
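
As an added example (not part of this page or of any PCI SSC material), the following Python script audits an `iptables-save` dump against the checks called out in 1.2.1, 1.3.3, 1.3.4, and 1.3.5 above: default-deny chain policies, anti-spoofing drops on the Internet-facing interface, no forwarding from the cardholder data environment out to the Internet, and an explicit established/related rule. The interface names `eth0` and `cde0` and both rulesets are constructed assumptions for the demonstration; the script reads the dump as text and needs no root privileges.

```python
import ipaddress

WAN_IF = "eth0"   # assumption: Internet-facing interface
CDE_IF = "cde0"   # assumption: interface facing the cardholder data environment
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_iptables_save(text):
    """Return ({chain: policy}, [(chain, [args...]), ...]) from iptables-save output."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                    # ":INPUT DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):                # "-A CHAIN <match args> -j TARGET"
            _, chain, *args = line.split()
            rules.append((chain, args))
    return policies, rules


def opt(args, *flags):
    """Value following the first of `flags` present in an iptables argument list, or None."""
    for i, tok in enumerate(args[:-1]):
        if tok in flags:
            return args[i + 1]
    return None


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    policies, rules = parse_iptables_save(text)
    findings = []
    for chain in ("INPUT", "FORWARD"):
        chain_rules = [args for c, args in rules if c == chain]

        # 1.2.1: anything not explicitly permitted must be denied.
        if policies.get(chain) != "DROP":
            findings.append(f"1.2.1 {chain}: default policy is {policies.get(chain)}, expected DROP")

        # 1.3.5: stateful inspection; replies are accepted only for established connections.
        stateful = any(
            opt(a, "-j") == "ACCEPT" and "ESTABLISHED" in (opt(a, "--ctstate", "--state") or "")
            for a in chain_rules
        )
        if not stateful:
            findings.append(f"1.3.5 {chain}: no ACCEPT rule restricted to ESTABLISHED,RELATED state")

        # 1.3.3: anti-spoofing; private source addresses must be dropped on the Internet side.
        for net in RFC1918:
            covered = any(
                opt(a, "-i") == WAN_IF
                and opt(a, "-j") in ("DROP", "REJECT")
                and opt(a, "-s") is not None
                and net.subnet_of(ipaddress.ip_network(opt(a, "-s"), strict=False))
                for a in chain_rules
            )
            if not covered:
                findings.append(f"1.3.3 {chain}: {net} arriving on {WAN_IF} is not dropped")

    # 1.3.4: no unauthorized outbound traffic from the CDE to the Internet.
    for chain, args in rules:
        if (chain == "FORWARD" and opt(args, "-i") == CDE_IF
                and opt(args, "-o") == WAN_IF and opt(args, "-j") == "ACCEPT"):
            findings.append(f"1.3.4 FORWARD: {CDE_IF} may initiate traffic to {WAN_IF}: {' '.join(args)}")
    return findings


# Constructed sample: accept-by-default, no state tracking, CDE can reach the Internet.
WEAK_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i cde0 -o eth0 -j ACCEPT
COMMIT
"""

# Constructed sample: default deny, stateful, anti-spoofing, DMZ web tier may reach the CDE database only.
HARDENED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
-A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
-A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -s 10.0.0.0/8 -j DROP
-A FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
-A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
-A FORWARD -i eth0 -o dmz0 -d 203.0.113.10/32 -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i dmz0 -o cde0 -d 10.10.0.5/32 -p tcp --dport 5432 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_RULESET), ("hardened", HARDENED_RULESET)):
        print(name, audit(text) or "no findings")
```

The script deliberately stops at existence checks; it does not evaluate rule order, so a permissive rule placed above the established/related rule would still pass. Rule-order analysis is what the six-monthly review in 1.1.7 exists for.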

System Defaults Management involves the process of securely configuring and managing default settings on information systems and applications. Default configurations often come with inherent security risks, as they may provide unnecessary access or weaken security controls. Proper management of system defaults is essential to ensure that all systems are securely configured from the outset, reducing the attack surface and minimizing the risk of unauthorized access.

  • Changing Vendor-supplied Defaults (2.1)

    Changing Vendor-supplied Defaults involves always changing vendor-supplied defaults and removing or disabling unnecessary default accounts before a system is installed on the network; this covers default passwords, SNMP community strings, and similar credentials on every system component.

  • Changing Vendor Defaults in Wireless Environments (2.1.1)

    Changing Vendor Defaults in Wireless Environments involves changing all wireless vendor defaults at installation, including default encryption keys, passwords, and SNMP community strings, for any wireless environment connected to or transmitting cardholder data.

  • Developing Configuration Standards for All System Components (2.2)

    Developing Configuration Standards for All System Components involves creating configuration standards for all system components that address all known security vulnerabilities and are consistent with industry-accepted hardening standards (for example CIS, ISO, SANS, or NIST).

  • Implementing One Primary Function Per Server (2.2.1)

    Implementing One Primary Function Per Server involves giving each server a single primary function so that functions requiring different security levels do not co-exist on the same server (for example, web servers, database servers, and DNS on separate servers or virtual machines).

  • Enabling Only Necessary Services (2.2.2)

    Enabling Only Necessary Services involves enabling only the services, protocols, daemons, and functions required for the system to perform its role and disabling everything else.

  • Implementing Additional Security Features (2.2.3)

    Implementing Additional Security Features involves implementing additional security features for any required services, protocols, or daemons that are considered insecure, for example wrapping an insecure protocol inside a secured tunnel.

  • Configuring System Security Parameters to Prevent Misuse (2.2.4)

    Configuring System Security Parameters to Prevent Misuse involves adjusting system settings to prevent intentional or unintentional misuse of resources and privileges.

  • Removing Unnecessary Functionality (2.2.5)

    Removing Unnecessary Functionality involves removing or disabling any feature, service, or component that is not essential to the system's intended operation, such as scripts, drivers, subsystems, file systems, and unneeded web servers.

  • Encrypting Non-console Administrative Access (2.3)

    Encrypting Non-console Administrative Access involves using strong cryptography (such as SSH, VPN, or TLS) for all non-console administrative access, so that credentials and commands are never sent in clear text.

  • Maintaining an Inventory of System Components (2.4)

    Maintaining an Inventory of System Components involves keeping a record of all hardware and software components that are in scope for PCI DSS.

  • Security Policies and Procedures for Managing Vendor Defaults (2.5)

    Security Policies and Procedures for Managing Vendor Defaults involves establishing clear guidelines and procedures for managing vendor-provided default configurations and credentials.

  • Protection Within Shared Hosting Providers (2.6)

    Protection Within Shared Hosting Providers involves requiring shared hosting providers to protect each entity's hosted environment and cardholder data in line with Appendix A1 of the standard.

Protecting Stored Cardholder Data is a critical requirement for organizations that handle payment card transactions. This sub-control covers minimizing what is stored, never storing sensitive authentication data after authorization, masking the primary account number (PAN) when it is displayed, rendering it unreadable wherever it is stored, and managing the cryptographic keys that protect it.

  • Minimizing Cardholder Data Storage (3.1)

    Minimizing Cardholder Data Storage involves keeping storage to a minimum through data retention and disposal policies that limit storage and retention time to what is required for legal, regulatory, and business purposes, with a quarterly process for identifying and securely deleting stored data that exceeds the defined retention.

  • Storing Sensitive Authentication Data After Authorization (3.2)

    Storing Sensitive Authentication Data After Authorization refers to the prohibition on storing sensitive authentication data (full track data, card verification codes, and PINs or PIN blocks) after authorization, even if it is encrypted; any such data that is received must be rendered unrecoverable once the authorization process is complete. Issuers and companies that support issuing services may retain it only with a documented business justification and secure storage.

  • Storing of Card Track Data After Authorization (3.2.1)

    Storing of Card Track Data After Authorization refers to the prohibition on storing the full contents of any track from the magnetic stripe (or the equivalent data on a chip) after authorization; only the cardholder name, PAN, expiration date, and service code may be retained.

  • Storing of Card Verification Codes (3.2.2)

    Storing of Card Verification Codes refers to the prohibition on storing the three- or four-digit card verification code or value (CAV2, CVC2, CVV2, CID) printed on the card after authorization.

  • Storing the Personal Identification Number (PIN) (3.2.3)

    Storing the Personal Identification Number (PIN) refers to the prohibition on storing the PIN or the encrypted PIN block after authorization.

  • Restricting PAN (3.3)

    Restricting PAN involves masking the PAN whenever it is displayed so that at most the first six and last four digits are shown, except to personnel with a legitimate business need to see the full PAN.

  • Managing PAN Data Storage (3.4)

    Managing PAN Data Storage involves rendering the PAN unreadable anywhere it is stored, including on portable media, in backups, and in logs, using one-way hashes of the entire PAN based on strong cryptography, truncation, index tokens and pads, or strong cryptography with associated key-management processes. Hashed and truncated versions of the same PAN must not coexist in the same environment, since the digits revealed by truncation shrink the search space needed to brute-force the hash.

  • Access and Authentication with Disk Encryption (3.4.1)

    Access and Authentication with Disk Encryption refers to the condition that, if disk encryption is used rather than file- or column-level database encryption, logical access to the encrypted data must be managed separately and independently of the native operating system authentication and access control mechanisms, and decryption keys must not be associated with user accounts.

  • Protecting Keys Used in Storing Cardholder Data (3.5)

    Protecting Keys Used in Storing Cardholder Data involves implementing robust security measures to safeguard cryptographic keys used for encrypting cardholder data.

  • Maintain a Description of the Cryptographic Architecture (3.5.1)

    Maintain a Description of the Cryptographic Architecture (an additional requirement for service providers only) involves documenting all algorithms, protocols, and keys used to protect cardholder data, including key strength and expiry date, a description of each key's usage, and an inventory of any HSMs or other secure cryptographic devices used for key management.

  • Restricting Access to Cryptographic Keys (3.5.2)

    Restricting Access to Cryptographic Keys involves limiting access to cryptographic keys to the fewest number of custodians necessary.

  • Storing Keys Used to Encrypt / Decrypt Cardholder Data (3.5.3)

    Storing Keys Used to Encrypt / Decrypt Cardholder Data involves storing secret and private keys at all times in one or more of the following forms: encrypted with a key-encrypting key that is at least as strong as the data-encrypting key and stored separately from it; within a secure cryptographic device such as a hardware security module (HSM) or PTS-approved point-of-interaction device; or as at least two full-length key components or key shares.

  • Storing Cryptographic Keys in the Fewest Possible Locations (3.5.4)

    Storing Cryptographic Keys in the Fewest Possible Locations involves minimizing the number of places where cryptographic keys are stored.

  • Document and Implement Key Management Processes and Procedures (3.6)

    Document and Implement Key Management Processes and Procedures involves creating and following comprehensive documentation for key management practices.

  • Generation of Strong Cryptographic Keys (3.6.1)

    Generation of Strong Cryptographic Keys involves creating keys with algorithms and sources of randomness that ensure unpredictability, for example a cryptographically secure random number generator rather than a general-purpose one.

  • Securing Cryptographic Key Distribution (3.6.2)

    Securing Cryptographic Key Distribution involves ensuring the secure transfer of cryptographic keys from the key generation point to authorized users or systems.

  • Securing Cryptographic Key Storage (3.6.3)

    Securing Cryptographic Key Storage involves implementing robust security measures to protect cryptographic keys from unauthorized access and compromise.

  • Cryptographic Key Changes (3.6.4)

    Cryptographic Key Changes involves changing keys that have reached the end of their cryptoperiod, as defined by the vendor or key owner and based on industry best practice, to limit both the amount of data protected by any one key and the impact of a compromise.

  • Retirement or Replacement of Keys (3.6.5)

    Retirement or Replacement of Keys involves retiring or replacing keys when their integrity has been weakened (for example when a custodian with knowledge of a clear-text key component leaves the organization) or when a compromise is known or suspected; retired keys may be kept only for decryption or verification of previously protected data, never for new encryption.

  • Clear-text Cryptographic Key Management (3.6.6)

    Clear-text Cryptographic Key Management refers to the condition that, where manual clear-text key-management operations are used, they must be performed under split knowledge and dual control: no single person holds a full key, and at least two people are required to perform the operation (for example, each custodian holds one full-length component and the key is reconstructed only inside the cryptographic device).

  • Prevention of Unauthorized Substitution of Cryptographic Keys (3.6.7)

    Prevention of Unauthorized Substitution of Cryptographic Keys involves implementing measures to prevent the unauthorized replacement of cryptographic keys with unauthorized or compromised keys.

  • Key-custodian Responsibilities (3.6.8)

    Key-custodian Responsibilities involves requiring key custodians to formally acknowledge, in writing or electronically, that they understand and accept their responsibilities for managing cryptographic keys securely.

  • Security Policies and Operational Procedures (3.7)

    Security Policies and Operational Procedures involve ensuring that the policies and procedures for protecting stored cardholder data are documented, in use, and known to all affected parties.
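
Added example, not from this page or the PCI SSC: Python code that masks a PAN as 3.3 describes, renders it unreadable with a keyed one-way function as one of the 3.4 options, and demonstrates the 3.4 caveat that hashed and truncated versions of the same PAN must not coexist. The PAN is a Luhn-valid test number constructed for this example, not a real account; HMAC-SHA256 tokenization is this example's choice, not a method the standard prescribes.

```python
import hashlib
import hmac
import secrets

SAMPLE_PAN = "4532015112830366"   # constructed Luhn-valid test number, not a real account


def luhn_valid(pan):
    """Luhn check: the final digit is a check digit over the preceding ones."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """3.3: display at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def unkeyed_hash(pan):
    """A plain SHA-256 of the PAN: one-way, but the input space is tiny."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_token(pan, key):
    """3.4 option used here: HMAC-SHA256 under a secret key managed per 3.5/3.6.
    Without the key an attacker cannot test candidate PANs against the token."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_from_truncation(masked, digest):
    """The 3.4 caveat in practice: given the masked form (first six + last four) and an
    unkeyed hash of the same PAN, only the middle digits are unknown, so a 16-digit PAN
    leaves at most one million candidates to hash. Returns the PAN or None."""
    first, last = masked[:6], masked[-4:]
    n_unknown = len(masked) - 10
    for middle in range(10 ** n_unknown):
        candidate = f"{first}{middle:0{n_unknown}d}{last}"
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


def demo():
    key = secrets.token_bytes(32)   # in production: generated, stored and rotated per 3.5/3.6
    masked = mask_pan(SAMPLE_PAN)
    return {
        "luhn_valid": luhn_valid(SAMPLE_PAN),
        "masked": masked,
        "keyed_token": keyed_token(SAMPLE_PAN, key),
        "recovered_from_unkeyed_hash": recover_from_truncation(masked, unkeyed_hash(SAMPLE_PAN)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The recovery loop finishes in a few seconds on a laptop even without exploiting the Luhn check digit, which would cut the candidate set by a further factor of ten. Swapping the unkeyed hash for the keyed token makes the same attack impossible without the key, which is why the key then needs the protections in 3.5 and 3.6.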
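
Added example, not from this page or the PCI SSC: the split-knowledge and dual-control arrangement named in 3.5.3 and 3.6.6, modelled in Python. Each custodian holds one full-length random component, the key is the XOR of all components, and a key check value lets the custodians confirm the reconstructed key without revealing it. The HMAC-based check value is an assumption standing in for the AES-based KCV an HSM would compute; the key length and custodian count are also assumptions.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32   # assumption: 256-bit key


def generate_components(n_custodians, key_len=KEY_LEN):
    """One full-length random component per custodian (split knowledge).

    Each component is drawn independently from a CSPRNG, so any proper subset of
    them is statistically independent of the final key: no custodian, and no
    group smaller than the full set, learns anything about it.
    """
    if n_custodians < 2:
        raise ValueError("dual control needs at least two custodians")
    return [secrets.token_bytes(key_len) for _ in range(n_custodians)]


def combine(components):
    """Reconstruct the key as the XOR of every component (order does not matter)."""
    key = bytes(len(components[0]))
    for comp in components:
        if len(comp) != len(key):
            raise ValueError("all components must be full length")
        key = bytes(a ^ b for a, b in zip(key, comp))
    return key


def check_value(key):
    """Key check value recorded at the ceremony. Assumption: HMAC-SHA256 of a fixed
    label, truncated to 24 bits, stands in for the AES-based KCV an HSM would
    produce; it confirms the right key was loaded without disclosing the key."""
    return hmac.new(key, b"KCV", hashlib.sha256).hexdigest()[:6]


def load_key(entered_components, expected_kcv):
    """Key-loading ceremony: each custodian enters their own component; the key is
    accepted only if its check value matches the one recorded at generation."""
    if len(entered_components) < 2:
        raise PermissionError("dual control: at least two custodians must be present")
    key = combine(entered_components)
    if not hmac.compare_digest(check_value(key), expected_kcv):
        raise ValueError("key check value mismatch: wrong or missing component")
    return key


def ceremony(n_custodians=3):
    """Generate the components and record the KCV. The combined key exists only
    transiently here; in a real ceremony it is formed inside the HSM."""
    components = generate_components(n_custodians)
    kcv = check_value(combine(components))
    return components, kcv


if __name__ == "__main__":
    comps, kcv = ceremony()
    print("KCV recorded:", kcv)
    print("all custodians present:", load_key(comps, kcv).hex()[:16], "...")
    try:
        load_key(comps[:2], kcv)
    except ValueError as exc:
        print("two of three custodians:", exc)
```

A missing component is indistinguishable from a wrong one: the XOR of any two components is a uniformly random value, so its check value matches the recorded KCV with probability 2^-24. Note that XOR components give split knowledge but no threshold; if a custodian is unavailable the key cannot be loaded at all, which is why 3.6.5 requires re-keying when a custodian leaves.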

Encryption of Cardholder Data in transit is essential for protecting sensitive information as it crosses open, public networks. This sub-control emphasizes strong cryptography, current protocol versions, and trusted keys and certificates for every transmission of cardholder data.

  • Use of Strong Cryptography and Security Protocols (4.1)

    Use of Strong Cryptography and Security Protocols involves using strong cryptography and security protocols to safeguard cardholder data during transmission over open, public networks: only trusted keys and certificates are accepted, the protocol in use supports only secure versions and configurations (obsolete SSL and early TLS are not acceptable), and the encryption strength is appropriate for the method in use.

  • Wireless Networks Transmitting Cardholder Data (4.1.1)

    Wireless Networks Transmitting Cardholder Data involves using industry best practices (for example IEEE 802.11i / WPA2) for authentication and transmission on wireless networks that carry cardholder data or are connected to the cardholder data environment; WEP is prohibited.

  • Transmission of Unprotected PANs By End-user Messaging Technologies (4.2)

    Transmission of Unprotected PANs By End-user Messaging Technologies involves never sending unprotected Primary Account Numbers (PANs) by end-user messaging technologies (for example e-mail, instant messaging, SMS, and chat) unless the PAN is rendered unreadable with strong cryptography before sending.

  • Policies and Procedures for Encrypting Transmissions of Cardholder Data (4.3)

    Policies and Procedures for Encrypting Transmissions of Cardholder Data involve the development and implementation of clear guidelines for encrypting cardholder data during transmission.

Anti-virus software or programs are essential tools for detecting and preventing malware infections on computer systems and networks. This sub-control stresses the need to install and maintain up-to-date anti-virus software on all endpoints and servers to protect against viruses, Trojans, ransomware, and other malicious software. Regular updates and scanning are crucial to ensuring the effectiveness of anti-virus protection.

  • Deploy Anti-virus Software (5.1)

    Deploy Anti-virus Software involves deploying anti-virus software on all systems commonly affected by malicious software, particularly personal computers and servers.

  • Anti-virus Capabilities (5.1.1)

    Anti-virus Capabilities involve ensuring that the anti-virus software is capable of detecting, removing, and protecting against all known types of malicious software.

  • Evaluating Systems Not Commonly Affected By Malicious Software (5.1.2)

    Evaluating Systems Not Commonly Affected By Malicious Software involves periodically re-evaluating the systems for which anti-virus software was deemed unnecessary, to confirm that they still face no malware threat that would require it.

  • Anti-virus Maintenance (5.2)

    Anti-virus Maintenance involves keeping all anti-virus mechanisms current, performing periodic scans, and generating audit logs that are retained in line with the standard's log retention requirements.

  • Disabling Anti-virus (5.3)

    Disabling Anti-virus refers to ensuring that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.

  • Policies and Procedures for Protecting Against Malware (5.4)

    Policies and Procedures for Protecting Against Malware involve developing and implementing guidelines to defend against malware threats.

Securing Systems and Applications involves implementing security measures to protect information systems and software from vulnerabilities and cyber-attacks. This sub-control emphasizes the need for regular security patching, secure coding practices, and robust system hardening to reduce the risk of exploitation by malicious actors.

  • Establishing a Process to Assess and Identify Security Vulnerabilities (6.1)

    Establishing a Process to Assess and Identify Security Vulnerabilities involves a structured process, using reputable outside sources of vulnerability information, to identify new security vulnerabilities and assign each a risk ranking (for example high, medium, or low).

  • Installing Critical Security Patches (6.2)

    Installing Critical Security Patches involves installing vendor-supplied security patches on all system components, with critical patches applied within one month of release.

  • Developing Internal and External Software Applications (6.3)

    Developing Internal and External Software Applications involves developing software securely, in accordance with PCI DSS and industry best practices, with information security incorporated throughout the software-development lifecycle.

  • Security of Custom Application Accounts (6.3.1)

    Security of Custom Application Accounts refers to removing development, test, and custom application accounts, user IDs, and passwords before an application becomes active or is released to customers.

  • Reviewing of Custom Code Prior to Release (6.3.2)

    Reviewing of Custom Code Prior to Release involves reviewing custom code before release to production to identify coding vulnerabilities: the review is performed by individuals other than the originating author who are knowledgeable in code-review techniques and secure coding practices, corrections are made before release, and the results are reviewed and approved by management.

  • Change Control Processes and Procedures (6.4)

    Change Control Processes and Procedures involve establishing processes to manage and authorize changes to IT systems and applications.

  • Separating Development/test Environments From Production Environments (6.4.1)

    Separating Development/test Environments From Production Environments involves segregating development and testing environments from the production environment to prevent unintended impacts on production systems.

  • Separating Duties Between Development/test and Production Environments (6.4.2)

    Separating Duties Between Development/test and Production Environments involves assigning different responsibilities to personnel in development/test and production environments to reduce the risk of unauthorized changes.

  • Production Data for Development (6.4.3)

    Production Data for Development refers to the rule that production data (live PANs) is not used for testing or development; sanitized or synthetic data is used instead.

  • Removal of Test Data and Accounts (6.4.4)

    Removal of Test Data and Accounts involves removing test data and accounts from system components before a system becomes active or goes into production.

  • Change Control Procedures for Security Patches and Software Modifications (6.4.5)

    Change Control Procedures for Security Patches and Software Modifications involve implementing formalized processes for handling security patches and software changes.

  • Documentation of Impact (6.4.5.1)

    Documentation of Impact involves recording the expected impact of proposed security patches and software modifications.

  • Documented Change Approval (6.4.5.2)

    Documented Change Approval involves recording approvals for security patches and software modifications.

  • Functionality Testing (6.4.5.3)

    Functionality Testing involves testing security patches and software modifications for potential functional issues before deployment.

  • Back-out Procedures (6.4.5.4)

    Back-out Procedures involve establishing processes to revert changes in case of issues or failures after deploying security patches and software updates.

  • Significant Changes (6.4.6)

    Significant Changes refers to verifying, on completion of a significant change, that all relevant PCI DSS requirements are implemented on the new or changed systems and networks, and that documentation is updated as applicable.

  • Addressing Coding Vulnerabilities (6.5)

    Addressing Coding Vulnerabilities involves addressing common coding vulnerabilities in the software-development process: developers are trained at least annually in up-to-date secure coding techniques, and applications are developed according to secure coding guidelines.

  • Injection Flaws (6.5.1)

    Injection Flaws refer to preventing injection vulnerabilities (particularly SQL injection, but also LDAP, XPath, and OS command injection) by validating input and keeping untrusted data separate from commands and queries, for example through parameterized queries.

  • Buffer Overflows (6.5.2)

    Buffer Overflows refer to preventing buffer overflow vulnerabilities by validating buffer boundaries and truncating input strings.

  • Insecure Cryptographic Storage (6.5.3)

    Insecure Cryptographic Storage refers to preventing cryptographic flaws by using strong cryptographic algorithms, proper key management, and secure storage for sensitive data.

  • Insecure Communications (6.5.4)

    Insecure Communications refers to properly authenticating and encrypting all sensitive communications so that data in transit cannot be intercepted or altered.

  • Improper Error Handling (6.5.5)

    Improper Error Handling refers to handling errors so that they do not leak information (stack traces, database errors, internal paths) to users or attackers.

  • Addressing “High Risk” Vulnerabilities (6.5.6)

    Addressing "High Risk" Vulnerabilities involves prioritizing the mitigation of high-risk vulnerabilities in software applications.

  • Cross-site Scripting (XSS) (6.5.7)

    Cross-site Scripting (XSS) refers to preventing XSS by validating all parameters before they are included in output and applying context-sensitive escaping.

  • Improper Access Control (6.5.8)

    Improper Access Control refers to preventing insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions, by authenticating users and enforcing authorization on every request.

  • Cross-site Request Forgery (CSRF) (6.5.9)

    Cross-site Request Forgery (CSRF) refers to preventing CSRF by not relying solely on credentials and tokens that the browser submits automatically, for example by requiring a per-session anti-CSRF token on every state-changing request.

  • Broken Authentication and Session Management (6.5.10)

    Broken Authentication and Session Management refers to protecting credentials and session tokens: session tokens are flagged secure, session IDs are not exposed in URLs, and appropriate timeouts and rotation of session IDs after successful login are implemented.

  • Public-facing Web Applications (6.6)

    Public-facing Web Applications refers to addressing new threats and vulnerabilities on an ongoing basis: either by reviewing public-facing web applications with manual or automated application vulnerability assessment tools or methods at least annually and after any change, or by installing an automated technical solution that detects and prevents web-based attacks (for example a web application firewall) in front of them.

  • Policies and Procedures (6.7)

    Policies and Procedures involve creating and enforcing information security policies and procedures.
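
Added example, not from this page or the PCI SSC: the injection flaw named in 6.5.1 and the fix 6.5 expects, shown with Python's sqlite3 module. The table, rows, and payload are constructed for the demonstration; the pattern is the same for any SQL driver that supports parameter binding.

```python
import sqlite3


def make_db():
    """In-memory table of tokenized card references (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cards (id INTEGER PRIMARY KEY, customer TEXT NOT NULL, pan_token TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO cards (customer, pan_token) VALUES (?, ?)",
        [("alice", "tok_7f3a"), ("bob", "tok_91c0"), ("carol", "tok_e55d")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, customer):
    """6.5.1 flaw: untrusted input is pasted into the SQL text, so a quote in the
    input changes the grammar of the query instead of being compared as data."""
    sql = f"SELECT customer, pan_token FROM cards WHERE customer = '{customer}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, customer):
    """Fix: the statement is fixed at development time and the input is bound as a
    value, so it can never be interpreted as SQL whatever it contains."""
    sql = "SELECT customer, pan_token FROM cards WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


INJECTION_PAYLOAD = "nobody' OR '1'='1"   # constructed tautology payload


def demo():
    """Run both lookups with a normal value and with the payload."""
    conn = make_db()
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_injected": lookup_vulnerable(conn, INJECTION_PAYLOAD),
        "parameterized_normal": lookup_parameterized(conn, "alice"),
        "parameterized_injected": lookup_parameterized(conn, INJECTION_PAYLOAD),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case}: {len(rows)} row(s) -> {rows}")
```

With the payload the vulnerable query becomes `WHERE customer = 'nobody' OR '1'='1'` and returns every customer's token; the parameterized query compares the literal string `nobody' OR '1'='1` against the column and returns nothing. The code review in 6.3.2 should treat any string-built SQL as a finding regardless of whether a payload has been demonstrated.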

Restricting Access to Cardholder Data is a key aspect of protecting sensitive payment card information. This sub-control requires organizations to enforce access controls, such as role-based access, least privilege, and multi-factor authentication, to ensure that only authorized personnel can access cardholder data. These measures help prevent unauthorized access and insider threats.

  • Limiting Access to Cardholder Data (7.1)

    Limiting Access to Cardholder Data involves restricting access to sensitive cardholder data based on the principle of least privilege.

  • Defining Access Needs (7.1.1)

    Defining Access Needs involves determining the specific access requirements for individuals based on their job roles and responsibilities.

  • Least Privilege Access (7.1.2)

    Least Privilege Access involves granting individuals the minimum necessary access rights required to perform their job functions.

  • Job classifications and functions (7.1.3)

    Job Classifications and Functions involve grouping job roles and functions based on common access requirements.

  • Documented Privileges Approval (7.1.4)

    Documented Privileges Approval involves obtaining formal approval for granting access privileges.

  • Access Control System Restrictions (7.2)

    Access Control System Restrictions involve establishing an access control system for system components that restricts access based on a user's need to know and is set to deny all unless specifically allowed.

  • Coverage of All System Components (7.2.1)

    Coverage of All System Components involves ensuring that all relevant system components are subject to access control measures.

  • Assignment of Privileges (7.2.2)

    Assignment of Privileges involves assigning access privileges based on business needs and job responsibilities.

  • Default “deny-all” Setting (7.2.3)

    Default "deny-all" Setting involves setting access controls to deny all access by default.

  • Policies & Procedures (7.3)

    Policies & Procedures involve creating and enforcing access control policies and procedures.

Identity (ID) Management involves the secure management of user identities and access privileges. This sub-control emphasizes the need for robust identity and access management (IAM) practices, including user provisioning, de-provisioning, and regular access reviews. Effective ID management helps maintain the integrity of access controls and reduces the risk of unauthorized access.

  • Policies and Procedures for User Identification Management (8.1)

    Policies and Procedures for User Identification Management involve creating and enforcing policies related to user identification and authentication.

  • Unique User IDs (8.1.1)

    Unique User IDs involve assigning distinct user identification credentials to each user.

  • User ID Management (8.1.2)

    User ID Management involves controlling the addition, deletion, and modification of user IDs, credentials, and other identifier objects.

  • Revoking Access for Terminated Users (8.1.3)

    Revoking Access for Terminated Users involves immediately revoking access for any user who is no longer employed or otherwise authorized to access resources.

  • Removing/disabling Inactive User Accounts (8.1.4)

    Removing/Disabling Inactive User Accounts involves removing or disabling user accounts that have been inactive for 90 days.

  • Vendor ID Management (8.1.5)

    Vendor ID Management involves managing the accounts used by third parties to access, support, or maintain system components via remote access: they are enabled only during the time period needed, disabled when not in use, and monitored while in use.

  • Limiting Access Attempts (8.1.6)

    Limiting Access Attempts involves limiting repeated access attempts by locking out the user ID after not more than six failed attempts.

  • Lockout Duration (8.1.7)

    Lockout Duration involves setting the lockout duration to a minimum of 30 minutes or until an administrator re-enables the user ID.

  • Session Time Out (8.1.8)

    Session Time Out involves requiring the user to re-authenticate after a session has been idle for more than 15 minutes.

  • User Authentication Management (8.2)

    User Authentication Management involves, in addition to assigning a unique ID, authenticating every user with at least one of the following: something you know (such as a password or passphrase), something you have (such as a token device or smart card), or something you are (such as a biometric).

  • Cryptography (8.2.1)

    Cryptography involves using strong cryptography to render all authentication credentials (such as passwords and passphrases) unreadable during transmission and storage on all system components.

  • Verifying User Identities (8.2.2)

    Verifying User Identities involves ensuring the accuracy and legitimacy of user identities during authentication.

  • Password Requirements (8.2.3)

    Password Requirements involve setting standards and criteria for password creation and complexity.

  • Passwords Change Schedule (8.2.4)

    Passwords Change Schedule involves determining the frequency at which users are required to change their passwords.

  • Reusing Old Passwords (8.2.5)

    Reusing Old Passwords involves preventing users from reusing previously used passwords.

  • Passwords Issued / Reset Requirements (8.2.6)

    Passwords Issued/Reset Requirements involve defining the rules and procedures for issuing and resetting passwords.

  • Incorporating Multi-factor Authentication (8.3)

    Incorporating Multi-factor Authentication (MFA) involves combining multiple authentication factors to enhance user identity verification.

  • MFA for non-console access to CDE (8.3.1)

    MFA for Non-console Access to CDE involves enforcing MFA for users accessing the Cardholder Data Environment (CDE) from external locations or devices.

  • MFA for remote access (8.3.2)

    MFA for Remote Access involves enforcing MFA for users accessing organizational systems or data remotely.

  • Documenting and Communicating Authentication Policies and Procedures (8.4)

    Documenting and Communicating Authentication Policies and Procedures involve creating and sharing documentation related to authentication practices.

  • Use of Group, Shared, or Generic Authentication Methods (8.5)

    Use of Group, Shared, or Generic Authentication Methods involves avoiding the use of common authentication credentials shared among multiple users.

  • Service Providers with Remote Access (8.5.1)

    Service Providers with Remote Access involves managing the access of service providers to the organization's systems and data.

  • Use of Other Authentication Mechanisms (8.6)

    Use of Other Authentication Mechanisms involves implementing alternative authentication methods beyond traditional passwords.

  • Access to Databases Containing Cardholder Data (8.7)

    Access to Databases Containing Cardholder Data involves managing and controlling access to databases storing cardholder data.

  • Policies and Procedures (8.8)

    Policies and Procedures involve developing comprehensive documentation outlining the organization's security practices.

Physical Access to Cardholder Data addresses the need to restrict physical access to areas where cardholder data is stored or processed. Organizations must implement physical security measures, such as access controls, surveillance, and visitor management, to prevent unauthorized personnel from gaining physical access to cardholder data storage areas.

  • Facility Entry Controls (9.1)

    Facility Entry Controls involve implementing security measures to control physical access to facilities.

  • Monitoring Physical Access (9.1.1)

    Monitoring Physical Access involves continuously monitoring and logging physical access to facilities.

  • Access to Publicly Accessible Network Jacks (9.1.2)

    Access to Publicly Accessible Network Jacks involves securing network access points available in publicly accessible areas.

  • Physical Access to Wireless Access Points, Gateways, Handheld Devices, Networking/communications Hardware, and Telecommunication Lines (9.1.3)

    Physical Access to Wireless Access Points, Gateways, Handheld Devices, Networking/communications Hardware, and Telecommunication Lines involves securing physical access to wireless infrastructure and network components.

  • Onsite Personnel and Visitors (9.2)

    Onsite Personnel and Visitors involve managing and controlling physical access for employees and visitors on the premises.

  • Access For Onsite Personnel to Sensitive Areas (9.3)

    Access For Onsite Personnel to Sensitive Areas involves managing and controlling physical access for authorized employees to sensitive areas within the facility.

  • Visitor Identification and Authorization (9.4)

    Visitor Identification and Authorization involves verifying the identity of visitors and authorizing their access to the facility.

  • Visitor Escorting (9.4.1)

    Visitor Escorting involves providing a designated escort to accompany visitors within the facility.

  • Issuing Visitor Badges (9.4.2)

    Issuing Visitor Badges involves providing identification badges to visitors for easy identification.

  • Retrieving Visitor Badges (9.4.3)

    Retrieving Visitor Badges involves collecting identification badges from visitors upon their departure.

  • Visitor Logs (9.4.4)

    Visitor Logs involve maintaining a record of all visitors entering the facility.

  • Physically Securing Media (9.5)

    Physically Securing Media involves protecting physical storage media that contain sensitive information.

  • Storing Media Backups (9.5.1)

    Storing Media Backups involves protecting backup media to ensure data recoverability in case of a system failure or data loss.

  • Control Over the Distribution of Media (9.6)

    Control Over the Distribution of Media involves managing the distribution of media containing sensitive data.

  • Media Classification (9.6.1)

    Media Classification involves categorizing media based on the sensitivity of the data it contains.

  • Media Delivery (9.6.2)

    Media Delivery involves securely transmitting sensitive data to authorized recipients.

  • Media Delivery Approvals (9.6.3)

    Media Delivery Approvals involves obtaining proper authorization before transmitting sensitive data.

  • Media Storage and Accessibility (9.7)

    Media Storage and Accessibility involves managing the storage of media containing sensitive data and controlling access to it.

  • Media Inventory Logs (9.7.1)

    Media Inventory Logs involve maintaining a record of all media containing sensitive data in the organization's inventory.

  • Media Destruction (9.8)

    Media Destruction involves securely disposing of sensitive data stored on various media types.

  • Hard-copy Data Destruction (9.8.1)

    Hard-copy Data Destruction involves securely disposing of sensitive data stored in physical paper format.

  • Electronic Media Protection (9.8.2)

    Electronic Media Protection involves securely disposing of sensitive data stored on electronic media.

  • Protecting Payment Card Devices (9.9)

    Protecting Payment Card Devices involves implementing security measures for devices used to process payment card transactions.

  • Maintaining Up-to-date Device Lists (9.9.1)

    Maintaining Up-to-date Device Lists involves keeping an accurate inventory of payment card devices used within the organization.

  • Inspection of Device Surfaces (9.9.2)

    Inspection of Device Surfaces involves regular examination of payment card devices for signs of tampering or skimming devices.

  • Employee Training (9.9.3)

    Employee Training involves educating personnel on proper payment card device handling and security practices.

  • Policies and Procedures (9.10)

    Policies and Procedures involve establishing guidelines for the secure handling and management of payment card devices.

Tracking and Monitoring Network Access and Data is crucial for detecting and responding to security incidents promptly. This sub-control emphasizes the implementation of logging, monitoring, and auditing mechanisms to track network activities, access attempts, and data changes. Effective tracking and monitoring enhance an organization's ability to detect anomalous behavior and potential security breaches.

  • Implementing Audit Trails (10.1)

    Implementing Audit Trails involves recording and monitoring activities related to payment card devices.

  • Implementing Automated Audit Trails for All System Components (10.2)

    Implementing Automated Audit Trails for All System Components involves automatically generating audit logs for all systems, including payment card devices.

  • Logging User Access to Cardholder Data (10.2.1)

    Logging User Access to Cardholder Data involves recording user access to sensitive cardholder data.

  • Logging Root or Administrative Privilege Actions (10.2.2)

    Logging Root or Administrative Privilege Actions involves recording activities performed with elevated privileges.

  • Logging Audit Trails (10.2.3)

    Logging Audit Trails involves capturing and storing audit logs securely.

  • Logging Invalid Logical Access Attempts (10.2.4)

    Logging Invalid Logical Access Attempts involves recording failed attempts to access the system or cardholder data.

  • Logging Identification and Authentication Mechanisms (10.2.5)

    Logging Identification and Authentication Mechanisms involves recording user identification and authentication activities.

  • Logging the Initialization, Stoppage or Pausing of Audit Logs (10.2.6)

    Logging the Initialization, Stoppage, or Pausing of Audit Logs involves recording events related to audit log management.

  • Logging the Creation and Deletion of System-level Objects (10.2.7)

    Logging the Creation and Deletion of System-level Objects involves recording events related to the creation or deletion of critical system objects.

  • Record Audit Trail Entries For All System Components (10.3)

    Record Audit Trail Entries For All System Components involves capturing audit logs for all critical system components.

  • User Identification is Logged (10.3.1)

    User Identification is Logged involves recording the identity of users who perform specific actions.

  • Type of Event is Logged (10.3.2)

    Type of Event is Logged involves recording the nature and category of events in audit logs.

  • Date and Time is Logged (10.3.3)

    Date and Time is Logged involves recording the timestamps of events in audit logs.

  • Success or Failure Indication is Logged (10.3.4)

    Success or Failure Indication is Logged involves recording whether an event was successful or resulted in failure.

  • Origination of Event is Logged (10.3.5)

    Origination of Event is Logged involves recording the source or location of an event in audit logs.

  • Name of Affected Data, System Component, or Resource is Logged (10.3.6)

    Name of Affected Data, System Component, or Resource is Logged involves recording the specific data, system components, or resources impacted by an event.

  • Synchronization of All Critical System Clocks and Times (10.4)

    Synchronization of All Critical System Clocks and Times involves ensuring consistent timekeeping across all critical system components.

  • Critical Systems Have the Correct and Consistent Time (10.4.1)

    Critical Systems Have the Correct and Consistent Time involves ensuring that critical systems maintain accurate and synchronized time.

  • Time Data is Protected (10.4.2)

    Time Data is Protected involves safeguarding time data from unauthorized modification or tampering.

  • Time Settings Are From Industry-accepted Time Sources (10.4.3)

    Time Settings Are From Industry-accepted Time Sources involves obtaining time settings from reputable and reliable sources.

  • Audit Trails Are Secured (10.5)

    Audit Trails Are Secured involves protecting audit logs from unauthorized access, modification, or deletion.

  • Viewing of Audit Trails (10.5.1)

    Viewing of Audit Trails involves controlling access to audit logs and limiting viewing privileges.

  • Protection of Audit Trail Files (10.5.2)

    Protection of Audit Trail Files involves safeguarding audit log files from unauthorized access and modification.

  • Audit Trail Files Back-up (10.5.3)

    Audit Trail Files Back-up involves creating copies of audit log files for redundancy and disaster recovery purposes.

  • Logs for External-facing Technologies (10.5.4)

    Logs for External-facing Technologies involves generating audit logs for systems and technologies exposed to external networks.

  • File-integrity Monitoring On Logs (10.5.5)

    File-integrity Monitoring On Logs involves implementing mechanisms to detect unauthorized changes to audit log files.

  • Reviewing of Log Data to Identify Anomalies or Suspicious Activity (10.6)

    Reviewing of Log Data to Identify Anomalies or Suspicious Activity involves regularly examining log data to detect potential security incidents.

  • Daily Log Reviews (10.6.1)

    Daily Log Reviews involves conducting log data reviews on a daily basis.

  • Log Reviews of Other Systems (10.6.2)

    Log Reviews of Other Systems involves conducting log data reviews for systems beyond critical systems.

  • Exceptions and Anomalies Are Identified and Addressed (10.6.3)

    Exceptions and Anomalies Are Identified and Addressed involves promptly investigating and addressing identified log anomalies.

  • Audit Trail History (10.7)

    Audit Trail History involves maintaining historical audit logs for a specific retention period.

  • Detection of Failures (service providers only) (10.8)

    Detection of Failures (service providers only) involves monitoring for system failures and malfunctions.

  • Response to Failures (service providers only) (10.8.1)

    Response to Failures (service providers only) involves taking appropriate actions to address system failures.

  • Policies and Procedures (10.9)

    Policies and Procedures involves developing and implementing cybersecurity-related policies and procedures.

Testing Security Systems and Processes involves conducting regular assessments and tests to validate the effectiveness of security controls. This sub-control includes vulnerability assessments, penetration testing, and security awareness training for employees. Testing helps identify weaknesses in security measures and allows organizations to address them proactively.

  • Testing Wireless Access Points (11.1)

    Testing Wireless Access Points involves evaluating the security of wireless access points.

  • Inventory of Authorized Wireless Access Points (11.1.1)

    Inventory of Authorized Wireless Access Points involves maintaining an up-to-date list of authorized wireless access points.

  • Incident Response Procedures (11.1.2)

    Incident Response Procedures involves establishing procedures for responding to security incidents.

  • Vulnerability Scanning (11.2)

    Vulnerability Scanning involves using automated tools to identify potential vulnerabilities in systems and applications.

  • Internal Vulnerability Scanning (11.2.1)

    Internal Vulnerability Scanning involves scanning internal systems and applications for potential vulnerabilities.

  • External Vulnerability Scanning (11.2.2)

    External Vulnerability Scanning involves scanning external-facing systems and applications for potential vulnerabilities.

  • Scanning Due to Significant Change (11.2.3)

    Scanning Due to Significant Change involves conducting vulnerability scans after significant changes to systems and applications.

  • Penetration Testing Methodology (11.3)

    Penetration Testing Methodology involves defining a systematic approach for conducting penetration tests.

  • External Penetration Testing (11.3.1)

    External Penetration Testing involves conducting penetration tests from an external perspective to evaluate the security of external-facing systems.

  • Internal Penetration Testing (11.3.2)

    Internal Penetration Testing involves conducting penetration tests from an internal perspective to evaluate the security of the organization's internal network.

  • Correcting Exploitable Vulnerabilities (11.3.3)

    Correcting Exploitable Vulnerabilities involves promptly addressing vulnerabilities identified during penetration testing.

  • CDE Segmentation (11.3.4)

    CDE Segmentation involves isolating the Cardholder Data Environment (CDE) from other network segments.

  • Testing Changes to Segmentation Controls (service providers only) (11.3.4.1)

    Testing Changes to Segmentation Controls involves validating the effectiveness of segmentation controls after making network changes.

  • Intrusion-detection/intrusion-prevention (11.4)

    Intrusion-detection/Intrusion-prevention involves deploying systems to detect and prevent unauthorized access and malicious activities.

  • Change-detection Alerts (11.5)

    Change-detection Alerts involve monitoring and generating alerts for changes to critical files and system configurations.

  • Responding to Change-detection Alerts (11.5.1)

    Responding to Change-detection Alerts involves investigating and mitigating unauthorized changes indicated by alerts.

  • Policies and Procedures (11.6)

    Policies and Procedures involve developing and maintaining a comprehensive set of security policies and procedures.

The Information Security Policy, already discussed in the first sub-control, serves as a central and critical component of the entire information security program. It provides a foundation for all other security controls, guiding the organization's overall approach to information security and risk management.

  • Establish, Publish, Maintain, and Disseminate a Security Policy (12.1)

    Establish, Publish, Maintain, and Disseminate a Security Policy involves creating a comprehensive security policy document.

  • Policy Reviews and Updates (12.1.1)

    Policy Reviews and Updates involve periodically evaluating and revising security policies.

  • Risk-assessment Process (12.2)

    Risk-assessment Process involves evaluating and managing information security risks.

  • Usage Policies (12.3)

    Usage Policies involve developing policies that define appropriate and acceptable usage of technology and systems.

  • Usage Approvals By Authorized Parties (12.3.1)

    Usage Approvals By Authorized Parties involve obtaining approvals for specific technology usage scenarios.

  • Authentication For Use of Technology (12.3.2)

    Authentication For Use of Technology involves implementing secure authentication mechanisms for accessing technology resources.

  • List of Authorized Usage of Devices (12.3.3)

    List of Authorized Usage of Devices involves maintaining a list of approved devices for use within the organization.

  • Inventorying of Devices (12.3.4)

    Inventorying of Devices involves creating and maintaining a comprehensive inventory of all technology devices within the organization.

  • Acceptable Uses of Technology (12.3.5)

    Acceptable Uses of Technology involve defining the permissible ways technology resources can be utilized.

  • Acceptable Network Locations of Technologies (12.3.6)

    Acceptable Network Locations of Technologies involve specifying the permitted network locations for various technology resources.

  • List of Company-approved Products (12.3.7)

    List of Company-approved Products involves maintaining a list of approved software and hardware products for use within the organization.

  • Automatic Remote-access Disconnect (12.3.8)

    Automatic Remote-access Disconnect involves implementing mechanisms to automatically terminate remote-access sessions.

  • Activation of Remote-access Technologies for Vendors and Business Partners (12.3.9)

    Activation of Remote-access Technologies for Vendors and Business Partners involves the secure activation and management of remote-access solutions for external entities.

  • Accessing Cardholder Data Via Remote-access Technologies (12.3.10)

    Accessing Cardholder Data Via Remote-access Technologies involves defining the procedures and controls for accessing cardholder data remotely.

  • Information Security Responsibilities (12.4)

    Information Security Responsibilities involves assigning and documenting the responsibilities for information security within the organization.

  • Additional Requirement for Service Providers Only: Executive Management Responsibility for Protecting Cardholder Data and PCI DSS Compliance (12.4.1)

    Additional Requirement for Service Providers Only focuses on the executive management's accountability for protecting cardholder data and ensuring PCI DSS compliance.

  • Assigning Information Security Management Responsibilities (12.5)

    Assigning Information Security Management Responsibilities involves designating roles responsible for overseeing information security initiatives.

  • Establish, Document, and Distribute Security Policies and Procedures (12.5.1)

    Establish, Document, and Distribute Security Policies and Procedures involves developing and disseminating formal security policies and procedures.

  • Monitoring and Analyzing Security Alerts and Information (12.5.2)

    Monitoring and Analyzing Security Alerts and Information involves actively monitoring security alerts and events to identify potential security incidents.

  • Incident Response and Escalation Procedures (12.5.3)

    Incident Response and Escalation Procedures involves developing formal procedures for handling security incidents and escalating them as needed.

  • Administering User Accounts (12.5.4)

    Administering User Accounts involves managing user accounts throughout their lifecycle, including creation, modification, and removal.

  • Monitoring and Controlling All Access to Data (12.5.5)

    Monitoring and Controlling All Access to Data involves implementing measures to track and control access to sensitive data.

  • Security Awareness Program (12.6)

    Security Awareness Program involves implementing a structured program to educate employees about security best practices.

  • Personnel Education (12.6.1)

    Personnel Education involves providing ongoing education to employees on information security topics.

  • Verifying Personnel Understand Security Policies and Procedures (12.6.2)

    Verifying Personnel Understand Security Policies and Procedures involves assessing employees' comprehension of security policies and procedures.

  • New Hire Screening (12.7)

    New Hire Screening involves conducting background checks and vetting processes for newly hired employees.

  • Managing Service Providers (12.8)

    Managing Service Providers involves implementing processes to oversee and ensure compliance with security requirements by third-party service providers.

  • Maintaining a List of Service Providers (12.8.1)

    Maintaining a List of Service Providers involves keeping an up-to-date inventory of all third-party service providers.

  • Service Provider Responsibility Agreements (12.8.2)

    Service Provider Responsibility Agreements involves establishing formal agreements that define security responsibilities between the organization and its service providers.

  • Process for Engaging Service Providers (12.8.3)

    Process for Engaging Service Providers involves establishing procedures for evaluating, selecting, and engaging third-party service providers.

  • Monitoring Service Provider Compliance (12.8.4)

    Monitoring Service Provider Compliance involves conducting regular assessments to verify that service providers comply with agreed-upon security requirements.

  • Managing PCI DSS Requirements by Service Providers (12.8.5)

    Managing PCI DSS Requirements by Service Providers involves ensuring that service providers comply with applicable PCI DSS requirements.

  • Written Acknowledgement of Service Provider Responsibility (12.9)

    Written Acknowledgement of Service Provider Responsibility involves obtaining written acknowledgment from service providers regarding their security responsibilities.

  • Incident Response Plan (12.10)

    Incident Response Plan involves developing a comprehensive plan for responding to security incidents.