pcidss-4_0.yaml

urn: urn:intuitem:risk:library:pcidss-4_0
locale: en
ref_id: PCI DSS 4.0
name: Payment Card Industry Data Security Standard
description: 'Payment Card Industry Data Security Standard: Requirements and Testing
  Procedures, v4.0 '
copyright: "\xA92006 - 2022 PCI Security Standards Council, LLC. All Rights Reserved. "
version: 1
provider: PCI Security Standards Council
packager: intuitem
objects:
  framework:
    urn: urn:intuitem:risk:framework:pcidss-4_0
    ref_id: PCI DSS 4.0
    name: Payment Card Industry Data Security Standard
    description: 'Payment Card Industry Data Security Standard: Requirements and Testing
      Procedures, v4.0 '
    requirement_nodes:
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:build-and-maintain-a-secure-network-and-systems
      assessable: false
      depth: 1
      name: Build and Maintain a Secure Network and Systems
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:1
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:build-and-maintain-a-secure-network-and-systems
      ref_id: '1'
      name: Requirement 1
      description: Install and Maintain Network Security Controls
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:1.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:1
      ref_id: '1.1'
      description: Processes and mechanisms for installing and maintaining network
        security controls are defined and understood.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:1.1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:1.1
      ref_id: 1.1.1
      description: 'All security policies and operational procedures that are identified
        in Requirement 1 are:

        - Documented.

        - Kept up to date.

        - In use.

        - Known to all affected parties.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:1.1.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:1.1
      ref_id: 1.1.2
      description: 'Roles and responsibilities for performing activities in Requirement
        1 are documented, assigned, and understood. '
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:1.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:1
      ref_id: '1.2'
      description: Network security controls (NSCs) are configured and maintained.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:1.2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:1.2
      ref_id: 1.2.1
      description: 'Configuration standards for NSC rulesets are

        - Defined.

        - Implemented

        - Maintained.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:1.2.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:1.2
      ref_id: 1.2.2
      description: 'All changes to network connections and to configurations of NSCs
        are approved and managed in accordance with the change control process defined
        at Requirement 6.5.1. '
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:1.2.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:1.2
      ref_id: 1.2.3
      description: 'An accurate network diagram(s) is maintained that shows all connections
        between the CDE and other networks, including any wireless networks. '
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:1.2.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:1.2
      ref_id: 1.2.4
      description: 'An accurate data-flow diagram(s) is maintained that meets the
        following:

        - Shows all account data flows across systems and networks.

        - Updated as needed upon changes to the environment.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:1.2.5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:1.2
      ref_id: 1.2.5
      description: All services, protocols, and ports allowed are identified, approved,
        and have a defined business need.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:1.2.6
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:1.2
      ref_id: 1.2.6
      description: Security features are defined and implemented for all services,
        protocols, and ports that are in use and considered to be insecure, such that
        the risk is mitigated.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:1.2.7
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:1.2
      ref_id: 1.2.7
      description: Configurations of NSCs are reviewed at least once every six months
        to confirm they are relevant and effective.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:1.2.8
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:1.2
      ref_id: 1.2.8
      description: 'Configuration files for NSCs are:

        - Secured from unauthorized access.

        - Kept consistent with active network configurations.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:1.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:1
      ref_id: '1.3'
      description: Network access to and from the cardholder data environment is restricted.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:1.3.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:1.3
      ref_id: 1.3.1
      description: "Inbound traffic to the CDE is restricted as follows: \n- To only\
        \ traffic that is necessary. \n- All other traffic is specifically denied. "
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:1.3.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:1.3
      ref_id: 1.3.2
      description: 'Outbound traffic from the CDE is restricted as follows:

        - To only traffic that is necessary.

        - All other traffic is specifically denied.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:1.3.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:1.3
      ref_id: 1.3.3
      description: "NSCs are installed between all wireless networks and the CDE,\
        \ regardless of whether the wireless network is a CDE, such that: \n- All\
        \ wireless traffic from wireless networks into the CDE is denied by default.\n\
        - Only wireless traffic with an authorized business purpose is allowed into\
        \ the CDE."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:1.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:1
      ref_id: '1.4'
      description: Network connections between trusted and untrusted networks are
        controlled.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:1.4.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:1.4
      ref_id: 1.4.1
      description: NSCs are implemented between trusted and untrusted networks.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:1.4.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:1.4
      ref_id: 1.4.2
      description: 'Inbound traffic from untrusted networks to trusted networks is
        restricted to:

        - Communications with system components that are authorized to provide publicly
        accessible services, protocols, and ports.

        - Stateful responses to communications initiated by system components in a
        trusted network.

        - All other traffic is denied.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:1.4.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:1.4
      ref_id: 1.4.3
      description: 'Anti-spoofing measures are implemented to detect and block forged
        source IP addresses from entering the trusted network. '
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:1.4.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:1.4
      ref_id: 1.4.4
      description: 'System components that store cardholder data are not directly
        accessible from untrusted networks. '
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:1.4.5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:1.4
      ref_id: 1.4.5
      description: The disclosure of internal IP addresses and routing information
        is limited to only authorized parties.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:1.5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:1
      ref_id: '1.5'
      description: Risks to the CDE from computing devices that are able to connect
        to both untrusted networks and the CDE are mitigated.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:1.5.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:1.5
      ref_id: 1.5.1
      description: "Security controls are implemented on any computing devices, including\
        \ company- and employee-owned devices, that connect to both untrusted networks\
        \ (including the Internet) and the CDE as follows:\n- Specific configuration\
        \ settings are defined to prevent threats being introduced into the entity\u2019\
        s network.\n- Security controls are actively running.\n- Security controls\
        \ are not alterable by users of the computing devices unless specifically\
        \ documented and authorized by Management on a case-by-case basis for a limited\
        \ period."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:2
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:build-and-maintain-a-secure-network-and-systems
      ref_id: '2'
      name: Requirement 2
      description: Apply Secure Configurations to All System Components
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:2.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:2
      ref_id: '2.1'
      description: Processes and mechanisms for applying secure configurations to
        all system components are defined and understood.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:2.1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:2.1
      ref_id: 2.1.1
      description: 'All security policies and operational procedures that are identified
        in Requirement 2 are:

        - Documented.

        - Kept up to date.

        - In use.

        - Known to all affected parties. '
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:2.1.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:2.1
      ref_id: 2.1.2
      description: 'Roles and responsibilities for performing activities in Requirement
        2 are documented, assigned, and understood. '
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:2.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:2
      ref_id: '2.2'
      description: System components are configured and managed securely.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:2.2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:2.2
      ref_id: 2.2.1
      description: 'Configuration standards are developed, implemented, and maintained
        to:

        - Cover all system components.

        - Be consistent with industry-accepted system hardening standards or vendor
        hardening recommendations.

        - Be updated as new vulnerability issues are identified, as defined in Requirement
        6.3.1.

        - Be applied when new systems are configured and verified as in place before
        or immediately after a system component is connected to a production environment.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:2.2.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:2.2
      ref_id: 2.2.2
      description: 'Vendor default accounts are managed as follows:

        - If the vendor default account(s) will be used, the default password is changed
        per Requirement 8.3.6.

        - If the vendor default account(s) will not be used, the account is removed
        or disabled.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:2.2.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:2.2
      ref_id: 2.2.3
      description: "Primary functions requiring different security levels are managed\
        \ as follows: \n- Only one primary function exists on a system component.\n\
        OR \n- Primary functions with differing security levels that exist on the\
        \ same system component are isolated from each other.\nOR\n- Primary functions\
        \ with differing security levels on the same system component are all secured\
        \ to the level required by the function with the highest security need."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:2.2.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:2.2
      ref_id: 2.2.4
      description: Only necessary services, protocols, daemons, and functions are
        enabled, and all unnecessary functionality is removed or disabled.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:2.2.5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:2.2
      ref_id: 2.2.5
      description: 'If any insecure services, protocols, or daemons are present:

        - business justification is documented.

        - additional security features are documented and implemented that reduce
        the risk of using insecure services, protocols, or daemons.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:2.2.6
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:2.2
      ref_id: 2.2.6
      description: System security parameters are configured to prevent misuse.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:2.2.7
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:2.2
      ref_id: 2.2.7
      description: All non-console administrative access is encrypted using strong
        cryptography.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:2.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:2
      ref_id: '2.3'
      description: Wireless environments are configured and managed securely.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:2.3.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:2.3
      ref_id: 2.3.1
      description: "For wireless environments connected to the CDE or transmitting\
        \ account data, all wireless vendor defaults are changed at installation or\
        \ are confirmed to be secure, including but not limited to: \_\n- Default\
        \ wireless encryption keys.\n- Default wireless encryption keys.\n- Passwords\
        \ on wireless access points.\n- SNMP defaults.\n- Any other security-related\
        \ wireless vendor defaults."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:2.3.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:2.3
      ref_id: 2.3.2
      description: 'For wireless environments connected to the CDE or transmitting
        account data, wireless encryption keys are changed as follows:

        - Whenever personnel with knowledge of the key leave the company or the role
        for which the knowledge was necessary.

        - Whenever a key is suspected of or known to be compromised.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:protect-account-data
      assessable: false
      depth: 1
      name: Protect Account Data
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:3
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:protect-account-data
      ref_id: '3'
      name: Requirement 3
      description: Protect Stored Account Data
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:3.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:3
      ref_id: '3.1'
      description: Processes and mechanisms for protecting stored account data are
        defined and understood.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:3.1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:3.1
      ref_id: 3.1.1
      description: 'All security policies and operational procedures that are identified
        in Requirement 3 are:

        - Documented.

        - Kept up to date.

        - In use.

        - Known to all affected parties.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:3.1.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:3.1
      ref_id: 3.1.2
      description: 'Roles and responsibilities for performing activities in Requirement
        3 are documented, assigned, and understood. '
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:3.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:3
      ref_id: '3.2'
      description: Storage of account data is kept to a minimum.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:3.2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:3.2
      ref_id: 3.2.1
      description: 'Account data storage is kept to a minimum through implementation
        of data retention and disposal policies, procedures, and processes that include
        at least the following:

        - Coverage for all locations of stored account data.

        - Coverage for any sensitive authentication data (SAD) stored prior to completion
        of authorization. This bullet is a best practice until its effective date;
        refer to Applicability Notes below for details.

        - Limiting data storage amount and retention time to that which is required
        for legal or regulatory, and/or business requirements.

        - Specific retention requirements for stored account data that defines length
        of retention period and includes a documented business justification.

        - Processes for secure deletion or rendering account data unrecoverable when
        no longer

        needed per the retention policy.

        - A process for verifying, at least once every three months, that stored account
        data exceeding the defined retention period has been securely deleted or rendered
        unrecoverable.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:3.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:3
      ref_id: '3.3'
      description: Sensitive authentication data (SAD) is not stored after authorization.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:3.3.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:3.3
      ref_id: 3.3.1
      description: ' SAD is not retained after authorization, even if encrypted. All
        sensitive authentication data received is rendered unrecoverable upon completion
        of the authorization process.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:3.3.1.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:3.3.1
      ref_id: 3.3.1.1
      description: The full contents of any track are not retained upon completion
        of the authorization process.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:3.3.1.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:3.3.1
      ref_id: 3.3.1.2
      description: The card verification code is not retained upon completion of the
        authorization process.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:3.3.1.3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:3.3.1
      ref_id: 3.3.1.3
      description: The personal identification number (PIN) and the PIN block are
        not retained upon completion of the authorization process
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:3.3.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:3.3
      ref_id: 3.3.2
      description: 'SAD that is stored electronically prior to completion of authorization
        is encrypted using

        strong cryptography.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:3.3.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:3.3
      ref_id: 3.3.3
      description: 'Additional requirement for issuers and companies that support
        issuing services and store sensitive authentication data: Any storage of sensitive
        authentication data is:

        - Limited to that which is needed for a legitimate issuing business need and
        is secured.

        - Encrypted using strong cryptography. This bullet is a best practice until
        its effective date.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:3.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:3
      ref_id: '3.4'
      description: Access to displays of full PAN and ability to copy cardholder data
        are restricted.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:3.4.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:3.4
      ref_id: 3.4.1
      description: 'PAN is masked when displayed (the BIN and last four digits are
        the maximum number of digits

        to be displayed), such that only personnel with a legitimate business need
        can see more than the BIN and last four digits of the PAN.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:3.4.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:3.4
      ref_id: 3.4.2
      description: 'When using remote-access technologies, technical controls prevent
        copy and/or relocation of

        PAN for all personnel, except for those with documented, explicit authorization
        and a legitimate, defined business need.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:3.5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:3
      ref_id: '3.5'
      description: Primary account number (PAN) is secured wherever it is stored.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:3.5.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:3.5
      ref_id: 3.5.1
      description: "PAN is rendered unreadable anywhere it is stored by using any\
        \ of the following approaches:\n- One-way hashes based on strong cryptography\
        \ of the entire PAN.\n- Truncation (hashing cannot be used to replace the\
        \ truncated segment of PAN).\n\u2013 If hashed and truncated versions of the\
        \ same PAN, or different truncation formats of the same PAN, are present in\
        \ an environment, additional controls are in place such that the different\
        \ versions cannot be correlated to reconstruct the original PAN.\n-  Index\
        \ tokens.\n- Strong cryptography with associated key-management processes\
        \ and procedures."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:3.5.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:3.5
      ref_id: 3.5.2
      description: Hashes used to render PAN unreadable (per the first bullet of Requirement
        3.5.1) are keyed cryptographic hashes of the entire PAN, with associated key-management
        processes and procedures in accordance with Requirements 3.6 and 3.7.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:3.5.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:3.5
      ref_id: 3.5.3
      description: 'If disk-level or partition-level encryption rather than file-,
        column-, or field-level database encryption) is used to render PAN unreadable,
        it is implemented only as follows:

        - On removable electronic media.

        OR

        - If used for non-removable electronic media, PAN is also rendered unreadable
        via another mechanism that meets Requirement 3.5.1.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:3.5.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:3.5
      ref_id: 3.5.4
      description: 'If disk-level or partition-level encryption is used (rather than
        file-, column-, or field--level database encryption) to render PAN unreadable,
        it is managed as follows:

        - Logical access is managed separately and independently of native operating
        system authentication and access control mechanisms.

        - Decryption keys are not associated with user accounts.

        - Authentication factors (passwords, passphrases, or cryptographic keys) that
        allow access to - nencrypted data are stored securely.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:3.6
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:3
      ref_id: '3.6'
      description: Cryptographic keys used to protect stored account data are secured.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:3.6.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:3.6
      ref_id: 3.6.1
      description: 'Procedures are defined and implemented to protect cryptographic
        keys used to protect stored account data against disclosure and misuse that
        include:

        - Access to keys is restricted to the fewest number of custodians necessary.

        - Key-encrypting keys are at least as strong as the data-encrypting keys they
        protect.

        - Key-encrypting keys are stored separately from data-encrypting keys.

        - Keys are stored securely in the fewest possible locations and forms.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:3.6.1.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:3.6.1
      ref_id: 3.6.1.1
      description: 'Additional requirement for service providers only: A documented
        description of the cryptographic architecture is maintained that includes:

        - Details of all algorithms, protocols, and keys used for the protection of
        stored account data, including key strength and expiry date.

        - Preventing the use of the same cryptographic keys in production and test
        environments. This bullet is a best practice until its effective date.

        - Description of the key usage for each key.

        - Inventory of any hardware security modules (HSMs), key management systems
        (KMS), and other secure cryptographic devices (SCDs) used for key management,
        including type and location of devices, as outlined in Requirement 12.3.4.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:3.6.1.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:3.6.1
      ref_id: 3.6.1.2
      description: 'Secret and private keys used to encrypt/decrypt stored account
        data are stored in one (or more) of the following forms at all times:

        - Encrypted with a key-encrypting key that is at least as strong as the data-encrypting
        key, and that is stored separately from the data-encrypting key.

        - Within a secure cryptographic device (SCD), such as a hardware security
        module (HSM) or PTS-approved point-of-interaction device.

        - As at least two full-length key components or key shares, in accordance
        with an industry-accepted method'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:3.6.1.3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:3.6.1
      ref_id: 3.6.1.3
      description: Access to cleartext cryptographic key components is restricted
        to the fewest number of custodians necessary.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:3.6.1.4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:3.6.1
      ref_id: 3.6.1.4
      description: Cryptographic keys are stored in the fewest possible location.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:3.7
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:3
      ref_id: '3.7'
      description: Where cryptography is used to protect stored account data, key
        management processes and procedures covering all aspects of the key
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:3.7.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:3.7
      ref_id: 3.7.1
      description: Key-management policies and procedures are implemented to include
        generation of strong cryptographic keys used to protect stored account data.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:3.7.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:3.7
      ref_id: 3.7.2
      description: Key-management policies and procedures are implemented to include
        secure distribution of cryptographic keys used to protect stored account data.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:3.7.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:3.7
      ref_id: 3.7.3
      description: Key-management policies and procedures are implemented to include
        secure storage of cryptographic keys used to protect stored account data.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:3.7.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:3.7
      ref_id: 3.7.4
      description: 'Key management policies and procedures are implemented for cryptographic
        key changes for keys that have reached the end of their cryptoperiod, as defined
        by the associated application vendor or key owner, and based on industry best
        practices and guidelines, including the following:

        - A defined cryptoperiod for each key type in use.

        - A process for key changes at the end of the defined cryptoperiod.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:3.7.5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:3.7
      ref_id: 3.7.5
      description: 'Key management policies procedures are implemented to include
        the retirement, replacement, or destruction of keys used to protect stored
        account data, as deemed necessary when:

        - The key has reached the end of its defined cryptoperiod.

        - The integrity of the key has been weakened, including when personnel with
        knowledge of a cleartext key component leaves the company, or the role for
        which the key component was known.

        - The key is suspected of or known to be compromised.

        - Retired or replaced keys are not used for encryption operations.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:3.7.6
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:3.7
      ref_id: 3.7.6
      description: Where manual cleartext cryptographic key-management operations
        are performed by personnel, key-management policies and procedures are implemented
        include managing these operations using split knowledge and dual control.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:3.7.7
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:3.7
      ref_id: 3.7.7
      description: Key management policies and procedures are implemented to include
        the prevention of unauthorized substitution of cryptographic keys.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:3.7.8
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:3.7
      ref_id: 3.7.8
      description: Key management policies and procedures are implemented to include
        that cryptographic key custodians formally acknowledge (in writing or electronically)
        that they understand and accept their key-custodian responsibilities.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:3.7.9
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:3.7
      ref_id: 3.7.9
      description: "Additional testing procedure for service provider assessments\
        \ only: If the service provider shares cryptographic keys with its customers\
        \ for transmission or storage of account data, examine the documentation that\
        \ the service provider provides to its customers to verify it includes guidance\
        \ on how to securely transmit, store, and update customers\u2019 keys in accordance\
        \ with all elements specified in Requirements 3.7.1 through 3.7.8 above."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:4
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:protect-account-data
      ref_id: '4'
      name: Requirement 4
      description: Protect Cardholder Data with Strong Cryptography During Transmission
        Over Open, Public Networks
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:4.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:4
      ref_id: '4.1'
      description: Processes and mechanisms for protecting cardholder data with strong
        cryptography during transmission over open, public networks are defined and
        documented.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:4.1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:4.1
      ref_id: 4.1.1
      description: 'All security policies and operational procedures that are identified
        in Requirement 4 are:

        - Documented.

        - Kept up to date.

        - In use.

        - Known to all affected parties'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:4.1.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:4.1
      ref_id: 4.1.2
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:4.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:4
      ref_id: '4.2'
      description: PAN is protected with strong cryptography during transmission.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:4.2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:4.2
      ref_id: 4.2.1
      description: 'Strong cryptography and security protocols are implemented as
        follows to safeguard PAN during transmission over open, public networks:

        - Only trusted keys and certificates are accepted.

        - Certificates used to safeguard PAN during transmission over open, public
        networks are confirmed as valid and are not expired or revoked. This bullet
        is a best practice until its effective date; refer to applicability notes
        below for details.

        - The protocol in use supports only secure versions or configurations and
        does not support fallback to, or use of insecure versions, algorithms, key
        sizes, or implementations.

        - The encryption strength is appropriate for the encryption methodology in
        use.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:4.2.1.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:4.2.1
      ref_id: 4.2.1.1
      description: "An inventory of the entity\u2019s trusted keys and certificates\
        \ used to protect PAN during transmission is maintained."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:4.2.1.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:4.2.1
      ref_id: 4.2.1.2
      description: Wireless networks transmitting PAN or connected to the CDE use
        industry best practices to implement strong cryptography for authentication
        and transmission.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:4.2.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:4.2
      ref_id: 4.2.2
      description: PAN is secured with strong cryptography whenever it is sent via
        end-user messaging technologies.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:maintain-a-vulnerability-management-program
      assessable: false
      depth: 1
      name: Maintain a Vulnerability Management Program
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:5
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:maintain-a-vulnerability-management-program
      ref_id: '5'
      name: Requirement 5
      description: Protect All Systems and Networks from Malicious Software
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:5.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:5
      ref_id: '5.1'
      description: Processes and mechanisms for protecting all systems and networks
        from malicious software are defined and understood.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:5.1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:5.1
      ref_id: 5.1.1
      description: 'All security policies and operational procedures that are identified
        in Requirement 5 are:

        - Documented.

        - Kept up to date.

        - In use.

        - Known to all affected parties.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:5.1.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:5.1
      ref_id: 5.1.2
      description: Roles and responsibilities for performing activities in Requirement
        5 are documented, assigned, and understood.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:5.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:5
      ref_id: '5.2'
      description: Malicious software (malware) is prevented, or detected and addressed.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:5.2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:5.2
      ref_id: 5.2.1
      description: An anti-malware solution(s) is deployed on all system components,
        except for those system components identified in periodic evaluations per
        Requirement 5.2.3 that concludes the system components are not at risk from
        malware.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:5.2.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:5.2
      ref_id: 5.2.2
      description: 'The deployed anti-malware solution(s):

        - Detects all known types of malware.

        - Removes, blocks, or contains all known types of malware.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:5.2.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:5.2
      ref_id: 5.2.3
      description: 'Any system components that are not at risk for malware are evaluated
        periodically to include the following:

        - A documented list of all system components not at risk for malware.

        - Identification and evaluation of evolving malware threats for those system
        components.

        - Confirmation whether such system components continue to not require anti-malware
        protection.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:5.2.3.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:5.2.3
      ref_id: 5.2.3.1
      description: "The frequency of periodic evaluations of system components identified\
        \ as not at risk for malware is defined in the entity\u2019s targeted risk\
        \ analysis, which is performed according to all elements specified in Requirement\
        \ 12.3.1."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:5.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:5
      ref_id: '5.3'
      description: Anti-malware mechanisms and processes are active, maintained, and
        monitored.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:5.3.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:5.3
      ref_id: 5.3.1
      description: The anti-malware solution(s) is kept current via automatic updates.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:5.3.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:5.3
      ref_id: 5.3.2
      description: "The anti-malware solution(s):\n- Performs periodic scans and active\
        \ or real-time scans. \nOR\n- Performs continuous behavioral analysis of systems\
        \ or processes."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:5.3.2.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:5.3.2
      ref_id: 5.3.2.1
      description: "If periodic malware scans are performed to meet Requirement 5.3.2,\
        \ the frequency of scans is defined in the entity\u2019s targeted risk analysis,\
        \ which is performed according to all elements specified in Requirement 12.3.1."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:5.3.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:5.3
      ref_id: 5.3.3
      description: 'For removable electronic media, the anti-malware solution(s):

        - Performs automatic scans of when the media is inserted, connected, or logically
        mounted,

        OR

        - Performs continuous behavioral analysis of systems or processes when the
        media is inserted, connected, or logically mounted.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:5.3.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:5.3
      ref_id: 5.3.4
      description: Audit logs for the anti-malware solution(s) are enabled and retained
        in accordance with Requirement 10.5.1.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:5.3.5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:5.3
      ref_id: 5.3.5
      description: Anti-malware mechanisms cannot be disabled or altered by users,
        unless specifically documented, and authorized by management on a case-by-case
        basis for a limited time period.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:5.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:5
      ref_id: '5.4'
      description: Anti-phishing mechanisms protect users against phishing attacks.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:5.4.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:5.4
      ref_id: 5.4.1
      description: Processes and automated mechanisms are in place to detect and protect
        personnel against phishing attacks.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:6
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:maintain-a-vulnerability-management-program
      ref_id: '6'
      name: Requirement 6
      description: Develop and Maintain Secure Systems and Software
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:6.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:6
      ref_id: '6.1'
      description: Processes and mechanisms for developing and maintaining secure
        systems and software are defined and understood.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:6.1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:6.1
      ref_id: 6.1.1
      description: 'All security policies and operational procedures that are identified
        in Requirement 6 are:

        - Documented.

        - Kept up to date.

        - In use.

        - Known to all affected parties.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:6.1.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:6.1
      ref_id: 6.1.2
      description: Roles and responsibilities for performing activities in Requirement
        6 are documented, assigned, and understood.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:6.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:6
      ref_id: '6.2'
      description: Bespoke and custom software are developed securely.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:6.2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:6.2
      ref_id: 6.2.1
      description: 'Bespoke and custom software are developed

        securely, as follows:

        - Based on industry standards and/or best practices for secure development.

        - In accordance with PCI DSS (for example, secure authentication and logging).

        - Incorporating consideration of information security issues during each stage
        of the software development lifecycle.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:6.2.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:6.2
      ref_id: 6.2.2
      description: 'Software development personnel working on bespoke and custom software
        are trained at least once every 12 months as follows:

        - On software security relevant to their job function and development languages.

        - Including secure software design and secure coding techniques.

        - Including, if security testing tools are used, how to use the tools for
        detecting vulnerabilities in software.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:6.2.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:6.2
      ref_id: 6.2.3
      description: 'Bespoke and custom software is reviewed prior to being released
        into production or to customers, to identify and correct potential coding
        vulnerabilities, as follows:

        - Code reviews ensure code is developed according to secure coding guidelines.

        - Code reviews look for both existing and emerging software vulnerabilities.

        - Appropriate corrections are implemented prior to release.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:6.2.3.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:6.2.3
      ref_id: 6.2.3.1
      description: 'If manual code reviews are performed for bespoke and custom software
        prior to release to production, code changes are:

        - Reviewed by individuals other than the originating code author, and who
        are knowledgeable about code-review techniques

        and secure coding practices.

        - Reviewed and approved by management prior to release.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:6.2.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:6.2
      ref_id: 6.2.4
      description: "Software engineering techniques or other methods are defined and\
        \ in use by software development personnel to prevent or mitigate common software\
        \ attacks and related vulnerabilities in bespoke and custom software, including\
        \ but not limited to the following:\n- Injection attacks, including SQL, LDAP,\
        \ XPath, or other command, parameter, object, fault, or injection-type flaws.\n\
        - Attacks on data and data structures, including attempts to manipulate buffers,\
        \ pointers, input data, or shared data.\n- Attacks on cryptography usage,\
        \ including attempts to exploit weak, insecure, or inappropriate cryptographic\
        \ implementations, algorithms, cipher suites, or modes of operation.\n- Attacks\
        \ on business logic, including attempts to abuse or bypass application features\
        \ and functionalities through the manipulation of APIs, communication protocols\
        \ and channels, client-side functionality, or other system/application functions\
        \ and resources. This includes cross-site scripting (XSS) and cross-site request\
        \ forgery (CSRF).\n-  Attacks on access control mechanisms, including attempts\
        \ to bypass or abuse identification, authentication, or authorization mechanisms,\
        \ or attempts to exploit weaknesses in the implementation of such mechanisms.\n\
        - Attacks via any \u201Chigh-risk\u201D vulnerabilities identified in the\
        \ vulnerability identification process, as defined in Requirement 6.3.1."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:6.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:6
      ref_id: '6.3'
      description: Security vulnerabilities are identified and addressed.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:6.3.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:6.3
      ref_id: 6.3.1
      description: 'Security vulnerabilities are identified and managed as follows:

        - New security vulnerabilities are identified using industry-recognized sources
        for security vulnerability information, including alerts from international
        and national computer emergency response teams (CERTs).

        - Vulnerabilities are assigned a risk ranking based on industry best practices
        and consideration of potential impact.

        - Risk rankings identify, at a minimum, all vulnerabilities considered to
        be a high-risk or critical to the environment.

        - Vulnerabilities for bespoke and custom, and third-party software (for example
        operating systems and databases) are covered.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:6.3.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:6.3
      ref_id: 6.3.2
      description: An inventory of bespoke and custom software, and third-party software
        components incorporated into bespoke and custom software is maintained to
        facilitate vulnerability and patch management.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:6.3.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:6.3
      ref_id: 6.3.3
      description: 'All system components are protected from known vulnerabilities
        by installing applicable security patches/updates as follows:

        - Critical or high-security patches/updates (identified according to the risk
        ranking process at Requirement 6.3.1) are installed within one month of release.

        - All other applicable security patches/updates are installed within an appropriate
        time frame as determined by the entity (for example, within three months of
        release).'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:6.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:6
      ref_id: '6.4'
      description: Public-facing web applications are protected against attacks.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:6.4.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:6.4
      ref_id: 6.4.1
      description: " For public-facing web applications, new threats and vulnerabilities\
        \ are addressed on an ongoing basis and these applications are protected against\
        \ known attacks as follows:\n-  Reviewing public-facing web applications via\
        \ manual or automated application vulnerability security assessment tools\
        \ or methods as follows:\n    \u2013 At least once every 12 months and after\
        \ significant changes.\n    \u2013 By an entity that specializes in application\
        \ security.\n    \u2013 Including, at a minimum, all common software attacks\
        \ in Requirement 6.2.4.\n    \u2013 All vulnerabilities are ranked in accordance\
        \ with requirement 6.3.1.\n    \u2013 All vulnerabilities are corrected.\n\
        \    \u2013 The application is re-evaluated after the corrections\nOR\n- Installing\
        \ an automated technical solution(s) that continually detects and prevents\
        \ web-based attacks as follows:\n    \u2013 Installed in front of public-facing\
        \ web applications to detect and prevent web-based attacks.\n    \u2013 Actively\
        \ running and up to date as applicable.\n    \u2013 Generating audit logs.\n\
        \    \u2013 Configured to either block web-based attacks or generate an alert\
        \ that is immediately investigated."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:6.4.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:6.4
      ref_id: 6.4.2
      description: 'For public-facing web applications, an automated technical solution
        is deployed that continually detects and prevents web-based attacks, with
        at least the following:

        - Is installed in front of public-facing web applications and is configured
        to detect and prevent web-based attacks.

        - Actively running and up to date as applicable.

        - Generating audit logs.

        - Configured to either block web-based attacks or generate an alert that is
        immediately investigated.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:6.4.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:6.4
      ref_id: 6.4.3
      description: "All payment page scripts that are loaded and executed in the consumer\u2019\
        s browser are managed as follows:\n\u2022 A method is implemented to confirm\
        \ that each script is authorized.\n\u2022 A method is implemented to assure\
        \ the integrity of each script.\n\u2022 An inventory of all scripts is maintained\
        \ with written justification as to why each is necessary."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:6.5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:6
      ref_id: '6.5'
      description: Changes to all system components are managed securely.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:6.5.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:6.5
      ref_id: 6.5.1
      description: 'Changes to all system components in the production environment
        are made according to established procedures that include:

        - Reason for, and description of, the change.

        - Documentation of security impact.

        - Documented change approval by authorized parties.

        - Testing to verify that the change does not adversely impact system security.

        - For bespoke and custom software changes, all updates are tested for compliance
        with Requirement 6.2.4 before being deployed into production.

        - Procedures to address failures and return to a secure state.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:6.5.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:6.5
      ref_id: 6.5.2
      description: Upon completion of a significant change, all applicable PCI DSS
        requirements are confirmed to be in place on all new or changed systems and
        networks, and documentation is updated as applicable.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:6.5.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:6.5
      ref_id: 6.5.3
      description: Pre-production environments are separated from production environments
        and the separation is enforced with access controls.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:6.5.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:6.5
      ref_id: 6.5.4
      description: Roles and functions are separated between production and pre-production
        environments to provide accountability such that only reviewed and approved
        changes are deployed.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:6.5.5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:6.5
      ref_id: 6.5.5
      description: Live PANs are not used in pre-production environments, except where
        those environments are included in the CDE and protected in accordance with
        all applicable PCI DSS requirements.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:6.5.6
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:6.5
      ref_id: 6.5.6
      description: Test data and test accounts are removed from system components
        before the system goes into production.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:implement-strong-access-control-measures
      assessable: false
      depth: 1
      name: Implement Strong Access Control Measures
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:7
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:implement-strong-access-control-measures
      ref_id: '7'
      name: Requirement 7
      description: Restrict Access to System Components and Cardholder Data by Business
        Need to Know
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:7.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:7
      ref_id: '7.1'
      description: Processes and mechanisms for restricting access to system components
        and cardholder data by business need to know are defined and understood.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:7.1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:7.1
      ref_id: 7.1.1
      description: 'All security policies and operational procedures that are identified
        in Requirement 7 are:

        - Documented.

        - Kept up to date.

        - In use.

        - Known to all affected parties.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:7.1.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:7.1
      ref_id: 7.1.2
      description: Roles and responsibilities for performing activities in Requirement
        7 are documented, assigned, and understood.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:7.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:7
      ref_id: '7.2'
      description: Access to system components and data is appropriately defined and
        assigned.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:7.2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:7.2
      ref_id: 7.2.1
      description: "An access control model is defined and includes granting access\
        \ as follows:\n- Appropriate access depending on the entity\u2019s business\
        \ and access needs.\n- Access to system components and data resources that\
        \ is based on users\u2019 job classification and functions.\n- The least privileges\
        \ required (for example, user, administrator) to perform a job function."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:7.2.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:7.2
      ref_id: 7.2.2
      description: 'Access is assigned to users, including privileged users, based
        on:

        - Job classification and function.

        - Least privileges necessary to perform job responsibilities.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:7.2.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:7.2
      ref_id: 7.2.3
      description: Required privileges are approved by authorized personnel.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:7.2.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:7.2
      ref_id: 7.2.4
      description: 'All user accounts and related access privileges, including third-party/vendor
        accounts, are reviewed as follows:

        - At least once every six months.

        - To ensure user accounts and access remain appropriate based on job function.

        - Any inappropriate access is addressed.

        - Management acknowledges that access remains appropriate.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:7.2.5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:7.2
      ref_id: 7.2.5
      description: 'All application and system accounts and related access privileges
        are assigned and managed as follows:

        - Based on the least privileges necessary for the operability of the system
        or application.

        - Access is limited to the systems, applications, or processes that specifically
        require their use.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:7.2.5.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:7.2.5
      ref_id: 7.2.5.1
      description: "All access by application and system accounts and related access\
        \ privileges are reviewed as follows:\n- Periodically (at the frequency defined\
        \ in the entity\u2019s targeted risk analysis, which is performed according\
        \ to all elements specified in Requirement 12.3.1).\n- The application/system\
        \ access remains appropriate for the function being performed.\n- Any inappropriate\
        \ access is addressed.\n- Management acknowledges that access remains appropriate."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:7.2.6
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:7.2
      ref_id: 7.2.6
      description: 'All user access to query repositories of stored cardholder data
        is restricted as follows:

        - Via applications or other programmatic methods, with access and allowed
        actions based on user roles and least privileges.

        - Only the responsible administrator(s) can directly access or query repositories
        of stored CHD.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:7.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:7
      ref_id: '7.3'
      description: Access to system components and data is managed via an access control
        system(s).
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:7.3.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:7.3
      ref_id: 7.3.1
      description: "An access control system(s) is in place that restricts access\
        \ based on a user\u2019s need to know and covers all system components."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:7.3.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:7.3
      ref_id: 7.3.2
      description: The access control system(s) is configured to enforce permissions
        assigned to individuals, applications, and systems based on job classification
        and function.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:7.3.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:7.3
      ref_id: 7.3.3
      description: "The access control system(s) is set to \u201Cdeny all\u201D by\
        \ default."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:8
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:implement-strong-access-control-measures
      ref_id: '8'
      name: Requirement 8
      description: Identify Users and Authenticate Access to System Components
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:8.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:8
      ref_id: '8.1'
      description: Processes and mechanisms for identifying users and authenticating
        access to system components are defined and understood.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:8.1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:8.1
      ref_id: 8.1.1
      description: 'All security policies and operational procedures that are identified
        in Requirement 8 are:

        - Documented.

        - Kept up to date.

        - In use.

        - Known to all affected parties.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:8.1.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:8.1
      ref_id: 8.1.2
      description: Roles and responsibilities for performing activities in Requirement
        8 are documented, assigned, and understood.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:8.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:8
      ref_id: '8.2'
      description: "User identification and related accounts for users and administrators\
        \ are strictly managed throughout an account\u2019s lifecycle."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:8.2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:8.2
      ref_id: 8.2.1
      description: All users are assigned a unique ID before access to system components
        or cardholder data is allowed.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:8.2.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:8.2
      ref_id: 8.2.2
      description: 'Group, shared, or generic accounts, or other shared authentication
        credentials are only used when necessary on an exception basis, and are managed
        as follows:

        -  Account use is prevented unless needed for an exceptional circumstance.

        - Use is limited to the time needed for the exceptional circumstance.

        - Business justification for use is documented.

        - Use is explicitly approved by management.

        - Individual user identity is confirmed before access to an account is granted.

        - Every action taken is attributable to an individual user.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:8.2.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:8.2
      ref_id: 8.2.3
      description: 'Additional requirement for service providers only: Service providers
        with remote access to customer premises use unique authentication factors
        for each customer premises.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:8.2.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:8.2
      ref_id: 8.2.4
      description: 'Addition, deletion, and modification of user IDs, authentication
        factors, and other identifier objects are managed as follows:

        - Authorized with the appropriate approval.

        - Implemented with only the privileges specified on the documented approval.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:8.2.5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:8.2
      ref_id: 8.2.5
      description: Access for terminated users is immediately revoked.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:8.2.6
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:8.2
      ref_id: 8.2.6
      description: Inactive user accounts are removed or disabled within 90 days of
        inactivity.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:8.2.7
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:8.2
      ref_id: 8.2.7
      description: 'Accounts used by third parties to access, support, or maintain
        system components via remote access are managed as follows:

        - Enabled only during the time period needed and disabled when not in use.

        - Use is monitored for unexpected activity.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:8.2.8
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:8.2
      ref_id: 8.2.8
      description: If a user session has been idle for more than 15 minutes, the user
        is required to re-authenticate to re-activate the terminal or session.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:8.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:8
      ref_id: '8.3'
      description: Strong authentication for users and administrators is established
        and managed.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:8.3.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:8.3
      ref_id: 8.3.1
      description: "All user access to system components for users and administrators\
        \ is authenticated via at least one of the following authentication factors:\n\
        \u2022 Something you know, such as a password or passphrase.\n\u2022 Something\
        \ you have, such as a token device or smart card.\n\u2022 Something you are,\
        \ such as a biometric element."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:8.3.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:8.3
      ref_id: 8.3.2
      description: Strong cryptography is used to render all authentication factors
        unreadable during transmission and storage on all system components.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:8.3.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:8.3
      ref_id: 8.3.3
      description: User identity is verified before modifying any authentication factor.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:8.3.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:8.3
      ref_id: 8.3.4
      description: "Invalid authentication attempts are limited by:\n- Locking out\
        \ the user ID after not more than 10 attempts.\n- Setting the lockout duration\
        \ to a minimum of 30 minutes or until the user\u2019s identity is confirmed."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:8.3.5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:8.3
      ref_id: 8.3.5
      description: 'If passwords/passphrases are used as authentication factors to
        meet Requirement 8.3.1, they are set and reset for each user as follows:

        - Set to a unique value for first-time use and upon reset.

        - Forced to be changed immediately after the first use.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:8.3.6
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:8.3
      ref_id: 8.3.6
      description: 'If passwords/passphrases are used as authentication factors to
        meet Requirement 8.3.1, they meet the following minimum level of complexity:

        - A minimum length of 12 characters (or IF the system does not support 12
        characters, a minimum length of eight characters).

        - Contain both numeric and alphabetic characters.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:8.3.7
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:8.3
      ref_id: 8.3.7
      description: Individuals are not allowed to submit a new password/passphrase
        that is the same as any of the last four passwords/passphrases used.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:8.3.8
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:8.3
      ref_id: 8.3.8
      description: 'Authentication policies and procedures are documented and communicated
        to all users including:

        - Guidance on selecting strong authentication factors.

        - Guidance for how users should protect their authentication factors.

        - Instructions not to reuse previously used passwords/passphrases.

        - Instructions to change passwords/passphrases if there is any suspicion or
        knowledge that the password/passphrases have been compromised and how to report
        the incident.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:8.3.9
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:8.3
      ref_id: 8.3.9
      description: "If passwords/passphrases are used as the only authentication factor\
        \ for user access (i.e., in any single-factor authentication implementation)\
        \ then either:\n\u2022 Passwords/passphrases are changed at least once every\
        \ 90 days,\nOR\n\u2022 The security posture of accounts is dynamically analyzed,\
        \ and real-time access to resources is automatically determined accordingly."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:8.3.10
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:8.3
      ref_id: 8.3.10
      description: 'Additional requirement for service providers only: If passwords/passphrases
        are used as the only authentication factor for customer user access to cardholder
        data (i.e., in any single- factor authentication implementation), then guidance
        is provided to customer users including:

        - Guidance for customers to change their user passwords/passphrases periodically.

        - Guidance as to when, and under what circumstances, passwords/passphrases
        are to be changed.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:8.3.10.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:8.3.10
      ref_id: 8.3.10.1
      description: "Additional requirement for service providers only: If passwords/passphrases\
        \ are used as the only authentication factor for customer user access (i.e.,\
        \ in any single-factor authentication implementation) then either:\n\u2022\
        \ Passwords/passphrases are changed at least once every 90 days,\nOR\n\u2022\
        \ The security posture of accounts is dynamically analyzed, and real-time\
        \ access to resources is automatically determined accordingly."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:8.3.11
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:8.3
      ref_id: 8.3.11
      description: 'Where authentication factors such as physical or logical security
        tokens, smart cards, or certificates are used:

        - Factors are assigned to an individual user and not shared among multiple
        users.

        - Physical and/or logical controls ensure only the intended user can use that
        factor to gain access.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:8.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:8
      ref_id: '8.4'
      description: Multi-factor authentication (MFA) is implemented to secure access
        into the CDE.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:8.4.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:8.4
      ref_id: 8.4.1
      description: MFA is implemented for all non-console access into the CDE for
        personnel with administrative access.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:8.4.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:8.4
      ref_id: 8.4.2
      description: MFA is implemented for all access into the CDE.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:8.4.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:8.4
      ref_id: 8.4.3
      description: "MFA is implemented for all remote network access originating from\
        \ outside the entity\u2019s network that could access or impact the CDE as\
        \ follows:\n- All remote access by all personnel, both users and administrators,\
        \ originating from outside the entity\u2019s network.\n- All remote access\
        \ by third parties and vendors."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:8.5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:8
      ref_id: '8.5'
      description: Multi-factor authentication (MFA) systems are configured to prevent
        misuse.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:8.5.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:8.5
      ref_id: 8.5.1
      description: 'MFA systems are implemented as follows:

        - The MFA system is not susceptible to replay attacks.

        - MFA systems cannot be bypassed by any users, including administrative users
        unless specifically documented, and authorized by management on an exception
        basis, for a limited time period.

        - At least two different types of authentication factors are used.

        - Success of all authentication factors is required before access is granted.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:8.6
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:8
      ref_id: '8.6'
      description: Use of application and system accounts and associated authentication
        factors is strictly managed.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:8.6.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:8.6
      ref_id: 8.6.1
      description: 'If accounts used by systems or applications can be used for interactive
        login, they are managed as follows:

        - Interactive use is prevented unless needed for an exceptional circumstance.

        - Interactive use is limited to the time needed for the exceptional circumstance.

        - Business justification for interactive use is documented.

        - Interactive use is explicitly approved by management.

        - Individual user identity is confirmed before access to account is granted.

        - Every action taken is attributable to an individual user.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:8.6.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:8.6
      ref_id: 8.6.2
      description: Passwords/passphrases for any application and system accounts that
        can be used for interactive login are not hard coded in scripts, configuration/property
        files, or bespoke and custom source code.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:8.6.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:8.6
      ref_id: 8.6.3
      description: "Passwords/passphrases for any application and system accounts\
        \ are protected against misuse as follows:\n- Passwords/passphrases are changed\
        \ periodically (at the frequency defined in the entity\u2019s targeted risk\
        \ analysis, which is performed according to all elements specified in Requirement\
        \ 12.3.1) and upon suspicion or confirmation of compromise.\n- Passwords/passphrases\
        \ are constructed with sufficient complexity appropriate for how frequently\
        \ the entity changes the passwords/passphrases."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:9
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:implement-strong-access-control-measures
      ref_id: '9'
      name: Requirement 9
      description: Restrict Physical Access to Cardholder Data
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:9.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:9
      ref_id: '9.1'
      description: Processes and mechanisms for restricting physical access to cardholder
        data are defined and undood.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:9.1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:9.1
      ref_id: 9.1.1
      description: 'All security policies and operational procedures that are identified
        in Requirement 9 are:

        - Documented.

        - Kept up to date.

        - In use.

        - Known to all affected parties.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:9.1.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:9.1
      ref_id: 9.1.2
      description: Roles and responsibilities for performing activities in Requirement
        9 are documented, assigned, and understood.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:9.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:9
      ref_id: '9.2'
      description: Physical access controls manage entry into facilities and systems
        containing cardholder data.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:9.2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:9.2
      ref_id: 9.2.1
      description: Appropriate facility entry controls are in place to restrict physical
        access to systems in the CDE.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:9.2.1.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:9.2.1
      ref_id: 9.2.1.1
      description: 'Individual physical access to sensitive areas within the CDE is
        monitored with either video cameras or physical access control mechanisms
        (or both) as follows:

        - Entry and exit points to/from sensitive areas within the CDE are monitored.

        - Monitoring devices or mechanisms are protected from tampering or disabling.

        - Collected data is reviewed and correlated with other entries.

        - Collected data is stored for at least three months, unless otherwise restricted
        by law.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:9.2.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:9.2
      ref_id: 9.2.2
      description: Physical and/or logical controls are implemented to restrict use
        of publicly accessible network jacks within the facility.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:9.2.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:9.2
      ref_id: 9.2.3
      description: Physical access to wireless access points, gateways, networking/communications
        hardware, and telecommunication lines within the facility is restricted.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:9.2.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:9.2
      ref_id: 9.2.4
      description: Access to consoles in sensitive areas is restricted via locking
        when not in use.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:9.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:9
      ref_id: '9.3'
      description: Physical access for personnel and visitors is authorized and managed.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:9.3.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:9.3
      ref_id: 9.3.1
      description: "Procedures are implemented for authorizing and managing physical\
        \ access of personnel to the CDE, including:\n- Identifying personnel.\n-\
        \ Managing changes to an individual\u2019s physical access requirements.\n\
        - Revoking or terminating personnel identification.\n- Limiting access to\
        \ the identification process or system to authorized personnel"
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:9.3.1.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:9.3.1
      ref_id: 9.3.1.1
      description: 'Physical access to sensitive areas within the CDE for personnel
        is controlled as follows:

        - Access is authorized and based on individual job function.

        - Access is revoked immediately upon termination.

        - All physical access mechanisms, such as keys, access cards, etc., are returned
        or disabled upon termination.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:9.3.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:9.3
      ref_id: 9.3.2
      description: 'Procedures are implemented for authorizing and managing visitor
        access to the CDE, including:

        - Visitors are authorized before entering.

        - Visitors are escorted at all times.

        - Visitors are clearly identified and given a badge or other identification
        that expires.

        - Visitor badges or other identification visibly distinguishes visitors from
        personnel.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:9.3.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:9.3
      ref_id: 9.3.3
      description: Visitor badges or identification are surrendered or deactivated
        before visitors leave the facility or at the date of expiration.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:9.3.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:9.3
      ref_id: 9.3.4
      description: "A visitor log is used to maintain a physical record of visitor\
        \ activity within the facility and within sensitive areas, including:\n- The\
        \ visitor\u2019s name and the organization represented.\n- The date and time\
        \ of the visit.\n- The name of the personnel authorizing physical access.\n\
        - Retaining the log for at least three months, unless otherwise restricted\
        \ by law."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:9.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:9
      ref_id: '9.4'
      description: Media with cardholder data is securely stored, accessed, distributed,
        and destroyed.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:9.4.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:9.4
      ref_id: 9.4.1
      description: All media with cardholder data is physically secured.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:9.4.1.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:9.4.1
      ref_id: 9.4.1.1
      description: Offline media backups with cardholder data are stored in a secure
        location.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:9.4.1.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:9.4.1
      ref_id: 9.4.1.2
      description: The security of the offline media backup location(s) with cardholder
        data is reviewed at least once every 12 months.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:9.4.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:9.4
      ref_id: 9.4.2
      description: All media with cardholder data is classified in accordance with
        the sensitivity of the data.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:9.4.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:9.4
      ref_id: 9.4.3
      description: 'Media with cardholder data sent outside the facility is secured
        as follows:

        - Media sent outside the facility is logged.

        - Media is sent by secured courier or other delivery method that can be accurately
        tracked.

        - Offsite tracking logs include details about media location.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:9.4.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:9.4
      ref_id: 9.4.4
      description: Management approves all media with cardholder data that is moved
        outside the facility (including when media is distributed to individuals).
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:9.4.5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:9.4
      ref_id: 9.4.5
      description: Inventory logs of all electronic media with cardholder data are
        maintained.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:9.4.5.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:9.4.5
      ref_id: 9.4.5.1
      description: Inventories of electronic media with cardholder data are conducted
        at least once every 12 months.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:9.4.6
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:9.4
      ref_id: 9.4.6
      description: "Hard-copy materials with cardholder data are destroyed when no\
        \ longer needed for business or legal reasons, as follows:\n\u2022 Materials\
        \ are cross-cut shredded, incinerated, or pulped so that cardholder data cannot\
        \ be reconstructed.\n\u2022 Materials are stored in secure storage containers\
        \ prior to destruction."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:9.4.7
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:9.4
      ref_id: 9.4.7
      description: 'Electronic media with cardholder data is destroyed when no longer
        needed for business or legal reasons via one of the following:

        - The electronic media is destroyed.

        - The cardholder data is rendered unrecoverable so that it cannot be reconstructed.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:9.5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:9
      ref_id: '9.5'
      description: Point of interaction (POI) devices are protected from tampering
        and unauthorized substitution.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:9.5.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:9.5
      ref_id: 9.5.1
      description: 'POI devices that capture payment card data via direct physical
        interaction with the payment card form factor are protected from tampering
        and unauthorized substitution, including the following:

        - Maintaining a list of POI devices.

        - Periodically inspecting POI devices to look for tampering or unauthorized
        substitution.

        - Training personnel to be aware of suspicious behavior and to report tampering
        or unauthorized substitution of devices.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:9.5.1.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:9.5.1
      ref_id: 9.5.1.1
      description: 'An up-to-date list of POI devices is maintained, including:

        - Make and model of the device.

        - Location of device.

        - Device serial number or other methods of unique identification.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:9.5.1.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:9.5.1
      ref_id: 9.5.1.2
      description: POI device surfaces are periodically inspected to detect tampering
        and unauthorized substitution.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:9.5.1.2.1
      assessable: true
      depth: 6
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:9.5.1.2
      ref_id: 9.5.1.2.1
      description: "The frequency of periodic POI device inspections and the type\
        \ of inspections performed is defined in the entity\u2019s targeted risk analysis,\
        \ which is performed according to all elements specified in Requirement 12.3.1."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:9.5.1.3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:9.5.1
      ref_id: 9.5.1.3
      description: 'Training is provided for personnel in POI environments to be aware
        of attempted tampering or replacement of POI devices, and includes:

        - Verifying the identity of any third-party persons claiming to be repair
        or maintenance personnel, before granting them access to modify or troubleshoot
        devices.

        - Procedures to ensure devices are not installed, replaced, or returned without
        verification.

        - Being aware of suspicious behavior around devices.

        - Reporting suspicious behavior and indications of device tampering or substitution
        to appropriate personnel.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:regularly-monitor-and-test-networks
      assessable: false
      depth: 1
      name: Regularly Monitor and Test Networks
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:10
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:regularly-monitor-and-test-networks
      ref_id: '10'
      name: Requirement 10
      description: Log and Monitor All Access to System Components and Cardholder
        Data
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:10.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:10
      ref_id: '10.1'
      description: Processes and mechanisms for logging and monitoring all access
        to system components and cardholder data are defined and documented.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:10.1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:10.1
      ref_id: 10.1.1
      description: 'All security policies and operational procedures that are identified
        in Requirement 10 are:

        - Documented.

        - Kept up to date.

        - In use.

        - Known to all affected parties.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:10.1.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:10.1
      ref_id: 10.1.2
      description: Roles and responsibilities for performing activities in Requirement
        10 are documented, assigned, and understood
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:10.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:10
      ref_id: '10.2'
      description: Audit logs are implemented to support the detection of anomalies
        and suspicious activity, and the forensic analysis of events.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:10.2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:10.2
      ref_id: 10.2.1
      description: Audit logs are enabled and active for all system components and
        cardholder data.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:10.2.1.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:10.2.1
      ref_id: 10.2.1.1
      description: Audit logs capture all individual user access to cardholder data.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:10.2.1.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:10.2.1
      ref_id: 10.2.1.2
      description: Audit logs capture all actions taken by any individual with administrative
        access, including any interactive use of application or system accounts.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:10.2.1.3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:10.2.1
      ref_id: 10.2.1.3
      description: Audit logs capture all access to audit logs.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:10.2.1.4
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:10.2.1
      ref_id: 10.2.1.4
      description: Audit logs capture all invalid logical access attempts.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:10.2.1.5
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:10.2.1
      ref_id: 10.2.1.5
      description: 'Audit logs capture all changes to identification and authentication
        credentials including, but not limited to:

        - Creation of new accounts.

        - Elevation of privileges.

        - All changes, additions, or deletions to accounts with administrative access.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:10.2.1.6
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:10.2.1
      ref_id: 10.2.1.6
      description: 'Audit logs capture the following:

        - All initialization of new audit logs, and

        - All starting, stopping, or pausing of the existing audit logs.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:10.2.1.7
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:10.2.1
      ref_id: 10.2.1.7
      description: Audit logs capture all creation and deletion of system-level objects.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:10.2.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:10.2
      ref_id: 10.2.2
      description: 'Audit logs record the following details for each auditable event:

        - User identification.

        - Type of event.

        - Date and time.

        - Success and failure indication.

        - Origination of event.

        - Identity or name of affected data, system component, resource, or service
        (for example, name and protocol).'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:10.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:10
      ref_id: '10.3'
      description: Audit logs are protected from destruction and unauthorized modifications.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:10.3.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:10.3
      ref_id: 10.3.1
      description: Read access to audit logs files is limited to those with a job-related
        need.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:10.3.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:10.3
      ref_id: 10.3.2
      description: Audit log files are protected to prevent modifications by individuals.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:10.3.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:10.3
      ref_id: 10.3.3
      description: Audit log files, including those for external-facing technologies,
        are promptly backed up to a secure, central, internal log server(s) or other
        media that is difficult to modify.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:10.3.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:10.3
      ref_id: 10.3.4
      description: File integrity monitoring or change-detection mechanisms is used
        on audit logs to ensure that existing log data cannot be changed without generating
        alerts.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:10.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:10
      ref_id: '10.4'
      description: Audit logs are reviewed to identify anomalies or suspicious activity.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:10.4.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:10.4
      ref_id: 10.4.1
      description: 'The following audit logs are reviewed at least once daily:

        - All security events.

        - Logs of all system components that store, process, or transmit CHD and/or
        SAD.

        - Logs of all critical system components.

        - Logs of all servers and system components that perform security functions
        (for example, network security controls, intrusion-detection systems/intrusion-prevention
        systems (IDS/IPS), authentication servers).'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:10.4.1.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:10.4.1
      ref_id: 10.4.1.1
      description: Automated mechanisms are used to perform audit log reviews.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:10.4.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:10.4
      ref_id: 10.4.2
      description: Logs of all other system components (those not specified in Requirement
        10.4.1) are reviewed periodically.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:10.4.2.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:10.4.2
      ref_id: 10.4.2.1
      description: "The frequency of periodic log reviews for all other system components\
        \ (not defined in Requirement 10.4.1) is defined in the entity\u2019s targeted\
        \ risk analysis, which is performed according to all elements specified in\
        \ Requirement 12.3.1."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:10.4.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:10.4
      ref_id: 10.4.3
      description: Exceptions and anomalies identified during the review process are
        addressed.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:10.5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:10
      ref_id: '10.5'
      description: Audit log history is retained and available for analysis.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:10.5.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:10.5
      ref_id: 10.5.1
      description: Retain audit log history for at least 12 months, with at least
        the most recent three months immediately available for analysis.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:10.6
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:10
      ref_id: '10.6'
      description: Time-synchronization mechanisms support consistent time settings
        across all systems.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:10.6.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:10.6
      ref_id: 10.6.1
      description: System clocks and time are synchronized using time-synchronization
        technology.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:10.6.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:10.6
      ref_id: 10.6.2
      description: 'Systems are configured to the correct and consistent time as follows:

        - One or more designated time servers are in use.

        - Only the designated central time server(s) receives time from external sources.

        - Time received from external sources is based on International Atomic Time
        or Coordinated Universal Time (UTC).

        - The designated time server(s) accept time updates only from specific industry-accepted
        external sources.

        - Where there is more than one designated time server, the time servers peer
        with one another to keep accurate time.

        - Internal systems receive time information only from designated central time
        server(s).'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:10.6.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:10.6
      ref_id: 10.6.3
      description: 'Time synchronization settings and data are protected as follows:

        - Access to time data is restricted to only personnel with a business need.

        - Any changes to time settings on critical systems are logged, monitored,
        and reviewed.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:10.7
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:10
      ref_id: '10.7'
      description: Failures of critical security control systems are detected, reported,
        and responded to promptly.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:10.7.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:10.7
      ref_id: 10.7.1
      description: 'Additional requirement for service providers only: Failures of
        critical security control systems are detected, alerted, and addressed promptly,
        including but not limited to failure of the following critical security control
        systems:

        - Network security controls.

        - IDS/IPS.

        - FIM.

        - Anti-malware solutions.

        - Physical access controls.

        - Logical access controls.

        - Audit logging mechanisms.

        - Segmentation controls (if used).'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:10.7.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:10.7
      ref_id: 10.7.2
      description: 'Failures of critical security control systems are detected, alerted,
        and addressed promptly, including but not limited to failure of the following
        critical security control systems:

        - Network security controls.

        - IDS/IPS.

        - Change-detection mechanisms.

        - Anti-malware solutions.

        - Physical access controls.

        - Logical access controls.

        - Audit logging mechanisms.

        - Segmentation controls (if used).

        - Audit log review mechanisms.

        - Automated security testing tools (if used).'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:10.7.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:10.7
      ref_id: 10.7.3
      description: 'Failures of any critical security controls systems are responded
        to promptly, including but not limited to:

        - Restoring security functions.

        - Identifying and documenting the duration (date and time from start to end)
        of the security failure.

        - Identifying and documenting the cause(s) of failure and documenting required
        remediation.

        - Identifying and addressing any security issues that arose during the failure.

        - Determining whether further actions are required as a result of the security
        failure.

        - Implementing controls to prevent the cause of failure from reoccurring.

        - Resuming monitoring of security controls.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:11
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:regularly-monitor-and-test-networks
      ref_id: '11'
      name: Requirement 11
      description: Test Security of Systems and Networks Regularly
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:11.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:11
      ref_id: '11.1'
      description: Processes and mechanisms for regularly testing security of systems
        and networks are defined and understood.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:11.1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:11.1
      ref_id: 11.1.1
      description: 'All security policies and operational procedures that are identified
        in Requirement 11 are:

        - Documented.

        - Kept up to date.

        - In use.

        - Known to all affected parties.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:11.1.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:11.1
      ref_id: 11.1.2
      description: Roles and responsibilities for performing activities in Requirement
        11 are documented, assigned, and understood.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:11.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:11
      ref_id: '11.2'
      description: Wireless access points are identified and monitored, and unauthorized
        wireless access points are addressed.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:11.2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:11.2
      ref_id: 11.2.1
      description: 'Authorized and unauthorized wireless access points are managed
        as follows:

        - The presence of wireless (Wi-Fi) access points is tested for,

        - All authorized and unauthorized wireless access points are detected and
        identified,

        - Testing, detection, and identification occurs at least once every three
        months.

        - If automated monitoring is used, personnel are notified via generated alerts.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:11.2.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:11.2
      ref_id: 11.2.2
      description: An inventory of authorized wireless access points is maintained,
        including a documented business justification.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:11.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:11
      ref_id: '11.3'
      description: External and internal vulnerabilities are regularly identified,
        prioritized, and addressed.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:11.3.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:11.3
      ref_id: 11.3.1
      description: "Internal vulnerability scans are performed as follows:\n- At least\
        \ once every three months.\n- High-risk and critical vulnerabilities (per\
        \ the entity\u2019s vulnerability risk rankings defined at Requirement 6.3.1)\
        \ are resolved.\n- Rescans are performed that confirm all high- risk and critical\
        \ vulnerabilities (as noted above) have been resolved.\n- Scan tool is kept\
        \ up to date with latest vulnerability information.\n- Scans are performed\
        \ by qualified personnel and organizational independence of the tester exists."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:11.3.1.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:11.3.1
      ref_id: 11.3.1.1
      description: "All other applicable vulnerabilities (those not ranked as high-risk\
        \ or critical per the entity\u2019s vulnerability risk rankings defined at\
        \ Requirement 6.3.1) are managed as follows:\n- Addressed based on the risk\
        \ defined in the entity\u2019s targeted risk analysis, which is performed\
        \ according to all elements specified in Requirement 12.3.1.\n- Rescans are\
        \ conducted as needed."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:11.3.1.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:11.3.1
      ref_id: 11.3.1.2
      description: 'Internal vulnerability scans are performed via authenticated scanning
        as follows:

        - Systems that are unable to accept credentials for authenticated scanning
        are documented.

        - Sufficient privileges are used for those systems that accept credentials
        for scanning.

        - If accounts used for authenticated scanning can be used for interactive
        login, they are managed in accordance with Requirement 8.2.2.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:11.3.1.3
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:11.3.1
      ref_id: 11.3.1.3
      description: "Internal vulnerability scans are performed after any significant\
        \ change as follows:\n- High-risk and critical vulnerabilities (per the entity\u2019\
        s vulnerability risk rankings defined at Requirement 6.3.1) are resolved.\n\
        - Rescans are conducted as needed.\n- Scans are performed by qualified personnel\
        \ and organizational independence of the tester exists (not required to be\
        \ a QSA or ASV)."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:11.3.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:11.3
      ref_id: 11.3.2
      description: "External vulnerability scans are performed as follows:\n\u2022\
        \ At least once every three months.\n\u2022 By a PCI SSC Approved Scanning\
        \ Vendor (ASV).\n\u2022 Vulnerabilities are resolved and ASV Program Guide\
        \ requirements for a passing scan are met.\n\u2022 Rescans are performed as\
        \ needed to confirm that vulnerabilities are resolved per the ASV Program\
        \ Guide requirements for a passing scan."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:11.3.2.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:11.3.2
      ref_id: 11.3.2.1
      description: 'External vulnerability scans are performed after any significant
        change as follows:

        - Vulnerabilities that are scored 4.0 or higher by the CVSS are resolved.

        - Rescans are conducted as needed.

        - Scans are performed by qualified personnel and organizational independence
        of the tester exists (not required to be a QSA or ASV).'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:11.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:11
      ref_id: '11.4'
      description: External and internal penetration testing is regularly performed,
        and exploitable vulnerabilities and security weaknesses are corrected.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:11.4.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:11.4
      ref_id: 11.4.1
      description: 'A penetration testing methodology is defined, documented, and
        implemented by the entity, and includes:

        - Industry-accepted penetration testing approaches.

        - Coverage for the entire CDE perimeter and critical systems.

        - Testing from both inside and outside the network.

        - Testing to validate any segmentation and scope- reduction controls.

        - Application-layer penetration testing to identify, at a minimum, the vulnerabilities
        listed in Requirement 6.2.4.

        - Network-layer penetration tests that encompass all components that support
        network functions as well as operating systems.

        - Review and consideration of threats and vulnerabilities experienced in the
        last 12 months.

        - Documented approach to assessing and addressing the risk posed by exploitable
        vulnerabilities and security weaknesses found during penetration testing.

        - Retention of penetration testing results and remediation activities results
        for at least 12 months.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:11.4.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:11.4
      ref_id: 11.4.2
      description: "Internal penetration testing is performed:\n- Per the entity\u2019\
        s defined methodology.\n- At least once every 12 months.\n- After any significant\
        \ infrastructure or application upgrade or change.\n- By a qualified internal\
        \ resource or qualified external third-party.\n- Organizational independence\
        \ of the tester exists (not required to be a QSA or ASV)."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:11.4.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:11.4
      ref_id: 11.4.3
      description: "External penetration testing is performed:\n- Per the entity\u2019\
        s defined methodology.\n- At least once every 12 months.\n- After any significant\
        \ infrastructure or application upgrade or change.\n- By a qualified internal\
        \ resource or qualified external third party.\n- Organizational independence\
        \ of the tester exists (not required to be a QSA or ASV)."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:11.4.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:11.4
      ref_id: 11.4.4
      description: "Exploitable vulnerabilities and security weaknesses found during\
        \ penetration testing are corrected as follows:\n- In accordance with the\
        \ entity\u2019s assessment of the risk posed by the security issue as defined\
        \ in Requirement 6.3.1.\n- Penetration testing is repeated to verify the corrections."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:11.4.5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:11.4
      ref_id: 11.4.5
      description: "If segmentation is used to isolate the CDE from other networks,\
        \ penetration tests are performed on segmentation controls as follows:\n-\
        \ At least once every 12 months and after any changes to segmentation controls/methods.\n\
        - Covering all segmentation controls/methods in use.\n- According to the entity\u2019\
        s defined penetration testing methodology.\n- Confirming that the segmentation\
        \ controls/methods are operational and effective, and isolate the CDE from\
        \ all out-of-scope systems.\n- Confirming effectiveness of any use of isolation\
        \ to separate systems with differing security levels (see Requirement 2.2.3).\n\
        - Performed by a qualified internal resource or qualified external third party.\n\
        - Organizational independence of the tester exists (not required to be a QSA\
        \ or ASV)."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:11.4.6
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:11.4
      ref_id: 11.4.6
      description: "Additional requirement for service providers only: If segmentation\
        \ is used to isolate the CDE from other networks, penetration tests are performed\
        \ on segmentation controls as follows:\n- At least once every six months and\
        \ after any changes to segmentation controls/methods.\n- Covering all segmentation\
        \ controls/methods in use.\n- According to the entity\u2019s defined penetration\
        \ testing methodology.\n- Confirming that the segmentation controls/methods\
        \ are operational and effective, and isolate the CDE from all out-of-scope\
        \ systems.\n- Confirming effectiveness of any use of isolation to separate\
        \ systems with differing security levels (see Requirement 2.2.3).\n- Performed\
        \ by a qualified internal resource or qualified external third party.\n- Organizational\
        \ independence of the tester exists (not required to be a QSA or ASV)."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:11.4.7
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:11.4
      ref_id: 11.4.7
      description: 'Additional requirement for multi-tenant service providers only:
        Multi-tenant service providers support their customers for external penetration
        testing per Requirement 11.4.3 and 11.4.4.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:11.5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:11
      ref_id: '11.5'
      description: Network intrusions and unexpected file changes are detected and
        responded to.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:11.5.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:11.5
      ref_id: 11.5.1
      description: 'Intrusion-detection and/or intrusion- prevention techniques are
        used to detect and/or prevent intrusions into the network as follows:

        - All traffic is monitored at the perimeter of the CDE.

        - All traffic is monitored at critical points in the CDE.

        - Personnel are alerted to suspected compromises.

        - All intrusion-detection and prevention engines, baselines, and signatures
        are kept up to date'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:11.5.1.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:11.5.1
      ref_id: 11.5.1.1
      description: 'Additional requirement for service providers only: Intrusion-detection
        and/or intrusion-prevention techniques detect, alert

        on/prevent, and address covert malware communication channels.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:11.5.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:11.5
      ref_id: 11.5.2
      description: 'A change-detection mechanism (for example, file integrity monitoring
        tools) is deployed as follows:

        - To alert personnel to unauthorized modification (including changes, additions,
        and deletions) of critical files.

        - To perform critical file comparisons at least once weekly.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:11.6
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:11
      ref_id: '11.6'
      description: Unauthorized changes on payment pages are detected and responded
        to.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:11.6.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:11.6
      ref_id: 11.6.1
      description: "A change- and tamper-detection mechanism is deployed as follows:\n\
        - To alert personnel to unauthorized modification (including indicators of\
        \ compromise, changes, additions, and deletions) to the HTTP headers and the\
        \ contents of payment pages as received by the consumer browser.\n- The mechanism\
        \ is configured to evaluate the received HTTP header and payment page.\n-\
        \ The mechanism functions are performed as follows:\n    \u2013 At least once\
        \ every seven days.\n    OR\n    \u2013 Periodically (at the frequency defined\
        \ in the entity\u2019s targeted risk analysis, which is performed according\
        \ to all elements specified in Requirement 12.3.1)."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:maintain-an-information-security-policy
      assessable: false
      depth: 1
      name: Maintain an Information Security Policy
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:12
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:maintain-an-information-security-policy
      ref_id: '12'
      name: Requirement 12
      description: Support Information Security with Organizational Policies and Programs
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:12.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:12
      ref_id: '12.1'
      description: "A comprehensive information security policy that governs and provides\
        \ direction for protection of the entity\u2019s information assets is known\
        \ and current."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:12.1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:12.1
      ref_id: 12.1.1
      description: 'An overall information security policy is:

        - Established.

        - Published.

        - Maintained.

        - Disseminated to all relevant personnel, as well as to relevant vendors and
        business partners.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:12.1.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:12.1
      ref_id: 12.1.2
      description: 'The information security policy is:

        - Reviewed at least once every 12 months.

        - Updated as needed to reflect changes to business objectives or risks to
        the environment.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:12.1.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:12.1
      ref_id: 12.1.3
      description: The security policy clearly defines information security roles
        and responsibilities for all personnel, and all personnel are aware of and
        acknowledge their information security responsibilities.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:12.1.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:12.1
      ref_id: 12.1.4
      description: Responsibility for information security is formally assigned to
        a Chief Information Security Officer or other information security knowledgeable
        member of executive management.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:12.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:12
      ref_id: '12.2'
      description: Acceptable use policies for end-user technologies are defined and
        implemented.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:12.2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:12.2
      ref_id: 12.2.1
      description: 'Acceptable use policies for end-user technologies are documented
        and implemented, including:

        - Explicit approval by authorized parties.

        - Acceptable uses of the technology.

        - List of products approved by the company for employee use, including hardware
        and software.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:12.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:12
      ref_id: '12.3'
      description: Risks to the cardholder data environment are formally identified,
        evaluated, and managed.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:12.3.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:12.3
      ref_id: 12.3.1
      description: 'Each PCI DSS requirement that provides flexibility for how frequently
        it is performed (for example, requirements to be performed periodically) is
        supported by a targeted risk analysis that is documented and includes:

        - Identification of the assets being protected.

        - Identification of the threat(s) that the requirement is protecting against.

        - Identification of factors that contribute to the likelihood and/or impact
        of a threat being realized.

        - Resulting analysis that determines, and includes justification for, how
        frequently the requirement must be performed to minimize the likelihood of
        the threat being realized.

        - Review of each targeted risk analysis at least once every 12 months to determine
        whether the results are still valid or if an updated risk analysis is needed.

        - Performance of updated risk analyses when needed, as determined by the annual
        review.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:12.3.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:12.3
      ref_id: 12.3.2
      description: 'A targeted risk analysis is performed for each PCI DSS requirement
        that the entity meets with the customized approach, to include:

        - Documented evidence detailing each element specified in Appendix D: Customized
        Approach (including, at a minimum, a controls matrix and risk analysis).

        - Approval of documented evidence by senior management.

        - Performance of the targeted analysis of risk at least once every 12 months.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:12.3.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:12.3
      ref_id: 12.3.3
      description: 'Cryptographic cipher suites and protocols in use are documented
        and reviewed at least once every 12 months, including at least the following:

        - An up-to-date inventory of all cryptographic cipher suites and protocols
        in use, including purpose and where used.

        - Active monitoring of industry trends regarding continued viability of all
        cryptographic cipher suites and protocols in use.

        - A documented strategy to respond to anticipated changes in cryptographic
        vulnerabilities.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:12.3.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:12.3
      ref_id: 12.3.4
      description: "Hardware and software technologies in use are reviewed at least\
        \ once every 12 months, including at least the following:\n\u2022 Analysis\
        \ that the technologies continue to receive security fixes from vendors promptly.\n\
        \u2022 Analysis that the technologies continue to support (and do not preclude)\
        \ the entity\u2019s PCI DSS compliance.\n\u2022 Documentation of any industry\
        \ announcements or trends related to a technology, such as when a vendor has\
        \ announced \u201Cend of life\u201D plans for a technology.\n\u2022 Documentation\
        \ of a plan, approved by senior management, to remediate outdated technologies,\
        \ including those for which vendors have announced \u201Cend of life\u201D\
        \ plans."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:12.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:12
      ref_id: '12.4'
      description: PCI DSS compliance is managed.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:12.4.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:12.4
      ref_id: 12.4.1
      description: 'Additional requirement for service providers only: Responsibility
        is established by executive management for the protection of cardholder data
        and a PCI DSS compliance program to include:

        - Overall accountability for maintaining PCI DSS compliance.

        - Defining a charter for a PCI DSS compliance program and communication to
        executive management.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:12.4.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:12.4
      ref_id: 12.4.2
      description: "Additional requirement for service providers only: Reviews are\
        \ performed at least once every three months to confirm that personnel are\
        \ performing their tasks in accordance with all security policies and operational\
        \ procedures. \nReviews are performed by personnel other than those responsible\
        \ for performing the given task and include, but are not limited to, the following\
        \ tasks:\n- Daily log reviews.\n- Configuration reviews for network security\
        \ controls.\n- Applying configuration standards to new systems.\n- Responding\
        \ to security alerts.\n- Change-management processes."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:12.4.2.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:12.4.2
      ref_id: 12.4.2.1
      description: 'Additional requirement for service providers only: Reviews conducted
        in accordance with Requirement 12.4.2 are documented to include:

        - Results of the reviews.

        - Documented remediation actions taken for any tasks that were found to not
        be performed at Requirement 12.4.2.

        - Review and sign-off of results by personnel assigned responsibility for
        the PCI DSS compliance program.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:12.5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:12
      ref_id: '12.5'
      description: PCI DSS scope is documented and validated.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:12.5.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:12.5
      ref_id: 12.5.1
      description: An inventory of system components that are in scope for PCI DSS,
        including a description of function/use, is maintained and kept current.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:12.5.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:12.5
      ref_id: 12.5.2
      description: 'PCI DSS scope is documented and confirmed by the entity at least
        once every 12 months and upon significant change to the in-scope environment.
        At a minimum, the scoping validation includes:

        - Identifying all data flows for the various payment stages (for example,
        authorization, capture settlement, chargebacks, and refunds) and acceptance
        channels (for example, card-present, card-not-present, and e-commerce).

        - Updating all data-flow diagrams per Requirement 1.2.4.

        - Identifying all locations where account data is stored, processed, and transmitted,
        including but not limited to: 1) any locations outside of the currently defined
        CDE, 2) applications that process CHD, 3) transmissions between systems and
        networks, and 4) file backups.

        - Identifying all system components in the CDE, connected to the CDE, or that
        could impact security of the CDE.

        - Identifying all segmentation controls in use and the environment(s) from
        which the CDE is segmented, including justification for environments being
        out of scope.

        - Identifying all connections from third-party entities with access to the
        CDE.

        - Confirming that all identified data flows, account data, system components,
        segmentation controls, and connections from third parties with access to the
        CDE are included in scope.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:12.5.2.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:12.5.2
      ref_id: 12.5.2.1
      description: 'Additional requirement for service providers only: PCI DSS scope
        is documented and confirmed by the entity at least once every six months and
        upon significant change to the in-scope environment. At a minimum, the scoping
        validation includes all the elements specified in Requirement 12.5.2.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:12.5.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:12.5
      ref_id: 12.5.3
      description: 'Additional requirement for service providers only: Significant
        changes to organizational structure result in a documented (internal) review
        of the impact to PCI DSS scope and applicability of controls, with results
        communicated to executive management.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:12.6
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:12
      ref_id: '12.6'
      description: Security awareness education is an ongoing activity.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:12.6.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:12.6
      ref_id: 12.6.1
      description: "A formal security awareness program is implemented to make all\
        \ personnel aware of the entity\u2019s information security policy and procedures,\
        \ and their role in protecting the cardholder data."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:12.6.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:12.6
      ref_id: 12.6.2
      description: "The security awareness program is:\n- Reviewed at least once every\
        \ 12 months, and\n- Updated as needed to address any new threats and vulnerabilities\
        \ that may impact the security of the entity\u2019s CDE, or the information\
        \ provided to personnel about their role in protecting cardholder data."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:12.6.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:12.6
      ref_id: 12.6.3
      description: 'Personnel receive security awareness training as follows:

        - Upon hire and at least once every 12 months.

        - Multiple methods of communication are used.

        - Personnel acknowledge at least once every 12 months that they have read
        and understood the information security policy and procedures.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:12.6.3.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:12.6.3
      ref_id: 12.6.3.1
      description: 'Security awareness training includes awareness of threats and
        vulnerabilities that could impact the security of the CDE, including but not
        limited to:

        - Phishing and related attacks.

        - Social engineering.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:12.6.3.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:12.6.3
      ref_id: 12.6.3.2
      description: Security awareness training includes awareness about the acceptable
        use of end-user technologies in accordance with Requirement 12.2.1.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:12.7
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:12
      ref_id: '12.7'
      description: Personnel are screened to reduce risks from insider threats.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:12.7.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:12.7
      ref_id: 12.7.1
      description: Potential personnel who will have access to the CDE are screened,
        within the constraints of local laws, prior to hire to minimize the risk of
        attacks from internal sources
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:12.8
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:12
      ref_id: '12.8'
      description: Risk to information assets associated with third-party service
        provider (TPSP) relationships is managed.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:12.8.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:12.8
      ref_id: 12.8.1
      description: A list of all third-party service providers (TPSPs) with which
        account data is shared or that could affect the security of account data is
        maintained, including a description for each of the services provided.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:12.8.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:12.8
      ref_id: 12.8.2
      description: "Written agreements with TPSPs are maintained as follows:\n- Written\
        \ agreements are maintained with all TPSPs with which account data is shared\
        \ or that could affect the security of the CDE.\n- Written agreements include\
        \ acknowledgments from TPSPs that they are responsible for the security of\
        \ account data the TPSPs possess or otherwise store, process, or transmit\
        \ on behalf of the entity, or to the extent that they could impact the security\
        \ of the entity\u2019s CDE."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:12.8.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:12.8
      ref_id: 12.8.3
      description: An established process is implemented for engaging TPSPs, including
        proper due diligence prior to engagement.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:12.8.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:12.8
      ref_id: 12.8.4
      description: "A program is implemented to monitor TPSPs\u2019 PCI DSS compliance\
        \ status at least once every 12 months."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:12.8.5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:12.8
      ref_id: 12.8.5
      description: Information is maintained about which PCI DSS requirements are
        managed by each TPSP, which are managed by the entity, and any that are shared
        between the TPSP and the entity.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:12.9
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:12
      ref_id: '12.9'
      description: "Third-party service providers (TPSPs) support their customers\u2019\
        \ PCI DSS compliance."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:12.9.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:12.9
      ref_id: 12.9.1
      description: "Additional requirement for service providers only: TPSPs acknowledge\
        \ in writing to customers that they are responsible for the security of account\
        \ data the TPSP possesses or otherwise stores, processes, or transmits on\
        \ behalf of the customer, or to the extent that they could impact the security\
        \ of the customer\u2019s CDE."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:12.9.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:12.9
      ref_id: 12.9.2
      description: "Additional requirement for service providers only: TPSPs support\
        \ their customers\u2019 requests for information to meet Requirements 12.8.4\
        \ and 12.8.5 by providing the following upon customer request:\n- PCI DSS\
        \ compliance status information for any service the TPSP performs on behalf\
        \ of customers (Requirement 12.8.4).\n- Information about which PCI DSS requirements\
        \ are the responsibility of the TPSP and which are the responsibility of the\
        \ customer, including any shared responsibilities (Requirement 12.8.5)"
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:12.10
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:12
      ref_id: '12.10'
      description: Suspected and confirmed security incidents that could impact the
        CDE are responded to immediately.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:12.10.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:12.10
      ref_id: 12.10.1
      description: 'An incident response plan exists and is ready to be activated
        in the event of a suspected or confirmed security incident. The plan includes,
        but is not limited to:

        - Roles, responsibilities, and communication and contact strategies in the
        event of a suspected or confirmed security incident, including notification
        of payment brands and acquirers, at a minimum.

        - Incident response procedures with specific containment and mitigation activities
        for different types of incidents.

        - Business recovery and continuity procedures.

        - Data backup processes.

        - Analysis of legal requirements for reporting compromises.

        - Coverage and responses of all critical system components.

        - Reference or inclusion of incident response procedures from the payment
        brands.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:12.10.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:12.10
      ref_id: 12.10.2
      description: 'At least once every 12 months, the security incident response
        plan is:

        - Reviewed and the content is updated as needed.

        - Tested, including all elements listed in Requirement 12.10.1.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:12.10.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:12.10
      ref_id: 12.10.3
      description: Specific personnel are designated to be available on a 24/7 basis
        to respond to suspected or confirmed security incidents.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:12.10.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:12.10
      ref_id: 12.10.4
      description: Personnel responsible for responding to suspected and confirmed
        security incidents are appropriately and periodically trained on their incident
        response responsibilities.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:12.10.4.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:12.10.4
      ref_id: 12.10.4.1
      description: "The frequency of periodic training for incident response personnel\
        \ is defined in the entity\u2019s targeted risk analysis, which is performed\
        \ according to all elements specified in Requirement 12.3.1."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:12.10.5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:12.10
      ref_id: 12.10.5
      description: 'The security incident response plan includes monitoring and responding
        to alerts from security monitoring systems, including but not limited to:

        - Intrusion-detection and intrusion-prevention systems.

        - Network security controls.

        - Change-detection mechanisms for critical files.

        - The change-and tamper-detection mechanism for payment pages. This bullet
        is a best practice until its effective date; refer to Applicability Notes
        below for details.

        - Detection of unauthorized wireless access points.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:12.10.6
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:12.10
      ref_id: 12.10.6
      description: The security incident response plan is modified and evolved according
        to lessons learned and to incorporate industry developments.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:12.10.7
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:12.10
      ref_id: 12.10.7
      description: 'Incident response procedures are in place, to be initiated upon
        the detection of stored PAN anywhere it is not expected, and include:

        - Determining what to do if PAN is discovered outside the CDE, including its
        retrieval, secure deletion, and/or migration into the currently defined CDE,
        as applicable.

        - Identifying whether sensitive authentication data is stored with PAN.

        - Determining where the account data came from and how it ended up where it
        was not expected.

        - Remediating data leaks or process gaps that resulted in the account data
        being where it was not expected.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:a
      assessable: false
      depth: 1
      ref_id: A
      name: Appendix A
      description: Additional PCI DSS Requirements
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:a1
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:a
      ref_id: A1
      name: Appendix A1
      description: Additional PCI DSS Requirements for Multi-Tenant Service Providers
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:a1.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:a1
      ref_id: A1.1
      description: Multi-tenant service providers protect and separate all customer
        environments and data.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:a1.1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:a1.1
      ref_id: A1.1.1
      description: "Logical separation is implemented as follows:\n- The provider\
        \ cannot access its customers\u2019 environments without authorization.\n\
        - Customers cannot access the provider\u2019s environment without authorization."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:a1.1.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:a1.1
      ref_id: A1.1.2
      description: Controls are implemented such that each customer only has permission
        to access its own cardholder data and CDE.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:a1.1.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:a1.1
      ref_id: A1.1.3
      description: Controls are implemented such that each customer can only access
        resources allocated to them.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:a1.1.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:a1.1
      ref_id: A1.1.4
      description: The effectiveness of logical separation controls used to separate
        customer environments is confirmed at least once every six months via penetration
        testing.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:a1.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:a1
      ref_id: A1.2
      description: Multi-tenant service providers facilitate logging and incident
        response for all customers.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:a1.2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:a1.2
      ref_id: A1.2.1
      description: "Audit log capability is enabled for each customer\u2019s environment\
        \ that is consistent with PCI DSS Requirement 10, including:\n- Logs are enabled\
        \ for common third-party applications.\n- Logs are active by default.\n- Logs\
        \ are available for review only by the owning customer.\n- Log locations are\
        \ clearly communicated to the owning customer.\n- Log data and availability\
        \ is consistent with PCI DSS Requirement 10."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:a1.2.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:a1.2
      ref_id: A1.2.2
      description: Processes or mechanisms are implemented to support and/or facilitate
        prompt forensic investigations in the event of a suspected or confirmed security
        incident for any customer.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:a1.2.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:a1.2
      ref_id: A1.2.3
      description: 'Processes or mechanisms are implemented for reporting and addressing
        suspected or confirmed security incidents and vulnerabilities, including:

        - Customers can securely report security incidents and vulnerabilities to
        the provider.

        - The provider addresses and remediates suspected or confirmed security incidents
        and vulnerabilities according to Requirement 6.3.1.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:a2
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:a
      ref_id: A2
      name: Appendix A2
      description: Additional PCI DSS Requirements for Entities Using SSL/Early TLS
        for Card-Present POS POI Terminal Connections
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:a2.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:a2
      ref_id: A2.1
      description: POI terminals using SSL and/or early TLS are confirmed as not susceptible
        to known SSL/TLS exploits.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:a2.1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:a2.1
      ref_id: A2.1.1
      description: Where POS POI terminals at the merchant or payment acceptance location
        use SSL and/or early TLS, the entity confirms the devices are not susceptible
        to any known exploits for those protocols.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:a2.1.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:a2.1
      ref_id: A2.1.2
      description: 'Additional requirement for service providers only: All service
        providers with existing connection points to POS POI terminals that use SSL
        and/or early TLS as defined in A2.1 have a formal Risk Mitigation and Migration
        Plan in place that includes:

        - Description of usage, including what data is being transmitted, types and
        number of systems that use and/or support SSL/early TLS, and type of environment.

        - Risk-assessment results and risk-reduction controls in place.

        - Description of processes to monitor for new vulnerabilities associated with
        SSL/early TLS.

        - Description of change control processes that are implemented to ensure SSL/early
        TLS is not implemented into new environments.

        - Overview of migration project plan to replace SSL/early TLS at a future
        date.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:a2.1.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:a2.1
      ref_id: A2.1.3
      description: 'Additional requirement for service providers only: All service
        providers provide a secure service offering.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:a3
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:a
      ref_id: A3
      name: Appendix A3
      description: Designated Entities Supplemental Validation (DESV)
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:a3.1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:a3
      ref_id: A3.1
      description: A PCI DSS compliance program is implemented.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:a3.1.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:a3.1
      ref_id: A3.1.1
      description: 'Responsibility is established by executive management for the
        protection of account data and a PCI DSS compliance program that includes:

        - Overall accountability for maintaining PCI DSS compliance.

        - Defining a charter for a PCI DSS compliance program.

        - Providing updates to executive management and board of directors on PCI
        DSS compliance initiatives and issues, including remediation activities, at
        least once every 12 months.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:a3.1.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:a3.1
      ref_id: A3.1.2
      description: 'A formal PCI DSS compliance program is in place that includes:

        - Definition of activities for maintaining and monitoring overall PCI DSS
        compliance, including business-as-usual activities.

        - Annual PCI DSS assessment processes.

        - Processes for the continuous validation of PCI DSS requirements (for example,
        daily, weekly, every three months, as applicable per the requirement).

        - A process for performing business-impact analysis to determine potential
        PCI DSS impacts for strategic business decisions.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:a3.1.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:a3.1
      ref_id: A3.1.3
      description: 'PCI DSS compliance roles and responsibilities are specifically
        defined and formally assigned to one or more personnel, including:

        - Managing PCI DSS business-as-usual activities.

        - Managing annual PCI DSS assessments.

        - Managing continuous validation of PCI DSS requirements (for example, daily,
        weekly, every three months, as applicable per the requirement).

        - Managing business-impact analysis to determine potential PCI DSS impacts
        for strategic business decisions.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:a3.1.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:a3.1
      ref_id: A3.1.4
      description: Up-to-date PCI DSS and/or information security training is provided
        at least once every 12 months to personnel with PCI DSS compliance responsibilities
        (as identified in A3.1.3).
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:a3.2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:a3
      ref_id: A3.2
      description: PCI DSS scope is documented and validated.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:a3.2.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:a3.2
      ref_id: A3.2.1
      description: 'PCI DSS scope is documented and confirmed for accuracy at least
        once every three months and upon significant changes to the in-scope environment.
        At a minimum, the scoping validation includes:

        - Identifying all data flows for the various payment stages (for example,
        authorization, capture, settlement, chargebacks, and refunds) and acceptance
        channels (for example, card-present, card-not-present, and e-commerce).

        - Updating all data-flow diagrams per Requirement 1.2.4.

        - Identifying all locations where account data is stored, processed, and transmitted,
        including but not limited to 1) any locations outside of the currently defined
        CDE, 2) applications that process CHD, 3) transmissions between systems and
        networks, and 4) file backups.

        - For any account data found outside of the currently defined CDE, either
        1) securely delete it, 2) migrate it into the currently defined CDE, or 3)
        expand the currently defined CDE to include it.

        - Identifying all system components in the CDE, connected to the CDE, or that
        could impact security of the CDE.

        - Identifying all segmentation controls in use and the environment(s) from
        which the CDE is segmented, including justification for environments being
        out of scope.

        - Identifying all connections to third-party entities with access to the CDE.

        - Confirming that all identified data flows, account data, system components,
        segmentation controls, and connections from third parties with access to the
        CDE are included in scope.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:a3.2.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:a3.2
      ref_id: A3.2.2
      description: 'PCI DSS scope impact for all changes to systems or networks is
        determined, including additions of new systems and new network connections.
        Processes include:

        - Performing a formal PCI DSS impact assessment.

        - Identifying applicable PCI DSS requirements to the system or network.

        - Updating PCI DSS scope as appropriate.

        - Documented sign-off of the results of the impact assessment by responsible
        personnel (as defined in A3.1.3).'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:a3.2.2.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:a3.2.2
      ref_id: A3.2.2.1
      description: Upon completion of a change, all relevant PCI DSS requirements
        are confirmed to be implemented on all new or changed systems and networks,
        and documentation is updated as applicable.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:a3.2.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:a3.2
      ref_id: A3.2.3
      description: Changes to organizational structure result in a formal (internal)
        review of the impact to PCI DSS scope and applicability of controls.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:a3.2.4
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:a3.2
      ref_id: A3.2.4
      description: "If segmentation is used, PCI DSS scope is confirmed as follows:\n\
        \u2022 Per the entity\u2019s methodology defined at Requirement 11.4.1.\n\u2022\
        \ Penetration testing is performed on segmentation controls at least once\
        \ every six months and after any changes to segmentation controls/methods.\n\
        \u2022 The penetration testing covers all segmentation controls/methods in\
        \ use.\n\u2022 The penetration testing verifies that segmentation controls/methods\
        \ are operational and effective, and isolate the CDE from all out-of-scope\
        \ systems."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:a3.2.5
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:a3.2
      ref_id: A3.2.5
      description: 'A data-discovery methodology is implemented that:

        - Confirms PCI DSS scope.

        - Locates all sources and locations of cleartext PAN at least once every three
        months and upon significant changes to the CDE or processes.

        - Addresses the potential for cleartext PAN to reside on systems and networks
        outside the currently defined CDE'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:a3.2.5.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:a3.2.5
      ref_id: A3.2.5.1
      description: 'Data discovery methods are confirmed as follows:

        - Effectiveness of methods is tested.

        - Methods are able to discover cleartext PAN on all types of system components
        and file formats in use.

        - The effectiveness of data-discovery methods is confirmed at least once every
        12 months.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:a3.2.5.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:a3.2.5
      ref_id: A3.2.5.2
      description: 'Response procedures are implemented to be initiated upon the detection
        of cleartext PAN outside the CDE to include:

        - Determining what to do if cleartext PAN is discovered outside the CDE, including
        its retrieval, secure deletion, and/or migration into the currently defined
        CDE, as applicable.

        - Determining how the data ended up outside the CDE.

        - Remediating data leaks or process gaps that resulted in the data being outside
        the CDE.

        - Identifying the source of the data.

        - Identifying whether any track data is stored with the PANs.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:a3.2.6
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:a3.2
      ref_id: A3.2.6
      description: 'Mechanisms are implemented for detecting and preventing cleartext
        PAN from leaving the CDE via an unauthorized channel, method, or process,
        including mechanisms that are:

        - Actively running.

        - Configured to detect and prevent cleartext PAN leaving the CDE via an unauthorized
        channel, method, or process.

        - Generating audit logs and alerts upon detection of cleartext PAN leaving
        the CDE via an unauthorized channel, method, or process.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:a3.2.6.1
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:a3.2.6
      ref_id: A3.2.6.1
      description: 'Response procedures are implemented to be initiated upon the detection
        of attempts to remove cleartext PAN from the CDE via an unauthorized channel,
        method, or process. Response procedures include:

        - Procedures for the prompt investigation of alerts by responsible personnel.

        - Procedures for remediating data leaks or process gaps, as necessary, to
        prevent any data loss.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:a3.3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:a3
      ref_id: A3.3
      description: PCI DSS is incorporated into business-as-usual (BAU) activities.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:a3.3.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:a3.3
      ref_id: A3.3.1
      description: 'Failures of critical security control systems are detected, alerted,
        and addressed promptly, including but not limited to failure of:

        - Network security controls

        - IDS/IPS

        - FIM

        - Anti-malware solutions

        - Physical access controls

        - Logical access controls

        - Audit logging mechanisms

        - Segmentation controls (if used)

        - Automated audit log review mechanisms. This bullet is a best practice until
        its effective date.

        - Automated code review tools (if used). This bullet is a best practice until
        its effective date.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:a3.3.1.2
      assessable: true
      depth: 5
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:a3.3.1
      ref_id: A3.3.1.2
      description: 'Failures of any critical security control systems are responded
        to promptly. Processes for responding to failures in security control systems
        include:

        - Restoring security functions.

        - Identifying and documenting the duration (date and time from start to end)
        of the security failure.

        - Identifying and documenting the cause(s) of failure, including root cause,
        and documenting remediation required to address the root cause.

        - Identifying and addressing any security issues that arose during the failure.

        - Determining whether further actions are required as a result of the security
        failure.

        - Implementing controls to prevent the cause of failure from reoccurring.

        - Resuming monitoring of security controls.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:a3.3.2
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:a3.3
      ref_id: A3.3.2
      description: "Hardware and software technologies are reviewed at least once\
        \ every 12 months to confirm whether they continue to meet the organization\u2019\
        s PCI DSS requirements."
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:a3.3.3
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:a3.3
      ref_id: A3.3.3
      description: 'Reviews are performed at least once every three months to verify
        BAU activities are being followed. Reviews are performed by personnel assigned
        to the PCI DSS compliance program (as identified in A3.1.3), and include:

        - Confirmation that all BAU activities, including A3.2.2, A3.2.6, and A3.3.1,
        are being performed.

        - Confirmation that personnel are following security policies and operational
        procedures (for example, daily log reviews, ruleset reviews for network security
        controls, configuration standards for new systems).

        - Documenting how the reviews were completed, including how all BAU activities
        were verified as being in place.

        - Collection of documented evidence as required for the annual PCI DSS assessment.

        - Review and sign-off of results by personnel assigned responsibility for
        the PCI DSS compliance program, as identified in A3.1.3.

        - Retention of records and documentation for at least 12 months, covering
        all BAU activities.'
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:a3.4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:a3
      ref_id: A3.4
      description: Logical access to the cardholder data environment is controlled
        and managed.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:a3.4.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:a3.4
      ref_id: A3.4.1
      description: User accounts and access privileges to in-scope system components
        are reviewed at least once every six months to ensure user accounts and access
        privileges remain appropriate based on job function, and that all access is
        authorized.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:a3.5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:a3
      ref_id: A3.5
      description: Suspicious events are identified and responded to.
    - urn: urn:intuitem:risk:req_node:pcidss-4_0:a3.5.1
      assessable: true
      depth: 4
      parent_urn: urn:intuitem:risk:req_node:pcidss-4_0:a3.5
      ref_id: A3.5.1
      description: 'A methodology is implemented for the prompt identification of
        attack patterns and undesirable behavior across systems that includes:

        - Identification of anomalies or suspicious activity as it occurs.

        - Issuance of prompt alerts upon detection of suspicious activity or anomaly
        to responsible personnel.

        - Response to alerts in accordance with documented response procedures.'