PCI DSS v4.0
All 12 PCI DSS v4.0 requirements with sub-requirements.
Install and Maintain Network Security Controls — 1.1
Processes and mechanisms for installing and maintaining network security controls are defined.
Install and Maintain Network Security Controls — 1.2
NSCs are configured and maintained.
Install and Maintain Network Security Controls — 1.3
Network access to and from the cardholder data environment is restricted.
Install and Maintain Network Security Controls — 1.4
Network connections between trusted and untrusted networks are controlled.
Install and Maintain Network Security Controls — 1.5
Risks to the CDE from computing devices able to connect to both untrusted and trusted networks are mitigated.
Apply Secure Configurations to All System Components — 2.1
Processes and mechanisms for applying secure configurations are defined.
Apply Secure Configurations to All System Components — 2.2
System components are configured and managed securely.
Apply Secure Configurations to All System Components — 2.3
Wireless environments are configured and managed securely.
Protect Stored Account Data — 3.1
Processes and mechanisms for protecting stored account data are defined.
Protect Stored Account Data — 3.2
Storage of account data is kept to a minimum.
Protect Stored Account Data — 3.3
Sensitive authentication data is not stored after authorization.
Protect Stored Account Data — 3.4
Access to displays of full PAN and ability to copy PAN are restricted.
Protect Stored Account Data — 3.5
PAN is secured wherever it is stored.
Protect Stored Account Data — 3.6
Cryptographic keys used to protect stored account data are secured.
Protect Stored Account Data — 3.7
Where cryptography is used to protect stored account data, key management processes are defined and implemented.
Protect Cardholder Data with Strong Cryptography During Transmission — 4.1
Processes and mechanisms for protecting cardholder data with strong cryptography during transmission are defined.
Protect Cardholder Data with Strong Cryptography During Transmission — 4.2
PAN is protected with strong cryptography during transmission.
Protect All Systems and Networks from Malicious Software — 5.1
Processes and mechanisms for protecting systems from malicious software are defined.
Protect All Systems and Networks from Malicious Software — 5.2
Malicious software is prevented or detected and addressed.
Protect All Systems and Networks from Malicious Software — 5.3
Anti-malware mechanisms and processes are active, maintained, and monitored.
Protect All Systems and Networks from Malicious Software — 5.4
Anti-phishing mechanisms protect users.
Develop and Maintain Secure Systems and Software — 6.1
Processes and mechanisms for developing and maintaining secure systems and software are defined.
Develop and Maintain Secure Systems and Software — 6.2
Bespoke and custom software are developed securely.
Develop and Maintain Secure Systems and Software — 6.3
Security vulnerabilities are identified and addressed.
Develop and Maintain Secure Systems and Software — 6.4
Public-facing web applications are protected against attacks.
Develop and Maintain Secure Systems and Software — 6.5
Changes to all system components are managed securely.
Restrict Access to System Components and Cardholder Data by Business Need to Know — 7.1
Processes and mechanisms for restricting access by business need to know are defined.
Restrict Access to System Components and Cardholder Data by Business Need to Know — 7.2
Access to system components and data is appropriately defined and assigned.
Restrict Access to System Components and Cardholder Data by Business Need to Know — 7.3
Access is managed via an access control system.
Identify Users and Authenticate Access to System Components — 8.1
Processes and mechanisms for identifying users and authenticating access are defined.
Identify Users and Authenticate Access to System Components — 8.2
User identification and related accounts for users and admins are strictly managed.
Identify Users and Authenticate Access to System Components — 8.3
Strong authentication for users and admins is established and managed.
Identify Users and Authenticate Access to System Components — 8.4
Multi-factor authentication is implemented to secure access into the CDE.
Identify Users and Authenticate Access to System Components — 8.5
MFA systems are configured to prevent misuse.
Identify Users and Authenticate Access to System Components — 8.6
Use of application and system accounts and associated authentication factors is strictly managed.
Restrict Physical Access to Cardholder Data — 9.1
Processes and mechanisms for restricting physical access are defined.
Restrict Physical Access to Cardholder Data — 9.2
Physical access controls manage entry into facilities and systems containing account data.
Restrict Physical Access to Cardholder Data — 9.3
Physical access for personnel and visitors is authorized and managed.
Restrict Physical Access to Cardholder Data — 9.4
Media with cardholder data is securely stored, accessed, distributed, and destroyed.
Restrict Physical Access to Cardholder Data — 9.5
POI devices are protected from tampering and unauthorized substitution.
Log and Monitor All Access to System Components and Cardholder Data — 10.1
Processes and mechanisms for logging and monitoring access are defined.
Log and Monitor All Access to System Components and Cardholder Data — 10.2
Audit logs are implemented to support detection of anomalies and forensics.
Log and Monitor All Access to System Components and Cardholder Data — 10.3
Audit logs are protected from destruction and unauthorized modifications.
Log and Monitor All Access to System Components and Cardholder Data — 10.4
Audit logs are reviewed to identify anomalies or suspicious activity.
Log and Monitor All Access to System Components and Cardholder Data — 10.5
Audit log history is retained and available for analysis.
Log and Monitor All Access to System Components and Cardholder Data — 10.6
Time-synchronization mechanisms support consistent time settings across all systems.
Log and Monitor All Access to System Components and Cardholder Data — 10.7
Failures of critical security control systems are detected, reported, and responded to promptly.
Test Security of Systems and Networks Regularly — 11.1
Processes and mechanisms for regularly testing security are defined.
Test Security of Systems and Networks Regularly — 11.2
Wireless access points are identified and monitored, and unauthorized wireless access points are addressed.
Test Security of Systems and Networks Regularly — 11.3
External and internal vulnerabilities are regularly identified, prioritized, and addressed.
Test Security of Systems and Networks Regularly — 11.4
External and internal penetration testing is regularly performed, and exploitable vulnerabilities are corrected.
Test Security of Systems and Networks Regularly — 11.5
Network intrusions and unexpected file changes are detected and responded to.
Test Security of Systems and Networks Regularly — 11.6
Unauthorized changes on payment pages are detected and responded to.
Support Information Security with Organizational Policies and Programs — 12.1
A comprehensive information security policy that governs and provides direction for protection of the entity's information assets is known and current.
Support Information Security with Organizational Policies and Programs — 12.2
Acceptable use policies for end-user technologies are defined and implemented.
Support Information Security with Organizational Policies and Programs — 12.3
Risks to the cardholder data environment are formally identified, evaluated, and managed.
Support Information Security with Organizational Policies and Programs — 12.4
PCI DSS compliance is managed.
Support Information Security with Organizational Policies and Programs — 12.5
PCI DSS scope is documented and validated.
Support Information Security with Organizational Policies and Programs — 12.6
Security awareness education is an ongoing activity.
Support Information Security with Organizational Policies and Programs — 12.7
Personnel are screened to reduce risks from insider threats.
Support Information Security with Organizational Policies and Programs — 12.8
Risk to information assets associated with third-party service provider relationships is managed.
Support Information Security with Organizational Policies and Programs — 12.9
Third-party service providers support their customers' PCI DSS compliance.
Support Information Security with Organizational Policies and Programs — 12.10
Suspected and confirmed security incidents that could impact the CDE are responded to immediately.