diff --git a/library/libraries/pcidss.yaml b/library/libraries/pcidss.yaml new file mode 100644 index 000000000..78b3c893b --- /dev/null +++ b/library/libraries/pcidss.yaml 
@@ -0,0 +1,3067 @@ +urn: urn:intuitem:risk:library:pcidss-4.0 +locale: en +name: PCI DSS 4.0 +description: PCI DSS 4.0 +version: 1 +objects: + framework: + urn: urn:intuitem:risk:framework:pcidss-4.0 + provider: PCI Security Standards Council + name: PCI DSS 4.0 + description: PCI DSS 4.0 + version: '1.0' + requirement_groups: + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems + name: Build and Maintain a Secure Network and Systems + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1 + name: Requirement 1 + description: Install and Maintain Network Security Controls + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.1 + name: '1.1' + description: Processes and mechanisms for installing and maintaining network + security controls are defined and understood. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.2 + name: '1.2' + description: Network security controls (NSCs) are configured and maintained. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.3 + name: '1.3' + description: Network access to and from the cardholder data environment is restricted. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.4 + name: '1.4' + description: Network connections between trusted and untrusted networks are + controlled. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.5 + name: '1.5' + description: Risks to the CDE from computing devices that are able to connect + to both untrusted networks and the CDE are mitigated. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2 + name: Requirement 2 + description: Apply Secure Configurations to All System Components + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.1 + name: '2.1' + description: Processes and mechanisms for applying secure configurations to + all system components are defined and understood. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.2 + name: '2.2' + description: System components are configured and managed securely. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.3 + name: '2.3' + description: Wireless environments are configured and managed securely. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data + name: Protect Account Data + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3 + name: Requirement 3 + description: Protect Stored Account Data + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.1 + name: '3.1' + description: Processes and mechanisms for protecting stored account data are + defined and understood. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.2 + name: '3.2' + description: Storage of account data is kept to a minimum. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.3 + name: '3.3' + description: Sensitive authentication data (SAD) is not stored after authorization. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.4 + name: '3.4' + description: Access to displays of full PAN and ability to copy cardholder data + are restricted. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.5 + name: '3.5' + description: Primary account number (PAN) is secured wherever it is stored. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.6 + name: '3.6' + description: Cryptographic keys used to protect stored account data are secured. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.7 + name: '3.7' + description: Where cryptography is used to protect stored account data, key + management processes and procedures covering all aspects of the key + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-4 + name: Requirement 4 + description: Protect Cardholder Data with Strong Cryptography During Transmission + Over Open, Public Networks + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-4:4.1 + name: '4.1' + description: Processes and mechanisms for protecting cardholder data with strong + cryptography during transmission over open, public networks are defined and + documented. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-4 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-4:4.2 + name: '4.2' + description: PAN is protected with strong cryptography during transmission. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-4 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program + name: Maintain a Vulnerability Management Program + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5 + name: Requirement 5 + description: Protect All Systems and Networks from Malicious Software + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.1 + name: '5.1' + description: Processes and mechanisms for protecting all systems and networks + from malicious software are defined and understood. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.2 + name: '5.2' + description: Malicious software (malware) is prevented, or detected and addressed. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.3 + name: '5.3' + description: Anti-malware mechanisms and processes are active, maintained, and + monitored. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.4 + name: '5.4' + description: Anti-phishing mechanisms protect users against phishing attacks. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6 + name: Requirement 6 + description: Develop and Maintain Secure Systems and Software + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.1 + name: '6.1' + description: Processes and mechanisms for developing and maintaining secure + systems and software are defined and understood. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.2 + name: '6.2' + description: Bespoke and custom software are developed securely. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.3 + name: '6.3' + description: Security vulnerabilities are identified and addressed. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.4 + name: '6.4' + description: Public-facing web applications are protected against attacks. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.5 + name: '6.5' + description: Changes to all system components are managed securely. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures + name: Implement Strong Access Control Measures + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-7 + name: Requirement 7 + description: Restrict Access to System Components and Cardholder Data by Business + Need to Know + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.1 + name: '7.1' + description: Processes and mechanisms for restricting access to system components + and cardholder data by business need to know are defined and understood. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-7 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.2 + name: '7.2' + description: Access to system components and data is appropriately defined and + assigned. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-7 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.3 + name: '7.3' + description: Access to system components and data is managed via an access control + system(s). 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-7 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8 + name: Requirement 8 + description: Identify Users and Authenticate Access to System Components + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.1 + name: '8.1' + description: Processes and mechanisms for identifying users and authenticating + access to system components are defined and understood. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.2 + name: '8.2' + description: "User identification and related accounts for users and administrators\ + \ are strictly managed throughout an account\u2019s lifecycle." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3 + name: '8.3' + description: Strong authentication for users and administrators is established + and managed. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.4 + name: '8.4' + description: Multi-factor authentication (MFA) is implemented to secure access + into the CDE. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.5 + name: '8.5' + description: Multi-factor authentication (MFA) systems are configured to prevent + misuse. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.6 + name: '8.6' + description: Use of application and system accounts and associated authentication + factors is strictly managed. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9 + name: Requirement 9 + description: Restrict Physical Access to Cardholder Data + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.1 + name: '9.1' + description: Processes and mechanisms for restricting physical access to cardholder + data are defined and undood. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.2 + name: '9.2' + description: Physical access controls manage entry into facilities and systems + containing cardholder data. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.3 + name: '9.3' + description: Physical access for personnel and visitors is authorized and managed. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.4 + name: '9.4' + description: Media with cardholder data is securely stored, accessed, distributed, + and destroyed. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.5 + name: '9.5' + description: Point of interaction (POI) devices are protected from tampering + and unauthorized substitution. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks + name: Regularly Monitor and Test Networks + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10 + name: Requirement 10 + description: Log and Monitor All Access to System Components and Cardholder + Data + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.1 + name: '10.1' + description: Processes and mechanisms for logging and monitoring all access + to system components and cardholder data are defined and documented. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.2 + name: '10.2' + description: Audit logs are implemented to support the detection of anomalies + and suspicious activity, and the forensic analysis of events. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.3 + name: '10.3' + description: Audit logs are protected from destruction and unauthorized modifications. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.4 + name: '10.4' + description: Audit logs are reviewed to identify anomalies or suspicious activity. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.5 + name: '10.5' + description: Audit log history is retained and available for analysis. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.6 + name: '10.6' + description: Time-synchronization mechanisms support consistent time settings + across all systems. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.7 + name: '10.7' + description: Failures of critical security control systems are detected, reported, + and responded to promptly. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11 + name: Requirement 11 + description: Test Security of Systems and Networks Regularly + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.1 + name: '11.1' + description: Processes and mechanisms for regularly testing security of systems + and networks are defined and understood. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.2 + name: '11.2' + description: Wireless access points are identified and monitored, and unauthorized + wireless access points are addressed. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.3 + name: '11.3' + description: External and internal vulnerabilities are regularly identified, + prioritized, and addressed. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.4 + name: '11.4' + description: External and internal penetration testing is regularly performed, + and exploitable vulnerabilities and security weaknesses are corrected. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.5 + name: '11.5' + description: Network intrusions and unexpected file changes are detected and + responded to. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.6 + name: '11.6' + description: Unauthorized changes on payment pages are detected and responded + to. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy + name: Maintain an Information Security Policy + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12 + name: Requirement 12 + description: Support Information Security with Organizational Policies and Programs + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.1 + name: '12.1' + description: "A comprehensive information security policy that governs and provides\ + \ direction for protection of the entity\u2019s information assets is known\ + \ and current." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.2 + name: '12.2' + description: Acceptable use policies for end-user technologies are defined and + implemented. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.3 + name: '12.3' + description: Risks to the cardholder data environment are formally identified, + evaluated, and managed. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.4 + name: '12.4' + description: PCI DSS compliance is managed. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.5 + name: '12.5' + description: PCI DSS scope is documented and validated. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.6 + name: '12.6' + description: Security awareness education is an ongoing activity. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.7 + name: '12.7' + description: Personnel are screened to reduce risks from insider threats. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.8 + name: '12.8' + description: Risk to information assets associated with third-party service + provider (TPSP) relationships is managed. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.9 + name: '12.9' + description: "Third-party service providers (TPSPs) support their customers\u2019\ + \ PCI DSS compliance." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.10 + name: '12.10' + description: Suspected and confirmed security incidents that could impact the + CDE are responded to immediately. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a + name: Appendix A + description: Additional PCI DSS Requirements + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a1 + name: Appendix A1 + description: Additional PCI DSS Requirements for Multi-Tenant Service Providers + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a1:a1.1 + name: A1.1 + description: Multi-tenant service providers protect and separate all customer + environments and data. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a1 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a1:a1.2 + name: A1.2 + description: Multi-tenant service providers facilitate logging and incident + response for all customers. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a1 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a2 + name: Appendix A2 + description: Additional PCI DSS Requirements for Entities Using SSL/Early TLS + for Card-Present POS POI Terminal Connections + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a2:a2.1 + name: A2.1 + description: POI terminals using SSL and/or early TLS are confirmed as not susceptible + to known SSL/TLS exploits. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a2 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3 + name: Appendix A3 + description: Designated Entities Supplemental Validation (DESV) + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.1 + name: A3.1 + description: A PCI DSS compliance program is implemented. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.2 + name: A3.2 + description: PCI DSS scope is documented and validated. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.3 + name: A3.3 + description: PCI DSS is incorporated into business-as-usual (BAU) activities. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.4 + name: A3.4 + description: Logical access to the cardholder data environment is controlled + and managed. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3 + - urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.5 + name: A3.5 + description: Suspicious events are identified and responded to. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3 + requirements: + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.1:1 + name: 1.1.1 + description: 'All security policies and operational procedures that are identified + in Requirement 1 are: + + - Documented. + + - Kept up to date. + + - In use. + + - Known to all affected parties.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.1:2 + name: 1.1.2 + description: Roles and responsibilities for performing activities in Requirement + 1 are documented, assigned, and understood. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.2:1 + name: 1.2.1 + description: 'Configuration standards for NSC rulesets are + + - Defined. + + - Implemented + + - Maintained.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.2:2 + name: 1.2.2 + description: All changes to network connections and to configurations of NSCs + are approved and managed in accordance with the change control process defined + at Requirement 6.5.1. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.2:3 + name: 1.2.3 + description: An accurate network diagram(s) is maintained that shows all connections + between the CDE and other networks, including any wireless networks. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.2:4 + name: 1.2.4 + description: 'An accurate data-flow diagram(s) is maintained that meets the + following: + + - Shows all account data flows across systems and networks. + + - Updated as needed upon changes to the environment.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.2:5 + name: 1.2.5 + description: All services, protocols, and ports allowed are identified, approved, + and have a defined business need. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.2:6 + name: 1.2.6 + description: Security features are defined and implemented for all services, + protocols, and ports that are in use and considered to be insecure, such that + the risk is mitigated. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.2:7 + name: 1.2.7 + description: Configurations of NSCs are reviewed at least once every six months + to confirm they are relevant and effective. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.2:8 + name: 1.2.8 + description: 'Configuration files for NSCs are: + + - Secured from unauthorized access. 
+ + - Kept consistent with active network configurations.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.3:1 + name: 1.3.1 + description: "Inbound traffic to the CDE is restricted as follows: \n- To only\ + \ traffic that is necessary. \n- All other traffic is specifically denied." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.3:2 + name: 1.3.2 + description: 'Outbound traffic from the CDE is restricted as follows: + + - To only traffic that is necessary. + + - All other traffic is specifically denied.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.3:3 + name: 1.3.3 + description: "NSCs are installed between all wireless networks and the CDE,\ + \ regardless of whether the wireless network is a CDE, such that: \n- All\ + \ wireless traffic from wireless networks into the CDE is denied by default.\n\ + - Only wireless traffic with an authorized business purpose is allowed into\ + \ the CDE." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.4:1 + name: 1.4.1 + description: NSCs are implemented between trusted and untrusted networks. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.4:2 + name: 1.4.2 + description: 'Inbound traffic from untrusted networks to trusted networks is + restricted to: + + - Communications with system components that are authorized to provide publicly + accessible services, protocols, and ports. + + - Stateful responses to communications initiated by system components in a + trusted network. + + - All other traffic is denied.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.4:3 + name: 1.4.3 + description: Anti-spoofing measures are implemented to detect and block forged + source IP addresses from entering the trusted network. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.4:4 + name: 1.4.4 + description: System components that store cardholder data are not directly accessible + from untrusted networks. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.4:5 + name: 1.4.5 + description: The disclosure of internal IP addresses and routing information + is limited to only authorized parties. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.5:1 + name: 1.5.1 + description: "Security controls are implemented on any computing devices, including\ + \ company- and employee-owned devices, that connect to both untrusted networks\ + \ (including the Internet) and the CDE as follows:\n- Specific configuration\ + \ settings are defined to prevent threats being introduced into the entity\u2019\ + s network.\n- Security controls are actively running.\n- Security controls\ + \ are not alterable by users of the computing devices unless specifically\ + \ documented and authorized by Management on a case-by-case basis for a limited\ + \ period." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-1:1.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.1:1 + name: 2.1.1 + description: 'All security policies and operational procedures that are identified + in Requirement 2 are: + + - Documented. + + - Kept up to date. + + - In use. + + - Known to all affected parties.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.1:2 + name: 2.1.2 + description: Roles and responsibilities for performing activities in Requirement + 2 are documented, assigned, and understood. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.2:1 + name: 2.2.1 + description: 'Configuration standards are developed, implemented, and maintained + to: + + - Cover all system components. + + - Be consistent with industry-accepted system hardening standards or vendor + hardening recommendations. + + - Be updated as new vulnerability issues are identified, as defined in Requirement + 6.3.1. + + - Be applied when new systems are configured and verified as in place before + or immediately after a system component is connected to a production environment.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.2:2 + name: 2.2.2 + description: 'Vendor default accounts are managed as follows: + + - If the vendor default account(s) will be used, the default password is changed + per Requirement 8.3.6. + + - If the vendor default account(s) will not be used, the account is removed + or disabled.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.2:3 + name: 2.2.3 + description: "Primary functions requiring different security levels are managed\ + \ as follows: \n- Only one primary function exists on a system component.\n\ + OR \n- Primary functions with differing security levels that exist on the\ + \ same system component are isolated from each other.\nOR\n- Primary functions\ + \ with differing security levels on the same system component are all secured\ + \ to the level required by the function with the highest security need." 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.2:4 + name: 2.2.4 + description: Only necessary services, protocols, daemons, and functions are + enabled, and all unnecessary functionality is removed or disabled. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.2:5 + name: 2.2.5 + description: 'If any insecure services, protocols, or daemons are present: + + - business justification is documented. + + - additional security features are documented and implemented that reduce + the risk of using insecure services, protocols, or daemons.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.2:6 + name: 2.2.6 + description: System security parameters are configured to prevent misuse. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.2:7 + name: 2.2.7 + description: All non-console administrative access is encrypted using strong + cryptography. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.3:1 + name: 2.3.1 + description: "For wireless environments connected to the CDE or transmitting\ + \ account data, all wireless vendor defaults are changed at installation or\ + \ are confirmed to be secure, including but not limited to: \_\n- Default\ + \ wireless encryption keys.\n- Default wireless encryption keys.\n- Passwords\ + \ on wireless access points.\n- SNMP defaults.\n- Any other security-related\ + \ wireless vendor defaults." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.3:2 + name: 2.3.2 + description: 'For wireless environments connected to the CDE or transmitting + account data, wireless encryption keys are changed as follows: + + - Whenever personnel with knowledge of the key leave the company or the role + for which the knowledge was necessary. + + - Whenever a key is suspected of or known to be compromised.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:build-and-maintain-a-secure-network-and-systems:requirement-2:2.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.1:1 + name: 3.1.1 + description: 'All security policies and operational procedures that are identified + in Requirement 3 are: + + - Documented. + + - Kept up to date. + + - In use. + + - Known to all affected parties.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.1:2 + name: 3.1.2 + description: Roles and responsibilities for performing activities in Requirement + 3 are documented, assigned, and understood. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.2:1 + name: 3.2.1 + description: 'Account data storage is kept to a minimum through implementation + of data retention and disposal policies, procedures, and processes that include + at least the following: + + - Coverage for all locations of stored account data. + + - Coverage for any sensitive authentication data (SAD) stored prior to completion + of authorization. This bullet is a best practice until its effective date; + refer to Applicability Notes below for details. + + - Limiting data storage amount and retention time to that which is required + for legal or regulatory, and/or business requirements. + + - Specific retention requirements for stored account data that defines length + of retention period and includes a documented business justification. + + - Processes for secure deletion or rendering account data unrecoverable when + no longer + + needed per the retention policy. + + - A process for verifying, at least once every three months, that stored account + data exceeding the defined retention period has been securely deleted or rendered + unrecoverable.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.3:1 + name: 3.3.1 + description: SAD is not retained after authorization, even if encrypted. All + sensitive authentication data received is rendered unrecoverable upon completion + of the authorization process. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.3:2 + name: 3.3.1.1 + description: The full contents of any track are not retained upon completion + of the authorization process. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.3:3 + name: 3.3.1.2 + description: The card verification code is not retained upon completion of the + authorization process. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.3:4 + name: 3.3.1.3 + description: The personal identification number (PIN) and the PIN block are + not retained upon completion of the authorization process + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.3:5 + name: 3.3.2 + description: 'SAD that is stored electronically prior to completion of authorization + is encrypted using + + strong cryptography.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.3:6 + name: 3.3.3 + description: 'Additional requirement for issuers and companies that support + issuing services and store sensitive authentication data: Any storage of sensitive + authentication data is: + + - Limited to that which is needed for a legitimate issuing business need and + is secured. + + - Encrypted using strong cryptography. This bullet is a best practice until + its effective date.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.4:1 + name: 3.4.1 + description: 'PAN is masked when displayed (the BIN and last four digits are + the maximum number of digits + + to be displayed), such that only personnel with a legitimate business need + can see more than the BIN and last four digits of the PAN.' 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.4:2 + name: 3.4.2 + description: 'When using remote-access technologies, technical controls prevent + copy and/or relocation of + + PAN for all personnel, except for those with documented, explicit authorization + and a legitimate, defined business need.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.5:1 + name: 3.5.1 + description: "PAN is rendered unreadable anywhere it is stored by using any\ + \ of the following approaches:\n- One-way hashes based on strong cryptography\ + \ of the entire PAN.\n- Truncation (hashing cannot be used to replace the\ + \ truncated segment of PAN).\n\u2013 If hashed and truncated versions of the\ + \ same PAN, or different truncation formats of the same PAN, are present in\ + \ an environment, additional controls are in place such that the different\ + \ versions cannot be correlated to reconstruct the original PAN.\n- Index\ + \ tokens.\n- Strong cryptography with associated key-management processes\ + \ and procedures." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.5:2 + name: 3.5.1.1 + description: Hashes used to render PAN unreadable (per the first bullet of Requirement + 3.5.1) are keyed cryptographic hashes of the entire PAN, with associated key-management + processes and procedures in accordance with Requirements 3.6 and 3.7. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.5:3 + name: 3.5.1.2 + description: 'If disk-level or partition-level encryption rather than file-, + column-, or field-level database encryption) is used to render PAN unreadable, + it is implemented only as follows: + + - On removable electronic media. + + OR + + - If used for non-removable electronic media, PAN is also rendered unreadable + via another mechanism that meets Requirement 3.5.1.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.5:4 + name: 3.5.1.3 + description: 'If disk-level or partition-level encryption is used (rather than + file-, column-, or field--level database encryption) to render PAN unreadable, + it is managed as follows: + + - Logical access is managed separately and independently of native operating + system authentication and access control mechanisms. + + - Decryption keys are not associated with user accounts. + + - Authentication factors (passwords, passphrases, or cryptographic keys) that + allow access to - nencrypted data are stored securely.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.6:1 + name: 3.6.1 + description: 'Procedures are defined and implemented to protect cryptographic + keys used to protect stored account data against disclosure and misuse that + include: + + - Access to keys is restricted to the fewest number of custodians necessary. + + - Key-encrypting keys are at least as strong as the data-encrypting keys they + protect. + + - Key-encrypting keys are stored separately from data-encrypting keys. + + - Keys are stored securely in the fewest possible locations and forms.' 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.6 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.6:2 + name: 3.6.1.1 + description: 'Additional requirement for service providers only: A documented + description of the cryptographic architecture is maintained that includes: + + - Details of all algorithms, protocols, and keys used for the protection of + stored account data, including key strength and expiry date. + + - Preventing the use of the same cryptographic keys in production and test + environments. This bullet is a best practice until its effective date. + + - Description of the key usage for each key. + + - Inventory of any hardware security modules (HSMs), key management systems + (KMS), and other secure cryptographic devices (SCDs) used for key management, + including type and location of devices, as outlined in Requirement 12.3.4.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.6 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.6:3 + name: 3.6.1.2 + description: 'Secret and private keys used to encrypt/decrypt stored account + data are stored in one (or more) of the following forms at all times: + + - Encrypted with a key-encrypting key that is at least as strong as the data-encrypting + key, and that is stored separately from the data-encrypting key. + + - Within a secure cryptographic device (SCD), such as a hardware security + module (HSM) or PTS-approved point-of-interaction device. 
+ + - As at least two full-length key components or key shares, in accordance + with an industry-accepted method' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.6 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.6:4 + name: 3.6.1.3 + description: Access to cleartext cryptographic key components is restricted + to the fewest number of custodians necessary. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.6 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.6:5 + name: 3.6.1.4 + description: Cryptographic keys are stored in the fewest possible location. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.6 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.7:1 + name: 3.7.1 + description: Key-management policies and procedures are implemented to include + generation of strong cryptographic keys used to protect stored account data. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.7 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.7:2 + name: 3.7.2 + description: Key-management policies and procedures are implemented to include + secure distribution of cryptographic keys used to protect stored account data. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.7 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.7:3 + name: 3.7.3 + description: Key-management policies and procedures are implemented to include + secure storage of cryptographic keys used to protect stored account data. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.7 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.7:4 + name: 3.7.4 + description: 'Key management policies and procedures are implemented for cryptographic + key changes for keys that have reached the end of their cryptoperiod, as defined + by the associated application vendor or key owner, and based on industry best + practices and guidelines, including the following: + + - A defined cryptoperiod for each key type in use. + + - A process for key changes at the end of the defined cryptoperiod.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.7 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.7:5 + name: 3.7.5 + description: 'Key management policies procedures are implemented to include + the retirement, replacement, or destruction of keys used to protect stored + account data, as deemed necessary when: + + - The key has reached the end of its defined cryptoperiod. + + - The integrity of the key has been weakened, including when personnel with + knowledge of a cleartext key component leaves the company, or the role for + which the key component was known. + + - The key is suspected of or known to be compromised. + + - Retired or replaced keys are not used for encryption operations.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.7 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.7:6 + name: 3.7.6 + description: Where manual cleartext cryptographic key-management operations + are performed by personnel, key-management policies and procedures are implemented + include managing these operations using split knowledge and dual control. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.7 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.7:7 + name: 3.7.7 + description: Key management policies and procedures are implemented to include + the prevention of unauthorized substitution of cryptographic keys. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.7 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.7:8 + name: 3.7.8 + description: Key management policies and procedures are implemented to include + that cryptographic key custodians formally acknowledge (in writing or electronically) + that they understand and accept their key-custodian responsibilities. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.7 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-3:3.7:9 + name: 3.7.9 + description: "Additional testing procedure for service provider assessments\ + \ only: If the service provider shares cryptographic keys with its customers\ + \ for transmission or storage of account data, examine the documentation that\ + \ the service provider provides to its customers to verify it includes guidance\ + \ on how to securely transmit, store, and update customers\u2019 keys in accordance\ + \ with all elements specified in Requirements 3.7.1 through 3.7.8 above." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-3:3.7 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-4:4.1:1 + name: 4.1.1 + description: 'All security policies and operational procedures that are identified + in Requirement 4 are: + + - Documented. + + - Kept up to date. + + - In use. 
+ + - Known to all affected parties' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-4:4.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-4:4.1:2 + name: 4.1.2 + description: Roles and responsibilities for performing activities in Requirement + 4 are documented, assigned, and understood. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-4:4.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-4:4.2:1 + name: 4.2.1 + description: 'Strong cryptography and security protocols are implemented as + follows to safeguard PAN during transmission over open, public networks: + + - Only trusted keys and certificates are accepted. + + - Certificates used to safeguard PAN during transmission over open, public + networks are confirmed as valid and are not expired or revoked. This bullet + is a best practice until its effective date; refer to applicability notes + below for details. + + - The protocol in use supports only secure versions or configurations and + does not support fallback to, or use of insecure versions, algorithms, key + sizes, or implementations. + + - The encryption strength is appropriate for the encryption methodology in + use.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-4:4.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-4:4.2:2 + name: 4.2.1.1 + description: "An inventory of the entity\u2019s trusted keys and certificates\ + \ used to protect PAN during transmission is maintained." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-4:4.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-4:4.2:3 + name: 4.2.1.2 + description: Wireless networks transmitting PAN or connected to the CDE use + industry best practices to implement strong cryptography for authentication + and transmission. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-4:4.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:protect-account-data:requirement-4:4.2:4 + name: 4.2.2 + description: PAN is secured with strong cryptography whenever it is sent via + end-user messaging technologies. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:protect-account-data:requirement-4:4.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.1:1 + name: 5.1.1 + description: 'All security policies and operational procedures that are identified + in Requirement 5 are: + + - Documented. + + - Kept up to date. + + - In use. + + - Known to all affected parties.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.1:2 + name: 5.1.2 + description: Roles and responsibilities for performing activities in Requirement + 5 are documented, assigned, and understood. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.2:1 + name: 5.2.1 + description: An anti-malware solution(s) is deployed on all system components, + except for those system components identified in periodic evaluations per + Requirement 5.2.3 that concludes the system components are not at risk from + malware. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.2:2 + name: 5.2.2 + description: 'The deployed anti-malware solution(s): + + - Detects all known types of malware. + + - Removes, blocks, or contains all known types of malware.' 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.2:3 + name: 5.2.3 + description: 'Any system components that are not at risk for malware are evaluated + periodically to include the following: + + - A documented list of all system components not at risk for malware. + + - Identification and evaluation of evolving malware threats for those system + components. + + - Confirmation whether such system components continue to not require anti-malware + protection.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.2:4 + name: 5.2.3.1 + description: "The frequency of periodic evaluations of system components identified\ + \ as not at risk for malware is defined in the entity\u2019s targeted risk\ + \ analysis, which is performed according to all elements specified in Requirement\ + \ 12.3.1." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.3:1 + name: 5.3.1 + description: The anti-malware solution(s) is kept current via automatic updates. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.3:2 + name: 5.3.2 + description: "The anti-malware solution(s):\n- Performs periodic scans and active\ + \ or real-time scans. \nOR\n- Performs continuous behavioral analysis of systems\ + \ or processes." 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.3:3 + name: 5.3.2.1 + description: "If periodic malware scans are performed to meet Requirement 5.3.2,\ + \ the frequency of scans is defined in the entity\u2019s targeted risk analysis,\ + \ which is performed according to all elements specified in Requirement 12.3.1." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.3:4 + name: 5.3.3 + description: 'For removable electronic media, the anti-malware solution(s): + + - Performs automatic scans of when the media is inserted, connected, or logically + mounted, + + OR + + - Performs continuous behavioral analysis of systems or processes when the + media is inserted, connected, or logically mounted.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.3:5 + name: 5.3.4 + description: Audit logs for the anti-malware solution(s) are enabled and retained + in accordance with Requirement 10.5.1. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.3:6 + name: 5.3.5 + description: Anti-malware mechanisms cannot be disabled or altered by users, + unless specifically documented, and authorized by management on a case-by-case + basis for a limited time period. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.4:1 + name: 5.4.1 + description: Processes and automated mechanisms are in place to detect and protect + personnel against phishing attacks. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-5:5.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.1:1 + name: 6.1.1 + description: 'All security policies and operational procedures that are identified + in Requirement 6 are: + + - Documented. + + - Kept up to date. + + - In use. + + - Known to all affected parties.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.1:2 + name: 6.1.2 + description: Roles and responsibilities for performing activities in Requirement + 6 are documented, assigned, and understood. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.2:1 + name: 6.2.1 + description: 'Bespoke and custom software are developed + + securely, as follows: + + - Based on industry standards and/or best practices for secure development. + + - In accordance with PCI DSS (for example, secure authentication and logging). + + - Incorporating consideration of information security issues during each stage + of the software development lifecycle.' 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.2:2 + name: 6.2.2 + description: 'Software development personnel working on bespoke and custom software + are trained at least once every 12 months as follows: + + - On software security relevant to their job function and development languages. + + - Including secure software design and secure coding techniques. + + - Including, if security testing tools are used, how to use the tools for + detecting vulnerabilities in software.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.2:3 + name: 6.2.3 + description: 'Bespoke and custom software is reviewed prior to being released + into production or to customers, to identify and correct potential coding + vulnerabilities, as follows: + + - Code reviews ensure code is developed according to secure coding guidelines. + + - Code reviews look for both existing and emerging software vulnerabilities. + + - Appropriate corrections are implemented prior to release.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.2:4 + name: 6.2.3.1 + description: 'If manual code reviews are performed for bespoke and custom software + prior to release to production, code changes are: + + - Reviewed by individuals other than the originating code author, and who + are knowledgeable about code-review techniques + + and secure coding practices. + + - Reviewed and approved by management prior to release.' 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.2:5 + name: 6.2.4 + description: "Software engineering techniques or other methods are defined and\ + \ in use by software development personnel to prevent or mitigate common software\ + \ attacks and related vulnerabilities in bespoke and custom software, including\ + \ but not limited to the following:\n- Injection attacks, including SQL, LDAP,\ + \ XPath, or other command, parameter, object, fault, or injection-type flaws.\n\ + - Attacks on data and data structures, including attempts to manipulate buffers,\ + \ pointers, input data, or shared data.\n- Attacks on cryptography usage,\ + \ including attempts to exploit weak, insecure, or inappropriate cryptographic\ + \ implementations, algorithms, cipher suites, or modes of operation.\n- Attacks\ + \ on business logic, including attempts to abuse or bypass application features\ + \ and functionalities through the manipulation of APIs, communication protocols\ + \ and channels, client-side functionality, or other system/application functions\ + \ and resources. This includes cross-site scripting (XSS) and cross-site request\ + \ forgery (CSRF).\n- Attacks on access control mechanisms, including attempts\ + \ to bypass or abuse identification, authentication, or authorization mechanisms,\ + \ or attempts to exploit weaknesses in the implementation of such mechanisms.\n\ + - Attacks via any \u201Chigh-risk\u201D vulnerabilities identified in the\ + \ vulnerability identification process, as defined in Requirement 6.3.1." 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.3:1 + name: 6.3.1 + description: 'Security vulnerabilities are identified and managed as follows: + + - New security vulnerabilities are identified using industry-recognized sources + for security vulnerability information, including alerts from international + and national computer emergency response teams (CERTs). + + - Vulnerabilities are assigned a risk ranking based on industry best practices + and consideration of potential impact. + + - Risk rankings identify, at a minimum, all vulnerabilities considered to + be a high-risk or critical to the environment. + + - Vulnerabilities for bespoke and custom, and third-party software (for example + operating systems and databases) are covered.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.3:2 + name: 6.3.2 + description: An inventory of bespoke and custom software, and third-party software + components incorporated into bespoke and custom software is maintained to + facilitate vulnerability and patch management. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.3:3 + name: 6.3.3 + description: 'All system components are protected from known vulnerabilities + by installing applicable security patches/updates as follows: + + - Critical or high-security patches/updates (identified according to the risk + ranking process at Requirement 6.3.1) are installed within one month of release. 
+ + - All other applicable security patches/updates are installed within an appropriate + time frame as determined by the entity (for example, within three months of + release).' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.4:1 + name: 6.4.1 + description: "For public-facing web applications, new threats and vulnerabilities\ + \ are addressed on an ongoing basis and these applications are protected against\ + \ known attacks as follows:\n- Reviewing public-facing web applications via\ + \ manual or automated application vulnerability security assessment tools\ + \ or methods as follows:\n \u2013 At least once every 12 months and after\ + \ significant changes.\n \u2013 By an entity that specializes in application\ + \ security.\n \u2013 Including, at a minimum, all common software attacks\ + \ in Requirement 6.2.4.\n \u2013 All vulnerabilities are ranked in accordance\ + \ with requirement 6.3.1.\n \u2013 All vulnerabilities are corrected.\n\ + \ \u2013 The application is re-evaluated after the corrections\nOR\n- Installing\ + \ an automated technical solution(s) that continually detects and prevents\ + \ web-based attacks as follows:\n \u2013 Installed in front of public-facing\ + \ web applications to detect and prevent web-based attacks.\n \u2013 Actively\ + \ running and up to date as applicable.\n \u2013 Generating audit logs.\n\ + \ \u2013 Configured to either block web-based attacks or generate an alert\ + \ that is immediately investigated." 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.4:2 + name: 6.4.2 + description: 'For public-facing web applications, an automated technical solution + is deployed that continually detects and prevents web-based attacks, with + at least the following: + + - Is installed in front of public-facing web applications and is configured + to detect and prevent web-based attacks. + + - Actively running and up to date as applicable. + + - Generating audit logs. + + - Configured to either block web-based attacks or generate an alert that is + immediately investigated.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.4:3 + name: 6.4.3 + description: "All payment page scripts that are loaded and executed in the consumer\u2019\ + s browser are managed as follows:\n\u2022 A method is implemented to confirm\ + \ that each script is authorized.\n\u2022 A method is implemented to assure\ + \ the integrity of each script.\n\u2022 An inventory of all scripts is maintained\ + \ with written justification as to why each is necessary." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.5:1 + name: 6.5.1 + description: 'Changes to all system components in the production environment + are made according to established procedures that include: + + - Reason for, and description of, the change. + + - Documentation of security impact. + + - Documented change approval by authorized parties. + + - Testing to verify that the change does not adversely impact system security. 
+ + - For bespoke and custom software changes, all updates are tested for compliance + with Requirement 6.2.4 before being deployed into production. + + - Procedures to address failures and return to a secure state.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.5:2 + name: 6.5.2 + description: Upon completion of a significant change, all applicable PCI DSS + requirements are confirmed to be in place on all new or changed systems and + networks, and documentation is updated as applicable. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.5:3 + name: 6.5.3 + description: Pre-production environments are separated from production environments + and the separation is enforced with access controls. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.5:4 + name: 6.5.4 + description: Roles and functions are separated between production and pre-production + environments to provide accountability such that only reviewed and approved + changes are deployed. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.5:5 + name: 6.5.5 + description: Live PANs are not used in pre-production environments, except where + those environments are included in the CDE and protected in accordance with + all applicable PCI DSS requirements. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.5:6 + name: 6.5.6 + description: Test data and test accounts are removed from system components + before the system goes into production. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-a-vulnerability-management-program:requirement-6:6.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.1:1 + name: 7.1.1 + description: 'All security policies and operational procedures that are identified + in Requirement 7 are: + + - Documented. + + - Kept up to date. + + - In use. + + - Known to all affected parties.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.1:2 + name: 7.1.2 + description: Roles and responsibilities for performing activities in Requirement + 7 are documented, assigned, and understood. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.2:1 + name: 7.2.1 + description: "An access control model is defined and includes granting access\ + \ as follows:\n- Appropriate access depending on the entity\u2019s business\ + \ and access needs.\n- Access to system components and data resources that\ + \ is based on users\u2019 job classification and functions.\n- The least privileges\ + \ required (for example, user, administrator) to perform a job function." 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.2:2 + name: 7.2.2 + description: 'Access is assigned to users, including privileged users, based + on: + + - Job classification and function. + + - Least privileges necessary to perform job responsibilities.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.2:3 + name: 7.2.3 + description: Required privileges are approved by authorized personnel. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.2:4 + name: 7.2.4 + description: 'All user accounts and related access privileges, including third-party/vendor + accounts, are reviewed as follows: + + - At least once every six months. + + - To ensure user accounts and access remain appropriate based on job function. + + - Any inappropriate access is addressed. + + - Management acknowledges that access remains appropriate.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.2:5 + name: 7.2.5 + description: 'All application and system accounts and related access privileges + are assigned and managed as follows: + + - Based on the least privileges necessary for the operability of the system + or application. + + - Access is limited to the systems, applications, or processes that specifically + require their use.' 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.2:6 + name: 7.2.5.1 + description: "All access by application and system accounts and related access\ + \ privileges are reviewed as follows:\n- Periodically (at the frequency defined\ + \ in the entity\u2019s targeted risk analysis, which is performed according\ + \ to all elements specified in Requirement 12.3.1).\n- The application/system\ + \ access remains appropriate for the function being performed.\n- Any inappropriate\ + \ access is addressed.\n- Management acknowledges that access remains appropriate." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.2:7 + name: 7.2.6 + description: 'All user access to query repositories of stored cardholder data + is restricted as follows: + + - Via applications or other programmatic methods, with access and allowed + actions based on user roles and least privileges. + + - Only the responsible administrator(s) can directly access or query repositories + of stored CHD.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.3:1 + name: 7.3.1 + description: "An access control system(s) is in place that restricts access\ + \ based on a user\u2019s need to know and covers all system components." 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.3:2 + name: 7.3.2 + description: The access control system(s) is configured to enforce permissions + assigned to individuals, applications, and systems based on job classification + and function. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.3:3 + name: 7.3.3 + description: "The access control system(s) is set to \u201Cdeny all\u201D by\ + \ default." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-7:7.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.1:1 + name: 8.1.1 + description: 'All security policies and operational procedures that are identified + in Requirement 8 are: + + - Documented. + + - Kept up to date. + + - In use. + + - Known to all affected parties.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.1:2 + name: 8.1.2 + description: Roles and responsibilities for performing activities in Requirement + 8 are documented, assigned, and understood. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.2:1 + name: 8.2.1 + description: All users are assigned a unique ID before access to system components + or cardholder data is allowed. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.2:2 + name: 8.2.2 + description: 'Group, shared, or generic accounts, or other shared authentication + credentials are only used when necessary on an exception basis, and are managed + as follows: + + - Account use is prevented unless needed for an exceptional circumstance. + + - Use is limited to the time needed for the exceptional circumstance. + + - Business justification for use is documented. + + - Use is explicitly approved by management. + + - Individual user identity is confirmed before access to an account is granted. + + - Every action taken is attributable to an individual user.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.2:3 + name: 8.2.3 + description: 'Additional requirement for service providers only: Service providers + with remote access to customer premises use unique authentication factors + for each customer premises.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.2:4 + name: 8.2.4 + description: 'Addition, deletion, and modification of user IDs, authentication + factors, and other identifier objects are managed as follows: + + - Authorized with the appropriate approval. + + - Implemented with only the privileges specified on the documented approval.' 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.2:5 + name: 8.2.5 + description: Access for terminated users is immediately revoked. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.2:6 + name: 8.2.6 + description: Inactive user accounts are removed or disabled within 90 days of + inactivity. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.2:7 + name: 8.2.7 + description: 'Accounts used by third parties to access, support, or maintain + system components via remote access are managed as follows: + + - Enabled only during the time period needed and disabled when not in use. + + - Use is monitored for unexpected activity.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.2:8 + name: 8.2.8 + description: If a user session has been idle for more than 15 minutes, the user + is required to re-authenticate to re-activate the terminal or session. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3:1 + name: 8.3.1 + description: "All user access to system components for users and administrators\ + \ is authenticated via at least one of the following authentication factors:\n\ + \u2022 Something you know, such as a password or passphrase.\n\u2022 Something\ + \ you have, such as a token device or smart card.\n\u2022 Something you are,\ + \ such as a biometric element." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3:2 + name: 8.3.2 + description: Strong cryptography is used to render all authentication factors + unreadable during transmission and storage on all system components. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3:3 + name: 8.3.3 + description: User identity is verified before modifying any authentication factor. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3:4 + name: 8.3.4 + description: "Invalid authentication attempts are limited by:\n- Locking out\ + \ the user ID after not more than 10 attempts.\n- Setting the lockout duration\ + \ to a minimum of 30 minutes or until the user\u2019s identity is confirmed." 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3:5 + name: 8.3.5 + description: 'If passwords/passphrases are used as authentication factors to + meet Requirement 8.3.1, they are set and reset for each user as follows: + + - Set to a unique value for first-time use and upon reset. + + - Forced to be changed immediately after the first use.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3:6 + name: 8.3.6 + description: 'If passwords/passphrases are used as authentication factors to + meet Requirement 8.3.1, they meet the following minimum level of complexity: + + - A minimum length of 12 characters (or IF the system does not support 12 + characters, a minimum length of eight characters). + + - Contain both numeric and alphabetic characters.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3:7 + name: 8.3.7 + description: Individuals are not allowed to submit a new password/passphrase + that is the same as any of the last four passwords/passphrases used. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3:8 + name: 8.3.8 + description: 'Authentication policies and procedures are documented and communicated + to all users including: + + - Guidance on selecting strong authentication factors. + + - Guidance for how users should protect their authentication factors. 
+ + - Instructions not to reuse previously used passwords/passphrases. + + - Instructions to change passwords/passphrases if there is any suspicion or + knowledge that the password/passphrases have been compromised and how to report + the incident.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3:9 + name: 8.3.9 + description: "If passwords/passphrases are used as the only authentication factor\ + \ for user access (i.e., in any single-factor authentication implementation)\ + \ then either:\n\u2022 Passwords/passphrases are changed at least once every\ + \ 90 days,\nOR\n\u2022 The security posture of accounts is dynamically analyzed,\ + \ and real-time access to resources is automatically determined accordingly." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3:10 + name: 8.3.10 + description: 'Additional requirement for service providers only: If passwords/passphrases + are used as the only authentication factor for customer user access to cardholder + data (i.e., in any single- factor authentication implementation), then guidance + is provided to customer users including: + + - Guidance for customers to change their user passwords/passphrases periodically. + + - Guidance as to when, and under what circumstances, passwords/passphrases + are to be changed.' 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3:11 + name: 8.3.10.1 + description: "Additional requirement for service providers only: If passwords/passphrases\ + \ are used as the only authentication factor for customer user access (i.e.,\ + \ in any single-factor authentication implementation) then either:\n\u2022\ + \ Passwords/passphrases are changed at least once every 90 days,\nOR\n\u2022\ + \ The security posture of accounts is dynamically analyzed, and real-time\ + \ access to resources is automatically determined accordingly." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3:12 + name: 8.3.11 + description: 'Where authentication factors such as physical or logical security + tokens, smart cards, or certificates are used: + + - Factors are assigned to an individual user and not shared among multiple + users. + + - Physical and/or logical controls ensure only the intended user can use that + factor to gain access.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.4:1 + name: 8.4.1 + description: MFA is implemented for all non-console access into the CDE for + personnel with administrative access. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.4:2 + name: 8.4.2 + description: MFA is implemented for all access into the CDE. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.4:3 + name: 8.4.3 + description: "MFA is implemented for all remote network access originating from\ + \ outside the entity\u2019s network that could access or impact the CDE as\ + \ follows:\n- All remote access by all personnel, both users and administrators,\ + \ originating from outside the entity\u2019s network.\n- All remote access\ + \ by third parties and vendors." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.5:1 + name: 8.5.1 + description: 'MFA systems are implemented as follows: + + - The MFA system is not susceptible to replay attacks. + + - MFA systems cannot be bypassed by any users, including administrative users + unless specifically documented, and authorized by management on an exception + basis, for a limited time period. + + - At least two different types of authentication factors are used. + + - Success of all authentication factors is required before access is granted.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.6:1 + name: 8.6.1 + description: 'If accounts used by systems or applications can be used for interactive + login, they are managed as follows: + + - Interactive use is prevented unless needed for an exceptional circumstance. + + - Interactive use is limited to the time needed for the exceptional circumstance. + + - Business justification for interactive use is documented. + + - Interactive use is explicitly approved by management. 
+ + - Individual user identity is confirmed before access to account is granted. + + - Every action taken is attributable to an individual user.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.6 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.6:2 + name: 8.6.2 + description: Passwords/passphrases for any application and system accounts that + can be used for interactive login are not hard coded in scripts, configuration/property + files, or bespoke and custom source code. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.6 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.6:3 + name: 8.6.3 + description: "Passwords/passphrases for any application and system accounts\ + \ are protected against misuse as follows:\n- Passwords/passphrases are changed\ + \ periodically (at the frequency defined in the entity\u2019s targeted risk\ + \ analysis, which is performed according to all elements specified in Requirement\ + \ 12.3.1) and upon suspicion or confirmation of compromise.\n- Passwords/passphrases\ + \ are constructed with sufficient complexity appropriate for how frequently\ + \ the entity changes the passwords/passphrases." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-8:8.6 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.1:1 + name: 9.1.1 + description: 'All security policies and operational procedures that are identified + in Requirement 9 are: + + - Documented. + + - Kept up to date. + + - In use. + + - Known to all affected parties.' 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.1:2 + name: 9.1.2 + description: Roles and responsibilities for performing activities in Requirement + 9 are documented, assigned, and understood. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.2:1 + name: 9.2.1 + description: Appropriate facility entry controls are in place to restrict physical + access to systems in the CDE. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.2:2 + name: 9.2.1.1 + description: 'Individual physical access to sensitive areas within the CDE is + monitored with either video cameras or physical access control mechanisms + (or both) as follows: + + - Entry and exit points to/from sensitive areas within the CDE are monitored. + + - Monitoring devices or mechanisms are protected from tampering or disabling. + + - Collected data is reviewed and correlated with other entries. + + - Collected data is stored for at least three months, unless otherwise restricted + by law.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.2:3 + name: 9.2.2 + description: Physical and/or logical controls are implemented to restrict use + of publicly accessible network jacks within the facility. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.2:4 + name: 9.2.3 + description: Physical access to wireless access points, gateways, networking/communications + hardware, and telecommunication lines within the facility is restricted. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.2:5 + name: 9.2.4 + description: Access to consoles in sensitive areas is restricted via locking + when not in use. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.3:1 + name: 9.3.1 + description: "Procedures are implemented for authorizing and managing physical\ + \ access of personnel to the CDE, including:\n- Identifying personnel.\n-\ + \ Managing changes to an individual\u2019s physical access requirements.\n\ + - Revoking or terminating personnel identification.\n- Limiting access to\ + \ the identification process or system to authorized personnel" + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.3:2 + name: 9.3.1.1 + description: 'Physical access to sensitive areas within the CDE for personnel + is controlled as follows: + + - Access is authorized and based on individual job function. + + - Access is revoked immediately upon termination. + + - All physical access mechanisms, such as keys, access cards, etc., are returned + or disabled upon termination.' 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.3:3 + name: 9.3.2 + description: 'Procedures are implemented for authorizing and managing visitor + access to the CDE, including: + + - Visitors are authorized before entering. + + - Visitors are escorted at all times. + + - Visitors are clearly identified and given a badge or other identification + that expires. + + - Visitor badges or other identification visibly distinguishes visitors from + personnel.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.3:4 + name: 9.3.3 + description: Visitor badges or identification are surrendered or deactivated + before visitors leave the facility or at the date of expiration. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.3:5 + name: 9.3.4 + description: "A visitor log is used to maintain a physical record of visitor\ + \ activity within the facility and within sensitive areas, including:\n- The\ + \ visitor\u2019s name and the organization represented.\n- The date and time\ + \ of the visit.\n- The name of the personnel authorizing physical access.\n\ + - Retaining the log for at least three months, unless otherwise restricted\ + \ by law." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.4:1 + name: 9.4.1 + description: All media with cardholder data is physically secured. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.4:2 + name: 9.4.1.1 + description: Offline media backups with cardholder data are stored in a secure + location. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.4:3 + name: 9.4.1.2 + description: The security of the offline media backup location(s) with cardholder + data is reviewed at least once every 12 months. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.4:4 + name: 9.4.2 + description: All media with cardholder data is classified in accordance with + the sensitivity of the data. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.4:5 + name: 9.4.3 + description: 'Media with cardholder data sent outside the facility is secured + as follows: + + - Media sent outside the facility is logged. + + - Media is sent by secured courier or other delivery method that can be accurately + tracked. + + - Offsite tracking logs include details about media location.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.4:6 + name: 9.4.4 + description: Management approves all media with cardholder data that is moved + outside the facility (including when media is distributed to individuals). 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.4:7 + name: 9.4.5 + description: Inventory logs of all electronic media with cardholder data are + maintained. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.4:8 + name: 9.4.5.1 + description: Inventories of electronic media with cardholder data are conducted + at least once every 12 months. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.4:9 + name: 9.4.6 + description: "Hard-copy materials with cardholder data are destroyed when no\ + \ longer needed for business or legal reasons, as follows:\n\u2022 Materials\ + \ are cross-cut shredded, incinerated, or pulped so that cardholder data cannot\ + \ be reconstructed.\n\u2022 Materials are stored in secure storage containers\ + \ prior to destruction." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.4:10 + name: 9.4.7 + description: 'Electronic media with cardholder data is destroyed when no longer + needed for business or legal reasons via one of the following: + + - The electronic media is destroyed. + + - The cardholder data is rendered unrecoverable so that it cannot be reconstructed.' 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.5:1 + name: 9.5.1 + description: 'POI devices that capture payment card data via direct physical + interaction with the payment card form factor are protected from tampering + and unauthorized substitution, including the following: + + - Maintaining a list of POI devices. + + - Periodically inspecting POI devices to look for tampering or unauthorized + substitution. + + - Training personnel to be aware of suspicious behavior and to report tampering + or unauthorized substitution of devices.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.5:2 + name: 9.5.1.1 + description: 'An up-to-date list of POI devices is maintained, including: + + - Make and model of the device. + + - Location of device. + + - Device serial number or other methods of unique identification.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.5:3 + name: 9.5.1.2 + description: POI device surfaces are periodically inspected to detect tampering + and unauthorized substitution. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.5:4 + name: 9.5.1.2.1 + description: "The frequency of periodic POI device inspections and the type\ + \ of inspections performed is defined in the entity\u2019s targeted risk analysis,\ + \ which is performed according to all elements specified in Requirement 12.3.1." 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.5:5 + name: 9.5.1.3 + description: 'Training is provided for personnel in POI environments to be aware + of attempted tampering or replacement of POI devices, and includes: + + - Verifying the identity of any third-party persons claiming to be repair + or maintenance personnel, before granting them access to modify or troubleshoot + devices. + + - Procedures to ensure devices are not installed, replaced, or returned without + verification. + + - Being aware of suspicious behavior around devices. + + - Reporting suspicious behavior and indications of device tampering or substitution + to appropriate personnel.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:implement-strong-access-control-measures:requirement-9:9.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.1:1 + name: 10.1.1 + description: 'All security policies and operational procedures that are identified + in Requirement 10 are: + + - Documented. + + - Kept up to date. + + - In use. + + - Known to all affected parties.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.1:2 + name: 10.1.2 + description: Roles and responsibilities for performing activities in Requirement + 10 are documented, assigned, and understood + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.2:1 + name: 10.2.1 + description: Audit logs are enabled and active for all system components and + cardholder data. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.2:2 + name: 10.2.1.1 + description: Audit logs capture all individual user access to cardholder data. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.2:3 + name: 10.2.1.2 + description: Audit logs capture all actions taken by any individual with administrative + access, including any interactive use of application or system accounts. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.2:4 + name: 10.2.1.3 + description: Audit logs capture all access to audit logs. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.2:5 + name: 10.2.1.4 + description: Audit logs capture all invalid logical access attempts. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.2:6 + name: 10.2.1.5 + description: 'Audit logs capture all changes to identification and authentication + credentials including, but not limited to: + + - Creation of new accounts. + + - Elevation of privileges. + + - All changes, additions, or deletions to accounts with administrative access.' 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.2:7 + name: 10.2.1.6 + description: 'Audit logs capture the following: + + - All initialization of new audit logs, and + + - All starting, stopping, or pausing of the existing audit logs.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.2:8 + name: 10.2.1.7 + description: Audit logs capture all creation and deletion of system-level objects. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.2:9 + name: 10.2.2 + description: 'Audit logs record the following details for each auditable event: + + - User identification. + + - Type of event. + + - Date and time. + + - Success and failure indication. + + - Origination of event. + + - Identity or name of affected data, system component, resource, or service + (for example, name and protocol).' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.3:1 + name: 10.3.1 + description: Read access to audit logs files is limited to those with a job-related + need. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.3:2 + name: 10.3.2 + description: Audit log files are protected to prevent modifications by individuals. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.3:3 + name: 10.3.3 + description: Audit log files, including those for external-facing technologies, + are promptly backed up to a secure, central, internal log server(s) or other + media that is difficult to modify. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.3:4 + name: 10.3.4 + description: File integrity monitoring or change-detection mechanisms is used + on audit logs to ensure that existing log data cannot be changed without generating + alerts. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.4:1 + name: 10.4.1 + description: 'The following audit logs are reviewed at least once daily: + + - All security events. + + - Logs of all system components that store, process, or transmit CHD and/or + SAD. + + - Logs of all critical system components. + + - Logs of all servers and system components that perform security functions + (for example, network security controls, intrusion-detection systems/intrusion-prevention + systems (IDS/IPS), authentication servers).' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.4:2 + name: 10.4.1.1 + description: Automated mechanisms are used to perform audit log reviews. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.4:3 + name: 10.4.2 + description: Logs of all other system components (those not specified in Requirement + 10.4.1) are reviewed periodically. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.4:4 + name: 10.4.2.1 + description: "The frequency of periodic log reviews for all other system components\ + \ (not defined in Requirement 10.4.1) is defined in the entity\u2019s targeted\ + \ risk analysis, which is performed according to all elements specified in\ + \ Requirement 12.3.1." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.4:5 + name: 10.4.3 + description: Exceptions and anomalies identified during the review process are + addressed. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.5:1 + name: 10.5.1 + description: Retain audit log history for at least 12 months, with at least + the most recent three months immediately available for analysis. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.6:1 + name: 10.6.1 + description: System clocks and time are synchronized using time-synchronization + technology. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.6 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.6:2 + name: 10.6.2 + description: 'Systems are configured to the correct and consistent time as follows: + + - One or more designated time servers are in use. + + - Only the designated central time server(s) receives time from external sources. + + - Time received from external sources is based on International Atomic Time + or Coordinated Universal Time (UTC). + + - The designated time server(s) accept time updates only from specific industry-accepted + external sources. + + - Where there is more than one designated time server, the time servers peer + with one another to keep accurate time. + + - Internal systems receive time information only from designated central time + server(s).' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.6 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.6:3 + name: 10.6.3 + description: 'Time synchronization settings and data are protected as follows: + + - Access to time data is restricted to only personnel with a business need. + + - Any changes to time settings on critical systems are logged, monitored, + and reviewed.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.6 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.7:1 + name: 10.7.1 + description: 'Additional requirement for service providers only: Failures of + critical security control systems are detected, alerted, and addressed promptly, + including but not limited to failure of the following critical security control + systems: + + - Network security controls. + + - IDS/IPS. + + - FIM. + + - Anti-malware solutions. + + - Physical access controls. 
+ + - Logical access controls. + + - Audit logging mechanisms. + + - Segmentation controls (if used).' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.7 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.7:2 + name: 10.7.2 + description: 'Failures of critical security control systems are detected, alerted, + and addressed promptly, including but not limited to failure of the following + critical security control systems: + + - Network security controls. + + - IDS/IPS. + + - Change-detection mechanisms. + + - Anti-malware solutions. + + - Physical access controls. + + - Logical access controls. + + - Audit logging mechanisms. + + - Segmentation controls (if used). + + - Audit log review mechanisms. + + - Automated security testing tools (if used).' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.7 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.7:3 + name: 10.7.3 + description: 'Failures of any critical security controls systems are responded + to promptly, including but not limited to: + + - Restoring security functions. + + - Identifying and documenting the duration (date and time from start to end) + of the security failure. + + - Identifying and documenting the cause(s) of failure and documenting required + remediation. + + - Identifying and addressing any security issues that arose during the failure. + + - Determining whether further actions are required as a result of the security + failure. + + - Implementing controls to prevent the cause of failure from reoccurring. + + - Resuming monitoring of security controls.' 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-10:10.7 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.1:1 + name: 11.1.1 + description: 'All security policies and operational procedures that are identified + in Requirement 11 are: + + - Documented. + + - Kept up to date. + + - In use. + + - Known to all affected parties.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.1:2 + name: 11.1.2 + description: Roles and responsibilities for performing activities in Requirement + 11 are documented, assigned, and understood. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.2:1 + name: 11.2.1 + description: 'Authorized and unauthorized wireless access points are managed + as follows: + + - The presence of wireless (Wi-Fi) access points is tested for, + + - All authorized and unauthorized wireless access points are detected and + identified, + + - Testing, detection, and identification occurs at least once every three + months. + + - If automated monitoring is used, personnel are notified via generated alerts.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.2:2 + name: 11.2.2 + description: An inventory of authorized wireless access points is maintained, + including a documented business justification. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.3:1 + name: 11.3.1 + description: "Internal vulnerability scans are performed as follows:\n- At least\ + \ once every three months.\n- High-risk and critical vulnerabilities (per\ + \ the entity\u2019s vulnerability risk rankings defined at Requirement 6.3.1)\ + \ are resolved.\n- Rescans are performed that confirm all high- risk and critical\ + \ vulnerabilities (as noted above) have been resolved.\n- Scan tool is kept\ + \ up to date with latest vulnerability information.\n- Scans are performed\ + \ by qualified personnel and organizational independence of the tester exists." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.3:2 + name: 11.3.1.1 + description: "All other applicable vulnerabilities (those not ranked as high-risk\ + \ or critical per the entity\u2019s vulnerability risk rankings defined at\ + \ Requirement 6.3.1) are managed as follows:\n- Addressed based on the risk\ + \ defined in the entity\u2019s targeted risk analysis, which is performed\ + \ according to all elements specified in Requirement 12.3.1.\n- Rescans are\ + \ conducted as needed." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.3:3 + name: 11.3.1.2 + description: 'Internal vulnerability scans are performed via authenticated scanning + as follows: + + - Systems that are unable to accept credentials for authenticated scanning + are documented. + + - Sufficient privileges are used for those systems that accept credentials + for scanning. 
+ + - If accounts used for authenticated scanning can be used for interactive + login, they are managed in accordance with Requirement 8.2.2.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.3:4 + name: 11.3.1.3 + description: "Internal vulnerability scans are performed after any significant\ + \ change as follows:\n- High-risk and critical vulnerabilities (per the entity\u2019\ + s vulnerability risk rankings defined at Requirement 6.3.1) are resolved.\n\ + - Rescans are conducted as needed.\n- Scans are performed by qualified personnel\ + \ and organizational independence of the tester exists (not required to be\ + \ a QSA or ASV)." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.3:5 + name: 11.3.2 + description: "External vulnerability scans are performed as follows:\n\u2022\ + \ At least once every three months.\n\u2022 By a PCI SSC Approved Scanning\ + \ Vendor (ASV).\n\u2022 Vulnerabilities are resolved and ASV Program Guide\ + \ requirements for a passing scan are met.\n\u2022 Rescans are performed as\ + \ needed to confirm that vulnerabilities are resolved per the ASV Program\ + \ Guide requirements for a passing scan." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.3:6 + name: 11.3.2.1 + description: 'External vulnerability scans are performed after any significant + change as follows: + + - Vulnerabilities that are scored 4.0 or higher by the CVSS are resolved. + + - Rescans are conducted as needed. 
+ + - Scans are performed by qualified personnel and organizational independence + of the tester exists (not required to be a QSA or ASV).' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.4:1 + name: 11.4.1 + description: 'A penetration testing methodology is defined, documented, and + implemented by the entity, and includes: + + - Industry-accepted penetration testing approaches. + + - Coverage for the entire CDE perimeter and critical systems. + + - Testing from both inside and outside the network. + + - Testing to validate any segmentation and scope- reduction controls. + + - Application-layer penetration testing to identify, at a minimum, the vulnerabilities + listed in Requirement 6.2.4. + + - Network-layer penetration tests that encompass all components that support + network functions as well as operating systems. + + - Review and consideration of threats and vulnerabilities experienced in the + last 12 months. + + - Documented approach to assessing and addressing the risk posed by exploitable + vulnerabilities and security weaknesses found during penetration testing. + + - Retention of penetration testing results and remediation activities results + for at least 12 months.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.4:2 + name: 11.4.2 + description: "Internal penetration testing is performed:\n- Per the entity\u2019\ + s defined methodology.\n- At least once every 12 months.\n- After any significant\ + \ infrastructure or application upgrade or change.\n- By a qualified internal\ + \ resource or qualified external third-party.\n- Organizational independence\ + \ of the tester exists (not required to be a QSA or ASV)." 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.4:3 + name: 11.4.3 + description: "External penetration testing is performed:\n- Per the entity\u2019\ + s defined methodology.\n- At least once every 12 months.\n- After any significant\ + \ infrastructure or application upgrade or change.\n- By a qualified internal\ + \ resource or qualified external third party.\n- Organizational independence\ + \ of the tester exists (not required to be a QSA or ASV)." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.4:4 + name: 11.4.4 + description: "Exploitable vulnerabilities and security weaknesses found during\ + \ penetration testing are corrected as follows:\n- In accordance with the\ + \ entity\u2019s assessment of the risk posed by the security issue as defined\ + \ in Requirement 6.3.1.\n- Penetration testing is repeated to verify the corrections." 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.4:5 + name: 11.4.5 + description: "If segmentation is used to isolate the CDE from other networks,\ + \ penetration tests are performed on segmentation controls as follows:\n-\ + \ At least once every 12 months and after any changes to segmentation controls/methods.\n\ + - Covering all segmentation controls/methods in use.\n- According to the entity\u2019\ + s defined penetration testing methodology.\n- Confirming that the segmentation\ + \ controls/methods are operational and effective, and isolate the CDE from\ + \ all out-of-scope systems.\n- Confirming effectiveness of any use of isolation\ + \ to separate systems with differing security levels (see Requirement 2.2.3).\n\ + - Performed by a qualified internal resource or qualified external third party.\n\ + - Organizational independence of the tester exists (not required to be a QSA\ + \ or ASV)." 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.4:6 + name: 11.4.6 + description: "Additional requirement for service providers only: If segmentation\ + \ is used to isolate the CDE from other networks, penetration tests are performed\ + \ on segmentation controls as follows:\n- At least once every six months and\ + \ after any changes to segmentation controls/methods.\n- Covering all segmentation\ + \ controls/methods in use.\n- According to the entity\u2019s defined penetration\ + \ testing methodology.\n- Confirming that the segmentation controls/methods\ + \ are operational and effective, and isolate the CDE from all out-of-scope\ + \ systems.\n- Confirming effectiveness of any use of isolation to separate\ + \ systems with differing security levels (see Requirement 2.2.3).\n- Performed\ + \ by a qualified internal resource or qualified external third party.\n- Organizational\ + \ independence of the tester exists (not required to be a QSA or ASV)." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.4:7 + name: 11.4.7 + description: 'Additional requirement for multi-tenant service providers only: + Multi-tenant service providers support their customers for external penetration + testing per Requirement 11.4.3 and 11.4.4.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.5:1 + name: 11.5.1 + description: 'Intrusion-detection and/or intrusion- prevention techniques are + used to detect and/or prevent intrusions into the network as follows: + + - All traffic is monitored at the perimeter of the CDE. 
+ + - All traffic is monitored at critical points in the CDE. + + - Personnel are alerted to suspected compromises. + + - All intrusion-detection and prevention engines, baselines, and signatures + are kept up to date' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.5:2 + name: 11.5.1.1 + description: 'Additional requirement for service providers only: Intrusion-detection + and/or intrusion-prevention techniques detect, alert + + on/prevent, and address covert malware communication channels.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.5:3 + name: 11.5.2 + description: 'A change-detection mechanism (for example, file integrity monitoring + tools) is deployed as follows: + + - To alert personnel to unauthorized modification (including changes, additions, + and deletions) of critical files. + + - To perform critical file comparisons at least once weekly.' 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.6:1 + name: 11.6.1 + description: "A change- and tamper-detection mechanism is deployed as follows:\n\ + - To alert personnel to unauthorized modification (including indicators of\ + \ compromise, changes, additions, and deletions) to the HTTP headers and the\ + \ contents of payment pages as received by the consumer browser.\n- The mechanism\ + \ is configured to evaluate the received HTTP header and payment page.\n-\ + \ The mechanism functions are performed as follows:\n \u2013 At least once\ + \ every seven days.\n OR\n \u2013 Periodically (at the frequency defined\ + \ in the entity\u2019s targeted risk analysis, which is performed according\ + \ to all elements specified in Requirement 12.3.1)." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:regularly-monitor-and-test-networks:requirement-11:11.6 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.1:1 + name: 12.1.1 + description: 'An overall information security policy is: + + - Established. + + - Published. + + - Maintained. + + - Disseminated to all relevant personnel, as well as to relevant vendors and + business partners.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.1:2 + name: 12.1.2 + description: 'The information security policy is: + + - Reviewed at least once every 12 months. + + - Updated as needed to reflect changes to business objectives or risks to + the environment.' 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.1:3 + name: 12.1.3 + description: The security policy clearly defines information security roles + and responsibilities for all personnel, and all personnel are aware of and + acknowledge their information security responsibilities. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.1:4 + name: 12.1.4 + description: Responsibility for information security is formally assigned to + a Chief Information Security Officer or other information security knowledgeable + member of executive management. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.2:1 + name: 12.2.1 + description: 'Acceptable use policies for end-user technologies are documented + and implemented, including: + + - Explicit approval by authorized parties. + + - Acceptable uses of the technology. + + - List of products approved by the company for employee use, including hardware + and software.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.3:1 + name: 12.3.1 + description: 'Each PCI DSS requirement that provides flexibility for how frequently + it is performed (for example, requirements to be performed periodically) is + supported by a targeted risk analysis that is documented and includes: + + - Identification of the assets being protected. 
+ + - Identification of the threat(s) that the requirement is protecting against. + + - Identification of factors that contribute to the likelihood and/or impact + of a threat being realized. + + - Resulting analysis that determines, and includes justification for, how + frequently the requirement must be performed to minimize the likelihood of + the threat being realized. + + - Review of each targeted risk analysis at least once every 12 months to determine + whether the results are still valid or if an updated risk analysis is needed. + + - Performance of updated risk analyses when needed, as determined by the annual + review.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.3:2 + name: 12.3.2 + description: 'A targeted risk analysis is performed for each PCI DSS requirement + that the entity meets with the customized approach, to include: + + - Documented evidence detailing each element specified in Appendix D: Customized + Approach (including, at a minimum, a controls matrix and risk analysis). + + - Approval of documented evidence by senior management. + + - Performance of the targeted analysis of risk at least once every 12 months.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.3:3 + name: 12.3.3 + description: 'Cryptographic cipher suites and protocols in use are documented + and reviewed at least once every 12 months, including at least the following: + + - An up-to-date inventory of all cryptographic cipher suites and protocols + in use, including purpose and where used. + + - Active monitoring of industry trends regarding continued viability of all + cryptographic cipher suites and protocols in use. 
+ + - A documented strategy to respond to anticipated changes in cryptographic + vulnerabilities.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.3:4 + name: 12.3.4 + description: "Hardware and software technologies in use are reviewed at least\ + \ once every 12 months, including at least the following:\n\u2022 Analysis\ + \ that the technologies continue to receive security fixes from vendors promptly.\n\ + \u2022 Analysis that the technologies continue to support (and do not preclude)\ + \ the entity\u2019s PCI DSS compliance.\n\u2022 Documentation of any industry\ + \ announcements or trends related to a technology, such as when a vendor has\ + \ announced \u201Cend of life\u201D plans for a technology.\n\u2022 Documentation\ + \ of a plan, approved by senior management, to remediate outdated technologies,\ + \ including those for which vendors have announced \u201Cend of life\u201D\ + \ plans." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.4:1 + name: 12.4.1 + description: 'Additional requirement for service providers only: Responsibility + is established by executive management for the protection of cardholder data + and a PCI DSS compliance program to include: + + - Overall accountability for maintaining PCI DSS compliance. + + - Defining a charter for a PCI DSS compliance program and communication to + executive management.' 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.4:2 + name: 12.4.2 + description: "Additional requirement for service providers only: Reviews are\ + \ performed at least once every three months to confirm that personnel are\ + \ performing their tasks in accordance with all security policies and operational\ + \ procedures. \nReviews are performed by personnel other than those responsible\ + \ for performing the given task and include, but are not limited to, the following\ + \ tasks:\n- Daily log reviews.\n- Configuration reviews for network security\ + \ controls.\n- Applying configuration standards to new systems.\n- Responding\ + \ to security alerts.\n- Change-management processes." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.4:3 + name: 12.4.2.1 + description: 'Additional requirement for service providers only: Reviews conducted + in accordance with Requirement 12.4.2 are documented to include: + + - Results of the reviews. + + - Documented remediation actions taken for any tasks that were found to not + be performed at Requirement 12.4.2. + + - Review and sign-off of results by personnel assigned responsibility for + the PCI DSS compliance program.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.5:1 + name: 12.5.1 + description: An inventory of system components that are in scope for PCI DSS, + including a description of function/use, is maintained and kept current. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.5:2 + name: 12.5.2 + description: 'PCI DSS scope is documented and confirmed by the entity at least + once every 12 months and upon significant change to the in-scope environment. + At a minimum, the scoping validation includes: + + - Identifying all data flows for the various payment stages (for example, + authorization, capture settlement, chargebacks, and refunds) and acceptance + channels (for example, card-present, card-not-present, and e-commerce). + + - Updating all data-flow diagrams per Requirement 1.2.4. + + - Identifying all locations where account data is stored, processed, and transmitted, + including but not limited to: 1) any locations outside of the currently defined + CDE, 2) applications that process CHD, 3) transmissions between systems and + networks, and 4) file backups. + + - Identifying all system components in the CDE, connected to the CDE, or that + could impact security of the CDE. + + - Identifying all segmentation controls in use and the environment(s) from + which the CDE is segmented, including justification for environments being + out of scope. + + - Identifying all connections from third-party entities with access to the + CDE. + + - Confirming that all identified data flows, account data, system components, + segmentation controls, and connections from third parties with access to the + CDE are included in scope.' 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.5:3 + name: 12.5.2.1 + description: 'Additional requirement for service providers only: PCI DSS scope + is documented and confirmed by the entity at least once every six months and + upon significant change to the in-scope environment. At a minimum, the scoping + validation includes all the elements specified in Requirement 12.5.2.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.5:4 + name: 12.5.3 + description: 'Additional requirement for service providers only: Significant + changes to organizational structure result in a documented (internal) review + of the impact to PCI DSS scope and applicability of controls, with results + communicated to executive management.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.5 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.6:1 + name: 12.6.1 + description: "A formal security awareness program is implemented to make all\ + \ personnel aware of the entity\u2019s information security policy and procedures,\ + \ and their role in protecting the cardholder data." 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.6 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.6:2 + name: 12.6.2 + description: "The security awareness program is:\n- Reviewed at least once every\ + \ 12 months, and\n- Updated as needed to address any new threats and vulnerabilities\ + \ that may impact the security of the entity\u2019s CDE, or the information\ + \ provided to personnel about their role in protecting cardholder data." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.6 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.6:3 + name: 12.6.3 + description: 'Personnel receive security awareness training as follows: + + - Upon hire and at least once every 12 months. + + - Multiple methods of communication are used. + + - Personnel acknowledge at least once every 12 months that they have read + and understood the information security policy and procedures.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.6 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.6:4 + name: 12.6.3.1 + description: 'Security awareness training includes awareness of threats and + vulnerabilities that could impact the security of the CDE, including but not + limited to: + + - Phishing and related attacks. + + - Social engineering.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.6 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.6:5 + name: 12.6.3.2 + description: Security awareness training includes awareness about the acceptable + use of end-user technologies in accordance with Requirement 12.2.1. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.6 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.7:1 + name: 12.7.1 + description: Potential personnel who will have access to the CDE are screened, + within the constraints of local laws, prior to hire to minimize the risk of + attacks from internal sources + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.7 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.8:1 + name: 12.8.1 + description: A list of all third-party service providers (TPSPs) with which + account data is shared or that could affect the security of account data is + maintained, including a description for each of the services provided. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.8 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.8:2 + name: 12.8.2 + description: "Written agreements with TPSPs are maintained as follows:\n- Written\ + \ agreements are maintained with all TPSPs with which account data is shared\ + \ or that could affect the security of the CDE.\n- Written agreements include\ + \ acknowledgments from TPSPs that they are responsible for the security of\ + \ account data the TPSPs possess or otherwise store, process, or transmit\ + \ on behalf of the entity, or to the extent that they could impact the security\ + \ of the entity\u2019s CDE." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.8 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.8:3 + name: 12.8.3 + description: An established process is implemented for engaging TPSPs, including + proper due diligence prior to engagement. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.8 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.8:4 + name: 12.8.4 + description: "A program is implemented to monitor TPSPs\u2019 PCI DSS compliance\ + \ status at least once every 12 months." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.8 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.8:5 + name: 12.8.5 + description: Information is maintained about which PCI DSS requirements are + managed by each TPSP, which are managed by the entity, and any that are shared + between the TPSP and the entity. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.8 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.9:1 + name: 12.9.1 + description: "Additional requirement for service providers only: TPSPs acknowledge\ + \ in writing to customers that they are responsible for the security of account\ + \ data the TPSP possesses or otherwise stores, processes, or transmits on\ + \ behalf of the customer, or to the extent that they could impact the security\ + \ of the customer\u2019s CDE." 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.9 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.9:2 + name: 12.9.2 + description: "Additional requirement for service providers only: TPSPs support\ + \ their customers\u2019 requests for information to meet Requirements 12.8.4\ + \ and 12.8.5 by providing the following upon customer request:\n- PCI DSS\ + \ compliance status information for any service the TPSP performs on behalf\ + \ of customers (Requirement 12.8.4).\n- Information about which PCI DSS requirements\ + \ are the responsibility of the TPSP and which are the responsibility of the\ + \ customer, including any shared responsibilities (Requirement 12.8.5)" + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.9 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.10:1 + name: 12.10.1 + description: 'An incident response plan exists and is ready to be activated + in the event of a suspected or confirmed security incident. The plan includes, + but is not limited to: + + - Roles, responsibilities, and communication and contact strategies in the + event of a suspected or confirmed security incident, including notification + of payment brands and acquirers, at a minimum. + + - Incident response procedures with specific containment and mitigation activities + for different types of incidents. + + - Business recovery and continuity procedures. + + - Data backup processes. + + - Analysis of legal requirements for reporting compromises. + + - Coverage and responses of all critical system components. + + - Reference or inclusion of incident response procedures from the payment + brands.' 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.10 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.10:2 + name: 12.10.2 + description: 'At least once every 12 months, the security incident response + plan is: + + - Reviewed and the content is updated as needed. + + - Tested, including all elements listed in Requirement 12.10.1.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.10 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.10:3 + name: 12.10.3 + description: Specific personnel are designated to be available on a 24/7 basis + to respond to suspected or confirmed security incidents. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.10 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.10:4 + name: 12.10.4 + description: Personnel responsible for responding to suspected and confirmed + security incidents are appropriately and periodically trained on their incident + response responsibilities. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.10 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.10:5 + name: 12.10.4.1 + description: "The frequency of periodic training for incident response personnel\ + \ is defined in the entity\u2019s targeted risk analysis, which is performed\ + \ according to all elements specified in Requirement 12.3.1." 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.10 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.10:6 + name: 12.10.5 + description: 'The security incident response plan includes monitoring and responding + to alerts from security monitoring systems, including but not limited to: + + - Intrusion-detection and intrusion-prevention systems. + + - Network security controls. + + - Change-detection mechanisms for critical files. + + - The change-and tamper-detection mechanism for payment pages. This bullet + is a best practice until its effective date; refer to Applicability Notes + below for details. + + - Detection of unauthorized wireless access points.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.10 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.10:7 + name: 12.10.6 + description: The security incident response plan is modified and evolved according + to lessons learned and to incorporate industry developments. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.10 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.10:8 + name: 12.10.7 + description: 'Incident response procedures are in place, to be initiated upon + the detection of stored PAN anywhere it is not expected, and include: + + - Determining what to do if PAN is discovered outside the CDE, including its + retrieval, secure deletion, and/or migration into the currently defined CDE, + as applicable. + + - Identifying whether sensitive authentication data is stored with PAN. + + - Determining where the account data came from and how it ended up where it + was not expected. 
+ + - Remediating data leaks or process gaps that resulted in the account data + being where it was not expected.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:maintain-an-information-security-policy:requirement-12:12.10 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a1:a1.1:1 + name: A1.1.1 + description: "Logical separation is implemented as follows:\n- The provider\ + \ cannot access its customers\u2019 environments without authorization.\n\ + - Customers cannot access the provider\u2019s environment without authorization." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a1:a1.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a1:a1.1:2 + name: A1.1.2 + description: Controls are implemented such that each customer only has permission + to access its own cardholder data and CDE. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a1:a1.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a1:a1.1:3 + name: A1.1.3 + description: Controls are implemented such that each customer can only access + resources allocated to them. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a1:a1.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a1:a1.1:4 + name: A1.1.4 + description: The effectiveness of logical separation controls used to separate + customer environments is confirmed at least once every six months via penetration + testing. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a1:a1.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a1:a1.2:1 + name: A1.2.1 + description: "Audit log capability is enabled for each customer\u2019s environment\ + \ that is consistent with PCI DSS Requirement 10, including:\n- Logs are enabled\ + \ for common third-party applications.\n- Logs are active by default.\n- Logs\ + \ are available for review only by the owning customer.\n- Log locations are\ + \ clearly communicated to the owning customer.\n- Log data and availability\ + \ is consistent with PCI DSS Requirement 10." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a1:a1.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a1:a1.2:2 + name: A1.2.2 + description: Processes or mechanisms are implemented to support and/or facilitate + prompt forensic investigations in the event of a suspected or confirmed security + incident for any customer. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a1:a1.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a1:a1.2:3 + name: A1.2.3 + description: 'Processes or mechanisms are implemented for reporting and addressing + suspected or confirmed security incidents and vulnerabilities, including: + + - Customers can securely report security incidents and vulnerabilities to + the provider. + + - The provider addresses and remediates suspected or confirmed security incidents + and vulnerabilities according to Requirement 6.3.1.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a1:a1.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a2:a2.1:1 + name: A2.1.1 + description: Where POS POI terminals at the merchant or payment acceptance location + use SSL and/or early TLS, the entity confirms the devices are not susceptible + to any known exploits for those protocols. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a2:a2.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a2:a2.1:2 + name: A2.1.2 + description: 'Additional requirement for service providers only: All service + providers with existing connection points to POS POI terminals that use SSL + and/or early TLS as defined in A2.1 have a formal Risk Mitigation and Migration + Plan in place that includes: + + - Description of usage, including what data is being transmitted, types and + number of systems that use and/or support SSL/early TLS, and type of environment. + + - Risk-assessment results and risk-reduction controls in place. + + - Description of processes to monitor for new vulnerabilities associated with + SSL/early TLS. + + - Description of change control processes that are implemented to ensure SSL/early + TLS is not implemented into new environments. + + - Overview of migration project plan to replace SSL/early TLS at a future + date.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a2:a2.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a2:a2.1:3 + name: A2.1.3 + description: 'Additional requirement for service providers only: All service + providers provide a secure service offering.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a2:a2.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a3:a3.1:1 + name: A3.1.1 + description: 'Responsibility is established by executive management for the + protection of account data and a PCI DSS compliance program that includes: + + - Overall accountability for maintaining PCI DSS compliance. + + - Defining a charter for a PCI DSS compliance program. + + - Providing updates to executive management and board of directors on PCI + DSS compliance initiatives and issues, including remediation activities, at + least once every 12 months.' 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a3:a3.1:2 + name: A3.1.2 + description: 'A formal PCI DSS compliance program is in place that includes: + + - Definition of activities for maintaining and monitoring overall PCI DSS + compliance, including business-as-usual activities. + + - Annual PCI DSS assessment processes. + + - Processes for the continuous validation of PCI DSS requirements (for example, + daily, weekly, every three months, as applicable per the requirement). + + - A process for performing business-impact analysis to determine potential + PCI DSS impacts for strategic business decisions.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a3:a3.1:3 + name: A3.1.3 + description: 'PCI DSS compliance roles and responsibilities are specifically + defined and formally assigned to one or more personnel, including: + + - Managing PCI DSS business-as-usual activities. + + - Managing annual PCI DSS assessments. + + - Managing continuous validation of PCI DSS requirements (for example, daily, + weekly, every three months, as applicable per the requirement). + + - Managing business-impact analysis to determine potential PCI DSS impacts + for strategic business decisions.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a3:a3.1:4 + name: A3.1.4 + description: Up-to-date PCI DSS and/or information security training is provided + at least once every 12 months to personnel with PCI DSS compliance responsibilities + (as identified in A3.1.3). 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.1 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a3:a3.2:1 + name: A3.2.1 + description: 'PCI DSS scope is documented and confirmed for accuracy at least + once every three months and upon significant changes to the in-scope environment. + At a minimum, the scoping validation includes: + + - Identifying all data flows for the various payment stages (for example, + authorization, capture, settlement, chargebacks, and refunds) and acceptance + channels (for example, card-present, card-not-present, and e-commerce). + + - Updating all data-flow diagrams per Requirement 1.2.4. + + - Identifying all locations where account data is stored, processed, and transmitted, + including but not limited to 1) any locations outside of the currently defined + CDE, 2) applications that process CHD, 3) transmissions between systems and + networks, and 4) file backups. + + - For any account data found outside of the currently defined CDE, either + 1) securely delete it, 2) migrate it into the currently defined CDE, or 3) + expand the currently defined CDE to include it. + + - Identifying all system components in the CDE, connected to the CDE, or that + could impact security of the CDE. + + - Identifying all segmentation controls in use and the environment(s) from + which the CDE is segmented, including justification for environments being + out of scope. + + - Identifying all connections to third-party entities with access to the CDE. + + - Confirming that all identified data flows, account data, system components, + segmentation controls, and connections from third parties with access to the + CDE are included in scope.' 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a3:a3.2:2 + name: A3.2.2 + description: 'PCI DSS scope impact for all changes to systems or networks is + determined, including additions of new systems and new network connections. + Processes include: + + - Performing a formal PCI DSS impact assessment. + + - Identifying applicable PCI DSS requirements to the system or network. + + - Updating PCI DSS scope as appropriate. + + - Documented sign-off of the results of the impact assessment by responsible + personnel (as defined in A3.1.3).' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a3:a3.2:3 + name: A3.2.2.1 + description: Upon completion of a change, all relevant PCI DSS requirements + are confirmed to be implemented on all new or changed systems and networks, + and documentation is updated as applicable. + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a3:a3.2:4 + name: A3.2.3 + description: Changes to organizational structure result in a formal (internal) + review of the impact to PCI DSS scope and applicability of controls. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a3:a3.2:5 + name: A3.2.4 + description: "If segmentation is used, PCI DSS scope is confirmed as follows:\n\ + \u2022 Per the entity\u2019s methodology defined at Requirement 11.4.1.\n\u2022\ + \ Penetration testing is performed on segmentation controls at least once\ + \ every six months and after any changes to segmentation controls/methods.\n\ + \u2022 The penetration testing covers all segmentation controls/methods in\ + \ use.\n\u2022 The penetration testing verifies that segmentation controls/methods\ + \ are operational and effective, and isolate the CDE from all out-of-scope\ + \ systems." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a3:a3.2:6 + name: A3.2.5 + description: 'A data-discovery methodology is implemented that: + + - Confirms PCI DSS scope. + + - Locates all sources and locations of cleartext PAN at least once every three + months and upon significant changes to the CDE or processes. + + - Addresses the potential for cleartext PAN to reside on systems and networks + outside the currently defined CDE' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a3:a3.2:7 + name: A3.2.5.1 + description: 'Data discovery methods are confirmed as follows: + + - Effectiveness of methods is tested. + + - Methods are able to discover cleartext PAN on all types of system components + and file formats in use. + + - The effectiveness of data-discovery methods is confirmed at least once every + 12 months.' 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a3:a3.2:8 + name: A3.2.5.2 + description: 'Response procedures are implemented to be initiated upon the detection + of cleartext PAN outside the CDE to include: + + - Determining what to do if cleartext PAN is discovered outside the CDE, including + its retrieval, secure deletion, and/or migration into the currently defined + CDE, as applicable. + + - Determining how the data ended up outside the CDE. + + - Remediating data leaks or process gaps that resulted in the data being outside + the CDE. + + - Identifying the source of the data. + + - Identifying whether any track data is stored with the PANs.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a3:a3.2:9 + name: A3.2.6 + description: 'Mechanisms are implemented for detecting and preventing cleartext + PAN from leaving the CDE via an unauthorized channel, method, or process, + including mechanisms that are: + + - Actively running. + + - Configured to detect and prevent cleartext PAN leaving the CDE via an unauthorized + channel, method, or process. + + - Generating audit logs and alerts upon detection of cleartext PAN leaving + the CDE via an unauthorized channel, method, or process.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a3:a3.2:10 + name: A3.2.6.1 + description: 'Response procedures are implemented to be initiated upon the detection + of attempts to remove cleartext PAN from the CDE via an unauthorized channel, + method, or process. Response procedures include: + + - Procedures for the prompt investigation of alerts by responsible personnel. + + - Procedures for remediating data leaks or process gaps, as necessary, to + prevent any data loss.' 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.2 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a3:a3.3:1 + name: A3.3.1 + description: 'Failures of critical security control systems are detected, alerted, + and addressed promptly, including but not limited to failure of: + + - Network security controls + + - IDS/IPS + + - FIM + + - Anti-malware solutions + + - Physical access controls + + - Logical access controls + + - Audit logging mechanisms + + - Segmentation controls (if used) + + - Automated audit log review mechanisms. This bullet is a best practice until + its effective date. + + - Automated code review tools (if used). This bullet is a best practice until + its effective date.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a3:a3.3:2 + name: A3.3.1.2 + description: 'Failures of any critical security control systems are responded + to promptly. Processes for responding to failures in security control systems + include: + + - Restoring security functions. + + - Identifying and documenting the duration (date and time from start to end) + of the security failure. + + - Identifying and documenting the cause(s) of failure, including root cause, + and documenting remediation required to address the root cause. + + - Identifying and addressing any security issues that arose during the failure. + + - Determining whether further actions are required as a result of the security + failure. + + - Implementing controls to prevent the cause of failure from reoccurring. + + - Resuming monitoring of security controls.' 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a3:a3.3:3 + name: A3.3.2 + description: "Hardware and software technologies are reviewed at least once\ + \ every 12 months to confirm whether they continue to meet the organization\u2019\ + s PCI DSS requirements." + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a3:a3.3:4 + name: A3.3.3 + description: 'Reviews are performed at least once every three months to verify + BAU activities are being followed. Reviews are performed by personnel assigned + to the PCI DSS compliance program (as identified in A3.1.3), and include: + + - Confirmation that all BAU activities, including A3.2.2, A3.2.6, and A3.3.1, + are being performed. + + - Confirmation that personnel are following security policies and operational + procedures (for example, daily log reviews, ruleset reviews for network security + controls, configuration standards for new systems). + + - Documenting how the reviews were completed, including how all BAU activities + were verified as being in place. + + - Collection of documented evidence as required for the annual PCI DSS assessment. + + - Review and sign-off of results by personnel assigned responsibility for + the PCI DSS compliance program, as identified in A3.1.3. + + - Retention of records and documentation for at least 12 months, covering + all BAU activities.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.3 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a3:a3.4:1 + name: A3.4.1 + description: User accounts and access privileges to in-scope system components + are reviewed at least once every six months to ensure user accounts and access + privileges remain appropriate based on job function, and that all access is + authorized. 
+ parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.4 + - urn: urn:intuitem:risk:reqs:pcidss-4.0:appendix-a:appendix-a3:a3.5:1 + name: A3.5.1 + description: 'A methodology is implemented for the prompt identification of + attack patterns and undesirable behavior across systems that includes: + + - Identification of anomalies or suspicious activity as it occurs. + + - Issuance of prompt alerts upon detection of suspicious activity or anomaly + to responsible personnel. + + - Response to alerts in accordance with documented response procedures.' + parent_urn: urn:intuitem:risk:req_groups:pcidss-4.0:appendix-a:appendix-a3:a3.5 + security_functions: [] + threats: []
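Review bot: the A3.3 entries jump from A3.3.1 (`...appendix-a3:a3.3:1`) straight to A3.3.1.2 (`...appendix-a3:a3.3:2`), so either A3.3.1.1 was dropped or the two future-dated bullets folded into A3.3.1 ("Automated audit log review mechanisms. This bullet is a best practice until its effective date.") were meant to be their own entry; please confirm which. Either way, the "best practice until its effective date" sentence is copied without the date, so a consumer of this library cannot tell when those bullets stop being optional; a date or a dedicated field would be more useful than the literal sentence. A related structural point: the last URN segment is a running index rather than the requirement identifier (A3.2.2.1 is `a3.2:3`, A3.2.3 is `a3.2:4`), so adding a missing requirement later shifts every sibling URN; deriving the segment from the requirement number would keep URNs stable. Minor consistency: list markers mix `- ` with `\u2022` (A3.2.4 only), and the final bullet of A3.2.5 ("outside the currently defined CDE") lacks the terminating period the other bullets carry.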