0002773
Payment Card Industry (PCI), PIN Transaction Security (PTS) Point of Interaction (POI) - Modular Security Requirements, Version 4.1c
PCI Security Standards Council
Contractual Obligation
Free
PCI PTS POI SRs 4.1c
Payment Card Industry (PCI), PIN Transaction Security (PTS) Point of Interaction (POI) - Modular Security Requirements
2015-11-01
0002773
Free
PCI Security Standards Council
Contractual Obligation
PCI PTS POI SRs 4.1c
Payment Card Industry (PCI), PIN Transaction Security (PTS) Point of Interaction (POI) - Modular Security Requirements
2015-11-01
This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of meta data that are associated with each Citation; Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:
Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within Payment Card Industry (PCI), PIN Transaction Security (PTS) Point of Interaction (POI) - Modular Security Requirements, Version 4.1c that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.
Dictionary Terms – The dictionary terms listed for Payment Card Industry (PCI), PIN Transaction Security (PTS) Point of Interaction (POI) - Modular Security Requirements, Version 4.1c are based upon terms either found within the Authority Document’s defined terms section(which most legal documents have), its glossary, and for the most part, as tagged within each mandate. The terms with links are terms that are the standardized version of the term.
Common Controls andAn Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.
Acquisition or sale of facilities, technology, and services | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Acquisition or sale of facilities, technology, and services CC ID 01123 | IT Impact Zone | IT Impact Zone | |
| Plan for selling facilities, technology, or services. CC ID 06893 | Acquisition/Sale of Assets or Services | Preventive | |
| Establish, implement, and maintain equipment shipping procedures. CC ID 11449 | Acquisition/Sale of Assets or Services | Preventive | |
| Ship equipment to customers in tamper-evident packaging, as necessary. CC ID 12271 [{physical alteration} While in transit from the manufacturer’s facility to the initial key-loading facility, the device is:\ - Shipped and stored in tamper-evident packaging; and/or\ - Shipped and stored containing a secret that is immediately and automatically erased if any physical or functional alteration to the device is attempted, that can be verified by the initial key-loading facility, but that cannot feasibly be determined by unauthorized personnel. M3] | Physical and Environmental Protection | Preventive | |
Audits and risk management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Audits and risk management CC ID 00677 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a risk management program. CC ID 12051 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a risk assessment program. CC ID 00687 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain risk assessment procedures. CC ID 06446 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 [The device has undergone a vulnerability assessment to ensure that the protocols and interfaces list in F1 do not contain exploitable vulnerabilities.\ a) The vulnerability assessment is supported by a documented analysis describing the security of the protocols and interfaces.\ b) The vulnerability assessment is supported by a vulnerability survey of information available in the public domain.\ c) The vulnerability assessment is supported by testing. G2] | Establish/Maintain Documentation | Preventive | |
| Document organizational risk criteria. CC ID 12277 | Establish/Maintain Documentation | Preventive | |
| Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 | Technical Security | Preventive | |
| Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 | Investigate | Detective | |
| Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 | Audits and Risk Management | Preventive | |
| Review the risk profiles, as necessary. CC ID 16561 | Audits and Risk Management | Detective | |
| Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 | Audits and Risk Management | Preventive | |
| Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 | Establish/Maintain Documentation | Preventive | |
| Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 | Audits and Risk Management | Preventive | |
| Approve the threat and risk classification scheme. CC ID 15693 | Business Processes | Preventive | |
| Perform risk assessments for all target environments, as necessary. CC ID 06452 [The device has undergone a vulnerability assessment to ensure that the protocols and interfaces list in F1 do not contain exploitable vulnerabilities.\ a) The vulnerability assessment is supported by a documented analysis describing the security of the protocols and interfaces.\ b) The vulnerability assessment is supported by a vulnerability survey of information available in the public domain.\ c) The vulnerability assessment is supported by testing. G2] | Testing | Preventive | |
| Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 | Establish/Maintain Documentation | Preventive | |
| Include physical assets in the scope of the risk assessment. CC ID 13075 | Establish/Maintain Documentation | Preventive | |
| Include the results of the risk assessment in the risk assessment report. CC ID 06481 | Establish/Maintain Documentation | Preventive | |
| Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 | Audits and Risk Management | Preventive | |
| Update the risk assessment upon discovery of a new threat. CC ID 00708 | Establish/Maintain Documentation | Detective | |
| Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 | Audits and Risk Management | Preventive | |
| Update the risk assessment upon changes to the risk profile. CC ID 11627 | Establish/Maintain Documentation | Detective | |
| Review the risk to the audit function when the audit personnel status changes. CC ID 01153 | Audits and Risk Management | Preventive | |
| Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 | Establish/Maintain Documentation | Preventive | |
| Create a risk assessment report based on the risk assessment results. CC ID 15695 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 | Communicate | Preventive | |
| Conduct external audits of risk assessments, as necessary. CC ID 13308 | Audits and Risk Management | Detective | |
| Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 | Communicate | Preventive | |
Monitoring and measurement | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Monitoring and measurement CC ID 00636 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a testing program. CC ID 00654 | Behavior | Preventive | |
| Establish, implement, and maintain a vulnerability management program. CC ID 15721 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 | Establish/Maintain Documentation | Preventive | |
| Perform vulnerability scans, as necessary. CC ID 11637 [The device vendor has maintenance measures in place.\ a) The maintenance measures are documented.\ b) The maintenance measures ensure timely detection of vulnerabilities that apply to the device by periodic execution of a vulnerability assessment that includes activities such as: analysis, survey of information available in the public domain, and testing.\ c) The maintenance measures ensure timely assessment and classification of newly found vulnerabilities.\ d) The maintenance measures ensure timely creation of mitigation measures for newly found vulnerabilities that may impact device security. J2 The device vendor has maintenance measures in place.\ a) The maintenance measures are documented.\ b) The maintenance measures ensure timely detection of vulnerabilities that apply to the device by periodic execution of a vulnerability assessment that includes activities such as: analysis, survey of information available in the public domain, and testing.\ c) The maintenance measures ensure timely assessment and classification of newly found vulnerabilities.\ d) The maintenance measures ensure timely creation of mitigation measures for newly found vulnerabilities that may impact device security. J2] | Technical Security | Detective | |
| Repeat vulnerability scanning, as necessary. CC ID 11646 | Testing | Detective | |
| Identify and document security vulnerabilities. CC ID 11857 [The device vendor has internal policies and procedures that ensure that the vendor maintains an effective process for detecting vulnerabilities that may exist within their device. This process is expected to be robust enough to include all interfaces defined in requirement F1. This process must be effective enough to detect vulnerabilities which may have not been publicly known during the last vulnerability assessment. G1 The device has undergone a vulnerability assessment to ensure that the protocols and interfaces list in F1 do not contain exploitable vulnerabilities.\ a) The vulnerability assessment is supported by a documented analysis describing the security of the protocols and interfaces.\ b) The vulnerability assessment is supported by a vulnerability survey of information available in the public domain.\ c) The vulnerability assessment is supported by testing. G2] | Technical Security | Detective | |
| Rank discovered vulnerabilities. CC ID 11940 | Investigate | Detective | |
| Use dedicated user accounts when conducting vulnerability scans. CC ID 12098 | Technical Security | Preventive | |
| Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638 | Technical Security | Detective | |
| Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the vulnerability scan results to interested personnel and affected parties. CC ID 16418 | Communicate | Preventive | |
| Maintain vulnerability scan reports as organizational records. CC ID 12092 | Records Management | Preventive | |
| Correlate vulnerability scan reports from the various systems. CC ID 10636 | Technical Security | Detective | |
| Perform internal vulnerability scans, as necessary. CC ID 00656 | Testing | Detective | |
| Perform vulnerability scans prior to installing payment applications. CC ID 12192 | Technical Security | Detective | |
| Implement scanning tools, as necessary. CC ID 14282 | Technical Security | Detective | |
| Update the vulnerability scanners' vulnerability list. CC ID 10634 | Configuration | Corrective | |
| Repeat vulnerability scanning after an approved change occurs. CC ID 12468 | Technical Security | Detective | |
| Perform external vulnerability scans, as necessary. CC ID 11624 | Technical Security | Detective | |
| Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 | Business Processes | Preventive | |
| Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 | Testing | Preventive | |
| Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635 | Technical Security | Detective | |
| Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 | Behavior | Corrective | |
| Perform vulnerability assessments, as necessary. CC ID 11828 [The device vendor has maintenance measures in place.\ a) The maintenance measures are documented.\ b) The maintenance measures ensure timely detection of vulnerabilities that apply to the device by periodic execution of a vulnerability assessment that includes activities such as: analysis, survey of information available in the public domain, and testing.\ c) The maintenance measures ensure timely assessment and classification of newly found vulnerabilities.\ d) The maintenance measures ensure timely creation of mitigation measures for newly found vulnerabilities that may impact device security. J2 The device has undergone a vulnerability assessment to ensure that the protocols and interfaces list in F1 do not contain exploitable vulnerabilities.\ a) The vulnerability assessment is supported by a documented analysis describing the security of the protocols and interfaces.\ b) The vulnerability assessment is supported by a vulnerability survey of information available in the public domain.\ c) The vulnerability assessment is supported by testing. G2] | Technical Security | Corrective | |
| Review applications for security vulnerabilities after the application is updated. CC ID 11938 | Technical Security | Detective | |
Operational and Systems Continuity | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Operational and Systems Continuity CC ID 00731 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a business continuity program. CC ID 13210 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a continuity plan. CC ID 00752 | Establish/Maintain Documentation | Preventive | |
| Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373 | Systems Continuity | Corrective | |
| Execute fail-safe procedures when an emergency occurs. CC ID 07108 [{integrity test}{authenticity test} The device performs a self-test, which includes integrity and authenticity tests upon start-up and at least once per day to check whether the device is in a compromised state. In the event of a failure, the device and its functionality fail in a secure manner. The device must reinitialize memory at least every 24 hours. B1] | Systems Continuity | Preventive | |
Operational management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Operational management CC ID 00805 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an information security program. CC ID 00812 [The device vendor maintains guidance describing configuration management for the device.\ a) The guidance is at the disposal of internal users, and/or of application developers, system integrators and end-users of the device.\ b) The guidance covers the complete device—including firmware, payment and non-payment applications, forms, multimedia files, certificates, configuration files, configuration setting, and keys.\ c) The guidance covers the complete life cycle of the device from development, over manufacturing, up to delivery and operation.\ d) The security guidance ensures that unauthorized modification is not possible.\ e) The security guidance ensures that any modification of a PTS- approved device that impacts device security, results in a change of the device identifier. J1] | Establish/Maintain Documentation | Preventive | |
| Include physical safeguards in the information security program. CC ID 12375 | Establish/Maintain Documentation | Preventive | |
| Include technical safeguards in the information security program. CC ID 12374 | Establish/Maintain Documentation | Preventive | |
| Include administrative safeguards in the information security program. CC ID 12373 | Establish/Maintain Documentation | Preventive | |
| Include system development in the information security program. CC ID 12389 | Establish/Maintain Documentation | Preventive | |
| Include system maintenance in the information security program. CC ID 12388 | Establish/Maintain Documentation | Preventive | |
| Include system acquisition in the information security program. CC ID 12387 | Establish/Maintain Documentation | Preventive | |
| Include access control in the information security program. CC ID 12386 | Establish/Maintain Documentation | Preventive | |
| Review and approve access controls, as necessary. CC ID 13074 | Process or Activity | Detective | |
| Include operations management in the information security program. CC ID 12385 | Establish/Maintain Documentation | Preventive | |
| Include communication management in the information security program. CC ID 12384 | Establish/Maintain Documentation | Preventive | |
| Include environmental security in the information security program. CC ID 12383 | Establish/Maintain Documentation | Preventive | |
| Include physical security in the information security program. CC ID 12382 | Establish/Maintain Documentation | Preventive | |
| Include human resources security in the information security program. CC ID 12381 | Establish/Maintain Documentation | Preventive | |
| Include asset management in the information security program. CC ID 12380 | Establish/Maintain Documentation | Preventive | |
| Include a continuous monitoring program in the information security program. CC ID 14323 | Establish/Maintain Documentation | Preventive | |
| Include change management procedures in the continuous monitoring plan. CC ID 16227 | Establish/Maintain Documentation | Preventive | |
| include recovery procedures in the continuous monitoring plan. CC ID 16226 | Establish/Maintain Documentation | Preventive | |
| Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Establish/Maintain Documentation | Preventive | |
| Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Establish/Maintain Documentation | Preventive | |
| Include how the information security department is organized in the information security program. CC ID 12379 | Establish/Maintain Documentation | Preventive | |
| Include risk management in the information security program. CC ID 12378 | Establish/Maintain Documentation | Preventive | |
| Include mitigating supply chain risks in the information security program. CC ID 13352 | Establish/Maintain Documentation | Preventive | |
| Provide management direction and support for the information security program. CC ID 11999 | Process or Activity | Preventive | |
| Monitor and review the effectiveness of the information security program. CC ID 12744 | Monitor and Evaluate Occurrences | Preventive | |
| Establish, implement, and maintain an information security policy. CC ID 11740 | Establish/Maintain Documentation | Preventive | |
| Align the information security policy with the organization's risk acceptance level. CC ID 13042 | Business Processes | Preventive | |
| Include business processes in the information security policy. CC ID 16326 | Establish/Maintain Documentation | Preventive | |
| Include the information security strategy in the information security policy. CC ID 16125 | Establish/Maintain Documentation | Preventive | |
| Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the information security policy. CC ID 16120 | Establish/Maintain Documentation | Preventive | |
| Include a commitment to the information security requirements in the information security policy. CC ID 13496 | Establish/Maintain Documentation | Preventive | |
| Include information security objectives in the information security policy. CC ID 13493 | Establish/Maintain Documentation | Preventive | |
| Include the use of Cloud Services in the information security policy. CC ID 13146 | Establish/Maintain Documentation | Preventive | |
| Include notification procedures in the information security policy. CC ID 16842 | Establish/Maintain Documentation | Preventive | |
| Approve the information security policy at the organization's management level or higher. CC ID 11737 | Process or Activity | Preventive | |
| Establish, implement, and maintain information security procedures. CC ID 12006 | Business Processes | Preventive | |
| Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Communicate | Preventive | |
| Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Establish/Maintain Documentation | Preventive | |
| Define thresholds for approving information security activities in the information security program. CC ID 15702 | Process or Activity | Preventive | |
| Assign ownership of the information security program to the appropriate role. CC ID 00814 | Establish Roles | Preventive | |
| Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 | Human Resources Management | Preventive | |
| Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 | Establish/Maintain Documentation | Preventive | |
| Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 | Human Resources Management | Preventive | |
| Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 | Communicate | Preventive | |
| Establish, implement, and maintain a social media governance program. CC ID 06536 | Establish/Maintain Documentation | Preventive | |
| Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Business Processes | Preventive | |
| Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Business Processes | Preventive | |
| Refrain from accepting instant messages from unknown senders. CC ID 12537 | Behavior | Preventive | |
| Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 | Establish/Maintain Documentation | Preventive | |
| Include explicit restrictions in the social media acceptable use policy. CC ID 06655 | Establish/Maintain Documentation | Preventive | |
| Include contributive content sites in the social media acceptable use policy. CC ID 06656 | Establish/Maintain Documentation | Preventive | |
| Perform social network analysis, as necessary. CC ID 14864 | Investigate | Detective | |
| Establish, implement, and maintain operational control procedures. CC ID 00831 | Establish/Maintain Documentation | Preventive | |
| Include assigning and approving operations in operational control procedures. CC ID 06382 | Establish/Maintain Documentation | Preventive | |
| Include startup processes in operational control procedures. CC ID 00833 | Establish/Maintain Documentation | Preventive | |
| Include change control processes in the operational control procedures. CC ID 16793 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain a data processing run manual. CC ID 00832 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 [The vendor must maintain a manual that provides instructions for the operational management of the POI. This includes instructions for recording the entire life cycle of the POI security-related components and of the manner in which those components are integrated into a single POI, e.g.:\ - Data on production and personalization \ - Physical/chronological whereabouts \ - Repair and maintenance \ - Removal from operation \ - Loss or theft M8] | Establish/Maintain Documentation | Preventive | |
| Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Process or Activity | Preventive | |
| Include metrics in the standard operating procedures manual. CC ID 14988 | Establish/Maintain Documentation | Preventive | |
| Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Establish/Maintain Documentation | Preventive | |
| Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Establish/Maintain Documentation | Preventive | |
| Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Establish/Maintain Documentation | Preventive | |
| Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Establish/Maintain Documentation | Preventive | |
| Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Establish/Maintain Documentation | Preventive | |
| Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Establish/Maintain Documentation | Preventive | |
| Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Establish/Maintain Documentation | Preventive | |
| Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Establish/Maintain Documentation | Preventive | |
| Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Establish/Maintain Documentation | Preventive | |
| Include information on system performance in the standard operating procedures manual. CC ID 14965 | Establish/Maintain Documentation | Preventive | |
| Include contact details in the standard operating procedures manual. CC ID 14962 | Establish/Maintain Documentation | Preventive | |
| Include information sharing procedures in standard operating procedures. CC ID 12974 | Records Management | Preventive | |
| Establish, implement, and maintain information sharing agreements. CC ID 15645 | Business Processes | Preventive | |
| Provide support for information sharing activities. CC ID 15644 | Process or Activity | Preventive | |
| Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 | Business Processes | Preventive | |
| Update operating procedures that contribute to user errors. CC ID 06935 | Establish/Maintain Documentation | Corrective | |
| Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 | Communicate | Preventive | |
| Establish, implement, and maintain a job scheduling methodology. CC ID 00834 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain a job schedule exceptions list. CC ID 00835 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a data processing continuity plan. CC ID 00836 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 | Establish/Maintain Documentation | Preventive | |
| Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 | Establish/Maintain Documentation | Preventive | |
| Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 | Establish/Maintain Documentation | Preventive | |
| Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Establish/Maintain Documentation | Preventive | |
| Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Establish/Maintain Documentation | Preventive | |
| Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Establish/Maintain Documentation | Preventive | |
| Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Establish/Maintain Documentation | Preventive | |
| Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Establish/Maintain Documentation | Preventive | |
| Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 | Establish/Maintain Documentation | Preventive | |
| Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Establish/Maintain Documentation | Preventive | |
| Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 | Establish/Maintain Documentation | Preventive | |
| Include asset tags in the Acceptable Use Policy. CC ID 01354 | Establish/Maintain Documentation | Preventive | |
| Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Establish/Maintain Documentation | Preventive | |
| Include asset use policies in the Acceptable Use Policy. CC ID 01355 | Establish/Maintain Documentation | Preventive | |
| Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 | Establish/Maintain Documentation | Preventive | |
| Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Establish/Maintain Documentation | Preventive | |
| Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Technical Security | Preventive | |
| Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Establish/Maintain Documentation | Preventive | |
| Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Data and Information Management | Preventive | |
| Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 | Establish/Maintain Documentation | Preventive | |
| Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 | Establish/Maintain Documentation | Preventive | |
| Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 | Establish/Maintain Documentation | Preventive | |
| Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 | Establish/Maintain Documentation | Preventive | |
| Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 | Establish/Maintain Documentation | Corrective | |
| Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 | Establish/Maintain Documentation | Preventive | |
| Include a software installation policy in the Acceptable Use Policy. CC ID 06749 | Establish/Maintain Documentation | Preventive | |
| Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 | Communicate | Preventive | |
| Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 | Establish/Maintain Documentation | Preventive | |
| Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 | Business Processes | Preventive | |
| Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 | Establish/Maintain Documentation | Preventive | |
| Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an e-mail policy. CC ID 06439 | Establish/Maintain Documentation | Preventive | |
| Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Establish/Maintain Documentation | Preventive | |
| Identify the sender in all electronic messages. CC ID 13996 | Data and Information Management | Preventive | |
| Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 | Establish/Maintain Documentation | Preventive | |
| Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Business Processes | Preventive | |
| Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 [{document and maintain} The vendor documents, maintains and makes available to integrators details on how to implement the protection system against unauthorized removal. E4.2] | Behavior | Preventive | |
| Establish, implement, and maintain an Asset Management program. CC ID 06630 | Business Processes | Preventive | |
| Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 | Establish/Maintain Documentation | Preventive | |
| Apply security controls to each level of the information classification standard. CC ID 01903 | Systems Design, Build, and Implementation | Preventive | |
| Establish, implement, and maintain the systems' integrity level. CC ID 01906 [The device is able to provide the integrity of data that is sent over a network connection.\ a) Integrity is provided by a MAC as defined in ISO 16609, or by a digital signature.\ b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.\ c) Examples of appropriate algorithms and minimum key sizes are stated in Appendix D of the PCI PTS POI DTRs. I3] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 [The device vendor has maintenance measures in place.\ a) The maintenance measures are documented.\ b) The maintenance measures ensure timely detection of vulnerabilities that apply to the device by periodic execution of a vulnerability assessment that includes activities such as: analysis, survey of information available in the public domain, and testing.\ c) The maintenance measures ensure timely assessment and classification of newly found vulnerabilities.\ d) The maintenance measures ensure timely creation of mitigation measures for newly found vulnerabilities that may impact device security. J2] | Establish/Maintain Documentation | Preventive | |
| Establish and maintain maintenance reports. CC ID 11749 [The device vendor has maintenance measures in place.\ a) The maintenance measures are documented.\ b) The maintenance measures ensure timely detection of vulnerabilities that apply to the device by periodic execution of a vulnerability assessment that includes activities such as: analysis, survey of information available in the public domain, and testing.\ c) The maintenance measures ensure timely assessment and classification of newly found vulnerabilities.\ d) The maintenance measures ensure timely creation of mitigation measures for newly found vulnerabilities that may impact device security. J2] | Establish/Maintain Documentation | Preventive | |
| Establish and maintain system inspection reports. CC ID 06346 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a system maintenance policy. CC ID 14032 | Establish/Maintain Documentation | Preventive | |
| Include compliance requirements in the system maintenance policy. CC ID 14217 | Establish/Maintain Documentation | Preventive | |
| Include management commitment in the system maintenance policy. CC ID 14216 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the system maintenance policy. CC ID 14215 | Establish/Maintain Documentation | Preventive | |
| Include the scope in the system maintenance policy. CC ID 14214 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 | Communicate | Preventive | |
| Include the purpose in the system maintenance policy. CC ID 14187 | Establish/Maintain Documentation | Preventive | |
| Include coordination amongst entities in the system maintenance policy. CC ID 14181 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain system maintenance procedures. CC ID 14059 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 | Communicate | Preventive | |
| Establish, implement, and maintain a technology refresh plan. CC ID 13061 | Establish/Maintain Documentation | Preventive | |
| Plan and conduct maintenance so that it does not interfere with scheduled operations. CC ID 06389 | Physical and Environmental Protection | Preventive | |
| Maintain contact with the device manufacturer or component manufacturer for maintenance requests. CC ID 06388 | Behavior | Preventive | |
| Use system components only when third party support is available. CC ID 10644 | Maintenance | Preventive | |
| Obtain justification for the continued use of system components when third party support is no longer available. CC ID 10645 | Maintenance | Preventive | |
| Control and monitor all maintenance tools. CC ID 01432 | Physical and Environmental Protection | Detective | |
| Obtain approval before removing maintenance tools from the facility. CC ID 14298 | Business Processes | Preventive | |
| Control remote maintenance according to the system's asset classification. CC ID 01433 [The update mechanism ensures security, i.e., integrity, mutual authentication, and protection against replay, by using an appropriate and declared security protocol when using a network connection. For manual updates, administrator rights must be implemented using password/PINs and/or cryptographic authentication techniques. J4] | Technical Security | Preventive | |
| Separate remote maintenance sessions from other network sessions with a logically separate communications path based upon encryption. CC ID 10614 | Configuration | Preventive | |
| Approve all remote maintenance sessions. CC ID 10615 | Technical Security | Preventive | |
| Log the performance of all remote maintenance. CC ID 13202 | Log Management | Preventive | |
| Terminate remote maintenance sessions when the remote maintenance is complete. CC ID 12083 | Technical Security | Preventive | |
| Conduct offsite maintenance in authorized facilities. CC ID 16473 | Maintenance | Preventive | |
| Conduct maintenance with authorized personnel. CC ID 01434 | Testing | Detective | |
| Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 | Maintenance | Preventive | |
| Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 | Maintenance | Preventive | |
| Respond to maintenance requests inside the organizationally established time frame. CC ID 04878 | Behavior | Preventive | |
| Establish and maintain an archive of maintenance reports in a maintenance log. CC ID 06202 | Establish/Maintain Documentation | Preventive | |
| Acquire spare parts prior to when maintenance requests are scheduled. CC ID 11833 | Acquisition/Sale of Assets or Services | Preventive | |
| Perform periodic maintenance according to organizational standards. CC ID 01435 [The device vendor has maintenance measures in place.\ a) The maintenance measures are documented.\ b) The maintenance measures ensure timely detection of vulnerabilities that apply to the device by periodic execution of a vulnerability assessment that includes activities such as: analysis, survey of information available in the public domain, and testing.\ c) The maintenance measures ensure timely assessment and classification of newly found vulnerabilities.\ d) The maintenance measures ensure timely creation of mitigation measures for newly found vulnerabilities that may impact device security. J2] | Behavior | Preventive | |
| Restart systems on a periodic basis. CC ID 16498 | Maintenance | Preventive | |
| Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 | Maintenance | Preventive | |
| Employ dedicated systems during system maintenance. CC ID 12108 | Technical Security | Preventive | |
| Isolate dedicated systems used for system maintenance from Internet access. CC ID 12114 | Technical Security | Preventive | |
| Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 | Human Resources Management | Preventive | |
| Identify and authenticate appropriate parties prior to granting access to maintain assets. CC ID 11874 | Physical and Environmental Protection | Preventive | |
| Calibrate assets according to the calibration procedures for the asset. CC ID 06203 | Testing | Detective | |
| Post calibration limits or calibration tolerances on or near assets requiring calibration. CC ID 06204 | Establish/Maintain Documentation | Preventive | |
| Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 | Process or Activity | Preventive | |
| Establish, implement, and maintain a change control program. CC ID 00886 [Change-control procedures are in place so that any intended change to the physical or functional capabilities of the POI causes a re-certification of the device under the Physical Security Requirements or the Logical Security Requirements of this document. Immediate re-certification is not required for changes that purely rectify errors and faults in software in order to make it function as intended and do not otherwise remove, modify, or add functionality. Approval of delta submissions is contingent on evidence of the ongoing change control and vulnerability management process. L1] | Establish/Maintain Documentation | Preventive | |
| Include potential consequences of unintended changes in the change control program. CC ID 12243 | Establish/Maintain Documentation | Preventive | |
| Include version control in the change control program. CC ID 13119 | Establish/Maintain Documentation | Preventive | |
| Include service design and transition in the change control program. CC ID 13920 | Establish/Maintain Documentation | Preventive | |
| Separate the production environment from development environment or test environment for the change control process. CC ID 11864 | Maintenance | Preventive | |
| Integrate configuration management procedures into the change control program. CC ID 13646 | Technical Security | Preventive | |
| Establish, implement, and maintain a back-out plan. CC ID 13623 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373 | Establish/Maintain Documentation | Preventive | |
| Approve back-out plans, as necessary. CC ID 13627 | Establish/Maintain Documentation | Corrective | |
| Manage change requests. CC ID 00887 | Business Processes | Preventive | |
| Include documentation of the impact level of proposed changes in the change request. CC ID 11942 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain a change request approver list. CC ID 06795 | Establish/Maintain Documentation | Preventive | |
| Document all change requests in change request forms. CC ID 06794 | Establish/Maintain Documentation | Preventive | |
| Test proposed changes prior to their approval. CC ID 00548 | Testing | Detective | |
| Examine all changes to ensure they correspond with the change request. CC ID 12345 | Business Processes | Detective | |
| Approve tested change requests. CC ID 11783 | Data and Information Management | Preventive | |
| Validate the system before implementing approved changes. CC ID 01510 | Systems Design, Build, and Implementation | Preventive | |
| Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 | Behavior | Preventive | |
| Establish, implement, and maintain emergency change procedures. CC ID 00890 | Establish/Maintain Documentation | Preventive | |
| Perform emergency changes, as necessary. CC ID 12707 | Process or Activity | Preventive | |
| Back up emergency changes after the change has been performed. CC ID 12734 | Process or Activity | Preventive | |
| Log emergency changes after they have been performed. CC ID 12733 | Establish/Maintain Documentation | Preventive | |
| Perform risk assessments prior to approving change requests. CC ID 00888 | Testing | Preventive | |
| Conduct network certifications prior to approving change requests for networks. CC ID 13121 | Process or Activity | Detective | |
| Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 | Investigate | Detective | |
| Collect data about the network environment when certifying the network. CC ID 13125 | Investigate | Detective | |
| Implement changes according to the change control program. CC ID 11776 | Business Processes | Preventive | |
| Provide audit trails for all approved changes. CC ID 13120 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a patch management program. CC ID 00896 | Process or Activity | Preventive | |
| Document the sources of all software updates. CC ID 13316 | Establish/Maintain Documentation | Preventive | |
| Implement patch management software, as necessary. CC ID 12094 | Technical Security | Preventive | |
| Include updates and exceptions to hardened images as a part of the patch management program. CC ID 12087 | Technical Security | Preventive | |
| Establish, implement, and maintain a patch management policy. CC ID 16432 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain patch management procedures. CC ID 15224 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a patch log. CC ID 01642 | Establish/Maintain Documentation | Preventive | |
| Review the patch log for missing patches. CC ID 13186 | Technical Security | Detective | |
| Perform a patch test prior to deploying a patch. CC ID 00898 | Testing | Detective | |
| Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 | Business Processes | Preventive | |
| Deploy software patches in accordance with organizational standards. CC ID 07032 | Configuration | Corrective | |
| Test software patches for any potential compromise of the system's security. CC ID 13175 | Testing | Detective | |
| Patch software. CC ID 11825 | Technical Security | Corrective | |
| Patch the operating system, as necessary. CC ID 11824 | Technical Security | Corrective | |
| Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 | Configuration | Corrective | |
| Remove outdated software after software has been updated. CC ID 11792 | Configuration | Corrective | |
| Update computer firmware, as necessary. CC ID 11755 | Configuration | Corrective | |
| Review changes to computer firmware. CC ID 12226 [The firmware and any changes thereafter have been inspected and reviewed using a documented and auditable process, and certified as being free from hidden and unauthorized or undocumented functions. B3] | Testing | Detective | |
| Certify changes to computer firmware are free of malicious logic. CC ID 12227 [The firmware and any changes thereafter have been inspected and reviewed using a documented and auditable process, and certified as being free from hidden and unauthorized or undocumented functions. B3] | Testing | Detective | |
| Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671 | Configuration | Corrective | |
| Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682 [If the device allows updates of firmware, the device cryptographically authenticates the firmware and if the authenticity is not confirmed, the firmware update is rejected and deleted. B4 The firmware must support the authentication of applications loaded onto the terminal consistent with B4. If the device allows software application and/or configuration updates, the device cryptographically authenticates updates consistent with B4. B4.1 If the manufacturer is in charge of initial key loading, the manufacturer must verify the authenticity of the POI security-related components. M5 If the manufacturer is not in charge of initial key loading, the manufacturer must provide the means to the initial key-loading facility to assure the verification of the authenticity of the POI security-related components. M6 The firmware, and any changes thereafter, have been inspected and reviewed consistent with B3. K10 The firmware must confirm the authenticity of all applications loaded onto the terminal consistent with B4. If the device allows software application and/or configuration updates, the device cryptographically authenticates all updates consistent with B4. K11.1 The firmware must confirm the authenticity of all applications loaded onto the terminal consistent with B4. If the device allows software application and/or configuration updates, the device cryptographically authenticates all updates consistent with B4. K11.1 If the device allows updates of firmware, the device cryptographically authenticates the firmware and if the authenticity is not confirmed, the firmware update is rejected and deleted. K12] | Technical Security | Detective | |
| Establish, implement, and maintain a software release policy. CC ID 00893 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain traceability documentation. CC ID 16388 | Systems Design, Build, and Implementation | Preventive | |
| Disseminate and communicate software update information to users and regulators. CC ID 06602 | Behavior | Preventive | |
| Allow interested personnel and affected parties to opt out of specific version releases and software updates. CC ID 06809 | Data and Information Management | Preventive | |
| Mitigate the adverse effects of unauthorized changes. CC ID 12244 | Business Processes | Corrective | |
| Establish, implement, and maintain approved change acceptance testing procedures. CC ID 06391 | Establish/Maintain Documentation | Detective | |
| Test the system's operational functionality after implementing approved changes. CC ID 06294 | Testing | Detective | |
| Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541 | Testing | Detective | |
| Establish, implement, and maintain a change acceptance testing log. CC ID 06392 | Establish/Maintain Documentation | Corrective | |
| Update associated documentation after the system configuration has been changed. CC ID 00891 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a configuration change log. CC ID 08710 | Configuration | Detective | |
| Document approved configuration deviations. CC ID 08711 | Establish/Maintain Documentation | Corrective | |
| Document the organization's local environments. CC ID 06726 [The PIN-encryption technique implemented in the device is a technique included in ISO 9564. B12 It is neither feasible to penetrate the ICC reader to make any additions, substitutions, or modifications to either the ICC reader’s hardware or software, in order to determine or modify any sensitive data, without requiring an attack potential of at least 20 for identification and initial exploitation, with a minimum of 10 for exploitation, nor is it possible for both an IC card and any other foreign object to reside within the card insertion slot. D1 If the device is capable of communicating over an IP network or uses a public domain protocol (such as but not limited to Wi-Fi or Bluetooth), then requirements specified in DTR Module 3: Open Protocols Requirements have been met. K14 The key-management techniques implemented in the device are consistent with B11. K17 Sensitive services are protected from unauthorized use consistent with B8. K23 The key-management techniques implemented in the device conform to ISO 11568 and/or ANSI X9.24. Key-management techniques must support the ANSI TR-31 key-derivation methodology or an equivalent methodology for maintaining the TDEA key bundle. B11] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain local environment security profiles. CC ID 07037 | Establish/Maintain Documentation | Preventive | |
| Include individuals assigned to the local environment in the local environment security profile. CC ID 07038 | Establish/Maintain Documentation | Preventive | |
| Include security requirements in the local environment security profile. CC ID 15717 | Establish/Maintain Documentation | Preventive | |
| Include the business processes assigned to the local environment in the local environment security profile. CC ID 07039 | Establish/Maintain Documentation | Preventive | |
| Include the technology used in the local environment in the local environment security profile. CC ID 07040 | Establish/Maintain Documentation | Preventive | |
| Include contact information for critical personnel assigned to the local environment in the local environment security profile. CC ID 07041 | Establish/Maintain Documentation | Preventive | |
| Include facility information for the local environment in the local environment security profile. CC ID 07042 | Establish/Maintain Documentation | Preventive | |
| Include facility access information for the local environment in the local environment security profile. CC ID 11773 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the local environment security profile to interested personnel and affected parties. CC ID 15716 | Communicate | Preventive | |
| Update the local environment security profile, as necessary. CC ID 07043 | Establish/Maintain Documentation | Preventive | |
Physical and environmental protection | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Physical and environmental protection CC ID 00709 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a physical security program. CC ID 11757 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an anti-tamper protection program. CC ID 10638 | Monitor and Evaluate Occurrences | Detective | |
| Disallow disabling tamper detection and response mechanisms, absent authorization. CC ID 12211 [The device protects all account data upon entry (consistent with A9 for magnetic stripe data and D1 for Chip data), and there is no method of accessing the clear-text account data (using methods described in A1) without defeating the security of the device. Defeating or circumventing the security mechanism requires an attack potential of at least 16 for identification and initial exploitation, with a minimum of 8 for exploitation. K1.1 {tamper response} The device uses tamper-detection and response mechanisms that cause it to become immediately inoperable and result in the automatic and immediate erasure of any sensitive data that may be stored in the device, such that it becomes infeasible to recover the sensitive data. These mechanisms protect against physical penetration of the device by means of (but not limited to) drills, lasers, chemical solvents, opening covers, splitting the casing (seams), and using ventilation openings; and there is not any demonstrable way to disable or defeat the mechanism and insert a PIN-disclosing bug or gain access to secret information without requiring an attack potential of at least 26 per device for identification and initial exploitation, with a minimum of 13 for exploitation, exclusive of the IC card reader. A1] | Configuration | Preventive | |
| Prevent security mechanisms from being compromised by adverse physical conditions. CC ID 12215 [The security of the device is not compromised by altering: \ - Environmental conditions\ - Operational conditions A3 The security of the device is not compromised by altering: \ - Environmental conditions\ - Operational conditions A3] | Configuration | Preventive | |
| Protect assets from tampering or unapproved substitution. CC ID 11902 [The unauthorized alteration of prompts for non-PIN data entry into the PIN entry key pad such that PINs are compromised, i.e., by prompting for the PIN entry when the output is not encrypted, cannot occur without requiring an attack potential of at least 18 per device for identification and initial exploitation with a minimum of 9 for exploitation. A7 It is not feasible to penetrate the device to make any additions, substitutions, or modifications to the magnetic-stripe reader and associated hardware or software, in order to determine or modify magnetic-stripe track data, without requiring an attack potential of at least 16 per device, for identification and initial exploitation, with a minimum of 8 for exploitation. A9 Secure components intended for unattended devices contain an anti-removal mechanism to protect against unauthorized removal and/or unauthorized re-installation. Defeating or circumventing this mechanism must require an attack potential of at least 18 per device for identification and initial exploitation, with a minimum of 9 for exploitation. A10 The POI should be protected from unauthorized modification with tamper-evident security features, and customers shall be provided with documentation (both shipped with the product and available securely online) that provides instruction on validating the authenticity and integrity of the POI.\ Where this is not possible, the POI is shipped from the manufacturer’s facility to the initial key-loading facility or to the facility of initial deployment and stored en route under auditable controls that can account for the location of every POI at every point in time.\ Where multiple parties are involved in organizing the shipping, it is the responsibility of each party to ensure that the shipping and storage they are managing is compliant with this requirement. M1 The device is assembled in a manner that the components used in the manufacturing process are those components that were certified by the Core PIN Entry and/or POS Terminal Integration Security Requirements evaluation, and that unauthorized substitutions have not been made. L3 Subsequent to production but prior to shipment from the manufacturer’s or reseller’s facility, the device and any of its components are stored in a protected, access-controlled area or sealed within tamper-evident packaging to prevent undetected unauthorized access to the device or its components. L5 The PIN entry POI terminal is equipped with mechanisms to prevent attacks aiming at retaining and stealing the payment card (e.g., Lebanese Loop attack). E3.2 {tamper response} The device uses tamper-detection and response mechanisms that cause it to become immediately inoperable and result in the automatic and immediate erasure of any sensitive data that may be stored in the device, such that it becomes infeasible to recover the sensitive data. These mechanisms protect against physical penetration of the device by means of (but not limited to) drills, lasers, chemical solvents, opening covers, splitting the casing (seams), and using ventilation openings; and there is not any demonstrable way to disable or defeat the mechanism and insert a PIN-disclosing bug or gain access to secret information without requiring an attack potential of at least 26 per device for identification and initial exploitation, with a minimum of 13 for exploitation, exclusive of the IC card reader. A1 {tamper response} The device uses tamper-detection and response mechanisms that cause it to become immediately inoperable and result in the automatic and immediate erasure of any sensitive data that may be stored in the device, such that it becomes infeasible to recover the sensitive data. These mechanisms protect against physical penetration of the device by means of (but not limited to) drills, lasers, chemical solvents, opening covers, splitting the casing (seams), and using ventilation openings; and there is not any demonstrable way to disable or defeat the mechanism and insert a PIN-disclosing bug or gain access to secret information without requiring an attack potential of at least 26 per device for identification and initial exploitation, with a minimum of 13 for exploitation, exclusive of the IC card reader. A1 Failure of a single security mechanism does not compromise device security. Protection against a threat is based on a combination of at least two independent security mechanisms. A2] | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain a facility physical security program. CC ID 00711 | Establish/Maintain Documentation | Preventive | |
| Protect facilities from eavesdropping. CC ID 02222 [{prevent} {facility} There is no feasible way to determine any entered and internally transmitted PIN digit by monitoring sound, electro-magnetic emissions, power consumption or any other external characteristic available for monitoring—even with the cooperation of the device operator or sales clerk—without requiring an attack potential of at least 26 for identification and initial exploitation with a minimum of 13 for exploitation. A5] | Physical and Environmental Protection | Preventive | |
| Inspect telephones for eavesdropping devices. CC ID 02223 | Physical and Environmental Protection | Detective | |
| Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 | Technical Security | Preventive | |
| Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 | Establish/Maintain Documentation | Preventive | |
| Hold conferences requiring sensitive information discussions in spaces that have commensurate security. CC ID 11440 | Physical and Environmental Protection | Preventive | |
| Provide one-time meeting support for discussions involving Top Secret information. CC ID 11441 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 | Physical and Environmental Protection | Preventive | |
| Protect distributed assets against theft. CC ID 06799 [The device is protected against unauthorized removal. Defeating or circumventing this mechanism must require an attack potential of at least 18 per device for identification and initial exploitation, with a minimum of 9 for exploitation. E4.1] | Physical and Environmental Protection | Preventive | |
| Include Information Technology assets in the asset removal policy. CC ID 13162 | Establish/Maintain Documentation | Preventive | |
| Specify the assets to be returned or removed in the asset removal policy. CC ID 13163 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the asset removal policy to interested personnel and affected parties. CC ID 13160 | Communicate | Preventive | |
| Establish, implement, and maintain asset removal procedures or asset decommissioning procedures. CC ID 04540 | Establish/Maintain Documentation | Preventive | |
| Prohibit assets from being taken off-site absent prior authorization. CC ID 12027 | Process or Activity | Preventive | |
| Control the delivery of assets through physical entry points and physical exit points. CC ID 01441 | Physical and Environmental Protection | Preventive | |
| Control the removal of assets through physical entry points and physical exit points. CC ID 11681 | Physical and Environmental Protection | Preventive | |
| Maintain records of all system components entering and exiting the facility. CC ID 14304 | Log Management | Preventive | |
| Establish, implement, and maintain on-site logical controls for all distributed assets. CC ID 11682 | Technical Security | Preventive | |
| Establish, implement, and maintain off-site logical controls for all distributed assets. CC ID 11683 | Technical Security | Preventive | |
| Establish, implement, and maintain on-site physical controls for all distributed assets. CC ID 04820 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain off-site physical controls for all distributed assets. CC ID 04539 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain missing asset reporting procedures. CC ID 06336 | Establish/Maintain Documentation | Preventive | |
| Attach asset location technologies to distributed assets. CC ID 10626 | Physical and Environmental Protection | Detective | |
| Employ asset location technologies in accordance with applicable laws and regulations. CC ID 10627 | Physical and Environmental Protection | Preventive | |
| Monitor the location of distributed assets. CC ID 11684 | Monitor and Evaluate Occurrences | Detective | |
| Remote lock any distributed assets reported lost or stolen. CC ID 14008 | Technical Security | Corrective | |
| Remote wipe any distributed asset reported lost or stolen. CC ID 12197 | Process or Activity | Corrective | |
| Unpair missing Bluetooth devices. CC ID 12428 | Physical and Environmental Protection | Corrective | |
| Establish, implement, and maintain an environmental control program. CC ID 00724 [{environmental conditions} Environmental or operational conditions cannot be altered to compromise the security of the device, or cause the device to output clear-text account data.\ (An example includes subjecting the device to temperatures or operating voltages outside the stated operating ranges.) K19] | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain clean energy standards. CC ID 16285 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain environmental control procedures. CC ID 12246 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain a telecommunications equipment room, as necessary. CC ID 06708 | Configuration | Preventive | |
| Protect power equipment and power cabling from damage or destruction. CC ID 01438 | Physical and Environmental Protection | Preventive | |
| Install and maintain power distribution boards. CC ID 16486 | Systems Design, Build, and Implementation | Preventive | |
| Establish, implement, and maintain a battery room, as necessary. CC ID 06706 | Configuration | Preventive | |
| Establish and maintain a generator room, as necessary. CC ID 06704 | Configuration | Preventive | |
| Place the Uninterruptible Power Supply in the generator room, as necessary. CC ID 11676 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain facility maintenance procedures. CC ID 00710 | Establish/Maintain Documentation | Preventive | |
| Design the Information Technology facility with consideration given to natural disasters and man-made disasters. CC ID 00712 | Physical and Environmental Protection | Preventive | |
| Design the Information Technology facility with a low profile. CC ID 16140 | Physical and Environmental Protection | Preventive | |
| Prohibit signage indicating computer room location and uses. CC ID 06343 | Physical and Environmental Protection | Preventive | |
| Require critical facilities to have adequate room for facility maintenance. CC ID 06361 | Physical and Environmental Protection | Preventive | |
| Require critical facilities to have adequate room for evacuation. CC ID 11686 | Physical and Environmental Protection | Preventive | |
| Build critical facilities according to applicable building codes. CC ID 06366 | Physical and Environmental Protection | Preventive | |
| Build critical facilities with fire resistant materials. CC ID 06365 | Physical and Environmental Protection | Preventive | |
| Build critical facilities with materials that limit electromagnetic interference. CC ID 16131 | Physical and Environmental Protection | Preventive | |
| Build critical facilities with water-resistant materials. CC ID 11679 | Physical and Environmental Protection | Preventive | |
| Monitor operational conditions at unmanned facilities. CC ID 06327 | Physical and Environmental Protection | Preventive | |
| Remotely control operational conditions at unmanned facilities. CC ID 11680 | Technical Security | Preventive | |
| Inspect and maintain the facility and supporting assets. CC ID 06345 | Physical and Environmental Protection | Preventive | |
| Test and inspect assets under full load working conditions. CC ID 06356 | Testing | Detective | |
| Define selection criteria for facility locations. CC ID 06351 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain facility demolition procedures. CC ID 16133 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain work environment requirements. CC ID 06613 | Establish/Maintain Documentation | Preventive | |
| Apply noise-prevention devices to organizational assets, as necessary. CC ID 16141 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain system cleanliness requirements. CC ID 06614 | Establish/Maintain Documentation | Preventive | |
| House system components in areas where the physical damage potential is minimized. CC ID 01623 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain a fire prevention and fire suppression standard. CC ID 06695 | Establish/Maintain Documentation | Preventive | |
| Install and maintain fire protection equipment. CC ID 00728 | Configuration | Preventive | |
| Install and maintain fire suppression systems. CC ID 00729 | Configuration | Preventive | |
| Install and maintain smoke detectors. CC ID 15264 | Physical and Environmental Protection | Preventive | |
| Conduct periodic fire marshal inspections for all organizational facilities. CC ID 04888 | Physical and Environmental Protection | Preventive | |
| Install and maintain fire-retarding divisions such as fire doors in accordance with applicable building codes. CC ID 06362 | Physical and Environmental Protection | Preventive | |
| Conduct fire drills, as necessary. CC ID 13985 | Process or Activity | Preventive | |
| Employ environmental protections. CC ID 12570 | Process or Activity | Preventive | |
| Monitor and review environmental protections. CC ID 12571 | Monitor and Evaluate Occurrences | Detective | |
| Establish, implement, and maintain electromagnetic compatibility requirements for in scope assets. CC ID 16472 | Establish/Maintain Documentation | Preventive | |
| Install and maintain seismic detectors in critical facilities. CC ID 06364 | Physical and Environmental Protection | Detective | |
| Protect physical assets against static electricity, as necessary. CC ID 06363 | Physical and Environmental Protection | Preventive | |
| Install and maintain emergency lighting for use in a power failure. CC ID 01440 | Physical and Environmental Protection | Preventive | |
| Install and maintain lightning protection mechanisms in critical facilities. CC ID 06367 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain pest control systems in organizational facilities. CC ID 16139 | Physical and Environmental Protection | Preventive | |
| Establish, implement, and maintain a Heating Ventilation and Air Conditioning system. CC ID 00727 | Configuration | Preventive | |
| Install and maintain an environment control monitoring system. CC ID 06370 | Monitor and Evaluate Occurrences | Detective | |
| Protect air intakes into the organizational facility. CC ID 02211 | Physical and Environmental Protection | Preventive | |
| Install and maintain dust collection and filtering as a part of the Heating Ventilation and Air Conditioning system. CC ID 06368 | Configuration | Preventive | |
| Install and maintain backup Heating Ventilation and Air Conditioning equipment. CC ID 06369 | Configuration | Preventive | |
| Install and maintain a moisture control system as a part of the climate control system. CC ID 06694 | Configuration | Preventive | |
| Install and maintain hydrogen sensors, as necessary. CC ID 06705 | Configuration | Preventive | |
| Protect physical assets from water damage. CC ID 00730 | Configuration | Preventive | |
| Notify interested personnel and affected parties when water is detected in the vicinity of information systems. CC ID 14252 | Communicate | Preventive | |
| Install and maintain water detection devices. CC ID 11678 | Physical and Environmental Protection | Preventive | |
Privacy protection for information and data | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Privacy protection for information and data CC ID 00008 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a personal data collection program. CC ID 06487 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a personal data use policy. CC ID 00076 | Establish/Maintain Documentation | Preventive | |
| Use personal data for specified purposes. CC ID 11831 [Sensitive data shall not be retained any longer, or used more often, than strictly necessary. Online PINs are encrypted within the device immediately after PIN entry is complete and has been signified as such by the cardholder, e.g., via pressing the enter button.\ The device must automatically clear its internal buffers when either:\ - The transaction is completed, or\ - The device has timed out waiting for the response from the cardholder or merchant. B6] | Data and Information Management | Preventive | |
| Establish, implement, and maintain a data handling program. CC ID 13427 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain data handling policies. CC ID 00353 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 | Data and Information Management | Preventive | |
| Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 [The vendor must provide clear security guidance consistent with B2 and B6 to all application developers to ensure:\ - That it is not possible for applications to be influenced by logical anomalies which could result in clear-text data being outputted whilst the terminal is in encrypting mode.\ - That account data is not retained any longer, or used more often, than strictly necessary. K11.2 Account data (in either clear-text or encrypted form) shall not be retained any longer, or used more often, than strictly necessary. K15.2 Sensitive data shall not be retained any longer, or used more often, than strictly necessary. Online PINs are encrypted within the device immediately after PIN entry is complete and has been signified as such by the cardholder, e.g., via pressing the enter button.\ The device must automatically clear its internal buffers when either:\ - The transaction is completed, or\ - The device has timed out waiting for the response from the cardholder or merchant. B6] | Configuration | Preventive | |
System hardening through configuration management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| System hardening through configuration management CC ID 00860 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a Configuration Management program. CC ID 00867 [The device vendor maintains guidance describing configuration management for the device.\ a) The guidance is at the disposal of internal users, and/or of application developers, system integrators and end-users of the device.\ b) The guidance covers the complete device—including firmware, payment and non-payment applications, forms, multimedia files, certificates, configuration files, configuration setting, and keys.\ c) The guidance covers the complete life cycle of the device from development, over manufacturing, up to delivery and operation.\ d) The security guidance ensures that unauthorized modification is not possible.\ e) The security guidance ensures that any modification of a PTS- approved device that impacts device security, results in a change of the device identifier. J1] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain configuration control and Configuration Status Accounting. CC ID 00863 | Business Processes | Preventive | |
| Establish, implement, and maintain appropriate system labeling. CC ID 01900 | Establish/Maintain Documentation | Preventive | |
| Include the identification number of the third party who performed the conformity assessment procedures on all promotional materials. CC ID 15041 | Establish/Maintain Documentation | Preventive | |
| Include the identification number of the third party who conducted the conformity assessment procedures after the CE marking of conformity. CC ID 15040 | Establish/Maintain Documentation | Preventive | |
| Verify configuration files requiring passwords for automation do not contain those passwords after the installation process is complete. CC ID 06555 | Configuration | Preventive | |
| Establish, implement, and maintain a configuration management policy. CC ID 14023 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain configuration management procedures. CC ID 14074 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the configuration management procedures to interested personnel and affected parties. CC ID 14139 | Communicate | Preventive | |
| Include compliance requirements in the configuration management policy. CC ID 14072 | Establish/Maintain Documentation | Preventive | |
| Include coordination amongst entities in the configuration management policy. CC ID 14071 | Establish/Maintain Documentation | Preventive | |
| Include management commitment in the configuration management policy. CC ID 14070 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the configuration management policy. CC ID 14069 | Establish/Maintain Documentation | Preventive | |
| Include the scope in the configuration management policy. CC ID 14068 | Establish/Maintain Documentation | Preventive | |
| Include the purpose in the configuration management policy. CC ID 14067 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the configuration management policy to interested personnel and affected parties. CC ID 14066 | Communicate | Preventive | |
| Establish, implement, and maintain a configuration management plan. CC ID 01901 | Establish/Maintain Documentation | Preventive | |
| Include configuration management procedures in the configuration management plan. CC ID 14248 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the configuration management plan. CC ID 14247 | Establish/Maintain Documentation | Preventive | |
| Approve the configuration management plan. CC ID 14717 | Business Processes | Preventive | |
| Establish, implement, and maintain system tracking documentation. CC ID 15266 | Establish/Maintain Documentation | Preventive | |
| Include prioritization codes in the system tracking documentation. CC ID 15283 | Establish/Maintain Documentation | Preventive | |
| Include the type and category of the request in the system tracking documentation. CC ID 15281 | Establish/Maintain Documentation | Preventive | |
| Include contact information in the system tracking documentation. CC ID 15280 | Establish/Maintain Documentation | Preventive | |
| Include the username in the system tracking documentation. CC ID 15278 | Establish/Maintain Documentation | Preventive | |
| Include a problem description in the system tracking documentation. CC ID 15276 | Establish/Maintain Documentation | Preventive | |
| Include affected systems in the system tracking documentation. CC ID 15275 | Establish/Maintain Documentation | Preventive | |
| Include root causes in the system tracking documentation. CC ID 15274 | Establish/Maintain Documentation | Preventive | |
| Include the name of who is responsible for resolution in the system tracking documentation. CC ID 15273 | Establish/Maintain Documentation | Preventive | |
| Include current status in the system tracking documentation. CC ID 15272 | Establish/Maintain Documentation | Preventive | |
| Employ the Configuration Management program. CC ID 11904 | Configuration | Preventive | |
| Record Configuration Management items in the Configuration Management database. CC ID 00861 | Establish/Maintain Documentation | Preventive | |
| Test network access controls for proper Configuration Management settings. CC ID 01281 | Testing | Detective | |
| Disseminate and communicate the configuration management program to all interested personnel and affected parties. CC ID 11946 [The device vendor maintains guidance describing configuration management for the device.\ a) The guidance is at the disposal of internal users, and/or of application developers, system integrators and end-users of the device.\ b) The guidance covers the complete device—including firmware, payment and non-payment applications, forms, multimedia files, certificates, configuration files, configuration setting, and keys.\ c) The guidance covers the complete life cycle of the device from development, over manufacturing, up to delivery and operation.\ d) The security guidance ensures that unauthorized modification is not possible.\ e) The security guidance ensures that any modification of a PTS- approved device that impacts device security, results in a change of the device identifier. J1] | Communicate | Preventive | |
| Establish, implement, and maintain a Configuration Management Database with accessible reporting capabilities. CC ID 02132 | Establish/Maintain Documentation | Preventive | |
| Document external connections for all systems. CC ID 06415 | Configuration | Preventive | |
| Establish, implement, and maintain a configuration baseline based on the least functionality principle. CC ID 00862 | Establish/Maintain Documentation | Preventive | |
| Include the measures used to account for any differences in operation between the test environments and production environments in the baseline configuration. CC ID 13285 | Establish/Maintain Documentation | Preventive | |
| Include the differences between test environments and production environments in the baseline configuration. CC ID 13284 | Establish/Maintain Documentation | Preventive | |
| Include the applied security patches in the baseline configuration. CC ID 13271 | Establish/Maintain Documentation | Preventive | |
| Include the installed application software and version numbers in the baseline configuration. CC ID 13270 | Establish/Maintain Documentation | Preventive | |
| Include installed custom software in the baseline configuration. CC ID 13274 | Establish/Maintain Documentation | Preventive | |
| Include network ports in the baseline configuration. CC ID 13273 | Establish/Maintain Documentation | Preventive | |
| Include the operating systems and version numbers in the baseline configuration. CC ID 13269 | Establish/Maintain Documentation | Preventive | |
| Include backup procedures in the Configuration Management policy. CC ID 01314 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a system hardening standard. CC ID 00876 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain configuration standards for all systems based upon industry best practices. CC ID 11953 | Configuration | Preventive | |
| Configure security parameter settings on all system components appropriately. CC ID 12041 [The operating system of the device must contain only the software (components and services) necessary for the intended operation. The operating system must be configured securely and run with least privilege. B18 The following features of the device’s operating system must be in place:\ - The operating system of the device must contain only the software (components and services) necessary for the intended operation.\ - The operating system must be configured securely and run with least privilege.\ - The security policy enforced by the device must not allow unauthorized or unnecessary functions.\ - API functionality and commands that are not required to support specific functionality must be disabled (and where possible, removed). K21] | Technical Security | Preventive | |
| Establish, implement, and maintain system hardening procedures. CC ID 12001 | Establish/Maintain Documentation | Preventive | |
| Block and/or remove unnecessary software and unauthorized software. CC ID 00865 [If the device allows updates of firmware, the device cryptographically authenticates the firmware and if the authenticity is not confirmed, the firmware update is rejected and deleted. B4 The operating system of the device must contain only the software (components and services) necessary for the intended operation. The operating system must be configured securely and run with least privilege. B18 If the device allows updates of firmware, the device cryptographically authenticates the firmware and if the authenticity is not confirmed, the firmware update is rejected and deleted. K12 The following features of the device’s operating system must be in place:\ - The operating system of the device must contain only the software (components and services) necessary for the intended operation.\ - The operating system must be configured securely and run with least privilege.\ - The security policy enforced by the device must not allow unauthorized or unnecessary functions.\ - API functionality and commands that are not required to support specific functionality must be disabled (and where possible, removed). K21] | Configuration | Preventive | |
| Establish, implement, and maintain idle session termination and logout capabilities. CC ID 01418 [The device implements session management.\ a) The device keeps track of all connections and restricts the number of sessions that can remain active on the device to the minimum necessary number.\ b) The device sets time limits for sessions and ensures that sessions are not left open for longer than necessary. I6] | Configuration | Preventive | |
| Refrain from using assertion lifetimes to limit each session. CC ID 13871 | Technical Security | Preventive | |
| Configure Session Configuration settings in accordance with organizational standards. CC ID 07698 | Configuration | Preventive | |
| Invalidate unexpected session identifiers. CC ID 15307 | Configuration | Preventive | |
| Configure the "MaxStartups" settings to organizational standards. CC ID 15329 | Configuration | Preventive | |
| Reject session identifiers that are not valid. CC ID 15306 | Configuration | Preventive | |
| Configure the "MaxSessions" settings to organizational standards. CC ID 15330 | Configuration | Preventive | |
| Configure the "Interactive logon: Message title for users attempting to log on" to organizational standards. CC ID 07699 | Configuration | Preventive | |
| Configure the "LoginGraceTime" settings to organizational standards. CC ID 15328 | Configuration | Preventive | |
| Configure the "Network security: Force logoff when logon hours expire" to organizational standards. CC ID 07738 | Configuration | Preventive | |
| Configure the "MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)" to organizational standards. CC ID 07758 | Configuration | Preventive | |
| Configure the "Microsoft network server: Disconnect clients when logon hours expire" to organizational standards. CC ID 07824 | Configuration | Preventive | |
| Configure the "Microsoft network server: Amount of idle time required before suspending session" to organizational standards. CC ID 07826 | Configuration | Preventive | |
| Configure the "Interactive logon: Do not display last user name" to organizational standards. CC ID 07832 | Configuration | Preventive | |
| Configure the "Interactive logon: Display user information when the session is locked" to organizational standards. CC ID 07848 | Configuration | Preventive | |
| Configure the "Interactive logon: Message text for users attempting to log on" to organizational standards. CC ID 07870 | Configuration | Preventive | |
| Configure the "Always prompt for password upon connection" to organizational standards. CC ID 08229 | Configuration | Preventive | |
| Configure the "Interactive logon: Machine inactivity limit" to organizational standards. CC ID 08350 | Configuration | Preventive | |
| Remove all unnecessary functionality. CC ID 00882 [The following features of the device’s operating system must be in place:\ - The operating system of the device must contain only the software (components and services) necessary for the intended operation.\ - The operating system must be configured securely and run with least privilege.\ - The security policy enforced by the device must not allow unauthorized or unnecessary functions.\ - API functionality and commands that are not required to support specific functionality must be disabled (and where possible, removed). K21 The following features of the device’s operating system must be in place:\ - The operating system of the device must contain only the software (components and services) necessary for the intended operation.\ - The operating system must be configured securely and run with least privilege.\ - The security policy enforced by the device must not allow unauthorized or unnecessary functions.\ - API functionality and commands that are not required to support specific functionality must be disabled (and where possible, removed). K21] | Configuration | Preventive | |
| Document that all enabled functions support secure configurations. CC ID 11985 | Establish/Maintain Documentation | Preventive | |
| Find and eradicate unauthorized world writable files. CC ID 01541 | Configuration | Preventive | |
| Strip dangerous/unneeded SUID/SGID system executables. CC ID 01542 | Configuration | Preventive | |
| Find and eradicate unauthorized SUID/SGID system executables. CC ID 01543 | Configuration | Preventive | |
| Find and eradicate unowned files and unowned directories. CC ID 01544 | Configuration | Preventive | |
| Disable logon prompts on serial ports. CC ID 01553 | Configuration | Preventive | |
| Disable "nobody" access for Secure RPC. CC ID 01554 | Configuration | Preventive | |
| Disable all unnecessary interfaces. CC ID 04826 | Configuration | Preventive | |
| Enable or disable all unused USB ports as appropriate. CC ID 06042 | Configuration | Preventive | |
| Disable all user-mounted removable file systems. CC ID 01536 | Configuration | Preventive | |
| Set the Bluetooth Security Mode to the organizational standard. CC ID 00587 | Configuration | Preventive | |
| Secure the Bluetooth headset connections. CC ID 00593 | Configuration | Preventive | |
| Verify wireless peripherals meet organizational security requirements. CC ID 00657 | Testing | Detective | |
| Disable automatic dial-in access to computers that have installed modems. CC ID 02036 | Configuration | Preventive | |
| Configure the "Turn off AutoPlay" setting. CC ID 01787 | Configuration | Preventive | |
| Configure the "Devices: Restrict floppy access to locally logged on users only" setting. CC ID 01732 | Configuration | Preventive | |
| Configure the "Devices: Restrict CD-ROM access to locally logged on users" setting. CC ID 01731 | Configuration | Preventive | |
| Configure the "Remove CD Burning features" setting. CC ID 04379 | Configuration | Preventive | |
| Disable Autorun. CC ID 01790 | Configuration | Preventive | |
| Disable USB devices (aka hotplugger). CC ID 01545 | Configuration | Preventive | |
| Enable or disable all unused auxiliary ports as appropriate. CC ID 06414 | Configuration | Preventive | |
| Remove rhosts support unless absolutely necessary. CC ID 01555 | Configuration | Preventive | |
| Remove weak authentication services from Pluggable Authentication Modules. CC ID 01556 | Configuration | Preventive | |
| Remove the /etc/hosts.equiv file. CC ID 01559 | Configuration | Preventive | |
| Create the /etc/ftpd/ftpusers file. CC ID 01560 | Configuration | Preventive | |
| Remove the X Wrapper and enable the X Display Manager. CC ID 01564 | Configuration | Preventive | |
| Remove empty crontab files and restrict file permissions to the file. CC ID 01571 | Configuration | Preventive | |
| Remove all compilers and assemblers from the system. CC ID 01594 | Configuration | Preventive | |
| Disable all unnecessary applications unless otherwise noted in a policy exception. CC ID 04827 [The following features of the device’s operating system must be in place:\ - The operating system of the device must contain only the software (components and services) necessary for the intended operation.\ - The operating system must be configured securely and run with least privilege.\ - The security policy enforced by the device must not allow unauthorized or unnecessary functions.\ - API functionality and commands that are not required to support specific functionality must be disabled (and where possible, removed). K21] | Configuration | Preventive | |
| Restrict and control the use of privileged utility programs. CC ID 12030 | Technical Security | Preventive | |
| Disable the storing of movies in cache in Apple's QuickTime. CC ID 04489 | Configuration | Preventive | |
| Install and enable file sharing utilities, as necessary. CC ID 02174 | Configuration | Preventive | |
| Disable boot services unless boot services are absolutely necessary. CC ID 01481 | Configuration | Preventive | |
| Disable File Services for Macintosh unless File Services for Macintosh are absolutely necessary. CC ID 04279 | Configuration | Preventive | |
| Configure the Trivial FTP Daemon service to organizational standards. CC ID 01484 | Configuration | Preventive | |
| Disable printer daemons or the printer service unless printer daemons or the printer service is absolutely necessary. CC ID 01487 | Configuration | Preventive | |
| Disable web server unless web server is absolutely necessary. CC ID 01490 | Configuration | Preventive | |
| Disable portmapper unless portmapper is absolutely necessary. CC ID 01492 | Configuration | Preventive | |
| Disable writesrv, pmd, and httpdlite unless writesrv, pmd, and httpdlite are absolutely necessary. CC ID 01498 | Configuration | Preventive | |
| Disable hwscan hardware detection unless hwscan hardware detection is absolutely necessary. CC ID 01504 | Configuration | Preventive | |
| Configure the “xinetd” service to organizational standards. CC ID 01509 | Configuration | Preventive | |
| Configure the /etc/xinetd.conf file permissions as appropriate. CC ID 01568 | Configuration | Preventive | |
| Disable inetd unless inetd is absolutely necessary. CC ID 01508 | Configuration | Preventive | |
| Disable Network Computing System unless it is absolutely necessary. CC ID 01497 | Configuration | Preventive | |
| Disable print server for macintosh unless print server for macintosh is absolutely necessary. CC ID 04284 | Configuration | Preventive | |
| Disable Print Server unless Print Server is absolutely necessary. CC ID 01488 | Configuration | Preventive | |
| Disable ruser/remote login/remote shell/rcp command, unless it is absolutely necessary. CC ID 01480 | Configuration | Preventive | |
| Disable xfsmd unless xfsmd is absolutely necessary. CC ID 02179 | Configuration | Preventive | |
| Disable RPC-based services unless RPC-based services are absolutely necessary. CC ID 01455 | Configuration | Preventive | |
| Disable netfs script unless netfs script is absolutely necessary. CC ID 01495 | Configuration | Preventive | |
| Disable Remote Procedure Calls unless Remote Procedure Calls are absolutely necessary and if enabled, set restrictions. CC ID 01456 | Configuration | Preventive | |
| Configure the "RPC Endpoint Mapper Client Authentication" setting. CC ID 04327 | Configuration | Preventive | |
| Disable ncpfs Script unless ncpfs Script is absolutely necessary. CC ID 01494 | Configuration | Preventive | |
| Disable sendmail server unless sendmail server is absolutely necessary. CC ID 01511 | Configuration | Preventive | |
| Disable postfix unless postfix is absolutely necessary. CC ID 01512 | Configuration | Preventive | |
| Disable directory server unless directory server is absolutely necessary. CC ID 01464 | Configuration | Preventive | |
| Disable Windows-compatibility client processes unless Windows-compatibility client processes are absolutely necessary. CC ID 01471 | Configuration | Preventive | |
| Disable Windows-compatibility servers unless Windows-compatibility servers are absolutely necessary. CC ID 01470 | Configuration | Preventive | |
| Configure the “Network File System” server to organizational standards CC ID 01472 | Configuration | Preventive | |
| Configure NFS to respond or not as appropriate to NFS client requests that do not include a User ID. CC ID 05981 | Configuration | Preventive | |
| Configure NFS with appropriate authentication methods. CC ID 05982 | Configuration | Preventive | |
| Configure the "AUTH_DES authentication mechanism" for "NFS server" setting to organizational standards. CC ID 08971 | Configuration | Preventive | |
| Configure the "AUTH_KERB authentication mechanism" for "NFS server" setting to organizational standards. CC ID 08972 | Configuration | Preventive | |
| Configure the "AUTH_NONE authentication mechanism" for "NFS server" setting to organizational standards. CC ID 08973 | Configuration | Preventive | |
| Configure the "AUTH_UNIX authentication mechanism" for "NFS server" setting to organizational standards. CC ID 08974 | Configuration | Preventive | |
| Disable webmin processes unless the webmin process is absolutely necessary. CC ID 01501 | Configuration | Preventive | |
| Disable automount daemon unless automount daemon is absolutely necessary. CC ID 01476 | Configuration | Preventive | |
| Disable CDE-related daemons unless CDE-related daemons are absolutely necessary. CC ID 01474 | Configuration | Preventive | |
| Disable finger unless finger is absolutely necessary. CC ID 01505 | Configuration | Preventive | |
| Disable Rexec unless Rexec is absolutely necessary. CC ID 02164 | Configuration | Preventive | |
| Disable Squid cache server unless Squid cache server is absolutely necessary. CC ID 01502 | Configuration | Preventive | |
| Disable Kudzu hardware detection unless Kudzu hardware detection is absolutely necessary. CC ID 01503 | Configuration | Preventive | |
| Install and enable public Instant Messaging clients as necessary. CC ID 02173 | Configuration | Preventive | |
| Disable x font server unless x font server is absolutely necessary. CC ID 01499 | Configuration | Preventive | |
| Validate, approve, and document all UNIX shells prior to use. CC ID 02161 | Establish/Maintain Documentation | Preventive | |
| Disable NFS client processes unless NFS client processes are absolutely necessary. CC ID 01475 | Configuration | Preventive | |
| Disable the use of removable storage media for systems that process restricted data or restricted information, as necessary. CC ID 06681 | Data and Information Management | Preventive | |
| Disable removable storage media daemon unless the removable storage media daemon is absolutely necessary. CC ID 01477 | Configuration | Preventive | |
| Disable GSS daemon unless GSS daemon is absolutely necessary. CC ID 01465 | Configuration | Preventive | |
| Disable Computer Browser unless Computer Browser is absolutely necessary. CC ID 01814 | Configuration | Preventive | |
| Configure the Computer Browser ResetBrowser Frames as appropriate. CC ID 05984 | Configuration | Preventive | |
| Configure the /etc/samba/smb.conf file file permissions as appropriate. CC ID 05989 | Configuration | Preventive | |
| Disable NetMeeting remote desktop sharing unless NetMeeting remote desktop sharing is absolutely necessary. CC ID 01821 | Configuration | Preventive | |
| Disable web directory browsing on all web-enabled devices. CC ID 01874 | Configuration | Preventive | |
| Disable WWW publishing services unless WWW publishing services are absolutely necessary. CC ID 01833 | Configuration | Preventive | |
| Install and enable samba, as necessary. CC ID 02175 | Configuration | Preventive | |
| Configure the samba hosts allow option with an appropriate set of networks. CC ID 05985 | Configuration | Preventive | |
| Configure the samba security option option as appropriate. CC ID 05986 | Configuration | Preventive | |
| Configure the samba encrypt passwords option as appropriate. CC ID 05987 | Configuration | Preventive | |
| Configure the Samba 'smb passwd file' option with an appropriate password file or no password file. CC ID 05988 | Configuration | Preventive | |
| Disable Usenet Internet news package file capabilities unless Usenet Internet news package file capabilities are absolutely necessary. CC ID 02176 | Configuration | Preventive | |
| Disable iPlanet Web Server unless iPlanet Web Server is absolutely necessary. CC ID 02172 | Configuration | Preventive | |
| Disable volume manager unless volume manager is absolutely necessary. CC ID 01469 | Configuration | Preventive | |
| Disable Solaris Management Console unless Solaris Management Console is absolutely necessary. CC ID 01468 | Configuration | Preventive | |
| Disable the Graphical User Interface unless it is absolutely necessary. CC ID 01466 | Configuration | Preventive | |
| Disable help and support unless help and support is absolutely necessary. CC ID 04280 | Configuration | Preventive | |
| Disable speech recognition unless speech recognition is absolutely necessary. CC ID 04491 | Configuration | Preventive | |
| Disable or secure the NetWare QuickFinder search engine. CC ID 04453 | Configuration | Preventive | |
| Disable messenger unless messenger is absolutely necessary. CC ID 01819 | Configuration | Preventive | |
| Configure the "Do not allow Windows Messenger to be run" setting. CC ID 04516 | Configuration | Preventive | |
| Configure the "Do not automatically start Windows Messenger initially" setting. CC ID 04517 | Configuration | Preventive | |
| Configure the "Turn off the Windows Messenger Customer Experience Improvement Program" setting. CC ID 04330 | Configuration | Preventive | |
| Disable automatic updates unless automatic updates are absolutely necessary. CC ID 01811 | Configuration | Preventive | |
| Configure automatic update installation and shutdown/restart options and shutdown/restart procedures to organizational standards. CC ID 05979 | Configuration | Preventive | |
| Disable Name Service Cache Daemon unless Name Service Cache Daemon is absolutely necessary. CC ID 04846 | Configuration | Preventive | |
| Prohibit R-command files from existing for root or administrator. CC ID 16322 | Configuration | Preventive | |
| Verify the /bin/rsh file exists or not, as appropriate. CC ID 05101 | Configuration | Preventive | |
| Verify the /sbin/rsh file exists or not, as appropriate. CC ID 05102 | Configuration | Preventive | |
| Verify the /usr/bin/rsh file exists or not, as appropriate. CC ID 05103 | Configuration | Preventive | |
| Verify the /etc/ftpusers file exists or not, as appropriate. CC ID 05104 | Configuration | Preventive | |
| Verify the /etc/rsh file exists or not, as appropriate. CC ID 05105 | Configuration | Preventive | |
| Install or uninstall the AIDE package, as appropriate. CC ID 05106 | Configuration | Preventive | |
| Enable the GNOME automounter (gnome-volume-manager) as necessary. CC ID 05107 | Configuration | Preventive | |
| Install or uninstall the setroubleshoot package, as appropriate. CC ID 05108 | Configuration | Preventive | |
| Configure Avahi properly. CC ID 05109 | Configuration | Preventive | |
| Install or uninstall OpenNTPD, as appropriate. CC ID 05110 | Configuration | Preventive | |
| Configure the "httpd" service to organizational standards. CC ID 05111 | Configuration | Preventive | |
| Install or uninstall the net-smtp package properly. CC ID 05112 | Configuration | Preventive | |
| Configure the apache web service properly. CC ID 05113 | Configuration | Preventive | |
| Configure the vlock package properly. CC ID 05114 | Configuration | Preventive | |
| Establish, implement, and maintain service accounts. CC ID 13861 | Technical Security | Preventive | |
| Review the ownership of service accounts, as necessary. CC ID 13863 | Technical Security | Detective | |
| Manage access credentials for service accounts. CC ID 13862 | Technical Security | Preventive | |
| Configure the daemon account properly. CC ID 05115 | Configuration | Preventive | |
| Configure the bin account properly. CC ID 05116 | Configuration | Preventive | |
| Configure the nuucp account properly. CC ID 05117 | Configuration | Preventive | |
| Configure the smmsp account properly. CC ID 05118 | Configuration | Preventive | |
| Configure the listen account properly. CC ID 05119 | Configuration | Preventive | |
| Configure the gdm account properly. CC ID 05120 | Configuration | Preventive | |
| Configure the webservd account properly. CC ID 05121 | Configuration | Preventive | |
| Configure the nobody account properly. CC ID 05122 | Configuration | Preventive | |
| Configure the noaccess account properly. CC ID 05123 | Configuration | Preventive | |
| Configure the nobody4 account properly. CC ID 05124 | Configuration | Preventive | |
| Configure the sys account properly. CC ID 05125 | Configuration | Preventive | |
| Configure the adm account properly. CC ID 05126 | Configuration | Preventive | |
| Configure the lp account properly. CC ID 05127 | Configuration | Preventive | |
| Configure the uucp account properly. CC ID 05128 | Configuration | Preventive | |
| Install or uninstall the tftp-server package, as appropriate. CC ID 05130 | Configuration | Preventive | |
| Enable the web console as necessary. CC ID 05131 | Configuration | Preventive | |
| Enable rlogin auth by Pluggable Authentication Modules or pam.d properly. CC ID 05132 | Configuration | Preventive | |
| Enable rsh auth by Pluggable Authentication Modules properly. CC ID 05133 | Configuration | Preventive | |
| Enable the listening sendmail daemon, as appropriate. CC ID 05134 | Configuration | Preventive | |
| Configure Squid properly. CC ID 05135 | Configuration | Preventive | |
| Configure the "global Package signature checking" setting to organizational standards. CC ID 08735 | Establish/Maintain Documentation | Preventive | |
| Configure the "Package signature checking" setting for "all configured repositories" to organizational standards. CC ID 08736 | Establish/Maintain Documentation | Preventive | |
| Configure the "verify against the package database" setting for "all installed software packages" to organizational standards. CC ID 08737 | Establish/Maintain Documentation | Preventive | |
| Configure the "isdn4k-utils" package to organizational standards. CC ID 08738 | Establish/Maintain Documentation | Preventive | |
| Configure the "postfix" package to organizational standards. CC ID 08739 | Establish/Maintain Documentation | Preventive | |
| Configure the "vsftpd" package to organizational standards. CC ID 08740 | Establish/Maintain Documentation | Preventive | |
| Configure the "net-snmpd" package to organizational standards. CC ID 08741 | Establish/Maintain Documentation | Preventive | |
| Configure the "rsyslog" package to organizational standards. CC ID 08742 | Establish/Maintain Documentation | Preventive | |
| Configure the "ipsec-tools" package to organizational standards. CC ID 08743 | Establish/Maintain Documentation | Preventive | |
| Configure the "pam_ccreds" package to organizational standards. CC ID 08744 | Establish/Maintain Documentation | Preventive | |
| Configure the "talk-server" package to organizational standards. CC ID 08745 | Establish/Maintain Documentation | Preventive | |
| Configure the "talk" package to organizational standards. CC ID 08746 | Establish/Maintain Documentation | Preventive | |
| Configure the "irda-utils" package to organizational standards. CC ID 08747 | Establish/Maintain Documentation | Preventive | |
| Configure the "/etc/shells" file to organizational standards. CC ID 08978 | Configuration | Preventive | |
| Configure the LDAP package to organizational standards. CC ID 09937 | Configuration | Preventive | |
| Configure the "FTP server" package to organizational standards. CC ID 09938 | Configuration | Preventive | |
| Configure the "HTTP Proxy Server" package to organizational standards. CC ID 09939 | Configuration | Preventive | |
| Configure the "prelink" package to organizational standards. CC ID 11379 | Configuration | Preventive | |
| Configure the Network Information Service (NIS) package to organizational standards. CC ID 11380 | Configuration | Preventive | |
| Configure the "time" setting to organizational standards. CC ID 11381 | Configuration | Preventive | |
| Configure the "biosdevname" package to organizational standards. CC ID 11383 | Configuration | Preventive | |
| Configure the "ufw" setting to organizational standards. CC ID 11384 | Configuration | Preventive | |
| Configure the "Devices: Allow undock without having to log on" setting. CC ID 01728 | Configuration | Preventive | |
| Limit the user roles that are allowed to format and eject removable storage media. CC ID 01729 | Configuration | Preventive | |
| Prevent users from installing printer drivers. CC ID 01730 | Configuration | Preventive | |
| Minimize the inetd.conf file and set the file to the appropriate permissions. CC ID 01506 | Configuration | Preventive | |
| Configure the unsigned driver installation behavior. CC ID 01733 | Configuration | Preventive | |
| Configure the unsigned non-driver installation behavior. CC ID 02038 | Configuration | Preventive | |
| Remove all demonstration applications on the system. CC ID 01875 | Configuration | Preventive | |
| Configure the system to disallow optional Subsystems. CC ID 04265 | Configuration | Preventive | |
| Configure the "Remove Security tab" setting. CC ID 04380 | Configuration | Preventive | |
| Disable all unnecessary services unless otherwise noted in a policy exception. CC ID 00880 | Configuration | Preventive | |
| Disable rquotad unless rquotad is absolutely necessary. CC ID 01473 | Configuration | Preventive | |
| Configure the rquotad service to use a static port or a dynamic portmapper port as appropriate. CC ID 05983 | Configuration | Preventive | |
| Disable telnet unless telnet use is absolutely necessary. CC ID 01478 | Configuration | Preventive | |
| Disable File Transfer Protocol unless File Transfer Protocol use is absolutely necessary. CC ID 01479 | Configuration | Preventive | |
| Configure anonymous FTP to restrict the use of restricted data. CC ID 16314 | Configuration | Preventive | |
| Disable anonymous access to File Transfer Protocol. CC ID 06739 | Configuration | Preventive | |
| Disable Internet Message Access Protocol unless Internet Message Access Protocol use is absolutely necessary. CC ID 01485 | Configuration | Preventive | |
| Disable Post Office Protocol unless its use is absolutely necessary. CC ID 01486 | Configuration | Preventive | |
| Disable SQLServer processes unless SQLServer processes use is absolutely necessary. CC ID 01500 | Configuration | Preventive | |
| Disable alerter unless alerter use is absolutely necessary. CC ID 01810 | Configuration | Preventive | |
| Disable Background Intelligent Transfer Service unless Background Intelligent Transfer Service use is absolutely necessary. CC ID 01812 | Configuration | Preventive | |
| Disable ClipBook unless ClipBook use is absolutely necessary. CC ID 01813 | Configuration | Preventive | |
| Disable Fax Service unless Fax Service use is absolutely necessary. CC ID 01815 | Configuration | Preventive | |
| Disable IIS admin service unless IIS admin service use is absolutely necessary. CC ID 01817 | Configuration | Preventive | |
| Disable indexing service unless indexing service use is absolutely necessary. CC ID 01818 | Configuration | Preventive | |
| Disable net logon unless net logon use is absolutely necessary. CC ID 01820 | Configuration | Preventive | |
| Disable Remote Desktop Help Session Manager unless Remote Desktop Help Session Manager use is absolutely necessary. CC ID 01822 | Configuration | Preventive | |
| Disable the "Offer Remote Assistance" setting. CC ID 04325 | Configuration | Preventive | |
| Disable the "Solicited Remote Assistance" setting. CC ID 04326 | Configuration | Preventive | |
| Disable Remote Registry Service unless Remote Registry Service use is absolutely necessary. CC ID 01823 | Configuration | Preventive | |
| Disable Routing and Remote Access unless Routing and Remote Access use is necessary. CC ID 01824 | Configuration | Preventive | |
| Disable task scheduler unless task scheduler use is absolutely necessary. CC ID 01829 | Configuration | Preventive | |
| Disable Terminal Services unless Terminal Services use is absolutely necessary. CC ID 01831 | Configuration | Preventive | |
| Disable Universal Plug and Play device host unless Universal Plug and Play device host use is absolutely necessary. CC ID 01832 | Configuration | Preventive | |
| Disable File Service Protocol. CC ID 02167 | Configuration | Preventive | |
| Disable the License Logging Service unless unless it is absolutely necessary. CC ID 04282 | Configuration | Preventive | |
| Disable Remote Access Auto Connection Manager unless Remote Access Auto Connection Manager use is absolutely necessary. CC ID 04285 | Configuration | Preventive | |
| Disable Remote Access Connection Manager unless Remote Access Connection Manager use is absolutely necessary. CC ID 04286 | Configuration | Preventive | |
| Disable Remote Administration Service unless remote administration management is absolutely necessary. CC ID 04287 | Configuration | Preventive | |
| Disable remote installation unless remote installation is absolutely necessary. CC ID 04288 | Configuration | Preventive | |
| Disable Remote Server Manager unless Remote Server Manager is absolutely necessary. CC ID 04289 | Configuration | Preventive | |
| Disable Remote Server Monitor unless Remote Server Monitor use is absolutely necessary. CC ID 04290 | Configuration | Preventive | |
| Disable Remote Storage Notification unless Remote Storage Notification use is absolutely necessary. CC ID 04291 | Configuration | Preventive | |
| Disable Remote Storage Server unless Remote Storage Server use is absolutely necessary. CC ID 04292 | Configuration | Preventive | |
| Disable telephony services unless telephony services use is absolutely necessary. CC ID 04293 | Configuration | Preventive | |
| Disable Wireless Zero Configuration service unless Wireless Zero Configuration service use is absolutely necessary. CC ID 04294 | Configuration | Preventive | |
| Disable SSDP/UPnp unless SSDP/UPnP is absolutely necessary. CC ID 04315 | Configuration | Preventive | |
| Configure the "ntpd service" setting to organizational standards. CC ID 04911 | Configuration | Preventive | |
| Configure the "echo service" setting to organizational standards. CC ID 04912 | Configuration | Preventive | |
| Configure the "echo-dgram service" setting to organizational standards. CC ID 09927 | Configuration | Preventive | |
| Configure the "echo-stream service" setting to organizational standards. CC ID 09928 | Configuration | Preventive | |
| Configure the "AllowTcpForwarding" to organizational standards. CC ID 15327 | Configuration | Preventive | |
| Configure the "tcpmux-server" setting to organizational standards. CC ID 09929 | Configuration | Preventive | |
| Configure the "netstat service" setting to organizational standards. CC ID 04913 | Configuration | Preventive | |
| Configure the "character generator protocol (chargen)" setting to organizational standards. CC ID 04914 | Configuration | Preventive | |
| Configure the "tftpd service" setting to organizational standards. CC ID 04915 | Configuration | Preventive | |
| Configure the "walld service" setting to organizational standards. CC ID 04916 | Configuration | Preventive | |
| Configure the "rstatd service" setting to organizational standards. CC ID 04917 | Configuration | Preventive | |
| Configure the "sprayd service" setting to organizational standards. CC ID 04918 | Configuration | Preventive | |
| Configure the "rusersd service" setting to organizational standards. CC ID 04919 | Configuration | Preventive | |
| Configure the "inn service" setting to organizational standards. CC ID 04920 | Configuration | Preventive | |
| Configure the "font service" setting to organizational standards. CC ID 04921 | Configuration | Preventive | |
| Configure the "ident service" setting to organizational standards. CC ID 04922 | Configuration | Preventive | |
| Configure the "rexd service" setting to organizational standards. CC ID 04923 | Configuration | Preventive | |
| Configure the "daytime service" setting to organizational standards. CC ID 04924 | Configuration | Preventive | |
| Configure the "dtspc (cde-spc) service" setting to organizational standards. CC ID 04925 | Configuration | Preventive | |
| Configure the "cmsd service" setting to organizational standards. CC ID 04926 | Configuration | Preventive | |
| Configure the "ToolTalk service" setting to organizational standards. CC ID 04927 | Configuration | Preventive | |
| Configure the "discard service" setting to organizational standards. CC ID 04928 | Configuration | Preventive | |
| Configure the "vino-server service" setting to organizational standards. CC ID 04929 | Configuration | Preventive | |
| Configure the "bind service" setting to organizational standards. CC ID 04930 | Configuration | Preventive | |
| Configure the "nfsd service" setting to organizational standards. CC ID 04931 | Configuration | Preventive | |
| Configure the "mountd service" setting to organizational standards. CC ID 04932 | Configuration | Preventive | |
| Configure the "statd service" setting to organizational standards. CC ID 04933 | Configuration | Preventive | |
| Configure the "lockd service" setting to organizational standards. CC ID 04934 | Configuration | Preventive | |
| Configure the lockd service to use a static port or a dynamic portmapper port for User Datagram Protocol as appropriate. CC ID 05980 | Configuration | Preventive | |
| Configure the "decode sendmail alias" setting to organizational standards. CC ID 04935 | Configuration | Preventive | |
| Configure the sendmail vrfy command, as appropriate. CC ID 04936 | Configuration | Preventive | |
| Configure the sendmail expn command, as appropriate. CC ID 04937 | Configuration | Preventive | |
| Configure .netrc with an appropriate set of services. CC ID 04938 | Configuration | Preventive | |
| Enable NFS insecure locks as necessary. CC ID 04939 | Configuration | Preventive | |
| Configure the "X server ac" setting to organizational standards. CC ID 04940 | Configuration | Preventive | |
| Configure the "X server core" setting to organizational standards. CC ID 04941 | Configuration | Preventive | |
| Enable or disable the setroubleshoot service, as appropriate. CC ID 05540 | Configuration | Preventive | |
| Configure the "X server nolock" setting to organizational standards. CC ID 04942 | Configuration | Preventive | |
| Enable or disable the mcstrans service, as appropriate. CC ID 05541 | Configuration | Preventive | |
| Configure the "PAM console" setting to organizational standards. CC ID 04943 | Configuration | Preventive | |
| Enable or disable the restorecond service, as appropriate. CC ID 05542 | Configuration | Preventive | |
| Enable the rhnsd service as necessary. CC ID 04944 | Configuration | Preventive | |
| Enable the yum-updatesd service as necessary. CC ID 04945 | Configuration | Preventive | |
| Enable the autofs service as necessary. CC ID 04946 | Configuration | Preventive | |
| Enable the ip6tables service as necessary. CC ID 04947 | Configuration | Preventive | |
| Configure syslog to organizational standards. CC ID 04949 | Configuration | Preventive | |
| Enable the auditd service as necessary. CC ID 04950 | Configuration | Preventive | |
| Enable the logwatch service as necessary. CC ID 04951 | Configuration | Preventive | |
| Enable the logrotate (syslog rotator) service as necessary. CC ID 04952 | Configuration | Preventive | |
| Install or uninstall the telnet server package, only if absolutely necessary. CC ID 04953 | Configuration | Preventive | |
| Enable the ypbind service as necessary. CC ID 04954 | Configuration | Preventive | |
| Enable the ypserv service as necessary. CC ID 04955 | Configuration | Preventive | |
| Enable the firstboot service as necessary. CC ID 04956 | Configuration | Preventive | |
| Enable the gpm service as necessary. CC ID 04957 | Configuration | Preventive | |
| Enable the irqbalance service as necessary. CC ID 04958 | Configuration | Preventive | |
| Enable the isdn service as necessary. CC ID 04959 | Configuration | Preventive | |
| Enable the kdump service as necessary. CC ID 04960 | Configuration | Preventive | |
| Enable the mdmonitor service as necessary. CC ID 04961 | Configuration | Preventive | |
| Enable the microcode_ctl service as necessary. CC ID 04962 | Configuration | Preventive | |
| Enable the pcscd service as necessary. CC ID 04963 | Configuration | Preventive | |
| Enable the smartd service as necessary. CC ID 04964 | Configuration | Preventive | |
| Enable the readahead_early service as necessary. CC ID 04965 | Configuration | Preventive | |
| Enable the readahead_later service as necessary. CC ID 04966 | Configuration | Preventive | |
| Enable the messagebus service as necessary. CC ID 04967 | Configuration | Preventive | |
| Enable the haldaemon service as necessary. CC ID 04968 | Configuration | Preventive | |
| Enable the apmd service as necessary. CC ID 04969 | Configuration | Preventive | |
| Enable the acpid service as necessary. CC ID 04970 | Configuration | Preventive | |
| Enable the cpuspeed service as necessary. CC ID 04971 | Configuration | Preventive | |
| Enable the network service as necessary. CC ID 04972 | Configuration | Preventive | |
| Enable the hidd service as necessary. CC ID 04973 | Configuration | Preventive | |
| Enable the crond service as necessary. CC ID 04974 | Configuration | Preventive | |
| Install and enable the anacron service as necessary. CC ID 04975 | Configuration | Preventive | |
| Enable the xfs service as necessary. CC ID 04976 | Configuration | Preventive | |
| Install and enable the Avahi daemon service, as necessary. CC ID 04977 | Configuration | Preventive | |
| Enable the CUPS service, as necessary. CC ID 04978 | Configuration | Preventive | |
| Enable the hplip service as necessary. CC ID 04979 | Configuration | Preventive | |
| Enable the dhcpd service as necessary. CC ID 04980 | Configuration | Preventive | |
| Enable the nfslock service as necessary. CC ID 04981 | Configuration | Preventive | |
| Enable the rpcgssd service as necessary. CC ID 04982 | Configuration | Preventive | |
| Enable the rpcidmapd service as necessary. CC ID 04983 | Configuration | Preventive | |
| Enable the rpcsvcgssd service as necessary. CC ID 04985 | Configuration | Preventive | |
| Configure root squashing for all NFS shares, as appropriate. CC ID 04986 | Configuration | Preventive | |
| Configure write access to NFS shares, as appropriate. CC ID 04987 | Configuration | Preventive | |
| Configure the named service, as appropriate. CC ID 04988 | Configuration | Preventive | |
| Configure the vsftpd service, as appropriate. CC ID 04989 | Configuration | Preventive | |
| Configure the “dovecot” service to organizational standards. CC ID 04990 | Configuration | Preventive | |
| Configure Server Message Block (SMB) to organizational standards. CC ID 04991 | Configuration | Preventive | |
| Enable the snmpd service as necessary. CC ID 04992 | Configuration | Preventive | |
| Enable the calendar manager as necessary. CC ID 04993 | Configuration | Preventive | |
| Enable the GNOME logon service as necessary. CC ID 04994 | Configuration | Preventive | |
| Enable the WBEM services as necessary. CC ID 04995 | Configuration | Preventive | |
| Enable the keyserv service as necessary. CC ID 04996 | Configuration | Preventive | |
| Enable the Generic Security Service daemon as necessary. CC ID 04997 | Configuration | Preventive | |
| Enable the volfs service as necessary. CC ID 04998 | Configuration | Preventive | |
| Enable the smserver service as necessary. CC ID 04999 | Configuration | Preventive | |
| Enable the mpxio-upgrade service as necessary. CC ID 05000 | Configuration | Preventive | |
| Enable the metainit service as necessary. CC ID 05001 | Configuration | Preventive | |
| Enable the meta service as necessary. CC ID 05003 | Configuration | Preventive | |
| Enable the metaed service as necessary. CC ID 05004 | Configuration | Preventive | |
| Enable the metamh service as necessary. CC ID 05005 | Configuration | Preventive | |
| Enable the Local RPC Port Mapping Service as necessary. CC ID 05006 | Configuration | Preventive | |
| Enable the Kerberos kadmind service as necessary. CC ID 05007 | Configuration | Preventive | |
| Enable the Kerberos krb5kdc service as necessary. CC ID 05008 | Configuration | Preventive | |
| Enable the Kerberos kpropd service as necessary. CC ID 05009 | Configuration | Preventive | |
| Enable the Kerberos ktkt_warnd service as necessary. CC ID 05010 | Configuration | Preventive | |
| Enable the sadmin service as necessary. CC ID 05011 | Configuration | Preventive | |
| Enable the IPP listener as necessary. CC ID 05012 | Configuration | Preventive | |
| Enable the serial port listener as necessary. CC ID 05013 | Configuration | Preventive | |
| Enable the Smart Card Helper service as necessary. CC ID 05014 | Configuration | Preventive | |
| Enable the Application Management service as necessary. CC ID 05015 | Configuration | Preventive | |
| Enable the Resultant Set of Policy (RSoP) Provider service as necessary. CC ID 05016 | Configuration | Preventive | |
| Enable the Network News Transport Protocol service as necessary. CC ID 05017 | Configuration | Preventive | |
| Enable the network Dynamic Data Exchange service as necessary. CC ID 05018 | Configuration | Preventive | |
| Enable the Distributed Link Tracking Server service as necessary. CC ID 05019 | Configuration | Preventive | |
| Enable the RARP service as necessary. CC ID 05020 | Configuration | Preventive | |
| Configure the ".NET Framework service" setting to organizational standards. CC ID 05021 | Configuration | Preventive | |
| Enable the Network DDE Share Database Manager service as necessary. CC ID 05022 | Configuration | Preventive | |
| Enable the Certificate Services service as necessary. CC ID 05023 | Configuration | Preventive | |
| Configure the ATI hotkey poller service properly. CC ID 05024 | Configuration | Preventive | |
| Configure the Interix Subsystem Startup service properly. CC ID 05025 | Configuration | Preventive | |
| Configure the Cluster Service service properly. CC ID 05026 | Configuration | Preventive | |
| Configure the IAS Jet Database Access service properly. CC ID 05027 | Configuration | Preventive | |
| Configure the IAS service properly. CC ID 05028 | Configuration | Preventive | |
| Configure the IP Version 6 Helper service properly. CC ID 05029 | Configuration | Preventive | |
| Configure "Message Queuing service" to organizational standards. CC ID 05030 | Configuration | Preventive | |
| Configure the Message Queuing Down Level Clients service properly. CC ID 05031 | Configuration | Preventive | |
| Configure the Windows Management Instrumentation Driver Extensions service properly. CC ID 05033 | Configuration | Preventive | |
| Configure the TCP/IP NetBIOS Helper Service properly. CC ID 05034 | Configuration | Preventive | |
| Configure the Utility Manager service properly. CC ID 05035 | Configuration | Preventive | |
| Configure the secondary logon service properly. CC ID 05036 | Configuration | Preventive | |
| Configure the Windows Management Instrumentation service properly. CC ID 05037 | Configuration | Preventive | |
| Configure the Workstation service properly. CC ID 05038 | Configuration | Preventive | |
| Configure the Windows Installer service properly. CC ID 05039 | Configuration | Preventive | |
| Configure the Windows System Resource Manager service properly. CC ID 05040 | Configuration | Preventive | |
| Configure the WinHTTP Web Proxy Auto-Discovery Service properly. CC ID 05041 | Configuration | Preventive | |
| Configure the Services for Unix Client for NFS service properly. CC ID 05042 | Configuration | Preventive | |
| Configure the Services for Unix Server for PCNFS service properly. CC ID 05043 | Configuration | Preventive | |
| Configure the Services for Unix Perl Socket service properly. CC ID 05044 | Configuration | Preventive | |
| Configure the Services for Unix User Name Mapping service properly. CC ID 05045 | Configuration | Preventive | |
| Configure the Services for Unix Windows Cron service properly. CC ID 05046 | Configuration | Preventive | |
| Configure the Windows Media Services service properly. CC ID 05047 | Configuration | Preventive | |
| Configure the Services for Netware Service Advertising Protocol (SAP) Agent properly. CC ID 05048 | Configuration | Preventive | |
| Configure the Web Element Manager service properly. CC ID 05049 | Configuration | Preventive | |
| Configure the Remote Installation Services Single Instance Storage (SIS) Groveler service properly. CC ID 05050 | Configuration | Preventive | |
| Configure the Terminal Services Licensing service properly. CC ID 05051 | Configuration | Preventive | |
| Configure the COM+ Event System service properly. CC ID 05052 | Configuration | Preventive | |
| Configure the Event Log service properly. CC ID 05053 | Configuration | Preventive | |
| Configure the Infrared Monitor service properly. CC ID 05054 | Configuration | Preventive | |
| Configure the Services for Unix Server for NFS service properly. CC ID 05055 | Configuration | Preventive | |
| Configure the System Event Notification Service properly. CC ID 05056 | Configuration | Preventive | |
| Configure the NTLM Security Support Provider service properly. CC ID 05057 | Configuration | Preventive | |
| Configure the Performance Logs and Alerts service properly. CC ID 05058 | Configuration | Preventive | |
| Configure the Protected Storage service properly. CC ID 05059 | Configuration | Preventive | |
| Configure the QoS Admission Control (RSVP) service properly. CC ID 05060 | Configuration | Preventive | |
| Configure the Remote Procedure Call service properly. CC ID 05061 | Configuration | Preventive | |
| Configure the Removable Storage service properly. CC ID 05062 | Configuration | Preventive | |
| Configure the Server service properly. CC ID 05063 | Configuration | Preventive | |
| Configure the Security Accounts Manager service properly. CC ID 05064 | Configuration | Preventive | |
| Configure the “Network Connections” service to organizational standards. CC ID 05065 | Configuration | Preventive | |
| Configure the Logical Disk Manager service properly. CC ID 05066 | Configuration | Preventive | |
| Configure the Logical Disk Manager Administrative Service properly. CC ID 05067 | Configuration | Preventive | |
| Configure the File Replication service properly. CC ID 05068 | Configuration | Preventive | |
| Configure the Kerberos Key Distribution Center service properly. CC ID 05069 | Configuration | Preventive | |
| Configure the Intersite Messaging service properly. CC ID 05070 | Configuration | Preventive | |
| Configure the Remote Procedure Call locator service properly. CC ID 05071 | Configuration | Preventive | |
| Configure the Distributed File System service properly. CC ID 05072 | Configuration | Preventive | |
| Configure the Windows Internet Name Service service properly. CC ID 05073 | Configuration | Preventive | |
| Configure the FTP Publishing Service properly. CC ID 05074 | Configuration | Preventive | |
| Configure the Windows Search service properly. CC ID 05075 | Configuration | Preventive | |
| Configure the Microsoft Peer-to-Peer Networking Services service properly. CC ID 05076 | Configuration | Preventive | |
| Configure the Remote Shell service properly. CC ID 05077 | Configuration | Preventive | |
| Configure Simple TCP/IP services to organizational standards. CC ID 05078 | Configuration | Preventive | |
| Configure the Print Services for Unix service properly. CC ID 05079 | Configuration | Preventive | |
| Configure the File Shares service to organizational standards. CC ID 05080 | Configuration | Preventive | |
| Configure the NetMeeting service properly. CC ID 05081 | Configuration | Preventive | |
| Configure the Application Layer Gateway service properly. CC ID 05082 | Configuration | Preventive | |
| Configure the Cryptographic Services service properly. CC ID 05083 | Configuration | Preventive | |
| Configure the Help and Support Service properly. CC ID 05084 | Configuration | Preventive | |
| Configure the Human Interface Device Access service properly. CC ID 05085 | Configuration | Preventive | |
| Configure the IMAPI CD-Burning COM service properly. CC ID 05086 | Configuration | Preventive | |
| Configure the MS Software Shadow Copy Provider service properly. CC ID 05087 | Configuration | Preventive | |
| Configure the Network Location Awareness service properly. CC ID 05088 | Configuration | Preventive | |
| Configure the Portable Media Serial Number Service service properly. CC ID 05089 | Configuration | Preventive | |
| Configure the System Restore Service service properly. CC ID 05090 | Configuration | Preventive | |
| Configure the Themes service properly. CC ID 05091 | Configuration | Preventive | |
| Configure the Uninterruptible Power Supply service properly. CC ID 05092 | Configuration | Preventive | |
| Configure the Upload Manager service properly. CC ID 05093 | Configuration | Preventive | |
| Configure the Volume Shadow Copy Service properly. CC ID 05094 | Configuration | Preventive | |
| Configure the WebClient service properly. CC ID 05095 | Configuration | Preventive | |
| Configure the Windows Audio service properly. CC ID 05096 | Configuration | Preventive | |
| Configure the Windows Image Acquisition service properly. CC ID 05097 | Configuration | Preventive | |
| Configure the WMI Performance Adapter service properly. CC ID 05098 | Configuration | Preventive | |
| Enable file uploads via vsftpd service, as appropriate. CC ID 05100 | Configuration | Preventive | |
| Disable or remove sadmind unless use of sadmind is absolutely necessary. CC ID 06885 | Configuration | Preventive | |
| Configure the "SNMP version 1" setting to organizational standards. CC ID 08976 | Configuration | Preventive | |
| Configure the "xdmcp service" setting to organizational standards. CC ID 08985 | Configuration | Preventive | |
| Disable the automatic display of remote images in HTML-formatted e-mail. CC ID 04494 | Configuration | Preventive | |
| Disable Remote Apply Events unless Remote Apply Events are absolutely necessary. CC ID 04495 | Configuration | Preventive | |
| Disable Xgrid unless Xgrid is absolutely necessary. CC ID 04496 | Configuration | Preventive | |
| Configure the "Do Not Show First Use Dialog Boxes" setting for Windows Media Player properly. CC ID 05136 | Configuration | Preventive | |
| Disable Core dumps unless absolutely necessary. CC ID 01507 | Configuration | Preventive | |
| Set hard core dump size limits, as appropriate. CC ID 05990 | Configuration | Preventive | |
| Configure the "Prevent Desktop Shortcut Creation" setting for Windows Media Player properly. CC ID 05137 | Configuration | Preventive | |
| Set the Squid EUID and Squid GUID to an appropriate user and group. CC ID 05138 | Configuration | Preventive | |
| Verify groups referenced in /etc/passwd are included in /etc/group, as appropriate. CC ID 05139 | Configuration | Preventive | |
| Use of the cron.allow file should be enabled or disabled as appropriate. CC ID 06014 | Configuration | Preventive | |
| Use of the at.allow file should be enabled or disabled as appropriate. CC ID 06015 | Configuration | Preventive | |
| Enable or disable the Dynamic DNS feature of the DHCP Server as appropriate. CC ID 06039 | Configuration | Preventive | |
| Enable or disable each user's Screen saver software, as necessary. CC ID 06050 | Configuration | Preventive | |
| Disable any unnecessary scripting languages, as necessary. CC ID 12137 | Configuration | Preventive | |
| Establish, implement, and maintain authenticators. CC ID 15305 | Technical Security | Preventive | |
| Establish, implement, and maintain an authenticator standard. CC ID 01702 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an authenticator management system. CC ID 12031 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain authenticator procedures. CC ID 12002 | Establish/Maintain Documentation | Preventive | |
| Configure authenticators to comply with organizational standards. CC ID 06412 | Configuration | Preventive | |
| Configure the system to mask authenticators. CC ID 02037 [The device never displays the entered PIN digits. Any array related to PIN entry displays only non-significant symbols, e.g., asterisks. B5] | Configuration | Preventive | |
| Configure the system security parameters to prevent system misuse or information misappropriation. CC ID 00881 | Configuration | Preventive | |
| Configure the system to a default secure level. CC ID 01519 [The device has guidance that describes the default configuration for each protocol and services for each interface that is available on the device. Each interface and protocol on the device should default to secure settings. If the interface has the ability to be configurable to non-secure settings, vendor guidance should strongly recommend against configuring to non-secure settings. H2] | Configuration | Preventive | |
| Establish, implement, and maintain a Configuration Baseline Documentation Record. CC ID 02130 [The device has guidance that describes the default configuration for each protocol and services for each interface that is available on the device. Each interface and protocol on the device should default to secure settings. If the interface has the ability to be configurable to non-secure settings, vendor guidance should strongly recommend against configuring to non-secure settings. H2] | Establish/Maintain Documentation | Preventive | |
| Document and approve any changes to the Configuration Baseline Documentation Record. CC ID 12104 | Establish/Maintain Documentation | Preventive | |
| Create a hardened image of the baseline configuration to be used for building new systems. CC ID 07063 | Configuration | Preventive | |
| Store master images on securely configured servers. CC ID 12089 | Technical Security | Preventive | |
| Test systems to ensure they conform to configuration baselines. CC ID 13062 | Testing | Detective | |
| Update the security configuration of hardened images, as necessary. CC ID 12088 | Technical Security | Corrective | |
Systems design, build, and implementation | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Systems design, build, and implementation CC ID 00989 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a System Development Life Cycle program. CC ID 11823 | Systems Design, Build, and Implementation | Preventive | |
| Include information security throughout the system development life cycle. CC ID 12042 [Security measures are taken during the development and maintenance of POI security-related components. The manufacturer must maintain development-security documentation describing all the physical, procedural, personnel, and other security measures that are necessary to protect the integrity of the design and implementation of the POI security-related components in their development environment. The development-security documentation shall provide evidence that these security measures are followed during the development and maintenance of the POI security-related components. The evidence shall justify that the security measures provide the necessary level of protection to maintain the integrity of the POI security-related components. L7] | Systems Design, Build, and Implementation | Preventive | |
| Protect confidential information during the system development life cycle program. CC ID 13479 | Data and Information Management | Preventive | |
| Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 | Systems Design, Build, and Implementation | Preventive | |
| Develop systems in accordance with the system design specifications and system design standards. CC ID 01094 | Systems Design, Build, and Implementation | Preventive | |
| Protect stored manufacturing components prior to assembly. CC ID 12248 [The certified firmware is protected and stored in such a manner as to preclude unauthorized modification during its entire manufacturing life cycle—e.g., by using dual control or standardized cryptographic authentication procedures. L2] | Systems Design, Build, and Implementation | Preventive | |
| Store manufacturing components in a controlled access area. CC ID 12256 [Subsequent to production but prior to shipment from the manufacturer’s or reseller’s facility, the device and any of its components are stored in a protected, access-controlled area or sealed within tamper-evident packaging to prevent undetected unauthorized access to the device or its components. L5] | Physical and Environmental Protection | Preventive | |
| Develop new products based on best practices. CC ID 01095 | Systems Design, Build, and Implementation | Preventive | |
| Establish, implement, and maintain a system design specification. CC ID 04557 | Establish/Maintain Documentation | Preventive | |
| Include security requirements in the system design specification. CC ID 06826 | Systems Design, Build, and Implementation | Preventive | |
| Include anti-tamper technologies and anti-tamper techniques in the system design specification. CC ID 10639 [The PIN pad (PIN entry area) and the surrounding area must be designed and engineered in such a way that the complete device does not facilitate the fraudulent placement of an overlay over the PIN pad.\ An overlay attack must require an attack potential of at least 18 for identification and initial exploitation, with a minimum of 9 for exploitation. E2.2] | Monitor and Evaluate Occurrences | Detective | |
| Implement security controls when developing systems. CC ID 06270 [Security measures are taken during the development and maintenance of POI security-related components. The manufacturer must maintain development-security documentation describing all the physical, procedural, personnel, and other security measures that are necessary to protect the integrity of the design and implementation of the POI security-related components in their development environment. The development-security documentation shall provide evidence that these security measures are followed during the development and maintenance of the POI security-related components. The evidence shall justify that the security measures provide the necessary level of protection to maintain the integrity of the POI security-related components. L7] | Systems Design, Build, and Implementation | Preventive | |
| Analyze and minimize attack surfaces when developing systems. CC ID 06828 | Systems Design, Build, and Implementation | Preventive | |
| Include restricted data encryption and restricted information encryption in the security controls. CC ID 01083 | Technical Security | Preventive | |
| Require successful authentication before granting access to system functionality via network interfaces. CC ID 14926 | Technical Security | Preventive | |
| Audit all modifications to the application being developed. CC ID 01614 | Testing | Detective | |
| Implement a hardware security module, as necessary. CC ID 12222 | Systems Design, Build, and Implementation | Preventive | |
| Require dual authentication when switching out of PCI mode in the hardware security module. CC ID 12274 | Systems Design, Build, and Implementation | Preventive | |
| Include an indicator to designate when the hardware security module is in PCI mode. CC ID 12273 | Systems Design, Build, and Implementation | Preventive | |
| Design the random number generator to generate random numbers that are unpredictable. CC ID 12255 [If random numbers are generated by the device in connection with security over sensitive data, the random number generator has been assessed to ensure it is generating numbers sufficiently unpredictable. B9] | Systems Design, Build, and Implementation | Preventive | |
| Design the hardware security module to enforce the separation between applications. CC ID 12254 [If the device supports multiple applications, it must enforce the separation between applications. It must not be possible that one application interferes with or tampers with another application or the OS of the device including, but not limited to, modifying data objects belonging to another application or the OS. B17 If the device supports multiple applications, it must enforce the separation between applications consistent with B17. K20] | Systems Design, Build, and Implementation | Preventive | |
| Protect sensitive data when transiting sensitive services in the hardware security module. CC ID 12253 [Access to sensitive services requires authentication. Sensitive services provide access to the underlying sensitive functions. Sensitive functions are those functions that process sensitive data such as cryptographic keys, PINs, and passwords. Entering or exiting sensitive services shall not reveal or otherwise affect sensitive data. B7] | Systems Design, Build, and Implementation | Preventive | |
| Design the hardware security module to automatically clear its internal buffers of sensitive information prior to reuse of the buffer. CC ID 12233 [Sensitive data shall not be retained any longer, or used more often, than strictly necessary. Online PINs are encrypted within the device immediately after PIN entry is complete and has been signified as such by the cardholder, e.g., via pressing the enter button.\ The device must automatically clear its internal buffers when either:\ - The transaction is completed, or\ - The device has timed out waiting for the response from the cardholder or merchant. B6] | Systems Design, Build, and Implementation | Preventive | |
| Design the hardware security module to automatically clear its internal buffers of sensitive information after it recovers from an error condition. CC ID 12252 | Systems Design, Build, and Implementation | Preventive | |
| Design the hardware security module to automatically clear its internal buffers of sensitive information when it has timed out. CC ID 12251 [Sensitive data shall not be retained any longer, or used more often, than strictly necessary. Online PINs are encrypted within the device immediately after PIN entry is complete and has been signified as such by the cardholder, e.g., via pressing the enter button.\ The device must automatically clear its internal buffers when either:\ - The transaction is completed, or\ - The device has timed out waiting for the response from the cardholder or merchant. B6] | Systems Design, Build, and Implementation | Preventive | |
| Design the hardware security module to erase sensitive data when compromised. CC ID 12275 [{physical alteration} While in transit from the manufacturer’s facility to the initial key-loading facility, the device is:\ - Shipped and stored in tamper-evident packaging; and/or\ - Shipped and stored containing a secret that is immediately and automatically erased if any physical or functional alteration to the device is attempted, that can be verified by the initial key-loading facility, but that cannot feasibly be determined by unauthorized personnel. M3] | Systems Design, Build, and Implementation | Preventive | |
| Restrict key-usage information for cryptographic keys in the hardware security module. CC ID 12232 | Systems Design, Build, and Implementation | Preventive | |
| Prevent cryptographic keys in the hardware security module from making unauthorized changes to data. CC ID 12231 [It is not possible to encrypt or decrypt any arbitrary data using any PIN-encrypting key or key-encrypting key contained in the device. The device must enforce that data keys, key-encipherment keys, and PIN-encryption keys have different values. B13] | Systems Design, Build, and Implementation | Preventive | |
| Include in the system documentation methodologies for authenticating the hardware security module. CC ID 12258 [{TOE} The device’s development-security documentation must provide means to the initial key-loading facility to assure the authenticity of the TOE’s security relevant components. M4] | Establish/Maintain Documentation | Preventive | |
| Protect sensitive information within the hardware security module from unauthorized changes. CC ID 12225 [{sensitive function}{sensitive data} Sensitive functions or data are only used in the protected area(s) of the device. Sensitive data and functions dealing with sensitive data are protected from modification without requiring an attack potential of at least 26 for identification and initial exploitation, with a minimum of 13 for exploitation, exclusive of the IC card reader, for identification and initial exploitation. A4 {sensitive function}{sensitive data} Sensitive functions or data are only used in the protected area(s) of the device. Sensitive data and functions dealing with sensitive data are protected from modification without requiring an attack potential of at least 26 for identification and initial exploitation, with a minimum of 13 for exploitation, exclusive of the IC card reader, for identification and initial exploitation. A4] | Systems Design, Build, and Implementation | Preventive | |
| Prohibit sensitive functions from working outside of protected areas of the hardware security module. CC ID 12224 [{sensitive function}{sensitive data} Sensitive functions or data are only used in the protected area(s) of the device. Sensitive data and functions dealing with sensitive data are protected from modification without requiring an attack potential of at least 26 for identification and initial exploitation, with a minimum of 13 for exploitation, exclusive of the IC card reader, for identification and initial exploitation. A4 {sensitive function}{sensitive data} Sensitive functions or data are only used in the protected area(s) of the device. Sensitive data and functions dealing with sensitive data are protected from modification without requiring an attack potential of at least 26 for identification and initial exploitation, with a minimum of 13 for exploitation, exclusive of the IC card reader, for identification and initial exploitation. A4] | Systems Design, Build, and Implementation | Preventive | |
| Establish, implement, and maintain an acceptable use policy for the hardware security module. CC ID 12247 [A user-available security policy from the vendor addresses the proper use of the POI in a secure fashion, including information on key-management responsibilities, administrative responsibilities, device functionality, identification, and environmental requirements. The security policy must define the roles supported by the POI and indicate the services available for each role in a deterministic tabular format. The POI is capable of performing only its designed functions—i.e., there is no hidden functionality. The only approved functions performed by the POI are those allowed by the policy. B20] | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the acceptable use policy for the hardware security module. CC ID 12264 [A user-available security policy from the vendor addresses the proper use of the POI in a secure fashion, including information on key-management responsibilities, administrative responsibilities, device functionality, identification, and environmental requirements. The security policy must define the roles supported by the POI and indicate the services available for each role in a deterministic tabular format. The POI is capable of performing only its designed functions—i.e., there is no hidden functionality. The only approved functions performed by the POI are those allowed by the policy. B20] | Establish/Maintain Documentation | Preventive | |
| Include the environmental requirements in the acceptable use policy for the hardware security module. CC ID 12263 [A user-available security policy from the vendor addresses the proper use of the POI in a secure fashion, including information on key-management responsibilities, administrative responsibilities, device functionality, identification, and environmental requirements. The security policy must define the roles supported by the POI and indicate the services available for each role in a deterministic tabular format. The POI is capable of performing only its designed functions—i.e., there is no hidden functionality. The only approved functions performed by the POI are those allowed by the policy. B20] | Establish/Maintain Documentation | Preventive | |
| Include device identification in the acceptable use policy for the hardware security module. CC ID 12262 [A user-available security policy from the vendor addresses the proper use of the POI in a secure fashion, including information on key-management responsibilities, administrative responsibilities, device functionality, identification, and environmental requirements. The security policy must define the roles supported by the POI and indicate the services available for each role in a deterministic tabular format. The POI is capable of performing only its designed functions—i.e., there is no hidden functionality. The only approved functions performed by the POI are those allowed by the policy. B20] | Establish/Maintain Documentation | Preventive | |
| Include device functionality in the acceptable use policy for the hardware security module. CC ID 12261 [A user-available security policy from the vendor addresses the proper use of the POI in a secure fashion, including information on key-management responsibilities, administrative responsibilities, device functionality, identification, and environmental requirements. The security policy must define the roles supported by the POI and indicate the services available for each role in a deterministic tabular format. The POI is capable of performing only its designed functions—i.e., there is no hidden functionality. The only approved functions performed by the POI are those allowed by the policy. B20] | Establish/Maintain Documentation | Preventive | |
| Include administrative responsibilities in the acceptable use policy for the hardware security module. CC ID 12260 [A user-available security policy from the vendor addresses the proper use of the POI in a secure fashion, including information on key-management responsibilities, administrative responsibilities, device functionality, identification, and environmental requirements. The security policy must define the roles supported by the POI and indicate the services available for each role in a deterministic tabular format. The POI is capable of performing only its designed functions—i.e., there is no hidden functionality. The only approved functions performed by the POI are those allowed by the policy. B20] | Establish/Maintain Documentation | Preventive | |
| Install secret information into the hardware security module during manufacturing. CC ID 12249 | Systems Design, Build, and Implementation | Preventive | |
| Install secret information into the hardware security module so that it can only be verified by the initial-key-loading facility. CC ID 12272 [{initial-key-loading facility} If the device will be authenticated at the key-loading facility or the facility of initial deployment by means of secret information placed in the device during manufacturing, then this secret information is unique to each device, unknown and unpredictable to any person, and installed in the device under dual control to ensure that it is not disclosed during installation. L6 {physical alteration} While in transit from the manufacturer’s facility to the initial key-loading facility, the device is:\ - Shipped and stored in tamper-evident packaging; and/or\ - Shipped and stored containing a secret that is immediately and automatically erased if any physical or functional alteration to the device is attempted, that can be verified by the initial key-loading facility, but that cannot feasibly be determined by unauthorized personnel. M3] | Systems Design, Build, and Implementation | Preventive | |
| Install secret information under dual control into the hardware security module. CC ID 12257 [{initial-key-loading facility} If the device will be authenticated at the key-loading facility or the facility of initial deployment by means of secret information placed in the device during manufacturing, then this secret information is unique to each device, unknown and unpredictable to any person, and installed in the device under dual control to ensure that it is not disclosed during installation. L6] | Systems Design, Build, and Implementation | Preventive | |
| Establish, implement, and maintain session security coding standards. CC ID 04584 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain a cryptographic architecture document. CC ID 12476 | Establish/Maintain Documentation | Preventive | |
| Include the algorithms used in the cryptographic architecture document. CC ID 12483 | Establish/Maintain Documentation | Preventive | |
| Include an inventory of all protected areas in the cryptographic architecture document. CC ID 12486 | Establish/Maintain Documentation | Preventive | |
| Include a description of the key usage for each key in the cryptographic architecture document. CC ID 12484 | Establish/Maintain Documentation | Preventive | |
| Include descriptions of all cryptographic keys in the cryptographic architecture document. CC ID 12487 | Establish/Maintain Documentation | Preventive | |
| Include descriptions of the cryptographic key strength of all cryptographic keys in the cryptographic architecture document. CC ID 12488 | Establish/Maintain Documentation | Preventive | |
| Include each cryptographic key's expiration date in the cryptographic architecture document. CC ID 12489 | Establish/Maintain Documentation | Preventive | |
| Include the protocols used in the cryptographic architecture document. CC ID 12485 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain system security documentation. CC ID 06271 [Security measures are taken during the development and maintenance of POI security-related components. The manufacturer must maintain development-security documentation describing all the physical, procedural, personnel, and other security measures that are necessary to protect the integrity of the design and implementation of the POI security-related components in their development environment. The development-security documentation shall provide evidence that these security measures are followed during the development and maintenance of the POI security-related components. The evidence shall justify that the security measures provide the necessary level of protection to maintain the integrity of the POI security-related components. L7 {document and maintain} The vendor documents, maintains and makes available to integrators details on how to implement the protection system against unauthorized removal. E4.2 The device has security guidance that describes how protocols and services must be used for each interface that is accessible by the device applications. H1] | Establish/Maintain Documentation | Preventive | |
| Document the procedures and environment used to create the system or software. CC ID 06609 | Establish/Maintain Documentation | Preventive | |
| Develop new products based on secure coding techniques. CC ID 11733 | Systems Design, Build, and Implementation | Preventive | |
| Establish and maintain a coding manual for secure coding techniques. CC ID 11863 [The vendor must provide clear security guidance consistent with B2 and B6 to all application developers to ensure:\ - That it is not possible for applications to be influenced by logical anomalies which could result in clear-text data being outputted whilst the terminal is in encrypting mode.\ - That account data is not retained any longer, or used more often, than strictly necessary. K11.2] | Establish/Maintain Documentation | Preventive | |
| Protect applications from insufficient anti-automation through secure coding techniques in source code. CC ID 16854 | Technical Security | Preventive | |
| Protect applications from improper access control through secure coding techniques in source code. CC ID 11959 | Technical Security | Preventive | |
| Protect applications from improper error handling through secure coding techniques in source code. CC ID 11937 [The device’s functionality shall not be influenced by logical anomalies such as (but not limited to) unexpected command sequences, unknown commands, commands in a wrong device mode and supplying wrong parameters or data which could result in the device outputting the clear- text PIN or other sensitive data. B2 The device’s functionality shall not be influenced by logical anomalies consistent with B2. K13] | Technical Security | Preventive | |
| Protect applications from insecure communications through secure coding techniques in source code. CC ID 11936 | Technical Security | Preventive | |
| Protect applications from attacks on business logic through secure coding techniques in source code. CC ID 15472 | Systems Design, Build, and Implementation | Preventive | |
| Protect applications from XML external entities through secure coding techniques in source code. CC ID 14806 | Technical Security | Preventive | |
| Protect applications from insecure deserialization through secure coding techniques in source code. CC ID 14805 | Technical Security | Preventive | |
| Refrain from hard-coding security parameters in source code. CC ID 14917 | Systems Design, Build, and Implementation | Preventive | |
| Refrain from hard-coding usernames in source code. CC ID 06561 | Technical Security | Preventive | |
| Refrain from hard-coding authenticators in source code. CC ID 11829 | Technical Security | Preventive | |
| Refrain from hard-coding cryptographic keys in source code. CC ID 12307 | Technical Security | Preventive | |
| Protect applications from injection flaws through secure coding techniques in source code. CC ID 11944 | Technical Security | Preventive | |
| Protect applications from attacks on data and data structures through secure coding techniques in source code. CC ID 15482 | Systems Design, Build, and Implementation | Preventive | |
| Control user account management through secure coding techniques in source code. CC ID 11909 | Technical Security | Preventive | |
| Restrict direct access of databases to the database administrator through secure coding techniques in source code. CC ID 11933 | Technical Security | Preventive | |
| Protect applications from buffer overflows through secure coding techniques in source code. CC ID 11943 | Technical Security | Preventive | |
| Protect applications from cross-site scripting through secure coding techniques in source code. CC ID 11899 | Process or Activity | Preventive | |
| Protect against coding vulnerabilities through secure coding techniques in source code. CC ID 11897 [The vendor must provide clear security guidance consistent with B2 and B6 to all application developers to ensure:\ - That it is not possible for applications to be influenced by logical anomalies which could result in clear-text data being outputted whilst the terminal is in encrypting mode.\ - That account data is not retained any longer, or used more often, than strictly necessary. K11.2] | Process or Activity | Preventive | |
| Protect applications from broken authentication and session management through secure coding techniques in source code. CC ID 11896 | Process or Activity | Preventive | |
| Protect applications from insecure cryptographic storage through secure coding techniques in source code. CC ID 11935 | Technical Security | Preventive | |
| Protect applications from cross-site request forgery through secure coding techniques in source code. CC ID 11895 | Process or Activity | Preventive | |
| Protect databases from unauthorized database management actions through secure coding techniques in source code. CC ID 12049 | Technical Security | Preventive | |
| Refrain from displaying error messages to end users through secure coding techniques in source code. CC ID 12166 | Systems Design, Build, and Implementation | Preventive | |
| Initiate the System Development Life Cycle implementation phase. CC ID 06268 | Systems Design, Build, and Implementation | Preventive | |
| Manage the system implementation process. CC ID 01115 | Behavior | Preventive | |
| Implement systems to allow for maintenance, cleaning, adjustment, and use. CC ID 06213 [{inspection process} Controls exist over the repair process, including the resetting of tamper mechanisms, and the inspection/testing process subsequent to repair to ensure that the device has not been subject to unauthorized modification. L8] | Systems Design, Build, and Implementation | Preventive | |
| Establish and maintain end user support communications. CC ID 06615 | Business Processes | Preventive | |
| Establish, implement, and maintain user documentation. CC ID 12250 | Establish/Maintain Documentation | Preventive | |
| Include loss or theft instructions in the user documentation, as necessary. CC ID 12270 [The vendor must maintain a manual that provides instructions for the operational management of the POI. This includes instructions for recording the entire life cycle of the POI security-related components and of the manner in which those components are integrated into a single POI, e.g.:\ - Data on production and personalization \ - Physical/chronological whereabouts \ - Repair and maintenance \ - Removal from operation \ - Loss or theft M8] | Establish/Maintain Documentation | Preventive | |
| Include disposition instructions in the user documentation, as necessary. CC ID 12269 [The vendor must maintain a manual that provides instructions for the operational management of the POI. This includes instructions for recording the entire life cycle of the POI security-related components and of the manner in which those components are integrated into a single POI, e.g.:\ - Data on production and personalization \ - Physical/chronological whereabouts \ - Repair and maintenance \ - Removal from operation \ - Loss or theft M8] | Establish/Maintain Documentation | Preventive | |
| Include maintenance instructions in the user documentation, as necessary. CC ID 12268 [The vendor must maintain a manual that provides instructions for the operational management of the POI. This includes instructions for recording the entire life cycle of the POI security-related components and of the manner in which those components are integrated into a single POI, e.g.:\ - Data on production and personalization \ - Physical/chronological whereabouts \ - Repair and maintenance \ - Removal from operation \ - Loss or theft M8] | Establish/Maintain Documentation | Preventive | |
| Include instructions on recording the location of the system in the user documentation, as necessary. CC ID 12267 [The vendor must maintain a manual that provides instructions for the operational management of the POI. This includes instructions for recording the entire life cycle of the POI security-related components and of the manner in which those components are integrated into a single POI, e.g.:\ - Data on production and personalization \ - Physical/chronological whereabouts \ - Repair and maintenance \ - Removal from operation \ - Loss or theft M8] | Establish/Maintain Documentation | Preventive | |
| Include personalization instructions within the user documentation, as necessary. CC ID 12266 [The vendor must maintain a manual that provides instructions for the operational management of the POI. This includes instructions for recording the entire life cycle of the POI security-related components and of the manner in which those components are integrated into a single POI, e.g.:\ - Data on production and personalization \ - Physical/chronological whereabouts \ - Repair and maintenance \ - Removal from operation \ - Loss or theft M8] | Establish/Maintain Documentation | Preventive | |
| Include life cycle management instructions for all components within the user documentation. CC ID 12265 [The vendor must maintain a manual that provides instructions for the operational management of the POI. This includes instructions for recording the entire life cycle of the POI security-related components and of the manner in which those components are integrated into a single POI, e.g.:\ - Data on production and personalization \ - Physical/chronological whereabouts \ - Repair and maintenance \ - Removal from operation \ - Loss or theft M8] | Establish/Maintain Documentation | Preventive | |
Technical security | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Technical security CC ID 00508 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain an access control program. CC ID 11702 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an access rights management plan. CC ID 00513 | Establish/Maintain Documentation | Preventive | |
| Control access rights to organizational assets. CC ID 00004 | Technical Security | Preventive | |
| Establish access rights based on least privilege. CC ID 01411 [The operating system of the device must contain only the software (components and services) necessary for the intended operation. The operating system must be configured securely and run with least privilege. B18 The following features of the device’s operating system must be in place:\ - The operating system of the device must contain only the software (components and services) necessary for the intended operation.\ - The operating system must be configured securely and run with least privilege.\ - The security policy enforced by the device must not allow unauthorized or unnecessary functions.\ - API functionality and commands that are not required to support specific functionality must be disabled (and where possible, removed). K21] | Technical Security | Preventive | |
| Assign user permissions based on job responsibilities. CC ID 00538 | Technical Security | Preventive | |
| Assign user privileges after they have management sign off. CC ID 00542 | Technical Security | Preventive | |
| Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 | Configuration | Preventive | |
| Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412 [The device has characteristics that prevent or significantly deter the use of the device for exhaustive PAN determination. K18] | Technical Security | Preventive | |
| Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 | Configuration | Preventive | |
| Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 | Communicate | Corrective | |
| Disallow unlocking user accounts absent system administrator approval. CC ID 01413 | Technical Security | Preventive | |
| Establish, implement, and maintain session lock capabilities. CC ID 01417 [The device implements session management.\ a) The device keeps track of all connections and restricts the number of sessions that can remain active on the device to the minimum necessary number.\ b) The device sets time limits for sessions and ensures that sessions are not left open for longer than necessary. I6] | Configuration | Preventive | |
| Limit concurrent sessions according to account type. CC ID 01416 [The device implements session management.\ a) The device keeps track of all connections and restricts the number of sessions that can remain active on the device to the minimum necessary number.\ b) The device sets time limits for sessions and ensures that sessions are not left open for longer than necessary. I6] | Configuration | Preventive | |
| Include digital identification procedures in the access control program. CC ID 11841 | Technical Security | Preventive | |
| Require proper authentication for user identifiers. CC ID 11785 [The update mechanism ensures security, i.e., integrity, mutual authentication, and protection against replay, by using an appropriate and declared security protocol when using a network connection. For manual updates, administrator rights must be implemented using password/PINs and/or cryptographic authentication techniques. J4 Access to sensitive services requires authentication. Sensitive services provide access to the underlying sensitive functions. Sensitive functions are those functions that process sensitive data such as cryptographic keys, account data, and passwords. Entering or exiting sensitive services shall not reveal or otherwise affect sensitive data. K22 Access to sensitive services requires authentication. Sensitive services provide access to the underlying sensitive functions. Sensitive functions are those functions that process sensitive data such as cryptographic keys, PINs, and passwords. Entering or exiting sensitive services shall not reveal or otherwise affect sensitive data. B7] | Technical Security | Preventive | |
| Assign authenticators to user accounts. CC ID 06855 | Configuration | Preventive | |
| Assign authentication mechanisms for user account authentication. CC ID 06856 | Configuration | Preventive | |
| Refrain from allowing individuals to share authentication mechanisms. CC ID 11932 | Technical Security | Preventive | |
| Establish and maintain a memorized secret list. CC ID 13791 | Establish/Maintain Documentation | Preventive | |
| Limit account credential reuse as a part of digital identification procedures. CC ID 12357 | Configuration | Preventive | |
| Refrain from assigning authentication mechanisms for shared accounts. CC ID 11910 | Technical Security | Preventive | |
| Use biometric authentication for identification and authentication, as necessary. CC ID 06857 | Establish Roles | Preventive | |
| Employ live scans to verify biometric authentication. CC ID 06847 | Technical Security | Preventive | |
| Identify the user when enrolling them in the biometric system. CC ID 06882 | Testing | Detective | |
| Disallow self-enrollment of biometric information. CC ID 11834 | Process or Activity | Preventive | |
| Tune the biometric identification equipment, as necessary. CC ID 07077 | Configuration | Corrective | |
| Notify a user when an authenticator for a user account is changed. CC ID 13820 | Communicate | Preventive | |
| Enforce information flow control. CC ID 11781 | Monitor and Evaluate Occurrences | Preventive | |
| Establish, implement, and maintain information flow control configuration standards. CC ID 01924 | Establish/Maintain Documentation | Preventive | |
| Require the system to identify and authenticate approved devices before establishing a connection. CC ID 01429 [{POI application} The POI (application) must enforce the correspondence between the display messages visible to the cardholder and the operating state (i.e., secure or non-secure mode) of the PIN entry device, e.g., by using cryptographic authentication.\ If commands impacting the correspondence between the display messages and the operating state of the PIN entry device are received from an external device (e.g., a store controller), the commands enabling data entry must be authenticated.\ The alteration of the correspondence between the display messages visible to the cardholder and the operating state of the PIN entry device cannot occur without requiring an attack potential of at least 18 per POI for identification and initial exploitation with a minimum of 9 for exploitation. E3.4 {Certificate Authority} The device uses a declared security protocol to authenticate the server.\ a) Server authentication utilizes key sizes appropriate for the algorithm(s) in question.\ b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.\ c) The device is able to verify the validity of the public keys it receives.\ d) The device is able to verify the authenticity of the public keys it receives.\ e) The device’s trusted root certificate store shall contain only public key certificates from trusted CA's or else self-signed certificates verified by the acquirer. I4] | Testing | Preventive | |
| Maintain a record of the challenge state during identification and authentication in an automated information exchange. CC ID 06629 | Establish/Maintain Documentation | Preventive | |
| Constrain the information flow of restricted data or restricted information. CC ID 06763 [When operating in encrypting mode, the secure controller can only release clear-text account data to authenticated applications executing within the device. K15.1] | Data and Information Management | Preventive | |
| Quarantine data that fails security tests. CC ID 16500 | Data and Information Management | Corrective | |
| Restrict access to restricted data and restricted information on a need to know basis. CC ID 12453 | Data and Information Management | Preventive | |
| Prohibit restricted data or restricted information from being sent to mobile devices. CC ID 04725 | Data and Information Management | Preventive | |
| Prohibit restricted data or restricted information from being copied or moved absent approval of system boundaries for information flow control. CC ID 06310 | Data and Information Management | Preventive | |
| Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain information exchange procedures. CC ID 11782 | Establish/Maintain Documentation | Preventive | |
| Protect data from unauthorized disclosure while transmitting between separate parts of the system. CC ID 11859 [All account data is either encrypted immediately upon entry or entered in clear-text into a secure device and processed within the secure controller of the device. K1 The device protects all account data upon entry (consistent with A9 for magnetic stripe data and D1 for Chip data), and there is no method of accessing the clear-text account data (using methods described in A1) without defeating the security of the device. Defeating or circumventing the security mechanism requires an attack potential of at least 16 for identification and initial exploitation, with a minimum of 8 for exploitation. K1.1 The logical and physical integration of an approved secure card reader into a PIN entry POI terminal does not create new attack paths to the account data. The account data is protected from the input component to the secure controller of the device—i.e., it is not possible to insert a bug that would disclose sensitive data. K2] | Data and Information Management | Preventive | |
| Control all methods of remote access and teleworking. CC ID 00559 | Technical Security | Preventive | |
| Protect remote access accounts with encryption. CC ID 00562 [If the device may be accessed remotely for the purposes of administration, all access attempts must be cryptographically authenticated. If the authenticity of the access request cannot be confirmed, the access request is denied. K9] | Configuration | Preventive | |
| Manage the use of encryption controls and cryptographic controls. CC ID 00570 [Public keys must be stored and used in a manner that protects against unauthorized modification or substitution. Unauthorized modification or substitution requires an attack potential of at least 26 for identification and initial exploitation with a minimum of 13 for exploitation. K3.1 {mode of operation} All account data shall be encrypted using only ANSI X9 or ISO-approved encryption algorithms (e.g., AES, TDES) and should use ANSI X9 or ISO-approved modes of operation. K4] | Technical Security | Preventive | |
| Comply with the encryption laws of the local country. CC ID 16377 | Business Processes | Preventive | |
| Define the cryptographic module security functions and the cryptographic module operational modes. CC ID 06542 | Establish/Maintain Documentation | Preventive | |
| Define the cryptographic boundaries. CC ID 06543 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain the documentation requirements for cryptographic modules. CC ID 06544 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain the security requirements for cryptographic module ports and cryptographic module interfaces. CC ID 06545 | Establish/Maintain Documentation | Preventive | |
| Implement the documented cryptographic module security functions. CC ID 06755 | Data and Information Management | Preventive | |
| Establish, implement, and maintain documentation for the delivery and operation of cryptographic modules. CC ID 06547 | Establish/Maintain Documentation | Preventive | |
| Document the operation of the cryptographic module. CC ID 06546 | Establish/Maintain Documentation | Preventive | |
| Employ cryptographic controls that comply with applicable requirements. CC ID 12491 | Technical Security | Preventive | |
| Establish, implement, and maintain digital signatures. CC ID 13828 | Data and Information Management | Preventive | |
| Include the expiration date in digital signatures. CC ID 13833 | Data and Information Management | Preventive | |
| Include audience restrictions in digital signatures. CC ID 13834 | Data and Information Management | Preventive | |
| Include the subject in digital signatures. CC ID 13832 | Data and Information Management | Preventive | |
| Include the issuer in digital signatures. CC ID 13831 | Data and Information Management | Preventive | |
| Include identifiers in the digital signature. CC ID 13829 | Data and Information Management | Preventive | |
| Generate and protect a secret random number for each digital signature. CC ID 06577 | Establish/Maintain Documentation | Preventive | |
| Establish the security strength requirements for the digital signature process. CC ID 06578 [The device is able to provide the integrity of data that is sent over a network connection.\ a) Integrity is provided by a MAC as defined in ISO 16609, or by a digital signature.\ b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.\ c) Examples of appropriate algorithms and minimum key sizes are stated in Appendix D of the PCI PTS POI DTRs. I3] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an encryption management and cryptographic controls policy. CC ID 04546 | Establish/Maintain Documentation | Preventive | |
| Refrain from allowing the use of cleartext for input or output of restricted data or restricted information. CC ID 04823 [{refrain from allowing} When operating in encrypting mode, there is no mechanism in the device that would allow the outputting of clear-text account data. Changing between an encrypting and non-encrypting mode of operation requires explicit authentication. K15 There is no mechanism in the device that would allow the outputting of a private or secret clear-text key or clear-text PIN, the encryption of a key or PIN under a key that might itself be disclosed, or the transfer of a clear-text key from a component of high security into a component of lesser security. B14] | Configuration | Preventive | |
| Encrypt in scope data or in scope information, as necessary. CC ID 04824 [PIN protection during transmission between the device encrypting the PIN and the ICC reader (at least two must apply):\ If the device encrypting the PIN and the ICC reader are not integrated into the same secure module, and the cardholder verification method is determined to be:\ - An enciphered PIN, the PIN block shall be enciphered between the device encrypting the PIN and the ICC reader using either an authenticated encipherment key of the IC card, or in accordance with ISO 9564.\ - A plaintext PIN, the PIN block shall be enciphered from the device encrypting the PIN to the ICC reader (the ICC reader will then decipher the PIN for transmission in plaintext to the IC card) in accordance with ISO 9564.\ If the device encrypting the PIN and the ICC reader are integrated into the same secure module, and the cardholder verification method is determined to be:\ - An enciphered PIN, the PIN block shall be enciphered using an authenticated encipherment key of the IC card.\ - A plaintext PIN, then encipherment is not required if the PIN block is transmitted wholly through a protected environment (as defined in ISO 9564). If the plaintext PIN is transmitted to the ICC reader through an unprotected environment, the PIN block shall be enciphered in accordance with ISO 9564. D4 The device is able to provide the integrity of data that is sent over a network connection.\ a) Integrity is provided by a MAC as defined in ISO 16609, or by a digital signature.\ b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.\ c) Examples of appropriate algorithms and minimum key sizes are stated in Appendix D of the PCI PTS POI DTRs. I3 {mode of operation} All account data shall be encrypted using only ANSI X9 or ISO-approved encryption algorithms (e.g., AES, TDES) and should use ANSI X9 or ISO-approved modes of operation. K4 Sensitive data shall not be retained any longer, or used more often, than strictly necessary. Online PINs are encrypted within the device immediately after PIN entry is complete and has been signified as such by the cardholder, e.g., via pressing the enter button.\ The device must automatically clear its internal buffers when either:\ - The transaction is completed, or\ - The device has timed out waiting for the response from the cardholder or merchant. B6] | Data and Information Management | Preventive | |
| Digitally sign records and data, as necessary. CC ID 16507 | Data and Information Management | Preventive | |
| Make key usage for data fields unique for each device. CC ID 04828 [{secret keys}{private keys} Secret and private keys that reside within the device to support account data encryption are unique per device. K7 Encryption or decryption of any arbitrary data using any account data-encrypting key or key-encrypting key contained in the device is not permitted.\ The device must enforce that account data keys, key-encipherment keys, and PIN-encryption keys have different values. K8 It is not possible to encrypt or decrypt any arbitrary data using any PIN-encrypting key or key-encrypting key contained in the device. The device must enforce that data keys, key-encipherment keys, and PIN-encryption keys have different values. B13] | Technical Security | Preventive | |
| Decrypt restricted data for the minimum time required. CC ID 12308 | Data and Information Management | Preventive | |
| Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309 | Data and Information Management | Preventive | |
| Accept only trusted keys and/or certificates. CC ID 11988 | Technical Security | Preventive | |
| Establish, implement, and maintain cryptographic key creation domain parameter requirements. CC ID 06575 [The device is able to provide confidentiality of data sent over a network connection.\ a) Encryption mechanism utilizes key sizes appropriate for the algorithm(s) in question.\ b) Encryption is provided by using keys that are established in a secure manner using appropriate key-management procedures, such as those listed in NIST SP800-21, Guidelines for Implementing Cryptography in the Federal Government and ISO 11568 Banking – Key Management (Retail). I2 {Certificate Authority} The device uses a declared security protocol to authenticate the server.\ a) Server authentication utilizes key sizes appropriate for the algorithm(s) in question.\ b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.\ c) The device is able to verify the validity of the public keys it receives.\ d) The device is able to verify the authenticity of the public keys it receives.\ e) The device’s trusted root certificate store shall contain only public key certificates from trusted CA's or else self-signed certificates verified by the acquirer. I4 If using a hash function to generate surrogate PAN values, input to the hash function must use a salt with minimum length of 64 bits. K16.1] | Data and Information Management | Preventive | |
| Define the asymmetric signature field for the CHUID container on identification cards or badges. CC ID 06584 | Process or Activity | Preventive | |
| Implement cryptographic operations and support functions on identification cards or badges. CC ID 06585 | Process or Activity | Preventive | |
| Disseminate and communicate the encryption management and cryptographic controls policy to all interested personnel and affected parties. CC ID 15476 | Communicate | Preventive | |
| Define the format of the biometric data on identification cards or badges. CC ID 06586 | Process or Activity | Preventive | |
| Protect salt values and hash values in accordance with organizational standards. CC ID 16471 | Data and Information Management | Preventive | |
| Provide guidance to customers on how to securely transmit, store, and update cryptographic keys. CC ID 12040 [The device has guidance for key management describing how keys and certificates must be used.\ a) The key-management guidance is at the disposal of internal users and/or of application developers, system integrators, and end-users of the device.\ b) Key-management security guidance describes the properties of all keys and certificates that can be used by the device.\ c) Key-management security guidance describes the responsibilities of the device vendor, application developers, system integrators, and end-users of the device.\ d) Key-management security guidance ensures secure use of keys and certificates. H3 The device has guidance for key management describing how keys and certificates must be used.\ a) The key-management guidance is at the disposal of internal users and/or of application developers, system integrators, and end-users of the device.\ b) Key-management security guidance describes the properties of all keys and certificates that can be used by the device.\ c) Key-management security guidance describes the responsibilities of the device vendor, application developers, system integrators, and end-users of the device.\ d) Key-management security guidance ensures secure use of keys and certificates. H3] | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the encryption management procedures to all interested personnel and affected parties. CC ID 15477 | Communicate | Preventive | |
| Establish, implement, and maintain encryption management procedures. CC ID 15475 | Establish/Maintain Documentation | Preventive | |
| Define and assign cryptographic, encryption and key management roles and responsibilities. CC ID 15470 | Establish Roles | Preventive | |
| Establish, implement, and maintain cryptographic key management procedures. CC ID 00571 [The device has guidance for key management describing how keys and certificates must be used.\ a) The key-management guidance is at the disposal of internal users and/or of application developers, system integrators, and end-users of the device.\ b) Key-management security guidance describes the properties of all keys and certificates that can be used by the device.\ c) Key-management security guidance describes the responsibilities of the device vendor, application developers, system integrators, and end-users of the device.\ d) Key-management security guidance ensures secure use of keys and certificates. H3 The device has guidance for key management describing how keys and certificates must be used.\ a) The key-management guidance is at the disposal of internal users and/or of application developers, system integrators, and end-users of the device.\ b) Key-management security guidance describes the properties of all keys and certificates that can be used by the device.\ c) Key-management security guidance describes the responsibilities of the device vendor, application developers, system integrators, and end-users of the device.\ d) Key-management security guidance ensures secure use of keys and certificates. H3 The device is able to provide confidentiality of data sent over a network connection.\ a) Encryption mechanism utilizes key sizes appropriate for the algorithm(s) in question.\ b) Encryption is provided by using keys that are established in a secure manner using appropriate key-management procedures, such as those listed in NIST SP800-21, Guidelines for Implementing Cryptography in the Federal Government and ISO 11568 Banking – Key Management (Retail). I2 {turnkey system} The vendor must provide a defined and documented process containing specific details on how any signing mechanisms must be implemented. This must include any “turnkey” systems required for compliance with the management of display prompts, or any mechanisms used for authenticating any application code. This must ensure:\ - The signing process is performed under dual control.\ - All executable files are signed.\ - Software is only signed using a secure cryptographic device provided by the terminal vendor. B4.2] | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate cryptographic key management procedures to interested personnel and affected parties. CC ID 13164 | Communicate | Preventive | |
| Bind keys to each identity. CC ID 12337 | Technical Security | Preventive | |
| Include recommended cryptographic key management procedures for cloud service providers in the cryptographic key management procedures. CC ID 13152 | Establish/Maintain Documentation | Preventive | |
| Include requesting cryptographic key types in the cryptographic key management procedures. CC ID 13151 | Establish/Maintain Documentation | Preventive | |
| Recover encrypted data for lost cryptographic keys, compromised cryptographic keys, or damaged cryptographic keys. CC ID 01301 | Data and Information Management | Preventive | |
| Generate strong cryptographic keys. CC ID 01299 | Data and Information Management | Preventive | |
| Generate unique cryptographic keys for each user. CC ID 12169 | Technical Security | Preventive | |
| Use approved random number generators for creating cryptographic keys. CC ID 06574 | Data and Information Management | Preventive | |
| Implement decryption keys so that they are not linked to user accounts. CC ID 06851 | Technical Security | Preventive | |
| Include the establishment of cryptographic keys in the cryptographic key management procedures. CC ID 06540 [{determine}{reside}{penetrate} Determination of any PIN-security-related cryptographic key resident in the device, by penetration of the device and/or by monitoring emanations from the device (including power fluctuations), requires an attack potential of at least 35 for identification and initial exploitation with a minimum of 15 for exploitation. A6 The device has guidance for key management describing how keys and certificates must be used.\ a) The key-management guidance is at the disposal of internal users and/or of application developers, system integrators, and end-users of the device.\ b) Key-management security guidance describes the properties of all keys and certificates that can be used by the device.\ c) Key-management security guidance describes the responsibilities of the device vendor, application developers, system integrators, and end-users of the device.\ d) Key-management security guidance ensures secure use of keys and certificates. H3 {Certificate Authority} The device uses a declared security protocol to authenticate the server.\ a) Server authentication utilizes key sizes appropriate for the algorithm(s) in question.\ b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.\ c) The device is able to verify the validity of the public keys it receives.\ d) The device is able to verify the authenticity of the public keys it receives.\ e) The device’s trusted root certificate store shall contain only public key certificates from trusted CA's or else self-signed certificates verified by the acquirer. I4] | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate cryptographic keys securely. CC ID 01300 [If remote key distribution is used, the device supports mutual authentication between the sending key-distribution host and receiving device. K5] | Data and Information Management | Preventive | |
| Control the input and output of cryptographic keys from a cryptographic module. CC ID 06541 | Data and Information Management | Preventive | |
| Store cryptographic keys securely. CC ID 01298 [If the device can hold multiple PIN-encryption keys and if the key to be used to encrypt the PIN can be externally selected, the device prohibits unauthorized key replacement and key misuse. C1 Determination of any cryptographic keys used for account-data encryption, by penetration of the device and/or by monitoring emanations from the device (including power fluctuations), requires an attack potential of at least 26 for identification and initial exploitation with a minimum of 13 for exploitation. K3 Public keys must be stored and used in a manner that protects against unauthorized modification or substitution. Unauthorized modification or substitution requires an attack potential of at least 26 for identification and initial exploitation with a minimum of 13 for exploitation. K3.1] | Data and Information Management | Preventive | |
| Restrict access to cryptographic keys. CC ID 01297 | Data and Information Management | Preventive | |
| Store cryptographic keys in encrypted format. CC ID 06084 [If using a hash function to generate surrogate PAN values, the salt is kept secret and appropriately protected. Disclosure of the salt cannot occur without requiring an attack potential of at least 16 per device for identification and initial exploitation with a minimum of 8 for exploitation. K16.2] | Data and Information Management | Preventive | |
| Store key-encrypting keys and data-encrypting keys in different locations. CC ID 06085 | Technical Security | Preventive | |
| Include offsite backups of cryptographic keys in the cryptographic key management procedures. CC ID 13127 | Establish/Maintain Documentation | Preventive | |
| Change cryptographic keys in accordance with organizational standards. CC ID 01302 | Data and Information Management | Preventive | |
| Destroy cryptographic keys promptly after the retention period. CC ID 01303 | Data and Information Management | Preventive | |
| Control cryptographic keys with split knowledge and dual control. CC ID 01304 [{turnkey system} The vendor must provide a defined and documented process containing specific details on how any signing mechanisms must be implemented. This must include any “turnkey” systems required for compliance with the management of display prompts, or any mechanisms used for authenticating any application code. This must ensure:\ - The signing process is performed under dual control.\ - All executable files are signed.\ - Software is only signed using a secure cryptographic device provided by the terminal vendor. B4.2] | Data and Information Management | Preventive | |
| Prevent the unauthorized substitution of cryptographic keys. CC ID 01305 | Data and Information Management | Preventive | |
| Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys. CC ID 06852 | Technical Security | Preventive | |
| Revoke old cryptographic keys or invalid cryptographic keys immediately. CC ID 01307 | Data and Information Management | Corrective | |
| Replace known or suspected compromised cryptographic keys immediately. CC ID 01306 | Data and Information Management | Corrective | |
| Archive outdated cryptographic keys. CC ID 06884 | Data and Information Management | Preventive | |
| Archive revoked cryptographic keys. CC ID 11819 | Data and Information Management | Preventive | |
| Require key custodians to sign the cryptographic key management policy. CC ID 01308 | Establish/Maintain Documentation | Preventive | |
| Require key custodians to sign the key custodian's roles and responsibilities. CC ID 11820 | Human Resources Management | Preventive | |
| Test cryptographic key management applications, as necessary. CC ID 04829 | Testing | Detective | |
| Manage the digital signature cryptographic key pair. CC ID 06576 | Data and Information Management | Preventive | |
| Establish, implement, and maintain requirements for Personal Identity Verification authentication certificates. CC ID 06587 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain Public Key certificate application procedures. CC ID 07079 | Establish/Maintain Documentation | Preventive | |
| Establish a Registration Authority to support the Public Key Infrastructure. CC ID 15725 | Establish Roles | Preventive | |
| Include the Identification and Authentication of individuals or entities in the Public Key certificate application procedures. CC ID 07080 | Establish/Maintain Documentation | Preventive | |
| Include approving or rejecting Public Key certificate applications in the Public Key certificate application procedure. CC ID 07081 | Establish/Maintain Documentation | Preventive | |
| Include revocation of Public Key certificates in the Public Key certificate procedures. CC ID 07082 | Establish/Maintain Documentation | Preventive | |
| Publish revoked Public Key certificates in the Certificate Revocation List. CC ID 07089 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain Public Key renewal or rekeying request procedures. CC ID 07083 | Establish/Maintain Documentation | Preventive | |
| Include identification and authentication in Public Key renewal or rekeying request procedures. CC ID 11816 | Establish/Maintain Documentation | Preventive | |
| Issue authentication mechanisms that support the Public Key Infrastructure. CC ID 07092 | Technical Security | Preventive | |
| Establish a Root Certification Authority to support the Public Key Infrastructure. CC ID 07084 [{Certificate Authority} The device uses a declared security protocol to authenticate the server.\ a) Server authentication utilizes key sizes appropriate for the algorithm(s) in question.\ b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.\ c) The device is able to verify the validity of the public keys it receives.\ d) The device is able to verify the authenticity of the public keys it receives.\ e) The device’s trusted root certificate store shall contain only public key certificates from trusted CA's or else self-signed certificates verified by the acquirer. I4] | Technical Security | Preventive | |
| Establish, implement, and maintain Public Key certificate procedures. CC ID 07085 [{Certificate Authority} The device uses a declared security protocol to authenticate the server.\ a) Server authentication utilizes key sizes appropriate for the algorithm(s) in question.\ b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.\ c) The device is able to verify the validity of the public keys it receives.\ d) The device is able to verify the authenticity of the public keys it receives.\ e) The device’s trusted root certificate store shall contain only public key certificates from trusted CA's or else self-signed certificates verified by the acquirer. I4] | Establish/Maintain Documentation | Preventive | |
| Include signing and issuing Public Key certificates in the Public Key certificate procedures. CC ID 11817 [{Certificate Authority} The device uses a declared security protocol to authenticate the server.\ a) Server authentication utilizes key sizes appropriate for the algorithm(s) in question.\ b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.\ c) The device is able to verify the validity of the public keys it receives.\ d) The device is able to verify the authenticity of the public keys it receives.\ e) The device’s trusted root certificate store shall contain only public key certificates from trusted CA's or else self-signed certificates verified by the acquirer. I4] | Establish/Maintain Documentation | Preventive | |
| Include publishing Public Key certificates in the Public Key certificate procedures. CC ID 07087 | Establish/Maintain Documentation | Preventive | |
| Include access to issued Public Key certificates in the Public Key certificate procedures. CC ID 07086 | Establish/Maintain Documentation | Preventive | |
| Connect the Public Key Infrastructure to the organization's identity and access management system. CC ID 07091 | Technical Security | Preventive | |
| Archive Public Key certificate records according to organizational Records Management rules. CC ID 07090 | Records Management | Preventive | |
| Refrain from storing encryption keys with cloud service providers when cryptographic key management services are in place locally. CC ID 13153 | Technical Security | Preventive | |
| Refrain from permitting cloud service providers to manage encryption keys when cryptographic key management services are in place locally. CC ID 13154 | Technical Security | Preventive | |
| Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564 [The device is able to provide confidentiality of data sent over a network connection.\ a) Encryption mechanism utilizes key sizes appropriate for the algorithm(s) in question.\ b) Encryption is provided by using keys that are established in a secure manner using appropriate key-management procedures, such as those listed in NIST SP800-21, Guidelines for Implementing Cryptography in the Federal Government and ISO 11568 Banking – Key Management (Retail). I2] | Technical Security | Preventive | |
| Ensure restricted data or restricted information are encrypted prior to or at the time of transmission. CC ID 01749 | Configuration | Preventive | |
| Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls. CC ID 12492 | Technical Security | Preventive | |
| Encrypt traffic over networks with trusted cryptographic keys. CC ID 12490 | Technical Security | Preventive | |
| Authorize transactions of data transmitted over public networks or shared data networks. CC ID 00566 | Establish/Maintain Documentation | Preventive | |
| Implement non-repudiation for transactions. CC ID 00567 [The device supports data origin authentication of encrypted messages. K6] | Testing | Detective | |
| Treat data messages that do not receive an acknowledgment as never been sent. CC ID 14416 | Technical Security | Preventive | |
| Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks. CC ID 00568 | Technical Security | Preventive | |
| Protect application services information transmitted over a public network from unauthorized modification. CC ID 12021 | Technical Security | Preventive | |
| Protect application services information transmitted over a public network from unauthorized disclosure. CC ID 12020 | Technical Security | Preventive | |
| Protect application services information transmitted over a public network from contract disputes. CC ID 12019 | Technical Security | Preventive | |
| Protect application services information transmitted over a public network from fraudulent activity. CC ID 12018 | Technical Security | Preventive | |
| Establish, implement, and maintain a malicious code protection program. CC ID 00574 | Establish/Maintain Documentation | Preventive | |
| Protect the system against replay attacks. CC ID 04552 [The device is able to detect replay of messages and enables the secure handling of the exceptions. I5] | Technical Security | Preventive | |
Third Party and supply chain oversight | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Third Party and supply chain oversight CC ID 08807 | IT Impact Zone | IT Impact Zone | |
| Conduct all parts of the supply chain due diligence process. CC ID 08854 | Business Processes | Preventive | |
| Assess third parties' compliance environment during due diligence. CC ID 13134 | Process or Activity | Detective | |
| Request attestation of compliance from third parties. CC ID 12067 | Establish/Maintain Documentation | Detective | |
| Validate the third parties' compliance to organizationally mandated compliance requirements. CC ID 08819 [The POI should be protected from unauthorized modification with tamper-evident security features, and customers shall be provided with documentation (both shipped with the product and available securely online) that provides instruction on validating the authenticity and integrity of the POI.\ Where this is not possible, the POI is shipped from the manufacturer’s facility to the initial key-loading facility or to the facility of initial deployment and stored en route under auditable controls that can account for the location of every POI at every point in time.\ Where multiple parties are involved in organizing the shipping, it is the responsibility of each party to ensure that the shipping and storage they are managing is compliant with this requirement. M1] | Business Processes | Preventive | |
| Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain. CC ID 08878 | Business Processes | Preventive | |
| Define the traceability documentation required for chain of custody certification. CC ID 08895 [The POI should be protected from unauthorized modification with tamper-evident security features, and customers shall be provided with documentation (both shipped with the product and available securely online) that provides instruction on validating the authenticity and integrity of the POI.\ Where this is not possible, the POI is shipped from the manufacturer’s facility to the initial key-loading facility or to the facility of initial deployment and stored en route under auditable controls that can account for the location of every POI at every point in time.\ Where multiple parties are involved in organizing the shipping, it is the responsibility of each party to ensure that the shipping and storage they are managing is compliant with this requirement. M1] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain physical security controls for the supply chain. CC ID 08931 | Business Processes | Preventive | |
| Assign unique reference numbers to all products and their subcomponents. CC ID 08932 [Each device shall have a unique visible identifier affixed to it. M7] | Business Processes | Preventive | |
| Establish, implement, and maintain product shipment procedures. CC ID 08934 [Procedures are in place to transfer accountability for the device from the manufacturer to the facility of initial deployment. Where the device is shipped via intermediaries such as resellers, accountability will be with the intermediary from the time at which they receive the device until the time it is received by the next intermediary or the point of initial deployment. M2] | Establish/Maintain Documentation | Preventive | |
| Coordinate and support suppliers' physical security controls. CC ID 08935 | Business Processes | Preventive | |
| Inspect all incoming shipments for conformity to information from the supplier. CC ID 08936 | Business Processes | Preventive | |
| Use authorized personnel to unseal and open incoming shipments. CC ID 08938 | Behavior | Preventive | |
| Report tampering when tampering indicators are identified in incoming shipments. CC ID 08937 | Business Processes | Detective | |
| Document accurate outgoing shipment information. CC ID 08939 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain export records of outgoing shipments. CC ID 08954 | Establish/Maintain Documentation | Preventive | |
| Report incoming shipment inconsistencies when an incoming shipment inconsistency is identified. CC ID 08940 | Behavior | Detective | |
| Segregate and secure shipments that have incoming shipment inconsistencies. CC ID 08941 | Business Processes | Preventive | |
| Provide access to outgoing shipment information, as necessary. CC ID 08942 | Data and Information Management | Preventive | |
Common Controls andEach Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.
Acquisition/Sale of Assets or Services | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Acquire spare parts prior to when maintenance requests are scheduled. CC ID 11833 | Operational management | Preventive | |
| Plan for selling facilities, technology, or services. CC ID 06893 | Acquisition or sale of facilities, technology, and services | Preventive | |
| Establish, implement, and maintain equipment shipping procedures. CC ID 11449 | Acquisition or sale of facilities, technology, and services | Preventive | |
Audits and Risk Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 | Audits and risk management | Preventive | |
| Review the risk profiles, as necessary. CC ID 16561 | Audits and risk management | Detective | |
| Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 | Audits and risk management | Preventive | |
| Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 | Audits and risk management | Preventive | |
| Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 | Audits and risk management | Preventive | |
| Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 | Audits and risk management | Preventive | |
| Review the risk to the audit function when the audit personnel status changes. CC ID 01153 | Audits and risk management | Preventive | |
| Conduct external audits of risk assessments, as necessary. CC ID 13308 | Audits and risk management | Detective | |
Behavior | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain a testing program. CC ID 00654 | Monitoring and measurement | Preventive | |
| Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 | Monitoring and measurement | Corrective | |
| Refrain from accepting instant messages from unknown senders. CC ID 12537 | Operational management | Preventive | |
| Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 [{document and maintain} The vendor documents, maintains and makes available to integrators details on how to implement the protection system against unauthorized removal. E4.2] | Operational management | Preventive | |
| Maintain contact with the device manufacturer or component manufacturer for maintenance requests. CC ID 06388 | Operational management | Preventive | |
| Respond to maintenance requests inside the organizationally established time frame. CC ID 04878 | Operational management | Preventive | |
| Perform periodic maintenance according to organizational standards. CC ID 01435 [The device vendor has maintenance measures in place.\ a) The maintenance measures are documented.\ b) The maintenance measures ensure timely detection of vulnerabilities that apply to the device by periodic execution of a vulnerability assessment that includes activities such as: analysis, survey of information available in the public domain, and testing.\ c) The maintenance measures ensure timely assessment and classification of newly found vulnerabilities.\ d) The maintenance measures ensure timely creation of mitigation measures for newly found vulnerabilities that may impact device security. J2] | Operational management | Preventive | |
| Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 | Operational management | Preventive | |
| Disseminate and communicate software update information to users and regulators. CC ID 06602 | Operational management | Preventive | |
| Manage the system implementation process. CC ID 01115 | Systems design, build, and implementation | Preventive | |
| Use authorized personnel to unseal and open incoming shipments. CC ID 08938 | Third Party and supply chain oversight | Preventive | |
| Report incoming shipment inconsistencies when an incoming shipment inconsistency is identified. CC ID 08940 | Third Party and supply chain oversight | Detective | |
Business Processes | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 | Monitoring and measurement | Preventive | |
| Approve the threat and risk classification scheme. CC ID 15693 | Audits and risk management | Preventive | |
| Comply with the encryption laws of the local country. CC ID 16377 | Technical security | Preventive | |
| Align the information security policy with the organization's risk acceptance level. CC ID 13042 | Operational management | Preventive | |
| Establish, implement, and maintain information security procedures. CC ID 12006 | Operational management | Preventive | |
| Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Operational management | Preventive | |
| Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Operational management | Preventive | |
| Establish, implement, and maintain information sharing agreements. CC ID 15645 | Operational management | Preventive | |
| Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 | Operational management | Preventive | |
| Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 | Operational management | Preventive | |
| Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Operational management | Preventive | |
| Establish, implement, and maintain an Asset Management program. CC ID 06630 | Operational management | Preventive | |
| Obtain approval before removing maintenance tools from the facility. CC ID 14298 | Operational management | Preventive | |
| Manage change requests. CC ID 00887 | Operational management | Preventive | |
| Examine all changes to ensure they correspond with the change request. CC ID 12345 | Operational management | Detective | |
| Implement changes according to the change control program. CC ID 11776 | Operational management | Preventive | |
| Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 | Operational management | Preventive | |
| Mitigate the adverse effects of unauthorized changes. CC ID 12244 | Operational management | Corrective | |
| Establish, implement, and maintain configuration control and Configuration Status Accounting. CC ID 00863 | System hardening through configuration management | Preventive | |
| Approve the configuration management plan. CC ID 14717 | System hardening through configuration management | Preventive | |
| Establish and maintain end user support communications. CC ID 06615 | Systems design, build, and implementation | Preventive | |
| Conduct all parts of the supply chain due diligence process. CC ID 08854 | Third Party and supply chain oversight | Preventive | |
| Validate the third parties' compliance to organizationally mandated compliance requirements. CC ID 08819 [The POI should be protected from unauthorized modification with tamper-evident security features, and customers shall be provided with documentation (both shipped with the product and available securely online) that provides instruction on validating the authenticity and integrity of the POI.\ Where this is not possible, the POI is shipped from the manufacturer’s facility to the initial key-loading facility or to the facility of initial deployment and stored en route under auditable controls that can account for the location of every POI at every point in time.\ Where multiple parties are involved in organizing the shipping, it is the responsibility of each party to ensure that the shipping and storage they are managing is compliant with this requirement. M1] | Third Party and supply chain oversight | Preventive | |
| Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain. CC ID 08878 | Third Party and supply chain oversight | Preventive | |
| Establish, implement, and maintain physical security controls for the supply chain. CC ID 08931 | Third Party and supply chain oversight | Preventive | |
| Assign unique reference numbers to all products and their subcomponents. CC ID 08932 [Each device shall have a unique visible identifier affixed to it. M7] | Third Party and supply chain oversight | Preventive | |
| Coordinate and support suppliers' physical security controls. CC ID 08935 | Third Party and supply chain oversight | Preventive | |
| Inspect all incoming shipments for conformity to information from the supplier. CC ID 08936 | Third Party and supply chain oversight | Preventive | |
| Report tampering when tampering indicators are identified in incoming shipments. CC ID 08937 | Third Party and supply chain oversight | Detective | |
| Segregate and secure shipments that have incoming shipment inconsistencies. CC ID 08941 | Third Party and supply chain oversight | Preventive | |
Communicate | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Disseminate and communicate the vulnerability scan results to interested personnel and affected parties. CC ID 16418 | Monitoring and measurement | Preventive | |
| Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 | Audits and risk management | Preventive | |
| Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 | Audits and risk management | Preventive | |
| Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 | Technical security | Corrective | |
| Notify a user when an authenticator for a user account is changed. CC ID 13820 | Technical security | Preventive | |
| Disseminate and communicate the encryption management and cryptographic controls policy to all interested personnel and affected parties. CC ID 15476 | Technical security | Preventive | |
| Disseminate and communicate the encryption management procedures to all interested personnel and affected parties. CC ID 15477 | Technical security | Preventive | |
| Disseminate and communicate cryptographic key management procedures to interested personnel and affected parties. CC ID 13164 | Technical security | Preventive | |
| Disseminate and communicate the asset removal policy to interested personnel and affected parties. CC ID 13160 | Physical and environmental protection | Preventive | |
| Notify interested personnel and affected parties when water is detected in the vicinity of information systems. CC ID 14252 | Physical and environmental protection | Preventive | |
| Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Operational management | Preventive | |
| Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 | Operational management | Preventive | |
| Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 | Operational management | Preventive | |
| Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 | Operational management | Preventive | |
| Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 | Operational management | Preventive | |
| Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 | Operational management | Preventive | |
| Disseminate and communicate the local environment security profile to interested personnel and affected parties. CC ID 15716 | Operational management | Preventive | |
| Disseminate and communicate the configuration management procedures to interested personnel and affected parties. CC ID 14139 | System hardening through configuration management | Preventive | |
| Disseminate and communicate the configuration management policy to interested personnel and affected parties. CC ID 14066 | System hardening through configuration management | Preventive | |
| Disseminate and communicate the configuration management program to all interested personnel and affected parties. CC ID 11946 [The device vendor maintains guidance describing configuration management for the device.\ a) The guidance is at the disposal of internal users, and/or of application developers, system integrators and end-users of the device.\ b) The guidance covers the complete device—including firmware, payment and non-payment applications, forms, multimedia files, certificates, configuration files, configuration setting, and keys.\ c) The guidance covers the complete life cycle of the device from development, over manufacturing, up to delivery and operation.\ d) The security guidance ensures that unauthorized modification is not possible.\ e) The security guidance ensures that any modification of a PTS- approved device that impacts device security, results in a change of the device identifier. J1] | System hardening through configuration management | Preventive | |
Configuration | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Update the vulnerability scanners' vulnerability list. CC ID 10634 | Monitoring and measurement | Corrective | |
| Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 | Technical security | Preventive | |
| Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 | Technical security | Preventive | |
| Establish, implement, and maintain session lock capabilities. CC ID 01417 [The device implements session management.\ a) The device keeps track of all connections and restricts the number of sessions that can remain active on the device to the minimum necessary number.\ b) The device sets time limits for sessions and ensures that sessions are not left open for longer than necessary. I6] | Technical security | Preventive | |
| Limit concurrent sessions according to account type. CC ID 01416 [The device implements session management.\ a) The device keeps track of all connections and restricts the number of sessions that can remain active on the device to the minimum necessary number.\ b) The device sets time limits for sessions and ensures that sessions are not left open for longer than necessary. I6] | Technical security | Preventive | |
| Assign authenticators to user accounts. CC ID 06855 | Technical security | Preventive | |
| Assign authentication mechanisms for user account authentication. CC ID 06856 | Technical security | Preventive | |
| Limit account credential reuse as a part of digital identification procedures. CC ID 12357 | Technical security | Preventive | |
| Tune the biometric identification equipment, as necessary. CC ID 07077 | Technical security | Corrective | |
| Protect remote access accounts with encryption. CC ID 00562 [If the device may be accessed remotely for the purposes of administration, all access attempts must be cryptographically authenticated. If the authenticity of the access request cannot be confirmed, the access request is denied. K9] | Technical security | Preventive | |
| Refrain from allowing the use of cleartext for input or output of restricted data or restricted information. CC ID 04823 [{refrain from allowing} When operating in encrypting mode, there is no mechanism in the device that would allow the outputting of clear-text account data. Changing between an encrypting and non-encrypting mode of operation requires explicit authentication. K15 There is no mechanism in the device that would allow the outputting of a private or secret clear-text key or clear-text PIN, the encryption of a key or PIN under a key that might itself be disclosed, or the transfer of a clear-text key from a component of high security into a component of lesser security. B14] | Technical security | Preventive | |
| Ensure restricted data or restricted information are encrypted prior to or at the time of transmission. CC ID 01749 | Technical security | Preventive | |
| Disallow disabling tamper detection and response mechanisms, absent authorization. CC ID 12211 [The device protects all account data upon entry (consistent with A9 for magnetic stripe data and D1 for Chip data), and there is no method of accessing the clear-text account data (using methods described in A1) without defeating the security of the device. Defeating or circumventing the security mechanism requires an attack potential of at least 16 for identification and initial exploitation, with a minimum of 8 for exploitation. K1.1 {tamper response} The device uses tamper-detection and response mechanisms that cause it to become immediately inoperable and result in the automatic and immediate erasure of any sensitive data that may be stored in the device, such that it becomes infeasible to recover the sensitive data. These mechanisms protect against physical penetration of the device by means of (but not limited to) drills, lasers, chemical solvents, opening covers, splitting the casing (seams), and using ventilation openings; and there is not any demonstrable way to disable or defeat the mechanism and insert a PIN-disclosing bug or gain access to secret information without requiring an attack potential of at least 26 per device for identification and initial exploitation, with a minimum of 13 for exploitation, exclusive of the IC card reader. A1] | Physical and environmental protection | Preventive | |
| Prevent security mechanisms from being compromised by adverse physical conditions. CC ID 12215 [The security of the device is not compromised by altering: \ - Environmental conditions\ - Operational conditions A3 The security of the device is not compromised by altering: \ - Environmental conditions\ - Operational conditions A3] | Physical and environmental protection | Preventive | |
| Establish and maintain a telecommunications equipment room, as necessary. CC ID 06708 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a battery room, as necessary. CC ID 06706 | Physical and environmental protection | Preventive | |
| Establish and maintain a generator room, as necessary. CC ID 06704 | Physical and environmental protection | Preventive | |
| Install and maintain fire protection equipment. CC ID 00728 | Physical and environmental protection | Preventive | |
| Install and maintain fire suppression systems. CC ID 00729 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a Heating Ventilation and Air Conditioning system. CC ID 00727 | Physical and environmental protection | Preventive | |
| Install and maintain dust collection and filtering as a part of the Heating Ventilation and Air Conditioning system. CC ID 06368 | Physical and environmental protection | Preventive | |
| Install and maintain backup Heating Ventilation and Air Conditioning equipment. CC ID 06369 | Physical and environmental protection | Preventive | |
| Install and maintain a moisture control system as a part of the climate control system. CC ID 06694 | Physical and environmental protection | Preventive | |
| Install and maintain hydrogen sensors, as necessary. CC ID 06705 | Physical and environmental protection | Preventive | |
| Protect physical assets from water damage. CC ID 00730 | Physical and environmental protection | Preventive | |
| Separate remote maintenance sessions from other network sessions with a logically separate communications path based upon encryption. CC ID 10614 | Operational management | Preventive | |
| Deploy software patches in accordance with organizational standards. CC ID 07032 | Operational management | Corrective | |
| Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 | Operational management | Corrective | |
| Remove outdated software after software has been updated. CC ID 11792 | Operational management | Corrective | |
| Update computer firmware, as necessary. CC ID 11755 | Operational management | Corrective | |
| Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671 | Operational management | Corrective | |
| Establish, implement, and maintain a configuration change log. CC ID 08710 | Operational management | Detective | |
| Verify configuration files requiring passwords for automation do not contain those passwords after the installation process is complete. CC ID 06555 | System hardening through configuration management | Preventive | |
| Employ the Configuration Management program. CC ID 11904 | System hardening through configuration management | Preventive | |
| Document external connections for all systems. CC ID 06415 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain configuration standards for all systems based upon industry best practices. CC ID 11953 | System hardening through configuration management | Preventive | |
| Block and/or remove unnecessary software and unauthorized software. CC ID 00865 [If the device allows updates of firmware, the device cryptographically authenticates the firmware and if the authenticity is not confirmed, the firmware update is rejected and deleted. B4 The operating system of the device must contain only the software (components and services) necessary for the intended operation. The operating system must be configured securely and run with least privilege. B18 If the device allows updates of firmware, the device cryptographically authenticates the firmware and if the authenticity is not confirmed, the firmware update is rejected and deleted. K12 The following features of the device’s operating system must be in place:\ - The operating system of the device must contain only the software (components and services) necessary for the intended operation.\ - The operating system must be configured securely and run with least privilege.\ - The security policy enforced by the device must not allow unauthorized or unnecessary functions.\ - API functionality and commands that are not required to support specific functionality must be disabled (and where possible, removed). K21] | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain idle session termination and logout capabilities. CC ID 01418 [The device implements session management.\ a) The device keeps track of all connections and restricts the number of sessions that can remain active on the device to the minimum necessary number.\ b) The device sets time limits for sessions and ensures that sessions are not left open for longer than necessary. I6] | System hardening through configuration management | Preventive | |
| Configure Session Configuration settings in accordance with organizational standards. CC ID 07698 | System hardening through configuration management | Preventive | |
| Invalidate unexpected session identifiers. CC ID 15307 | System hardening through configuration management | Preventive | |
| Configure the "MaxStartups" settings to organizational standards. CC ID 15329 | System hardening through configuration management | Preventive | |
| Reject session identifiers that are not valid. CC ID 15306 | System hardening through configuration management | Preventive | |
| Configure the "MaxSessions" settings to organizational standards. CC ID 15330 | System hardening through configuration management | Preventive | |
| Configure the "Interactive logon: Message title for users attempting to log on" to organizational standards. CC ID 07699 | System hardening through configuration management | Preventive | |
| Configure the "LoginGraceTime" settings to organizational standards. CC ID 15328 | System hardening through configuration management | Preventive | |
| Configure the "Network security: Force logoff when logon hours expire" to organizational standards. CC ID 07738 | System hardening through configuration management | Preventive | |
| Configure the "MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)" to organizational standards. CC ID 07758 | System hardening through configuration management | Preventive | |
| Configure the "Microsoft network server: Disconnect clients when logon hours expire" to organizational standards. CC ID 07824 | System hardening through configuration management | Preventive | |
| Configure the "Microsoft network server: Amount of idle time required before suspending session" to organizational standards. CC ID 07826 | System hardening through configuration management | Preventive | |
| Configure the "Interactive logon: Do not display last user name" to organizational standards. CC ID 07832 | System hardening through configuration management | Preventive | |
| Configure the "Interactive logon: Display user information when the session is locked" to organizational standards. CC ID 07848 | System hardening through configuration management | Preventive | |
| Configure the "Interactive logon: Message text for users attempting to log on" to organizational standards. CC ID 07870 | System hardening through configuration management | Preventive | |
| Configure the "Always prompt for password upon connection" to organizational standards. CC ID 08229 | System hardening through configuration management | Preventive | |
| Configure the "Interactive logon: Machine inactivity limit" to organizational standards. CC ID 08350 | System hardening through configuration management | Preventive | |
| Remove all unnecessary functionality. CC ID 00882 [The following features of the device’s operating system must be in place:\ - The operating system of the device must contain only the software (components and services) necessary for the intended operation.\ - The operating system must be configured securely and run with least privilege.\ - The security policy enforced by the device must not allow unauthorized or unnecessary functions.\ - API functionality and commands that are not required to support specific functionality must be disabled (and where possible, removed). K21 The following features of the device’s operating system must be in place:\ - The operating system of the device must contain only the software (components and services) necessary for the intended operation.\ - The operating system must be configured securely and run with least privilege.\ - The security policy enforced by the device must not allow unauthorized or unnecessary functions.\ - API functionality and commands that are not required to support specific functionality must be disabled (and where possible, removed). K21] | System hardening through configuration management | Preventive | |
| Find and eradicate unauthorized world writable files. CC ID 01541 | System hardening through configuration management | Preventive | |
| Strip dangerous/unneeded SUID/SGID system executables. CC ID 01542 | System hardening through configuration management | Preventive | |
| Find and eradicate unauthorized SUID/SGID system executables. CC ID 01543 | System hardening through configuration management | Preventive | |
| Find and eradicate unowned files and unowned directories. CC ID 01544 | System hardening through configuration management | Preventive | |
| Disable logon prompts on serial ports. CC ID 01553 | System hardening through configuration management | Preventive | |
| Disable "nobody" access for Secure RPC. CC ID 01554 | System hardening through configuration management | Preventive | |
| Disable all unnecessary interfaces. CC ID 04826 | System hardening through configuration management | Preventive | |
| Enable or disable all unused USB ports as appropriate. CC ID 06042 | System hardening through configuration management | Preventive | |
| Disable all user-mounted removable file systems. CC ID 01536 | System hardening through configuration management | Preventive | |
| Set the Bluetooth Security Mode to the organizational standard. CC ID 00587 | System hardening through configuration management | Preventive | |
| Secure the Bluetooth headset connections. CC ID 00593 | System hardening through configuration management | Preventive | |
| Disable automatic dial-in access to computers that have installed modems. CC ID 02036 | System hardening through configuration management | Preventive | |
| Configure the "Turn off AutoPlay" setting. CC ID 01787 | System hardening through configuration management | Preventive | |
| Configure the "Devices: Restrict floppy access to locally logged on users only" setting. CC ID 01732 | System hardening through configuration management | Preventive | |
| Configure the "Devices: Restrict CD-ROM access to locally logged on users" setting. CC ID 01731 | System hardening through configuration management | Preventive | |
| Configure the "Remove CD Burning features" setting. CC ID 04379 | System hardening through configuration management | Preventive | |
| Disable Autorun. CC ID 01790 | System hardening through configuration management | Preventive | |
| Disable USB devices (aka hotplugger). CC ID 01545 | System hardening through configuration management | Preventive | |
| Enable or disable all unused auxiliary ports as appropriate. CC ID 06414 | System hardening through configuration management | Preventive | |
| Remove rhosts support unless absolutely necessary. CC ID 01555 | System hardening through configuration management | Preventive | |
| Remove weak authentication services from Pluggable Authentication Modules. CC ID 01556 | System hardening through configuration management | Preventive | |
| Remove the /etc/hosts.equiv file. CC ID 01559 | System hardening through configuration management | Preventive | |
| Create the /etc/ftpd/ftpusers file. CC ID 01560 | System hardening through configuration management | Preventive | |
| Remove the X Wrapper and enable the X Display Manager. CC ID 01564 | System hardening through configuration management | Preventive | |
| Remove empty crontab files and restrict file permissions to the file. CC ID 01571 | System hardening through configuration management | Preventive | |
| Remove all compilers and assemblers from the system. CC ID 01594 | System hardening through configuration management | Preventive | |
| Disable all unnecessary applications unless otherwise noted in a policy exception. CC ID 04827 [The following features of the device’s operating system must be in place:\ - The operating system of the device must contain only the software (components and services) necessary for the intended operation.\ - The operating system must be configured securely and run with least privilege.\ - The security policy enforced by the device must not allow unauthorized or unnecessary functions.\ - API functionality and commands that are not required to support specific functionality must be disabled (and where possible, removed). K21] | System hardening through configuration management | Preventive | |
| Disable the storing of movies in cache in Apple's QuickTime. CC ID 04489 | System hardening through configuration management | Preventive | |
| Install and enable file sharing utilities, as necessary. CC ID 02174 | System hardening through configuration management | Preventive | |
| Disable boot services unless boot services are absolutely necessary. CC ID 01481 | System hardening through configuration management | Preventive | |
| Disable File Services for Macintosh unless File Services for Macintosh are absolutely necessary. CC ID 04279 | System hardening through configuration management | Preventive | |
| Configure the Trivial FTP Daemon service to organizational standards. CC ID 01484 | System hardening through configuration management | Preventive | |
| Disable printer daemons or the printer service unless printer daemons or the printer service is absolutely necessary. CC ID 01487 | System hardening through configuration management | Preventive | |
| Disable web server unless web server is absolutely necessary. CC ID 01490 | System hardening through configuration management | Preventive | |
| Disable portmapper unless portmapper is absolutely necessary. CC ID 01492 | System hardening through configuration management | Preventive | |
| Disable writesrv, pmd, and httpdlite unless writesrv, pmd, and httpdlite are absolutely necessary. CC ID 01498 | System hardening through configuration management | Preventive | |
| Disable hwscan hardware detection unless hwscan hardware detection is absolutely necessary. CC ID 01504 | System hardening through configuration management | Preventive | |
| Configure the “xinetd” service to organizational standards. CC ID 01509 | System hardening through configuration management | Preventive | |
| Configure the /etc/xinetd.conf file permissions as appropriate. CC ID 01568 | System hardening through configuration management | Preventive | |
| Disable inetd unless inetd is absolutely necessary. CC ID 01508 | System hardening through configuration management | Preventive | |
| Disable Network Computing System unless it is absolutely necessary. CC ID 01497 | System hardening through configuration management | Preventive | |
| Disable print server for macintosh unless print server for macintosh is absolutely necessary. CC ID 04284 | System hardening through configuration management | Preventive | |
| Disable Print Server unless Print Server is absolutely necessary. CC ID 01488 | System hardening through configuration management | Preventive | |
| Disable ruser/remote login/remote shell/rcp command, unless it is absolutely necessary. CC ID 01480 | System hardening through configuration management | Preventive | |
| Disable xfsmd unless xfsmd is absolutely necessary. CC ID 02179 | System hardening through configuration management | Preventive | |
| Disable RPC-based services unless RPC-based services are absolutely necessary. CC ID 01455 | System hardening through configuration management | Preventive | |
| Disable netfs script unless netfs script is absolutely necessary. CC ID 01495 | System hardening through configuration management | Preventive | |
| Disable Remote Procedure Calls unless Remote Procedure Calls are absolutely necessary and if enabled, set restrictions. CC ID 01456 | System hardening through configuration management | Preventive | |
| Configure the "RPC Endpoint Mapper Client Authentication" setting. CC ID 04327 | System hardening through configuration management | Preventive | |
| Disable ncpfs Script unless ncpfs Script is absolutely necessary. CC ID 01494 | System hardening through configuration management | Preventive | |
| Disable sendmail server unless sendmail server is absolutely necessary. CC ID 01511 | System hardening through configuration management | Preventive | |
| Disable postfix unless postfix is absolutely necessary. CC ID 01512 | System hardening through configuration management | Preventive | |
| Disable directory server unless directory server is absolutely necessary. CC ID 01464 | System hardening through configuration management | Preventive | |
| Disable Windows-compatibility client processes unless Windows-compatibility client processes are absolutely necessary. CC ID 01471 | System hardening through configuration management | Preventive | |
| Disable Windows-compatibility servers unless Windows-compatibility servers are absolutely necessary. CC ID 01470 | System hardening through configuration management | Preventive | |
| Configure the “Network File System” server to organizational standards CC ID 01472 | System hardening through configuration management | Preventive | |
| Configure NFS to respond or not as appropriate to NFS client requests that do not include a User ID. CC ID 05981 | System hardening through configuration management | Preventive | |
| Configure NFS with appropriate authentication methods. CC ID 05982 | System hardening through configuration management | Preventive | |
| Configure the "AUTH_DES authentication mechanism" for "NFS server" setting to organizational standards. CC ID 08971 | System hardening through configuration management | Preventive | |
| Configure the "AUTH_KERB authentication mechanism" for "NFS server" setting to organizational standards. CC ID 08972 | System hardening through configuration management | Preventive | |
| Configure the "AUTH_NONE authentication mechanism" for "NFS server" setting to organizational standards. CC ID 08973 | System hardening through configuration management | Preventive | |
| Configure the "AUTH_UNIX authentication mechanism" for "NFS server" setting to organizational standards. CC ID 08974 | System hardening through configuration management | Preventive | |
| Disable webmin processes unless the webmin process is absolutely necessary. CC ID 01501 | System hardening through configuration management | Preventive | |
| Disable automount daemon unless automount daemon is absolutely necessary. CC ID 01476 | System hardening through configuration management | Preventive | |
| Disable CDE-related daemons unless CDE-related daemons are absolutely necessary. CC ID 01474 | System hardening through configuration management | Preventive | |
| Disable finger unless finger is absolutely necessary. CC ID 01505 | System hardening through configuration management | Preventive | |
| Disable Rexec unless Rexec is absolutely necessary. CC ID 02164 | System hardening through configuration management | Preventive | |
| Disable Squid cache server unless Squid cache server is absolutely necessary. CC ID 01502 | System hardening through configuration management | Preventive | |
| Disable Kudzu hardware detection unless Kudzu hardware detection is absolutely necessary. CC ID 01503 | System hardening through configuration management | Preventive | |
| Install and enable public Instant Messaging clients as necessary. CC ID 02173 | System hardening through configuration management | Preventive | |
| Disable x font server unless x font server is absolutely necessary. CC ID 01499 | System hardening through configuration management | Preventive | |
| Disable NFS client processes unless NFS client processes are absolutely necessary. CC ID 01475 | System hardening through configuration management | Preventive | |
| Disable removable storage media daemon unless the removable storage media daemon is absolutely necessary. CC ID 01477 | System hardening through configuration management | Preventive | |
| Disable GSS daemon unless GSS daemon is absolutely necessary. CC ID 01465 | System hardening through configuration management | Preventive | |
| Disable Computer Browser unless Computer Browser is absolutely necessary. CC ID 01814 | System hardening through configuration management | Preventive | |
| Configure the Computer Browser ResetBrowser Frames as appropriate. CC ID 05984 | System hardening through configuration management | Preventive | |
| Configure the /etc/samba/smb.conf file file permissions as appropriate. CC ID 05989 | System hardening through configuration management | Preventive | |
| Disable NetMeeting remote desktop sharing unless NetMeeting remote desktop sharing is absolutely necessary. CC ID 01821 | System hardening through configuration management | Preventive | |
| Disable web directory browsing on all web-enabled devices. CC ID 01874 | System hardening through configuration management | Preventive | |
| Disable WWW publishing services unless WWW publishing services are absolutely necessary. CC ID 01833 | System hardening through configuration management | Preventive | |
| Install and enable samba, as necessary. CC ID 02175 | System hardening through configuration management | Preventive | |
| Configure the samba hosts allow option with an appropriate set of networks. CC ID 05985 | System hardening through configuration management | Preventive | |
| Configure the samba security option option as appropriate. CC ID 05986 | System hardening through configuration management | Preventive | |
| Configure the samba encrypt passwords option as appropriate. CC ID 05987 | System hardening through configuration management | Preventive | |
| Configure the Samba 'smb passwd file' option with an appropriate password file or no password file. CC ID 05988 | System hardening through configuration management | Preventive | |
| Disable Usenet Internet news package file capabilities unless Usenet Internet news package file capabilities are absolutely necessary. CC ID 02176 | System hardening through configuration management | Preventive | |
| Disable iPlanet Web Server unless iPlanet Web Server is absolutely necessary. CC ID 02172 | System hardening through configuration management | Preventive | |
| Disable volume manager unless volume manager is absolutely necessary. CC ID 01469 | System hardening through configuration management | Preventive | |
| Disable Solaris Management Console unless Solaris Management Console is absolutely necessary. CC ID 01468 | System hardening through configuration management | Preventive | |
| Disable the Graphical User Interface unless it is absolutely necessary. CC ID 01466 | System hardening through configuration management | Preventive | |
| Disable help and support unless help and support is absolutely necessary. CC ID 04280 | System hardening through configuration management | Preventive | |
| Disable speech recognition unless speech recognition is absolutely necessary. CC ID 04491 | System hardening through configuration management | Preventive | |
| Disable or secure the NetWare QuickFinder search engine. CC ID 04453 | System hardening through configuration management | Preventive | |
| Disable messenger unless messenger is absolutely necessary. CC ID 01819 | System hardening through configuration management | Preventive | |
| Configure the "Do not allow Windows Messenger to be run" setting. CC ID 04516 | System hardening through configuration management | Preventive | |
| Configure the "Do not automatically start Windows Messenger initially" setting. CC ID 04517 | System hardening through configuration management | Preventive | |
| Configure the "Turn off the Windows Messenger Customer Experience Improvement Program" setting. CC ID 04330 | System hardening through configuration management | Preventive | |
| Disable automatic updates unless automatic updates are absolutely necessary. CC ID 01811 | System hardening through configuration management | Preventive | |
| Configure automatic update installation and shutdown/restart options and shutdown/restart procedures to organizational standards. CC ID 05979 | System hardening through configuration management | Preventive | |
| Disable Name Service Cache Daemon unless Name Service Cache Daemon is absolutely necessary. CC ID 04846 | System hardening through configuration management | Preventive | |
| Prohibit R-command files from existing for root or administrator. CC ID 16322 | System hardening through configuration management | Preventive | |
| Verify the /bin/rsh file exists or not, as appropriate. CC ID 05101 | System hardening through configuration management | Preventive | |
| Verify the /sbin/rsh file exists or not, as appropriate. CC ID 05102 | System hardening through configuration management | Preventive | |
| Verify the /usr/bin/rsh file exists or not, as appropriate. CC ID 05103 | System hardening through configuration management | Preventive | |
| Verify the /etc/ftpusers file exists or not, as appropriate. CC ID 05104 | System hardening through configuration management | Preventive | |
| Verify the /etc/rsh file exists or not, as appropriate. CC ID 05105 | System hardening through configuration management | Preventive | |
| Install or uninstall the AIDE package, as appropriate. CC ID 05106 | System hardening through configuration management | Preventive | |
| Enable the GNOME automounter (gnome-volume-manager) as necessary. CC ID 05107 | System hardening through configuration management | Preventive | |
| Install or uninstall the setroubleshoot package, as appropriate. CC ID 05108 | System hardening through configuration management | Preventive | |
| Configure Avahi properly. CC ID 05109 | System hardening through configuration management | Preventive | |
| Install or uninstall OpenNTPD, as appropriate. CC ID 05110 | System hardening through configuration management | Preventive | |
| Configure the "httpd" service to organizational standards. CC ID 05111 | System hardening through configuration management | Preventive | |
| Install or uninstall the net-smtp package properly. CC ID 05112 | System hardening through configuration management | Preventive | |
| Configure the apache web service properly. CC ID 05113 | System hardening through configuration management | Preventive | |
| Configure the vlock package properly. CC ID 05114 | System hardening through configuration management | Preventive | |
| Configure the daemon account properly. CC ID 05115 | System hardening through configuration management | Preventive | |
| Configure the bin account properly. CC ID 05116 | System hardening through configuration management | Preventive | |
| Configure the nuucp account properly. CC ID 05117 | System hardening through configuration management | Preventive | |
| Configure the smmsp account properly. CC ID 05118 | System hardening through configuration management | Preventive | |
| Configure the listen account properly. CC ID 05119 | System hardening through configuration management | Preventive | |
| Configure the gdm account properly. CC ID 05120 | System hardening through configuration management | Preventive | |
| Configure the webservd account properly. CC ID 05121 | System hardening through configuration management | Preventive | |
| Configure the nobody account properly. CC ID 05122 | System hardening through configuration management | Preventive | |
| Configure the noaccess account properly. CC ID 05123 | System hardening through configuration management | Preventive | |
| Configure the nobody4 account properly. CC ID 05124 | System hardening through configuration management | Preventive | |
| Configure the sys account properly. CC ID 05125 | System hardening through configuration management | Preventive | |
| Configure the adm account properly. CC ID 05126 | System hardening through configuration management | Preventive | |
| Configure the lp account properly. CC ID 05127 | System hardening through configuration management | Preventive | |
| Configure the uucp account properly. CC ID 05128 | System hardening through configuration management | Preventive | |
| Install or uninstall the tftp-server package, as appropriate. CC ID 05130 | System hardening through configuration management | Preventive | |
| Enable the web console as necessary. CC ID 05131 | System hardening through configuration management | Preventive | |
| Enable rlogin auth by Pluggable Authentication Modules or pam.d properly. CC ID 05132 | System hardening through configuration management | Preventive | |
| Enable rsh auth by Pluggable Authentication Modules properly. CC ID 05133 | System hardening through configuration management | Preventive | |
| Enable the listening sendmail daemon, as appropriate. CC ID 05134 | System hardening through configuration management | Preventive | |
| Configure Squid properly. CC ID 05135 | System hardening through configuration management | Preventive | |
| Configure the "/etc/shells" file to organizational standards. CC ID 08978 | System hardening through configuration management | Preventive | |
| Configure the LDAP package to organizational standards. CC ID 09937 | System hardening through configuration management | Preventive | |
| Configure the "FTP server" package to organizational standards. CC ID 09938 | System hardening through configuration management | Preventive | |
| Configure the "HTTP Proxy Server" package to organizational standards. CC ID 09939 | System hardening through configuration management | Preventive | |
| Configure the "prelink" package to organizational standards. CC ID 11379 | System hardening through configuration management | Preventive | |
| Configure the Network Information Service (NIS) package to organizational standards. CC ID 11380 | System hardening through configuration management | Preventive | |
| Configure the "time" setting to organizational standards. CC ID 11381 | System hardening through configuration management | Preventive | |
| Configure the "biosdevname" package to organizational standards. CC ID 11383 | System hardening through configuration management | Preventive | |
| Configure the "ufw" setting to organizational standards. CC ID 11384 | System hardening through configuration management | Preventive | |
| Configure the "Devices: Allow undock without having to log on" setting. CC ID 01728 | System hardening through configuration management | Preventive | |
| Limit the user roles that are allowed to format and eject removable storage media. CC ID 01729 | System hardening through configuration management | Preventive | |
| Prevent users from installing printer drivers. CC ID 01730 | System hardening through configuration management | Preventive | |
| Minimize the inetd.conf file and set the file to the appropriate permissions. CC ID 01506 | System hardening through configuration management | Preventive | |
| Configure the unsigned driver installation behavior. CC ID 01733 | System hardening through configuration management | Preventive | |
| Configure the unsigned non-driver installation behavior. CC ID 02038 | System hardening through configuration management | Preventive | |
| Remove all demonstration applications on the system. CC ID 01875 | System hardening through configuration management | Preventive | |
| Configure the system to disallow optional Subsystems. CC ID 04265 | System hardening through configuration management | Preventive | |
| Configure the "Remove Security tab" setting. CC ID 04380 | System hardening through configuration management | Preventive | |
| Disable all unnecessary services unless otherwise noted in a policy exception. CC ID 00880 | System hardening through configuration management | Preventive | |
| Disable rquotad unless rquotad is absolutely necessary. CC ID 01473 | System hardening through configuration management | Preventive | |
| Configure the rquotad service to use a static port or a dynamic portmapper port as appropriate. CC ID 05983 | System hardening through configuration management | Preventive | |
| Disable telnet unless telnet use is absolutely necessary. CC ID 01478 | System hardening through configuration management | Preventive | |
| Disable File Transfer Protocol unless File Transfer Protocol use is absolutely necessary. CC ID 01479 | System hardening through configuration management | Preventive | |
| Configure anonymous FTP to restrict the use of restricted data. CC ID 16314 | System hardening through configuration management | Preventive | |
| Disable anonymous access to File Transfer Protocol. CC ID 06739 | System hardening through configuration management | Preventive | |
| Disable Internet Message Access Protocol unless Internet Message Access Protocol use is absolutely necessary. CC ID 01485 | System hardening through configuration management | Preventive | |
| Disable Post Office Protocol unless its use is absolutely necessary. CC ID 01486 | System hardening through configuration management | Preventive | |
| Disable SQLServer processes unless SQLServer processes use is absolutely necessary. CC ID 01500 | System hardening through configuration management | Preventive | |
| Disable alerter unless alerter use is absolutely necessary. CC ID 01810 | System hardening through configuration management | Preventive | |
| Disable Background Intelligent Transfer Service unless Background Intelligent Transfer Service use is absolutely necessary. CC ID 01812 | System hardening through configuration management | Preventive | |
| Disable ClipBook unless ClipBook use is absolutely necessary. CC ID 01813 | System hardening through configuration management | Preventive | |
| Disable Fax Service unless Fax Service use is absolutely necessary. CC ID 01815 | System hardening through configuration management | Preventive | |
| Disable IIS admin service unless IIS admin service use is absolutely necessary. CC ID 01817 | System hardening through configuration management | Preventive | |
| Disable indexing service unless indexing service use is absolutely necessary. CC ID 01818 | System hardening through configuration management | Preventive | |
| Disable net logon unless net logon use is absolutely necessary. CC ID 01820 | System hardening through configuration management | Preventive | |
| Disable Remote Desktop Help Session Manager unless Remote Desktop Help Session Manager use is absolutely necessary. CC ID 01822 | System hardening through configuration management | Preventive | |
| Disable the "Offer Remote Assistance" setting. CC ID 04325 | System hardening through configuration management | Preventive | |
| Disable the "Solicited Remote Assistance" setting. CC ID 04326 | System hardening through configuration management | Preventive | |
| Disable Remote Registry Service unless Remote Registry Service use is absolutely necessary. CC ID 01823 | System hardening through configuration management | Preventive | |
| Disable Routing and Remote Access unless Routing and Remote Access use is necessary. CC ID 01824 | System hardening through configuration management | Preventive | |
| Disable task scheduler unless task scheduler use is absolutely necessary. CC ID 01829 | System hardening through configuration management | Preventive | |
| Disable Terminal Services unless Terminal Services use is absolutely necessary. CC ID 01831 | System hardening through configuration management | Preventive | |
| Disable Universal Plug and Play device host unless Universal Plug and Play device host use is absolutely necessary. CC ID 01832 | System hardening through configuration management | Preventive | |
| Disable File Service Protocol. CC ID 02167 | System hardening through configuration management | Preventive | |
| Disable the License Logging Service unless unless it is absolutely necessary. CC ID 04282 | System hardening through configuration management | Preventive | |
| Disable Remote Access Auto Connection Manager unless Remote Access Auto Connection Manager use is absolutely necessary. CC ID 04285 | System hardening through configuration management | Preventive | |
| Disable Remote Access Connection Manager unless Remote Access Connection Manager use is absolutely necessary. CC ID 04286 | System hardening through configuration management | Preventive | |
| Disable Remote Administration Service unless remote administration management is absolutely necessary. CC ID 04287 | System hardening through configuration management | Preventive | |
| Disable remote installation unless remote installation is absolutely necessary. CC ID 04288 | System hardening through configuration management | Preventive | |
| Disable Remote Server Manager unless Remote Server Manager is absolutely necessary. CC ID 04289 | System hardening through configuration management | Preventive | |
| Disable Remote Server Monitor unless Remote Server Monitor use is absolutely necessary. CC ID 04290 | System hardening through configuration management | Preventive | |
| Disable Remote Storage Notification unless Remote Storage Notification use is absolutely necessary. CC ID 04291 | System hardening through configuration management | Preventive | |
| Disable Remote Storage Server unless Remote Storage Server use is absolutely necessary. CC ID 04292 | System hardening through configuration management | Preventive | |
| Disable telephony services unless telephony services use is absolutely necessary. CC ID 04293 | System hardening through configuration management | Preventive | |
| Disable Wireless Zero Configuration service unless Wireless Zero Configuration service use is absolutely necessary. CC ID 04294 | System hardening through configuration management | Preventive | |
| Disable SSDP/UPnp unless SSDP/UPnP is absolutely necessary. CC ID 04315 | System hardening through configuration management | Preventive | |
| Configure the "ntpd service" setting to organizational standards. CC ID 04911 | System hardening through configuration management | Preventive | |
| Configure the "echo service" setting to organizational standards. CC ID 04912 | System hardening through configuration management | Preventive | |
| Configure the "echo-dgram service" setting to organizational standards. CC ID 09927 | System hardening through configuration management | Preventive | |
| Configure the "echo-stream service" setting to organizational standards. CC ID 09928 | System hardening through configuration management | Preventive | |
| Configure the "AllowTcpForwarding" to organizational standards. CC ID 15327 | System hardening through configuration management | Preventive | |
| Configure the "tcpmux-server" setting to organizational standards. CC ID 09929 | System hardening through configuration management | Preventive | |
| Configure the "netstat service" setting to organizational standards. CC ID 04913 | System hardening through configuration management | Preventive | |
| Configure the "character generator protocol (chargen)" setting to organizational standards. CC ID 04914 | System hardening through configuration management | Preventive | |
| Configure the "tftpd service" setting to organizational standards. CC ID 04915 | System hardening through configuration management | Preventive | |
| Configure the "walld service" setting to organizational standards. CC ID 04916 | System hardening through configuration management | Preventive | |
| Configure the "rstatd service" setting to organizational standards. CC ID 04917 | System hardening through configuration management | Preventive | |
| Configure the "sprayd service" setting to organizational standards. CC ID 04918 | System hardening through configuration management | Preventive | |
| Configure the "rusersd service" setting to organizational standards. CC ID 04919 | System hardening through configuration management | Preventive | |
| Configure the "inn service" setting to organizational standards. CC ID 04920 | System hardening through configuration management | Preventive | |
| Configure the "font service" setting to organizational standards. CC ID 04921 | System hardening through configuration management | Preventive | |
| Configure the "ident service" setting to organizational standards. CC ID 04922 | System hardening through configuration management | Preventive | |
| Configure the "rexd service" setting to organizational standards. CC ID 04923 | System hardening through configuration management | Preventive | |
| Configure the "daytime service" setting to organizational standards. CC ID 04924 | System hardening through configuration management | Preventive | |
| Configure the "dtspc (cde-spc) service" setting to organizational standards. CC ID 04925 | System hardening through configuration management | Preventive | |
| Configure the "cmsd service" setting to organizational standards. CC ID 04926 | System hardening through configuration management | Preventive | |
| Configure the "ToolTalk service" setting to organizational standards. CC ID 04927 | System hardening through configuration management | Preventive | |
| Configure the "discard service" setting to organizational standards. CC ID 04928 | System hardening through configuration management | Preventive | |
| Configure the "vino-server service" setting to organizational standards. CC ID 04929 | System hardening through configuration management | Preventive | |
| Configure the "bind service" setting to organizational standards. CC ID 04930 | System hardening through configuration management | Preventive | |
| Configure the "nfsd service" setting to organizational standards. CC ID 04931 | System hardening through configuration management | Preventive | |
| Configure the "mountd service" setting to organizational standards. CC ID 04932 | System hardening through configuration management | Preventive | |
| Configure the "statd service" setting to organizational standards. CC ID 04933 | System hardening through configuration management | Preventive | |
| Configure the "lockd service" setting to organizational standards. CC ID 04934 | System hardening through configuration management | Preventive | |
| Configure the lockd service to use a static port or a dynamic portmapper port for User Datagram Protocol as appropriate. CC ID 05980 | System hardening through configuration management | Preventive | |
| Configure the "decode sendmail alias" setting to organizational standards. CC ID 04935 | System hardening through configuration management | Preventive | |
| Configure the sendmail vrfy command, as appropriate. CC ID 04936 | System hardening through configuration management | Preventive | |
| Configure the sendmail expn command, as appropriate. CC ID 04937 | System hardening through configuration management | Preventive | |
| Configure .netrc with an appropriate set of services. CC ID 04938 | System hardening through configuration management | Preventive | |
| Enable NFS insecure locks as necessary. CC ID 04939 | System hardening through configuration management | Preventive | |
| Configure the "X server ac" setting to organizational standards. CC ID 04940 | System hardening through configuration management | Preventive | |
| Configure the "X server core" setting to organizational standards. CC ID 04941 | System hardening through configuration management | Preventive | |
| Enable or disable the setroubleshoot service, as appropriate. CC ID 05540 | System hardening through configuration management | Preventive | |
| Configure the "X server nolock" setting to organizational standards. CC ID 04942 | System hardening through configuration management | Preventive | |
| Enable or disable the mcstrans service, as appropriate. CC ID 05541 | System hardening through configuration management | Preventive | |
| Configure the "PAM console" setting to organizational standards. CC ID 04943 | System hardening through configuration management | Preventive | |
| Enable or disable the restorecond service, as appropriate. CC ID 05542 | System hardening through configuration management | Preventive | |
| Enable the rhnsd service as necessary. CC ID 04944 | System hardening through configuration management | Preventive | |
| Enable the yum-updatesd service as necessary. CC ID 04945 | System hardening through configuration management | Preventive | |
| Enable the autofs service as necessary. CC ID 04946 | System hardening through configuration management | Preventive | |
| Enable the ip6tables service as necessary. CC ID 04947 | System hardening through configuration management | Preventive | |
| Configure syslog to organizational standards. CC ID 04949 | System hardening through configuration management | Preventive | |
| Enable the auditd service as necessary. CC ID 04950 | System hardening through configuration management | Preventive | |
| Enable the logwatch service as necessary. CC ID 04951 | System hardening through configuration management | Preventive | |
| Enable the logrotate (syslog rotator) service as necessary. CC ID 04952 | System hardening through configuration management | Preventive | |
| Install or uninstall the telnet server package, only if absolutely necessary. CC ID 04953 | System hardening through configuration management | Preventive | |
| Enable the ypbind service as necessary. CC ID 04954 | System hardening through configuration management | Preventive | |
| Enable the ypserv service as necessary. CC ID 04955 | System hardening through configuration management | Preventive | |
| Enable the firstboot service as necessary. CC ID 04956 | System hardening through configuration management | Preventive | |
| Enable the gpm service as necessary. CC ID 04957 | System hardening through configuration management | Preventive | |
| Enable the irqbalance service as necessary. CC ID 04958 | System hardening through configuration management | Preventive | |
| Enable the isdn service as necessary. CC ID 04959 | System hardening through configuration management | Preventive | |
| Enable the kdump service as necessary. CC ID 04960 | System hardening through configuration management | Preventive | |
| Enable the mdmonitor service as necessary. CC ID 04961 | System hardening through configuration management | Preventive | |
| Enable the microcode_ctl service as necessary. CC ID 04962 | System hardening through configuration management | Preventive | |
| Enable the pcscd service as necessary. CC ID 04963 | System hardening through configuration management | Preventive | |
| Enable the smartd service as necessary. CC ID 04964 | System hardening through configuration management | Preventive | |
| Enable the readahead_early service as necessary. CC ID 04965 | System hardening through configuration management | Preventive | |
| Enable the readahead_later service as necessary. CC ID 04966 | System hardening through configuration management | Preventive | |
| Enable the messagebus service as necessary. CC ID 04967 | System hardening through configuration management | Preventive | |
| Enable the haldaemon service as necessary. CC ID 04968 | System hardening through configuration management | Preventive | |
| Enable the apmd service as necessary. CC ID 04969 | System hardening through configuration management | Preventive | |
| Enable the acpid service as necessary. CC ID 04970 | System hardening through configuration management | Preventive | |
| Enable the cpuspeed service as necessary. CC ID 04971 | System hardening through configuration management | Preventive | |
| Enable the network service as necessary. CC ID 04972 | System hardening through configuration management | Preventive | |
| Enable the hidd service as necessary. CC ID 04973 | System hardening through configuration management | Preventive | |
| Enable the crond service as necessary. CC ID 04974 | System hardening through configuration management | Preventive | |
| Install and enable the anacron service as necessary. CC ID 04975 | System hardening through configuration management | Preventive | |
| Enable the xfs service as necessary. CC ID 04976 | System hardening through configuration management | Preventive | |
| Install and enable the Avahi daemon service, as necessary. CC ID 04977 | System hardening through configuration management | Preventive | |
| Enable the CUPS service, as necessary. CC ID 04978 | System hardening through configuration management | Preventive | |
| Enable the hplip service as necessary. CC ID 04979 | System hardening through configuration management | Preventive | |
| Enable the dhcpd service as necessary. CC ID 04980 | System hardening through configuration management | Preventive | |
| Enable the nfslock service as necessary. CC ID 04981 | System hardening through configuration management | Preventive | |
| Enable the rpcgssd service as necessary. CC ID 04982 | System hardening through configuration management | Preventive | |
| Enable the rpcidmapd service as necessary. CC ID 04983 | System hardening through configuration management | Preventive | |
| Enable the rpcsvcgssd service as necessary. CC ID 04985 | System hardening through configuration management | Preventive | |
| Configure root squashing for all NFS shares, as appropriate. CC ID 04986 | System hardening through configuration management | Preventive | |
| Configure write access to NFS shares, as appropriate. CC ID 04987 | System hardening through configuration management | Preventive | |
| Configure the named service, as appropriate. CC ID 04988 | System hardening through configuration management | Preventive | |
| Configure the vsftpd service, as appropriate. CC ID 04989 | System hardening through configuration management | Preventive | |
| Configure the “dovecot” service to organizational standards. CC ID 04990 | System hardening through configuration management | Preventive | |
| Configure Server Message Block (SMB) to organizational standards. CC ID 04991 | System hardening through configuration management | Preventive | |
| Enable the snmpd service as necessary. CC ID 04992 | System hardening through configuration management | Preventive | |
| Enable the calendar manager as necessary. CC ID 04993 | System hardening through configuration management | Preventive | |
| Enable the GNOME logon service as necessary. CC ID 04994 | System hardening through configuration management | Preventive | |
| Enable the WBEM services as necessary. CC ID 04995 | System hardening through configuration management | Preventive | |
| Enable the keyserv service as necessary. CC ID 04996 | System hardening through configuration management | Preventive | |
| Enable the Generic Security Service daemon as necessary. CC ID 04997 | System hardening through configuration management | Preventive | |
| Enable the volfs service as necessary. CC ID 04998 | System hardening through configuration management | Preventive | |
| Enable the smserver service as necessary. CC ID 04999 | System hardening through configuration management | Preventive | |
| Enable the mpxio-upgrade service as necessary. CC ID 05000 | System hardening through configuration management | Preventive | |
| Enable the metainit service as necessary. CC ID 05001 | System hardening through configuration management | Preventive | |
| Enable the meta service as necessary. CC ID 05003 | System hardening through configuration management | Preventive | |
| Enable the metaed service as necessary. CC ID 05004 | System hardening through configuration management | Preventive | |
| Enable the metamh service as necessary. CC ID 05005 | System hardening through configuration management | Preventive | |
| Enable the Local RPC Port Mapping Service as necessary. CC ID 05006 | System hardening through configuration management | Preventive | |
| Enable the Kerberos kadmind service as necessary. CC ID 05007 | System hardening through configuration management | Preventive | |
| Enable the Kerberos krb5kdc service as necessary. CC ID 05008 | System hardening through configuration management | Preventive | |
| Enable the Kerberos kpropd service as necessary. CC ID 05009 | System hardening through configuration management | Preventive | |
| Enable the Kerberos ktkt_warnd service as necessary. CC ID 05010 | System hardening through configuration management | Preventive | |
| Enable the sadmin service as necessary. CC ID 05011 | System hardening through configuration management | Preventive | |
| Enable the IPP listener as necessary. CC ID 05012 | System hardening through configuration management | Preventive | |
| Enable the serial port listener as necessary. CC ID 05013 | System hardening through configuration management | Preventive | |
| Enable the Smart Card Helper service as necessary. CC ID 05014 | System hardening through configuration management | Preventive | |
| Enable the Application Management service as necessary. CC ID 05015 | System hardening through configuration management | Preventive | |
| Enable the Resultant Set of Policy (RSoP) Provider service as necessary. CC ID 05016 | System hardening through configuration management | Preventive | |
| Enable the Network News Transport Protocol service as necessary. CC ID 05017 | System hardening through configuration management | Preventive | |
| Enable the network Dynamic Data Exchange service as necessary. CC ID 05018 | System hardening through configuration management | Preventive | |
| Enable the Distributed Link Tracking Server service as necessary. CC ID 05019 | System hardening through configuration management | Preventive | |
| Enable the RARP service as necessary. CC ID 05020 | System hardening through configuration management | Preventive | |
| Configure the ".NET Framework service" setting to organizational standards. CC ID 05021 | System hardening through configuration management | Preventive | |
| Enable the Network DDE Share Database Manager service as necessary. CC ID 05022 | System hardening through configuration management | Preventive | |
| Enable the Certificate Services service as necessary. CC ID 05023 | System hardening through configuration management | Preventive | |
| Configure the ATI hotkey poller service properly. CC ID 05024 | System hardening through configuration management | Preventive | |
| Configure the Interix Subsystem Startup service properly. CC ID 05025 | System hardening through configuration management | Preventive | |
| Configure the Cluster Service service properly. CC ID 05026 | System hardening through configuration management | Preventive | |
| Configure the IAS Jet Database Access service properly. CC ID 05027 | System hardening through configuration management | Preventive | |
| Configure the IAS service properly. CC ID 05028 | System hardening through configuration management | Preventive | |
| Configure the IP Version 6 Helper service properly. CC ID 05029 | System hardening through configuration management | Preventive | |
| Configure "Message Queuing service" to organizational standards. CC ID 05030 | System hardening through configuration management | Preventive | |
| Configure the Message Queuing Down Level Clients service properly. CC ID 05031 | System hardening through configuration management | Preventive | |
| Configure the Windows Management Instrumentation Driver Extensions service properly. CC ID 05033 | System hardening through configuration management | Preventive | |
| Configure the TCP/IP NetBIOS Helper Service properly. CC ID 05034 | System hardening through configuration management | Preventive | |
| Configure the Utility Manager service properly. CC ID 05035 | System hardening through configuration management | Preventive | |
| Configure the secondary logon service properly. CC ID 05036 | System hardening through configuration management | Preventive | |
| Configure the Windows Management Instrumentation service properly. CC ID 05037 | System hardening through configuration management | Preventive | |
| Configure the Workstation service properly. CC ID 05038 | System hardening through configuration management | Preventive | |
| Configure the Windows Installer service properly. CC ID 05039 | System hardening through configuration management | Preventive | |
| Configure the Windows System Resource Manager service properly. CC ID 05040 | System hardening through configuration management | Preventive | |
| Configure the WinHTTP Web Proxy Auto-Discovery Service properly. CC ID 05041 | System hardening through configuration management | Preventive | |
| Configure the Services for Unix Client for NFS service properly. CC ID 05042 | System hardening through configuration management | Preventive | |
| Configure the Services for Unix Server for PCNFS service properly. CC ID 05043 | System hardening through configuration management | Preventive | |
| Configure the Services for Unix Perl Socket service properly. CC ID 05044 | System hardening through configuration management | Preventive | |
| Configure the Services for Unix User Name Mapping service properly. CC ID 05045 | System hardening through configuration management | Preventive | |
| Configure the Services for Unix Windows Cron service properly. CC ID 05046 | System hardening through configuration management | Preventive | |
| Configure the Windows Media Services service properly. CC ID 05047 | System hardening through configuration management | Preventive | |
| Configure the Services for Netware Service Advertising Protocol (SAP) Agent properly. CC ID 05048 | System hardening through configuration management | Preventive | |
| Configure the Web Element Manager service properly. CC ID 05049 | System hardening through configuration management | Preventive | |
| Configure the Remote Installation Services Single Instance Storage (SIS) Groveler service properly. CC ID 05050 | System hardening through configuration management | Preventive | |
| Configure the Terminal Services Licensing service properly. CC ID 05051 | System hardening through configuration management | Preventive | |
| Configure the COM+ Event System service properly. CC ID 05052 | System hardening through configuration management | Preventive | |
| Configure the Event Log service properly. CC ID 05053 | System hardening through configuration management | Preventive | |
| Configure the Infrared Monitor service properly. CC ID 05054 | System hardening through configuration management | Preventive | |
| Configure the Services for Unix Server for NFS service properly. CC ID 05055 | System hardening through configuration management | Preventive | |
| Configure the System Event Notification Service properly. CC ID 05056 | System hardening through configuration management | Preventive | |
| Configure the NTLM Security Support Provider service properly. CC ID 05057 | System hardening through configuration management | Preventive | |
| Configure the Performance Logs and Alerts service properly. CC ID 05058 | System hardening through configuration management | Preventive | |
| Configure the Protected Storage service properly. CC ID 05059 | System hardening through configuration management | Preventive | |
| Configure the QoS Admission Control (RSVP) service properly. CC ID 05060 | System hardening through configuration management | Preventive | |
| Configure the Remote Procedure Call service properly. CC ID 05061 | System hardening through configuration management | Preventive | |
| Configure the Removable Storage service properly. CC ID 05062 | System hardening through configuration management | Preventive | |
| Configure the Server service properly. CC ID 05063 | System hardening through configuration management | Preventive | |
| Configure the Security Accounts Manager service properly. CC ID 05064 | System hardening through configuration management | Preventive | |
| Configure the “Network Connections” service to organizational standards. CC ID 05065 | System hardening through configuration management | Preventive | |
| Configure the Logical Disk Manager service properly. CC ID 05066 | System hardening through configuration management | Preventive | |
| Configure the Logical Disk Manager Administrative Service properly. CC ID 05067 | System hardening through configuration management | Preventive | |
| Configure the File Replication service properly. CC ID 05068 | System hardening through configuration management | Preventive | |
| Configure the Kerberos Key Distribution Center service properly. CC ID 05069 | System hardening through configuration management | Preventive | |
| Configure the Intersite Messaging service properly. CC ID 05070 | System hardening through configuration management | Preventive | |
| Configure the Remote Procedure Call locator service properly. CC ID 05071 | System hardening through configuration management | Preventive | |
| Configure the Distributed File System service properly. CC ID 05072 | System hardening through configuration management | Preventive | |
| Configure the Windows Internet Name Service service properly. CC ID 05073 | System hardening through configuration management | Preventive | |
| Configure the FTP Publishing Service properly. CC ID 05074 | System hardening through configuration management | Preventive | |
| Configure the Windows Search service properly. CC ID 05075 | System hardening through configuration management | Preventive | |
| Configure the Microsoft Peer-to-Peer Networking Services service properly. CC ID 05076 | System hardening through configuration management | Preventive | |
| Configure the Remote Shell service properly. CC ID 05077 | System hardening through configuration management | Preventive | |
| Configure Simple TCP/IP services to organizational standards. CC ID 05078 | System hardening through configuration management | Preventive | |
| Configure the Print Services for Unix service properly. CC ID 05079 | System hardening through configuration management | Preventive | |
| Configure the File Shares service to organizational standards. CC ID 05080 | System hardening through configuration management | Preventive | |
| Configure the NetMeeting service properly. CC ID 05081 | System hardening through configuration management | Preventive | |
| Configure the Application Layer Gateway service properly. CC ID 05082 | System hardening through configuration management | Preventive | |
| Configure the Cryptographic Services service properly. CC ID 05083 | System hardening through configuration management | Preventive | |
| Configure the Help and Support Service properly. CC ID 05084 | System hardening through configuration management | Preventive | |
| Configure the Human Interface Device Access service properly. CC ID 05085 | System hardening through configuration management | Preventive | |
| Configure the IMAPI CD-Burning COM service properly. CC ID 05086 | System hardening through configuration management | Preventive | |
| Configure the MS Software Shadow Copy Provider service properly. CC ID 05087 | System hardening through configuration management | Preventive | |
| Configure the Network Location Awareness service properly. CC ID 05088 | System hardening through configuration management | Preventive | |
| Configure the Portable Media Serial Number Service service properly. CC ID 05089 | System hardening through configuration management | Preventive | |
| Configure the System Restore Service service properly. CC ID 05090 | System hardening through configuration management | Preventive | |
| Configure the Themes service properly. CC ID 05091 | System hardening through configuration management | Preventive | |
| Configure the Uninterruptible Power Supply service properly. CC ID 05092 | System hardening through configuration management | Preventive | |
| Configure the Upload Manager service properly. CC ID 05093 | System hardening through configuration management | Preventive | |
| Configure the Volume Shadow Copy Service properly. CC ID 05094 | System hardening through configuration management | Preventive | |
| Configure the WebClient service properly. CC ID 05095 | System hardening through configuration management | Preventive | |
| Configure the Windows Audio service properly. CC ID 05096 | System hardening through configuration management | Preventive | |
| Configure the Windows Image Acquisition service properly. CC ID 05097 | System hardening through configuration management | Preventive | |
| Configure the WMI Performance Adapter service properly. CC ID 05098 | System hardening through configuration management | Preventive | |
| Enable file uploads via vsftpd service, as appropriate. CC ID 05100 | System hardening through configuration management | Preventive | |
| Disable or remove sadmind unless use of sadmind is absolutely necessary. CC ID 06885 | System hardening through configuration management | Preventive | |
| Configure the "SNMP version 1" setting to organizational standards. CC ID 08976 | System hardening through configuration management | Preventive | |
| Configure the "xdmcp service" setting to organizational standards. CC ID 08985 | System hardening through configuration management | Preventive | |
| Disable the automatic display of remote images in HTML-formatted e-mail. CC ID 04494 | System hardening through configuration management | Preventive | |
| Disable Remote Apply Events unless Remote Apply Events are absolutely necessary. CC ID 04495 | System hardening through configuration management | Preventive | |
| Disable Xgrid unless Xgrid is absolutely necessary. CC ID 04496 | System hardening through configuration management | Preventive | |
| Configure the "Do Not Show First Use Dialog Boxes" setting for Windows Media Player properly. CC ID 05136 | System hardening through configuration management | Preventive | |
| Disable Core dumps unless absolutely necessary. CC ID 01507 | System hardening through configuration management | Preventive | |
| Set hard core dump size limits, as appropriate. CC ID 05990 | System hardening through configuration management | Preventive | |
| Configure the "Prevent Desktop Shortcut Creation" setting for Windows Media Player properly. CC ID 05137 | System hardening through configuration management | Preventive | |
| Set the Squid EUID and Squid GUID to an appropriate user and group. CC ID 05138 | System hardening through configuration management | Preventive | |
| Verify groups referenced in /etc/passwd are included in /etc/group, as appropriate. CC ID 05139 | System hardening through configuration management | Preventive | |
| Use of the cron.allow file should be enabled or disabled as appropriate. CC ID 06014 | System hardening through configuration management | Preventive | |
| Use of the at.allow file should be enabled or disabled as appropriate. CC ID 06015 | System hardening through configuration management | Preventive | |
| Enable or disable the Dynamic DNS feature of the DHCP Server as appropriate. CC ID 06039 | System hardening through configuration management | Preventive | |
| Enable or disable each user's Screen saver software, as necessary. CC ID 06050 | System hardening through configuration management | Preventive | |
| Disable any unnecessary scripting languages, as necessary. CC ID 12137 | System hardening through configuration management | Preventive | |
| Configure authenticators to comply with organizational standards. CC ID 06412 | System hardening through configuration management | Preventive | |
| Configure the system to mask authenticators. CC ID 02037 [The device never displays the entered PIN digits. Any array related to PIN entry displays only non-significant symbols, e.g., asterisks. B5] | System hardening through configuration management | Preventive | |
| Configure the system security parameters to prevent system misuse or information misappropriation. CC ID 00881 | System hardening through configuration management | Preventive | |
| Configure the system to a default secure level. CC ID 01519 [The device has guidance that describes the default configuration for each protocol and services for each interface that is available on the device. Each interface and protocol on the device should default to secure settings. If the interface has the ability to be configurable to non-secure settings, vendor guidance should strongly recommend against configuring to non-secure settings. H2] | System hardening through configuration management | Preventive | |
| Create a hardened image of the baseline configuration to be used for building new systems. CC ID 07063 | System hardening through configuration management | Preventive | |
| Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 [The vendor must provide clear security guidance consistent with B2 and B6 to all application developers to ensure:\ - That it is not possible for applications to be influenced by logical anomalies which could result in clear-text data being outputted whilst the terminal is in encrypting mode.\ - That account data is not retained any longer, or used more often, than strictly necessary. K11.2 Account data (in either clear-text or encrypted form) shall not be retained any longer, or used more often, than strictly necessary. K15.2 Sensitive data shall not be retained any longer, or used more often, than strictly necessary. Online PINs are encrypted within the device immediately after PIN entry is complete and has been signified as such by the cardholder, e.g., via pressing the enter button.\ The device must automatically clear its internal buffers when either:\ - The transaction is completed, or\ - The device has timed out waiting for the response from the cardholder or merchant. B6] | Privacy protection for information and data | Preventive | |
Data and Information Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Constrain the information flow of restricted data or restricted information. CC ID 06763 [When operating in encrypting mode, the secure controller can only release clear-text account data to authenticated applications executing within the device. K15.1] | Technical security | Preventive | |
| Quarantine data that fails security tests. CC ID 16500 | Technical security | Corrective | |
| Restrict access to restricted data and restricted information on a need to know basis. CC ID 12453 | Technical security | Preventive | |
| Prohibit restricted data or restricted information from being sent to mobile devices. CC ID 04725 | Technical security | Preventive | |
| Prohibit restricted data or restricted information from being copied or moved absent approval of system boundaries for information flow control. CC ID 06310 | Technical security | Preventive | |
| Protect data from unauthorized disclosure while transmitting between separate parts of the system. CC ID 11859 [All account data is either encrypted immediately upon entry or entered in clear-text into a secure device and processed within the secure controller of the device. K1 The device protects all account data upon entry (consistent with A9 for magnetic stripe data and D1 for Chip data), and there is no method of accessing the clear-text account data (using methods described in A1) without defeating the security of the device. Defeating or circumventing the security mechanism requires an attack potential of at least 16 for identification and initial exploitation, with a minimum of 8 for exploitation. K1.1 The logical and physical integration of an approved secure card reader into a PIN entry POI terminal does not create new attack paths to the account data. The account data is protected from the input component to the secure controller of the device—i.e., it is not possible to insert a bug that would disclose sensitive data. K2] | Technical security | Preventive | |
| Implement the documented cryptographic module security functions. CC ID 06755 | Technical security | Preventive | |
| Establish, implement, and maintain digital signatures. CC ID 13828 | Technical security | Preventive | |
| Include the expiration date in digital signatures. CC ID 13833 | Technical security | Preventive | |
| Include audience restrictions in digital signatures. CC ID 13834 | Technical security | Preventive | |
| Include the subject in digital signatures. CC ID 13832 | Technical security | Preventive | |
| Include the issuer in digital signatures. CC ID 13831 | Technical security | Preventive | |
| Include identifiers in the digital signature. CC ID 13829 | Technical security | Preventive | |
| Encrypt in scope data or in scope information, as necessary. CC ID 04824 [PIN protection during transmission between the device encrypting the PIN and the ICC reader (at least two must apply):\ If the device encrypting the PIN and the ICC reader are not integrated into the same secure module, and the cardholder verification method is determined to be:\ - An enciphered PIN, the PIN block shall be enciphered between the device encrypting the PIN and the ICC reader using either an authenticated encipherment key of the IC card, or in accordance with ISO 9564.\ - A plaintext PIN, the PIN block shall be enciphered from the device encrypting the PIN to the ICC reader (the ICC reader will then decipher the PIN for transmission in plaintext to the IC card) in accordance with ISO 9564.\ If the device encrypting the PIN and the ICC reader are integrated into the same secure module, and the cardholder verification method is determined to be:\ - An enciphered PIN, the PIN block shall be enciphered using an authenticated encipherment key of the IC card.\ - A plaintext PIN, then encipherment is not required if the PIN block is transmitted wholly through a protected environment (as defined in ISO 9564). If the plaintext PIN is transmitted to the ICC reader through an unprotected environment, the PIN block shall be enciphered in accordance with ISO 9564. D4 The device is able to provide the integrity of data that is sent over a network connection.\ a) Integrity is provided by a MAC as defined in ISO 16609, or by a digital signature.\ b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.\ c) Examples of appropriate algorithms and minimum key sizes are stated in Appendix D of the PCI PTS POI DTRs. I3 {mode of operation} All account data shall be encrypted using only ANSI X9 or ISO-approved encryption algorithms (e.g., AES, TDES) and should use ANSI X9 or ISO-approved modes of operation. K4 Sensitive data shall not be retained any longer, or used more often, than strictly necessary. Online PINs are encrypted within the device immediately after PIN entry is complete and has been signified as such by the cardholder, e.g., via pressing the enter button.\ The device must automatically clear its internal buffers when either:\ - The transaction is completed, or\ - The device has timed out waiting for the response from the cardholder or merchant. B6] | Technical security | Preventive | |
| Digitally sign records and data, as necessary. CC ID 16507 | Technical security | Preventive | |
| Decrypt restricted data for the minimum time required. CC ID 12308 | Technical security | Preventive | |
| Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309 | Technical security | Preventive | |
| Establish, implement, and maintain cryptographic key creation domain parameter requirements. CC ID 06575 [The device is able to provide confidentiality of data sent over a network connection.\ a) Encryption mechanism utilizes key sizes appropriate for the algorithm(s) in question.\ b) Encryption is provided by using keys that are established in a secure manner using appropriate key-management procedures, such as those listed in NIST SP800-21, Guidelines for Implementing Cryptography in the Federal Government and ISO 11568 Banking – Key Management (Retail). I2 {Certificate Authority} The device uses a declared security protocol to authenticate the server.\ a) Server authentication utilizes key sizes appropriate for the algorithm(s) in question.\ b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.\ c) The device is able to verify the validity of the public keys it receives.\ d) The device is able to verify the authenticity of the public keys it receives.\ e) The device’s trusted root certificate store shall contain only public key certificates from trusted CA's or else self-signed certificates verified by the acquirer. I4 If using a hash function to generate surrogate PAN values, input to the hash function must use a salt with minimum length of 64 bits. K16.1] | Technical security | Preventive | |
| Protect salt values and hash values in accordance with organizational standards. CC ID 16471 | Technical security | Preventive | |
| Recover encrypted data for lost cryptographic keys, compromised cryptographic keys, or damaged cryptographic keys. CC ID 01301 | Technical security | Preventive | |
| Generate strong cryptographic keys. CC ID 01299 | Technical security | Preventive | |
| Use approved random number generators for creating cryptographic keys. CC ID 06574 | Technical security | Preventive | |
| Disseminate and communicate cryptographic keys securely. CC ID 01300 [If remote key distribution is used, the device supports mutual authentication between the sending key-distribution host and receiving device. K5] | Technical security | Preventive | |
| Control the input and output of cryptographic keys from a cryptographic module. CC ID 06541 | Technical security | Preventive | |
| Store cryptographic keys securely. CC ID 01298 [If the device can hold multiple PIN-encryption keys and if the key to be used to encrypt the PIN can be externally selected, the device prohibits unauthorized key replacement and key misuse. C1 Determination of any cryptographic keys used for account-data encryption, by penetration of the device and/or by monitoring emanations from the device (including power fluctuations), requires an attack potential of at least 26 for identification and initial exploitation with a minimum of 13 for exploitation. K3 Public keys must be stored and used in a manner that protects against unauthorized modification or substitution. Unauthorized modification or substitution requires an attack potential of at least 26 for identification and initial exploitation with a minimum of 13 for exploitation. K3.1] | Technical security | Preventive | |
| Restrict access to cryptographic keys. CC ID 01297 | Technical security | Preventive | |
| Store cryptographic keys in encrypted format. CC ID 06084 [If using a hash function to generate surrogate PAN values, the salt is kept secret and appropriately protected. Disclosure of the salt cannot occur without requiring an attack potential of at least 16 per device for identification and initial exploitation with a minimum of 8 for exploitation. K16.2] | Technical security | Preventive | |
| Change cryptographic keys in accordance with organizational standards. CC ID 01302 | Technical security | Preventive | |
| Destroy cryptographic keys promptly after the retention period. CC ID 01303 | Technical security | Preventive | |
| Control cryptographic keys with split knowledge and dual control. CC ID 01304 [{turnkey system} The vendor must provide a defined and documented process containing specific details on how any signing mechanisms must be implemented. This must include any “turnkey” systems required for compliance with the management of display prompts, or any mechanisms used for authenticating any application code. This must ensure:\ - The signing process is performed under dual control.\ - All executable files are signed.\ - Software is only signed using a secure cryptographic device provided by the terminal vendor. B4.2] | Technical security | Preventive | |
| Prevent the unauthorized substitution of cryptographic keys. CC ID 01305 | Technical security | Preventive | |
| Revoke old cryptographic keys or invalid cryptographic keys immediately. CC ID 01307 | Technical security | Corrective | |
| Replace known or suspected compromised cryptographic keys immediately. CC ID 01306 | Technical security | Corrective | |
| Archive outdated cryptographic keys. CC ID 06884 | Technical security | Preventive | |
| Archive revoked cryptographic keys. CC ID 11819 | Technical security | Preventive | |
| Manage the digital signature cryptographic key pair. CC ID 06576 | Technical security | Preventive | |
| Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Operational management | Preventive | |
| Identify the sender in all electronic messages. CC ID 13996 | Operational management | Preventive | |
| Approve tested change requests. CC ID 11783 | Operational management | Preventive | |
| Allow interested personnel and affected parties to opt out of specific version releases and software updates. CC ID 06809 | Operational management | Preventive | |
| Disable the use of removable storage media for systems that process restricted data or restricted information, as necessary. CC ID 06681 | System hardening through configuration management | Preventive | |
| Protect confidential information during the system development life cycle program. CC ID 13479 | Systems design, build, and implementation | Preventive | |
| Use personal data for specified purposes. CC ID 11831 [Sensitive data shall not be retained any longer, or used more often, than strictly necessary. Online PINs are encrypted within the device immediately after PIN entry is complete and has been signified as such by the cardholder, e.g., via pressing the enter button.\ The device must automatically clear its internal buffers when either:\ - The transaction is completed, or\ - The device has timed out waiting for the response from the cardholder or merchant. B6] | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 | Privacy protection for information and data | Preventive | |
| Provide access to outgoing shipment information, as necessary. CC ID 08942 | Third Party and supply chain oversight | Preventive | |
Establish Roles | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Use biometric authentication for identification and authentication, as necessary. CC ID 06857 | Technical security | Preventive | |
| Define and assign cryptographic, encryption and key management roles and responsibilities. CC ID 15470 | Technical security | Preventive | |
| Establish a Registration Authority to support the Public Key Infrastructure. CC ID 15725 | Technical security | Preventive | |
| Assign ownership of the information security program to the appropriate role. CC ID 00814 | Operational management | Preventive | |
Establish/Maintain Documentation | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain a vulnerability management program. CC ID 15721 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 | Monitoring and measurement | Preventive | |
| Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a risk management program. CC ID 12051 | Audits and risk management | Preventive | |
| Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Preventive | |
| Establish, implement, and maintain a risk assessment program. CC ID 00687 | Audits and risk management | Preventive | |
| Establish, implement, and maintain risk assessment procedures. CC ID 06446 | Audits and risk management | Preventive | |
| Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 [The device has undergone a vulnerability assessment to ensure that the protocols and interfaces list in F1 do not contain exploitable vulnerabilities.\ a) The vulnerability assessment is supported by a documented analysis describing the security of the protocols and interfaces.\ b) The vulnerability assessment is supported by a vulnerability survey of information available in the public domain.\ c) The vulnerability assessment is supported by testing. G2] | Audits and risk management | Preventive | |
| Document organizational risk criteria. CC ID 12277 | Audits and risk management | Preventive | |
| Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 | Audits and risk management | Preventive | |
| Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 | Audits and risk management | Preventive | |
| Include physical assets in the scope of the risk assessment. CC ID 13075 | Audits and risk management | Preventive | |
| Include the results of the risk assessment in the risk assessment report. CC ID 06481 | Audits and risk management | Preventive | |
| Update the risk assessment upon discovery of a new threat. CC ID 00708 | Audits and risk management | Detective | |
| Update the risk assessment upon changes to the risk profile. CC ID 11627 | Audits and risk management | Detective | |
| Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 | Audits and risk management | Preventive | |
| Create a risk assessment report based on the risk assessment results. CC ID 15695 | Audits and risk management | Preventive | |
| Establish, implement, and maintain an access control program. CC ID 11702 | Technical security | Preventive | |
| Establish, implement, and maintain an access rights management plan. CC ID 00513 | Technical security | Preventive | |
| Establish and maintain a memorized secret list. CC ID 13791 | Technical security | Preventive | |
| Establish, implement, and maintain information flow control configuration standards. CC ID 01924 | Technical security | Preventive | |
| Maintain a record of the challenge state during identification and authentication in an automated information exchange. CC ID 06629 | Technical security | Preventive | |
| Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410 | Technical security | Preventive | |
| Establish, implement, and maintain information exchange procedures. CC ID 11782 | Technical security | Preventive | |
| Define the cryptographic module security functions and the cryptographic module operational modes. CC ID 06542 | Technical security | Preventive | |
| Define the cryptographic boundaries. CC ID 06543 | Technical security | Preventive | |
| Establish and maintain the documentation requirements for cryptographic modules. CC ID 06544 | Technical security | Preventive | |
| Establish and maintain the security requirements for cryptographic module ports and cryptographic module interfaces. CC ID 06545 | Technical security | Preventive | |
| Establish, implement, and maintain documentation for the delivery and operation of cryptographic modules. CC ID 06547 | Technical security | Preventive | |
| Document the operation of the cryptographic module. CC ID 06546 | Technical security | Preventive | |
| Generate and protect a secret random number for each digital signature. CC ID 06577 | Technical security | Preventive | |
| Establish the security strength requirements for the digital signature process. CC ID 06578 [The device is able to provide the integrity of data that is sent over a network connection.\ a) Integrity is provided by a MAC as defined in ISO 16609, or by a digital signature.\ b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.\ c) Examples of appropriate algorithms and minimum key sizes are stated in Appendix D of the PCI PTS POI DTRs. I3] | Technical security | Preventive | |
| Establish, implement, and maintain an encryption management and cryptographic controls policy. CC ID 04546 | Technical security | Preventive | |
| Provide guidance to customers on how to securely transmit, store, and update cryptographic keys. CC ID 12040 [The device has guidance for key management describing how keys and certificates must be used.\ a) The key-management guidance is at the disposal of internal users and/or of application developers, system integrators, and end-users of the device.\ b) Key-management security guidance describes the properties of all keys and certificates that can be used by the device.\ c) Key-management security guidance describes the responsibilities of the device vendor, application developers, system integrators, and end-users of the device.\ d) Key-management security guidance ensures secure use of keys and certificates. H3 The device has guidance for key management describing how keys and certificates must be used.\ a) The key-management guidance is at the disposal of internal users and/or of application developers, system integrators, and end-users of the device.\ b) Key-management security guidance describes the properties of all keys and certificates that can be used by the device.\ c) Key-management security guidance describes the responsibilities of the device vendor, application developers, system integrators, and end-users of the device.\ d) Key-management security guidance ensures secure use of keys and certificates. H3] | Technical security | Preventive | |
| Establish, implement, and maintain encryption management procedures. CC ID 15475 | Technical security | Preventive | |
| Establish, implement, and maintain cryptographic key management procedures. CC ID 00571 [The device has guidance for key management describing how keys and certificates must be used.\ a) The key-management guidance is at the disposal of internal users and/or of application developers, system integrators, and end-users of the device.\ b) Key-management security guidance describes the properties of all keys and certificates that can be used by the device.\ c) Key-management security guidance describes the responsibilities of the device vendor, application developers, system integrators, and end-users of the device.\ d) Key-management security guidance ensures secure use of keys and certificates. H3 The device has guidance for key management describing how keys and certificates must be used.\ a) The key-management guidance is at the disposal of internal users and/or of application developers, system integrators, and end-users of the device.\ b) Key-management security guidance describes the properties of all keys and certificates that can be used by the device.\ c) Key-management security guidance describes the responsibilities of the device vendor, application developers, system integrators, and end-users of the device.\ d) Key-management security guidance ensures secure use of keys and certificates. H3 The device is able to provide confidentiality of data sent over a network connection.\ a) Encryption mechanism utilizes key sizes appropriate for the algorithm(s) in question.\ b) Encryption is provided by using keys that are established in a secure manner using appropriate key-management procedures, such as those listed in NIST SP800-21, Guidelines for Implementing Cryptography in the Federal Government and ISO 11568 Banking – Key Management (Retail). I2 {turnkey system} The vendor must provide a defined and documented process containing specific details on how any signing mechanisms must be implemented. This must include any “turnkey” systems required for compliance with the management of display prompts, or any mechanisms used for authenticating any application code. This must ensure:\ - The signing process is performed under dual control.\ - All executable files are signed.\ - Software is only signed using a secure cryptographic device provided by the terminal vendor. B4.2] | Technical security | Preventive | |
| Include recommended cryptographic key management procedures for cloud service providers in the cryptographic key management procedures. CC ID 13152 | Technical security | Preventive | |
| Include requesting cryptographic key types in the cryptographic key management procedures. CC ID 13151 | Technical security | Preventive | |
| Include the establishment of cryptographic keys in the cryptographic key management procedures. CC ID 06540 [{determine}{reside}{penetrate} Determination of any PIN-security-related cryptographic key resident in the device, by penetration of the device and/or by monitoring emanations from the device (including power fluctuations), requires an attack potential of at least 35 for identification and initial exploitation with a minimum of 15 for exploitation. A6 The device has guidance for key management describing how keys and certificates must be used.\ a) The key-management guidance is at the disposal of internal users and/or of application developers, system integrators, and end-users of the device.\ b) Key-management security guidance describes the properties of all keys and certificates that can be used by the device.\ c) Key-management security guidance describes the responsibilities of the device vendor, application developers, system integrators, and end-users of the device.\ d) Key-management security guidance ensures secure use of keys and certificates. H3 {Certificate Authority} The device uses a declared security protocol to authenticate the server.\ a) Server authentication utilizes key sizes appropriate for the algorithm(s) in question.\ b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.\ c) The device is able to verify the validity of the public keys it receives.\ d) The device is able to verify the authenticity of the public keys it receives.\ e) The device’s trusted root certificate store shall contain only public key certificates from trusted CA's or else self-signed certificates verified by the acquirer. I4] | Technical security | Preventive | |
| Include offsite backups of cryptographic keys in the cryptographic key management procedures. CC ID 13127 | Technical security | Preventive | |
| Require key custodians to sign the cryptographic key management policy. CC ID 01308 | Technical security | Preventive | |
| Establish, implement, and maintain requirements for Personal Identity Verification authentication certificates. CC ID 06587 | Technical security | Preventive | |
| Establish, implement, and maintain Public Key certificate application procedures. CC ID 07079 | Technical security | Preventive | |
| Include the Identification and Authentication of individuals or entities in the Public Key certificate application procedures. CC ID 07080 | Technical security | Preventive | |
| Include approving or rejecting Public Key certificate applications in the Public Key certificate application procedure. CC ID 07081 | Technical security | Preventive | |
| Include revocation of Public Key certificates in the Public Key certificate procedures. CC ID 07082 | Technical security | Preventive | |
| Publish revoked Public Key certificates in the Certificate Revocation List. CC ID 07089 | Technical security | Preventive | |
| Establish, implement, and maintain Public Key renewal or rekeying request procedures. CC ID 07083 | Technical security | Preventive | |
| Include identification and authentication in Public Key renewal or rekeying request procedures. CC ID 11816 | Technical security | Preventive | |
| Establish, implement, and maintain Public Key certificate procedures. CC ID 07085 [{Certificate Authority} The device uses a declared security protocol to authenticate the server.\ a) Server authentication utilizes key sizes appropriate for the algorithm(s) in question.\ b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.\ c) The device is able to verify the validity of the public keys it receives.\ d) The device is able to verify the authenticity of the public keys it receives.\ e) The device’s trusted root certificate store shall contain only public key certificates from trusted CA's or else self-signed certificates verified by the acquirer. I4] | Technical security | Preventive | |
| Include signing and issuing Public Key certificates in the Public Key certificate procedures. CC ID 11817 [{Certificate Authority} The device uses a declared security protocol to authenticate the server.\ a) Server authentication utilizes key sizes appropriate for the algorithm(s) in question.\ b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.\ c) The device is able to verify the validity of the public keys it receives.\ d) The device is able to verify the authenticity of the public keys it receives.\ e) The device’s trusted root certificate store shall contain only public key certificates from trusted CA's or else self-signed certificates verified by the acquirer. I4] | Technical security | Preventive | |
| Include publishing Public Key certificates in the Public Key certificate procedures. CC ID 07087 | Technical security | Preventive | |
| Include access to issued Public Key certificates in the Public Key certificate procedures. CC ID 07086 | Technical security | Preventive | |
| Authorize transactions of data transmitted over public networks or shared data networks. CC ID 00566 | Technical security | Preventive | |
| Establish, implement, and maintain a malicious code protection program. CC ID 00574 | Technical security | Preventive | |
| Establish, implement, and maintain a physical security program. CC ID 11757 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a facility physical security program. CC ID 00711 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 | Physical and environmental protection | Preventive | |
| Include Information Technology assets in the asset removal policy. CC ID 13162 | Physical and environmental protection | Preventive | |
| Specify the assets to be returned or removed in the asset removal policy. CC ID 13163 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain asset removal procedures or asset decommissioning procedures. CC ID 04540 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain missing asset reporting procedures. CC ID 06336 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain clean energy standards. CC ID 16285 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain environmental control procedures. CC ID 12246 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain facility maintenance procedures. CC ID 00710 | Physical and environmental protection | Preventive | |
| Define selection criteria for facility locations. CC ID 06351 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain facility demolition procedures. CC ID 16133 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain work environment requirements. CC ID 06613 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain system cleanliness requirements. CC ID 06614 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a fire prevention and fire suppression standard. CC ID 06695 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain electromagnetic compatibility requirements for in scope assets. CC ID 16472 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain a business continuity program. CC ID 13210 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain a continuity plan. CC ID 00752 | Operational and Systems Continuity | Preventive | |
| Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Operational management | Preventive | |
| Establish, implement, and maintain an information security program. CC ID 00812 [The device vendor maintains guidance describing configuration management for the device.\ a) The guidance is at the disposal of internal users, and/or of application developers, system integrators and end-users of the device.\ b) The guidance covers the complete device—including firmware, payment and non-payment applications, forms, multimedia files, certificates, configuration files, configuration setting, and keys.\ c) The guidance covers the complete life cycle of the device from development, over manufacturing, up to delivery and operation.\ d) The security guidance ensures that unauthorized modification is not possible.\ e) The security guidance ensures that any modification of a PTS- approved device that impacts device security, results in a change of the device identifier. J1] | Operational management | Preventive | |
| Include physical safeguards in the information security program. CC ID 12375 | Operational management | Preventive | |
| Include technical safeguards in the information security program. CC ID 12374 | Operational management | Preventive | |
| Include administrative safeguards in the information security program. CC ID 12373 | Operational management | Preventive | |
| Include system development in the information security program. CC ID 12389 | Operational management | Preventive | |
| Include system maintenance in the information security program. CC ID 12388 | Operational management | Preventive | |
| Include system acquisition in the information security program. CC ID 12387 | Operational management | Preventive | |
| Include access control in the information security program. CC ID 12386 | Operational management | Preventive | |
| Include operations management in the information security program. CC ID 12385 | Operational management | Preventive | |
| Include communication management in the information security program. CC ID 12384 | Operational management | Preventive | |
| Include environmental security in the information security program. CC ID 12383 | Operational management | Preventive | |
| Include physical security in the information security program. CC ID 12382 | Operational management | Preventive | |
| Include human resources security in the information security program. CC ID 12381 | Operational management | Preventive | |
| Include asset management in the information security program. CC ID 12380 | Operational management | Preventive | |
| Include a continuous monitoring program in the information security program. CC ID 14323 | Operational management | Preventive | |
| Include change management procedures in the continuous monitoring plan. CC ID 16227 | Operational management | Preventive | |
| include recovery procedures in the continuous monitoring plan. CC ID 16226 | Operational management | Preventive | |
| Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Operational management | Preventive | |
| Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Operational management | Preventive | |
| Include how the information security department is organized in the information security program. CC ID 12379 | Operational management | Preventive | |
| Include risk management in the information security program. CC ID 12378 | Operational management | Preventive | |
| Include mitigating supply chain risks in the information security program. CC ID 13352 | Operational management | Preventive | |
| Establish, implement, and maintain an information security policy. CC ID 11740 | Operational management | Preventive | |
| Include business processes in the information security policy. CC ID 16326 | Operational management | Preventive | |
| Include the information security strategy in the information security policy. CC ID 16125 | Operational management | Preventive | |
| Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Operational management | Preventive | |
| Include roles and responsibilities in the information security policy. CC ID 16120 | Operational management | Preventive | |
| Include a commitment to the information security requirements in the information security policy. CC ID 13496 | Operational management | Preventive | |
| Include information security objectives in the information security policy. CC ID 13493 | Operational management | Preventive | |
| Include the use of Cloud Services in the information security policy. CC ID 13146 | Operational management | Preventive | |
| Include notification procedures in the information security policy. CC ID 16842 | Operational management | Preventive | |
| Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 | Operational management | Preventive | |
| Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Operational management | Preventive | |
| Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 | Operational management | Preventive | |
| Establish, implement, and maintain a social media governance program. CC ID 06536 | Operational management | Preventive | |
| Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 | Operational management | Preventive | |
| Include explicit restrictions in the social media acceptable use policy. CC ID 06655 | Operational management | Preventive | |
| Include contributive content sites in the social media acceptable use policy. CC ID 06656 | Operational management | Preventive | |
| Establish, implement, and maintain operational control procedures. CC ID 00831 | Operational management | Preventive | |
| Include assigning and approving operations in operational control procedures. CC ID 06382 | Operational management | Preventive | |
| Include startup processes in operational control procedures. CC ID 00833 | Operational management | Preventive | |
| Include change control processes in the operational control procedures. CC ID 16793 | Operational management | Preventive | |
| Establish and maintain a data processing run manual. CC ID 00832 | Operational management | Preventive | |
| Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 [The vendor must maintain a manual that provides instructions for the operational management of the POI. This includes instructions for recording the entire life cycle of the POI security-related components and of the manner in which those components are integrated into a single POI, e.g.:\ - Data on production and personalization \ - Physical/chronological whereabouts \ - Repair and maintenance \ - Removal from operation \ - Loss or theft M8] | Operational management | Preventive | |
| Include metrics in the standard operating procedures manual. CC ID 14988 | Operational management | Preventive | |
| Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Operational management | Preventive | |
| Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Operational management | Preventive | |
| Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Operational management | Preventive | |
| Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Operational management | Preventive | |
| Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Operational management | Preventive | |
| Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Operational management | Preventive | |
| Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Operational management | Preventive | |
| Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Operational management | Preventive | |
| Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Operational management | Preventive | |
| Include information on system performance in the standard operating procedures manual. CC ID 14965 | Operational management | Preventive | |
| Include contact details in the standard operating procedures manual. CC ID 14962 | Operational management | Preventive | |
| Update operating procedures that contribute to user errors. CC ID 06935 | Operational management | Corrective | |
| Establish, implement, and maintain a job scheduling methodology. CC ID 00834 | Operational management | Preventive | |
| Establish and maintain a job schedule exceptions list. CC ID 00835 | Operational management | Preventive | |
| Establish, implement, and maintain a data processing continuity plan. CC ID 00836 | Operational management | Preventive | |
| Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 | Operational management | Preventive | |
| Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 | Operational management | Preventive | |
| Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 | Operational management | Preventive | |
| Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 | Operational management | Preventive | |
| Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Operational management | Preventive | |
| Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Operational management | Preventive | |
| Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Operational management | Preventive | |
| Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Operational management | Preventive | |
| Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Operational management | Preventive | |
| Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 | Operational management | Preventive | |
| Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Operational management | Preventive | |
| Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 | Operational management | Preventive | |
| Include asset tags in the Acceptable Use Policy. CC ID 01354 | Operational management | Preventive | |
| Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Operational management | Preventive | |
| Include asset use policies in the Acceptable Use Policy. CC ID 01355 | Operational management | Preventive | |
| Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 | Operational management | Preventive | |
| Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Operational management | Preventive | |
| Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Operational management | Preventive | |
| Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 | Operational management | Preventive | |
| Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 | Operational management | Preventive | |
| Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 | Operational management | Preventive | |
| Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 | Operational management | Preventive | |
| Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 | Operational management | Corrective | |
| Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 | Operational management | Preventive | |
| Include a software installation policy in the Acceptable Use Policy. CC ID 06749 | Operational management | Preventive | |
| Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 | Operational management | Preventive | |
| Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 | Operational management | Preventive | |
| Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 | Operational management | Preventive | |
| Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 | Operational management | Preventive | |
| Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 | Operational management | Preventive | |
| Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 | Operational management | Preventive | |
| Establish, implement, and maintain an e-mail policy. CC ID 06439 | Operational management | Preventive | |
| Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Operational management | Preventive | |
| Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 | Operational management | Preventive | |
| Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 | Operational management | Preventive | |
| Establish, implement, and maintain the systems' integrity level. CC ID 01906 [The device is able to provide the integrity of data that is sent over a network connection.\ a) Integrity is provided by a MAC as defined in ISO 16609, or by a digital signature.\ b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.\ c) Examples of appropriate algorithms and minimum key sizes are stated in Appendix D of the PCI PTS POI DTRs. I3] | Operational management | Preventive | |
| Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 [The device vendor has maintenance measures in place.\ a) The maintenance measures are documented.\ b) The maintenance measures ensure timely detection of vulnerabilities that apply to the device by periodic execution of a vulnerability assessment that includes activities such as: analysis, survey of information available in the public domain, and testing.\ c) The maintenance measures ensure timely assessment and classification of newly found vulnerabilities.\ d) The maintenance measures ensure timely creation of mitigation measures for newly found vulnerabilities that may impact device security. J2] | Operational management | Preventive | |
| Establish and maintain maintenance reports. CC ID 11749 [The device vendor has maintenance measures in place.\ a) The maintenance measures are documented.\ b) The maintenance measures ensure timely detection of vulnerabilities that apply to the device by periodic execution of a vulnerability assessment that includes activities such as: analysis, survey of information available in the public domain, and testing.\ c) The maintenance measures ensure timely assessment and classification of newly found vulnerabilities.\ d) The maintenance measures ensure timely creation of mitigation measures for newly found vulnerabilities that may impact device security. J2] | Operational management | Preventive | |
| Establish and maintain system inspection reports. CC ID 06346 | Operational management | Preventive | |
| Establish, implement, and maintain a system maintenance policy. CC ID 14032 | Operational management | Preventive | |
| Include compliance requirements in the system maintenance policy. CC ID 14217 | Operational management | Preventive | |
| Include management commitment in the system maintenance policy. CC ID 14216 | Operational management | Preventive | |
| Include roles and responsibilities in the system maintenance policy. CC ID 14215 | Operational management | Preventive | |
| Include the scope in the system maintenance policy. CC ID 14214 | Operational management | Preventive | |
| Include the purpose in the system maintenance policy. CC ID 14187 | Operational management | Preventive | |
| Include coordination amongst entities in the system maintenance policy. CC ID 14181 | Operational management | Preventive | |
| Establish, implement, and maintain system maintenance procedures. CC ID 14059 | Operational management | Preventive | |
| Establish, implement, and maintain a technology refresh plan. CC ID 13061 | Operational management | Preventive | |
| Establish and maintain an archive of maintenance reports in a maintenance log. CC ID 06202 | Operational management | Preventive | |
| Post calibration limits or calibration tolerances on or near assets requiring calibration. CC ID 06204 | Operational management | Preventive | |
| Establish, implement, and maintain a change control program. CC ID 00886 [Change-control procedures are in place so that any intended change to the physical or functional capabilities of the POI causes a re-certification of the device under the Physical Security Requirements or the Logical Security Requirements of this document. Immediate re-certification is not required for changes that purely rectify errors and faults in software in order to make it function as intended and do not otherwise remove, modify, or add functionality. Approval of delta submissions is contingent on evidence of the ongoing change control and vulnerability management process. L1] | Operational management | Preventive | |
| Include potential consequences of unintended changes in the change control program. CC ID 12243 | Operational management | Preventive | |
| Include version control in the change control program. CC ID 13119 | Operational management | Preventive | |
| Include service design and transition in the change control program. CC ID 13920 | Operational management | Preventive | |
| Establish, implement, and maintain a back-out plan. CC ID 13623 | Operational management | Preventive | |
| Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373 | Operational management | Preventive | |
| Approve back-out plans, as necessary. CC ID 13627 | Operational management | Corrective | |
| Include documentation of the impact level of proposed changes in the change request. CC ID 11942 | Operational management | Preventive | |
| Establish and maintain a change request approver list. CC ID 06795 | Operational management | Preventive | |
| Document all change requests in change request forms. CC ID 06794 | Operational management | Preventive | |
| Establish, implement, and maintain emergency change procedures. CC ID 00890 | Operational management | Preventive | |
| Log emergency changes after they have been performed. CC ID 12733 | Operational management | Preventive | |
| Provide audit trails for all approved changes. CC ID 13120 | Operational management | Preventive | |
| Document the sources of all software updates. CC ID 13316 | Operational management | Preventive | |
| Establish, implement, and maintain a patch management policy. CC ID 16432 | Operational management | Preventive | |
| Establish, implement, and maintain patch management procedures. CC ID 15224 | Operational management | Preventive | |
| Establish, implement, and maintain a patch log. CC ID 01642 | Operational management | Preventive | |
| Establish, implement, and maintain a software release policy. CC ID 00893 | Operational management | Preventive | |
| Establish, implement, and maintain approved change acceptance testing procedures. CC ID 06391 | Operational management | Detective | |
| Establish, implement, and maintain a change acceptance testing log. CC ID 06392 | Operational management | Corrective | |
| Update associated documentation after the system configuration has been changed. CC ID 00891 | Operational management | Preventive | |
| Document approved configuration deviations. CC ID 08711 | Operational management | Corrective | |
| Document the organization's local environments. CC ID 06726 [The PIN-encryption technique implemented in the device is a technique included in ISO 9564. B12 It is neither feasible to penetrate the ICC reader to make any additions, substitutions, or modifications to either the ICC reader’s hardware or software, in order to determine or modify any sensitive data, without requiring an attack potential of at least 20 for identification and initial exploitation, with a minimum of 10 for exploitation, nor is it possible for both an IC card and any other foreign object to reside within the card insertion slot. D1 If the device is capable of communicating over an IP network or uses a public domain protocol (such as but not limited to Wi-Fi or Bluetooth), then requirements specified in DTR Module 3: Open Protocols Requirements have been met. K14 The key-management techniques implemented in the device are consistent with B11. K17 Sensitive services are protected from unauthorized use consistent with B8. K23 The key-management techniques implemented in the device conform to ISO 11568 and/or ANSI X9.24. Key-management techniques must support the ANSI TR-31 key-derivation methodology or an equivalent methodology for maintaining the TDEA key bundle. B11] | Operational management | Preventive | |
| Establish, implement, and maintain local environment security profiles. CC ID 07037 | Operational management | Preventive | |
| Include individuals assigned to the local environment in the local environment security profile. CC ID 07038 | Operational management | Preventive | |
| Include security requirements in the local environment security profile. CC ID 15717 | Operational management | Preventive | |
| Include the business processes assigned to the local environment in the local environment security profile. CC ID 07039 | Operational management | Preventive | |
| Include the technology used in the local environment in the local environment security profile. CC ID 07040 | Operational management | Preventive | |
| Include contact information for critical personnel assigned to the local environment in the local environment security profile. CC ID 07041 | Operational management | Preventive | |
| Include facility information for the local environment in the local environment security profile. CC ID 07042 | Operational management | Preventive | |
| Include facility access information for the local environment in the local environment security profile. CC ID 11773 | Operational management | Preventive | |
| Update the local environment security profile, as necessary. CC ID 07043 | Operational management | Preventive | |
| Establish, implement, and maintain a Configuration Management program. CC ID 00867 [The device vendor maintains guidance describing configuration management for the device.\ a) The guidance is at the disposal of internal users, and/or of application developers, system integrators and end-users of the device.\ b) The guidance covers the complete device—including firmware, payment and non-payment applications, forms, multimedia files, certificates, configuration files, configuration setting, and keys.\ c) The guidance covers the complete life cycle of the device from development, over manufacturing, up to delivery and operation.\ d) The security guidance ensures that unauthorized modification is not possible.\ e) The security guidance ensures that any modification of a PTS- approved device that impacts device security, results in a change of the device identifier. J1] | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain appropriate system labeling. CC ID 01900 | System hardening through configuration management | Preventive | |
| Include the identification number of the third party who performed the conformity assessment procedures on all promotional materials. CC ID 15041 | System hardening through configuration management | Preventive | |
| Include the identification number of the third party who conducted the conformity assessment procedures after the CE marking of conformity. CC ID 15040 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain a configuration management policy. CC ID 14023 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain configuration management procedures. CC ID 14074 | System hardening through configuration management | Preventive | |
| Include compliance requirements in the configuration management policy. CC ID 14072 | System hardening through configuration management | Preventive | |
| Include coordination amongst entities in the configuration management policy. CC ID 14071 | System hardening through configuration management | Preventive | |
| Include management commitment in the configuration management policy. CC ID 14070 | System hardening through configuration management | Preventive | |
| Include roles and responsibilities in the configuration management policy. CC ID 14069 | System hardening through configuration management | Preventive | |
| Include the scope in the configuration management policy. CC ID 14068 | System hardening through configuration management | Preventive | |
| Include the purpose in the configuration management policy. CC ID 14067 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain a configuration management plan. CC ID 01901 | System hardening through configuration management | Preventive | |
| Include configuration management procedures in the configuration management plan. CC ID 14248 | System hardening through configuration management | Preventive | |
| Include roles and responsibilities in the configuration management plan. CC ID 14247 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain system tracking documentation. CC ID 15266 | System hardening through configuration management | Preventive | |
| Include prioritization codes in the system tracking documentation. CC ID 15283 | System hardening through configuration management | Preventive | |
| Include the type and category of the request in the system tracking documentation. CC ID 15281 | System hardening through configuration management | Preventive | |
| Include contact information in the system tracking documentation. CC ID 15280 | System hardening through configuration management | Preventive | |
| Include the username in the system tracking documentation. CC ID 15278 | System hardening through configuration management | Preventive | |
| Include a problem description in the system tracking documentation. CC ID 15276 | System hardening through configuration management | Preventive | |
| Include affected systems in the system tracking documentation. CC ID 15275 | System hardening through configuration management | Preventive | |
| Include root causes in the system tracking documentation. CC ID 15274 | System hardening through configuration management | Preventive | |
| Include the name of who is responsible for resolution in the system tracking documentation. CC ID 15273 | System hardening through configuration management | Preventive | |
| Include current status in the system tracking documentation. CC ID 15272 | System hardening through configuration management | Preventive | |
| Record Configuration Management items in the Configuration Management database. CC ID 00861 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain a Configuration Management Database with accessible reporting capabilities. CC ID 02132 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain a configuration baseline based on the least functionality principle. CC ID 00862 | System hardening through configuration management | Preventive | |
| Include the measures used to account for any differences in operation between the test environments and production environments in the baseline configuration. CC ID 13285 | System hardening through configuration management | Preventive | |
| Include the differences between test environments and production environments in the baseline configuration. CC ID 13284 | System hardening through configuration management | Preventive | |
| Include the applied security patches in the baseline configuration. CC ID 13271 | System hardening through configuration management | Preventive | |
| Include the installed application software and version numbers in the baseline configuration. CC ID 13270 | System hardening through configuration management | Preventive | |
| Include installed custom software in the baseline configuration. CC ID 13274 | System hardening through configuration management | Preventive | |
| Include network ports in the baseline configuration. CC ID 13273 | System hardening through configuration management | Preventive | |
| Include the operating systems and version numbers in the baseline configuration. CC ID 13269 | System hardening through configuration management | Preventive | |
| Include backup procedures in the Configuration Management policy. CC ID 01314 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain a system hardening standard. CC ID 00876 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain system hardening procedures. CC ID 12001 | System hardening through configuration management | Preventive | |
| Document that all enabled functions support secure configurations. CC ID 11985 | System hardening through configuration management | Preventive | |
| Validate, approve, and document all UNIX shells prior to use. CC ID 02161 | System hardening through configuration management | Preventive | |
| Configure the "global Package signature checking" setting to organizational standards. CC ID 08735 | System hardening through configuration management | Preventive | |
| Configure the "Package signature checking" setting for "all configured repositories" to organizational standards. CC ID 08736 | System hardening through configuration management | Preventive | |
| Configure the "verify against the package database" setting for "all installed software packages" to organizational standards. CC ID 08737 | System hardening through configuration management | Preventive | |
| Configure the "isdn4k-utils" package to organizational standards. CC ID 08738 | System hardening through configuration management | Preventive | |
| Configure the "postfix" package to organizational standards. CC ID 08739 | System hardening through configuration management | Preventive | |
| Configure the "vsftpd" package to organizational standards. CC ID 08740 | System hardening through configuration management | Preventive | |
| Configure the "net-snmpd" package to organizational standards. CC ID 08741 | System hardening through configuration management | Preventive | |
| Configure the "rsyslog" package to organizational standards. CC ID 08742 | System hardening through configuration management | Preventive | |
| Configure the "ipsec-tools" package to organizational standards. CC ID 08743 | System hardening through configuration management | Preventive | |
| Configure the "pam_ccreds" package to organizational standards. CC ID 08744 | System hardening through configuration management | Preventive | |
| Configure the "talk-server" package to organizational standards. CC ID 08745 | System hardening through configuration management | Preventive | |
| Configure the "talk" package to organizational standards. CC ID 08746 | System hardening through configuration management | Preventive | |
| Configure the "irda-utils" package to organizational standards. CC ID 08747 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain an authenticator standard. CC ID 01702 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain an authenticator management system. CC ID 12031 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain authenticator procedures. CC ID 12002 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain a Configuration Baseline Documentation Record. CC ID 02130 [The device has guidance that describes the default configuration for each protocol and services for each interface that is available on the device. Each interface and protocol on the device should default to secure settings. If the interface has the ability to be configurable to non-secure settings, vendor guidance should strongly recommend against configuring to non-secure settings. H2] | System hardening through configuration management | Preventive | |
| Document and approve any changes to the Configuration Baseline Documentation Record. CC ID 12104 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain a system design specification. CC ID 04557 | Systems design, build, and implementation | Preventive | |
| Include in the system documentation methodologies for authenticating the hardware security module. CC ID 12258 [{TOE} The device’s development-security documentation must provide means to the initial key-loading facility to assure the authenticity of the TOE’s security relevant components. M4] | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain an acceptable use policy for the hardware security module. CC ID 12247 [A user-available security policy from the vendor addresses the proper use of the POI in a secure fashion, including information on key-management responsibilities, administrative responsibilities, device functionality, identification, and environmental requirements. The security policy must define the roles supported by the POI and indicate the services available for each role in a deterministic tabular format. The POI is capable of performing only its designed functions—i.e., there is no hidden functionality. The only approved functions performed by the POI are those allowed by the policy. B20] | Systems design, build, and implementation | Preventive | |
| Include roles and responsibilities in the acceptable use policy for the hardware security module. CC ID 12264 [A user-available security policy from the vendor addresses the proper use of the POI in a secure fashion, including information on key-management responsibilities, administrative responsibilities, device functionality, identification, and environmental requirements. The security policy must define the roles supported by the POI and indicate the services available for each role in a deterministic tabular format. The POI is capable of performing only its designed functions—i.e., there is no hidden functionality. The only approved functions performed by the POI are those allowed by the policy. B20] | Systems design, build, and implementation | Preventive | |
| Include the environmental requirements in the acceptable use policy for the hardware security module. CC ID 12263 [A user-available security policy from the vendor addresses the proper use of the POI in a secure fashion, including information on key-management responsibilities, administrative responsibilities, device functionality, identification, and environmental requirements. The security policy must define the roles supported by the POI and indicate the services available for each role in a deterministic tabular format. The POI is capable of performing only its designed functions—i.e., there is no hidden functionality. The only approved functions performed by the POI are those allowed by the policy. B20] | Systems design, build, and implementation | Preventive | |
| Include device identification in the acceptable use policy for the hardware security module. CC ID 12262 [A user-available security policy from the vendor addresses the proper use of the POI in a secure fashion, including information on key-management responsibilities, administrative responsibilities, device functionality, identification, and environmental requirements. The security policy must define the roles supported by the POI and indicate the services available for each role in a deterministic tabular format. The POI is capable of performing only its designed functions—i.e., there is no hidden functionality. The only approved functions performed by the POI are those allowed by the policy. B20] | Systems design, build, and implementation | Preventive | |
| Include device functionality in the acceptable use policy for the hardware security module. CC ID 12261 [A user-available security policy from the vendor addresses the proper use of the POI in a secure fashion, including information on key-management responsibilities, administrative responsibilities, device functionality, identification, and environmental requirements. The security policy must define the roles supported by the POI and indicate the services available for each role in a deterministic tabular format. The POI is capable of performing only its designed functions—i.e., there is no hidden functionality. The only approved functions performed by the POI are those allowed by the policy. B20] | Systems design, build, and implementation | Preventive | |
| Include administrative responsibilities in the acceptable use policy for the hardware security module. CC ID 12260 [A user-available security policy from the vendor addresses the proper use of the POI in a secure fashion, including information on key-management responsibilities, administrative responsibilities, device functionality, identification, and environmental requirements. The security policy must define the roles supported by the POI and indicate the services available for each role in a deterministic tabular format. The POI is capable of performing only its designed functions—i.e., there is no hidden functionality. The only approved functions performed by the POI are those allowed by the policy. B20] | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain session security coding standards. CC ID 04584 | Systems design, build, and implementation | Preventive | |
| Establish and maintain a cryptographic architecture document. CC ID 12476 | Systems design, build, and implementation | Preventive | |
| Include the algorithms used in the cryptographic architecture document. CC ID 12483 | Systems design, build, and implementation | Preventive | |
| Include an inventory of all protected areas in the cryptographic architecture document. CC ID 12486 | Systems design, build, and implementation | Preventive | |
| Include a description of the key usage for each key in the cryptographic architecture document. CC ID 12484 | Systems design, build, and implementation | Preventive | |
| Include descriptions of all cryptographic keys in the cryptographic architecture document. CC ID 12487 | Systems design, build, and implementation | Preventive | |
| Include descriptions of the cryptographic key strength of all cryptographic keys in the cryptographic architecture document. CC ID 12488 | Systems design, build, and implementation | Preventive | |
| Include each cryptographic key's expiration date in the cryptographic architecture document. CC ID 12489 | Systems design, build, and implementation | Preventive | |
| Include the protocols used in the cryptographic architecture document. CC ID 12485 | Systems design, build, and implementation | Preventive | |
| Establish and maintain system security documentation. CC ID 06271 [Security measures are taken during the development and maintenance of POI security-related components. The manufacturer must maintain development-security documentation describing all the physical, procedural, personnel, and other security measures that are necessary to protect the integrity of the design and implementation of the POI security-related components in their development environment. The development-security documentation shall provide evidence that these security measures are followed during the development and maintenance of the POI security-related components. The evidence shall justify that the security measures provide the necessary level of protection to maintain the integrity of the POI security-related components. L7 {document and maintain} The vendor documents, maintains and makes available to integrators details on how to implement the protection system against unauthorized removal. E4.2 The device has security guidance that describes how protocols and services must be used for each interface that is accessible by the device applications. H1] | Systems design, build, and implementation | Preventive | |
| Document the procedures and environment used to create the system or software. CC ID 06609 | Systems design, build, and implementation | Preventive | |
| Establish and maintain a coding manual for secure coding techniques. CC ID 11863 [The vendor must provide clear security guidance consistent with B2 and B6 to all application developers to ensure:\ - That it is not possible for applications to be influenced by logical anomalies which could result in clear-text data being outputted whilst the terminal is in encrypting mode.\ - That account data is not retained any longer, or used more often, than strictly necessary. K11.2] | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain user documentation. CC ID 12250 | Systems design, build, and implementation | Preventive | |
| Include loss or theft instructions in the user documentation, as necessary. CC ID 12270 [The vendor must maintain a manual that provides instructions for the operational management of the POI. This includes instructions for recording the entire life cycle of the POI security-related components and of the manner in which those components are integrated into a single POI, e.g.:\ - Data on production and personalization \ - Physical/chronological whereabouts \ - Repair and maintenance \ - Removal from operation \ - Loss or theft M8] | Systems design, build, and implementation | Preventive | |
| Include disposition instructions in the user documentation, as necessary. CC ID 12269 [The vendor must maintain a manual that provides instructions for the operational management of the POI. This includes instructions for recording the entire life cycle of the POI security-related components and of the manner in which those components are integrated into a single POI, e.g.:\ - Data on production and personalization \ - Physical/chronological whereabouts \ - Repair and maintenance \ - Removal from operation \ - Loss or theft M8] | Systems design, build, and implementation | Preventive | |
| Include maintenance instructions in the user documentation, as necessary. CC ID 12268 [The vendor must maintain a manual that provides instructions for the operational management of the POI. This includes instructions for recording the entire life cycle of the POI security-related components and of the manner in which those components are integrated into a single POI, e.g.:\ - Data on production and personalization \ - Physical/chronological whereabouts \ - Repair and maintenance \ - Removal from operation \ - Loss or theft M8] | Systems design, build, and implementation | Preventive | |
| Include instructions on recording the location of the system in the user documentation, as necessary. CC ID 12267 [The vendor must maintain a manual that provides instructions for the operational management of the POI. This includes instructions for recording the entire life cycle of the POI security-related components and of the manner in which those components are integrated into a single POI, e.g.:\ - Data on production and personalization \ - Physical/chronological whereabouts \ - Repair and maintenance \ - Removal from operation \ - Loss or theft M8] | Systems design, build, and implementation | Preventive | |
| Include personalization instructions within the user documentation, as necessary. CC ID 12266 [The vendor must maintain a manual that provides instructions for the operational management of the POI. This includes instructions for recording the entire life cycle of the POI security-related components and of the manner in which those components are integrated into a single POI, e.g.:\ - Data on production and personalization \ - Physical/chronological whereabouts \ - Repair and maintenance \ - Removal from operation \ - Loss or theft M8] | Systems design, build, and implementation | Preventive | |
| Include life cycle management instructions for all components within the user documentation. CC ID 12265 [The vendor must maintain a manual that provides instructions for the operational management of the POI. This includes instructions for recording the entire life cycle of the POI security-related components and of the manner in which those components are integrated into a single POI, e.g.:\ - Data on production and personalization \ - Physical/chronological whereabouts \ - Repair and maintenance \ - Removal from operation \ - Loss or theft M8] | Systems design, build, and implementation | Preventive | |
| Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data collection program. CC ID 06487 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data use policy. CC ID 00076 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a data handling program. CC ID 13427 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data handling policies. CC ID 00353 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 | Privacy protection for information and data | Preventive | |
| Request attestation of compliance from third parties. CC ID 12067 | Third Party and supply chain oversight | Detective | |
| Define the traceability documentation required for chain of custody certification. CC ID 08895 [The POI should be protected from unauthorized modification with tamper-evident security features, and customers shall be provided with documentation (both shipped with the product and available securely online) that provides instruction on validating the authenticity and integrity of the POI.\ Where this is not possible, the POI is shipped from the manufacturer’s facility to the initial key-loading facility or to the facility of initial deployment and stored en route under auditable controls that can account for the location of every POI at every point in time.\ Where multiple parties are involved in organizing the shipping, it is the responsibility of each party to ensure that the shipping and storage they are managing is compliant with this requirement. M1] | Third Party and supply chain oversight | Preventive | |
| Establish, implement, and maintain product shipment procedures. CC ID 08934 [Procedures are in place to transfer accountability for the device from the manufacturer to the facility of initial deployment. Where the device is shipped via intermediaries such as resellers, accountability will be with the intermediary from the time at which they receive the device until the time it is received by the next intermediary or the point of initial deployment. M2] | Third Party and supply chain oversight | Preventive | |
| Document accurate outgoing shipment information. CC ID 08939 | Third Party and supply chain oversight | Preventive | |
| Establish, implement, and maintain export records of outgoing shipments. CC ID 08954 | Third Party and supply chain oversight | Preventive | |
Human Resources Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Require key custodians to sign the key custodian's roles and responsibilities. CC ID 11820 | Technical security | Preventive | |
| Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 | Operational management | Preventive | |
| Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 | Operational management | Preventive | |
| Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 | Operational management | Preventive | |
IT Impact Zone | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
| Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
| Technical security CC ID 00508 | Technical security | IT Impact Zone | |
| Physical and environmental protection CC ID 00709 | Physical and environmental protection | IT Impact Zone | |
| Operational and Systems Continuity CC ID 00731 | Operational and Systems Continuity | IT Impact Zone | |
| Operational management CC ID 00805 | Operational management | IT Impact Zone | |
| System hardening through configuration management CC ID 00860 | System hardening through configuration management | IT Impact Zone | |
| Systems design, build, and implementation CC ID 00989 | Systems design, build, and implementation | IT Impact Zone | |
| Acquisition or sale of facilities, technology, and services CC ID 01123 | Acquisition or sale of facilities, technology, and services | IT Impact Zone | |
| Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
| Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone | |
Investigate | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Rank discovered vulnerabilities. CC ID 11940 | Monitoring and measurement | Detective | |
| Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 | Audits and risk management | Detective | |
| Perform social network analysis, as necessary. CC ID 14864 | Operational management | Detective | |
| Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 | Operational management | Detective | |
| Collect data about the network environment when certifying the network. CC ID 13125 | Operational management | Detective | |
Log Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Maintain records of all system components entering and exiting the facility. CC ID 14304 | Physical and environmental protection | Preventive | |
| Log the performance of all remote maintenance. CC ID 13202 | Operational management | Preventive | |
Maintenance | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Use system components only when third party support is available. CC ID 10644 | Operational management | Preventive | |
| Obtain justification for the continued use of system components when third party support is no longer available. CC ID 10645 | Operational management | Preventive | |
| Conduct offsite maintenance in authorized facilities. CC ID 16473 | Operational management | Preventive | |
| Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 | Operational management | Preventive | |
| Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 | Operational management | Preventive | |
| Restart systems on a periodic basis. CC ID 16498 | Operational management | Preventive | |
| Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 | Operational management | Preventive | |
| Separate the production environment from development environment or test environment for the change control process. CC ID 11864 | Operational management | Preventive | |
Monitor and Evaluate Occurrences | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Enforce information flow control. CC ID 11781 | Technical security | Preventive | |
| Establish, implement, and maintain an anti-tamper protection program. CC ID 10638 | Physical and environmental protection | Detective | |
| Monitor the location of distributed assets. CC ID 11684 | Physical and environmental protection | Detective | |
| Monitor and review environmental protections. CC ID 12571 | Physical and environmental protection | Detective | |
| Install and maintain an environment control monitoring system. CC ID 06370 | Physical and environmental protection | Detective | |
| Monitor and review the effectiveness of the information security program. CC ID 12744 | Operational management | Preventive | |
| Include anti-tamper technologies and anti-tamper techniques in the system design specification. CC ID 10639 [The PIN pad (PIN entry area) and the surrounding area must be designed and engineered in such a way that the complete device does not facilitate the fraudulent placement of an overlay over the PIN pad.\ An overlay attack must require an attack potential of at least 18 for identification and initial exploitation, with a minimum of 9 for exploitation. E2.2] | Systems design, build, and implementation | Detective | |
Physical and Environmental Protection | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Protect assets from tampering or unapproved substitution. CC ID 11902 [The unauthorized alteration of prompts for non-PIN data entry into the PIN entry key pad such that PINs are compromised, i.e., by prompting for the PIN entry when the output is not encrypted, cannot occur without requiring an attack potential of at least 18 per device for identification and initial exploitation with a minimum of 9 for exploitation. A7 It is not feasible to penetrate the device to make any additions, substitutions, or modifications to the magnetic-stripe reader and associated hardware or software, in order to determine or modify magnetic-stripe track data, without requiring an attack potential of at least 16 per device, for identification and initial exploitation, with a minimum of 8 for exploitation. A9 Secure components intended for unattended devices contain an anti-removal mechanism to protect against unauthorized removal and/or unauthorized re-installation. Defeating or circumventing this mechanism must require an attack potential of at least 18 per device for identification and initial exploitation, with a minimum of 9 for exploitation. A10 The POI should be protected from unauthorized modification with tamper-evident security features, and customers shall be provided with documentation (both shipped with the product and available securely online) that provides instruction on validating the authenticity and integrity of the POI.\ Where this is not possible, the POI is shipped from the manufacturer’s facility to the initial key-loading facility or to the facility of initial deployment and stored en route under auditable controls that can account for the location of every POI at every point in time.\ Where multiple parties are involved in organizing the shipping, it is the responsibility of each party to ensure that the shipping and storage they are managing is compliant with this requirement. M1 The device is assembled in a manner that the components used in the manufacturing process are those components that were certified by the Core PIN Entry and/or POS Terminal Integration Security Requirements evaluation, and that unauthorized substitutions have not been made. L3 Subsequent to production but prior to shipment from the manufacturer’s or reseller’s facility, the device and any of its components are stored in a protected, access-controlled area or sealed within tamper-evident packaging to prevent undetected unauthorized access to the device or its components. L5 The PIN entry POI terminal is equipped with mechanisms to prevent attacks aiming at retaining and stealing the payment card (e.g., Lebanese Loop attack). E3.2 {tamper response} The device uses tamper-detection and response mechanisms that cause it to become immediately inoperable and result in the automatic and immediate erasure of any sensitive data that may be stored in the device, such that it becomes infeasible to recover the sensitive data. These mechanisms protect against physical penetration of the device by means of (but not limited to) drills, lasers, chemical solvents, opening covers, splitting the casing (seams), and using ventilation openings; and there is not any demonstrable way to disable or defeat the mechanism and insert a PIN-disclosing bug or gain access to secret information without requiring an attack potential of at least 26 per device for identification and initial exploitation, with a minimum of 13 for exploitation, exclusive of the IC card reader. A1 {tamper response} The device uses tamper-detection and response mechanisms that cause it to become immediately inoperable and result in the automatic and immediate erasure of any sensitive data that may be stored in the device, such that it becomes infeasible to recover the sensitive data. These mechanisms protect against physical penetration of the device by means of (but not limited to) drills, lasers, chemical solvents, opening covers, splitting the casing (seams), and using ventilation openings; and there is not any demonstrable way to disable or defeat the mechanism and insert a PIN-disclosing bug or gain access to secret information without requiring an attack potential of at least 26 per device for identification and initial exploitation, with a minimum of 13 for exploitation, exclusive of the IC card reader. A1 Failure of a single security mechanism does not compromise device security. Protection against a threat is based on a combination of at least two independent security mechanisms. A2] | Physical and environmental protection | Preventive | |
| Protect facilities from eavesdropping. CC ID 02222 [{prevent} {facility} There is no feasible way to determine any entered and internally transmitted PIN digit by monitoring sound, electro-magnetic emissions, power consumption or any other external characteristic available for monitoring—even with the cooperation of the device operator or sales clerk—without requiring an attack potential of at least 26 for identification and initial exploitation with a minimum of 13 for exploitation. A5] | Physical and environmental protection | Preventive | |
| Inspect telephones for eavesdropping devices. CC ID 02223 | Physical and environmental protection | Detective | |
| Hold conferences requiring sensitive information discussions in spaces that have commensurate security. CC ID 11440 | Physical and environmental protection | Preventive | |
| Provide one-time meeting support for discussions involving Top Secret information. CC ID 11441 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 | Physical and environmental protection | Preventive | |
| Protect distributed assets against theft. CC ID 06799 [The device is protected against unauthorized removal. Defeating or circumventing this mechanism must require an attack potential of at least 18 per device for identification and initial exploitation, with a minimum of 9 for exploitation. E4.1] | Physical and environmental protection | Preventive | |
| Control the delivery of assets through physical entry points and physical exit points. CC ID 01441 | Physical and environmental protection | Preventive | |
| Control the removal of assets through physical entry points and physical exit points. CC ID 11681 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain on-site physical controls for all distributed assets. CC ID 04820 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain off-site physical controls for all distributed assets. CC ID 04539 | Physical and environmental protection | Preventive | |
| Attach asset location technologies to distributed assets. CC ID 10626 | Physical and environmental protection | Detective | |
| Employ asset location technologies in accordance with applicable laws and regulations. CC ID 10627 | Physical and environmental protection | Preventive | |
| Unpair missing Bluetooth devices. CC ID 12428 | Physical and environmental protection | Corrective | |
| Establish, implement, and maintain an environmental control program. CC ID 00724 [{environmental conditions} Environmental or operational conditions cannot be altered to compromise the security of the device, or cause the device to output clear-text account data.\ (An example includes subjecting the device to temperatures or operating voltages outside the stated operating ranges.) K19] | Physical and environmental protection | Preventive | |
| Protect power equipment and power cabling from damage or destruction. CC ID 01438 | Physical and environmental protection | Preventive | |
| Place the Uninterruptible Power Supply in the generator room, as necessary. CC ID 11676 | Physical and environmental protection | Preventive | |
| Design the Information Technology facility with consideration given to natural disasters and man-made disasters. CC ID 00712 | Physical and environmental protection | Preventive | |
| Design the Information Technology facility with a low profile. CC ID 16140 | Physical and environmental protection | Preventive | |
| Prohibit signage indicating computer room location and uses. CC ID 06343 | Physical and environmental protection | Preventive | |
| Require critical facilities to have adequate room for facility maintenance. CC ID 06361 | Physical and environmental protection | Preventive | |
| Require critical facilities to have adequate room for evacuation. CC ID 11686 | Physical and environmental protection | Preventive | |
| Build critical facilities according to applicable building codes. CC ID 06366 | Physical and environmental protection | Preventive | |
| Build critical facilities with fire resistant materials. CC ID 06365 | Physical and environmental protection | Preventive | |
| Build critical facilities with materials that limit electromagnetic interference. CC ID 16131 | Physical and environmental protection | Preventive | |
| Build critical facilities with water-resistant materials. CC ID 11679 | Physical and environmental protection | Preventive | |
| Monitor operational conditions at unmanned facilities. CC ID 06327 | Physical and environmental protection | Preventive | |
| Inspect and maintain the facility and supporting assets. CC ID 06345 | Physical and environmental protection | Preventive | |
| Apply noise-prevention devices to organizational assets, as necessary. CC ID 16141 | Physical and environmental protection | Preventive | |
| House system components in areas where the physical damage potential is minimized. CC ID 01623 | Physical and environmental protection | Preventive | |
| Install and maintain smoke detectors. CC ID 15264 | Physical and environmental protection | Preventive | |
| Conduct periodic fire marshal inspections for all organizational facilities. CC ID 04888 | Physical and environmental protection | Preventive | |
| Install and maintain fire-retarding divisions such as fire doors in accordance with applicable building codes. CC ID 06362 | Physical and environmental protection | Preventive | |
| Install and maintain seismic detectors in critical facilities. CC ID 06364 | Physical and environmental protection | Detective | |
| Protect physical assets against static electricity, as necessary. CC ID 06363 | Physical and environmental protection | Preventive | |
| Install and maintain emergency lighting for use in a power failure. CC ID 01440 | Physical and environmental protection | Preventive | |
| Install and maintain lightning protection mechanisms in critical facilities. CC ID 06367 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain pest control systems in organizational facilities. CC ID 16139 | Physical and environmental protection | Preventive | |
| Protect air intakes into the organizational facility. CC ID 02211 | Physical and environmental protection | Preventive | |
| Install and maintain water detection devices. CC ID 11678 | Physical and environmental protection | Preventive | |
| Plan and conduct maintenance so that it does not interfere with scheduled operations. CC ID 06389 | Operational management | Preventive | |
| Control and monitor all maintenance tools. CC ID 01432 | Operational management | Detective | |
| Identify and authenticate appropriate parties prior to granting access to maintain assets. CC ID 11874 | Operational management | Preventive | |
| Store manufacturing components in a controlled access area. CC ID 12256 [Subsequent to production but prior to shipment from the manufacturer’s or reseller’s facility, the device and any of its components are stored in a protected, access-controlled area or sealed within tamper-evident packaging to prevent undetected unauthorized access to the device or its components. L5] | Systems design, build, and implementation | Preventive | |
| Ship equipment to customers in tamper-evident packaging, as necessary. CC ID 12271 [{physical alteration} While in transit from the manufacturer’s facility to the initial key-loading facility, the device is:\ - Shipped and stored in tamper-evident packaging; and/or\ - Shipped and stored containing a secret that is immediately and automatically erased if any physical or functional alteration to the device is attempted, that can be verified by the initial key-loading facility, but that cannot feasibly be determined by unauthorized personnel. M3] | Acquisition or sale of facilities, technology, and services | Preventive | |
Process or Activity | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Disallow self-enrollment of biometric information. CC ID 11834 | Technical security | Preventive | |
| Define the asymmetric signature field for the CHUID container on identification cards or badges. CC ID 06584 | Technical security | Preventive | |
| Implement cryptographic operations and support functions on identification cards or badges. CC ID 06585 | Technical security | Preventive | |
| Define the format of the biometric data on identification cards or badges. CC ID 06586 | Technical security | Preventive | |
| Prohibit assets from being taken off-site absent prior authorization. CC ID 12027 | Physical and environmental protection | Preventive | |
| Remote wipe any distributed asset reported lost or stolen. CC ID 12197 | Physical and environmental protection | Corrective | |
| Conduct fire drills, as necessary. CC ID 13985 | Physical and environmental protection | Preventive | |
| Employ environmental protections. CC ID 12570 | Physical and environmental protection | Preventive | |
| Review and approve access controls, as necessary. CC ID 13074 | Operational management | Detective | |
| Provide management direction and support for the information security program. CC ID 11999 | Operational management | Preventive | |
| Approve the information security policy at the organization's management level or higher. CC ID 11737 | Operational management | Preventive | |
| Define thresholds for approving information security activities in the information security program. CC ID 15702 | Operational management | Preventive | |
| Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Operational management | Preventive | |
| Provide support for information sharing activities. CC ID 15644 | Operational management | Preventive | |
| Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 | Operational management | Preventive | |
| Perform emergency changes, as necessary. CC ID 12707 | Operational management | Preventive | |
| Back up emergency changes after the change has been performed. CC ID 12734 | Operational management | Preventive | |
| Conduct network certifications prior to approving change requests for networks. CC ID 13121 | Operational management | Detective | |
| Establish, implement, and maintain a patch management program. CC ID 00896 | Operational management | Preventive | |
| Protect applications from cross-site scripting through secure coding techniques in source code. CC ID 11899 | Systems design, build, and implementation | Preventive | |
| Protect against coding vulnerabilities through secure coding techniques in source code. CC ID 11897 [The vendor must provide clear security guidance consistent with B2 and B6 to all application developers to ensure:\ - That it is not possible for applications to be influenced by logical anomalies which could result in clear-text data being outputted whilst the terminal is in encrypting mode.\ - That account data is not retained any longer, or used more often, than strictly necessary. K11.2] | Systems design, build, and implementation | Preventive | |
| Protect applications from broken authentication and session management through secure coding techniques in source code. CC ID 11896 | Systems design, build, and implementation | Preventive | |
| Protect applications from cross-site request forgery through secure coding techniques in source code. CC ID 11895 | Systems design, build, and implementation | Preventive | |
| Assess third parties' compliance environment during due diligence. CC ID 13134 | Third Party and supply chain oversight | Detective | |
Records Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Maintain vulnerability scan reports as organizational records. CC ID 12092 | Monitoring and measurement | Preventive | |
| Archive Public Key certificate records according to organizational Records Management rules. CC ID 07090 | Technical security | Preventive | |
| Include information sharing procedures in standard operating procedures. CC ID 12974 | Operational management | Preventive | |
Systems Continuity | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373 | Operational and Systems Continuity | Corrective | |
| Execute fail-safe procedures when an emergency occurs. CC ID 07108 [{integrity test}{authenticity test} The device performs a self-test, which includes integrity and authenticity tests upon start-up and at least once per day to check whether the device is in a compromised state. In the event of a failure, the device and its functionality fail in a secure manner. The device must reinitialize memory at least every 24 hours. B1] | Operational and Systems Continuity | Preventive | |
Systems Design, Build, and Implementation | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Install and maintain power distribution boards. CC ID 16486 | Physical and environmental protection | Preventive | |
| Apply security controls to each level of the information classification standard. CC ID 01903 | Operational management | Preventive | |
| Validate the system before implementing approved changes. CC ID 01510 | Operational management | Preventive | |
| Establish, implement, and maintain traceability documentation. CC ID 16388 | Operational management | Preventive | |
| Establish, implement, and maintain a System Development Life Cycle program. CC ID 11823 | Systems design, build, and implementation | Preventive | |
| Include information security throughout the system development life cycle. CC ID 12042 [Security measures are taken during the development and maintenance of POI security-related components. The manufacturer must maintain development-security documentation describing all the physical, procedural, personnel, and other security measures that are necessary to protect the integrity of the design and implementation of the POI security-related components in their development environment. The development-security documentation shall provide evidence that these security measures are followed during the development and maintenance of the POI security-related components. The evidence shall justify that the security measures provide the necessary level of protection to maintain the integrity of the POI security-related components. L7] | Systems design, build, and implementation | Preventive | |
| Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 | Systems design, build, and implementation | Preventive | |
| Develop systems in accordance with the system design specifications and system design standards. CC ID 01094 | Systems design, build, and implementation | Preventive | |
| Protect stored manufacturing components prior to assembly. CC ID 12248 [The certified firmware is protected and stored in such a manner as to preclude unauthorized modification during its entire manufacturing life cycle—e.g., by using dual control or standardized cryptographic authentication procedures. L2] | Systems design, build, and implementation | Preventive | |
| Develop new products based on best practices. CC ID 01095 | Systems design, build, and implementation | Preventive | |
| Include security requirements in the system design specification. CC ID 06826 | Systems design, build, and implementation | Preventive | |
| Implement security controls when developing systems. CC ID 06270 [Security measures are taken during the development and maintenance of POI security-related components. The manufacturer must maintain development-security documentation describing all the physical, procedural, personnel, and other security measures that are necessary to protect the integrity of the design and implementation of the POI security-related components in their development environment. The development-security documentation shall provide evidence that these security measures are followed during the development and maintenance of the POI security-related components. The evidence shall justify that the security measures provide the necessary level of protection to maintain the integrity of the POI security-related components. L7] | Systems design, build, and implementation | Preventive | |
| Analyze and minimize attack surfaces when developing systems. CC ID 06828 | Systems design, build, and implementation | Preventive | |
| Implement a hardware security module, as necessary. CC ID 12222 | Systems design, build, and implementation | Preventive | |
| Require dual authentication when switching out of PCI mode in the hardware security module. CC ID 12274 | Systems design, build, and implementation | Preventive | |
| Include an indicator to designate when the hardware security module is in PCI mode. CC ID 12273 | Systems design, build, and implementation | Preventive | |
| Design the random number generator to generate random numbers that are unpredictable. CC ID 12255 [If random numbers are generated by the device in connection with security over sensitive data, the random number generator has been assessed to ensure it is generating numbers sufficiently unpredictable. B9] | Systems design, build, and implementation | Preventive | |
| Design the hardware security module to enforce the separation between applications. CC ID 12254 [If the device supports multiple applications, it must enforce the separation between applications. It must not be possible that one application interferes with or tampers with another application or the OS of the device including, but not limited to, modifying data objects belonging to another application or the OS. B17 If the device supports multiple applications, it must enforce the separation between applications consistent with B17. K20] | Systems design, build, and implementation | Preventive | |
| Protect sensitive data when transiting sensitive services in the hardware security module. CC ID 12253 [Access to sensitive services requires authentication. Sensitive services provide access to the underlying sensitive functions. Sensitive functions are those functions that process sensitive data such as cryptographic keys, PINs, and passwords. Entering or exiting sensitive services shall not reveal or otherwise affect sensitive data. B7] | Systems design, build, and implementation | Preventive | |
| Design the hardware security module to automatically clear its internal buffers of sensitive information prior to reuse of the buffer. CC ID 12233 [Sensitive data shall not be retained any longer, or used more often, than strictly necessary. Online PINs are encrypted within the device immediately after PIN entry is complete and has been signified as such by the cardholder, e.g., via pressing the enter button.\ The device must automatically clear its internal buffers when either:\ - The transaction is completed, or\ - The device has timed out waiting for the response from the cardholder or merchant. B6] | Systems design, build, and implementation | Preventive | |
| Design the hardware security module to automatically clear its internal buffers of sensitive information after it recovers from an error condition. CC ID 12252 | Systems design, build, and implementation | Preventive | |
| Design the hardware security module to automatically clear its internal buffers of sensitive information when it has timed out. CC ID 12251 [Sensitive data shall not be retained any longer, or used more often, than strictly necessary. Online PINs are encrypted within the device immediately after PIN entry is complete and has been signified as such by the cardholder, e.g., via pressing the enter button.\ The device must automatically clear its internal buffers when either:\ - The transaction is completed, or\ - The device has timed out waiting for the response from the cardholder or merchant. B6] | Systems design, build, and implementation | Preventive | |
| Design the hardware security module to erase sensitive data when compromised. CC ID 12275 [{physical alteration} While in transit from the manufacturer’s facility to the initial key-loading facility, the device is:\ - Shipped and stored in tamper-evident packaging; and/or\ - Shipped and stored containing a secret that is immediately and automatically erased if any physical or functional alteration to the device is attempted, that can be verified by the initial key-loading facility, but that cannot feasibly be determined by unauthorized personnel. M3] | Systems design, build, and implementation | Preventive | |
| Restrict key-usage information for cryptographic keys in the hardware security module. CC ID 12232 | Systems design, build, and implementation | Preventive | |
| Prevent cryptographic keys in the hardware security module from making unauthorized changes to data. CC ID 12231 [It is not possible to encrypt or decrypt any arbitrary data using any PIN-encrypting key or key-encrypting key contained in the device. The device must enforce that data keys, key-encipherment keys, and PIN-encryption keys have different values. B13] | Systems design, build, and implementation | Preventive | |
| Protect sensitive information within the hardware security module from unauthorized changes. CC ID 12225 [{sensitive function}{sensitive data} Sensitive functions or data are only used in the protected area(s) of the device. Sensitive data and functions dealing with sensitive data are protected from modification without requiring an attack potential of at least 26 for identification and initial exploitation, with a minimum of 13 for exploitation, exclusive of the IC card reader, for identification and initial exploitation. A4 {sensitive function}{sensitive data} Sensitive functions or data are only used in the protected area(s) of the device. Sensitive data and functions dealing with sensitive data are protected from modification without requiring an attack potential of at least 26 for identification and initial exploitation, with a minimum of 13 for exploitation, exclusive of the IC card reader, for identification and initial exploitation. A4] | Systems design, build, and implementation | Preventive | |
| Prohibit sensitive functions from working outside of protected areas of the hardware security module. CC ID 12224 [{sensitive function}{sensitive data} Sensitive functions or data are only used in the protected area(s) of the device. Sensitive data and functions dealing with sensitive data are protected from modification without requiring an attack potential of at least 26 for identification and initial exploitation, with a minimum of 13 for exploitation, exclusive of the IC card reader, for identification and initial exploitation. A4 {sensitive function}{sensitive data} Sensitive functions or data are only used in the protected area(s) of the device. Sensitive data and functions dealing with sensitive data are protected from modification without requiring an attack potential of at least 26 for identification and initial exploitation, with a minimum of 13 for exploitation, exclusive of the IC card reader, for identification and initial exploitation. A4] | Systems design, build, and implementation | Preventive | |
| Install secret information into the hardware security module during manufacturing. CC ID 12249 | Systems design, build, and implementation | Preventive | |
| Install secret information into the hardware security module so that it can only be verified by the initial-key-loading facility. CC ID 12272 [{initial-key-loading facility} If the device will be authenticated at the key-loading facility or the facility of initial deployment by means of secret information placed in the device during manufacturing, then this secret information is unique to each device, unknown and unpredictable to any person, and installed in the device under dual control to ensure that it is not disclosed during installation. L6 {physical alteration} While in transit from the manufacturer’s facility to the initial key-loading facility, the device is:\ - Shipped and stored in tamper-evident packaging; and/or\ - Shipped and stored containing a secret that is immediately and automatically erased if any physical or functional alteration to the device is attempted, that can be verified by the initial key-loading facility, but that cannot feasibly be determined by unauthorized personnel. M3] | Systems design, build, and implementation | Preventive | |
| Install secret information under dual control into the hardware security module. CC ID 12257 [{initial-key-loading facility} If the device will be authenticated at the key-loading facility or the facility of initial deployment by means of secret information placed in the device during manufacturing, then this secret information is unique to each device, unknown and unpredictable to any person, and installed in the device under dual control to ensure that it is not disclosed during installation. L6] | Systems design, build, and implementation | Preventive | |
| Develop new products based on secure coding techniques. CC ID 11733 | Systems design, build, and implementation | Preventive | |
| Protect applications from attacks on business logic through secure coding techniques in source code. CC ID 15472 | Systems design, build, and implementation | Preventive | |
| Refrain from hard-coding security parameters in source code. CC ID 14917 | Systems design, build, and implementation | Preventive | |
| Protect applications from attacks on data and data structures through secure coding techniques in source code. CC ID 15482 | Systems design, build, and implementation | Preventive | |
| Refrain from displaying error messages to end users through secure coding techniques in source code. CC ID 12166 | Systems design, build, and implementation | Preventive | |
| Initiate the System Development Life Cycle implementation phase. CC ID 06268 | Systems design, build, and implementation | Preventive | |
| Implement systems to allow for maintenance, cleaning, adjustment, and use. CC ID 06213 [{inspection process} Controls exist over the repair process, including the resetting of tamper mechanisms, and the inspection/testing process subsequent to repair to ensure that the device has not been subject to unauthorized modification. L8] | Systems design, build, and implementation | Preventive | |
Technical Security | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Perform vulnerability scans, as necessary. CC ID 11637 [The device vendor has maintenance measures in place.\ a) The maintenance measures are documented.\ b) The maintenance measures ensure timely detection of vulnerabilities that apply to the device by periodic execution of a vulnerability assessment that includes activities such as: analysis, survey of information available in the public domain, and testing.\ c) The maintenance measures ensure timely assessment and classification of newly found vulnerabilities.\ d) The maintenance measures ensure timely creation of mitigation measures for newly found vulnerabilities that may impact device security. J2 The device vendor has maintenance measures in place.\ a) The maintenance measures are documented.\ b) The maintenance measures ensure timely detection of vulnerabilities that apply to the device by periodic execution of a vulnerability assessment that includes activities such as: analysis, survey of information available in the public domain, and testing.\ c) The maintenance measures ensure timely assessment and classification of newly found vulnerabilities.\ d) The maintenance measures ensure timely creation of mitigation measures for newly found vulnerabilities that may impact device security. J2] | Monitoring and measurement | Detective | |
| Identify and document security vulnerabilities. CC ID 11857 [The device vendor has internal policies and procedures that ensure that the vendor maintains an effective process for detecting vulnerabilities that may exist within their device. This process is expected to be robust enough to include all interfaces defined in requirement F1. This process must be effective enough to detect vulnerabilities which may have not been publicly known during the last vulnerability assessment. G1 The device has undergone a vulnerability assessment to ensure that the protocols and interfaces list in F1 do not contain exploitable vulnerabilities.\ a) The vulnerability assessment is supported by a documented analysis describing the security of the protocols and interfaces.\ b) The vulnerability assessment is supported by a vulnerability survey of information available in the public domain.\ c) The vulnerability assessment is supported by testing. G2] | Monitoring and measurement | Detective | |
| Use dedicated user accounts when conducting vulnerability scans. CC ID 12098 | Monitoring and measurement | Preventive | |
| Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638 | Monitoring and measurement | Detective | |
| Correlate vulnerability scan reports from the various systems. CC ID 10636 | Monitoring and measurement | Detective | |
| Perform vulnerability scans prior to installing payment applications. CC ID 12192 | Monitoring and measurement | Detective | |
| Implement scanning tools, as necessary. CC ID 14282 | Monitoring and measurement | Detective | |
| Repeat vulnerability scanning after an approved change occurs. CC ID 12468 | Monitoring and measurement | Detective | |
| Perform external vulnerability scans, as necessary. CC ID 11624 | Monitoring and measurement | Detective | |
| Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635 | Monitoring and measurement | Detective | |
| Perform vulnerability assessments, as necessary. CC ID 11828 [The device vendor has maintenance measures in place.\ a) The maintenance measures are documented.\ b) The maintenance measures ensure timely detection of vulnerabilities that apply to the device by periodic execution of a vulnerability assessment that includes activities such as: analysis, survey of information available in the public domain, and testing.\ c) The maintenance measures ensure timely assessment and classification of newly found vulnerabilities.\ d) The maintenance measures ensure timely creation of mitigation measures for newly found vulnerabilities that may impact device security. J2 The device has undergone a vulnerability assessment to ensure that the protocols and interfaces list in F1 do not contain exploitable vulnerabilities.\ a) The vulnerability assessment is supported by a documented analysis describing the security of the protocols and interfaces.\ b) The vulnerability assessment is supported by a vulnerability survey of information available in the public domain.\ c) The vulnerability assessment is supported by testing. G2] | Monitoring and measurement | Corrective | |
| Review applications for security vulnerabilities after the application is updated. CC ID 11938 | Monitoring and measurement | Detective | |
| Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 | Audits and risk management | Preventive | |
| Control access rights to organizational assets. CC ID 00004 | Technical security | Preventive | |
| Establish access rights based on least privilege. CC ID 01411 [The operating system of the device must contain only the software (components and services) necessary for the intended operation. The operating system must be configured securely and run with least privilege. B18 The following features of the device’s operating system must be in place:\ - The operating system of the device must contain only the software (components and services) necessary for the intended operation.\ - The operating system must be configured securely and run with least privilege.\ - The security policy enforced by the device must not allow unauthorized or unnecessary functions.\ - API functionality and commands that are not required to support specific functionality must be disabled (and where possible, removed). K21] | Technical security | Preventive | |
| Assign user permissions based on job responsibilities. CC ID 00538 | Technical security | Preventive | |
| Assign user privileges after they have management sign off. CC ID 00542 | Technical security | Preventive | |
| Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412 [The device has characteristics that prevent or significantly deter the use of the device for exhaustive PAN determination. K18] | Technical security | Preventive | |
| Disallow unlocking user accounts absent system administrator approval. CC ID 01413 | Technical security | Preventive | |
| Include digital identification procedures in the access control program. CC ID 11841 | Technical security | Preventive | |
| Require proper authentication for user identifiers. CC ID 11785 [The update mechanism ensures security, i.e., integrity, mutual authentication, and protection against replay, by using an appropriate and declared security protocol when using a network connection. For manual updates, administrator rights must be implemented using password/PINs and/or cryptographic authentication techniques. J4 Access to sensitive services requires authentication. Sensitive services provide access to the underlying sensitive functions. Sensitive functions are those functions that process sensitive data such as cryptographic keys, account data, and passwords. Entering or exiting sensitive services shall not reveal or otherwise affect sensitive data. K22 Access to sensitive services requires authentication. Sensitive services provide access to the underlying sensitive functions. Sensitive functions are those functions that process sensitive data such as cryptographic keys, PINs, and passwords. Entering or exiting sensitive services shall not reveal or otherwise affect sensitive data. B7] | Technical security | Preventive | |
| Refrain from allowing individuals to share authentication mechanisms. CC ID 11932 | Technical security | Preventive | |
| Refrain from assigning authentication mechanisms for shared accounts. CC ID 11910 | Technical security | Preventive | |
| Employ live scans to verify biometric authentication. CC ID 06847 | Technical security | Preventive | |
| Control all methods of remote access and teleworking. CC ID 00559 | Technical security | Preventive | |
| Manage the use of encryption controls and cryptographic controls. CC ID 00570 [Public keys must be stored and used in a manner that protects against unauthorized modification or substitution. Unauthorized modification or substitution requires an attack potential of at least 26 for identification and initial exploitation with a minimum of 13 for exploitation. K3.1 {mode of operation} All account data shall be encrypted using only ANSI X9 or ISO-approved encryption algorithms (e.g., AES, TDES) and should use ANSI X9 or ISO-approved modes of operation. K4] | Technical security | Preventive | |
| Employ cryptographic controls that comply with applicable requirements. CC ID 12491 | Technical security | Preventive | |
| Make key usage for data fields unique for each device. CC ID 04828 [{secret keys}{private keys} Secret and private keys that reside within the device to support account data encryption are unique per device. K7 Encryption or decryption of any arbitrary data using any account data-encrypting key or key-encrypting key contained in the device is not permitted.\ The device must enforce that account data keys, key-encipherment keys, and PIN-encryption keys have different values. K8 It is not possible to encrypt or decrypt any arbitrary data using any PIN-encrypting key or key-encrypting key contained in the device. The device must enforce that data keys, key-encipherment keys, and PIN-encryption keys have different values. B13] | Technical security | Preventive | |
| Accept only trusted keys and/or certificates. CC ID 11988 | Technical security | Preventive | |
| Bind keys to each identity. CC ID 12337 | Technical security | Preventive | |
| Generate unique cryptographic keys for each user. CC ID 12169 | Technical security | Preventive | |
| Implement decryption keys so that they are not linked to user accounts. CC ID 06851 | Technical security | Preventive | |
| Store key-encrypting keys and data-encrypting keys in different locations. CC ID 06085 | Technical security | Preventive | |
| Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys. CC ID 06852 | Technical security | Preventive | |
| Issue authentication mechanisms that support the Public Key Infrastructure. CC ID 07092 | Technical security | Preventive | |
| Establish a Root Certification Authority to support the Public Key Infrastructure. CC ID 07084 [{Certificate Authority} The device uses a declared security protocol to authenticate the server.\ a) Server authentication utilizes key sizes appropriate for the algorithm(s) in question.\ b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.\ c) The device is able to verify the validity of the public keys it receives.\ d) The device is able to verify the authenticity of the public keys it receives.\ e) The device’s trusted root certificate store shall contain only public key certificates from trusted CA's or else self-signed certificates verified by the acquirer. I4] | Technical security | Preventive | |
| Connect the Public Key Infrastructure to the organization's identity and access management system. CC ID 07091 | Technical security | Preventive | |
| Refrain from storing encryption keys with cloud service providers when cryptographic key management services are in place locally. CC ID 13153 | Technical security | Preventive | |
| Refrain from permitting cloud service providers to manage encryption keys when cryptographic key management services are in place locally. CC ID 13154 | Technical security | Preventive | |
| Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564 [The device is able to provide confidentiality of data sent over a network connection.\ a) Encryption mechanism utilizes key sizes appropriate for the algorithm(s) in question.\ b) Encryption is provided by using keys that are established in a secure manner using appropriate key-management procedures, such as those listed in NIST SP800-21, Guidelines for Implementing Cryptography in the Federal Government and ISO 11568 Banking – Key Management (Retail). I2] | Technical security | Preventive | |
| Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls. CC ID 12492 | Technical security | Preventive | |
| Encrypt traffic over networks with trusted cryptographic keys. CC ID 12490 | Technical security | Preventive | |
| Treat data messages that do not receive an acknowledgment as never been sent. CC ID 14416 | Technical security | Preventive | |
| Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks. CC ID 00568 | Technical security | Preventive | |
| Protect application services information transmitted over a public network from unauthorized modification. CC ID 12021 | Technical security | Preventive | |
| Protect application services information transmitted over a public network from unauthorized disclosure. CC ID 12020 | Technical security | Preventive | |
| Protect application services information transmitted over a public network from contract disputes. CC ID 12019 | Technical security | Preventive | |
| Protect application services information transmitted over a public network from fraudulent activity. CC ID 12018 | Technical security | Preventive | |
| Protect the system against replay attacks. CC ID 04552 [The device is able to detect replay of messages and enables the secure handling of the exceptions. I5] | Technical security | Preventive | |
| Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain on-site logical controls for all distributed assets. CC ID 11682 | Physical and environmental protection | Preventive | |
| Establish, implement, and maintain off-site logical controls for all distributed assets. CC ID 11683 | Physical and environmental protection | Preventive | |
| Remote lock any distributed assets reported lost or stolen. CC ID 14008 | Physical and environmental protection | Corrective | |
| Remotely control operational conditions at unmanned facilities. CC ID 11680 | Physical and environmental protection | Preventive | |
| Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Operational management | Preventive | |
| Control remote maintenance according to the system's asset classification. CC ID 01433 [The update mechanism ensures security, i.e., integrity, mutual authentication, and protection against replay, by using an appropriate and declared security protocol when using a network connection. For manual updates, administrator rights must be implemented using password/PINs and/or cryptographic authentication techniques. J4] | Operational management | Preventive | |
| Approve all remote maintenance sessions. CC ID 10615 | Operational management | Preventive | |
| Terminate remote maintenance sessions when the remote maintenance is complete. CC ID 12083 | Operational management | Preventive | |
| Employ dedicated systems during system maintenance. CC ID 12108 | Operational management | Preventive | |
| Isolate dedicated systems used for system maintenance from Internet access. CC ID 12114 | Operational management | Preventive | |
| Integrate configuration management procedures into the change control program. CC ID 13646 | Operational management | Preventive | |
| Implement patch management software, as necessary. CC ID 12094 | Operational management | Preventive | |
| Include updates and exceptions to hardened images as a part of the patch management program. CC ID 12087 | Operational management | Preventive | |
| Review the patch log for missing patches. CC ID 13186 | Operational management | Detective | |
| Patch software. CC ID 11825 | Operational management | Corrective | |
| Patch the operating system, as necessary. CC ID 11824 | Operational management | Corrective | |
| Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682 [If the device allows updates of firmware, the device cryptographically authenticates the firmware and if the authenticity is not confirmed, the firmware update is rejected and deleted. B4 The firmware must support the authentication of applications loaded onto the terminal consistent with B4. If the device allows software application and/or configuration updates, the device cryptographically authenticates updates consistent with B4. B4.1 If the manufacturer is in charge of initial key loading, the manufacturer must verify the authenticity of the POI security-related components. M5 If the manufacturer is not in charge of initial key loading, the manufacturer must provide the means to the initial key-loading facility to assure the verification of the authenticity of the POI security-related components. M6 The firmware, and any changes thereafter, have been inspected and reviewed consistent with B3. K10 The firmware must confirm the authenticity of all applications loaded onto the terminal consistent with B4. If the device allows software application and/or configuration updates, the device cryptographically authenticates all updates consistent with B4. K11.1 The firmware must confirm the authenticity of all applications loaded onto the terminal consistent with B4. If the device allows software application and/or configuration updates, the device cryptographically authenticates all updates consistent with B4. K11.1 If the device allows updates of firmware, the device cryptographically authenticates the firmware and if the authenticity is not confirmed, the firmware update is rejected and deleted. K12] | Operational management | Detective | |
| Configure security parameter settings on all system components appropriately. CC ID 12041 [The operating system of the device must contain only the software (components and services) necessary for the intended operation. The operating system must be configured securely and run with least privilege. B18 The following features of the device’s operating system must be in place:\ - The operating system of the device must contain only the software (components and services) necessary for the intended operation.\ - The operating system must be configured securely and run with least privilege.\ - The security policy enforced by the device must not allow unauthorized or unnecessary functions.\ - API functionality and commands that are not required to support specific functionality must be disabled (and where possible, removed). K21] | System hardening through configuration management | Preventive | |
| Refrain from using assertion lifetimes to limit each session. CC ID 13871 | System hardening through configuration management | Preventive | |
| Restrict and control the use of privileged utility programs. CC ID 12030 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain service accounts. CC ID 13861 | System hardening through configuration management | Preventive | |
| Review the ownership of service accounts, as necessary. CC ID 13863 | System hardening through configuration management | Detective | |
| Manage access credentials for service accounts. CC ID 13862 | System hardening through configuration management | Preventive | |
| Establish, implement, and maintain authenticators. CC ID 15305 | System hardening through configuration management | Preventive | |
| Store master images on securely configured servers. CC ID 12089 | System hardening through configuration management | Preventive | |
| Update the security configuration of hardened images, as necessary. CC ID 12088 | System hardening through configuration management | Corrective | |
| Include restricted data encryption and restricted information encryption in the security controls. CC ID 01083 | Systems design, build, and implementation | Preventive | |
| Require successful authentication before granting access to system functionality via network interfaces. CC ID 14926 | Systems design, build, and implementation | Preventive | |
| Protect applications from insufficient anti-automation through secure coding techniques in source code. CC ID 16854 | Systems design, build, and implementation | Preventive | |
| Protect applications from improper access control through secure coding techniques in source code. CC ID 11959 | Systems design, build, and implementation | Preventive | |
| Protect applications from improper error handling through secure coding techniques in source code. CC ID 11937 [The device’s functionality shall not be influenced by logical anomalies such as (but not limited to) unexpected command sequences, unknown commands, commands in a wrong device mode and supplying wrong parameters or data which could result in the device outputting the clear- text PIN or other sensitive data. B2 The device’s functionality shall not be influenced by logical anomalies consistent with B2. K13] | Systems design, build, and implementation | Preventive | |
| Protect applications from insecure communications through secure coding techniques in source code. CC ID 11936 | Systems design, build, and implementation | Preventive | |
| Protect applications from XML external entities through secure coding techniques in source code. CC ID 14806 | Systems design, build, and implementation | Preventive | |
| Protect applications from insecure deserialization through secure coding techniques in source code. CC ID 14805 | Systems design, build, and implementation | Preventive | |
| Refrain from hard-coding usernames in source code. CC ID 06561 | Systems design, build, and implementation | Preventive | |
| Refrain from hard-coding authenticators in source code. CC ID 11829 | Systems design, build, and implementation | Preventive | |
| Refrain from hard-coding cryptographic keys in source code. CC ID 12307 | Systems design, build, and implementation | Preventive | |
| Protect applications from injection flaws through secure coding techniques in source code. CC ID 11944 | Systems design, build, and implementation | Preventive | |
| Control user account management through secure coding techniques in source code. CC ID 11909 | Systems design, build, and implementation | Preventive | |
| Restrict direct access of databases to the database administrator through secure coding techniques in source code. CC ID 11933 | Systems design, build, and implementation | Preventive | |
| Protect applications from buffer overflows through secure coding techniques in source code. CC ID 11943 | Systems design, build, and implementation | Preventive | |
| Protect applications from insecure cryptographic storage through secure coding techniques in source code. CC ID 11935 | Systems design, build, and implementation | Preventive | |
| Protect databases from unauthorized database management actions through secure coding techniques in source code. CC ID 12049 | Systems design, build, and implementation | Preventive | |
Testing | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Repeat vulnerability scanning, as necessary. CC ID 11646 | Monitoring and measurement | Detective | |
| Perform internal vulnerability scans, as necessary. CC ID 00656 | Monitoring and measurement | Detective | |
| Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 | Monitoring and measurement | Preventive | |
| Perform risk assessments for all target environments, as necessary. CC ID 06452 [The device has undergone a vulnerability assessment to ensure that the protocols and interfaces list in F1 do not contain exploitable vulnerabilities.\ a) The vulnerability assessment is supported by a documented analysis describing the security of the protocols and interfaces.\ b) The vulnerability assessment is supported by a vulnerability survey of information available in the public domain.\ c) The vulnerability assessment is supported by testing. G2] | Audits and risk management | Preventive | |
| Identify the user when enrolling them in the biometric system. CC ID 06882 | Technical security | Detective | |
| Require the system to identify and authenticate approved devices before establishing a connection. CC ID 01429 [{POI application} The POI (application) must enforce the correspondence between the display messages visible to the cardholder and the operating state (i.e., secure or non-secure mode) of the PIN entry device, e.g., by using cryptographic authentication.\ If commands impacting the correspondence between the display messages and the operating state of the PIN entry device are received from an external device (e.g., a store controller), the commands enabling data entry must be authenticated.\ The alteration of the correspondence between the display messages visible to the cardholder and the operating state of the PIN entry device cannot occur without requiring an attack potential of at least 18 per POI for identification and initial exploitation with a minimum of 9 for exploitation. E3.4 {Certificate Authority} The device uses a declared security protocol to authenticate the server.\ a) Server authentication utilizes key sizes appropriate for the algorithm(s) in question.\ b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.\ c) The device is able to verify the validity of the public keys it receives.\ d) The device is able to verify the authenticity of the public keys it receives.\ e) The device’s trusted root certificate store shall contain only public key certificates from trusted CA's or else self-signed certificates verified by the acquirer. I4] | Technical security | Preventive | |
| Test cryptographic key management applications, as necessary. CC ID 04829 | Technical security | Detective | |
| Implement non-repudiation for transactions. CC ID 00567 [The device supports data origin authentication of encrypted messages. K6] | Technical security | Detective | |
| Test and inspect assets under full load working conditions. CC ID 06356 | Physical and environmental protection | Detective | |
| Conduct maintenance with authorized personnel. CC ID 01434 | Operational management | Detective | |
| Calibrate assets according to the calibration procedures for the asset. CC ID 06203 | Operational management | Detective | |
| Test proposed changes prior to their approval. CC ID 00548 | Operational management | Detective | |
| Perform risk assessments prior to approving change requests. CC ID 00888 | Operational management | Preventive | |
| Perform a patch test prior to deploying a patch. CC ID 00898 | Operational management | Detective | |
| Test software patches for any potential compromise of the system's security. CC ID 13175 | Operational management | Detective | |
| Review changes to computer firmware. CC ID 12226 [The firmware and any changes thereafter have been inspected and reviewed using a documented and auditable process, and certified as being free from hidden and unauthorized or undocumented functions. B3] | Operational management | Detective | |
| Certify changes to computer firmware are free of malicious logic. CC ID 12227 [The firmware and any changes thereafter have been inspected and reviewed using a documented and auditable process, and certified as being free from hidden and unauthorized or undocumented functions. B3] | Operational management | Detective | |
| Test the system's operational functionality after implementing approved changes. CC ID 06294 | Operational management | Detective | |
| Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541 | Operational management | Detective | |
| Test network access controls for proper Configuration Management settings. CC ID 01281 | System hardening through configuration management | Detective | |
| Verify wireless peripherals meet organizational security requirements. CC ID 00657 | System hardening through configuration management | Detective | |
| Test systems to ensure they conform to configuration baselines. CC ID 13062 | System hardening through configuration management | Detective | |
| Audit all modifications to the application being developed. CC ID 01614 | Systems design, build, and implementation | Detective | |
Common Controls andThere are three types of Common Control classifications; corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.
Corrective | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Update the vulnerability scanners' vulnerability list. CC ID 10634 | Monitoring and measurement | Configuration | |
| Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 | Monitoring and measurement | Behavior | |
| Perform vulnerability assessments, as necessary. CC ID 11828 [The device vendor has maintenance measures in place.\ a) The maintenance measures are documented.\ b) The maintenance measures ensure timely detection of vulnerabilities that apply to the device by periodic execution of a vulnerability assessment that includes activities such as: analysis, survey of information available in the public domain, and testing.\ c) The maintenance measures ensure timely assessment and classification of newly found vulnerabilities.\ d) The maintenance measures ensure timely creation of mitigation measures for newly found vulnerabilities that may impact device security. J2 The device has undergone a vulnerability assessment to ensure that the protocols and interfaces list in F1 do not contain exploitable vulnerabilities.\ a) The vulnerability assessment is supported by a documented analysis describing the security of the protocols and interfaces.\ b) The vulnerability assessment is supported by a vulnerability survey of information available in the public domain.\ c) The vulnerability assessment is supported by testing. G2] | Monitoring and measurement | Technical Security | |
| Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 | Technical security | Communicate | |
| Tune the biometric identification equipment, as necessary. CC ID 07077 | Technical security | Configuration | |
| Quarantine data that fails security tests. CC ID 16500 | Technical security | Data and Information Management | |
| Revoke old cryptographic keys or invalid cryptographic keys immediately. CC ID 01307 | Technical security | Data and Information Management | |
| Replace known or suspected compromised cryptographic keys immediately. CC ID 01306 | Technical security | Data and Information Management | |
| Remote lock any distributed assets reported lost or stolen. CC ID 14008 | Physical and environmental protection | Technical Security | |
| Remote wipe any distributed asset reported lost or stolen. CC ID 12197 | Physical and environmental protection | Process or Activity | |
| Unpair missing Bluetooth devices. CC ID 12428 | Physical and environmental protection | Physical and Environmental Protection | |
| Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373 | Operational and Systems Continuity | Systems Continuity | |
| Update operating procedures that contribute to user errors. CC ID 06935 | Operational management | Establish/Maintain Documentation | |
| Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 | Operational management | Establish/Maintain Documentation | |
| Approve back-out plans, as necessary. CC ID 13627 | Operational management | Establish/Maintain Documentation | |
| Deploy software patches in accordance with organizational standards. CC ID 07032 | Operational management | Configuration | |
| Patch software. CC ID 11825 | Operational management | Technical Security | |
| Patch the operating system, as necessary. CC ID 11824 | Operational management | Technical Security | |
| Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 | Operational management | Configuration | |
| Remove outdated software after software has been updated. CC ID 11792 | Operational management | Configuration | |
| Update computer firmware, as necessary. CC ID 11755 | Operational management | Configuration | |
| Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671 | Operational management | Configuration | |
| Mitigate the adverse effects of unauthorized changes. CC ID 12244 | Operational management | Business Processes | |
| Establish, implement, and maintain a change acceptance testing log. CC ID 06392 | Operational management | Establish/Maintain Documentation | |
| Document approved configuration deviations. CC ID 08711 | Operational management | Establish/Maintain Documentation | |
| Update the security configuration of hardened images, as necessary. CC ID 12088 | System hardening through configuration management | Technical Security | |
Detective | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Perform vulnerability scans, as necessary. CC ID 11637 [The device vendor has maintenance measures in place.\ a) The maintenance measures are documented.\ b) The maintenance measures ensure timely detection of vulnerabilities that apply to the device by periodic execution of a vulnerability assessment that includes activities such as: analysis, survey of information available in the public domain, and testing.\ c) The maintenance measures ensure timely assessment and classification of newly found vulnerabilities.\ d) The maintenance measures ensure timely creation of mitigation measures for newly found vulnerabilities that may impact device security. J2 The device vendor has maintenance measures in place.\ a) The maintenance measures are documented.\ b) The maintenance measures ensure timely detection of vulnerabilities that apply to the device by periodic execution of a vulnerability assessment that includes activities such as: analysis, survey of information available in the public domain, and testing.\ c) The maintenance measures ensure timely assessment and classification of newly found vulnerabilities.\ d) The maintenance measures ensure timely creation of mitigation measures for newly found vulnerabilities that may impact device security. J2] | Monitoring and measurement | Technical Security | |
| Repeat vulnerability scanning, as necessary. CC ID 11646 | Monitoring and measurement | Testing | |
| Identify and document security vulnerabilities. CC ID 11857 [The device vendor has internal policies and procedures that ensure that the vendor maintains an effective process for detecting vulnerabilities that may exist within their device. This process is expected to be robust enough to include all interfaces defined in requirement F1. This process must be effective enough to detect vulnerabilities which may have not been publicly known during the last vulnerability assessment. G1 The device has undergone a vulnerability assessment to ensure that the protocols and interfaces list in F1 do not contain exploitable vulnerabilities.\ a) The vulnerability assessment is supported by a documented analysis describing the security of the protocols and interfaces.\ b) The vulnerability assessment is supported by a vulnerability survey of information available in the public domain.\ c) The vulnerability assessment is supported by testing. G2] | Monitoring and measurement | Technical Security | |
| Rank discovered vulnerabilities. CC ID 11940 | Monitoring and measurement | Investigate | |
| Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638 | Monitoring and measurement | Technical Security | |
| Correlate vulnerability scan reports from the various systems. CC ID 10636 | Monitoring and measurement | Technical Security | |
| Perform internal vulnerability scans, as necessary. CC ID 00656 | Monitoring and measurement | Testing | |
| Perform vulnerability scans prior to installing payment applications. CC ID 12192 | Monitoring and measurement | Technical Security | |
| Implement scanning tools, as necessary. CC ID 14282 | Monitoring and measurement | Technical Security | |
| Repeat vulnerability scanning after an approved change occurs. CC ID 12468 | Monitoring and measurement | Technical Security | |
| Perform external vulnerability scans, as necessary. CC ID 11624 | Monitoring and measurement | Technical Security | |
| Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635 | Monitoring and measurement | Technical Security | |
| Review applications for security vulnerabilities after the application is updated. CC ID 11938 | Monitoring and measurement | Technical Security | |
| Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 | Audits and risk management | Investigate | |
| Review the risk profiles, as necessary. CC ID 16561 | Audits and risk management | Audits and Risk Management | |
| Update the risk assessment upon discovery of a new threat. CC ID 00708 | Audits and risk management | Establish/Maintain Documentation | |
| Update the risk assessment upon changes to the risk profile. CC ID 11627 | Audits and risk management | Establish/Maintain Documentation | |
| Conduct external audits of risk assessments, as necessary. CC ID 13308 | Audits and risk management | Audits and Risk Management | |
| Identify the user when enrolling them in the biometric system. CC ID 06882 | Technical security | Testing | |
| Test cryptographic key management applications, as necessary. CC ID 04829 | Technical security | Testing | |
| Implement non-repudiation for transactions. CC ID 00567 [The device supports data origin authentication of encrypted messages. K6] | Technical security | Testing | |
| Establish, implement, and maintain an anti-tamper protection program. CC ID 10638 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
| Inspect telephones for eavesdropping devices. CC ID 02223 | Physical and environmental protection | Physical and Environmental Protection | |
| Attach asset location technologies to distributed assets. CC ID 10626 | Physical and environmental protection | Physical and Environmental Protection | |
| Monitor the location of distributed assets. CC ID 11684 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
| Test and inspect assets under full load working conditions. CC ID 06356 | Physical and environmental protection | Testing | |
| Monitor and review environmental protections. CC ID 12571 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
| Install and maintain seismic detectors in critical facilities. CC ID 06364 | Physical and environmental protection | Physical and Environmental Protection | |
| Install and maintain an environment control monitoring system. CC ID 06370 | Physical and environmental protection | Monitor and Evaluate Occurrences | |
| Review and approve access controls, as necessary. CC ID 13074 | Operational management | Process or Activity | |
| Perform social network analysis, as necessary. CC ID 14864 | Operational management | Investigate | |
| Control and monitor all maintenance tools. CC ID 01432 | Operational management | Physical and Environmental Protection | |
| Conduct maintenance with authorized personnel. CC ID 01434 | Operational management | Testing | |
| Calibrate assets according to the calibration procedures for the asset. CC ID 06203 | Operational management | Testing | |
| Test proposed changes prior to their approval. CC ID 00548 | Operational management | Testing | |
| Examine all changes to ensure they correspond with the change request. CC ID 12345 | Operational management | Business Processes | |
| Conduct network certifications prior to approving change requests for networks. CC ID 13121 | Operational management | Process or Activity | |
| Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 | Operational management | Investigate | |
| Collect data about the network environment when certifying the network. CC ID 13125 | Operational management | Investigate | |
| Review the patch log for missing patches. CC ID 13186 | Operational management | Technical Security | |
| Perform a patch test prior to deploying a patch. CC ID 00898 | Operational management | Testing | |
| Test software patches for any potential compromise of the system's security. CC ID 13175 | Operational management | Testing | |
| Review changes to computer firmware. CC ID 12226 [The firmware and any changes thereafter have been inspected and reviewed using a documented and auditable process, and certified as being free from hidden and unauthorized or undocumented functions. B3] | Operational management | Testing | |
| Certify changes to computer firmware are free of malicious logic. CC ID 12227 [The firmware and any changes thereafter have been inspected and reviewed using a documented and auditable process, and certified as being free from hidden and unauthorized or undocumented functions. B3] | Operational management | Testing | |
| Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682 [If the device allows updates of firmware, the device cryptographically authenticates the firmware and if the authenticity is not confirmed, the firmware update is rejected and deleted. B4 The firmware must support the authentication of applications loaded onto the terminal consistent with B4. If the device allows software application and/or configuration updates, the device cryptographically authenticates updates consistent with B4. B4.1 If the manufacturer is in charge of initial key loading, the manufacturer must verify the authenticity of the POI security-related components. M5 If the manufacturer is not in charge of initial key loading, the manufacturer must provide the means to the initial key-loading facility to assure the verification of the authenticity of the POI security-related components. M6 The firmware, and any changes thereafter, have been inspected and reviewed consistent with B3. K10 The firmware must confirm the authenticity of all applications loaded onto the terminal consistent with B4. If the device allows software application and/or configuration updates, the device cryptographically authenticates all updates consistent with B4. K11.1 The firmware must confirm the authenticity of all applications loaded onto the terminal consistent with B4. If the device allows software application and/or configuration updates, the device cryptographically authenticates all updates consistent with B4. K11.1 If the device allows updates of firmware, the device cryptographically authenticates the firmware and if the authenticity is not confirmed, the firmware update is rejected and deleted. K12] | Operational management | Technical Security | |
| Establish, implement, and maintain approved change acceptance testing procedures. CC ID 06391 | Operational management | Establish/Maintain Documentation | |
| Test the system's operational functionality after implementing approved changes. CC ID 06294 | Operational management | Testing | |
| Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541 | Operational management | Testing | |
| Establish, implement, and maintain a configuration change log. CC ID 08710 | Operational management | Configuration | |
| Test network access controls for proper Configuration Management settings. CC ID 01281 | System hardening through configuration management | Testing | |
| Verify wireless peripherals meet organizational security requirements. CC ID 00657 | System hardening through configuration management | Testing | |
| Review the ownership of service accounts, as necessary. CC ID 13863 | System hardening through configuration management | Technical Security | |
| Test systems to ensure they conform to configuration baselines. CC ID 13062 | System hardening through configuration management | Testing | |
| Include anti-tamper technologies and anti-tamper techniques in the system design specification. CC ID 10639 [The PIN pad (PIN entry area) and the surrounding area must be designed and engineered in such a way that the complete device does not facilitate the fraudulent placement of an overlay over the PIN pad.\ An overlay attack must require an attack potential of at least 18 for identification and initial exploitation, with a minimum of 9 for exploitation. E2.2] | Systems design, build, and implementation | Monitor and Evaluate Occurrences | |
| Audit all modifications to the application being developed. CC ID 01614 | Systems design, build, and implementation | Testing | |
| Assess third parties' compliance environment during due diligence. CC ID 13134 | Third Party and supply chain oversight | Process or Activity | |
| Request attestation of compliance from third parties. CC ID 12067 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Report tampering when tampering indicators are identified in incoming shipments. CC ID 08937 | Third Party and supply chain oversight | Business Processes | |
| Report incoming shipment inconsistencies when an incoming shipment inconsistency is identified. CC ID 08940 | Third Party and supply chain oversight | Behavior | |
IT Impact Zone | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
| Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
| Technical security CC ID 00508 | Technical security | IT Impact Zone | |
| Physical and environmental protection CC ID 00709 | Physical and environmental protection | IT Impact Zone | |
| Operational and Systems Continuity CC ID 00731 | Operational and Systems Continuity | IT Impact Zone | |
| Operational management CC ID 00805 | Operational management | IT Impact Zone | |
| System hardening through configuration management CC ID 00860 | System hardening through configuration management | IT Impact Zone | |
| Systems design, build, and implementation CC ID 00989 | Systems design, build, and implementation | IT Impact Zone | |
| Acquisition or sale of facilities, technology, and services CC ID 01123 | Acquisition or sale of facilities, technology, and services | IT Impact Zone | |
| Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
| Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone | |
Preventive | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Establish, implement, and maintain a testing program. CC ID 00654 | Monitoring and measurement | Behavior | |
| Establish, implement, and maintain a vulnerability management program. CC ID 15721 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 | Monitoring and measurement | Establish/Maintain Documentation | |
| Use dedicated user accounts when conducting vulnerability scans. CC ID 12098 | Monitoring and measurement | Technical Security | |
| Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 | Monitoring and measurement | Establish/Maintain Documentation | |
| Disseminate and communicate the vulnerability scan results to interested personnel and affected parties. CC ID 16418 | Monitoring and measurement | Communicate | |
| Maintain vulnerability scan reports as organizational records. CC ID 12092 | Monitoring and measurement | Records Management | |
| Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 | Monitoring and measurement | Business Processes | |
| Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 | Monitoring and measurement | Testing | |
| Establish, implement, and maintain a risk management program. CC ID 12051 | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a risk assessment program. CC ID 00687 | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain risk assessment procedures. CC ID 06446 | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 [The device has undergone a vulnerability assessment to ensure that the protocols and interfaces list in F1 do not contain exploitable vulnerabilities.\ a) The vulnerability assessment is supported by a documented analysis describing the security of the protocols and interfaces.\ b) The vulnerability assessment is supported by a vulnerability survey of information available in the public domain.\ c) The vulnerability assessment is supported by testing. G2] | Audits and risk management | Establish/Maintain Documentation | |
| Document organizational risk criteria. CC ID 12277 | Audits and risk management | Establish/Maintain Documentation | |
| Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 | Audits and risk management | Technical Security | |
| Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 | Audits and risk management | Audits and Risk Management | |
| Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 | Audits and risk management | Audits and Risk Management | |
| Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 | Audits and risk management | Establish/Maintain Documentation | |
| Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 | Audits and risk management | Audits and Risk Management | |
| Approve the threat and risk classification scheme. CC ID 15693 | Audits and risk management | Business Processes | |
| Perform risk assessments for all target environments, as necessary. CC ID 06452 [The device has undergone a vulnerability assessment to ensure that the protocols and interfaces list in F1 do not contain exploitable vulnerabilities.\ a) The vulnerability assessment is supported by a documented analysis describing the security of the protocols and interfaces.\ b) The vulnerability assessment is supported by a vulnerability survey of information available in the public domain.\ c) The vulnerability assessment is supported by testing. G2] | Audits and risk management | Testing | |
| Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 | Audits and risk management | Establish/Maintain Documentation | |
| Include physical assets in the scope of the risk assessment. CC ID 13075 | Audits and risk management | Establish/Maintain Documentation | |
| Include the results of the risk assessment in the risk assessment report. CC ID 06481 | Audits and risk management | Establish/Maintain Documentation | |
| Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 | Audits and risk management | Audits and Risk Management | |
| Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 | Audits and risk management | Audits and Risk Management | |
| Review the risk to the audit function when the audit personnel status changes. CC ID 01153 | Audits and risk management | Audits and Risk Management | |
| Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 | Audits and risk management | Establish/Maintain Documentation | |
| Create a risk assessment report based on the risk assessment results. CC ID 15695 | Audits and risk management | Establish/Maintain Documentation | |
| Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 | Audits and risk management | Communicate | |
| Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 | Audits and risk management | Communicate | |
| Establish, implement, and maintain an access control program. CC ID 11702 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain an access rights management plan. CC ID 00513 | Technical security | Establish/Maintain Documentation | |
| Control access rights to organizational assets. CC ID 00004 | Technical security | Technical Security | |
| Establish access rights based on least privilege. CC ID 01411 [The operating system of the device must contain only the software (components and services) necessary for the intended operation. The operating system must be configured securely and run with least privilege. B18 The following features of the device’s operating system must be in place:\ - The operating system of the device must contain only the software (components and services) necessary for the intended operation.\ - The operating system must be configured securely and run with least privilege.\ - The security policy enforced by the device must not allow unauthorized or unnecessary functions.\ - API functionality and commands that are not required to support specific functionality must be disabled (and where possible, removed). K21] | Technical security | Technical Security | |
| Assign user permissions based on job responsibilities. CC ID 00538 | Technical security | Technical Security | |
| Assign user privileges after they have management sign off. CC ID 00542 | Technical security | Technical Security | |
| Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 | Technical security | Configuration | |
| Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412 [The device has characteristics that prevent or significantly deter the use of the device for exhaustive PAN determination. K18] | Technical security | Technical Security | |
| Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 | Technical security | Configuration | |
| Disallow unlocking user accounts absent system administrator approval. CC ID 01413 | Technical security | Technical Security | |
| Establish, implement, and maintain session lock capabilities. CC ID 01417 [The device implements session management.\ a) The device keeps track of all connections and restricts the number of sessions that can remain active on the device to the minimum necessary number.\ b) The device sets time limits for sessions and ensures that sessions are not left open for longer than necessary. I6] | Technical security | Configuration | |
| Limit concurrent sessions according to account type. CC ID 01416 [The device implements session management.\ a) The device keeps track of all connections and restricts the number of sessions that can remain active on the device to the minimum necessary number.\ b) The device sets time limits for sessions and ensures that sessions are not left open for longer than necessary. I6] | Technical security | Configuration | |
| Include digital identification procedures in the access control program. CC ID 11841 | Technical security | Technical Security | |
| Require proper authentication for user identifiers. CC ID 11785 [The update mechanism ensures security, i.e., integrity, mutual authentication, and protection against replay, by using an appropriate and declared security protocol when using a network connection. For manual updates, administrator rights must be implemented using password/PINs and/or cryptographic authentication techniques. J4 Access to sensitive services requires authentication. Sensitive services provide access to the underlying sensitive functions. Sensitive functions are those functions that process sensitive data such as cryptographic keys, account data, and passwords. Entering or exiting sensitive services shall not reveal or otherwise affect sensitive data. K22 Access to sensitive services requires authentication. Sensitive services provide access to the underlying sensitive functions. Sensitive functions are those functions that process sensitive data such as cryptographic keys, PINs, and passwords. Entering or exiting sensitive services shall not reveal or otherwise affect sensitive data. B7] | Technical security | Technical Security | |
| Assign authenticators to user accounts. CC ID 06855 | Technical security | Configuration | |
| Assign authentication mechanisms for user account authentication. CC ID 06856 | Technical security | Configuration | |
| Refrain from allowing individuals to share authentication mechanisms. CC ID 11932 | Technical security | Technical Security | |
| Establish and maintain a memorized secret list. CC ID 13791 | Technical security | Establish/Maintain Documentation | |
| Limit account credential reuse as a part of digital identification procedures. CC ID 12357 | Technical security | Configuration | |
| Refrain from assigning authentication mechanisms for shared accounts. CC ID 11910 | Technical security | Technical Security | |
| Use biometric authentication for identification and authentication, as necessary. CC ID 06857 | Technical security | Establish Roles | |
| Employ live scans to verify biometric authentication. CC ID 06847 | Technical security | Technical Security | |
| Disallow self-enrollment of biometric information. CC ID 11834 | Technical security | Process or Activity | |
| Notify a user when an authenticator for a user account is changed. CC ID 13820 | Technical security | Communicate | |
| Enforce information flow control. CC ID 11781 | Technical security | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain information flow control configuration standards. CC ID 01924 | Technical security | Establish/Maintain Documentation | |
| Require the system to identify and authenticate approved devices before establishing a connection. CC ID 01429 [{POI application} The POI (application) must enforce the correspondence between the display messages visible to the cardholder and the operating state (i.e., secure or non-secure mode) of the PIN entry device, e.g., by using cryptographic authentication.\ If commands impacting the correspondence between the display messages and the operating state of the PIN entry device are received from an external device (e.g., a store controller), the commands enabling data entry must be authenticated.\ The alteration of the correspondence between the display messages visible to the cardholder and the operating state of the PIN entry device cannot occur without requiring an attack potential of at least 18 per POI for identification and initial exploitation with a minimum of 9 for exploitation. E3.4 {Certificate Authority} The device uses a declared security protocol to authenticate the server.\ a) Server authentication utilizes key sizes appropriate for the algorithm(s) in question.\ b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.\ c) The device is able to verify the validity of the public keys it receives.\ d) The device is able to verify the authenticity of the public keys it receives.\ e) The device’s trusted root certificate store shall contain only public key certificates from trusted CA's or else self-signed certificates verified by the acquirer. I4] | Technical security | Testing | |
| Maintain a record of the challenge state during identification and authentication in an automated information exchange. CC ID 06629 | Technical security | Establish/Maintain Documentation | |
| Constrain the information flow of restricted data or restricted information. CC ID 06763 [When operating in encrypting mode, the secure controller can only release clear-text account data to authenticated applications executing within the device. K15.1] | Technical security | Data and Information Management | |
| Restrict access to restricted data and restricted information on a need to know basis. CC ID 12453 | Technical security | Data and Information Management | |
| Prohibit restricted data or restricted information from being sent to mobile devices. CC ID 04725 | Technical security | Data and Information Management | |
| Prohibit restricted data or restricted information from being copied or moved absent approval of system boundaries for information flow control. CC ID 06310 | Technical security | Data and Information Management | |
| Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain information exchange procedures. CC ID 11782 | Technical security | Establish/Maintain Documentation | |
| Protect data from unauthorized disclosure while transmitting between separate parts of the system. CC ID 11859 [All account data is either encrypted immediately upon entry or entered in clear-text into a secure device and processed within the secure controller of the device. K1 The device protects all account data upon entry (consistent with A9 for magnetic stripe data and D1 for Chip data), and there is no method of accessing the clear-text account data (using methods described in A1) without defeating the security of the device. Defeating or circumventing the security mechanism requires an attack potential of at least 16 for identification and initial exploitation, with a minimum of 8 for exploitation. K1.1 The logical and physical integration of an approved secure card reader into a PIN entry POI terminal does not create new attack paths to the account data. The account data is protected from the input component to the secure controller of the device—i.e., it is not possible to insert a bug that would disclose sensitive data. K2] | Technical security | Data and Information Management | |
| Control all methods of remote access and teleworking. CC ID 00559 | Technical security | Technical Security | |
| Protect remote access accounts with encryption. CC ID 00562 [If the device may be accessed remotely for the purposes of administration, all access attempts must be cryptographically authenticated. If the authenticity of the access request cannot be confirmed, the access request is denied. K9] | Technical security | Configuration | |
| Manage the use of encryption controls and cryptographic controls. CC ID 00570 [Public keys must be stored and used in a manner that protects against unauthorized modification or substitution. Unauthorized modification or substitution requires an attack potential of at least 26 for identification and initial exploitation with a minimum of 13 for exploitation. K3.1 {mode of operation} All account data shall be encrypted using only ANSI X9 or ISO-approved encryption algorithms (e.g., AES, TDES) and should use ANSI X9 or ISO-approved modes of operation. K4] | Technical security | Technical Security | |
| Comply with the encryption laws of the local country. CC ID 16377 | Technical security | Business Processes | |
| Define the cryptographic module security functions and the cryptographic module operational modes. CC ID 06542 | Technical security | Establish/Maintain Documentation | |
| Define the cryptographic boundaries. CC ID 06543 | Technical security | Establish/Maintain Documentation | |
| Establish and maintain the documentation requirements for cryptographic modules. CC ID 06544 | Technical security | Establish/Maintain Documentation | |
| Establish and maintain the security requirements for cryptographic module ports and cryptographic module interfaces. CC ID 06545 | Technical security | Establish/Maintain Documentation | |
| Implement the documented cryptographic module security functions. CC ID 06755 | Technical security | Data and Information Management | |
| Establish, implement, and maintain documentation for the delivery and operation of cryptographic modules. CC ID 06547 | Technical security | Establish/Maintain Documentation | |
| Document the operation of the cryptographic module. CC ID 06546 | Technical security | Establish/Maintain Documentation | |
| Employ cryptographic controls that comply with applicable requirements. CC ID 12491 | Technical security | Technical Security | |
| Establish, implement, and maintain digital signatures. CC ID 13828 | Technical security | Data and Information Management | |
| Include the expiration date in digital signatures. CC ID 13833 | Technical security | Data and Information Management | |
| Include audience restrictions in digital signatures. CC ID 13834 | Technical security | Data and Information Management | |
| Include the subject in digital signatures. CC ID 13832 | Technical security | Data and Information Management | |
| Include the issuer in digital signatures. CC ID 13831 | Technical security | Data and Information Management | |
| Include identifiers in the digital signature. CC ID 13829 | Technical security | Data and Information Management | |
| Generate and protect a secret random number for each digital signature. CC ID 06577 | Technical security | Establish/Maintain Documentation | |
| Establish the security strength requirements for the digital signature process. CC ID 06578 [The device is able to provide the integrity of data that is sent over a network connection.\ a) Integrity is provided by a MAC as defined in ISO 16609, or by a digital signature.\ b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.\ c) Examples of appropriate algorithms and minimum key sizes are stated in Appendix D of the PCI PTS POI DTRs. I3] | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain an encryption management and cryptographic controls policy. CC ID 04546 | Technical security | Establish/Maintain Documentation | |
| Refrain from allowing the use of cleartext for input or output of restricted data or restricted information. CC ID 04823 [{refrain from allowing} When operating in encrypting mode, there is no mechanism in the device that would allow the outputting of clear-text account data. Changing between an encrypting and non-encrypting mode of operation requires explicit authentication. K15 There is no mechanism in the device that would allow the outputting of a private or secret clear-text key or clear-text PIN, the encryption of a key or PIN under a key that might itself be disclosed, or the transfer of a clear-text key from a component of high security into a component of lesser security. B14] | Technical security | Configuration | |
| Encrypt in scope data or in scope information, as necessary. CC ID 04824 [PIN protection during transmission between the device encrypting the PIN and the ICC reader (at least two must apply):\ If the device encrypting the PIN and the ICC reader are not integrated into the same secure module, and the cardholder verification method is determined to be:\ - An enciphered PIN, the PIN block shall be enciphered between the device encrypting the PIN and the ICC reader using either an authenticated encipherment key of the IC card, or in accordance with ISO 9564.\ - A plaintext PIN, the PIN block shall be enciphered from the device encrypting the PIN to the ICC reader (the ICC reader will then decipher the PIN for transmission in plaintext to the IC card) in accordance with ISO 9564.\ If the device encrypting the PIN and the ICC reader are integrated into the same secure module, and the cardholder verification method is determined to be:\ - An enciphered PIN, the PIN block shall be enciphered using an authenticated encipherment key of the IC card.\ - A plaintext PIN, then encipherment is not required if the PIN block is transmitted wholly through a protected environment (as defined in ISO 9564). If the plaintext PIN is transmitted to the ICC reader through an unprotected environment, the PIN block shall be enciphered in accordance with ISO 9564. D4 The device is able to provide the integrity of data that is sent over a network connection.\ a) Integrity is provided by a MAC as defined in ISO 16609, or by a digital signature.\ b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.\ c) Examples of appropriate algorithms and minimum key sizes are stated in Appendix D of the PCI PTS POI DTRs. I3 {mode of operation} All account data shall be encrypted using only ANSI X9 or ISO-approved encryption algorithms (e.g., AES, TDES) and should use ANSI X9 or ISO-approved modes of operation. K4 Sensitive data shall not be retained any longer, or used more often, than strictly necessary. Online PINs are encrypted within the device immediately after PIN entry is complete and has been signified as such by the cardholder, e.g., via pressing the enter button.\ The device must automatically clear its internal buffers when either:\ - The transaction is completed, or\ - The device has timed out waiting for the response from the cardholder or merchant. B6] | Technical security | Data and Information Management | |
| Digitally sign records and data, as necessary. CC ID 16507 | Technical security | Data and Information Management | |
| Make key usage for data fields unique for each device. CC ID 04828 [{secret keys}{private keys} Secret and private keys that reside within the device to support account data encryption are unique per device. K7 Encryption or decryption of any arbitrary data using any account data-encrypting key or key-encrypting key contained in the device is not permitted.\ The device must enforce that account data keys, key-encipherment keys, and PIN-encryption keys have different values. K8 It is not possible to encrypt or decrypt any arbitrary data using any PIN-encrypting key or key-encrypting key contained in the device. The device must enforce that data keys, key-encipherment keys, and PIN-encryption keys have different values. B13] | Technical security | Technical Security | |
| Decrypt restricted data for the minimum time required. CC ID 12308 | Technical security | Data and Information Management | |
| Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309 | Technical security | Data and Information Management | |
| Accept only trusted keys and/or certificates. CC ID 11988 | Technical security | Technical Security | |
| Establish, implement, and maintain cryptographic key creation domain parameter requirements. CC ID 06575 [The device is able to provide confidentiality of data sent over a network connection.\ a) Encryption mechanism utilizes key sizes appropriate for the algorithm(s) in question.\ b) Encryption is provided by using keys that are established in a secure manner using appropriate key-management procedures, such as those listed in NIST SP800-21, Guidelines for Implementing Cryptography in the Federal Government and ISO 11568 Banking – Key Management (Retail). I2 {Certificate Authority} The device uses a declared security protocol to authenticate the server.\ a) Server authentication utilizes key sizes appropriate for the algorithm(s) in question.\ b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.\ c) The device is able to verify the validity of the public keys it receives.\ d) The device is able to verify the authenticity of the public keys it receives.\ e) The device’s trusted root certificate store shall contain only public key certificates from trusted CA's or else self-signed certificates verified by the acquirer. I4 If using a hash function to generate surrogate PAN values, input to the hash function must use a salt with minimum length of 64 bits. K16.1] | Technical security | Data and Information Management | |
| Define the asymmetric signature field for the CHUID container on identification cards or badges. CC ID 06584 | Technical security | Process or Activity | |
| Implement cryptographic operations and support functions on identification cards or badges. CC ID 06585 | Technical security | Process or Activity | |
| Disseminate and communicate the encryption management and cryptographic controls policy to all interested personnel and affected parties. CC ID 15476 | Technical security | Communicate | |
| Define the format of the biometric data on identification cards or badges. CC ID 06586 | Technical security | Process or Activity | |
| Protect salt values and hash values in accordance with organizational standards. CC ID 16471 | Technical security | Data and Information Management | |
| Provide guidance to customers on how to securely transmit, store, and update cryptographic keys. CC ID 12040 [The device has guidance for key management describing how keys and certificates must be used.\ a) The key-management guidance is at the disposal of internal users and/or of application developers, system integrators, and end-users of the device.\ b) Key-management security guidance describes the properties of all keys and certificates that can be used by the device.\ c) Key-management security guidance describes the responsibilities of the device vendor, application developers, system integrators, and end-users of the device.\ d) Key-management security guidance ensures secure use of keys and certificates. H3 The device has guidance for key management describing how keys and certificates must be used.\ a) The key-management guidance is at the disposal of internal users and/or of application developers, system integrators, and end-users of the device.\ b) Key-management security guidance describes the properties of all keys and certificates that can be used by the device.\ c) Key-management security guidance describes the responsibilities of the device vendor, application developers, system integrators, and end-users of the device.\ d) Key-management security guidance ensures secure use of keys and certificates. H3] | Technical security | Establish/Maintain Documentation | |
| Disseminate and communicate the encryption management procedures to all interested personnel and affected parties. CC ID 15477 | Technical security | Communicate | |
| Establish, implement, and maintain encryption management procedures. CC ID 15475 | Technical security | Establish/Maintain Documentation | |
| Define and assign cryptographic, encryption and key management roles and responsibilities. CC ID 15470 | Technical security | Establish Roles | |
| Establish, implement, and maintain cryptographic key management procedures. CC ID 00571 [The device has guidance for key management describing how keys and certificates must be used.\ a) The key-management guidance is at the disposal of internal users and/or of application developers, system integrators, and end-users of the device.\ b) Key-management security guidance describes the properties of all keys and certificates that can be used by the device.\ c) Key-management security guidance describes the responsibilities of the device vendor, application developers, system integrators, and end-users of the device.\ d) Key-management security guidance ensures secure use of keys and certificates. H3 The device has guidance for key management describing how keys and certificates must be used.\ a) The key-management guidance is at the disposal of internal users and/or of application developers, system integrators, and end-users of the device.\ b) Key-management security guidance describes the properties of all keys and certificates that can be used by the device.\ c) Key-management security guidance describes the responsibilities of the device vendor, application developers, system integrators, and end-users of the device.\ d) Key-management security guidance ensures secure use of keys and certificates. H3 The device is able to provide confidentiality of data sent over a network connection.\ a) Encryption mechanism utilizes key sizes appropriate for the algorithm(s) in question.\ b) Encryption is provided by using keys that are established in a secure manner using appropriate key-management procedures, such as those listed in NIST SP800-21, Guidelines for Implementing Cryptography in the Federal Government and ISO 11568 Banking – Key Management (Retail). I2 {turnkey system} The vendor must provide a defined and documented process containing specific details on how any signing mechanisms must be implemented. This must include any “turnkey” systems required for compliance with the management of display prompts, or any mechanisms used for authenticating any application code. This must ensure:\ - The signing process is performed under dual control.\ - All executable files are signed.\ - Software is only signed using a secure cryptographic device provided by the terminal vendor. B4.2] | Technical security | Establish/Maintain Documentation | |
| Disseminate and communicate cryptographic key management procedures to interested personnel and affected parties. CC ID 13164 | Technical security | Communicate | |
| Bind keys to each identity. CC ID 12337 | Technical security | Technical Security | |
| Include recommended cryptographic key management procedures for cloud service providers in the cryptographic key management procedures. CC ID 13152 | Technical security | Establish/Maintain Documentation | |
| Include requesting cryptographic key types in the cryptographic key management procedures. CC ID 13151 | Technical security | Establish/Maintain Documentation | |
| Recover encrypted data for lost cryptographic keys, compromised cryptographic keys, or damaged cryptographic keys. CC ID 01301 | Technical security | Data and Information Management | |
| Generate strong cryptographic keys. CC ID 01299 | Technical security | Data and Information Management | |
| Generate unique cryptographic keys for each user. CC ID 12169 | Technical security | Technical Security | |
| Use approved random number generators for creating cryptographic keys. CC ID 06574 | Technical security | Data and Information Management | |
| Implement decryption keys so that they are not linked to user accounts. CC ID 06851 | Technical security | Technical Security | |
| Include the establishment of cryptographic keys in the cryptographic key management procedures. CC ID 06540 [{determine}{reside}{penetrate} Determination of any PIN-security-related cryptographic key resident in the device, by penetration of the device and/or by monitoring emanations from the device (including power fluctuations), requires an attack potential of at least 35 for identification and initial exploitation with a minimum of 15 for exploitation. A6 The device has guidance for key management describing how keys and certificates must be used.\ a) The key-management guidance is at the disposal of internal users and/or of application developers, system integrators, and end-users of the device.\ b) Key-management security guidance describes the properties of all keys and certificates that can be used by the device.\ c) Key-management security guidance describes the responsibilities of the device vendor, application developers, system integrators, and end-users of the device.\ d) Key-management security guidance ensures secure use of keys and certificates. H3 {Certificate Authority} The device uses a declared security protocol to authenticate the server.\ a) Server authentication utilizes key sizes appropriate for the algorithm(s) in question.\ b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.\ c) The device is able to verify the validity of the public keys it receives.\ d) The device is able to verify the authenticity of the public keys it receives.\ e) The device’s trusted root certificate store shall contain only public key certificates from trusted CA's or else self-signed certificates verified by the acquirer. I4] | Technical security | Establish/Maintain Documentation | |
| Disseminate and communicate cryptographic keys securely. CC ID 01300 [If remote key distribution is used, the device supports mutual authentication between the sending key-distribution host and receiving device. K5] | Technical security | Data and Information Management | |
| Control the input and output of cryptographic keys from a cryptographic module. CC ID 06541 | Technical security | Data and Information Management | |
| Store cryptographic keys securely. CC ID 01298 [If the device can hold multiple PIN-encryption keys and if the key to be used to encrypt the PIN can be externally selected, the device prohibits unauthorized key replacement and key misuse. C1 Determination of any cryptographic keys used for account-data encryption, by penetration of the device and/or by monitoring emanations from the device (including power fluctuations), requires an attack potential of at least 26 for identification and initial exploitation with a minimum of 13 for exploitation. K3 Public keys must be stored and used in a manner that protects against unauthorized modification or substitution. Unauthorized modification or substitution requires an attack potential of at least 26 for identification and initial exploitation with a minimum of 13 for exploitation. K3.1] | Technical security | Data and Information Management | |
| Restrict access to cryptographic keys. CC ID 01297 | Technical security | Data and Information Management | |
| Store cryptographic keys in encrypted format. CC ID 06084 [If using a hash function to generate surrogate PAN values, the salt is kept secret and appropriately protected. Disclosure of the salt cannot occur without requiring an attack potential of at least 16 per device for identification and initial exploitation with a minimum of 8 for exploitation. K16.2] | Technical security | Data and Information Management | |
| Store key-encrypting keys and data-encrypting keys in different locations. CC ID 06085 | Technical security | Technical Security | |
| Include offsite backups of cryptographic keys in the cryptographic key management procedures. CC ID 13127 | Technical security | Establish/Maintain Documentation | |
| Change cryptographic keys in accordance with organizational standards. CC ID 01302 | Technical security | Data and Information Management | |
| Destroy cryptographic keys promptly after the retention period. CC ID 01303 | Technical security | Data and Information Management | |
| Control cryptographic keys with split knowledge and dual control. CC ID 01304 [{turnkey system} The vendor must provide a defined and documented process containing specific details on how any signing mechanisms must be implemented. This must include any “turnkey” systems required for compliance with the management of display prompts, or any mechanisms used for authenticating any application code. This must ensure:\ - The signing process is performed under dual control.\ - All executable files are signed.\ - Software is only signed using a secure cryptographic device provided by the terminal vendor. B4.2] | Technical security | Data and Information Management | |
| Prevent the unauthorized substitution of cryptographic keys. CC ID 01305 | Technical security | Data and Information Management | |
| Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys. CC ID 06852 | Technical security | Technical Security | |
| Archive outdated cryptographic keys. CC ID 06884 | Technical security | Data and Information Management | |
| Archive revoked cryptographic keys. CC ID 11819 | Technical security | Data and Information Management | |
| Require key custodians to sign the cryptographic key management policy. CC ID 01308 | Technical security | Establish/Maintain Documentation | |
| Require key custodians to sign the key custodian's roles and responsibilities. CC ID 11820 | Technical security | Human Resources Management | |
| Manage the digital signature cryptographic key pair. CC ID 06576 | Technical security | Data and Information Management | |
| Establish, implement, and maintain requirements for Personal Identity Verification authentication certificates. CC ID 06587 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain Public Key certificate application procedures. CC ID 07079 | Technical security | Establish/Maintain Documentation | |
| Establish a Registration Authority to support the Public Key Infrastructure. CC ID 15725 | Technical security | Establish Roles | |
| Include the Identification and Authentication of individuals or entities in the Public Key certificate application procedures. CC ID 07080 | Technical security | Establish/Maintain Documentation | |
| Include approving or rejecting Public Key certificate applications in the Public Key certificate application procedure. CC ID 07081 | Technical security | Establish/Maintain Documentation | |
| Include revocation of Public Key certificates in the Public Key certificate procedures. CC ID 07082 | Technical security | Establish/Maintain Documentation | |
| Publish revoked Public Key certificates in the Certificate Revocation List. CC ID 07089 | Technical security | Establish/Maintain Documentation | |
| Establish, implement, and maintain Public Key renewal or rekeying request procedures. CC ID 07083 | Technical security | Establish/Maintain Documentation | |
| Include identification and authentication in Public Key renewal or rekeying request procedures. CC ID 11816 | Technical security | Establish/Maintain Documentation | |
| Issue authentication mechanisms that support the Public Key Infrastructure. CC ID 07092 | Technical security | Technical Security | |
| Establish a Root Certification Authority to support the Public Key Infrastructure. CC ID 07084 [{Certificate Authority} The device uses a declared security protocol to authenticate the server.\ a) Server authentication utilizes key sizes appropriate for the algorithm(s) in question.\ b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.\ c) The device is able to verify the validity of the public keys it receives.\ d) The device is able to verify the authenticity of the public keys it receives.\ e) The device’s trusted root certificate store shall contain only public key certificates from trusted CA's or else self-signed certificates verified by the acquirer. I4] | Technical security | Technical Security | |
| Establish, implement, and maintain Public Key certificate procedures. CC ID 07085 [{Certificate Authority} The device uses a declared security protocol to authenticate the server.\ a) Server authentication utilizes key sizes appropriate for the algorithm(s) in question.\ b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.\ c) The device is able to verify the validity of the public keys it receives.\ d) The device is able to verify the authenticity of the public keys it receives.\ e) The device’s trusted root certificate store shall contain only public key certificates from trusted CA's or else self-signed certificates verified by the acquirer. I4] | Technical security | Establish/Maintain Documentation | |
| Include signing and issuing Public Key certificates in the Public Key certificate procedures. CC ID 11817 [{Certificate Authority} The device uses a declared security protocol to authenticate the server.\ a) Server authentication utilizes key sizes appropriate for the algorithm(s) in question.\ b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.\ c) The device is able to verify the validity of the public keys it receives.\ d) The device is able to verify the authenticity of the public keys it receives.\ e) The device’s trusted root certificate store shall contain only public key certificates from trusted CA's or else self-signed certificates verified by the acquirer. I4] | Technical security | Establish/Maintain Documentation | |
| Include publishing Public Key certificates in the Public Key certificate procedures. CC ID 07087 | Technical security | Establish/Maintain Documentation | |
| Include access to issued Public Key certificates in the Public Key certificate procedures. CC ID 07086 | Technical security | Establish/Maintain Documentation | |
| Connect the Public Key Infrastructure to the organization's identity and access management system. CC ID 07091 | Technical security | Technical Security | |
| Archive Public Key certificate records according to organizational Records Management rules. CC ID 07090 | Technical security | Records Management | |
| Refrain from storing encryption keys with cloud service providers when cryptographic key management services are in place locally. CC ID 13153 | Technical security | Technical Security | |
| Refrain from permitting cloud service providers to manage encryption keys when cryptographic key management services are in place locally. CC ID 13154 | Technical security | Technical Security | |
| Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564 [The device is able to provide confidentiality of data sent over a network connection.\ a) Encryption mechanism utilizes key sizes appropriate for the algorithm(s) in question.\ b) Encryption is provided by using keys that are established in a secure manner using appropriate key-management procedures, such as those listed in NIST SP800-21, Guidelines for Implementing Cryptography in the Federal Government and ISO 11568 Banking – Key Management (Retail). I2] | Technical security | Technical Security | |
| Ensure restricted data or restricted information are encrypted prior to or at the time of transmission. CC ID 01749 | Technical security | Configuration | |
| Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls. CC ID 12492 | Technical security | Technical Security | |
| Encrypt traffic over networks with trusted cryptographic keys. CC ID 12490 | Technical security | Technical Security | |
| Authorize transactions of data transmitted over public networks or shared data networks. CC ID 00566 | Technical security | Establish/Maintain Documentation | |
| Treat data messages that do not receive an acknowledgment as never been sent. CC ID 14416 | Technical security | Technical Security | |
| Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks. CC ID 00568 | Technical security | Technical Security | |
| Protect application services information transmitted over a public network from unauthorized modification. CC ID 12021 | Technical security | Technical Security | |
| Protect application services information transmitted over a public network from unauthorized disclosure. CC ID 12020 | Technical security | Technical Security | |
| Protect application services information transmitted over a public network from contract disputes. CC ID 12019 | Technical security | Technical Security | |
| Protect application services information transmitted over a public network from fraudulent activity. CC ID 12018 | Technical security | Technical Security | |
| Establish, implement, and maintain a malicious code protection program. CC ID 00574 | Technical security | Establish/Maintain Documentation | |
| Protect the system against replay attacks. CC ID 04552 [The device is able to detect replay of messages and enables the secure handling of the exceptions. I5] | Technical security | Technical Security | |
| Establish, implement, and maintain a physical security program. CC ID 11757 | Physical and environmental protection | Establish/Maintain Documentation | |
| Disallow disabling tamper detection and response mechanisms, absent authorization. CC ID 12211 [The device protects all account data upon entry (consistent with A9 for magnetic stripe data and D1 for Chip data), and there is no method of accessing the clear-text account data (using methods described in A1) without defeating the security of the device. Defeating or circumventing the security mechanism requires an attack potential of at least 16 for identification and initial exploitation, with a minimum of 8 for exploitation. K1.1 {tamper response} The device uses tamper-detection and response mechanisms that cause it to become immediately inoperable and result in the automatic and immediate erasure of any sensitive data that may be stored in the device, such that it becomes infeasible to recover the sensitive data. These mechanisms protect against physical penetration of the device by means of (but not limited to) drills, lasers, chemical solvents, opening covers, splitting the casing (seams), and using ventilation openings; and there is not any demonstrable way to disable or defeat the mechanism and insert a PIN-disclosing bug or gain access to secret information without requiring an attack potential of at least 26 per device for identification and initial exploitation, with a minimum of 13 for exploitation, exclusive of the IC card reader. A1] | Physical and environmental protection | Configuration | |
| Prevent security mechanisms from being compromised by adverse physical conditions. CC ID 12215 [The security of the device is not compromised by altering: \ - Environmental conditions\ - Operational conditions A3 The security of the device is not compromised by altering: \ - Environmental conditions\ - Operational conditions A3] | Physical and environmental protection | Configuration | |
| Protect assets from tampering or unapproved substitution. CC ID 11902 [The unauthorized alteration of prompts for non-PIN data entry into the PIN entry key pad such that PINs are compromised, i.e., by prompting for the PIN entry when the output is not encrypted, cannot occur without requiring an attack potential of at least 18 per device for identification and initial exploitation with a minimum of 9 for exploitation. A7 It is not feasible to penetrate the device to make any additions, substitutions, or modifications to the magnetic-stripe reader and associated hardware or software, in order to determine or modify magnetic-stripe track data, without requiring an attack potential of at least 16 per device, for identification and initial exploitation, with a minimum of 8 for exploitation. A9 Secure components intended for unattended devices contain an anti-removal mechanism to protect against unauthorized removal and/or unauthorized re-installation. Defeating or circumventing this mechanism must require an attack potential of at least 18 per device for identification and initial exploitation, with a minimum of 9 for exploitation. A10 The POI should be protected from unauthorized modification with tamper-evident security features, and customers shall be provided with documentation (both shipped with the product and available securely online) that provides instruction on validating the authenticity and integrity of the POI.\ Where this is not possible, the POI is shipped from the manufacturer’s facility to the initial key-loading facility or to the facility of initial deployment and stored en route under auditable controls that can account for the location of every POI at every point in time.\ Where multiple parties are involved in organizing the shipping, it is the responsibility of each party to ensure that the shipping and storage they are managing is compliant with this requirement. M1 The device is assembled in a manner that the components used in the manufacturing process are those components that were certified by the Core PIN Entry and/or POS Terminal Integration Security Requirements evaluation, and that unauthorized substitutions have not been made. L3 Subsequent to production but prior to shipment from the manufacturer’s or reseller’s facility, the device and any of its components are stored in a protected, access-controlled area or sealed within tamper-evident packaging to prevent undetected unauthorized access to the device or its components. L5 The PIN entry POI terminal is equipped with mechanisms to prevent attacks aiming at retaining and stealing the payment card (e.g., Lebanese Loop attack). E3.2 {tamper response} The device uses tamper-detection and response mechanisms that cause it to become immediately inoperable and result in the automatic and immediate erasure of any sensitive data that may be stored in the device, such that it becomes infeasible to recover the sensitive data. These mechanisms protect against physical penetration of the device by means of (but not limited to) drills, lasers, chemical solvents, opening covers, splitting the casing (seams), and using ventilation openings; and there is not any demonstrable way to disable or defeat the mechanism and insert a PIN-disclosing bug or gain access to secret information without requiring an attack potential of at least 26 per device for identification and initial exploitation, with a minimum of 13 for exploitation, exclusive of the IC card reader. A1 {tamper response} The device uses tamper-detection and response mechanisms that cause it to become immediately inoperable and result in the automatic and immediate erasure of any sensitive data that may be stored in the device, such that it becomes infeasible to recover the sensitive data. These mechanisms protect against physical penetration of the device by means of (but not limited to) drills, lasers, chemical solvents, opening covers, splitting the casing (seams), and using ventilation openings; and there is not any demonstrable way to disable or defeat the mechanism and insert a PIN-disclosing bug or gain access to secret information without requiring an attack potential of at least 26 per device for identification and initial exploitation, with a minimum of 13 for exploitation, exclusive of the IC card reader. A1 Failure of a single security mechanism does not compromise device security. Protection against a threat is based on a combination of at least two independent security mechanisms. A2] | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain a facility physical security program. CC ID 00711 | Physical and environmental protection | Establish/Maintain Documentation | |
| Protect facilities from eavesdropping. CC ID 02222 [{prevent} {facility} There is no feasible way to determine any entered and internally transmitted PIN digit by monitoring sound, electro-magnetic emissions, power consumption or any other external characteristic available for monitoring—even with the cooperation of the device operator or sales clerk—without requiring an attack potential of at least 26 for identification and initial exploitation with a minimum of 13 for exploitation. A5] | Physical and environmental protection | Physical and Environmental Protection | |
| Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 | Physical and environmental protection | Technical Security | |
| Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 | Physical and environmental protection | Establish/Maintain Documentation | |
| Hold conferences requiring sensitive information discussions in spaces that have commensurate security. CC ID 11440 | Physical and environmental protection | Physical and Environmental Protection | |
| Provide one-time meeting support for discussions involving Top Secret information. CC ID 11441 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 | Physical and environmental protection | Physical and Environmental Protection | |
| Protect distributed assets against theft. CC ID 06799 [The device is protected against unauthorized removal. Defeating or circumventing this mechanism must require an attack potential of at least 18 per device for identification and initial exploitation, with a minimum of 9 for exploitation. E4.1] | Physical and environmental protection | Physical and Environmental Protection | |
| Include Information Technology assets in the asset removal policy. CC ID 13162 | Physical and environmental protection | Establish/Maintain Documentation | |
| Specify the assets to be returned or removed in the asset removal policy. CC ID 13163 | Physical and environmental protection | Establish/Maintain Documentation | |
| Disseminate and communicate the asset removal policy to interested personnel and affected parties. CC ID 13160 | Physical and environmental protection | Communicate | |
| Establish, implement, and maintain asset removal procedures or asset decommissioning procedures. CC ID 04540 | Physical and environmental protection | Establish/Maintain Documentation | |
| Prohibit assets from being taken off-site absent prior authorization. CC ID 12027 | Physical and environmental protection | Process or Activity | |
| Control the delivery of assets through physical entry points and physical exit points. CC ID 01441 | Physical and environmental protection | Physical and Environmental Protection | |
| Control the removal of assets through physical entry points and physical exit points. CC ID 11681 | Physical and environmental protection | Physical and Environmental Protection | |
| Maintain records of all system components entering and exiting the facility. CC ID 14304 | Physical and environmental protection | Log Management | |
| Establish, implement, and maintain on-site logical controls for all distributed assets. CC ID 11682 | Physical and environmental protection | Technical Security | |
| Establish, implement, and maintain off-site logical controls for all distributed assets. CC ID 11683 | Physical and environmental protection | Technical Security | |
| Establish, implement, and maintain on-site physical controls for all distributed assets. CC ID 04820 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain off-site physical controls for all distributed assets. CC ID 04539 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain missing asset reporting procedures. CC ID 06336 | Physical and environmental protection | Establish/Maintain Documentation | |
| Employ asset location technologies in accordance with applicable laws and regulations. CC ID 10627 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain an environmental control program. CC ID 00724 [{environmental conditions} Environmental or operational conditions cannot be altered to compromise the security of the device, or cause the device to output clear-text account data.\ (An example includes subjecting the device to temperatures or operating voltages outside the stated operating ranges.) K19] | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain clean energy standards. CC ID 16285 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain environmental control procedures. CC ID 12246 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish and maintain a telecommunications equipment room, as necessary. CC ID 06708 | Physical and environmental protection | Configuration | |
| Protect power equipment and power cabling from damage or destruction. CC ID 01438 | Physical and environmental protection | Physical and Environmental Protection | |
| Install and maintain power distribution boards. CC ID 16486 | Physical and environmental protection | Systems Design, Build, and Implementation | |
| Establish, implement, and maintain a battery room, as necessary. CC ID 06706 | Physical and environmental protection | Configuration | |
| Establish and maintain a generator room, as necessary. CC ID 06704 | Physical and environmental protection | Configuration | |
| Place the Uninterruptible Power Supply in the generator room, as necessary. CC ID 11676 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain facility maintenance procedures. CC ID 00710 | Physical and environmental protection | Establish/Maintain Documentation | |
| Design the Information Technology facility with consideration given to natural disasters and man-made disasters. CC ID 00712 | Physical and environmental protection | Physical and Environmental Protection | |
| Design the Information Technology facility with a low profile. CC ID 16140 | Physical and environmental protection | Physical and Environmental Protection | |
| Prohibit signage indicating computer room location and uses. CC ID 06343 | Physical and environmental protection | Physical and Environmental Protection | |
| Require critical facilities to have adequate room for facility maintenance. CC ID 06361 | Physical and environmental protection | Physical and Environmental Protection | |
| Require critical facilities to have adequate room for evacuation. CC ID 11686 | Physical and environmental protection | Physical and Environmental Protection | |
| Build critical facilities according to applicable building codes. CC ID 06366 | Physical and environmental protection | Physical and Environmental Protection | |
| Build critical facilities with fire resistant materials. CC ID 06365 | Physical and environmental protection | Physical and Environmental Protection | |
| Build critical facilities with materials that limit electromagnetic interference. CC ID 16131 | Physical and environmental protection | Physical and Environmental Protection | |
| Build critical facilities with water-resistant materials. CC ID 11679 | Physical and environmental protection | Physical and Environmental Protection | |
| Monitor operational conditions at unmanned facilities. CC ID 06327 | Physical and environmental protection | Physical and Environmental Protection | |
| Remotely control operational conditions at unmanned facilities. CC ID 11680 | Physical and environmental protection | Technical Security | |
| Inspect and maintain the facility and supporting assets. CC ID 06345 | Physical and environmental protection | Physical and Environmental Protection | |
| Define selection criteria for facility locations. CC ID 06351 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain facility demolition procedures. CC ID 16133 | Physical and environmental protection | Establish/Maintain Documentation | |
| Establish, implement, and maintain work environment requirements. CC ID 06613 | Physical and environmental protection | Establish/Maintain Documentation | |
| Apply noise-prevention devices to organizational assets, as necessary. CC ID 16141 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain system cleanliness requirements. CC ID 06614 | Physical and environmental protection | Establish/Maintain Documentation | |
| House system components in areas where the physical damage potential is minimized. CC ID 01623 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain a fire prevention and fire suppression standard. CC ID 06695 | Physical and environmental protection | Establish/Maintain Documentation | |
| Install and maintain fire protection equipment. CC ID 00728 | Physical and environmental protection | Configuration | |
| Install and maintain fire suppression systems. CC ID 00729 | Physical and environmental protection | Configuration | |
| Install and maintain smoke detectors. CC ID 15264 | Physical and environmental protection | Physical and Environmental Protection | |
| Conduct periodic fire marshal inspections for all organizational facilities. CC ID 04888 | Physical and environmental protection | Physical and Environmental Protection | |
| Install and maintain fire-retarding divisions such as fire doors in accordance with applicable building codes. CC ID 06362 | Physical and environmental protection | Physical and Environmental Protection | |
| Conduct fire drills, as necessary. CC ID 13985 | Physical and environmental protection | Process or Activity | |
| Employ environmental protections. CC ID 12570 | Physical and environmental protection | Process or Activity | |
| Establish, implement, and maintain electromagnetic compatibility requirements for in scope assets. CC ID 16472 | Physical and environmental protection | Establish/Maintain Documentation | |
| Protect physical assets against static electricity, as necessary. CC ID 06363 | Physical and environmental protection | Physical and Environmental Protection | |
| Install and maintain emergency lighting for use in a power failure. CC ID 01440 | Physical and environmental protection | Physical and Environmental Protection | |
| Install and maintain lightning protection mechanisms in critical facilities. CC ID 06367 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain pest control systems in organizational facilities. CC ID 16139 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain a Heating Ventilation and Air Conditioning system. CC ID 00727 | Physical and environmental protection | Configuration | |
| Protect air intakes into the organizational facility. CC ID 02211 | Physical and environmental protection | Physical and Environmental Protection | |
| Install and maintain dust collection and filtering as a part of the Heating Ventilation and Air Conditioning system. CC ID 06368 | Physical and environmental protection | Configuration | |
| Install and maintain backup Heating Ventilation and Air Conditioning equipment. CC ID 06369 | Physical and environmental protection | Configuration | |
| Install and maintain a moisture control system as a part of the climate control system. CC ID 06694 | Physical and environmental protection | Configuration | |
| Install and maintain hydrogen sensors, as necessary. CC ID 06705 | Physical and environmental protection | Configuration | |
| Protect physical assets from water damage. CC ID 00730 | Physical and environmental protection | Configuration | |
| Notify interested personnel and affected parties when water is detected in the vicinity of information systems. CC ID 14252 | Physical and environmental protection | Communicate | |
| Install and maintain water detection devices. CC ID 11678 | Physical and environmental protection | Physical and Environmental Protection | |
| Establish, implement, and maintain a business continuity program. CC ID 13210 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Establish, implement, and maintain a continuity plan. CC ID 00752 | Operational and Systems Continuity | Establish/Maintain Documentation | |
| Execute fail-safe procedures when an emergency occurs. CC ID 07108 [{integrity test}{authenticity test} The device performs a self-test, which includes integrity and authenticity tests upon start-up and at least once per day to check whether the device is in a compromised state. In the event of a failure, the device and its functionality fail in a secure manner. The device must reinitialize memory at least every 24 hours. B1] | Operational and Systems Continuity | Systems Continuity | |
| Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an information security program. CC ID 00812 [The device vendor maintains guidance describing configuration management for the device.\ a) The guidance is at the disposal of internal users, and/or of application developers, system integrators and end-users of the device.\ b) The guidance covers the complete device—including firmware, payment and non-payment applications, forms, multimedia files, certificates, configuration files, configuration setting, and keys.\ c) The guidance covers the complete life cycle of the device from development, over manufacturing, up to delivery and operation.\ d) The security guidance ensures that unauthorized modification is not possible.\ e) The security guidance ensures that any modification of a PTS- approved device that impacts device security, results in a change of the device identifier. J1] | Operational management | Establish/Maintain Documentation | |
| Include physical safeguards in the information security program. CC ID 12375 | Operational management | Establish/Maintain Documentation | |
| Include technical safeguards in the information security program. CC ID 12374 | Operational management | Establish/Maintain Documentation | |
| Include administrative safeguards in the information security program. CC ID 12373 | Operational management | Establish/Maintain Documentation | |
| Include system development in the information security program. CC ID 12389 | Operational management | Establish/Maintain Documentation | |
| Include system maintenance in the information security program. CC ID 12388 | Operational management | Establish/Maintain Documentation | |
| Include system acquisition in the information security program. CC ID 12387 | Operational management | Establish/Maintain Documentation | |
| Include access control in the information security program. CC ID 12386 | Operational management | Establish/Maintain Documentation | |
| Include operations management in the information security program. CC ID 12385 | Operational management | Establish/Maintain Documentation | |
| Include communication management in the information security program. CC ID 12384 | Operational management | Establish/Maintain Documentation | |
| Include environmental security in the information security program. CC ID 12383 | Operational management | Establish/Maintain Documentation | |
| Include physical security in the information security program. CC ID 12382 | Operational management | Establish/Maintain Documentation | |
| Include human resources security in the information security program. CC ID 12381 | Operational management | Establish/Maintain Documentation | |
| Include asset management in the information security program. CC ID 12380 | Operational management | Establish/Maintain Documentation | |
| Include a continuous monitoring program in the information security program. CC ID 14323 | Operational management | Establish/Maintain Documentation | |
| Include change management procedures in the continuous monitoring plan. CC ID 16227 | Operational management | Establish/Maintain Documentation | |
| include recovery procedures in the continuous monitoring plan. CC ID 16226 | Operational management | Establish/Maintain Documentation | |
| Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Operational management | Establish/Maintain Documentation | |
| Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Operational management | Establish/Maintain Documentation | |
| Include how the information security department is organized in the information security program. CC ID 12379 | Operational management | Establish/Maintain Documentation | |
| Include risk management in the information security program. CC ID 12378 | Operational management | Establish/Maintain Documentation | |
| Include mitigating supply chain risks in the information security program. CC ID 13352 | Operational management | Establish/Maintain Documentation | |
| Provide management direction and support for the information security program. CC ID 11999 | Operational management | Process or Activity | |
| Monitor and review the effectiveness of the information security program. CC ID 12744 | Operational management | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain an information security policy. CC ID 11740 | Operational management | Establish/Maintain Documentation | |
| Align the information security policy with the organization's risk acceptance level. CC ID 13042 | Operational management | Business Processes | |
| Include business processes in the information security policy. CC ID 16326 | Operational management | Establish/Maintain Documentation | |
| Include the information security strategy in the information security policy. CC ID 16125 | Operational management | Establish/Maintain Documentation | |
| Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Operational management | Establish/Maintain Documentation | |
| Include roles and responsibilities in the information security policy. CC ID 16120 | Operational management | Establish/Maintain Documentation | |
| Include a commitment to the information security requirements in the information security policy. CC ID 13496 | Operational management | Establish/Maintain Documentation | |
| Include information security objectives in the information security policy. CC ID 13493 | Operational management | Establish/Maintain Documentation | |
| Include the use of Cloud Services in the information security policy. CC ID 13146 | Operational management | Establish/Maintain Documentation | |
| Include notification procedures in the information security policy. CC ID 16842 | Operational management | Establish/Maintain Documentation | |
| Approve the information security policy at the organization's management level or higher. CC ID 11737 | Operational management | Process or Activity | |
| Establish, implement, and maintain information security procedures. CC ID 12006 | Operational management | Business Processes | |
| Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Operational management | Communicate | |
| Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Operational management | Establish/Maintain Documentation | |
| Define thresholds for approving information security activities in the information security program. CC ID 15702 | Operational management | Process or Activity | |
| Assign ownership of the information security program to the appropriate role. CC ID 00814 | Operational management | Establish Roles | |
| Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 | Operational management | Human Resources Management | |
| Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 | Operational management | Establish/Maintain Documentation | |
| Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 | Operational management | Human Resources Management | |
| Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 | Operational management | Communicate | |
| Establish, implement, and maintain a social media governance program. CC ID 06536 | Operational management | Establish/Maintain Documentation | |
| Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Operational management | Business Processes | |
| Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Operational management | Business Processes | |
| Refrain from accepting instant messages from unknown senders. CC ID 12537 | Operational management | Behavior | |
| Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 | Operational management | Establish/Maintain Documentation | |
| Include explicit restrictions in the social media acceptable use policy. CC ID 06655 | Operational management | Establish/Maintain Documentation | |
| Include contributive content sites in the social media acceptable use policy. CC ID 06656 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain operational control procedures. CC ID 00831 | Operational management | Establish/Maintain Documentation | |
| Include assigning and approving operations in operational control procedures. CC ID 06382 | Operational management | Establish/Maintain Documentation | |
| Include startup processes in operational control procedures. CC ID 00833 | Operational management | Establish/Maintain Documentation | |
| Include change control processes in the operational control procedures. CC ID 16793 | Operational management | Establish/Maintain Documentation | |
| Establish and maintain a data processing run manual. CC ID 00832 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 [The vendor must maintain a manual that provides instructions for the operational management of the POI. This includes instructions for recording the entire life cycle of the POI security-related components and of the manner in which those components are integrated into a single POI, e.g.:\ - Data on production and personalization \ - Physical/chronological whereabouts \ - Repair and maintenance \ - Removal from operation \ - Loss or theft M8] | Operational management | Establish/Maintain Documentation | |
| Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Operational management | Process or Activity | |
| Include metrics in the standard operating procedures manual. CC ID 14988 | Operational management | Establish/Maintain Documentation | |
| Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Operational management | Establish/Maintain Documentation | |
| Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Operational management | Establish/Maintain Documentation | |
| Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Operational management | Establish/Maintain Documentation | |
| Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Operational management | Establish/Maintain Documentation | |
| Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Operational management | Establish/Maintain Documentation | |
| Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Operational management | Establish/Maintain Documentation | |
| Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Operational management | Establish/Maintain Documentation | |
| Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Operational management | Establish/Maintain Documentation | |
| Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Operational management | Establish/Maintain Documentation | |
| Include information on system performance in the standard operating procedures manual. CC ID 14965 | Operational management | Establish/Maintain Documentation | |
| Include contact details in the standard operating procedures manual. CC ID 14962 | Operational management | Establish/Maintain Documentation | |
| Include information sharing procedures in standard operating procedures. CC ID 12974 | Operational management | Records Management | |
| Establish, implement, and maintain information sharing agreements. CC ID 15645 | Operational management | Business Processes | |
| Provide support for information sharing activities. CC ID 15644 | Operational management | Process or Activity | |
| Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 | Operational management | Business Processes | |
| Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 | Operational management | Communicate | |
| Establish, implement, and maintain a job scheduling methodology. CC ID 00834 | Operational management | Establish/Maintain Documentation | |
| Establish and maintain a job schedule exceptions list. CC ID 00835 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a data processing continuity plan. CC ID 00836 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 | Operational management | Establish/Maintain Documentation | |
| Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 | Operational management | Establish/Maintain Documentation | |
| Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 | Operational management | Establish/Maintain Documentation | |
| Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Operational management | Establish/Maintain Documentation | |
| Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Operational management | Establish/Maintain Documentation | |
| Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Operational management | Establish/Maintain Documentation | |
| Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Operational management | Establish/Maintain Documentation | |
| Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Operational management | Establish/Maintain Documentation | |
| Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 | Operational management | Establish/Maintain Documentation | |
| Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Operational management | Establish/Maintain Documentation | |
| Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 | Operational management | Establish/Maintain Documentation | |
| Include asset tags in the Acceptable Use Policy. CC ID 01354 | Operational management | Establish/Maintain Documentation | |
| Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Operational management | Establish/Maintain Documentation | |
| Include asset use policies in the Acceptable Use Policy. CC ID 01355 | Operational management | Establish/Maintain Documentation | |
| Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 | Operational management | Establish/Maintain Documentation | |
| Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Operational management | Establish/Maintain Documentation | |
| Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Operational management | Technical Security | |
| Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Operational management | Establish/Maintain Documentation | |
| Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Operational management | Data and Information Management | |
| Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 | Operational management | Establish/Maintain Documentation | |
| Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 | Operational management | Establish/Maintain Documentation | |
| Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 | Operational management | Establish/Maintain Documentation | |
| Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 | Operational management | Establish/Maintain Documentation | |
| Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 | Operational management | Establish/Maintain Documentation | |
| Include a software installation policy in the Acceptable Use Policy. CC ID 06749 | Operational management | Establish/Maintain Documentation | |
| Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 | Operational management | Communicate | |
| Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 | Operational management | Establish/Maintain Documentation | |
| Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 | Operational management | Business Processes | |
| Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 | Operational management | Establish/Maintain Documentation | |
| Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an e-mail policy. CC ID 06439 | Operational management | Establish/Maintain Documentation | |
| Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Operational management | Establish/Maintain Documentation | |
| Identify the sender in all electronic messages. CC ID 13996 | Operational management | Data and Information Management | |
| Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 | Operational management | Establish/Maintain Documentation | |
| Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Operational management | Business Processes | |
| Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 [{document and maintain} The vendor documents, maintains and makes available to integrators details on how to implement the protection system against unauthorized removal. E4.2] | Operational management | Behavior | |
| Establish, implement, and maintain an Asset Management program. CC ID 06630 | Operational management | Business Processes | |
| Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 | Operational management | Establish/Maintain Documentation | |
| Apply security controls to each level of the information classification standard. CC ID 01903 | Operational management | Systems Design, Build, and Implementation | |
| Establish, implement, and maintain the systems' integrity level. CC ID 01906 [The device is able to provide the integrity of data that is sent over a network connection.\ a) Integrity is provided by a MAC as defined in ISO 16609, or by a digital signature.\ b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.\ c) Examples of appropriate algorithms and minimum key sizes are stated in Appendix D of the PCI PTS POI DTRs. I3] | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a system preventive maintenance program. CC ID 00885 [The device vendor has maintenance measures in place.\ a) The maintenance measures are documented.\ b) The maintenance measures ensure timely detection of vulnerabilities that apply to the device by periodic execution of a vulnerability assessment that includes activities such as: analysis, survey of information available in the public domain, and testing.\ c) The maintenance measures ensure timely assessment and classification of newly found vulnerabilities.\ d) The maintenance measures ensure timely creation of mitigation measures for newly found vulnerabilities that may impact device security. J2] | Operational management | Establish/Maintain Documentation | |
| Establish and maintain maintenance reports. CC ID 11749 [The device vendor has maintenance measures in place.\ a) The maintenance measures are documented.\ b) The maintenance measures ensure timely detection of vulnerabilities that apply to the device by periodic execution of a vulnerability assessment that includes activities such as: analysis, survey of information available in the public domain, and testing.\ c) The maintenance measures ensure timely assessment and classification of newly found vulnerabilities.\ d) The maintenance measures ensure timely creation of mitigation measures for newly found vulnerabilities that may impact device security. J2] | Operational management | Establish/Maintain Documentation | |
| Establish and maintain system inspection reports. CC ID 06346 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a system maintenance policy. CC ID 14032 | Operational management | Establish/Maintain Documentation | |
| Include compliance requirements in the system maintenance policy. CC ID 14217 | Operational management | Establish/Maintain Documentation | |
| Include management commitment in the system maintenance policy. CC ID 14216 | Operational management | Establish/Maintain Documentation | |
| Include roles and responsibilities in the system maintenance policy. CC ID 14215 | Operational management | Establish/Maintain Documentation | |
| Include the scope in the system maintenance policy. CC ID 14214 | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 | Operational management | Communicate | |
| Include the purpose in the system maintenance policy. CC ID 14187 | Operational management | Establish/Maintain Documentation | |
| Include coordination amongst entities in the system maintenance policy. CC ID 14181 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain system maintenance procedures. CC ID 14059 | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 | Operational management | Communicate | |
| Establish, implement, and maintain a technology refresh plan. CC ID 13061 | Operational management | Establish/Maintain Documentation | |
| Plan and conduct maintenance so that it does not interfere with scheduled operations. CC ID 06389 | Operational management | Physical and Environmental Protection | |
| Maintain contact with the device manufacturer or component manufacturer for maintenance requests. CC ID 06388 | Operational management | Behavior | |
| Use system components only when third party support is available. CC ID 10644 | Operational management | Maintenance | |
| Obtain justification for the continued use of system components when third party support is no longer available. CC ID 10645 | Operational management | Maintenance | |
| Obtain approval before removing maintenance tools from the facility. CC ID 14298 | Operational management | Business Processes | |
| Control remote maintenance according to the system's asset classification. CC ID 01433 [The update mechanism ensures security, i.e., integrity, mutual authentication, and protection against replay, by using an appropriate and declared security protocol when using a network connection. For manual updates, administrator rights must be implemented using password/PINs and/or cryptographic authentication techniques. J4] | Operational management | Technical Security | |
| Separate remote maintenance sessions from other network sessions with a logically separate communications path based upon encryption. CC ID 10614 | Operational management | Configuration | |
| Approve all remote maintenance sessions. CC ID 10615 | Operational management | Technical Security | |
| Log the performance of all remote maintenance. CC ID 13202 | Operational management | Log Management | |
| Terminate remote maintenance sessions when the remote maintenance is complete. CC ID 12083 | Operational management | Technical Security | |
| Conduct offsite maintenance in authorized facilities. CC ID 16473 | Operational management | Maintenance | |
| Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 | Operational management | Maintenance | |
| Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 | Operational management | Maintenance | |
| Respond to maintenance requests inside the organizationally established time frame. CC ID 04878 | Operational management | Behavior | |
| Establish and maintain an archive of maintenance reports in a maintenance log. CC ID 06202 | Operational management | Establish/Maintain Documentation | |
| Acquire spare parts prior to when maintenance requests are scheduled. CC ID 11833 | Operational management | Acquisition/Sale of Assets or Services | |
| Perform periodic maintenance according to organizational standards. CC ID 01435 [The device vendor has maintenance measures in place.\ a) The maintenance measures are documented.\ b) The maintenance measures ensure timely detection of vulnerabilities that apply to the device by periodic execution of a vulnerability assessment that includes activities such as: analysis, survey of information available in the public domain, and testing.\ c) The maintenance measures ensure timely assessment and classification of newly found vulnerabilities.\ d) The maintenance measures ensure timely creation of mitigation measures for newly found vulnerabilities that may impact device security. J2] | Operational management | Behavior | |
| Restart systems on a periodic basis. CC ID 16498 | Operational management | Maintenance | |
| Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 | Operational management | Maintenance | |
| Employ dedicated systems during system maintenance. CC ID 12108 | Operational management | Technical Security | |
| Isolate dedicated systems used for system maintenance from Internet access. CC ID 12114 | Operational management | Technical Security | |
| Control granting access to appropriate parties performing maintenance on organizational assets. CC ID 11873 | Operational management | Human Resources Management | |
| Identify and authenticate appropriate parties prior to granting access to maintain assets. CC ID 11874 | Operational management | Physical and Environmental Protection | |
| Post calibration limits or calibration tolerances on or near assets requiring calibration. CC ID 06204 | Operational management | Establish/Maintain Documentation | |
| Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 | Operational management | Process or Activity | |
| Establish, implement, and maintain a change control program. CC ID 00886 [Change-control procedures are in place so that any intended change to the physical or functional capabilities of the POI causes a re-certification of the device under the Physical Security Requirements or the Logical Security Requirements of this document. Immediate re-certification is not required for changes that purely rectify errors and faults in software in order to make it function as intended and do not otherwise remove, modify, or add functionality. Approval of delta submissions is contingent on evidence of the ongoing change control and vulnerability management process. L1] | Operational management | Establish/Maintain Documentation | |
| Include potential consequences of unintended changes in the change control program. CC ID 12243 | Operational management | Establish/Maintain Documentation | |
| Include version control in the change control program. CC ID 13119 | Operational management | Establish/Maintain Documentation | |
| Include service design and transition in the change control program. CC ID 13920 | Operational management | Establish/Maintain Documentation | |
| Separate the production environment from development environment or test environment for the change control process. CC ID 11864 | Operational management | Maintenance | |
| Integrate configuration management procedures into the change control program. CC ID 13646 | Operational management | Technical Security | |
| Establish, implement, and maintain a back-out plan. CC ID 13623 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373 | Operational management | Establish/Maintain Documentation | |
| Manage change requests. CC ID 00887 | Operational management | Business Processes | |
| Include documentation of the impact level of proposed changes in the change request. CC ID 11942 | Operational management | Establish/Maintain Documentation | |
| Establish and maintain a change request approver list. CC ID 06795 | Operational management | Establish/Maintain Documentation | |
| Document all change requests in change request forms. CC ID 06794 | Operational management | Establish/Maintain Documentation | |
| Approve tested change requests. CC ID 11783 | Operational management | Data and Information Management | |
| Validate the system before implementing approved changes. CC ID 01510 | Operational management | Systems Design, Build, and Implementation | |
| Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 | Operational management | Behavior | |
| Establish, implement, and maintain emergency change procedures. CC ID 00890 | Operational management | Establish/Maintain Documentation | |
| Perform emergency changes, as necessary. CC ID 12707 | Operational management | Process or Activity | |
| Back up emergency changes after the change has been performed. CC ID 12734 | Operational management | Process or Activity | |
| Log emergency changes after they have been performed. CC ID 12733 | Operational management | Establish/Maintain Documentation | |
| Perform risk assessments prior to approving change requests. CC ID 00888 | Operational management | Testing | |
| Implement changes according to the change control program. CC ID 11776 | Operational management | Business Processes | |
| Provide audit trails for all approved changes. CC ID 13120 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a patch management program. CC ID 00896 | Operational management | Process or Activity | |
| Document the sources of all software updates. CC ID 13316 | Operational management | Establish/Maintain Documentation | |
| Implement patch management software, as necessary. CC ID 12094 | Operational management | Technical Security | |
| Include updates and exceptions to hardened images as a part of the patch management program. CC ID 12087 | Operational management | Technical Security | |
| Establish, implement, and maintain a patch management policy. CC ID 16432 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain patch management procedures. CC ID 15224 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a patch log. CC ID 01642 | Operational management | Establish/Maintain Documentation | |
| Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 | Operational management | Business Processes | |
| Establish, implement, and maintain a software release policy. CC ID 00893 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain traceability documentation. CC ID 16388 | Operational management | Systems Design, Build, and Implementation | |
| Disseminate and communicate software update information to users and regulators. CC ID 06602 | Operational management | Behavior | |
| Allow interested personnel and affected parties to opt out of specific version releases and software updates. CC ID 06809 | Operational management | Data and Information Management | |
| Update associated documentation after the system configuration has been changed. CC ID 00891 | Operational management | Establish/Maintain Documentation | |
| Document the organization's local environments. CC ID 06726 [The PIN-encryption technique implemented in the device is a technique included in ISO 9564. B12 It is neither feasible to penetrate the ICC reader to make any additions, substitutions, or modifications to either the ICC reader’s hardware or software, in order to determine or modify any sensitive data, without requiring an attack potential of at least 20 for identification and initial exploitation, with a minimum of 10 for exploitation, nor is it possible for both an IC card and any other foreign object to reside within the card insertion slot. D1 If the device is capable of communicating over an IP network or uses a public domain protocol (such as but not limited to Wi-Fi or Bluetooth), then requirements specified in DTR Module 3: Open Protocols Requirements have been met. K14 The key-management techniques implemented in the device are consistent with B11. K17 Sensitive services are protected from unauthorized use consistent with B8. K23 The key-management techniques implemented in the device conform to ISO 11568 and/or ANSI X9.24. Key-management techniques must support the ANSI TR-31 key-derivation methodology or an equivalent methodology for maintaining the TDEA key bundle. B11] | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain local environment security profiles. CC ID 07037 | Operational management | Establish/Maintain Documentation | |
| Include individuals assigned to the local environment in the local environment security profile. CC ID 07038 | Operational management | Establish/Maintain Documentation | |
| Include security requirements in the local environment security profile. CC ID 15717 | Operational management | Establish/Maintain Documentation | |
| Include the business processes assigned to the local environment in the local environment security profile. CC ID 07039 | Operational management | Establish/Maintain Documentation | |
| Include the technology used in the local environment in the local environment security profile. CC ID 07040 | Operational management | Establish/Maintain Documentation | |
| Include contact information for critical personnel assigned to the local environment in the local environment security profile. CC ID 07041 | Operational management | Establish/Maintain Documentation | |
| Include facility information for the local environment in the local environment security profile. CC ID 07042 | Operational management | Establish/Maintain Documentation | |
| Include facility access information for the local environment in the local environment security profile. CC ID 11773 | Operational management | Establish/Maintain Documentation | |
| Disseminate and communicate the local environment security profile to interested personnel and affected parties. CC ID 15716 | Operational management | Communicate | |
| Update the local environment security profile, as necessary. CC ID 07043 | Operational management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a Configuration Management program. CC ID 00867 [The device vendor maintains guidance describing configuration management for the device.\ a) The guidance is at the disposal of internal users, and/or of application developers, system integrators and end-users of the device.\ b) The guidance covers the complete device—including firmware, payment and non-payment applications, forms, multimedia files, certificates, configuration files, configuration setting, and keys.\ c) The guidance covers the complete life cycle of the device from development, over manufacturing, up to delivery and operation.\ d) The security guidance ensures that unauthorized modification is not possible.\ e) The security guidance ensures that any modification of a PTS- approved device that impacts device security, results in a change of the device identifier. J1] | System hardening through configuration management | Establish/Maintain Documentation | |
| Establish, implement, and maintain configuration control and Configuration Status Accounting. CC ID 00863 | System hardening through configuration management | Business Processes | |
| Establish, implement, and maintain appropriate system labeling. CC ID 01900 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include the identification number of the third party who performed the conformity assessment procedures on all promotional materials. CC ID 15041 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include the identification number of the third party who conducted the conformity assessment procedures after the CE marking of conformity. CC ID 15040 | System hardening through configuration management | Establish/Maintain Documentation | |
| Verify configuration files requiring passwords for automation do not contain those passwords after the installation process is complete. CC ID 06555 | System hardening through configuration management | Configuration | |
| Establish, implement, and maintain a configuration management policy. CC ID 14023 | System hardening through configuration management | Establish/Maintain Documentation | |
| Establish, implement, and maintain configuration management procedures. CC ID 14074 | System hardening through configuration management | Establish/Maintain Documentation | |
| Disseminate and communicate the configuration management procedures to interested personnel and affected parties. CC ID 14139 | System hardening through configuration management | Communicate | |
| Include compliance requirements in the configuration management policy. CC ID 14072 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include coordination amongst entities in the configuration management policy. CC ID 14071 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include management commitment in the configuration management policy. CC ID 14070 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include roles and responsibilities in the configuration management policy. CC ID 14069 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include the scope in the configuration management policy. CC ID 14068 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include the purpose in the configuration management policy. CC ID 14067 | System hardening through configuration management | Establish/Maintain Documentation | |
| Disseminate and communicate the configuration management policy to interested personnel and affected parties. CC ID 14066 | System hardening through configuration management | Communicate | |
| Establish, implement, and maintain a configuration management plan. CC ID 01901 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include configuration management procedures in the configuration management plan. CC ID 14248 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include roles and responsibilities in the configuration management plan. CC ID 14247 | System hardening through configuration management | Establish/Maintain Documentation | |
| Approve the configuration management plan. CC ID 14717 | System hardening through configuration management | Business Processes | |
| Establish, implement, and maintain system tracking documentation. CC ID 15266 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include prioritization codes in the system tracking documentation. CC ID 15283 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include the type and category of the request in the system tracking documentation. CC ID 15281 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include contact information in the system tracking documentation. CC ID 15280 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include the username in the system tracking documentation. CC ID 15278 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include a problem description in the system tracking documentation. CC ID 15276 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include affected systems in the system tracking documentation. CC ID 15275 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include root causes in the system tracking documentation. CC ID 15274 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include the name of who is responsible for resolution in the system tracking documentation. CC ID 15273 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include current status in the system tracking documentation. CC ID 15272 | System hardening through configuration management | Establish/Maintain Documentation | |
| Employ the Configuration Management program. CC ID 11904 | System hardening through configuration management | Configuration | |
| Record Configuration Management items in the Configuration Management database. CC ID 00861 | System hardening through configuration management | Establish/Maintain Documentation | |
| Disseminate and communicate the configuration management program to all interested personnel and affected parties. CC ID 11946 [The device vendor maintains guidance describing configuration management for the device.\ a) The guidance is at the disposal of internal users, and/or of application developers, system integrators and end-users of the device.\ b) The guidance covers the complete device—including firmware, payment and non-payment applications, forms, multimedia files, certificates, configuration files, configuration setting, and keys.\ c) The guidance covers the complete life cycle of the device from development, over manufacturing, up to delivery and operation.\ d) The security guidance ensures that unauthorized modification is not possible.\ e) The security guidance ensures that any modification of a PTS- approved device that impacts device security, results in a change of the device identifier. J1] | System hardening through configuration management | Communicate | |
| Establish, implement, and maintain a Configuration Management Database with accessible reporting capabilities. CC ID 02132 | System hardening through configuration management | Establish/Maintain Documentation | |
| Document external connections for all systems. CC ID 06415 | System hardening through configuration management | Configuration | |
| Establish, implement, and maintain a configuration baseline based on the least functionality principle. CC ID 00862 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include the measures used to account for any differences in operation between the test environments and production environments in the baseline configuration. CC ID 13285 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include the differences between test environments and production environments in the baseline configuration. CC ID 13284 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include the applied security patches in the baseline configuration. CC ID 13271 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include the installed application software and version numbers in the baseline configuration. CC ID 13270 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include installed custom software in the baseline configuration. CC ID 13274 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include network ports in the baseline configuration. CC ID 13273 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include the operating systems and version numbers in the baseline configuration. CC ID 13269 | System hardening through configuration management | Establish/Maintain Documentation | |
| Include backup procedures in the Configuration Management policy. CC ID 01314 | System hardening through configuration management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a system hardening standard. CC ID 00876 | System hardening through configuration management | Establish/Maintain Documentation | |
| Establish, implement, and maintain configuration standards for all systems based upon industry best practices. CC ID 11953 | System hardening through configuration management | Configuration | |
| Configure security parameter settings on all system components appropriately. CC ID 12041 [The operating system of the device must contain only the software (components and services) necessary for the intended operation. The operating system must be configured securely and run with least privilege. B18 The following features of the device’s operating system must be in place:\ - The operating system of the device must contain only the software (components and services) necessary for the intended operation.\ - The operating system must be configured securely and run with least privilege.\ - The security policy enforced by the device must not allow unauthorized or unnecessary functions.\ - API functionality and commands that are not required to support specific functionality must be disabled (and where possible, removed). K21] | System hardening through configuration management | Technical Security | |
| Establish, implement, and maintain system hardening procedures. CC ID 12001 | System hardening through configuration management | Establish/Maintain Documentation | |
| Block and/or remove unnecessary software and unauthorized software. CC ID 00865 [If the device allows updates of firmware, the device cryptographically authenticates the firmware and if the authenticity is not confirmed, the firmware update is rejected and deleted. B4 The operating system of the device must contain only the software (components and services) necessary for the intended operation. The operating system must be configured securely and run with least privilege. B18 If the device allows updates of firmware, the device cryptographically authenticates the firmware and if the authenticity is not confirmed, the firmware update is rejected and deleted. K12 The following features of the device’s operating system must be in place:\ - The operating system of the device must contain only the software (components and services) necessary for the intended operation.\ - The operating system must be configured securely and run with least privilege.\ - The security policy enforced by the device must not allow unauthorized or unnecessary functions.\ - API functionality and commands that are not required to support specific functionality must be disabled (and where possible, removed). K21] | System hardening through configuration management | Configuration | |
| Establish, implement, and maintain idle session termination and logout capabilities. CC ID 01418 [The device implements session management.\ a) The device keeps track of all connections and restricts the number of sessions that can remain active on the device to the minimum necessary number.\ b) The device sets time limits for sessions and ensures that sessions are not left open for longer than necessary. I6] | System hardening through configuration management | Configuration | |
| Refrain from using assertion lifetimes to limit each session. CC ID 13871 | System hardening through configuration management | Technical Security | |
| Configure Session Configuration settings in accordance with organizational standards. CC ID 07698 | System hardening through configuration management | Configuration | |
| Invalidate unexpected session identifiers. CC ID 15307 | System hardening through configuration management | Configuration | |
| Configure the "MaxStartups" settings to organizational standards. CC ID 15329 | System hardening through configuration management | Configuration | |
| Reject session identifiers that are not valid. CC ID 15306 | System hardening through configuration management | Configuration | |
| Configure the "MaxSessions" settings to organizational standards. CC ID 15330 | System hardening through configuration management | Configuration | |
| Configure the "Interactive logon: Message title for users attempting to log on" to organizational standards. CC ID 07699 | System hardening through configuration management | Configuration | |
| Configure the "LoginGraceTime" settings to organizational standards. CC ID 15328 | System hardening through configuration management | Configuration | |
| Configure the "Network security: Force logoff when logon hours expire" to organizational standards. CC ID 07738 | System hardening through configuration management | Configuration | |
| Configure the "MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)" to organizational standards. CC ID 07758 | System hardening through configuration management | Configuration | |
| Configure the "Microsoft network server: Disconnect clients when logon hours expire" to organizational standards. CC ID 07824 | System hardening through configuration management | Configuration | |
| Configure the "Microsoft network server: Amount of idle time required before suspending session" to organizational standards. CC ID 07826 | System hardening through configuration management | Configuration | |
| Configure the "Interactive logon: Do not display last user name" to organizational standards. CC ID 07832 | System hardening through configuration management | Configuration | |
| Configure the "Interactive logon: Display user information when the session is locked" to organizational standards. CC ID 07848 | System hardening through configuration management | Configuration | |
| Configure the "Interactive logon: Message text for users attempting to log on" to organizational standards. CC ID 07870 | System hardening through configuration management | Configuration | |
| Configure the "Always prompt for password upon connection" to organizational standards. CC ID 08229 | System hardening through configuration management | Configuration | |
| Configure the "Interactive logon: Machine inactivity limit" to organizational standards. CC ID 08350 | System hardening through configuration management | Configuration | |
| Remove all unnecessary functionality. CC ID 00882 [The following features of the device’s operating system must be in place:\ - The operating system of the device must contain only the software (components and services) necessary for the intended operation.\ - The operating system must be configured securely and run with least privilege.\ - The security policy enforced by the device must not allow unauthorized or unnecessary functions.\ - API functionality and commands that are not required to support specific functionality must be disabled (and where possible, removed). K21 The following features of the device’s operating system must be in place:\ - The operating system of the device must contain only the software (components and services) necessary for the intended operation.\ - The operating system must be configured securely and run with least privilege.\ - The security policy enforced by the device must not allow unauthorized or unnecessary functions.\ - API functionality and commands that are not required to support specific functionality must be disabled (and where possible, removed). K21] | System hardening through configuration management | Configuration | |
| Document that all enabled functions support secure configurations. CC ID 11985 | System hardening through configuration management | Establish/Maintain Documentation | |
| Find and eradicate unauthorized world writable files. CC ID 01541 | System hardening through configuration management | Configuration | |
| Strip dangerous/unneeded SUID/SGID system executables. CC ID 01542 | System hardening through configuration management | Configuration | |
| Find and eradicate unauthorized SUID/SGID system executables. CC ID 01543 | System hardening through configuration management | Configuration | |
| Find and eradicate unowned files and unowned directories. CC ID 01544 | System hardening through configuration management | Configuration | |
| Disable logon prompts on serial ports. CC ID 01553 | System hardening through configuration management | Configuration | |
| Disable "nobody" access for Secure RPC. CC ID 01554 | System hardening through configuration management | Configuration | |
| Disable all unnecessary interfaces. CC ID 04826 | System hardening through configuration management | Configuration | |
| Enable or disable all unused USB ports as appropriate. CC ID 06042 | System hardening through configuration management | Configuration | |
| Disable all user-mounted removable file systems. CC ID 01536 | System hardening through configuration management | Configuration | |
| Set the Bluetooth Security Mode to the organizational standard. CC ID 00587 | System hardening through configuration management | Configuration | |
| Secure the Bluetooth headset connections. CC ID 00593 | System hardening through configuration management | Configuration | |
| Disable automatic dial-in access to computers that have installed modems. CC ID 02036 | System hardening through configuration management | Configuration | |
| Configure the "Turn off AutoPlay" setting. CC ID 01787 | System hardening through configuration management | Configuration | |
| Configure the "Devices: Restrict floppy access to locally logged on users only" setting. CC ID 01732 | System hardening through configuration management | Configuration | |
| Configure the "Devices: Restrict CD-ROM access to locally logged on users" setting. CC ID 01731 | System hardening through configuration management | Configuration | |
| Configure the "Remove CD Burning features" setting. CC ID 04379 | System hardening through configuration management | Configuration | |
| Disable Autorun. CC ID 01790 | System hardening through configuration management | Configuration | |
| Disable USB devices (aka hotplugger). CC ID 01545 | System hardening through configuration management | Configuration | |
| Enable or disable all unused auxiliary ports as appropriate. CC ID 06414 | System hardening through configuration management | Configuration | |
| Remove rhosts support unless absolutely necessary. CC ID 01555 | System hardening through configuration management | Configuration | |
| Remove weak authentication services from Pluggable Authentication Modules. CC ID 01556 | System hardening through configuration management | Configuration | |
| Remove the /etc/hosts.equiv file. CC ID 01559 | System hardening through configuration management | Configuration | |
| Create the /etc/ftpd/ftpusers file. CC ID 01560 | System hardening through configuration management | Configuration | |
| Remove the X Wrapper and enable the X Display Manager. CC ID 01564 | System hardening through configuration management | Configuration | |
| Remove empty crontab files and restrict file permissions to the file. CC ID 01571 | System hardening through configuration management | Configuration | |
| Remove all compilers and assemblers from the system. CC ID 01594 | System hardening through configuration management | Configuration | |
| Disable all unnecessary applications unless otherwise noted in a policy exception. CC ID 04827 [The following features of the device’s operating system must be in place:\ - The operating system of the device must contain only the software (components and services) necessary for the intended operation.\ - The operating system must be configured securely and run with least privilege.\ - The security policy enforced by the device must not allow unauthorized or unnecessary functions.\ - API functionality and commands that are not required to support specific functionality must be disabled (and where possible, removed). K21] | System hardening through configuration management | Configuration | |
| Restrict and control the use of privileged utility programs. CC ID 12030 | System hardening through configuration management | Technical Security | |
| Disable the storing of movies in cache in Apple's QuickTime. CC ID 04489 | System hardening through configuration management | Configuration | |
| Install and enable file sharing utilities, as necessary. CC ID 02174 | System hardening through configuration management | Configuration | |
| Disable boot services unless boot services are absolutely necessary. CC ID 01481 | System hardening through configuration management | Configuration | |
| Disable File Services for Macintosh unless File Services for Macintosh are absolutely necessary. CC ID 04279 | System hardening through configuration management | Configuration | |
| Configure the Trivial FTP Daemon service to organizational standards. CC ID 01484 | System hardening through configuration management | Configuration | |
| Disable printer daemons or the printer service unless printer daemons or the printer service is absolutely necessary. CC ID 01487 | System hardening through configuration management | Configuration | |
| Disable web server unless web server is absolutely necessary. CC ID 01490 | System hardening through configuration management | Configuration | |
| Disable portmapper unless portmapper is absolutely necessary. CC ID 01492 | System hardening through configuration management | Configuration | |
| Disable writesrv, pmd, and httpdlite unless writesrv, pmd, and httpdlite are absolutely necessary. CC ID 01498 | System hardening through configuration management | Configuration | |
| Disable hwscan hardware detection unless hwscan hardware detection is absolutely necessary. CC ID 01504 | System hardening through configuration management | Configuration | |
| Configure the “xinetd” service to organizational standards. CC ID 01509 | System hardening through configuration management | Configuration | |
| Configure the /etc/xinetd.conf file permissions as appropriate. CC ID 01568 | System hardening through configuration management | Configuration | |
| Disable inetd unless inetd is absolutely necessary. CC ID 01508 | System hardening through configuration management | Configuration | |
| Disable Network Computing System unless it is absolutely necessary. CC ID 01497 | System hardening through configuration management | Configuration | |
| Disable print server for macintosh unless print server for macintosh is absolutely necessary. CC ID 04284 | System hardening through configuration management | Configuration | |
| Disable Print Server unless Print Server is absolutely necessary. CC ID 01488 | System hardening through configuration management | Configuration | |
| Disable ruser/remote login/remote shell/rcp command, unless it is absolutely necessary. CC ID 01480 | System hardening through configuration management | Configuration | |
| Disable xfsmd unless xfsmd is absolutely necessary. CC ID 02179 | System hardening through configuration management | Configuration | |
| Disable RPC-based services unless RPC-based services are absolutely necessary. CC ID 01455 | System hardening through configuration management | Configuration | |
| Disable netfs script unless netfs script is absolutely necessary. CC ID 01495 | System hardening through configuration management | Configuration | |
| Disable Remote Procedure Calls unless Remote Procedure Calls are absolutely necessary and if enabled, set restrictions. CC ID 01456 | System hardening through configuration management | Configuration | |
| Configure the "RPC Endpoint Mapper Client Authentication" setting. CC ID 04327 | System hardening through configuration management | Configuration | |
| Disable ncpfs Script unless ncpfs Script is absolutely necessary. CC ID 01494 | System hardening through configuration management | Configuration | |
| Disable sendmail server unless sendmail server is absolutely necessary. CC ID 01511 | System hardening through configuration management | Configuration | |
| Disable postfix unless postfix is absolutely necessary. CC ID 01512 | System hardening through configuration management | Configuration | |
| Disable directory server unless directory server is absolutely necessary. CC ID 01464 | System hardening through configuration management | Configuration | |
| Disable Windows-compatibility client processes unless Windows-compatibility client processes are absolutely necessary. CC ID 01471 | System hardening through configuration management | Configuration | |
| Disable Windows-compatibility servers unless Windows-compatibility servers are absolutely necessary. CC ID 01470 | System hardening through configuration management | Configuration | |
| Configure the “Network File System” server to organizational standards CC ID 01472 | System hardening through configuration management | Configuration | |
| Configure NFS to respond or not as appropriate to NFS client requests that do not include a User ID. CC ID 05981 | System hardening through configuration management | Configuration | |
| Configure NFS with appropriate authentication methods. CC ID 05982 | System hardening through configuration management | Configuration | |
| Configure the "AUTH_DES authentication mechanism" for "NFS server" setting to organizational standards. CC ID 08971 | System hardening through configuration management | Configuration | |
| Configure the "AUTH_KERB authentication mechanism" for "NFS server" setting to organizational standards. CC ID 08972 | System hardening through configuration management | Configuration | |
| Configure the "AUTH_NONE authentication mechanism" for "NFS server" setting to organizational standards. CC ID 08973 | System hardening through configuration management | Configuration | |
| Configure the "AUTH_UNIX authentication mechanism" for "NFS server" setting to organizational standards. CC ID 08974 | System hardening through configuration management | Configuration | |
| Disable webmin processes unless the webmin process is absolutely necessary. CC ID 01501 | System hardening through configuration management | Configuration | |
| Disable automount daemon unless automount daemon is absolutely necessary. CC ID 01476 | System hardening through configuration management | Configuration | |
| Disable CDE-related daemons unless CDE-related daemons are absolutely necessary. CC ID 01474 | System hardening through configuration management | Configuration | |
| Disable finger unless finger is absolutely necessary. CC ID 01505 | System hardening through configuration management | Configuration | |
| Disable Rexec unless Rexec is absolutely necessary. CC ID 02164 | System hardening through configuration management | Configuration | |
| Disable Squid cache server unless Squid cache server is absolutely necessary. CC ID 01502 | System hardening through configuration management | Configuration | |
| Disable Kudzu hardware detection unless Kudzu hardware detection is absolutely necessary. CC ID 01503 | System hardening through configuration management | Configuration | |
| Install and enable public Instant Messaging clients as necessary. CC ID 02173 | System hardening through configuration management | Configuration | |
| Disable x font server unless x font server is absolutely necessary. CC ID 01499 | System hardening through configuration management | Configuration | |
| Validate, approve, and document all UNIX shells prior to use. CC ID 02161 | System hardening through configuration management | Establish/Maintain Documentation | |
| Disable NFS client processes unless NFS client processes are absolutely necessary. CC ID 01475 | System hardening through configuration management | Configuration | |
| Disable the use of removable storage media for systems that process restricted data or restricted information, as necessary. CC ID 06681 | System hardening through configuration management | Data and Information Management | |
| Disable removable storage media daemon unless the removable storage media daemon is absolutely necessary. CC ID 01477 | System hardening through configuration management | Configuration | |
| Disable GSS daemon unless GSS daemon is absolutely necessary. CC ID 01465 | System hardening through configuration management | Configuration | |
| Disable Computer Browser unless Computer Browser is absolutely necessary. CC ID 01814 | System hardening through configuration management | Configuration | |
| Configure the Computer Browser ResetBrowser Frames as appropriate. CC ID 05984 | System hardening through configuration management | Configuration | |
| Configure the /etc/samba/smb.conf file file permissions as appropriate. CC ID 05989 | System hardening through configuration management | Configuration | |
| Disable NetMeeting remote desktop sharing unless NetMeeting remote desktop sharing is absolutely necessary. CC ID 01821 | System hardening through configuration management | Configuration | |
| Disable web directory browsing on all web-enabled devices. CC ID 01874 | System hardening through configuration management | Configuration | |
| Disable WWW publishing services unless WWW publishing services are absolutely necessary. CC ID 01833 | System hardening through configuration management | Configuration | |
| Install and enable samba, as necessary. CC ID 02175 | System hardening through configuration management | Configuration | |
| Configure the samba hosts allow option with an appropriate set of networks. CC ID 05985 | System hardening through configuration management | Configuration | |
| Configure the samba security option option as appropriate. CC ID 05986 | System hardening through configuration management | Configuration | |
| Configure the samba encrypt passwords option as appropriate. CC ID 05987 | System hardening through configuration management | Configuration | |
| Configure the Samba 'smb passwd file' option with an appropriate password file or no password file. CC ID 05988 | System hardening through configuration management | Configuration | |
| Disable Usenet Internet news package file capabilities unless Usenet Internet news package file capabilities are absolutely necessary. CC ID 02176 | System hardening through configuration management | Configuration | |
| Disable iPlanet Web Server unless iPlanet Web Server is absolutely necessary. CC ID 02172 | System hardening through configuration management | Configuration | |
| Disable volume manager unless volume manager is absolutely necessary. CC ID 01469 | System hardening through configuration management | Configuration | |
| Disable Solaris Management Console unless Solaris Management Console is absolutely necessary. CC ID 01468 | System hardening through configuration management | Configuration | |
| Disable the Graphical User Interface unless it is absolutely necessary. CC ID 01466 | System hardening through configuration management | Configuration | |
| Disable help and support unless help and support is absolutely necessary. CC ID 04280 | System hardening through configuration management | Configuration | |
| Disable speech recognition unless speech recognition is absolutely necessary. CC ID 04491 | System hardening through configuration management | Configuration | |
| Disable or secure the NetWare QuickFinder search engine. CC ID 04453 | System hardening through configuration management | Configuration | |
| Disable messenger unless messenger is absolutely necessary. CC ID 01819 | System hardening through configuration management | Configuration | |
| Configure the "Do not allow Windows Messenger to be run" setting. CC ID 04516 | System hardening through configuration management | Configuration | |
| Configure the "Do not automatically start Windows Messenger initially" setting. CC ID 04517 | System hardening through configuration management | Configuration | |
| Configure the "Turn off the Windows Messenger Customer Experience Improvement Program" setting. CC ID 04330 | System hardening through configuration management | Configuration | |
| Disable automatic updates unless automatic updates are absolutely necessary. CC ID 01811 | System hardening through configuration management | Configuration | |
| Configure automatic update installation and shutdown/restart options and shutdown/restart procedures to organizational standards. CC ID 05979 | System hardening through configuration management | Configuration | |
| Disable Name Service Cache Daemon unless Name Service Cache Daemon is absolutely necessary. CC ID 04846 | System hardening through configuration management | Configuration | |
| Prohibit R-command files from existing for root or administrator. CC ID 16322 | System hardening through configuration management | Configuration | |
| Verify the /bin/rsh file exists or not, as appropriate. CC ID 05101 | System hardening through configuration management | Configuration | |
| Verify the /sbin/rsh file exists or not, as appropriate. CC ID 05102 | System hardening through configuration management | Configuration | |
| Verify the /usr/bin/rsh file exists or not, as appropriate. CC ID 05103 | System hardening through configuration management | Configuration | |
| Verify the /etc/ftpusers file exists or not, as appropriate. CC ID 05104 | System hardening through configuration management | Configuration | |
| Verify the /etc/rsh file exists or not, as appropriate. CC ID 05105 | System hardening through configuration management | Configuration | |
| Install or uninstall the AIDE package, as appropriate. CC ID 05106 | System hardening through configuration management | Configuration | |
| Enable the GNOME automounter (gnome-volume-manager) as necessary. CC ID 05107 | System hardening through configuration management | Configuration | |
| Install or uninstall the setroubleshoot package, as appropriate. CC ID 05108 | System hardening through configuration management | Configuration | |
| Configure Avahi properly. CC ID 05109 | System hardening through configuration management | Configuration | |
| Install or uninstall OpenNTPD, as appropriate. CC ID 05110 | System hardening through configuration management | Configuration | |
| Configure the "httpd" service to organizational standards. CC ID 05111 | System hardening through configuration management | Configuration | |
| Install or uninstall the net-smtp package properly. CC ID 05112 | System hardening through configuration management | Configuration | |
| Configure the apache web service properly. CC ID 05113 | System hardening through configuration management | Configuration | |
| Configure the vlock package properly. CC ID 05114 | System hardening through configuration management | Configuration | |
| Establish, implement, and maintain service accounts. CC ID 13861 | System hardening through configuration management | Technical Security | |
| Manage access credentials for service accounts. CC ID 13862 | System hardening through configuration management | Technical Security | |
| Configure the daemon account properly. CC ID 05115 | System hardening through configuration management | Configuration | |
| Configure the bin account properly. CC ID 05116 | System hardening through configuration management | Configuration | |
| Configure the nuucp account properly. CC ID 05117 | System hardening through configuration management | Configuration | |
| Configure the smmsp account properly. CC ID 05118 | System hardening through configuration management | Configuration | |
| Configure the listen account properly. CC ID 05119 | System hardening through configuration management | Configuration | |
| Configure the gdm account properly. CC ID 05120 | System hardening through configuration management | Configuration | |
| Configure the webservd account properly. CC ID 05121 | System hardening through configuration management | Configuration | |
| Configure the nobody account properly. CC ID 05122 | System hardening through configuration management | Configuration | |
| Configure the noaccess account properly. CC ID 05123 | System hardening through configuration management | Configuration | |
| Configure the nobody4 account properly. CC ID 05124 | System hardening through configuration management | Configuration | |
| Configure the sys account properly. CC ID 05125 | System hardening through configuration management | Configuration | |
| Configure the adm account properly. CC ID 05126 | System hardening through configuration management | Configuration | |
| Configure the lp account properly. CC ID 05127 | System hardening through configuration management | Configuration | |
| Configure the uucp account properly. CC ID 05128 | System hardening through configuration management | Configuration | |
| Install or uninstall the tftp-server package, as appropriate. CC ID 05130 | System hardening through configuration management | Configuration | |
| Enable the web console as necessary. CC ID 05131 | System hardening through configuration management | Configuration | |
| Enable rlogin auth by Pluggable Authentication Modules or pam.d properly. CC ID 05132 | System hardening through configuration management | Configuration | |
| Enable rsh auth by Pluggable Authentication Modules properly. CC ID 05133 | System hardening through configuration management | Configuration | |
| Enable the listening sendmail daemon, as appropriate. CC ID 05134 | System hardening through configuration management | Configuration | |
| Configure Squid properly. CC ID 05135 | System hardening through configuration management | Configuration | |
| Configure the "global Package signature checking" setting to organizational standards. CC ID 08735 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "Package signature checking" setting for "all configured repositories" to organizational standards. CC ID 08736 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "verify against the package database" setting for "all installed software packages" to organizational standards. CC ID 08737 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "isdn4k-utils" package to organizational standards. CC ID 08738 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "postfix" package to organizational standards. CC ID 08739 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "vsftpd" package to organizational standards. CC ID 08740 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "net-snmpd" package to organizational standards. CC ID 08741 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "rsyslog" package to organizational standards. CC ID 08742 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "ipsec-tools" package to organizational standards. CC ID 08743 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "pam_ccreds" package to organizational standards. CC ID 08744 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "talk-server" package to organizational standards. CC ID 08745 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "talk" package to organizational standards. CC ID 08746 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "irda-utils" package to organizational standards. CC ID 08747 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure the "/etc/shells" file to organizational standards. CC ID 08978 | System hardening through configuration management | Configuration | |
| Configure the LDAP package to organizational standards. CC ID 09937 | System hardening through configuration management | Configuration | |
| Configure the "FTP server" package to organizational standards. CC ID 09938 | System hardening through configuration management | Configuration | |
| Configure the "HTTP Proxy Server" package to organizational standards. CC ID 09939 | System hardening through configuration management | Configuration | |
| Configure the "prelink" package to organizational standards. CC ID 11379 | System hardening through configuration management | Configuration | |
| Configure the Network Information Service (NIS) package to organizational standards. CC ID 11380 | System hardening through configuration management | Configuration | |
| Configure the "time" setting to organizational standards. CC ID 11381 | System hardening through configuration management | Configuration | |
| Configure the "biosdevname" package to organizational standards. CC ID 11383 | System hardening through configuration management | Configuration | |
| Configure the "ufw" setting to organizational standards. CC ID 11384 | System hardening through configuration management | Configuration | |
| Configure the "Devices: Allow undock without having to log on" setting. CC ID 01728 | System hardening through configuration management | Configuration | |
| Limit the user roles that are allowed to format and eject removable storage media. CC ID 01729 | System hardening through configuration management | Configuration | |
| Prevent users from installing printer drivers. CC ID 01730 | System hardening through configuration management | Configuration | |
| Minimize the inetd.conf file and set the file to the appropriate permissions. CC ID 01506 | System hardening through configuration management | Configuration | |
| Configure the unsigned driver installation behavior. CC ID 01733 | System hardening through configuration management | Configuration | |
| Configure the unsigned non-driver installation behavior. CC ID 02038 | System hardening through configuration management | Configuration | |
| Remove all demonstration applications on the system. CC ID 01875 | System hardening through configuration management | Configuration | |
| Configure the system to disallow optional Subsystems. CC ID 04265 | System hardening through configuration management | Configuration | |
| Configure the "Remove Security tab" setting. CC ID 04380 | System hardening through configuration management | Configuration | |
| Disable all unnecessary services unless otherwise noted in a policy exception. CC ID 00880 | System hardening through configuration management | Configuration | |
| Disable rquotad unless rquotad is absolutely necessary. CC ID 01473 | System hardening through configuration management | Configuration | |
| Configure the rquotad service to use a static port or a dynamic portmapper port as appropriate. CC ID 05983 | System hardening through configuration management | Configuration | |
| Disable telnet unless telnet use is absolutely necessary. CC ID 01478 | System hardening through configuration management | Configuration | |
| Disable File Transfer Protocol unless File Transfer Protocol use is absolutely necessary. CC ID 01479 | System hardening through configuration management | Configuration | |
| Configure anonymous FTP to restrict the use of restricted data. CC ID 16314 | System hardening through configuration management | Configuration | |
| Disable anonymous access to File Transfer Protocol. CC ID 06739 | System hardening through configuration management | Configuration | |
| Disable Internet Message Access Protocol unless Internet Message Access Protocol use is absolutely necessary. CC ID 01485 | System hardening through configuration management | Configuration | |
| Disable Post Office Protocol unless its use is absolutely necessary. CC ID 01486 | System hardening through configuration management | Configuration | |
| Disable SQLServer processes unless SQLServer processes use is absolutely necessary. CC ID 01500 | System hardening through configuration management | Configuration | |
| Disable alerter unless alerter use is absolutely necessary. CC ID 01810 | System hardening through configuration management | Configuration | |
| Disable Background Intelligent Transfer Service unless Background Intelligent Transfer Service use is absolutely necessary. CC ID 01812 | System hardening through configuration management | Configuration | |
| Disable ClipBook unless ClipBook use is absolutely necessary. CC ID 01813 | System hardening through configuration management | Configuration | |
| Disable Fax Service unless Fax Service use is absolutely necessary. CC ID 01815 | System hardening through configuration management | Configuration | |
| Disable IIS admin service unless IIS admin service use is absolutely necessary. CC ID 01817 | System hardening through configuration management | Configuration | |
| Disable indexing service unless indexing service use is absolutely necessary. CC ID 01818 | System hardening through configuration management | Configuration | |
| Disable net logon unless net logon use is absolutely necessary. CC ID 01820 | System hardening through configuration management | Configuration | |
| Disable Remote Desktop Help Session Manager unless Remote Desktop Help Session Manager use is absolutely necessary. CC ID 01822 | System hardening through configuration management | Configuration | |
| Disable the "Offer Remote Assistance" setting. CC ID 04325 | System hardening through configuration management | Configuration | |
| Disable the "Solicited Remote Assistance" setting. CC ID 04326 | System hardening through configuration management | Configuration | |
| Disable Remote Registry Service unless Remote Registry Service use is absolutely necessary. CC ID 01823 | System hardening through configuration management | Configuration | |
| Disable Routing and Remote Access unless Routing and Remote Access use is necessary. CC ID 01824 | System hardening through configuration management | Configuration | |
| Disable task scheduler unless task scheduler use is absolutely necessary. CC ID 01829 | System hardening through configuration management | Configuration | |
| Disable Terminal Services unless Terminal Services use is absolutely necessary. CC ID 01831 | System hardening through configuration management | Configuration | |
| Disable Universal Plug and Play device host unless Universal Plug and Play device host use is absolutely necessary. CC ID 01832 | System hardening through configuration management | Configuration | |
| Disable File Service Protocol. CC ID 02167 | System hardening through configuration management | Configuration | |
| Disable the License Logging Service unless unless it is absolutely necessary. CC ID 04282 | System hardening through configuration management | Configuration | |
| Disable Remote Access Auto Connection Manager unless Remote Access Auto Connection Manager use is absolutely necessary. CC ID 04285 | System hardening through configuration management | Configuration | |
| Disable Remote Access Connection Manager unless Remote Access Connection Manager use is absolutely necessary. CC ID 04286 | System hardening through configuration management | Configuration | |
| Disable Remote Administration Service unless remote administration management is absolutely necessary. CC ID 04287 | System hardening through configuration management | Configuration | |
| Disable remote installation unless remote installation is absolutely necessary. CC ID 04288 | System hardening through configuration management | Configuration | |
| Disable Remote Server Manager unless Remote Server Manager is absolutely necessary. CC ID 04289 | System hardening through configuration management | Configuration | |
| Disable Remote Server Monitor unless Remote Server Monitor use is absolutely necessary. CC ID 04290 | System hardening through configuration management | Configuration | |
| Disable Remote Storage Notification unless Remote Storage Notification use is absolutely necessary. CC ID 04291 | System hardening through configuration management | Configuration | |
| Disable Remote Storage Server unless Remote Storage Server use is absolutely necessary. CC ID 04292 | System hardening through configuration management | Configuration | |
| Disable telephony services unless telephony services use is absolutely necessary. CC ID 04293 | System hardening through configuration management | Configuration | |
| Disable Wireless Zero Configuration service unless Wireless Zero Configuration service use is absolutely necessary. CC ID 04294 | System hardening through configuration management | Configuration | |
| Disable SSDP/UPnp unless SSDP/UPnP is absolutely necessary. CC ID 04315 | System hardening through configuration management | Configuration | |
| Configure the "ntpd service" setting to organizational standards. CC ID 04911 | System hardening through configuration management | Configuration | |
| Configure the "echo service" setting to organizational standards. CC ID 04912 | System hardening through configuration management | Configuration | |
| Configure the "echo-dgram service" setting to organizational standards. CC ID 09927 | System hardening through configuration management | Configuration | |
| Configure the "echo-stream service" setting to organizational standards. CC ID 09928 | System hardening through configuration management | Configuration | |
| Configure the "AllowTcpForwarding" to organizational standards. CC ID 15327 | System hardening through configuration management | Configuration | |
| Configure the "tcpmux-server" setting to organizational standards. CC ID 09929 | System hardening through configuration management | Configuration | |
| Configure the "netstat service" setting to organizational standards. CC ID 04913 | System hardening through configuration management | Configuration | |
| Configure the "character generator protocol (chargen)" setting to organizational standards. CC ID 04914 | System hardening through configuration management | Configuration | |
| Configure the "tftpd service" setting to organizational standards. CC ID 04915 | System hardening through configuration management | Configuration | |
| Configure the "walld service" setting to organizational standards. CC ID 04916 | System hardening through configuration management | Configuration | |
| Configure the "rstatd service" setting to organizational standards. CC ID 04917 | System hardening through configuration management | Configuration | |
| Configure the "sprayd service" setting to organizational standards. CC ID 04918 | System hardening through configuration management | Configuration | |
| Configure the "rusersd service" setting to organizational standards. CC ID 04919 | System hardening through configuration management | Configuration | |
| Configure the "inn service" setting to organizational standards. CC ID 04920 | System hardening through configuration management | Configuration | |
| Configure the "font service" setting to organizational standards. CC ID 04921 | System hardening through configuration management | Configuration | |
| Configure the "ident service" setting to organizational standards. CC ID 04922 | System hardening through configuration management | Configuration | |
| Configure the "rexd service" setting to organizational standards. CC ID 04923 | System hardening through configuration management | Configuration | |
| Configure the "daytime service" setting to organizational standards. CC ID 04924 | System hardening through configuration management | Configuration | |
| Configure the "dtspc (cde-spc) service" setting to organizational standards. CC ID 04925 | System hardening through configuration management | Configuration | |
| Configure the "cmsd service" setting to organizational standards. CC ID 04926 | System hardening through configuration management | Configuration | |
| Configure the "ToolTalk service" setting to organizational standards. CC ID 04927 | System hardening through configuration management | Configuration | |
| Configure the "discard service" setting to organizational standards. CC ID 04928 | System hardening through configuration management | Configuration | |
| Configure the "vino-server service" setting to organizational standards. CC ID 04929 | System hardening through configuration management | Configuration | |
| Configure the "bind service" setting to organizational standards. CC ID 04930 | System hardening through configuration management | Configuration | |
| Configure the "nfsd service" setting to organizational standards. CC ID 04931 | System hardening through configuration management | Configuration | |
| Configure the "mountd service" setting to organizational standards. CC ID 04932 | System hardening through configuration management | Configuration | |
| Configure the "statd service" setting to organizational standards. CC ID 04933 | System hardening through configuration management | Configuration | |
| Configure the "lockd service" setting to organizational standards. CC ID 04934 | System hardening through configuration management | Configuration | |
| Configure the lockd service to use a static port or a dynamic portmapper port for User Datagram Protocol as appropriate. CC ID 05980 | System hardening through configuration management | Configuration | |
| Configure the "decode sendmail alias" setting to organizational standards. CC ID 04935 | System hardening through configuration management | Configuration | |
| Configure the sendmail vrfy command, as appropriate. CC ID 04936 | System hardening through configuration management | Configuration | |
| Configure the sendmail expn command, as appropriate. CC ID 04937 | System hardening through configuration management | Configuration | |
| Configure .netrc with an appropriate set of services. CC ID 04938 | System hardening through configuration management | Configuration | |
| Enable NFS insecure locks as necessary. CC ID 04939 | System hardening through configuration management | Configuration | |
| Configure the "X server ac" setting to organizational standards. CC ID 04940 | System hardening through configuration management | Configuration | |
| Configure the "X server core" setting to organizational standards. CC ID 04941 | System hardening through configuration management | Configuration | |
| Enable or disable the setroubleshoot service, as appropriate. CC ID 05540 | System hardening through configuration management | Configuration | |
| Configure the "X server nolock" setting to organizational standards. CC ID 04942 | System hardening through configuration management | Configuration | |
| Enable or disable the mcstrans service, as appropriate. CC ID 05541 | System hardening through configuration management | Configuration | |
| Configure the "PAM console" setting to organizational standards. CC ID 04943 | System hardening through configuration management | Configuration | |
| Enable or disable the restorecond service, as appropriate. CC ID 05542 | System hardening through configuration management | Configuration | |
| Enable the rhnsd service as necessary. CC ID 04944 | System hardening through configuration management | Configuration | |
| Enable the yum-updatesd service as necessary. CC ID 04945 | System hardening through configuration management | Configuration | |
| Enable the autofs service as necessary. CC ID 04946 | System hardening through configuration management | Configuration | |
| Enable the ip6tables service as necessary. CC ID 04947 | System hardening through configuration management | Configuration | |
| Configure syslog to organizational standards. CC ID 04949 | System hardening through configuration management | Configuration | |
| Enable the auditd service as necessary. CC ID 04950 | System hardening through configuration management | Configuration | |
| Enable the logwatch service as necessary. CC ID 04951 | System hardening through configuration management | Configuration | |
| Enable the logrotate (syslog rotator) service as necessary. CC ID 04952 | System hardening through configuration management | Configuration | |
| Install or uninstall the telnet server package, only if absolutely necessary. CC ID 04953 | System hardening through configuration management | Configuration | |
| Enable the ypbind service as necessary. CC ID 04954 | System hardening through configuration management | Configuration | |
| Enable the ypserv service as necessary. CC ID 04955 | System hardening through configuration management | Configuration | |
| Enable the firstboot service as necessary. CC ID 04956 | System hardening through configuration management | Configuration | |
| Enable the gpm service as necessary. CC ID 04957 | System hardening through configuration management | Configuration | |
| Enable the irqbalance service as necessary. CC ID 04958 | System hardening through configuration management | Configuration | |
| Enable the isdn service as necessary. CC ID 04959 | System hardening through configuration management | Configuration | |
| Enable the kdump service as necessary. CC ID 04960 | System hardening through configuration management | Configuration | |
| Enable the mdmonitor service as necessary. CC ID 04961 | System hardening through configuration management | Configuration | |
| Enable the microcode_ctl service as necessary. CC ID 04962 | System hardening through configuration management | Configuration | |
| Enable the pcscd service as necessary. CC ID 04963 | System hardening through configuration management | Configuration | |
| Enable the smartd service as necessary. CC ID 04964 | System hardening through configuration management | Configuration | |
| Enable the readahead_early service as necessary. CC ID 04965 | System hardening through configuration management | Configuration | |
| Enable the readahead_later service as necessary. CC ID 04966 | System hardening through configuration management | Configuration | |
| Enable the messagebus service as necessary. CC ID 04967 | System hardening through configuration management | Configuration | |
| Enable the haldaemon service as necessary. CC ID 04968 | System hardening through configuration management | Configuration | |
| Enable the apmd service as necessary. CC ID 04969 | System hardening through configuration management | Configuration | |
| Enable the acpid service as necessary. CC ID 04970 | System hardening through configuration management | Configuration | |
| Enable the cpuspeed service as necessary. CC ID 04971 | System hardening through configuration management | Configuration | |
| Enable the network service as necessary. CC ID 04972 | System hardening through configuration management | Configuration | |
| Enable the hidd service as necessary. CC ID 04973 | System hardening through configuration management | Configuration | |
| Enable the crond service as necessary. CC ID 04974 | System hardening through configuration management | Configuration | |
| Install and enable the anacron service as necessary. CC ID 04975 | System hardening through configuration management | Configuration | |
| Enable the xfs service as necessary. CC ID 04976 | System hardening through configuration management | Configuration | |
| Install and enable the Avahi daemon service, as necessary. CC ID 04977 | System hardening through configuration management | Configuration | |
| Enable the CUPS service, as necessary. CC ID 04978 | System hardening through configuration management | Configuration | |
| Enable the hplip service as necessary. CC ID 04979 | System hardening through configuration management | Configuration | |
| Enable the dhcpd service as necessary. CC ID 04980 | System hardening through configuration management | Configuration | |
| Enable the nfslock service as necessary. CC ID 04981 | System hardening through configuration management | Configuration | |
| Enable the rpcgssd service as necessary. CC ID 04982 | System hardening through configuration management | Configuration | |
| Enable the rpcidmapd service as necessary. CC ID 04983 | System hardening through configuration management | Configuration | |
| Enable the rpcsvcgssd service as necessary. CC ID 04985 | System hardening through configuration management | Configuration | |
| Configure root squashing for all NFS shares, as appropriate. CC ID 04986 | System hardening through configuration management | Configuration | |
| Configure write access to NFS shares, as appropriate. CC ID 04987 | System hardening through configuration management | Configuration | |
| Configure the named service, as appropriate. CC ID 04988 | System hardening through configuration management | Configuration | |
| Configure the vsftpd service, as appropriate. CC ID 04989 | System hardening through configuration management | Configuration | |
| Configure the “dovecot” service to organizational standards. CC ID 04990 | System hardening through configuration management | Configuration | |
| Configure Server Message Block (SMB) to organizational standards. CC ID 04991 | System hardening through configuration management | Configuration | |
| Enable the snmpd service as necessary. CC ID 04992 | System hardening through configuration management | Configuration | |
| Enable the calendar manager as necessary. CC ID 04993 | System hardening through configuration management | Configuration | |
| Enable the GNOME logon service as necessary. CC ID 04994 | System hardening through configuration management | Configuration | |
| Enable the WBEM services as necessary. CC ID 04995 | System hardening through configuration management | Configuration | |
| Enable the keyserv service as necessary. CC ID 04996 | System hardening through configuration management | Configuration | |
| Enable the Generic Security Service daemon as necessary. CC ID 04997 | System hardening through configuration management | Configuration | |
| Enable the volfs service as necessary. CC ID 04998 | System hardening through configuration management | Configuration | |
| Enable the smserver service as necessary. CC ID 04999 | System hardening through configuration management | Configuration | |
| Enable the mpxio-upgrade service as necessary. CC ID 05000 | System hardening through configuration management | Configuration | |
| Enable the metainit service as necessary. CC ID 05001 | System hardening through configuration management | Configuration | |
| Enable the meta service as necessary. CC ID 05003 | System hardening through configuration management | Configuration | |
| Enable the metaed service as necessary. CC ID 05004 | System hardening through configuration management | Configuration | |
| Enable the metamh service as necessary. CC ID 05005 | System hardening through configuration management | Configuration | |
| Enable the Local RPC Port Mapping Service as necessary. CC ID 05006 | System hardening through configuration management | Configuration | |
| Enable the Kerberos kadmind service as necessary. CC ID 05007 | System hardening through configuration management | Configuration | |
| Enable the Kerberos krb5kdc service as necessary. CC ID 05008 | System hardening through configuration management | Configuration | |
| Enable the Kerberos kpropd service as necessary. CC ID 05009 | System hardening through configuration management | Configuration | |
| Enable the Kerberos ktkt_warnd service as necessary. CC ID 05010 | System hardening through configuration management | Configuration | |
| Enable the sadmin service as necessary. CC ID 05011 | System hardening through configuration management | Configuration | |
| Enable the IPP listener as necessary. CC ID 05012 | System hardening through configuration management | Configuration | |
| Enable the serial port listener as necessary. CC ID 05013 | System hardening through configuration management | Configuration | |
| Enable the Smart Card Helper service as necessary. CC ID 05014 | System hardening through configuration management | Configuration | |
| Enable the Application Management service as necessary. CC ID 05015 | System hardening through configuration management | Configuration | |
| Enable the Resultant Set of Policy (RSoP) Provider service as necessary. CC ID 05016 | System hardening through configuration management | Configuration | |
| Enable the Network News Transport Protocol service as necessary. CC ID 05017 | System hardening through configuration management | Configuration | |
| Enable the network Dynamic Data Exchange service as necessary. CC ID 05018 | System hardening through configuration management | Configuration | |
| Enable the Distributed Link Tracking Server service as necessary. CC ID 05019 | System hardening through configuration management | Configuration | |
| Enable the RARP service as necessary. CC ID 05020 | System hardening through configuration management | Configuration | |
| Configure the ".NET Framework service" setting to organizational standards. CC ID 05021 | System hardening through configuration management | Configuration | |
| Enable the Network DDE Share Database Manager service as necessary. CC ID 05022 | System hardening through configuration management | Configuration | |
| Enable the Certificate Services service as necessary. CC ID 05023 | System hardening through configuration management | Configuration | |
| Configure the ATI hotkey poller service properly. CC ID 05024 | System hardening through configuration management | Configuration | |
| Configure the Interix Subsystem Startup service properly. CC ID 05025 | System hardening through configuration management | Configuration | |
| Configure the Cluster Service service properly. CC ID 05026 | System hardening through configuration management | Configuration | |
| Configure the IAS Jet Database Access service properly. CC ID 05027 | System hardening through configuration management | Configuration | |
| Configure the IAS service properly. CC ID 05028 | System hardening through configuration management | Configuration | |
| Configure the IP Version 6 Helper service properly. CC ID 05029 | System hardening through configuration management | Configuration | |
| Configure "Message Queuing service" to organizational standards. CC ID 05030 | System hardening through configuration management | Configuration | |
| Configure the Message Queuing Down Level Clients service properly. CC ID 05031 | System hardening through configuration management | Configuration | |
| Configure the Windows Management Instrumentation Driver Extensions service properly. CC ID 05033 | System hardening through configuration management | Configuration | |
| Configure the TCP/IP NetBIOS Helper Service properly. CC ID 05034 | System hardening through configuration management | Configuration | |
| Configure the Utility Manager service properly. CC ID 05035 | System hardening through configuration management | Configuration | |
| Configure the secondary logon service properly. CC ID 05036 | System hardening through configuration management | Configuration | |
| Configure the Windows Management Instrumentation service properly. CC ID 05037 | System hardening through configuration management | Configuration | |
| Configure the Workstation service properly. CC ID 05038 | System hardening through configuration management | Configuration | |
| Configure the Windows Installer service properly. CC ID 05039 | System hardening through configuration management | Configuration | |
| Configure the Windows System Resource Manager service properly. CC ID 05040 | System hardening through configuration management | Configuration | |
| Configure the WinHTTP Web Proxy Auto-Discovery Service properly. CC ID 05041 | System hardening through configuration management | Configuration | |
| Configure the Services for Unix Client for NFS service properly. CC ID 05042 | System hardening through configuration management | Configuration | |
| Configure the Services for Unix Server for PCNFS service properly. CC ID 05043 | System hardening through configuration management | Configuration | |
| Configure the Services for Unix Perl Socket service properly. CC ID 05044 | System hardening through configuration management | Configuration | |
| Configure the Services for Unix User Name Mapping service properly. CC ID 05045 | System hardening through configuration management | Configuration | |
| Configure the Services for Unix Windows Cron service properly. CC ID 05046 | System hardening through configuration management | Configuration | |
| Configure the Windows Media Services service properly. CC ID 05047 | System hardening through configuration management | Configuration | |
| Configure the Services for Netware Service Advertising Protocol (SAP) Agent properly. CC ID 05048 | System hardening through configuration management | Configuration | |
| Configure the Web Element Manager service properly. CC ID 05049 | System hardening through configuration management | Configuration | |
| Configure the Remote Installation Services Single Instance Storage (SIS) Groveler service properly. CC ID 05050 | System hardening through configuration management | Configuration | |
| Configure the Terminal Services Licensing service properly. CC ID 05051 | System hardening through configuration management | Configuration | |
| Configure the COM+ Event System service properly. CC ID 05052 | System hardening through configuration management | Configuration | |
| Configure the Event Log service properly. CC ID 05053 | System hardening through configuration management | Configuration | |
| Configure the Infrared Monitor service properly. CC ID 05054 | System hardening through configuration management | Configuration | |
| Configure the Services for Unix Server for NFS service properly. CC ID 05055 | System hardening through configuration management | Configuration | |
| Configure the System Event Notification Service properly. CC ID 05056 | System hardening through configuration management | Configuration | |
| Configure the NTLM Security Support Provider service properly. CC ID 05057 | System hardening through configuration management | Configuration | |
| Configure the Performance Logs and Alerts service properly. CC ID 05058 | System hardening through configuration management | Configuration | |
| Configure the Protected Storage service properly. CC ID 05059 | System hardening through configuration management | Configuration | |
| Configure the QoS Admission Control (RSVP) service properly. CC ID 05060 | System hardening through configuration management | Configuration | |
| Configure the Remote Procedure Call service properly. CC ID 05061 | System hardening through configuration management | Configuration | |
| Configure the Removable Storage service properly. CC ID 05062 | System hardening through configuration management | Configuration | |
| Configure the Server service properly. CC ID 05063 | System hardening through configuration management | Configuration | |
| Configure the Security Accounts Manager service properly. CC ID 05064 | System hardening through configuration management | Configuration | |
| Configure the “Network Connections” service to organizational standards. CC ID 05065 | System hardening through configuration management | Configuration | |
| Configure the Logical Disk Manager service properly. CC ID 05066 | System hardening through configuration management | Configuration | |
| Configure the Logical Disk Manager Administrative Service properly. CC ID 05067 | System hardening through configuration management | Configuration | |
| Configure the File Replication service properly. CC ID 05068 | System hardening through configuration management | Configuration | |
| Configure the Kerberos Key Distribution Center service properly. CC ID 05069 | System hardening through configuration management | Configuration | |
| Configure the Intersite Messaging service properly. CC ID 05070 | System hardening through configuration management | Configuration | |
| Configure the Remote Procedure Call locator service properly. CC ID 05071 | System hardening through configuration management | Configuration | |
| Configure the Distributed File System service properly. CC ID 05072 | System hardening through configuration management | Configuration | |
| Configure the Windows Internet Name Service service properly. CC ID 05073 | System hardening through configuration management | Configuration | |
| Configure the FTP Publishing Service properly. CC ID 05074 | System hardening through configuration management | Configuration | |
| Configure the Windows Search service properly. CC ID 05075 | System hardening through configuration management | Configuration | |
| Configure the Microsoft Peer-to-Peer Networking Services service properly. CC ID 05076 | System hardening through configuration management | Configuration | |
| Configure the Remote Shell service properly. CC ID 05077 | System hardening through configuration management | Configuration | |
| Configure Simple TCP/IP services to organizational standards. CC ID 05078 | System hardening through configuration management | Configuration | |
| Configure the Print Services for Unix service properly. CC ID 05079 | System hardening through configuration management | Configuration | |
| Configure the File Shares service to organizational standards. CC ID 05080 | System hardening through configuration management | Configuration | |
| Configure the NetMeeting service properly. CC ID 05081 | System hardening through configuration management | Configuration | |
| Configure the Application Layer Gateway service properly. CC ID 05082 | System hardening through configuration management | Configuration | |
| Configure the Cryptographic Services service properly. CC ID 05083 | System hardening through configuration management | Configuration | |
| Configure the Help and Support Service properly. CC ID 05084 | System hardening through configuration management | Configuration | |
| Configure the Human Interface Device Access service properly. CC ID 05085 | System hardening through configuration management | Configuration | |
| Configure the IMAPI CD-Burning COM service properly. CC ID 05086 | System hardening through configuration management | Configuration | |
| Configure the MS Software Shadow Copy Provider service properly. CC ID 05087 | System hardening through configuration management | Configuration | |
| Configure the Network Location Awareness service properly. CC ID 05088 | System hardening through configuration management | Configuration | |
| Configure the Portable Media Serial Number Service service properly. CC ID 05089 | System hardening through configuration management | Configuration | |
| Configure the System Restore Service service properly. CC ID 05090 | System hardening through configuration management | Configuration | |
| Configure the Themes service properly. CC ID 05091 | System hardening through configuration management | Configuration | |
| Configure the Uninterruptible Power Supply service properly. CC ID 05092 | System hardening through configuration management | Configuration | |
| Configure the Upload Manager service properly. CC ID 05093 | System hardening through configuration management | Configuration | |
| Configure the Volume Shadow Copy Service properly. CC ID 05094 | System hardening through configuration management | Configuration | |
| Configure the WebClient service properly. CC ID 05095 | System hardening through configuration management | Configuration | |
| Configure the Windows Audio service properly. CC ID 05096 | System hardening through configuration management | Configuration | |
| Configure the Windows Image Acquisition service properly. CC ID 05097 | System hardening through configuration management | Configuration | |
| Configure the WMI Performance Adapter service properly. CC ID 05098 | System hardening through configuration management | Configuration | |
| Enable file uploads via vsftpd service, as appropriate. CC ID 05100 | System hardening through configuration management | Configuration | |
| Disable or remove sadmind unless use of sadmind is absolutely necessary. CC ID 06885 | System hardening through configuration management | Configuration | |
| Configure the "SNMP version 1" setting to organizational standards. CC ID 08976 | System hardening through configuration management | Configuration | |
| Configure the "xdmcp service" setting to organizational standards. CC ID 08985 | System hardening through configuration management | Configuration | |
| Disable the automatic display of remote images in HTML-formatted e-mail. CC ID 04494 | System hardening through configuration management | Configuration | |
| Disable Remote Apply Events unless Remote Apply Events are absolutely necessary. CC ID 04495 | System hardening through configuration management | Configuration | |
| Disable Xgrid unless Xgrid is absolutely necessary. CC ID 04496 | System hardening through configuration management | Configuration | |
| Configure the "Do Not Show First Use Dialog Boxes" setting for Windows Media Player properly. CC ID 05136 | System hardening through configuration management | Configuration | |
| Disable Core dumps unless absolutely necessary. CC ID 01507 | System hardening through configuration management | Configuration | |
| Set hard core dump size limits, as appropriate. CC ID 05990 | System hardening through configuration management | Configuration | |
| Configure the "Prevent Desktop Shortcut Creation" setting for Windows Media Player properly. CC ID 05137 | System hardening through configuration management | Configuration | |
| Set the Squid EUID and Squid GUID to an appropriate user and group. CC ID 05138 | System hardening through configuration management | Configuration | |
| Verify groups referenced in /etc/passwd are included in /etc/group, as appropriate. CC ID 05139 | System hardening through configuration management | Configuration | |
| Use of the cron.allow file should be enabled or disabled as appropriate. CC ID 06014 | System hardening through configuration management | Configuration | |
| Use of the at.allow file should be enabled or disabled as appropriate. CC ID 06015 | System hardening through configuration management | Configuration | |
| Enable or disable the Dynamic DNS feature of the DHCP Server as appropriate. CC ID 06039 | System hardening through configuration management | Configuration | |
| Enable or disable each user's Screen saver software, as necessary. CC ID 06050 | System hardening through configuration management | Configuration | |
| Disable any unnecessary scripting languages, as necessary. CC ID 12137 | System hardening through configuration management | Configuration | |
| Establish, implement, and maintain authenticators. CC ID 15305 | System hardening through configuration management | Technical Security | |
| Establish, implement, and maintain an authenticator standard. CC ID 01702 | System hardening through configuration management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an authenticator management system. CC ID 12031 | System hardening through configuration management | Establish/Maintain Documentation | |
| Establish, implement, and maintain authenticator procedures. CC ID 12002 | System hardening through configuration management | Establish/Maintain Documentation | |
| Configure authenticators to comply with organizational standards. CC ID 06412 | System hardening through configuration management | Configuration | |
| Configure the system to mask authenticators. CC ID 02037 [The device never displays the entered PIN digits. Any array related to PIN entry displays only non-significant symbols, e.g., asterisks. B5] | System hardening through configuration management | Configuration | |
| Configure the system security parameters to prevent system misuse or information misappropriation. CC ID 00881 | System hardening through configuration management | Configuration | |
| Configure the system to a default secure level. CC ID 01519 [The device has guidance that describes the default configuration for each protocol and services for each interface that is available on the device. Each interface and protocol on the device should default to secure settings. If the interface has the ability to be configurable to non-secure settings, vendor guidance should strongly recommend against configuring to non-secure settings. H2] | System hardening through configuration management | Configuration | |
| Establish, implement, and maintain a Configuration Baseline Documentation Record. CC ID 02130 [The device has guidance that describes the default configuration for each protocol and services for each interface that is available on the device. Each interface and protocol on the device should default to secure settings. If the interface has the ability to be configurable to non-secure settings, vendor guidance should strongly recommend against configuring to non-secure settings. H2] | System hardening through configuration management | Establish/Maintain Documentation | |
| Document and approve any changes to the Configuration Baseline Documentation Record. CC ID 12104 | System hardening through configuration management | Establish/Maintain Documentation | |
| Create a hardened image of the baseline configuration to be used for building new systems. CC ID 07063 | System hardening through configuration management | Configuration | |
| Store master images on securely configured servers. CC ID 12089 | System hardening through configuration management | Technical Security | |
| Establish, implement, and maintain a System Development Life Cycle program. CC ID 11823 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include information security throughout the system development life cycle. CC ID 12042 [Security measures are taken during the development and maintenance of POI security-related components. The manufacturer must maintain development-security documentation describing all the physical, procedural, personnel, and other security measures that are necessary to protect the integrity of the design and implementation of the POI security-related components in their development environment. The development-security documentation shall provide evidence that these security measures are followed during the development and maintenance of the POI security-related components. The evidence shall justify that the security measures provide the necessary level of protection to maintain the integrity of the POI security-related components. L7] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Protect confidential information during the system development life cycle program. CC ID 13479 | Systems design, build, and implementation | Data and Information Management | |
| Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Develop systems in accordance with the system design specifications and system design standards. CC ID 01094 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Protect stored manufacturing components prior to assembly. CC ID 12248 [The certified firmware is protected and stored in such a manner as to preclude unauthorized modification during its entire manufacturing life cycle—e.g., by using dual control or standardized cryptographic authentication procedures. L2] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Store manufacturing components in a controlled access area. CC ID 12256 [Subsequent to production but prior to shipment from the manufacturer’s or reseller’s facility, the device and any of its components are stored in a protected, access-controlled area or sealed within tamper-evident packaging to prevent undetected unauthorized access to the device or its components. L5] | Systems design, build, and implementation | Physical and Environmental Protection | |
| Develop new products based on best practices. CC ID 01095 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Establish, implement, and maintain a system design specification. CC ID 04557 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include security requirements in the system design specification. CC ID 06826 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Implement security controls when developing systems. CC ID 06270 [Security measures are taken during the development and maintenance of POI security-related components. The manufacturer must maintain development-security documentation describing all the physical, procedural, personnel, and other security measures that are necessary to protect the integrity of the design and implementation of the POI security-related components in their development environment. The development-security documentation shall provide evidence that these security measures are followed during the development and maintenance of the POI security-related components. The evidence shall justify that the security measures provide the necessary level of protection to maintain the integrity of the POI security-related components. L7] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include restricted data encryption and restricted information encryption in the security controls. CC ID 01083 | Systems design, build, and implementation | Technical Security | |
| Analyze and minimize attack surfaces when developing systems. CC ID 06828 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Require successful authentication before granting access to system functionality via network interfaces. CC ID 14926 | Systems design, build, and implementation | Technical Security | |
| Implement a hardware security module, as necessary. CC ID 12222 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Require dual authentication when switching out of PCI mode in the hardware security module. CC ID 12274 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include an indicator to designate when the hardware security module is in PCI mode. CC ID 12273 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Design the random number generator to generate random numbers that are unpredictable. CC ID 12255 [If random numbers are generated by the device in connection with security over sensitive data, the random number generator has been assessed to ensure it is generating numbers sufficiently unpredictable. B9] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Design the hardware security module to enforce the separation between applications. CC ID 12254 [If the device supports multiple applications, it must enforce the separation between applications. It must not be possible that one application interferes with or tampers with another application or the OS of the device including, but not limited to, modifying data objects belonging to another application or the OS. B17 If the device supports multiple applications, it must enforce the separation between applications consistent with B17. K20] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Protect sensitive data when transiting sensitive services in the hardware security module. CC ID 12253 [Access to sensitive services requires authentication. Sensitive services provide access to the underlying sensitive functions. Sensitive functions are those functions that process sensitive data such as cryptographic keys, PINs, and passwords. Entering or exiting sensitive services shall not reveal or otherwise affect sensitive data. B7] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Design the hardware security module to automatically clear its internal buffers of sensitive information prior to reuse of the buffer. CC ID 12233 [Sensitive data shall not be retained any longer, or used more often, than strictly necessary. Online PINs are encrypted within the device immediately after PIN entry is complete and has been signified as such by the cardholder, e.g., via pressing the enter button.\ The device must automatically clear its internal buffers when either:\ - The transaction is completed, or\ - The device has timed out waiting for the response from the cardholder or merchant. B6] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Design the hardware security module to automatically clear its internal buffers of sensitive information after it recovers from an error condition. CC ID 12252 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Design the hardware security module to automatically clear its internal buffers of sensitive information when it has timed out. CC ID 12251 [Sensitive data shall not be retained any longer, or used more often, than strictly necessary. Online PINs are encrypted within the device immediately after PIN entry is complete and has been signified as such by the cardholder, e.g., via pressing the enter button.\ The device must automatically clear its internal buffers when either:\ - The transaction is completed, or\ - The device has timed out waiting for the response from the cardholder or merchant. B6] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Design the hardware security module to erase sensitive data when compromised. CC ID 12275 [{physical alteration} While in transit from the manufacturer’s facility to the initial key-loading facility, the device is:\ - Shipped and stored in tamper-evident packaging; and/or\ - Shipped and stored containing a secret that is immediately and automatically erased if any physical or functional alteration to the device is attempted, that can be verified by the initial key-loading facility, but that cannot feasibly be determined by unauthorized personnel. M3] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Restrict key-usage information for cryptographic keys in the hardware security module. CC ID 12232 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Prevent cryptographic keys in the hardware security module from making unauthorized changes to data. CC ID 12231 [It is not possible to encrypt or decrypt any arbitrary data using any PIN-encrypting key or key-encrypting key contained in the device. The device must enforce that data keys, key-encipherment keys, and PIN-encryption keys have different values. B13] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Include in the system documentation methodologies for authenticating the hardware security module. CC ID 12258 [{TOE} The device’s development-security documentation must provide means to the initial key-loading facility to assure the authenticity of the TOE’s security relevant components. M4] | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Protect sensitive information within the hardware security module from unauthorized changes. CC ID 12225 [{sensitive function}{sensitive data} Sensitive functions or data are only used in the protected area(s) of the device. Sensitive data and functions dealing with sensitive data are protected from modification without requiring an attack potential of at least 26 for identification and initial exploitation, with a minimum of 13 for exploitation, exclusive of the IC card reader, for identification and initial exploitation. A4 {sensitive function}{sensitive data} Sensitive functions or data are only used in the protected area(s) of the device. Sensitive data and functions dealing with sensitive data are protected from modification without requiring an attack potential of at least 26 for identification and initial exploitation, with a minimum of 13 for exploitation, exclusive of the IC card reader, for identification and initial exploitation. A4] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Prohibit sensitive functions from working outside of protected areas of the hardware security module. CC ID 12224 [{sensitive function}{sensitive data} Sensitive functions or data are only used in the protected area(s) of the device. Sensitive data and functions dealing with sensitive data are protected from modification without requiring an attack potential of at least 26 for identification and initial exploitation, with a minimum of 13 for exploitation, exclusive of the IC card reader, for identification and initial exploitation. A4 {sensitive function}{sensitive data} Sensitive functions or data are only used in the protected area(s) of the device. Sensitive data and functions dealing with sensitive data are protected from modification without requiring an attack potential of at least 26 for identification and initial exploitation, with a minimum of 13 for exploitation, exclusive of the IC card reader, for identification and initial exploitation. A4] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Establish, implement, and maintain an acceptable use policy for the hardware security module. CC ID 12247 [A user-available security policy from the vendor addresses the proper use of the POI in a secure fashion, including information on key-management responsibilities, administrative responsibilities, device functionality, identification, and environmental requirements. The security policy must define the roles supported by the POI and indicate the services available for each role in a deterministic tabular format. The POI is capable of performing only its designed functions—i.e., there is no hidden functionality. The only approved functions performed by the POI are those allowed by the policy. B20] | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include roles and responsibilities in the acceptable use policy for the hardware security module. CC ID 12264 [A user-available security policy from the vendor addresses the proper use of the POI in a secure fashion, including information on key-management responsibilities, administrative responsibilities, device functionality, identification, and environmental requirements. The security policy must define the roles supported by the POI and indicate the services available for each role in a deterministic tabular format. The POI is capable of performing only its designed functions—i.e., there is no hidden functionality. The only approved functions performed by the POI are those allowed by the policy. B20] | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include the environmental requirements in the acceptable use policy for the hardware security module. CC ID 12263 [A user-available security policy from the vendor addresses the proper use of the POI in a secure fashion, including information on key-management responsibilities, administrative responsibilities, device functionality, identification, and environmental requirements. The security policy must define the roles supported by the POI and indicate the services available for each role in a deterministic tabular format. The POI is capable of performing only its designed functions—i.e., there is no hidden functionality. The only approved functions performed by the POI are those allowed by the policy. B20] | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include device identification in the acceptable use policy for the hardware security module. CC ID 12262 [A user-available security policy from the vendor addresses the proper use of the POI in a secure fashion, including information on key-management responsibilities, administrative responsibilities, device functionality, identification, and environmental requirements. The security policy must define the roles supported by the POI and indicate the services available for each role in a deterministic tabular format. The POI is capable of performing only its designed functions—i.e., there is no hidden functionality. The only approved functions performed by the POI are those allowed by the policy. B20] | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include device functionality in the acceptable use policy for the hardware security module. CC ID 12261 [A user-available security policy from the vendor addresses the proper use of the POI in a secure fashion, including information on key-management responsibilities, administrative responsibilities, device functionality, identification, and environmental requirements. The security policy must define the roles supported by the POI and indicate the services available for each role in a deterministic tabular format. The POI is capable of performing only its designed functions—i.e., there is no hidden functionality. The only approved functions performed by the POI are those allowed by the policy. B20] | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include administrative responsibilities in the acceptable use policy for the hardware security module. CC ID 12260 [A user-available security policy from the vendor addresses the proper use of the POI in a secure fashion, including information on key-management responsibilities, administrative responsibilities, device functionality, identification, and environmental requirements. The security policy must define the roles supported by the POI and indicate the services available for each role in a deterministic tabular format. The POI is capable of performing only its designed functions—i.e., there is no hidden functionality. The only approved functions performed by the POI are those allowed by the policy. B20] | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Install secret information into the hardware security module during manufacturing. CC ID 12249 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Install secret information into the hardware security module so that it can only be verified by the initial-key-loading facility. CC ID 12272 [{initial-key-loading facility} If the device will be authenticated at the key-loading facility or the facility of initial deployment by means of secret information placed in the device during manufacturing, then this secret information is unique to each device, unknown and unpredictable to any person, and installed in the device under dual control to ensure that it is not disclosed during installation. L6 {physical alteration} While in transit from the manufacturer’s facility to the initial key-loading facility, the device is:\ - Shipped and stored in tamper-evident packaging; and/or\ - Shipped and stored containing a secret that is immediately and automatically erased if any physical or functional alteration to the device is attempted, that can be verified by the initial key-loading facility, but that cannot feasibly be determined by unauthorized personnel. M3] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Install secret information under dual control into the hardware security module. CC ID 12257 [{initial-key-loading facility} If the device will be authenticated at the key-loading facility or the facility of initial deployment by means of secret information placed in the device during manufacturing, then this secret information is unique to each device, unknown and unpredictable to any person, and installed in the device under dual control to ensure that it is not disclosed during installation. L6] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Establish, implement, and maintain session security coding standards. CC ID 04584 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Establish and maintain a cryptographic architecture document. CC ID 12476 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include the algorithms used in the cryptographic architecture document. CC ID 12483 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include an inventory of all protected areas in the cryptographic architecture document. CC ID 12486 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include a description of the key usage for each key in the cryptographic architecture document. CC ID 12484 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include descriptions of all cryptographic keys in the cryptographic architecture document. CC ID 12487 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include descriptions of the cryptographic key strength of all cryptographic keys in the cryptographic architecture document. CC ID 12488 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include each cryptographic key's expiration date in the cryptographic architecture document. CC ID 12489 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include the protocols used in the cryptographic architecture document. CC ID 12485 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Establish and maintain system security documentation. CC ID 06271 [Security measures are taken during the development and maintenance of POI security-related components. The manufacturer must maintain development-security documentation describing all the physical, procedural, personnel, and other security measures that are necessary to protect the integrity of the design and implementation of the POI security-related components in their development environment. The development-security documentation shall provide evidence that these security measures are followed during the development and maintenance of the POI security-related components. The evidence shall justify that the security measures provide the necessary level of protection to maintain the integrity of the POI security-related components. L7 {document and maintain} The vendor documents, maintains and makes available to integrators details on how to implement the protection system against unauthorized removal. E4.2 The device has security guidance that describes how protocols and services must be used for each interface that is accessible by the device applications. H1] | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Document the procedures and environment used to create the system or software. CC ID 06609 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Develop new products based on secure coding techniques. CC ID 11733 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Establish and maintain a coding manual for secure coding techniques. CC ID 11863 [The vendor must provide clear security guidance consistent with B2 and B6 to all application developers to ensure:\ - That it is not possible for applications to be influenced by logical anomalies which could result in clear-text data being outputted whilst the terminal is in encrypting mode.\ - That account data is not retained any longer, or used more often, than strictly necessary. K11.2] | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Protect applications from insufficient anti-automation through secure coding techniques in source code. CC ID 16854 | Systems design, build, and implementation | Technical Security | |
| Protect applications from improper access control through secure coding techniques in source code. CC ID 11959 | Systems design, build, and implementation | Technical Security | |
| Protect applications from improper error handling through secure coding techniques in source code. CC ID 11937 [The device’s functionality shall not be influenced by logical anomalies such as (but not limited to) unexpected command sequences, unknown commands, commands in a wrong device mode and supplying wrong parameters or data which could result in the device outputting the clear- text PIN or other sensitive data. B2 The device’s functionality shall not be influenced by logical anomalies consistent with B2. K13] | Systems design, build, and implementation | Technical Security | |
| Protect applications from insecure communications through secure coding techniques in source code. CC ID 11936 | Systems design, build, and implementation | Technical Security | |
| Protect applications from attacks on business logic through secure coding techniques in source code. CC ID 15472 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Protect applications from XML external entities through secure coding techniques in source code. CC ID 14806 | Systems design, build, and implementation | Technical Security | |
| Protect applications from insecure deserialization through secure coding techniques in source code. CC ID 14805 | Systems design, build, and implementation | Technical Security | |
| Refrain from hard-coding security parameters in source code. CC ID 14917 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Refrain from hard-coding usernames in source code. CC ID 06561 | Systems design, build, and implementation | Technical Security | |
| Refrain from hard-coding authenticators in source code. CC ID 11829 | Systems design, build, and implementation | Technical Security | |
| Refrain from hard-coding cryptographic keys in source code. CC ID 12307 | Systems design, build, and implementation | Technical Security | |
| Protect applications from injection flaws through secure coding techniques in source code. CC ID 11944 | Systems design, build, and implementation | Technical Security | |
| Protect applications from attacks on data and data structures through secure coding techniques in source code. CC ID 15482 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Control user account management through secure coding techniques in source code. CC ID 11909 | Systems design, build, and implementation | Technical Security | |
| Restrict direct access of databases to the database administrator through secure coding techniques in source code. CC ID 11933 | Systems design, build, and implementation | Technical Security | |
| Protect applications from buffer overflows through secure coding techniques in source code. CC ID 11943 | Systems design, build, and implementation | Technical Security | |
| Protect applications from cross-site scripting through secure coding techniques in source code. CC ID 11899 | Systems design, build, and implementation | Process or Activity | |
| Protect against coding vulnerabilities through secure coding techniques in source code. CC ID 11897 [The vendor must provide clear security guidance consistent with B2 and B6 to all application developers to ensure:\ - That it is not possible for applications to be influenced by logical anomalies which could result in clear-text data being outputted whilst the terminal is in encrypting mode.\ - That account data is not retained any longer, or used more often, than strictly necessary. K11.2] | Systems design, build, and implementation | Process or Activity | |
| Protect applications from broken authentication and session management through secure coding techniques in source code. CC ID 11896 | Systems design, build, and implementation | Process or Activity | |
| Protect applications from insecure cryptographic storage through secure coding techniques in source code. CC ID 11935 | Systems design, build, and implementation | Technical Security | |
| Protect applications from cross-site request forgery through secure coding techniques in source code. CC ID 11895 | Systems design, build, and implementation | Process or Activity | |
| Protect databases from unauthorized database management actions through secure coding techniques in source code. CC ID 12049 | Systems design, build, and implementation | Technical Security | |
| Refrain from displaying error messages to end users through secure coding techniques in source code. CC ID 12166 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Initiate the System Development Life Cycle implementation phase. CC ID 06268 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Manage the system implementation process. CC ID 01115 | Systems design, build, and implementation | Behavior | |
| Implement systems to allow for maintenance, cleaning, adjustment, and use. CC ID 06213 [{inspection process} Controls exist over the repair process, including the resetting of tamper mechanisms, and the inspection/testing process subsequent to repair to ensure that the device has not been subject to unauthorized modification. L8] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
| Establish and maintain end user support communications. CC ID 06615 | Systems design, build, and implementation | Business Processes | |
| Establish, implement, and maintain user documentation. CC ID 12250 | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include loss or theft instructions in the user documentation, as necessary. CC ID 12270 [The vendor must maintain a manual that provides instructions for the operational management of the POI. This includes instructions for recording the entire life cycle of the POI security-related components and of the manner in which those components are integrated into a single POI, e.g.:\ - Data on production and personalization \ - Physical/chronological whereabouts \ - Repair and maintenance \ - Removal from operation \ - Loss or theft M8] | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include disposition instructions in the user documentation, as necessary. CC ID 12269 [The vendor must maintain a manual that provides instructions for the operational management of the POI. This includes instructions for recording the entire life cycle of the POI security-related components and of the manner in which those components are integrated into a single POI, e.g.:\ - Data on production and personalization \ - Physical/chronological whereabouts \ - Repair and maintenance \ - Removal from operation \ - Loss or theft M8] | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include maintenance instructions in the user documentation, as necessary. CC ID 12268 [The vendor must maintain a manual that provides instructions for the operational management of the POI. This includes instructions for recording the entire life cycle of the POI security-related components and of the manner in which those components are integrated into a single POI, e.g.:\ - Data on production and personalization \ - Physical/chronological whereabouts \ - Repair and maintenance \ - Removal from operation \ - Loss or theft M8] | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include instructions on recording the location of the system in the user documentation, as necessary. CC ID 12267 [The vendor must maintain a manual that provides instructions for the operational management of the POI. This includes instructions for recording the entire life cycle of the POI security-related components and of the manner in which those components are integrated into a single POI, e.g.:\ - Data on production and personalization \ - Physical/chronological whereabouts \ - Repair and maintenance \ - Removal from operation \ - Loss or theft M8] | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include personalization instructions within the user documentation, as necessary. CC ID 12266 [The vendor must maintain a manual that provides instructions for the operational management of the POI. This includes instructions for recording the entire life cycle of the POI security-related components and of the manner in which those components are integrated into a single POI, e.g.:\ - Data on production and personalization \ - Physical/chronological whereabouts \ - Repair and maintenance \ - Removal from operation \ - Loss or theft M8] | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Include life cycle management instructions for all components within the user documentation. CC ID 12265 [The vendor must maintain a manual that provides instructions for the operational management of the POI. This includes instructions for recording the entire life cycle of the POI security-related components and of the manner in which those components are integrated into a single POI, e.g.:\ - Data on production and personalization \ - Physical/chronological whereabouts \ - Repair and maintenance \ - Removal from operation \ - Loss or theft M8] | Systems design, build, and implementation | Establish/Maintain Documentation | |
| Plan for selling facilities, technology, or services. CC ID 06893 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
| Establish, implement, and maintain equipment shipping procedures. CC ID 11449 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
| Ship equipment to customers in tamper-evident packaging, as necessary. CC ID 12271 [{physical alteration} While in transit from the manufacturer’s facility to the initial key-loading facility, the device is:\ - Shipped and stored in tamper-evident packaging; and/or\ - Shipped and stored containing a secret that is immediately and automatically erased if any physical or functional alteration to the device is attempted, that can be verified by the initial key-loading facility, but that cannot feasibly be determined by unauthorized personnel. M3] | Acquisition or sale of facilities, technology, and services | Physical and Environmental Protection | |
| Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a personal data collection program. CC ID 06487 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a personal data use policy. CC ID 00076 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Use personal data for specified purposes. CC ID 11831 [Sensitive data shall not be retained any longer, or used more often, than strictly necessary. Online PINs are encrypted within the device immediately after PIN entry is complete and has been signified as such by the cardholder, e.g., via pressing the enter button.\ The device must automatically clear its internal buffers when either:\ - The transaction is completed, or\ - The device has timed out waiting for the response from the cardholder or merchant. B6] | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain a data handling program. CC ID 13427 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain data handling policies. CC ID 00353 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 | Privacy protection for information and data | Data and Information Management | |
| Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 [The vendor must provide clear security guidance consistent with B2 and B6 to all application developers to ensure:\ - That it is not possible for applications to be influenced by logical anomalies which could result in clear-text data being outputted whilst the terminal is in encrypting mode.\ - That account data is not retained any longer, or used more often, than strictly necessary. K11.2 Account data (in either clear-text or encrypted form) shall not be retained any longer, or used more often, than strictly necessary. K15.2 Sensitive data shall not be retained any longer, or used more often, than strictly necessary. Online PINs are encrypted within the device immediately after PIN entry is complete and has been signified as such by the cardholder, e.g., via pressing the enter button.\ The device must automatically clear its internal buffers when either:\ - The transaction is completed, or\ - The device has timed out waiting for the response from the cardholder or merchant. B6] | Privacy protection for information and data | Configuration | |
| Conduct all parts of the supply chain due diligence process. CC ID 08854 | Third Party and supply chain oversight | Business Processes | |
| Validate the third parties' compliance to organizationally mandated compliance requirements. CC ID 08819 [The POI should be protected from unauthorized modification with tamper-evident security features, and customers shall be provided with documentation (both shipped with the product and available securely online) that provides instruction on validating the authenticity and integrity of the POI.\ Where this is not possible, the POI is shipped from the manufacturer’s facility to the initial key-loading facility or to the facility of initial deployment and stored en route under auditable controls that can account for the location of every POI at every point in time.\ Where multiple parties are involved in organizing the shipping, it is the responsibility of each party to ensure that the shipping and storage they are managing is compliant with this requirement. M1] | Third Party and supply chain oversight | Business Processes | |
| Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain. CC ID 08878 | Third Party and supply chain oversight | Business Processes | |
| Define the traceability documentation required for chain of custody certification. CC ID 08895 [The POI should be protected from unauthorized modification with tamper-evident security features, and customers shall be provided with documentation (both shipped with the product and available securely online) that provides instruction on validating the authenticity and integrity of the POI.\ Where this is not possible, the POI is shipped from the manufacturer’s facility to the initial key-loading facility or to the facility of initial deployment and stored en route under auditable controls that can account for the location of every POI at every point in time.\ Where multiple parties are involved in organizing the shipping, it is the responsibility of each party to ensure that the shipping and storage they are managing is compliant with this requirement. M1] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Establish, implement, and maintain physical security controls for the supply chain. CC ID 08931 | Third Party and supply chain oversight | Business Processes | |
| Assign unique reference numbers to all products and their subcomponents. CC ID 08932 [Each device shall have a unique visible identifier affixed to it. M7] | Third Party and supply chain oversight | Business Processes | |
| Establish, implement, and maintain product shipment procedures. CC ID 08934 [Procedures are in place to transfer accountability for the device from the manufacturer to the facility of initial deployment. Where the device is shipped via intermediaries such as resellers, accountability will be with the intermediary from the time at which they receive the device until the time it is received by the next intermediary or the point of initial deployment. M2] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Coordinate and support suppliers' physical security controls. CC ID 08935 | Third Party and supply chain oversight | Business Processes | |
| Inspect all incoming shipments for conformity to information from the supplier. CC ID 08936 | Third Party and supply chain oversight | Business Processes | |
| Use authorized personnel to unseal and open incoming shipments. CC ID 08938 | Third Party and supply chain oversight | Behavior | |
| Document accurate outgoing shipment information. CC ID 08939 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Establish, implement, and maintain export records of outgoing shipments. CC ID 08954 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
| Segregate and secure shipments that have incoming shipment inconsistencies. CC ID 08941 | Third Party and supply chain oversight | Business Processes | |
| Provide access to outgoing shipment information, as necessary. CC ID 08942 | Third Party and supply chain oversight | Data and Information Management | |