
Payment Card Industry (PCI), PIN Transaction Security (PTS) Point of Interaction (POI) - Modular Security Requirements, Version 4.1c



AD ID: 0002773
AD STATUS: Payment Card Industry (PCI), PIN Transaction Security (PTS) Point of Interaction (POI) - Modular Security Requirements, Version 4.1c
ORIGINATOR: PCI Security Standards Council
TYPE: Contractual Obligation
AVAILABILITY: Free
SYNONYMS: PCI PTS POI SRs 4.1c; Payment Card Industry (PCI), PIN Transaction Security (PTS) Point of Interaction (POI) - Modular Security Requirements
EFFECTIVE: 2015-11-01
ADDED:



Important Notice

This Authority Document In Depth Report is copyrighted - © 2022 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.

This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.

This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.

The process we used to tag and map this document

This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools. The mapping team has taken every effort to ensure that the quality of the mapping is of the highest degree.

Controls and associated Citations breakdown

When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of metadata associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.

The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub, contains the following:

Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.

Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within Payment Card Industry (PCI), PIN Transaction Security (PTS) Point of Interaction (POI) - Modular Security Requirements, Version 4.1c, tagged with its primary and secondary nouns and primary and secondary verbs, in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.

Dictionary Terms – The dictionary terms listed for Payment Card Industry (PCI), PIN Transaction Security (PTS) Point of Interaction (POI) - Modular Security Requirements, Version 4.1c are based upon terms found within the Authority Document’s defined terms section (which most legal documents have), within its glossary, and, for the most part, as tagged within each mandate. The terms with links are the standardized version of the term.



Common Controls and mandates by Impact Zone

104 Mandated Controls - bold; 80 Implied Controls - italic; 684 Implementation Controls - regular

An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.


The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.

Number of Controls: 868 Total
  • Acquisition or sale of facilities, technology, and services (4)
    KEY: Primary Verb | Primary Noun | Secondary Verb | Secondary Noun | Limiting Term
    Mandated - bold | Implied - italic | Implementation - regular
    Each row: Control | CC ID | TYPE | CLASS
    Acquisition or sale of facilities, technology, and services CC ID 01123 IT Impact Zone IT Impact Zone
    Plan for selling facilities, technology, or services. CC ID 06893 Acquisition/Sale of Assets or Services Preventive
    Establish, implement, and maintain equipment shipping procedures. CC ID 11449 Acquisition/Sale of Assets or Services Preventive
    Ship equipment to customers in tamper-evident packaging, as necessary. CC ID 12271
    [{physical alteration} While in transit from the manufacturer’s facility to the initial key-loading facility, the device is:
    - Shipped and stored in tamper-evident packaging; and/or
    - Shipped and stored containing a secret that is immediately and automatically erased if any physical or functional alteration to the device is attempted, that can be verified by the initial key-loading facility, but that cannot feasibly be determined by unauthorized personnel. M3]
    Physical and Environmental Protection Preventive
  • Audits and risk management (26)
    Audits and risk management CC ID 00677 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a risk management program. CC ID 12051 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a risk assessment program. CC ID 00687 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain risk assessment procedures. CC ID 06446 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183
    [The device has undergone a vulnerability assessment to ensure that the protocols and interfaces list in F1 do not contain exploitable vulnerabilities.
    a) The vulnerability assessment is supported by a documented analysis describing the security of the protocols and interfaces.
    b) The vulnerability assessment is supported by a vulnerability survey of information available in the public domain.
    c) The vulnerability assessment is supported by testing. G2]
    Establish/Maintain Documentation Preventive
    Document organizational risk criteria. CC ID 12277 Establish/Maintain Documentation Preventive
    Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 Technical Security Preventive
    Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 Investigate Detective
    Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 Audits and Risk Management Preventive
    Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 Audits and Risk Management Preventive
    Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 Establish/Maintain Documentation Preventive
    Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 Audits and Risk Management Preventive
    Perform risk assessments for all target environments, as necessary. CC ID 06452
    [The device has undergone a vulnerability assessment to ensure that the protocols and interfaces list in F1 do not contain exploitable vulnerabilities.
    a) The vulnerability assessment is supported by a documented analysis describing the security of the protocols and interfaces.
    b) The vulnerability assessment is supported by a vulnerability survey of information available in the public domain.
    c) The vulnerability assessment is supported by testing. G2]
    Testing Preventive
    Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 Establish/Maintain Documentation Preventive
    Include physical assets in the scope of the risk assessment. CC ID 13075 Establish/Maintain Documentation Preventive
    Include the results of the risk assessment in the risk assessment report. CC ID 06481 Establish/Maintain Documentation Preventive
    Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 Audits and Risk Management Preventive
    Update the risk assessment upon discovery of a new threat. CC ID 00708 Establish/Maintain Documentation Detective
    Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 Audits and Risk Management Preventive
    Update the risk assessment upon changes to the risk profile. CC ID 11627 Establish/Maintain Documentation Detective
    Review the risk to the audit function when the audit personnel status changes. CC ID 01153 Audits and Risk Management Preventive
    Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 Establish/Maintain Documentation Preventive
    Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 Communicate Preventive
    Conduct external audits of risk assessments, as necessary. CC ID 13308 Audits and Risk Management Detective
    Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 Communicate Preventive
  • Monitoring and measurement (24)
    Monitoring and measurement CC ID 00636 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a testing program. CC ID 00654 Behavior Preventive
    Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 Establish/Maintain Documentation Preventive
    Perform vulnerability scans, as necessary. CC ID 11637
    [The device vendor has maintenance measures in place.
    a) The maintenance measures are documented.
    b) The maintenance measures ensure timely detection of vulnerabilities that apply to the device by periodic execution of a vulnerability assessment that includes activities such as: analysis, survey of information available in the public domain, and testing.
    c) The maintenance measures ensure timely assessment and classification of newly found vulnerabilities.
    d) The maintenance measures ensure timely creation of mitigation measures for newly found vulnerabilities that may impact device security. J2]
    Technical Security Detective
    Repeat vulnerability scanning, as necessary. CC ID 11646 Testing Detective
    Identify and document security vulnerabilities. CC ID 11857
    [The device vendor has internal policies and procedures that ensure that the vendor maintains an effective process for detecting vulnerabilities that may exist within their device. This process is expected to be robust enough to include all interfaces defined in requirement F1. This process must be effective enough to detect vulnerabilities which may have not been publicly known during the last vulnerability assessment. G1
    The device has undergone a vulnerability assessment to ensure that the protocols and interfaces list in F1 do not contain exploitable vulnerabilities.
    a) The vulnerability assessment is supported by a documented analysis describing the security of the protocols and interfaces.
    b) The vulnerability assessment is supported by a vulnerability survey of information available in the public domain.
    c) The vulnerability assessment is supported by testing. G2]
    Technical Security Detective
    Rank discovered vulnerabilities. CC ID 11940 Investigate Detective
    Use dedicated user accounts when conducting vulnerability scans. CC ID 12098 Technical Security Preventive
    Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638 Technical Security Detective
    Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 Establish/Maintain Documentation Preventive
    Maintain vulnerability scan reports as organizational records. CC ID 12092 Records Management Preventive
    Correlate vulnerability scan reports from the various systems. CC ID 10636 Technical Security Detective
    Perform internal vulnerability scans. CC ID 00656 Testing Detective
    Perform vulnerability scans prior to installing payment applications. CC ID 12192 Technical Security Detective
    Implement scanning tools, as necessary. CC ID 14282 Technical Security Detective
    Update the vulnerability scanners' vulnerability list. CC ID 10634 Configuration Corrective
    Repeat vulnerability scanning after an approved change occurs. CC ID 12468 Technical Security Detective
    Perform external vulnerability scans on the organization's systems. CC ID 11624 Technical Security Detective
    Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 Business Processes Preventive
    Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 Testing Preventive
    Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635 Technical Security Detective
    Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 Behavior Corrective
    Perform vulnerability assessments, as necessary. CC ID 11828
    [The device vendor has maintenance measures in place.
    a) The maintenance measures are documented.
    b) The maintenance measures ensure timely detection of vulnerabilities that apply to the device by periodic execution of a vulnerability assessment that includes activities such as: analysis, survey of information available in the public domain, and testing.
    c) The maintenance measures ensure timely assessment and classification of newly found vulnerabilities.
    d) The maintenance measures ensure timely creation of mitigation measures for newly found vulnerabilities that may impact device security. J2
    The device has undergone a vulnerability assessment to ensure that the protocols and interfaces list in F1 do not contain exploitable vulnerabilities.
    a) The vulnerability assessment is supported by a documented analysis describing the security of the protocols and interfaces.
    b) The vulnerability assessment is supported by a vulnerability survey of information available in the public domain.
    c) The vulnerability assessment is supported by testing. G2]
    Technical Security Corrective
    Review applications for security vulnerabilities after the application is updated. CC ID 11938 Technical Security Detective
  • Operational and Systems Continuity (5)
    Operational and Systems Continuity CC ID 00731 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a business continuity program. CC ID 13210 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a continuity plan. CC ID 00752 Establish/Maintain Documentation Preventive
    Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373 Systems Continuity Corrective
    Execute fail-safe procedures when an emergency occurs. CC ID 07108
    [{integrity test}{authenticity test} The device performs a self-test, which includes integrity and authenticity tests upon start-up and at least once per day to check whether the device is in a compromised state. In the event of a failure, the device and its functionality fail in a secure manner. The device must reinitialize memory at least every 24 hours. B1]
    Systems Continuity Preventive
  • Operational management (217)
    Operational management CC ID 00805 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an information security program. CC ID 00812
    [The device vendor maintains guidance describing configuration management for the device.
    a) The guidance is at the disposal of internal users, and/or of application developers, system integrators and end-users of the device.
    b) The guidance covers the complete device—including firmware, payment and non-payment applications, forms, multimedia files, certificates, configuration files, configuration setting, and keys.
    c) The guidance covers the complete life cycle of the device from development, over manufacturing, up to delivery and operation.
    d) The security guidance ensures that unauthorized modification is not possible.
    e) The security guidance ensures that any modification of a PTS-approved device that impacts device security results in a change of the device identifier. J1]
    Establish/Maintain Documentation Preventive
    Include physical safeguards in the information security program. CC ID 12375 Establish/Maintain Documentation Preventive
    Include technical safeguards in the information security program. CC ID 12374 Establish/Maintain Documentation Preventive
    Include administrative safeguards in the information security program. CC ID 12373 Establish/Maintain Documentation Preventive
    Include system development in the information security program. CC ID 12389 Establish/Maintain Documentation Preventive
    Include system maintenance in the information security program. CC ID 12388 Establish/Maintain Documentation Preventive
    Include system acquisition in the information security program. CC ID 12387 Establish/Maintain Documentation Preventive
    Include access control in the information security program. CC ID 12386 Establish/Maintain Documentation Preventive
    Review and approve access controls, as necessary. CC ID 13074 Process or Activity Detective
    Include operations management in the information security program. CC ID 12385 Establish/Maintain Documentation Preventive
    Include communication management in the information security program. CC ID 12384 Establish/Maintain Documentation Preventive
    Include environmental security in the information security program. CC ID 12383 Establish/Maintain Documentation Preventive
    Include physical security in the information security program. CC ID 12382 Establish/Maintain Documentation Preventive
    Include human resources security in the information security program. CC ID 12381 Establish/Maintain Documentation Preventive
    Include asset management in the information security program. CC ID 12380 Establish/Maintain Documentation Preventive
    Include a continuous monitoring program in the information security program. CC ID 14323 Establish/Maintain Documentation Preventive
    Include how the information security department is organized in the information security program. CC ID 12379 Establish/Maintain Documentation Preventive
    Include risk management in the information security program. CC ID 12378 Establish/Maintain Documentation Preventive
    Include mitigating supply chain risks in the information security program. CC ID 13352 Establish/Maintain Documentation Preventive
    Provide management direction and support for the information security program. CC ID 11999 Process or Activity Preventive
    Monitor and review the effectiveness of the information security program. CC ID 12744 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain an information security policy. CC ID 11740 Establish/Maintain Documentation Preventive
    Align the information security policy with the organization's risk acceptance level. CC ID 13042 Business Processes Preventive
    Include a commitment to the information security requirements in the information security policy. CC ID 13496 Establish/Maintain Documentation Preventive
    Include information security objectives in the information security policy. CC ID 13493 Establish/Maintain Documentation Preventive
    Include the use of Cloud Services in the information security policy. CC ID 13146 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain information security procedures. CC ID 12006 Business Processes Preventive
    Approve the information security policy at the organization's management level or higher. CC ID 11737 Process or Activity Preventive
    Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 Establish/Maintain Documentation Preventive
    Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 Establish/Maintain Documentation Preventive
    Assign ownership of the information security program to the appropriate role. CC ID 00814 Establish Roles Preventive
    Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 Human Resources Management Preventive
    Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 Establish/Maintain Documentation Preventive
    Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 Human Resources Management Preventive
    Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 Communicate Preventive
    Establish, implement, and maintain a social media governance program. CC ID 06536 Establish/Maintain Documentation Preventive
    Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 Business Processes Preventive
    Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 Business Processes Preventive
    Refrain from accepting instant messages from unknown senders. CC ID 12537 Behavior Preventive
    Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 Establish/Maintain Documentation Preventive
    Include explicit restrictions in the social media acceptable use policy. CC ID 06655 Establish/Maintain Documentation Preventive
    Include contributive content sites in the social media acceptable use policy. CC ID 06656 Establish/Maintain Documentation Preventive
    Perform social network analysis, as necessary. CC ID 14864 Investigate Detective
    Establish, implement, and maintain operational control procedures. CC ID 00831 Establish/Maintain Documentation Preventive
    Include assigning and approving operations in operational control procedures. CC ID 06382 Establish/Maintain Documentation Preventive
    Include startup processes in operational control procedures. CC ID 00833 Establish/Maintain Documentation Preventive
    Establish and maintain a data processing run manual. CC ID 00832 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826
    [The vendor must maintain a manual that provides instructions for the operational management of the POI. This includes instructions for recording the entire life cycle of the POI security-related components and of the manner in which those components are integrated into a single POI, e.g.:
    - Data on production and personalization
    - Physical/chronological whereabouts
    - Repair and maintenance
    - Removal from operation
    - Loss or theft M8]
    Establish/Maintain Documentation Preventive
    Use systems in accordance with the standard operating procedures manual. CC ID 15049 Process or Activity Preventive
    Include metrics in the standard operating procedures manual. CC ID 14988 Establish/Maintain Documentation Preventive
    Include maintenance measures in the standard operating procedures manual. CC ID 14986 Establish/Maintain Documentation Preventive
    Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 Establish/Maintain Documentation Preventive
    Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 Establish/Maintain Documentation Preventive
    Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14981 Establish/Maintain Documentation Preventive
    Include predetermined changes in the standard operating procedures manual. CC ID 14977 Establish/Maintain Documentation Preventive
    Include specifications for input data in the standard operating procedures manual. CC ID 14975 Establish/Maintain Documentation Preventive
    Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 Establish/Maintain Documentation Preventive
    Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 Establish/Maintain Documentation Preventive
    Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 Establish/Maintain Documentation Preventive
    Include the intended purpose in the standard operating procedures manual. CC ID 14967 Establish/Maintain Documentation Preventive
    Include information on system performance in the standard operating procedures manual. CC ID 14965 Establish/Maintain Documentation Preventive
    Include contact details in the standard operating procedures manual. CC ID 14962 Establish/Maintain Documentation Preventive
    Include information sharing procedures in standard operating procedures. CC ID 12974 Records Management Preventive
    Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 Business Processes Preventive
    Update operating procedures that contribute to user errors. CC ID 06935 Establish/Maintain Documentation Corrective
    Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 Communicate Preventive
    Establish, implement, and maintain a job scheduling methodology. CC ID 00834 Establish/Maintain Documentation Preventive
    Establish and maintain a job schedule exceptions list. CC ID 00835 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a data processing continuity plan. CC ID 00836 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 Establish/Maintain Documentation Preventive
    Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 Establish/Maintain Documentation Preventive
    Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 Establish/Maintain Documentation Preventive
    Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 Establish/Maintain Documentation Preventive
    Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 Establish/Maintain Documentation Preventive
    Include asset tags in the Acceptable Use Policy. CC ID 01354 Establish/Maintain Documentation Preventive
    Include asset use policies in the Acceptable Use Policy. CC ID 01355 Establish/Maintain Documentation Preventive
    Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 Establish/Maintain Documentation Preventive
    Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 Establish/Maintain Documentation Preventive
    Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 Technical Security Preventive
    Include prohibiting, copying, or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 Establish/Maintain Documentation Preventive
    Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 Data and Information Management Preventive
    Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 Establish/Maintain Documentation Preventive
    Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 Establish/Maintain Documentation Preventive
    Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 Establish/Maintain Documentation Preventive
    Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 Establish/Maintain Documentation Preventive
    Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 Establish/Maintain Documentation Corrective
    Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 Establish/Maintain Documentation Preventive
    Include a software installation policy in the Acceptable Use Policy. CC ID 06749 Establish/Maintain Documentation Preventive
    Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 Communicate Preventive
    Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 Establish/Maintain Documentation Preventive
    Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 Business Processes Preventive
    Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 Establish/Maintain Documentation Preventive
    Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an e-mail policy. CC ID 06439 Establish/Maintain Documentation Preventive
    Include business use of personal e-mail in the e-mail policy. CC ID 14381 Establish/Maintain Documentation Preventive
    Identify the sender in all electronic messages. CC ID 13996 Data and Information Management Preventive
    Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 Establish/Maintain Documentation Preventive
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 Business Processes Preventive
    Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815
    [{document and maintain} The vendor documents, maintains and makes available to integrators details on how to implement the protection system against unauthorized removal. E4.2]
    Behavior Preventive
    Establish, implement, and maintain an Asset Management program. CC ID 06630 Business Processes Preventive
    Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 Establish/Maintain Documentation Preventive
    Apply security controls to each level of the information classification standard. CC ID 01903 Systems Design, Build, and Implementation Preventive
    Establish, implement, and maintain the systems' integrity level. CC ID 01906
    [The device is able to provide the integrity of data that is sent over a network connection.
    a) Integrity is provided by a MAC as defined in ISO 16609, or by a digital signature.
    b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.
    c) Examples of appropriate algorithms and minimum key sizes are stated in Appendix D of the PCI PTS POI DTRs. I3]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a system preventive maintenance program. CC ID 00885
    [The device vendor has maintenance measures in place.
    a) The maintenance measures are documented.
    b) The maintenance measures ensure timely detection of vulnerabilities that apply to the device by periodic execution of a vulnerability assessment that includes activities such as: analysis, survey of information available in the public domain, and testing.
    c) The maintenance measures ensure timely assessment and classification of newly found vulnerabilities.
    d) The maintenance measures ensure timely creation of mitigation measures for newly found vulnerabilities that may impact device security. J2]
    Establish/Maintain Documentation Preventive
    Establish and maintain maintenance reports. CC ID 11749
    [The device vendor has maintenance measures in place.
    a) The maintenance measures are documented.
    b) The maintenance measures ensure timely detection of vulnerabilities that apply to the device by periodic execution of a vulnerability assessment that includes activities such as: analysis, survey of information available in the public domain, and testing.
    c) The maintenance measures ensure timely assessment and classification of newly found vulnerabilities.
    d) The maintenance measures ensure timely creation of mitigation measures for newly found vulnerabilities that may impact device security. J2]
    Establish/Maintain Documentation Preventive
    Establish and maintain system inspection reports. CC ID 06346 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a system maintenance policy. CC ID 14032 Establish/Maintain Documentation Preventive
    Include compliance requirements in the system maintenance policy. CC ID 14217 Establish/Maintain Documentation Preventive
    Include management commitment in the system maintenance policy. CC ID 14216 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the system maintenance policy. CC ID 14215 Establish/Maintain Documentation Preventive
    Include the scope in the system maintenance policy. CC ID 14214 Establish/Maintain Documentation Preventive
    Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 Communicate Preventive
    Include the purpose in the system maintenance policy. CC ID 14187 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the system maintenance policy. CC ID 14181 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain system maintenance procedures. CC ID 14059 Establish/Maintain Documentation Preventive
    Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 Communicate Preventive
    Include a technology refresh plan in the system preventive maintenance program. CC ID 13061 Establish/Maintain Documentation Preventive
    Plan and conduct maintenance so that it does not interfere with scheduled operations. CC ID 06389 Physical and Environmental Protection Preventive
    Maintain contact with the device manufacturer or component manufacturer for maintenance requests. CC ID 06388 Behavior Preventive
    Replace system components when third party support is no longer available. CC ID 10644 Maintenance Preventive
    Obtain justification for the continued use of system components when third party support is no longer available. CC ID 10645 Maintenance Preventive
    Control and monitor all maintenance tools. CC ID 01432 Physical and Environmental Protection Detective
    Obtain approval before removing maintenance tools from the facility. CC ID 14298 Business Processes Preventive
    Control remote maintenance according to the system's asset classification. CC ID 01433
    [The update mechanism ensures security, i.e., integrity, mutual authentication, and protection against replay, by using an appropriate and declared security protocol when using a network connection. For manual updates, administrator rights must be implemented using password/PINs and/or cryptographic authentication techniques. J4]
    Technical Security Preventive
    Separate remote maintenance sessions from other network sessions with a logically separate communications path based upon encryption. CC ID 10614 Configuration Preventive
    Approve all remote maintenance sessions. CC ID 10615 Technical Security Preventive
    Log the performance of all remote maintenance. CC ID 13202 Log Management Preventive
    Terminate remote maintenance sessions when the remote maintenance is complete. CC ID 12083 Technical Security Preventive
    Conduct maintenance with authorized personnel. CC ID 01434 Testing Detective
    Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 Maintenance Preventive
    Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 Maintenance Preventive
    Respond to maintenance requests inside the organizationally established time frame. CC ID 04878 Behavior Preventive
    Establish and maintain an archive of maintenance reports in a maintenance log. CC ID 06202 Establish/Maintain Documentation Preventive
    Acquire spare parts prior to when maintenance requests are scheduled. CC ID 11833 Acquisition/Sale of Assets or Services Preventive
    Perform periodic maintenance according to organizational standards. CC ID 01435
    [The device vendor has maintenance measures in place.
    a) The maintenance measures are documented.
    b) The maintenance measures ensure timely detection of vulnerabilities that apply to the device by periodic execution of a vulnerability assessment that includes activities such as: analysis, survey of information available in the public domain, and testing.
    c) The maintenance measures ensure timely assessment and classification of newly found vulnerabilities.
    d) The maintenance measures ensure timely creation of mitigation measures for newly found vulnerabilities that may impact device security. J2]
    Behavior Preventive
    Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 Maintenance Preventive
    Employ dedicated systems during system maintenance. CC ID 12108 Technical Security Preventive
    Isolate dedicated systems used for system maintenance from Internet access. CC ID 12114 Technical Security Preventive
    Control granting access to third parties performing maintenance on organizational assets. CC ID 11873 Human Resources Management Preventive
    Identify and authenticate third parties prior to granting access to maintain assets. CC ID 11874 Physical and Environmental Protection Preventive
    Calibrate assets according to the calibration procedures for the asset. CC ID 06203 Testing Detective
    Post calibration limits or calibration tolerances on or near assets requiring calibration. CC ID 06204 Establish/Maintain Documentation Preventive
    Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 Process or Activity Preventive
    Establish, implement, and maintain a change control program. CC ID 00886
    [Change-control procedures are in place so that any intended change to the physical or functional capabilities of the POI causes a re-certification of the device under the Physical Security Requirements or the Logical Security Requirements of this document. Immediate re-certification is not required for changes that purely rectify errors and faults in software in order to make it function as intended and do not otherwise remove, modify, or add functionality. Approval of delta submissions is contingent on evidence of the ongoing change control and vulnerability management process. L1]
    Establish/Maintain Documentation Preventive
    Include potential consequences of unintended changes in the change control program. CC ID 12243 Establish/Maintain Documentation Preventive
    Include version control in the change control program. CC ID 13119 Establish/Maintain Documentation Preventive
    Include service design and transition in the change control program. CC ID 13920 Establish/Maintain Documentation Preventive
    Separate the production environment from development environment or test environment for the change control process. CC ID 11864 Maintenance Preventive
    Integrate configuration management procedures into the change control program. CC ID 13646 Technical Security Preventive
    Establish, implement, and maintain a back-out plan. CC ID 13623 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373 Establish/Maintain Documentation Preventive
    Approve back-out plans, as necessary. CC ID 13627 Establish/Maintain Documentation Corrective
    Manage change requests. CC ID 00887 Business Processes Preventive
    Include documentation of the impact level of proposed changes in the change request. CC ID 11942 Establish/Maintain Documentation Preventive
    Establish and maintain a change request approver list. CC ID 06795 Establish/Maintain Documentation Preventive
    Document all change requests in change request forms. CC ID 06794 Establish/Maintain Documentation Preventive
    Test proposed changes prior to their approval. CC ID 00548 Testing Detective
    Examine all changes to ensure they correspond with the change request. CC ID 12345 Business Processes Detective
    Approve tested change requests. CC ID 11783 Data and Information Management Preventive
    Validate the system before implementing approved changes. CC ID 01510 Systems Design, Build, and Implementation Preventive
    Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 Behavior Preventive
    Establish, implement, and maintain emergency change procedures. CC ID 00890 Establish/Maintain Documentation Preventive
    Perform emergency changes, as necessary. CC ID 12707 Process or Activity Preventive
    Back up emergency changes after the change has been performed. CC ID 12734 Process or Activity Preventive
    Log emergency changes after they have been performed. CC ID 12733 Establish/Maintain Documentation Preventive
    Perform risk assessments prior to approving change requests. CC ID 00888 Testing Preventive
    Conduct network certifications prior to approving change requests for networks. CC ID 13121 Process or Activity Detective
    Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 Investigate Detective
    Collect data about the network environment when certifying the network. CC ID 13125 Investigate Detective
    Implement changes according to the change control program. CC ID 11776 Business Processes Preventive
    Provide audit trails for all approved changes. CC ID 13120 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a patch management program. CC ID 00896 Process or Activity Preventive
    Document the sources of all software updates. CC ID 13316 Establish/Maintain Documentation Preventive
    Implement patch management software, as necessary. CC ID 12094 Technical Security Preventive
    Include updates and exceptions to hardened images as a part of the patch management program. CC ID 12087 Technical Security Preventive
    Establish, implement, and maintain patch management procedures. CC ID 15224 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a patch log. CC ID 01642 Establish/Maintain Documentation Preventive
    Review the patch log for missing patches. CC ID 13186 Technical Security Detective
    Perform a patch test prior to deploying a patch. CC ID 00898 Testing Detective
    Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 Business Processes Preventive
    Deploy software patches. CC ID 07032 Configuration Corrective
    Test software patches for any potential compromise of the system's security. CC ID 13175 Testing Detective
    Patch software. CC ID 11825 Technical Security Corrective
    Patch the operating system, as necessary. CC ID 11824 Technical Security Corrective
    Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 Configuration Corrective
    Remove outdated software after software has been updated. CC ID 11792 Configuration Corrective
    Update computer firmware, as necessary. CC ID 11755 Configuration Corrective
    Review changes to computer firmware. CC ID 12226
    [The firmware and any changes thereafter have been inspected and reviewed using a documented and auditable process, and certified as being free from hidden and unauthorized or undocumented functions. B3]
    Testing Detective
    Certify changes to computer firmware are free of malicious logic. CC ID 12227
    [The firmware and any changes thereafter have been inspected and reviewed using a documented and auditable process, and certified as being free from hidden and unauthorized or undocumented functions. B3]
    Testing Detective
    Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671 Configuration Corrective
    Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682
    [If the device allows updates of firmware, the device cryptographically authenticates the firmware and if the authenticity is not confirmed, the firmware update is rejected and deleted. B4
    The firmware must support the authentication of applications loaded onto the terminal consistent with B4. If the device allows software application and/or configuration updates, the device cryptographically authenticates updates consistent with B4. B4.1
    If the manufacturer is in charge of initial key loading, the manufacturer must verify the authenticity of the POI security-related components. M5
    If the manufacturer is not in charge of initial key loading, the manufacturer must provide the means to the initial key-loading facility to assure the verification of the authenticity of the POI security-related components. M6
    The firmware, and any changes thereafter, have been inspected and reviewed consistent with B3. K10
    The firmware must confirm the authenticity of all applications loaded onto the terminal consistent with B4. If the device allows software application and/or configuration updates, the device cryptographically authenticates all updates consistent with B4. K11.1
    If the device allows updates of firmware, the device cryptographically authenticates the firmware and if the authenticity is not confirmed, the firmware update is rejected and deleted. K12]
    Technical Security Detective
    Establish, implement, and maintain a software release policy. CC ID 00893 Establish/Maintain Documentation Preventive
    Disseminate and communicate software update information to users and regulators. CC ID 06602 Behavior Preventive
    Allow interested personnel and affected parties to opt out of specific version releases and software updates. CC ID 06809 Data and Information Management Preventive
    Mitigate the adverse effects of unauthorized changes. CC ID 12244 Business Processes Corrective
    Establish, implement, and maintain approved change acceptance testing procedures. CC ID 06391 Establish/Maintain Documentation Detective
    Test the system's operational functionality after implementing approved changes. CC ID 06294 Testing Detective
    Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541 Testing Detective
    Establish, implement, and maintain a change acceptance testing log. CC ID 06392 Establish/Maintain Documentation Corrective
    Update associated documentation after the system configuration has been changed. CC ID 00891 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a configuration change log. CC ID 08710 Configuration Detective
    Document approved configuration deviations. CC ID 08711 Establish/Maintain Documentation Corrective
    Document the organization's local environments. CC ID 06726
    [The PIN-encryption technique implemented in the device is a technique included in ISO 9564. B12
    It is neither feasible to penetrate the ICC reader to make any additions, substitutions, or modifications to either the ICC reader’s hardware or software, in order to determine or modify any sensitive data, without requiring an attack potential of at least 20 for identification and initial exploitation, with a minimum of 10 for exploitation, nor is it possible for both an IC card and any other foreign object to reside within the card insertion slot. D1
    If the device is capable of communicating over an IP network or uses a public domain protocol (such as but not limited to Wi-Fi or Bluetooth), then requirements specified in DTR Module 3: Open Protocols Requirements have been met. K14
    The key-management techniques implemented in the device are consistent with B11. K17
    Sensitive services are protected from unauthorized use consistent with B8. K23
    The key-management techniques implemented in the device conform to ISO 11568 and/or ANSI X9.24. Key-management techniques must support the ANSI TR-31 key-derivation methodology or an equivalent methodology for maintaining the TDEA key bundle. B11]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain local environment security profiles. CC ID 07037 Establish/Maintain Documentation Preventive
    Include individuals assigned to the local environment in the local environment security profile. CC ID 07038 Establish/Maintain Documentation Preventive
    Include the business processes assigned to the local environment in the local environment security profile. CC ID 07039 Establish/Maintain Documentation Preventive
    Include the technology used in the local environment in the local environment security profile. CC ID 07040 Establish/Maintain Documentation Preventive
    Include contact information for critical personnel assigned to the local environment in the local environment security profile. CC ID 07041 Establish/Maintain Documentation Preventive
    Include facility information for the local environment in the local environment security profile. CC ID 07042 Establish/Maintain Documentation Preventive
    Include facility access information for the local environment in the local environment security profile. CC ID 11773 Establish/Maintain Documentation Preventive
    Update the local environment security profile, as necessary. CC ID 07043 Establish/Maintain Documentation Preventive
  • Physical and environmental protection
    78
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Physical and environmental protection CC ID 00709 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a physical security program. CC ID 11757 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an anti-tamper protection program. CC ID 10638 Monitor and Evaluate Occurrences Detective
    Disallow disabling tamper detection and response mechanisms, absent authorization. CC ID 12211
    [The device protects all account data upon entry (consistent with A9 for magnetic stripe data and D1 for Chip data), and there is no method of accessing the clear-text account data (using methods described in A1) without defeating the security of the device. Defeating or circumventing the security mechanism requires an attack potential of at least 16 for identification and initial exploitation, with a minimum of 8 for exploitation. K1.1
    {tamper response} The device uses tamper-detection and response mechanisms that cause it to become immediately inoperable and result in the automatic and immediate erasure of any sensitive data that may be stored in the device, such that it becomes infeasible to recover the sensitive data. These mechanisms protect against physical penetration of the device by means of (but not limited to) drills, lasers, chemical solvents, opening covers, splitting the casing (seams), and using ventilation openings; and there is not any demonstrable way to disable or defeat the mechanism and insert a PIN-disclosing bug or gain access to secret information without requiring an attack potential of at least 26 per device for identification and initial exploitation, with a minimum of 13 for exploitation, exclusive of the IC card reader. A1]
    Configuration Preventive
    Prevent security mechanisms from being compromised by adverse physical conditions. CC ID 12215
    [The security of the device is not compromised by altering:
    - Environmental conditions
    - Operational conditions A3]
    Configuration Preventive
    Protect assets from tampering or unapproved substitution. CC ID 11902
    [The unauthorized alteration of prompts for non-PIN data entry into the PIN entry key pad such that PINs are compromised, i.e., by prompting for the PIN entry when the output is not encrypted, cannot occur without requiring an attack potential of at least 18 per device for identification and initial exploitation with a minimum of 9 for exploitation. A7
    It is not feasible to penetrate the device to make any additions, substitutions, or modifications to the magnetic-stripe reader and associated hardware or software, in order to determine or modify magnetic-stripe track data, without requiring an attack potential of at least 16 per device, for identification and initial exploitation, with a minimum of 8 for exploitation. A9
    Secure components intended for unattended devices contain an anti-removal mechanism to protect against unauthorized removal and/or unauthorized re-installation. Defeating or circumventing this mechanism must require an attack potential of at least 18 per device for identification and initial exploitation, with a minimum of 9 for exploitation. A10
    The POI should be protected from unauthorized modification with tamper-evident security features, and customers shall be provided with documentation (both shipped with the product and available securely online) that provides instruction on validating the authenticity and integrity of the POI.
    Where this is not possible, the POI is shipped from the manufacturer’s facility to the initial key-loading facility or to the facility of initial deployment and stored en route under auditable controls that can account for the location of every POI at every point in time.
    Where multiple parties are involved in organizing the shipping, it is the responsibility of each party to ensure that the shipping and storage they are managing is compliant with this requirement. M1
    The device is assembled in a manner that the components used in the manufacturing process are those components that were certified by the Core PIN Entry and/or POS Terminal Integration Security Requirements evaluation, and that unauthorized substitutions have not been made. L3
    Subsequent to production but prior to shipment from the manufacturer’s or reseller’s facility, the device and any of its components are stored in a protected, access-controlled area or sealed within tamper-evident packaging to prevent undetected unauthorized access to the device or its components. L5
    The PIN entry POI terminal is equipped with mechanisms to prevent attacks aiming at retaining and stealing the payment card (e.g., Lebanese Loop attack). E3.2
    {tamper response} The device uses tamper-detection and response mechanisms that cause it to become immediately inoperable and result in the automatic and immediate erasure of any sensitive data that may be stored in the device, such that it becomes infeasible to recover the sensitive data. These mechanisms protect against physical penetration of the device by means of (but not limited to) drills, lasers, chemical solvents, opening covers, splitting the casing (seams), and using ventilation openings; and there is not any demonstrable way to disable or defeat the mechanism and insert a PIN-disclosing bug or gain access to secret information without requiring an attack potential of at least 26 per device for identification and initial exploitation, with a minimum of 13 for exploitation, exclusive of the IC card reader. A1
    Failure of a single security mechanism does not compromise device security. Protection against a threat is based on a combination of at least two independent security mechanisms. A2]
    Physical and Environmental Protection Preventive
    Establish, implement, and maintain a facility physical security program. CC ID 00711 Establish/Maintain Documentation Preventive
    Protect facilities from eavesdropping. CC ID 02222
    [{prevent} {facility} There is no feasible way to determine any entered and internally transmitted PIN digit by monitoring sound, electro-magnetic emissions, power consumption or any other external characteristic available for monitoring—even with the cooperation of the device operator or sales clerk—without requiring an attack potential of at least 26 for identification and initial exploitation with a minimum of 13 for exploitation. A5]
    Physical and Environmental Protection Preventive
    Inspect telephones for eavesdropping devices. CC ID 02223 Physical and Environmental Protection Detective
    Hold conferences requiring sensitive information discussions in spaces that have commensurate security. CC ID 11440 Physical and Environmental Protection Preventive
    Provide one-time meeting support for discussions involving Top Secret information. CC ID 11441 Physical and Environmental Protection Preventive
    Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 Physical and Environmental Protection Preventive
    Protect distributed assets against theft. CC ID 06799
    [The device is protected against unauthorized removal. Defeating or circumventing this mechanism must require an attack potential of at least 18 per device for identification and initial exploitation, with a minimum of 9 for exploitation. E4.1]
    Physical and Environmental Protection Preventive
    Include Information Technology assets in the asset removal policy. CC ID 13162 Establish/Maintain Documentation Preventive
    Specify the assets to be returned or removed in the asset removal policy. CC ID 13163 Establish/Maintain Documentation Preventive
    Disseminate and communicate the asset removal policy to interested personnel and affected parties. CC ID 13160 Communicate Preventive
    Establish, implement, and maintain asset removal procedures or asset decommissioning procedures. CC ID 04540 Establish/Maintain Documentation Preventive
    Prohibit assets from being taken off-site absent prior authorization. CC ID 12027 Process or Activity Preventive
    Control the delivery of assets through physical entry points and physical exit points. CC ID 01441 Physical and Environmental Protection Preventive
    Control the removal of assets through physical entry points and physical exit points. CC ID 11681 Physical and Environmental Protection Preventive
    Maintain records of all system components entering and exiting the facility. CC ID 14304 Log Management Preventive
    Establish, implement, and maintain on-site logical controls for all distributed assets. CC ID 11682 Technical Security Preventive
    Establish, implement, and maintain off-site logical controls for all distributed assets. CC ID 11683 Technical Security Preventive
    Establish, implement, and maintain on-site physical controls for all distributed assets. CC ID 04820 Physical and Environmental Protection Preventive
    Establish, implement, and maintain off-site physical controls for all distributed assets. CC ID 04539 Physical and Environmental Protection Preventive
    Establish, implement, and maintain report missing asset procedures. CC ID 06336 Establish/Maintain Documentation Preventive
    Attach asset location technologies to distributed assets. CC ID 10626 Physical and Environmental Protection Detective
    Employ asset location technologies in accordance with applicable laws and regulations. CC ID 10627 Physical and Environmental Protection Preventive
    Monitor the location of distributed assets. CC ID 11684 Monitor and Evaluate Occurrences Detective
    Remote lock any distributed assets reported lost or stolen. CC ID 14008 Technical Security Corrective
    Remote wipe any distributed asset reported lost or stolen. CC ID 12197 Process or Activity Corrective
    Unpair missing Bluetooth devices. CC ID 12428 Physical and Environmental Protection Corrective
    Establish, implement, and maintain an environmental control program. CC ID 00724
    [{environmental conditions} Environmental or operational conditions cannot be altered to compromise the security of the device, or cause the device to output clear-text account data.
    (An example includes subjecting the device to temperatures or operating voltages outside the stated operating ranges.) K19]
    Physical and Environmental Protection Preventive
    Establish, implement, and maintain environmental control procedures. CC ID 12246 Establish/Maintain Documentation Preventive
    Establish and maintain a telecommunications equipment room, as necessary. CC ID 06708 Configuration Preventive
    Protect power equipment and power cabling from damage or destruction. CC ID 01438 Physical and Environmental Protection Preventive
    Establish, implement, and maintain a battery room, as necessary. CC ID 06706 Configuration Preventive
    Establish and maintain a generator room, as necessary. CC ID 06704 Configuration Preventive
    Place the Uninterruptible Power Supply in the generator room, as necessary. CC ID 11676 Physical and Environmental Protection Preventive
    Establish, implement, and maintain facility maintenance procedures. CC ID 00710 Establish/Maintain Documentation Preventive
    Design the Information Technology facility with a low profile and consideration given to natural disasters and man-made disasters. CC ID 00712 Physical and Environmental Protection Preventive
    Prohibit signage indicating computer room location and uses. CC ID 06343 Physical and Environmental Protection Preventive
    Require critical facilities to have adequate room for facility maintenance. CC ID 06361 Physical and Environmental Protection Preventive
    Require critical facilities to have adequate room for evacuation. CC ID 11686 Physical and Environmental Protection Preventive
    Build critical facilities according to applicable building codes. CC ID 06366 Physical and Environmental Protection Preventive
    Build critical facilities with fire resistant materials. CC ID 06365 Physical and Environmental Protection Preventive
    Build critical facilities with water-resistant materials. CC ID 11679 Physical and Environmental Protection Preventive
    Monitor operational conditions at unmanned facilities. CC ID 06327 Physical and Environmental Protection Preventive
    Remotely control operational conditions at unmanned facilities. CC ID 11680 Technical Security Preventive
    Inspect and maintain the facility and supporting assets. CC ID 06345 Physical and Environmental Protection Preventive
    Test and inspect assets under full load working conditions. CC ID 06356 Testing Detective
    Define selection criteria for facility locations. CC ID 06351 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain work environment requirements. CC ID 06613 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain system cleanliness requirements. CC ID 06614 Establish/Maintain Documentation Preventive
    House system components in areas where the physical damage potential is minimized. CC ID 01623 Physical and Environmental Protection Preventive
    Establish, implement, and maintain a fire prevention and fire suppression standard. CC ID 06695 Establish/Maintain Documentation Preventive
    Install and maintain fire protection equipment. CC ID 00728 Configuration Preventive
    Install and maintain fire suppression systems. CC ID 00729 Configuration Preventive
    Install and maintain smoke detectors. CC ID 15264 Physical and Environmental Protection Preventive
    Conduct periodic fire marshal inspections for all organizational facilities. CC ID 04888 Physical and Environmental Protection Preventive
    Install and maintain fire-retarding divisions such as fire doors in accordance with applicable building codes. CC ID 06362 Physical and Environmental Protection Preventive
    Conduct fire drills, as necessary. CC ID 13985 Process or Activity Preventive
    Employ environmental protections. CC ID 12570 Process or Activity Preventive
    Monitor and review environmental protections. CC ID 12571 Monitor and Evaluate Occurrences Detective
    Install and maintain seismic detectors in critical facilities. CC ID 06364 Physical and Environmental Protection Detective
    Protect physical assets against static electricity, as necessary. CC ID 06363 Physical and Environmental Protection Preventive
    Install and maintain emergency lighting for use in a power failure. CC ID 01440 Physical and Environmental Protection Preventive
    Install and maintain lightning protection mechanisms in critical facilities. CC ID 06367 Physical and Environmental Protection Preventive
    Establish, implement, and maintain a Heating Ventilation and Air Conditioning system. CC ID 00727 Configuration Preventive
    Install and maintain an environment control monitoring system. CC ID 06370 Monitor and Evaluate Occurrences Detective
    Protect air intakes into the organizational facility. CC ID 02211 Physical and Environmental Protection Preventive
    Install and maintain dust collection and filtering as a part of the Heating Ventilation and Air Conditioning system. CC ID 06368 Configuration Preventive
    Install and maintain backup Heating Ventilation and Air Conditioning equipment. CC ID 06369 Configuration Preventive
    Install and maintain a moisture control system as a part of the climate control system. CC ID 06694 Configuration Preventive
    Install and maintain hydrogen sensors, as necessary. CC ID 06705 Configuration Preventive
    Protect physical assets from water damage. CC ID 00730 Configuration Preventive
    Notify interested personnel and affected parties when water is detected in the vicinity of information systems. CC ID 14252 Communicate Preventive
    Install and maintain water detection devices. CC ID 11678 Physical and Environmental Protection Preventive
  • Privacy protection for information and data
    11
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Privacy protection for information and data CC ID 00008 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personal data collection program. CC ID 06487 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personal data use policy. CC ID 00076 Establish/Maintain Documentation Preventive
    Use personal data for specified purposes. CC ID 11831
    [Sensitive data shall not be retained any longer, or used more often, than strictly necessary. Online PINs are encrypted within the device immediately after PIN entry is complete and has been signified as such by the cardholder, e.g., via pressing the enter button.
    The device must automatically clear its internal buffers when either:
    - The transaction is completed, or
    - The device has timed out waiting for the response from the cardholder or merchant. B6]
    Data and Information Management Preventive
    Establish, implement, and maintain a data handling program. CC ID 13427 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain data handling policies. CC ID 00353 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 Data and Information Management Preventive
    Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758
    [The vendor must provide clear security guidance consistent with B2 and B6 to all application developers to ensure:
    - That it is not possible for applications to be influenced by logical anomalies which could result in clear-text data being outputted whilst the terminal is in encrypting mode.
    - That account data is not retained any longer, or used more often, than strictly necessary. K11.2
    Account data (in either clear-text or encrypted form) shall not be retained any longer, or used more often, than strictly necessary. K15.2
    Sensitive data shall not be retained any longer, or used more often, than strictly necessary. Online PINs are encrypted within the device immediately after PIN entry is complete and has been signified as such by the cardholder, e.g., via pressing the enter button.
    The device must automatically clear its internal buffers when either:
    - The transaction is completed, or
    - The device has timed out waiting for the response from the cardholder or merchant. B6]
    Configuration Preventive
  • System hardening through configuration management
    267
    System hardening through configuration management CC ID 00860 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a Configuration Management program. CC ID 00867
    [The device vendor maintains guidance describing configuration management for the device.
    a) The guidance is at the disposal of internal users, and/or of application developers, system integrators and end-users of the device.
    b) The guidance covers the complete device—including firmware, payment and non-payment applications, forms, multimedia files, certificates, configuration files, configuration setting, and keys.
    c) The guidance covers the complete life cycle of the device from development, over manufacturing, up to delivery and operation.
    d) The security guidance ensures that unauthorized modification is not possible.
    e) The security guidance ensures that any modification of a PTS-approved device that impacts device security, results in a change of the device identifier. J1]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain configuration control and Configuration Status Accounting. CC ID 00863 Business Processes Preventive
    Establish, implement, and maintain appropriate system labeling. CC ID 01900 Establish/Maintain Documentation Preventive
    Include the identification number of the third party who performed the conformity assessment procedures on all promotional materials. CC ID 15041 Establish/Maintain Documentation Preventive
    Include the identification number of the third party who conducted the conformity assessment procedures after the CE marking of conformity. CC ID 15040 Establish/Maintain Documentation Preventive
    Verify configuration files requiring passwords for automation do not contain those passwords after the installation process is complete. CC ID 06555 Configuration Preventive
    Establish, implement, and maintain a configuration management policy. CC ID 14023 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain configuration management procedures. CC ID 14074 Establish/Maintain Documentation Preventive
    Disseminate and communicate the configuration management procedures to interested personnel and affected parties. CC ID 14139 Communicate Preventive
    Include compliance requirements in the configuration management policy. CC ID 14072 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the configuration management policy. CC ID 14071 Establish/Maintain Documentation Preventive
    Include management commitment in the configuration management policy. CC ID 14070 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the configuration management policy. CC ID 14069 Establish/Maintain Documentation Preventive
    Include the scope in the configuration management policy. CC ID 14068 Establish/Maintain Documentation Preventive
    Include the purpose in the configuration management policy. CC ID 14067 Establish/Maintain Documentation Preventive
    Disseminate and communicate the configuration management policy to interested personnel and affected parties. CC ID 14066 Communicate Preventive
    Establish, implement, and maintain a configuration management plan. CC ID 01901 Establish/Maintain Documentation Preventive
    Include configuration management procedures in the configuration management plan. CC ID 14248 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the configuration management plan. CC ID 14247 Establish/Maintain Documentation Preventive
    Approve the configuration management plan. CC ID 14717 Business Processes Preventive
    Establish, implement, and maintain system tracking documentation. CC ID 15266 Establish/Maintain Documentation Preventive
    Include prioritization codes in the system tracking documentation. CC ID 15283 Establish/Maintain Documentation Preventive
    Include the type and category of the request in the system tracking documentation. CC ID 15281 Establish/Maintain Documentation Preventive
    Include contact information in the system tracking documentation. CC ID 15280 Establish/Maintain Documentation Preventive
    Include the username in the system tracking documentation. CC ID 15278 Establish/Maintain Documentation Preventive
    Include a problem description in the system tracking documentation. CC ID 15276 Establish/Maintain Documentation Preventive
    Include affected systems in the system tracking documentation. CC ID 15275 Establish/Maintain Documentation Preventive
    Include root causes in the system tracking documentation. CC ID 15274 Establish/Maintain Documentation Preventive
    Include the name of who is responsible for resolution in the system tracking documentation. CC ID 15273 Establish/Maintain Documentation Preventive
    Include current status in the system tracking documentation. CC ID 15272 Establish/Maintain Documentation Preventive
    Employ the Configuration Management program. CC ID 11904 Configuration Preventive
    Record Configuration Management items in the Configuration Management database. CC ID 00861 Establish/Maintain Documentation Preventive
    Test network access controls for proper Configuration Management settings. CC ID 01281 Testing Detective
    Disseminate and communicate the configuration management program to all interested personnel and affected parties. CC ID 11946
    [The device vendor maintains guidance describing configuration management for the device.
    a) The guidance is at the disposal of internal users, and/or of application developers, system integrators and end-users of the device.
    b) The guidance covers the complete device—including firmware, payment and non-payment applications, forms, multimedia files, certificates, configuration files, configuration setting, and keys.
    c) The guidance covers the complete life cycle of the device from development, over manufacturing, up to delivery and operation.
    d) The security guidance ensures that unauthorized modification is not possible.
    e) The security guidance ensures that any modification of a PTS-approved device that impacts device security, results in a change of the device identifier. J1]
    Communicate Preventive
    Establish, implement, and maintain a Configuration Management Database with accessible reporting capabilities. CC ID 02132 Establish/Maintain Documentation Preventive
    Document external connections for all systems. CC ID 06415 Configuration Preventive
    Establish, implement, and maintain a configuration baseline based on the least functionality principle. CC ID 00862 Establish/Maintain Documentation Preventive
    Include the measures used to account for any differences in operation between the test environments and production environments in the baseline configuration. CC ID 13285 Establish/Maintain Documentation Preventive
    Include the differences between test environments and production environments in the baseline configuration. CC ID 13284 Establish/Maintain Documentation Preventive
    Include the applied security patches in the baseline configuration. CC ID 13271 Establish/Maintain Documentation Preventive
    Include the installed application software and version numbers in the baseline configuration. CC ID 13270 Establish/Maintain Documentation Preventive
    Include installed custom software in the baseline configuration. CC ID 13274 Establish/Maintain Documentation Preventive
    Include network ports in the baseline configuration. CC ID 13273 Establish/Maintain Documentation Preventive
    Include the operating systems and version numbers in the baseline configuration. CC ID 13269 Establish/Maintain Documentation Preventive
    Include backup procedures in the Configuration Management policy. CC ID 01314 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a system hardening standard. CC ID 00876 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain configuration standards for all systems based upon industry best practices. CC ID 11953 Configuration Preventive
    Configure security parameter settings on all system components appropriately. CC ID 12041
    [The operating system of the device must contain only the software (components and services) necessary for the intended operation. The operating system must be configured securely and run with least privilege. B18
    The following features of the device’s operating system must be in place:
    - The operating system of the device must contain only the software (components and services) necessary for the intended operation.
    - The operating system must be configured securely and run with least privilege.
    - The security policy enforced by the device must not allow unauthorized or unnecessary functions.
    - API functionality and commands that are not required to support specific functionality must be disabled (and where possible, removed). K21]
    Technical Security Preventive
    Establish, implement, and maintain system hardening procedures. CC ID 12001 Establish/Maintain Documentation Preventive
    Block and/or remove unused software and unauthorized software. CC ID 00865
    [If the device allows updates of firmware, the device cryptographically authenticates the firmware and if the authenticity is not confirmed, the firmware update is rejected and deleted. B4
    The operating system of the device must contain only the software (components and services) necessary for the intended operation. The operating system must be configured securely and run with least privilege. B18
    If the device allows updates of firmware, the device cryptographically authenticates the firmware and if the authenticity is not confirmed, the firmware update is rejected and deleted. K12
    The following features of the device’s operating system must be in place:
    - The operating system of the device must contain only the software (components and services) necessary for the intended operation.
    - The operating system must be configured securely and run with least privilege.
    - The security policy enforced by the device must not allow unauthorized or unnecessary functions.
    - API functionality and commands that are not required to support specific functionality must be disabled (and where possible, removed). K21]
    Configuration Preventive
    Establish, implement, and maintain idle session termination and logout capabilities. CC ID 01418
    [The device implements session management.
    a) The device keeps track of all connections and restricts the number of sessions that can remain active on the device to the minimum necessary number.
    b) The device sets time limits for sessions and ensures that sessions are not left open for longer than necessary. I6]
    Configuration Preventive
    Refrain from using assertion lifetimes to limit each session. CC ID 13871 Technical Security Preventive
    Configure Session Configuration settings in accordance with organizational standards. CC ID 07698 Configuration Preventive
    Invalidate unexpected session identifiers. CC ID 15307 Configuration Preventive
    Reject session identifiers that are not valid. CC ID 15306 Configuration Preventive
    Configure the "Interactive logon: Message title for users attempting to log on" to organizational standards. CC ID 07699 Configuration Preventive
    Configure the "Network security: Force logoff when logon hours expire" to organizational standards. CC ID 07738 Configuration Preventive
    Configure the "MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)" to organizational standards. CC ID 07758 Configuration Preventive
    Configure the "Microsoft network server: Disconnect clients when logon hours expire" to organizational standards. CC ID 07824 Configuration Preventive
    Configure the "Microsoft network server: Amount of idle time required before suspending session" to organizational standards. CC ID 07826 Configuration Preventive
    Configure the "Interactive logon: Do not display last user name" to organizational standards. CC ID 07832 Configuration Preventive
    Configure the "Interactive logon: Display user information when the session is locked" to organizational standards. CC ID 07848 Configuration Preventive
    Configure the "Interactive logon: Message text for users attempting to log on" to organizational standards. CC ID 07870 Configuration Preventive
    Configure the "Always prompt for password upon connection" to organizational standards. CC ID 08229 Configuration Preventive
    Configure the "Interactive logon: Machine inactivity limit" to organizational standards. CC ID 08350 Configuration Preventive
    Disable all unnecessary applications unless otherwise noted in a policy exception. CC ID 04827
    [The following features of the device’s operating system must be in place:
    - The operating system of the device must contain only the software (components and services) necessary for the intended operation.
    - The operating system must be configured securely and run with least privilege.
    - The security policy enforced by the device must not allow unauthorized or unnecessary functions.
    - API functionality and commands that are not required to support specific functionality must be disabled (and where possible, removed). K21]
    Configuration Preventive
    Restrict and control the use of privileged utility programs. CC ID 12030 Technical Security Preventive
    Disable the storing of movies in cache in Apple's QuickTime. CC ID 04489 Configuration Preventive
    Install and enable file sharing utilities, as necessary. CC ID 02174 Configuration Preventive
    Disable boot services unless boot services are absolutely necessary. CC ID 01481 Configuration Preventive
    Disable File Services for Macintosh unless File Services for Macintosh are absolutely necessary. CC ID 04279 Configuration Preventive
    Configure the Trivial FTP Daemon service to organizational standards. CC ID 01484 Configuration Preventive
    Disable printer daemons or the printer service unless printer daemons or the printer service is absolutely necessary. CC ID 01487 Configuration Preventive
    Disable web server unless web server is absolutely necessary. CC ID 01490 Configuration Preventive
    Disable portmapper unless portmapper is absolutely necessary. CC ID 01492 Configuration Preventive
    Disable writesrv, pmd, and httpdlite unless writesrv, pmd, and httpdlite are absolutely necessary. CC ID 01498 Configuration Preventive
    Disable hwscan hardware detection unless hwscan hardware detection is absolutely necessary. CC ID 01504 Configuration Preventive
    Disable xinetd unless xinetd is absolutely necessary. CC ID 01509 Configuration Preventive
    Configure the /etc/xinetd.conf file permissions as appropriate. CC ID 01568 Configuration Preventive
    Disable inetd unless inetd is absolutely necessary. CC ID 01508 Configuration Preventive
    Disable Network Computing System unless it is absolutely necessary. CC ID 01497 Configuration Preventive
    Disable print server for Macintosh unless print server for Macintosh is absolutely necessary. CC ID 04284 Configuration Preventive
    Disable Print Server unless Print Server is absolutely necessary. CC ID 01488 Configuration Preventive
    Disable remote login/remote shell/rcp command, unless it is absolutely necessary. CC ID 01480 Configuration Preventive
    Disable xfsmd unless xfsmd is absolutely necessary. CC ID 02179 Configuration Preventive
    Disable RPC-based services unless RPC-based services are absolutely necessary. CC ID 01455 Configuration Preventive
    Disable netfs script unless netfs script is absolutely necessary. CC ID 01495 Configuration Preventive
    Disable Remote Procedure Calls unless Remote Procedure Calls are absolutely necessary and if enabled, set restrictions. CC ID 01456 Configuration Preventive
    Configure the "RPC Endpoint Mapper Client Authentication" setting. CC ID 04327 Configuration Preventive
    Disable ncpfs Script unless ncpfs Script is absolutely necessary. CC ID 01494 Configuration Preventive
    Disable sendmail server unless sendmail server is absolutely necessary. CC ID 01511 Configuration Preventive
    Disable postfix unless postfix is absolutely necessary. CC ID 01512 Configuration Preventive
    Disable directory server unless directory server is absolutely necessary. CC ID 01464 Configuration Preventive
    Disable Windows-compatibility client processes unless Windows-compatibility client processes are absolutely necessary. CC ID 01471 Configuration Preventive
    Disable Windows-compatibility servers unless Windows-compatibility servers are absolutely necessary. CC ID 01470 Configuration Preventive
    Disable NFS server processes unless NFS server processes are absolutely necessary. CC ID 01472 Configuration Preventive
    Configure NFS to respond or not as appropriate to NFS client requests that do not include a User ID. CC ID 05981 Configuration Preventive
    Configure NFS with appropriate authentication methods. CC ID 05982 Configuration Preventive
    Configure the "AUTH_DES authentication mechanism" for "NFS server" setting to organizational standards. CC ID 08971 Configuration Preventive
    Configure the "AUTH_KERB authentication mechanism" for "NFS server" setting to organizational standards. CC ID 08972 Configuration Preventive
    Configure the "AUTH_NONE authentication mechanism" for "NFS server" setting to organizational standards. CC ID 08973 Configuration Preventive
    Configure the "AUTH_UNIX authentication mechanism" for "NFS server" setting to organizational standards. CC ID 08974 Configuration Preventive
    Disable webmin processes unless the webmin process is absolutely necessary. CC ID 01501 Configuration Preventive
    Disable automount daemon unless automount daemon is absolutely necessary. CC ID 01476 Configuration Preventive
    Disable CDE-related daemons unless CDE-related daemons are absolutely necessary. CC ID 01474 Configuration Preventive
    Disable finger unless finger is absolutely necessary. CC ID 01505 Configuration Preventive
    Disable Rexec unless Rexec is absolutely necessary. CC ID 02164 Configuration Preventive
    Disable Squid cache server unless Squid cache server is absolutely necessary. CC ID 01502 Configuration Preventive
    Disable Kudzu hardware detection unless Kudzu hardware detection is absolutely necessary. CC ID 01503 Configuration Preventive
    Install and enable public Instant Messaging clients as necessary. CC ID 02173 Configuration Preventive
    Disable x font server unless x font server is absolutely necessary. CC ID 01499 Configuration Preventive
    Validate, approve, and document all UNIX shells prior to use. CC ID 02161 Establish/Maintain Documentation Preventive
    Disable NFS client processes unless NFS client processes are absolutely necessary. CC ID 01475 Configuration Preventive
    Disable the use of removable storage media for systems that process restricted data or restricted information, as necessary. CC ID 06681 Data and Information Management Preventive
    Disable removable storage media daemon unless the removable storage media daemon is absolutely necessary. CC ID 01477 Configuration Preventive
    Disable GSS daemon unless GSS daemon is absolutely necessary. CC ID 01465 Configuration Preventive
    Disable Computer Browser unless Computer Browser is absolutely necessary. CC ID 01814 Configuration Preventive
    Configure the Computer Browser ResetBrowser Frames as appropriate. CC ID 05984 Configuration Preventive
    Configure the /etc/samba/smb.conf file permissions as appropriate. CC ID 05989 Configuration Preventive
    Disable NetMeeting remote desktop sharing unless NetMeeting remote desktop sharing is absolutely necessary. CC ID 01821 Configuration Preventive
    Disable web directory browsing on all web-enabled devices. CC ID 01874 Configuration Preventive
    Disable WWW publishing services unless WWW publishing services are absolutely necessary. CC ID 01833 Configuration Preventive
    Install and enable samba as necessary. CC ID 02175 Configuration Preventive
    Configure the samba hosts allow option with an appropriate set of networks. CC ID 05985 Configuration Preventive
    Configure the samba security option as appropriate. CC ID 05986 Configuration Preventive
    Configure the samba encrypt passwords option as appropriate. CC ID 05987 Configuration Preventive
    Configure the Samba 'smb passwd file' option with an appropriate password file or no password file. CC ID 05988 Configuration Preventive
    Disable Usenet Internet news package file capabilities unless Usenet Internet news package file capabilities are absolutely necessary. CC ID 02176 Configuration Preventive
    Disable iPlanet Web Server unless iPlanet Web Server is absolutely necessary. CC ID 02172 Configuration Preventive
    Disable volume manager unless volume manager is absolutely necessary. CC ID 01469 Configuration Preventive
    Disable Solaris Management Console unless Solaris Management Console is absolutely necessary. CC ID 01468 Configuration Preventive
    Disable the Graphical User Interface unless it is absolutely necessary. CC ID 01466 Configuration Preventive
    Disable help and support unless help and support is absolutely necessary. CC ID 04280 Configuration Preventive
    Disable speech recognition unless speech recognition is absolutely necessary. CC ID 04491 Configuration Preventive
    Disable or secure the NetWare QuickFinder search engine. CC ID 04453 Configuration Preventive
    Disable messenger unless messenger is absolutely necessary. CC ID 01819 Configuration Preventive
    Configure the "Do not allow Windows Messenger to be run" setting. CC ID 04516 Configuration Preventive
    Configure the "Do not automatically start Windows Messenger initially" setting. CC ID 04517 Configuration Preventive
    Configure the "Turn off the Windows Messenger Customer Experience Improvement Program" setting. CC ID 04330 Configuration Preventive
    Disable automatic updates unless automatic updates are absolutely necessary. CC ID 01811 Configuration Preventive
    Configure automatic update installation and shutdown/restart options and shutdown/restart procedures to organizational standards. CC ID 05979 Configuration Preventive
    Disable Name Service Cache Daemon unless Name Service Cache Daemon is absolutely necessary. CC ID 04846 Configuration Preventive
    Verify whether the /bin/rsh file exists, as appropriate. CC ID 05101 Configuration Preventive
    Verify whether the /sbin/rsh file exists, as appropriate. CC ID 05102 Configuration Preventive
    Verify whether the /usr/bin/rsh file exists, as appropriate. CC ID 05103 Configuration Preventive
    Verify whether the /etc/ftpusers file exists, as appropriate. CC ID 05104 Configuration Preventive
    Verify whether the /etc/rsh file exists, as appropriate. CC ID 05105 Configuration Preventive
    Install or uninstall the AIDE package, as appropriate. CC ID 05106 Configuration Preventive
    Enable the GNOME automounter (gnome-volume-manager) as necessary. CC ID 05107 Configuration Preventive
    Install or uninstall the setroubleshoot package, as appropriate. CC ID 05108 Configuration Preventive
    Configure Avahi properly. CC ID 05109 Configuration Preventive
    Install or uninstall OpenNTPD, as appropriate. CC ID 05110 Configuration Preventive
    Install or uninstall the httpd service properly. CC ID 05111 Configuration Preventive
    Install or uninstall the net-smtp package properly. CC ID 05112 Configuration Preventive
    Configure the apache web service properly. CC ID 05113 Configuration Preventive
    Configure the vlock package properly. CC ID 05114 Configuration Preventive
    Establish, implement, and maintain service accounts. CC ID 13861 Technical Security Preventive
    Review the ownership of service accounts, as necessary. CC ID 13863 Technical Security Detective
    Manage access credentials for service accounts. CC ID 13862 Technical Security Preventive
    Configure the daemon account properly. CC ID 05115 Configuration Preventive
    Configure the bin account properly. CC ID 05116 Configuration Preventive
    Configure the nuucp account properly. CC ID 05117 Configuration Preventive
    Configure the smmsp account properly. CC ID 05118 Configuration Preventive
    Configure the listen account properly. CC ID 05119 Configuration Preventive
    Configure the gdm account properly. CC ID 05120 Configuration Preventive
    Configure the webservd account properly. CC ID 05121 Configuration Preventive
    Configure the nobody account properly. CC ID 05122 Configuration Preventive
    Configure the noaccess account properly. CC ID 05123 Configuration Preventive
    Configure the nobody4 account properly. CC ID 05124 Configuration Preventive
    Configure the sys account properly. CC ID 05125 Configuration Preventive
    Configure the adm account properly. CC ID 05126 Configuration Preventive
    Configure the lp account properly. CC ID 05127 Configuration Preventive
    Configure the uucp account properly. CC ID 05128 Configuration Preventive
    Install or uninstall the tftp-server package, as appropriate. CC ID 05130 Configuration Preventive
    Enable the web console as necessary. CC ID 05131 Configuration Preventive
    Enable rlogin authentication via Pluggable Authentication Modules (pam.d) properly. CC ID 05132 Configuration Preventive
    Enable rsh authentication via Pluggable Authentication Modules properly. CC ID 05133 Configuration Preventive
    Enable the listening sendmail daemon, as appropriate. CC ID 05134 Configuration Preventive
    Configure Squid properly. CC ID 05135 Configuration Preventive
    Configure the "global Package signature checking" setting to organizational standards. CC ID 08735 Establish/Maintain Documentation Preventive
    Configure the "Package signature checking" setting for "all configured repositories" to organizational standards. CC ID 08736 Establish/Maintain Documentation Preventive
    Configure the "verify against the package database" setting for "all installed software packages" to organizational standards. CC ID 08737 Establish/Maintain Documentation Preventive
    Configure the "isdn4k-utils" package to organizational standards. CC ID 08738 Establish/Maintain Documentation Preventive
    Configure the "postfix" package to organizational standards. CC ID 08739 Establish/Maintain Documentation Preventive
    Configure the "vsftpd" package to organizational standards. CC ID 08740 Establish/Maintain Documentation Preventive
    Configure the "net-snmpd" package to organizational standards. CC ID 08741 Establish/Maintain Documentation Preventive
    Configure the "rsyslog" package to organizational standards. CC ID 08742 Establish/Maintain Documentation Preventive
    Configure the "ipsec-tools" package to organizational standards. CC ID 08743 Establish/Maintain Documentation Preventive
    Configure the "pam_ccreds" package to organizational standards. CC ID 08744 Establish/Maintain Documentation Preventive
    Configure the "talk-server" package to organizational standards. CC ID 08745 Establish/Maintain Documentation Preventive
    Configure the "talk" package to organizational standards. CC ID 08746 Establish/Maintain Documentation Preventive
    Configure the "irda-utils" package to organizational standards. CC ID 08747 Establish/Maintain Documentation Preventive
    Configure the "/etc/shells" file to organizational standards. CC ID 08978 Configuration Preventive
    Configure the LDAP package to organizational standards. CC ID 09937 Configuration Preventive
    Configure the "FTP server" package to organizational standards. CC ID 09938 Configuration Preventive
    Configure the "HTTP Proxy Server" package to organizational standards. CC ID 09939 Configuration Preventive
    Configure the "prelink" package to organizational standards. CC ID 11379 Configuration Preventive
    Configure the Network Information Service (NIS) package to organizational standards. CC ID 11380 Configuration Preventive
    Configure the "time" setting to organizational standards. CC ID 11381 Configuration Preventive
    Configure the "biosdevname" package to organizational standards. CC ID 11383 Configuration Preventive
    Configure the "ufw" setting to organizational standards. CC ID 11384 Configuration Preventive
    Remove all unnecessary functionality. CC ID 00882
    [The following features of the device’s operating system must be in place:
    - The operating system of the device must contain only the software (components and services) necessary for the intended operation.
    - The operating system must be configured securely and run with least privilege.
    - The security policy enforced by the device must not allow unauthorized or unnecessary functions.
    - API functionality and commands that are not required to support specific functionality must be disabled (and where possible, removed). K21]
    Configuration Preventive
    Document that all enabled functions support secure configurations. CC ID 11985 Establish/Maintain Documentation Preventive
    Find and eradicate unauthorized world-writable files. CC ID 01541 Configuration Preventive
    Strip dangerous/unneeded SUID/SGID system executables. CC ID 01542 Configuration Preventive
    Find and eradicate unauthorized SUID/SGID system executables. CC ID 01543 Configuration Preventive
    Find and eradicate "un-owned" files and "un-owned" directories. CC ID 01544 Configuration Preventive
    Disable logon prompts on serial ports. CC ID 01553 Configuration Preventive
    Disable "nobody" access for Secure RPC. CC ID 01554 Configuration Preventive
    Disable all unnecessary computer interfaces. CC ID 04826 Configuration Preventive
    Enable or disable all unused USB ports as appropriate. CC ID 06042 Configuration Preventive
    Disable all user-mounted removable file systems. CC ID 01536 Configuration Preventive
    Set the Bluetooth Security Mode to the organizational standard. CC ID 00587 Configuration Preventive
    Secure the Bluetooth headset connections. CC ID 00593 Configuration Preventive
    Verify wireless peripherals meet organizational security requirements. CC ID 00657 Testing Detective
    Disable automatic dial-in access to computers that have installed modems. CC ID 02036 Configuration Preventive
    Configure the "Turn off AutoPlay" setting. CC ID 01787 Configuration Preventive
    Configure the "Devices: Restrict floppy access to locally logged on users only" setting. CC ID 01732 Configuration Preventive
    Configure the "Devices: Restrict CD-ROM access to locally logged on users" setting. CC ID 01731 Configuration Preventive
    Configure the "Remove CD Burning features" setting. CC ID 04379 Configuration Preventive
    Disable Autorun. CC ID 01790 Configuration Preventive
    Disable USB devices (aka hotplugger). CC ID 01545 Configuration Preventive
    Enable or disable all unused auxiliary ports as appropriate. CC ID 06414 Configuration Preventive
    Remove rhosts support unless absolutely necessary. CC ID 01555 Configuration Preventive
    Remove weak authentication services from Pluggable Authentication Modules. CC ID 01556 Configuration Preventive
    Remove the /etc/hosts.equiv file. CC ID 01559 Configuration Preventive
    Create the /etc/ftpd/ftpusers file. CC ID 01560 Configuration Preventive
    Remove the X Wrapper and enable the X Display Manager. CC ID 01564 Configuration Preventive
    Remove empty crontab files and restrict file permissions to the file. CC ID 01571 Configuration Preventive
    Remove all compilers and assemblers from the system. CC ID 01594 Configuration Preventive
    Configure the "Devices: Allow undock without having to log on" setting. CC ID 01728 Configuration Preventive
    Limit the user roles that are allowed to format and eject removable storage media. CC ID 01729 Configuration Preventive
    Prevent users from installing printer drivers. CC ID 01730 Configuration Preventive
    Minimize the inetd.conf file and set the file to the appropriate permissions. CC ID 01506 Configuration Preventive
    Configure the unsigned driver installation behavior. CC ID 01733 Configuration Preventive
    Configure the unsigned non-driver installation behavior. CC ID 02038 Configuration Preventive
    Remove all demonstration applications on the system. CC ID 01875 Configuration Preventive
    Configure the system to disallow optional Subsystems. CC ID 04265 Configuration Preventive
    Configure the "Remove Security tab" setting. CC ID 04380 Configuration Preventive
    Disable the automatic display of remote images in HTML-formatted e-mail. CC ID 04494 Configuration Preventive
    Disable Remote Apply Events unless Remote Apply Events are absolutely necessary. CC ID 04495 Configuration Preventive
    Disable Xgrid unless Xgrid is absolutely necessary. CC ID 04496 Configuration Preventive
    Configure the "Do Not Show First Use Dialog Boxes" setting for Windows Media Player properly. CC ID 05136 Configuration Preventive
    Disable Core dumps unless absolutely necessary. CC ID 01507 Configuration Preventive
    Set hard core dump size limits as appropriate. CC ID 05990 Configuration Preventive
    Configure the "Prevent Desktop Shortcut Creation" setting for Windows Media Player properly. CC ID 05137 Configuration Preventive
    Set the Squid EUID and Squid GUID to an appropriate user and group. CC ID 05138 Configuration Preventive
    Verify groups referenced in /etc/passwd are included in /etc/group, as appropriate. CC ID 05139 Configuration Preventive
    Enable or disable use of the cron.allow file, as appropriate. CC ID 06014 Configuration Preventive
    Enable or disable use of the at.allow file, as appropriate. CC ID 06015 Configuration Preventive
    Enable or disable the Dynamic DNS feature of the DHCP Server as appropriate. CC ID 06039 Configuration Preventive
    Enable or disable each user's Screen saver software, as necessary. CC ID 06050 Configuration Preventive
    Disable any unnecessary scripting languages, as necessary. CC ID 12137 Configuration Preventive
    Establish, implement, and maintain an authenticator standard. CC ID 01702 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an authenticator management system. CC ID 12031 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain authenticator procedures. CC ID 12002 Establish/Maintain Documentation Preventive
    Configure authenticators to comply with organizational standards. CC ID 06412 Configuration Preventive
    Configure the system to use asterisks to mask authenticators. CC ID 02037
    [The device never displays the entered PIN digits. Any array related to PIN entry displays only non-significant symbols, e.g., asterisks. B5]
    Configuration Preventive
    Configure the system security parameters to prevent system misuse or information misappropriation. CC ID 00881 Configuration Preventive
    Configure the system to a default secure level. CC ID 01519
    [The device has guidance that describes the default configuration for each protocol and services for each interface that is available on the device. Each interface and protocol on the device should default to secure settings. If the interface has the ability to be configurable to non-secure settings, vendor guidance should strongly recommend against configuring to non-secure settings. H2]
    Configuration Preventive
    Establish, implement, and maintain a Configuration Baseline Documentation Record. CC ID 02130
    [The device has guidance that describes the default configuration for each protocol and services for each interface that is available on the device. Each interface and protocol on the device should default to secure settings. If the interface has the ability to be configurable to non-secure settings, vendor guidance should strongly recommend against configuring to non-secure settings. H2]
    Establish/Maintain Documentation Preventive
    Document and approve any changes to the Configuration Baseline Documentation Record. CC ID 12104 Establish/Maintain Documentation Preventive
    Create a hardened image of the baseline configuration to be used for building new systems. CC ID 07063 Configuration Preventive
    Store master images on securely configured servers. CC ID 12089 Technical Security Preventive
    Test systems to ensure they conform to configuration baselines. CC ID 13062 Testing Detective
    Update the security configuration of hardened images, as necessary. CC ID 12088 Technical Security Corrective
  • Systems design, build, and implementation
    Systems design, build, and implementation CC ID 00989 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a System Development Life Cycle program. CC ID 11823 Systems Design, Build, and Implementation Preventive
    Include information security throughout the system development life cycle. CC ID 12042
    [Security measures are taken during the development and maintenance of POI security-related components. The manufacturer must maintain development-security documentation describing all the physical, procedural, personnel, and other security measures that are necessary to protect the integrity of the design and implementation of the POI security-related components in their development environment. The development-security documentation shall provide evidence that these security measures are followed during the development and maintenance of the POI security-related components. The evidence shall justify that the security measures provide the necessary level of protection to maintain the integrity of the POI security-related components. L7]
    Systems Design, Build, and Implementation Preventive
    Protect confidential information during the system development life cycle program. CC ID 13479 Data and Information Management Preventive
    Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 Systems Design, Build, and Implementation Preventive
    Develop systems in accordance with the system design specifications and system design standards. CC ID 01094 Systems Design, Build, and Implementation Preventive
    Protect stored manufacturing components prior to assembly. CC ID 12248
    [The certified firmware is protected and stored in such a manner as to preclude unauthorized modification during its entire manufacturing life cycle—e.g., by using dual control or standardized cryptographic authentication procedures. L2]
    Systems Design, Build, and Implementation Preventive
    Store manufacturing components in a controlled access area. CC ID 12256
    [Subsequent to production but prior to shipment from the manufacturer’s or reseller’s facility, the device and any of its components are stored in a protected, access-controlled area or sealed within tamper-evident packaging to prevent undetected unauthorized access to the device or its components. L5]
    Physical and Environmental Protection Preventive
    Develop new products based on best practices. CC ID 01095 Systems Design, Build, and Implementation Preventive
    Establish, implement, and maintain a system design specification. CC ID 04557 Establish/Maintain Documentation Preventive
    Include security requirements in the system design specification. CC ID 06826 Systems Design, Build, and Implementation Preventive
    Include anti-tamper technologies and anti-tamper techniques in the system design specification. CC ID 10639
    [The PIN pad (PIN entry area) and the surrounding area must be designed and engineered in such a way that the complete device does not facilitate the fraudulent placement of an overlay over the PIN pad.
    An overlay attack must require an attack potential of at least 18 for identification and initial exploitation, with a minimum of 9 for exploitation. E2.2]
    Monitor and Evaluate Occurrences Detective
    Implement security controls when developing systems. CC ID 06270
    [Security measures are taken during the development and maintenance of POI security-related components. The manufacturer must maintain development-security documentation describing all the physical, procedural, personnel, and other security measures that are necessary to protect the integrity of the design and implementation of the POI security-related components in their development environment. The development-security documentation shall provide evidence that these security measures are followed during the development and maintenance of the POI security-related components. The evidence shall justify that the security measures provide the necessary level of protection to maintain the integrity of the POI security-related components. L7]
    Systems Design, Build, and Implementation Preventive
    Include restricted data encryption and restricted information encryption in the security controls. CC ID 01083 Technical Security Preventive
    Analyze and minimize attack surfaces when developing systems. CC ID 06828 Systems Design, Build, and Implementation Preventive
    Require successful authentication before granting access to system functionality via network interfaces. CC ID 14926 Technical Security Preventive
    Audit all modifications to the application being developed. CC ID 01614 Testing Detective
    Implement a hardware security module, as necessary. CC ID 12222 Systems Design, Build, and Implementation Preventive
    Require dual authentication when switching out of PCI mode in the hardware security module. CC ID 12274 Systems Design, Build, and Implementation Preventive
    Include an indicator to designate when the hardware security module is in PCI mode. CC ID 12273 Systems Design, Build, and Implementation Preventive
    Design the random number generator to generate random numbers that are unpredictable. CC ID 12255
    [If random numbers are generated by the device in connection with security over sensitive data, the random number generator has been assessed to ensure it is generating numbers sufficiently unpredictable. B9]
    Systems Design, Build, and Implementation Preventive
    Design the hardware security module to enforce the separation between applications. CC ID 12254
    [If the device supports multiple applications, it must enforce the separation between applications. It must not be possible that one application interferes with or tampers with another application or the OS of the device including, but not limited to, modifying data objects belonging to another application or the OS. B17
    If the device supports multiple applications, it must enforce the separation between applications consistent with B17. K20]
    Systems Design, Build, and Implementation Preventive
    Protect sensitive data when transiting sensitive services in the hardware security module. CC ID 12253
    [Access to sensitive services requires authentication. Sensitive services provide access to the underlying sensitive functions. Sensitive functions are those functions that process sensitive data such as cryptographic keys, PINs, and passwords. Entering or exiting sensitive services shall not reveal or otherwise affect sensitive data. B7]
    Systems Design, Build, and Implementation Preventive
    Design the hardware security module to automatically clear its internal buffers of sensitive information prior to reuse of the buffer. CC ID 12233
    [Sensitive data shall not be retained any longer, or used more often, than strictly necessary. Online PINs are encrypted within the device immediately after PIN entry is complete and has been signified as such by the cardholder, e.g., via pressing the enter button.
    The device must automatically clear its internal buffers when either:
    - The transaction is completed, or
    - The device has timed out waiting for the response from the cardholder or merchant. B6]
    Systems Design, Build, and Implementation Preventive
    Design the hardware security module to automatically clear its internal buffers of sensitive information after it recovers from an error condition. CC ID 12252 Systems Design, Build, and Implementation Preventive
    Design the hardware security module to automatically clear its internal buffers of sensitive information when it has timed out. CC ID 12251
    [Sensitive data shall not be retained any longer, or used more often, than strictly necessary. Online PINs are encrypted within the device immediately after PIN entry is complete and has been signified as such by the cardholder, e.g., via pressing the enter button.
    The device must automatically clear its internal buffers when either:
    - The transaction is completed, or
    - The device has timed out waiting for the response from the cardholder or merchant. B6]
    Systems Design, Build, and Implementation Preventive
    Design the hardware security module to erase sensitive data when compromised. CC ID 12275
    [{physical alteration} While in transit from the manufacturer’s facility to the initial key-loading facility, the device is:
    - Shipped and stored in tamper-evident packaging; and/or
    - Shipped and stored containing a secret that is immediately and automatically erased if any physical or functional alteration to the device is attempted, that can be verified by the initial key-loading facility, but that cannot feasibly be determined by unauthorized personnel. M3]
    Systems Design, Build, and Implementation Preventive
    Restrict key-usage information for cryptographic keys in the hardware security module. CC ID 12232 Systems Design, Build, and Implementation Preventive
    Prevent cryptographic keys in the hardware security module from making unauthorized changes to data. CC ID 12231
    [It is not possible to encrypt or decrypt any arbitrary data using any PIN-encrypting key or key-encrypting key contained in the device. The device must enforce that data keys, key-encipherment keys, and PIN-encryption keys have different values. B13]
    Systems Design, Build, and Implementation Preventive
    Include in the system documentation methodologies for authenticating the hardware security module. CC ID 12258
    [{TOE} The device’s development-security documentation must provide means to the initial key-loading facility to assure the authenticity of the TOE’s security relevant components. M4]
    Establish/Maintain Documentation Preventive
    Protect sensitive information within the hardware security module from unauthorized changes. CC ID 12225
    [{sensitive function}{sensitive data} Sensitive functions or data are only used in the protected area(s) of the device. Sensitive data and functions dealing with sensitive data are protected from modification without requiring an attack potential of at least 26 for identification and initial exploitation, with a minimum of 13 for exploitation, exclusive of the IC card reader, for identification and initial exploitation. A4]
    Systems Design, Build, and Implementation Preventive
    Prohibit sensitive functions from working outside of protected areas of the hardware security module. CC ID 12224
    [{sensitive function}{sensitive data} Sensitive functions or data are only used in the protected area(s) of the device. Sensitive data and functions dealing with sensitive data are protected from modification without requiring an attack potential of at least 26 for identification and initial exploitation, with a minimum of 13 for exploitation, exclusive of the IC card reader, for identification and initial exploitation. A4]
    Systems Design, Build, and Implementation Preventive
    Establish, implement, and maintain an acceptable use policy for the hardware security module. CC ID 12247
    [A user-available security policy from the vendor addresses the proper use of the POI in a secure fashion, including information on key-management responsibilities, administrative responsibilities, device functionality, identification, and environmental requirements. The security policy must define the roles supported by the POI and indicate the services available for each role in a deterministic tabular format. The POI is capable of performing only its designed functions—i.e., there is no hidden functionality. The only approved functions performed by the POI are those allowed by the policy. B20]
    Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the acceptable use policy for the hardware security module. CC ID 12264
    [A user-available security policy from the vendor addresses the proper use of the POI in a secure fashion, including information on key-management responsibilities, administrative responsibilities, device functionality, identification, and environmental requirements. The security policy must define the roles supported by the POI and indicate the services available for each role in a deterministic tabular format. The POI is capable of performing only its designed functions—i.e., there is no hidden functionality. The only approved functions performed by the POI are those allowed by the policy. B20]
    Establish/Maintain Documentation Preventive
    Include the environmental requirements in the acceptable use policy for the hardware security module. CC ID 12263
    [A user-available security policy from the vendor addresses the proper use of the POI in a secure fashion, including information on key-management responsibilities, administrative responsibilities, device functionality, identification, and environmental requirements. The security policy must define the roles supported by the POI and indicate the services available for each role in a deterministic tabular format. The POI is capable of performing only its designed functions—i.e., there is no hidden functionality. The only approved functions performed by the POI are those allowed by the policy. B20]
    Establish/Maintain Documentation Preventive
    Include device identification in the acceptable use policy for the hardware security module. CC ID 12262
    [A user-available security policy from the vendor addresses the proper use of the POI in a secure fashion, including information on key-management responsibilities, administrative responsibilities, device functionality, identification, and environmental requirements. The security policy must define the roles supported by the POI and indicate the services available for each role in a deterministic tabular format. The POI is capable of performing only its designed functions—i.e., there is no hidden functionality. The only approved functions performed by the POI are those allowed by the policy. B20]
    Establish/Maintain Documentation Preventive
    Include device functionality in the acceptable use policy for the hardware security module. CC ID 12261
    [A user-available security policy from the vendor addresses the proper use of the POI in a secure fashion, including information on key-management responsibilities, administrative responsibilities, device functionality, identification, and environmental requirements. The security policy must define the roles supported by the POI and indicate the services available for each role in a deterministic tabular format. The POI is capable of performing only its designed functions—i.e., there is no hidden functionality. The only approved functions performed by the POI are those allowed by the policy. B20]
    Establish/Maintain Documentation Preventive
    Include administrative responsibilities in the acceptable use policy for the hardware security module. CC ID 12260
    [A user-available security policy from the vendor addresses the proper use of the POI in a secure fashion, including information on key-management responsibilities, administrative responsibilities, device functionality, identification, and environmental requirements. The security policy must define the roles supported by the POI and indicate the services available for each role in a deterministic tabular format. The POI is capable of performing only its designed functions—i.e., there is no hidden functionality. The only approved functions performed by the POI are those allowed by the policy. B20]
    Establish/Maintain Documentation Preventive
    Install secret information into the hardware security module during manufacturing. CC ID 12249 Systems Design, Build, and Implementation Preventive
    Install secret information into the hardware security module so that it can only be verified by the initial-key-loading facility. CC ID 12272
    [{initial-key-loading facility} If the device will be authenticated at the key-loading facility or the facility of initial deployment by means of secret information placed in the device during manufacturing, then this secret information is unique to each device, unknown and unpredictable to any person, and installed in the device under dual control to ensure that it is not disclosed during installation. L6
    {physical alteration} While in transit from the manufacturer’s facility to the initial key-loading facility, the device is:\ - Shipped and stored in tamper-evident packaging; and/or\ - Shipped and stored containing a secret that is immediately and automatically erased if any physical or functional alteration to the device is attempted, that can be verified by the initial key-loading facility, but that cannot feasibly be determined by unauthorized personnel. M3]
    Systems Design, Build, and Implementation Preventive
    Install secret information under dual control into the hardware security module. CC ID 12257
    [{initial-key-loading facility} If the device will be authenticated at the key-loading facility or the facility of initial deployment by means of secret information placed in the device during manufacturing, then this secret information is unique to each device, unknown and unpredictable to any person, and installed in the device under dual control to ensure that it is not disclosed during installation. L6]
    Systems Design, Build, and Implementation Preventive
    Establish, implement, and maintain session security coding standards. CC ID 04584 Establish/Maintain Documentation Preventive
    Establish and maintain a cryptographic architecture document. CC ID 12476 Establish/Maintain Documentation Preventive
    Include the algorithms used in the cryptographic architecture document. CC ID 12483 Establish/Maintain Documentation Preventive
    Include an inventory of all protected areas in the cryptographic architecture document. CC ID 12486 Establish/Maintain Documentation Preventive
    Include a description of the key usage for each key in the cryptographic architecture document. CC ID 12484 Establish/Maintain Documentation Preventive
    Include descriptions of all cryptographic keys in the cryptographic architecture document. CC ID 12487 Establish/Maintain Documentation Preventive
    Include descriptions of the cryptographic key strength of all cryptographic keys in the cryptographic architecture document. CC ID 12488 Establish/Maintain Documentation Preventive
    Include each cryptographic key's expiration date in the cryptographic architecture document. CC ID 12489 Establish/Maintain Documentation Preventive
    Include the protocols used in the cryptographic architecture document. CC ID 12485 Establish/Maintain Documentation Preventive
    Establish and maintain a coding manual for secure coding techniques. CC ID 11863
    [The vendor must provide clear security guidance consistent with B2 and B6 to all application developers to ensure:\ - That it is not possible for applications to be influenced by logical anomalies which could result in clear-text data being outputted whilst the terminal is in encrypting mode.\ - That account data is not retained any longer, or used more often, than strictly necessary. K11.2]
    Establish/Maintain Documentation Preventive
    Protect applications from improper access control through secure coding techniques in source code. CC ID 11959 Technical Security Preventive
    Protect applications from improper error handling through secure coding techniques in source code. CC ID 11937
    [The device’s functionality shall not be influenced by logical anomalies such as (but not limited to) unexpected command sequences, unknown commands, commands in a wrong device mode and supplying wrong parameters or data which could result in the device outputting the clear-text PIN or other sensitive data. B2
    The device’s functionality shall not be influenced by logical anomalies consistent with B2. K13]
    Technical Security Preventive
    Protect applications from insecure communications through secure coding techniques in source code. CC ID 11936 Technical Security Preventive
    Protect applications from XML external entities through secure coding techniques in source code. CC ID 14806 Technical Security Preventive
    Protect applications from insecure deserialization through secure coding techniques in source code. CC ID 14805 Technical Security Preventive
    Refrain from hard-coding security parameters in source code. CC ID 14917 Systems Design, Build, and Implementation Preventive
    Refrain from hard-coding usernames in source code. CC ID 06561 Technical Security Preventive
    Refrain from hard-coding authenticators in source code. CC ID 11829 Technical Security Preventive
    Refrain from hard-coding cryptographic keys in source code. CC ID 12307 Technical Security Preventive
    Protect applications from injection flaws through secure coding techniques in source code. CC ID 11944 Technical Security Preventive
    Control user account management through secure coding techniques in source code. CC ID 11909 Technical Security Preventive
    Restrict direct access of databases to the database administrator through secure coding techniques in source code. CC ID 11933 Technical Security Preventive
    Protect applications from buffer overflows through secure coding techniques in source code. CC ID 11943 Technical Security Preventive
    Protect applications from cross-site scripting through secure coding techniques in source code. CC ID 11899 Process or Activity Preventive
    Protect against coding vulnerabilities through secure coding techniques in source code. CC ID 11897
    [The vendor must provide clear security guidance consistent with B2 and B6 to all application developers to ensure:\ - That it is not possible for applications to be influenced by logical anomalies which could result in clear-text data being outputted whilst the terminal is in encrypting mode.\ - That account data is not retained any longer, or used more often, than strictly necessary. K11.2]
    Process or Activity Preventive
    Protect applications from broken authentication and session management through secure coding techniques in source code. CC ID 11896 Process or Activity Preventive
    Protect applications from insecure cryptographic storage through secure coding techniques in source code. CC ID 11935 Technical Security Preventive
    Protect applications from cross-site request forgery through secure coding techniques in source code. CC ID 11895 Process or Activity Preventive
    Protect databases from unauthorized database management actions through secure coding techniques in source code. CC ID 12049 Technical Security Preventive
    Refrain from displaying error messages to end users through secure coding techniques in source code. CC ID 12166 Systems Design, Build, and Implementation Preventive
    Establish and maintain system security documentation. CC ID 06271
    [Security measures are taken during the development and maintenance of POI security-related components. The manufacturer must maintain development-security documentation describing all the physical, procedural, personnel, and other security measures that are necessary to protect the integrity of the design and implementation of the POI security-related components in their development environment. The development-security documentation shall provide evidence that these security measures are followed during the development and maintenance of the POI security-related components. The evidence shall justify that the security measures provide the necessary level of protection to maintain the integrity of the POI security-related components. L7
    {document and maintain} The vendor documents, maintains and makes available to integrators details on how to implement the protection system against unauthorized removal. E4.2
    The device has security guidance that describes how protocols and services must be used for each interface that is accessible by the device applications. H1]
    Establish/Maintain Documentation Preventive
    Document the procedures and environment used to create the system or software. CC ID 06609 Establish/Maintain Documentation Preventive
    Initiate the System Development Life Cycle implementation phase. CC ID 06268 Systems Design, Build, and Implementation Preventive
    Manage the system implementation process. CC ID 01115 Behavior Preventive
    Implement systems to allow for maintenance, cleaning, adjustment, and use. CC ID 06213
    [{inspection process} Controls exist over the repair process, including the resetting of tamper mechanisms, and the inspection/testing process subsequent to repair to ensure that the device has not been subject to unauthorized modification. L8]
    Systems Design, Build, and Implementation Preventive
    Establish and maintain end user support communications. CC ID 06615 Business Processes Preventive
    Establish, implement, and maintain user documentation. CC ID 12250 Establish/Maintain Documentation Preventive
    Include loss or theft instructions in the user documentation, as necessary. CC ID 12270
    [The vendor must maintain a manual that provides instructions for the operational management of the POI. This includes instructions for recording the entire life cycle of the POI security-related components and of the manner in which those components are integrated into a single POI, e.g.:\ - Data on production and personalization \ - Physical/chronological whereabouts \ - Repair and maintenance \ - Removal from operation \ - Loss or theft M8]
    Establish/Maintain Documentation Preventive
    Include disposition instructions in the user documentation, as necessary. CC ID 12269
    [The vendor must maintain a manual that provides instructions for the operational management of the POI. This includes instructions for recording the entire life cycle of the POI security-related components and of the manner in which those components are integrated into a single POI, e.g.:\ - Data on production and personalization \ - Physical/chronological whereabouts \ - Repair and maintenance \ - Removal from operation \ - Loss or theft M8]
    Establish/Maintain Documentation Preventive
    Include maintenance instructions in the user documentation, as necessary. CC ID 12268
    [The vendor must maintain a manual that provides instructions for the operational management of the POI. This includes instructions for recording the entire life cycle of the POI security-related components and of the manner in which those components are integrated into a single POI, e.g.:\ - Data on production and personalization \ - Physical/chronological whereabouts \ - Repair and maintenance \ - Removal from operation \ - Loss or theft M8]
    Establish/Maintain Documentation Preventive
    Include instructions on recording the location of the system in the user documentation, as necessary. CC ID 12267
    [The vendor must maintain a manual that provides instructions for the operational management of the POI. This includes instructions for recording the entire life cycle of the POI security-related components and of the manner in which those components are integrated into a single POI, e.g.:\ - Data on production and personalization \ - Physical/chronological whereabouts \ - Repair and maintenance \ - Removal from operation \ - Loss or theft M8]
    Establish/Maintain Documentation Preventive
    Include personalization instructions within the user documentation, as necessary. CC ID 12266
    [The vendor must maintain a manual that provides instructions for the operational management of the POI. This includes instructions for recording the entire life cycle of the POI security-related components and of the manner in which those components are integrated into a single POI, e.g.:\ - Data on production and personalization \ - Physical/chronological whereabouts \ - Repair and maintenance \ - Removal from operation \ - Loss or theft M8]
    Establish/Maintain Documentation Preventive
    Include life cycle management instructions for all components within the user documentation. CC ID 12265
    [The vendor must maintain a manual that provides instructions for the operational management of the POI. This includes instructions for recording the entire life cycle of the POI security-related components and of the manner in which those components are integrated into a single POI, e.g.:\ - Data on production and personalization \ - Physical/chronological whereabouts \ - Repair and maintenance \ - Removal from operation \ - Loss or theft M8]
    Establish/Maintain Documentation Preventive
  • Technical security
    Technical security CC ID 00508 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain an access control program. CC ID 11702 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an access rights management plan. CC ID 00513 Establish/Maintain Documentation Preventive
    Control access rights to organizational assets. CC ID 00004 Technical Security Preventive
    Establish access rights based on least privilege. CC ID 01411
    [The operating system of the device must contain only the software (components and services) necessary for the intended operation. The operating system must be configured securely and run with least privilege. B18
    The following features of the device’s operating system must be in place:\ - The operating system of the device must contain only the software (components and services) necessary for the intended operation.\ - The operating system must be configured securely and run with least privilege.\ - The security policy enforced by the device must not allow unauthorized or unnecessary functions.\ - API functionality and commands that are not required to support specific functionality must be disabled (and where possible, removed). K21]
    Technical Security Preventive
    Assign user permissions based on job responsibilities. CC ID 00538 Technical Security Preventive
    Assign user privileges after they have management sign off. CC ID 00542 Technical Security Preventive
    Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 Configuration Preventive
    Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412
    [The device has characteristics that prevent or significantly deter the use of the device for exhaustive PAN determination. K18]
    Technical Security Preventive
    Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 Configuration Preventive
    Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 Communicate Corrective
    Disallow unlocking user accounts absent system administrator approval. CC ID 01413 Technical Security Preventive
    Establish, implement, and maintain session lock capabilities. CC ID 01417
    [The device implements session management.\ a) The device keeps track of all connections and restricts the number of sessions that can remain active on the device to the minimum necessary number.\ b) The device sets time limits for sessions and ensures that sessions are not left open for longer than necessary. I6]
    Configuration Preventive
    Limit concurrent sessions according to account type. CC ID 01416
    [The device implements session management.\ a) The device keeps track of all connections and restricts the number of sessions that can remain active on the device to the minimum necessary number.\ b) The device sets time limits for sessions and ensures that sessions are not left open for longer than necessary. I6]
    Configuration Preventive
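    The I6 text quoted above asks for two distinct controls on a device's network sessions: a cap on how many may be active at once, and a time limit so that an abandoned session cannot stay open. The Go program below is an added illustration written for this report; it is not code from the PCI PTS POI requirements or from any approved device, and the SessionTable type, the two-session cap and the 30-second idle limit are illustrative choices. The point it makes concrete is ordering: expiry is applied before every admission and lookup, so a stale session neither occupies a slot against the cap nor can be resumed by a later message from the peer.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

var (
	ErrTooManySessions = errors.New("session limit reached")
	ErrNoSuchSession   = errors.New("unknown or expired session")
	ErrDuplicateID     = errors.New("session id already active")
)

type session struct {
	peer     string
	lastSeen time.Time
}

// SessionTable enforces both halves of I6: a hard cap on concurrent sessions and an
// idle limit after which a session is closed whether or not the peer ever said goodbye.
type SessionTable struct {
	limit    int
	idle     time.Duration
	now      func() time.Time // injectable clock so expiry is testable without sleeping
	sessions map[string]*session
}

// NewSessionTable builds a table; a nil clock means the real wall clock.
func NewSessionTable(limit int, idle time.Duration, now func() time.Time) *SessionTable {
	if now == nil {
		now = time.Now
	}
	return &SessionTable{limit: limit, idle: idle, now: now, sessions: map[string]*session{}}
}

// reap closes every session idle longer than the limit. It runs before every admission
// and lookup, so a stale session can neither hold a slot nor be used again.
func (st *SessionTable) reap() {
	cutoff := st.now().Add(-st.idle)
	for id, s := range st.sessions {
		if s.lastSeen.Before(cutoff) {
			delete(st.sessions, id)
		}
	}
}

// Open admits a new session only while the table is below its cap.
func (st *SessionTable) Open(id, peer string) error {
	st.reap()
	if _, dup := st.sessions[id]; dup {
		return ErrDuplicateID
	}
	if len(st.sessions) >= st.limit {
		return ErrTooManySessions
	}
	st.sessions[id] = &session{peer: peer, lastSeen: st.now()}
	return nil
}

// Touch records activity on a session. An expired session is rejected, not revived.
func (st *SessionTable) Touch(id string) error {
	st.reap()
	s, ok := st.sessions[id]
	if !ok {
		return ErrNoSuchSession
	}
	s.lastSeen = st.now()
	return nil
}

// Close ends a session explicitly, which is the normal path; reap is the backstop.
func (st *SessionTable) Close(id string) { delete(st.sessions, id) }

// Active returns the number of live (non-expired) sessions.
func (st *SessionTable) Active() int {
	st.reap()
	return len(st.sessions)
}

func main() {
	st := NewSessionTable(2, 30*time.Second, nil)
	fmt.Println(st.Open("s1", "store-controller"), st.Open("s2", "host"), st.Open("s3", "host"))
	fmt.Println("active:", st.Active())
}
```

    The clock is injected so the timeout path can be exercised deterministically; on a real device the same table would sit behind the interface that accepts connections, and the idle limit would be set to the shortest value the supported protocols tolerate, since I6 asks for the minimum necessary rather than a comfortable default.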
    Include digital identification procedures in the access control program. CC ID 11841 Technical Security Preventive
    Require proper authentication for user identifiers. CC ID 11785
    [The update mechanism ensures security, i.e., integrity, mutual authentication, and protection against replay, by using an appropriate and declared security protocol when using a network connection. For manual updates, administrator rights must be implemented using password/PINs and/or cryptographic authentication techniques. J4
    Access to sensitive services requires authentication. Sensitive services provide access to the underlying sensitive functions. Sensitive functions are those functions that process sensitive data such as cryptographic keys, account data, and passwords. Entering or exiting sensitive services shall not reveal or otherwise affect sensitive data. K22
    Access to sensitive services requires authentication. Sensitive services provide access to the underlying sensitive functions. Sensitive functions are those functions that process sensitive data such as cryptographic keys, PINs, and passwords. Entering or exiting sensitive services shall not reveal or otherwise affect sensitive data. B7]
    Technical Security Preventive
    Assign authenticators to user accounts. CC ID 06855 Configuration Preventive
    Assign authentication mechanisms for user account authentication. CC ID 06856 Configuration Preventive
    Refrain from allowing individuals to share authentication mechanisms. CC ID 11932 Technical Security Preventive
    Establish and maintain a memorized secret list. CC ID 13791 Establish/Maintain Documentation Preventive
    Limit account credential reuse as a part of digital identification procedures. CC ID 12357 Configuration Preventive
    Refrain from assigning authentication mechanisms for shared accounts. CC ID 11910 Technical Security Preventive
    Use biometric authentication for identification and authentication, as necessary. CC ID 06857 Establish Roles Preventive
    Employ live scans to verify biometric authentication. CC ID 06847 Technical Security Preventive
    Identify the user when enrolling them in the biometric system. CC ID 06882 Testing Detective
    Disallow self-enrollment of biometric information. CC ID 11834 Process or Activity Preventive
    Tune the biometric identification equipment, as necessary. CC ID 07077 Configuration Corrective
    Notify a user when an authenticator for a user account is changed. CC ID 13820 Communicate Preventive
    Enforce information flow control. CC ID 11781 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain information flow control configuration standards. CC ID 01924 Establish/Maintain Documentation Preventive
    Require the system to identify and authenticate approved devices before establishing a connection to restricted data. CC ID 01429
    [{POI application} The POI (application) must enforce the correspondence between the display messages visible to the cardholder and the operating state (i.e., secure or non-secure mode) of the PIN entry device, e.g., by using cryptographic authentication.\ If commands impacting the correspondence between the display messages and the operating state of the PIN entry device are received from an external device (e.g., a store controller), the commands enabling data entry must be authenticated.\ The alteration of the correspondence between the display messages visible to the cardholder and the operating state of the PIN entry device cannot occur without requiring an attack potential of at least 18 per POI for identification and initial exploitation with a minimum of 9 for exploitation. E3.4
    {Certificate Authority} The device uses a declared security protocol to authenticate the server.\ a) Server authentication utilizes key sizes appropriate for the algorithm(s) in question.\ b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.\ c) The device is able to verify the validity of the public keys it receives.\ d) The device is able to verify the authenticity of the public keys it receives.\ e) The device’s trusted root certificate store shall contain only public key certificates from trusted CA's or else self-signed certificates verified by the acquirer. I4]
    Testing Preventive
    Maintain a record of the challenge state during identification and authentication in an automated information exchange. CC ID 06629 Establish/Maintain Documentation Preventive
    Constrain the information flow of restricted data or restricted information. CC ID 06763
    [When operating in encrypting mode, the secure controller can only release clear-text account data to authenticated applications executing within the device. K15.1]
    Data and Information Management Preventive
    Restrict access to restricted data and restricted information on a need to know basis. CC ID 12453 Data and Information Management Preventive
    Prohibit restricted data or restricted information from being sent to mobile devices. CC ID 04725 Data and Information Management Preventive
    Prohibit restricted data or restricted information from being copied or moved absent approval of system boundaries for information flow control. CC ID 06310 Data and Information Management Preventive
    Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain information exchange procedures. CC ID 11782 Establish/Maintain Documentation Preventive
    Enable encryption of a protected distribution system if sending restricted data or restricted information. CC ID 01749 Configuration Preventive
    Protect data from unauthorized disclosure while transmitting between separate parts of the system. CC ID 11859
    [All account data is either encrypted immediately upon entry or entered in clear-text into a secure device and processed within the secure controller of the device. K1
    The device protects all account data upon entry (consistent with A9 for magnetic stripe data and D1 for Chip data), and there is no method of accessing the clear-text account data (using methods described in A1) without defeating the security of the device. Defeating or circumventing the security mechanism requires an attack potential of at least 16 for identification and initial exploitation, with a minimum of 8 for exploitation. K1.1
    The logical and physical integration of an approved secure card reader into a PIN entry POI terminal does not create new attack paths to the account data. The account data is protected from the input component to the secure controller of the device—i.e., it is not possible to insert a bug that would disclose sensitive data. K2]
    Data and Information Management Preventive
    Control all methods of remote access and teleworking. CC ID 00559 Technical Security Preventive
    Protect remote access accounts with encryption. CC ID 00562
    [If the device may be accessed remotely for the purposes of administration, all access attempts must be cryptographically authenticated. If the authenticity of the access request cannot be confirmed, the access request is denied. K9]
    Configuration Preventive
    Manage the use of encryption controls and cryptographic controls. CC ID 00570
    [Public keys must be stored and used in a manner that protects against unauthorized modification or substitution. Unauthorized modification or substitution requires an attack potential of at least 26 for identification and initial exploitation with a minimum of 13 for exploitation. K3.1
    {mode of operation} All account data shall be encrypted using only ANSI X9 or ISO-approved encryption algorithms (e.g., AES, TDES) and should use ANSI X9 or ISO-approved modes of operation. K4]
    Technical Security Preventive
    Define the cryptographic module security functions and the cryptographic module operational modes. CC ID 06542 Establish/Maintain Documentation Preventive
    Define the cryptographic boundaries. CC ID 06543 Establish/Maintain Documentation Preventive
    Establish and maintain the documentation requirements for cryptographic modules. CC ID 06544 Establish/Maintain Documentation Preventive
    Establish and maintain the security requirements for cryptographic module ports and cryptographic module interfaces. CC ID 06545 Establish/Maintain Documentation Preventive
    Implement the documented cryptographic module security functions. CC ID 06755 Data and Information Management Preventive
    Establish, implement, and maintain documentation for the delivery and operation of cryptographic modules. CC ID 06547 Establish/Maintain Documentation Preventive
    Document the operation of the cryptographic module. CC ID 06546 Establish/Maintain Documentation Preventive
    Employ only secure versions of cryptographic controls. CC ID 12491 Technical Security Preventive
    Establish, implement, and maintain digital signatures. CC ID 13828 Data and Information Management Preventive
    Include the expiration date in digital signatures. CC ID 13833 Data and Information Management Preventive
    Include audience restrictions in digital signatures. CC ID 13834 Data and Information Management Preventive
    Include the subject in digital signatures. CC ID 13832 Data and Information Management Preventive
    Include the issuer in digital signatures. CC ID 13831 Data and Information Management Preventive
    Include identifiers in the digital signature. CC ID 13829 Data and Information Management Preventive
    Generate and protect a secret random number for each digital signature. CC ID 06577 Establish/Maintain Documentation Preventive
    Establish the security strength requirements for the digital signature process. CC ID 06578
    [The device is able to provide the integrity of data that is sent over a network connection.\ a) Integrity is provided by a MAC as defined in ISO 16609, or by a digital signature.\ b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.\ c) Examples of appropriate algorithms and minimum key sizes are stated in Appendix D of the PCI PTS POI DTRs. I3]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an encryption management and cryptographic controls policy. CC ID 04546 Establish/Maintain Documentation Preventive
    Refrain from allowing the use of cleartext for input or output of restricted data or restricted information. CC ID 04823
    [{refrain from allowing} When operating in encrypting mode, there is no mechanism in the device that would allow the outputting of clear-text account data. Changing between an encrypting and non-encrypting mode of operation requires explicit authentication. K15
    There is no mechanism in the device that would allow the outputting of a private or secret clear-text key or clear-text PIN, the encryption of a key or PIN under a key that might itself be disclosed, or the transfer of a clear-text key from a component of high security into a component of lesser security. B14]
    Configuration Preventive
    Encrypt restricted data or restricted information using the most secure method possible. CC ID 04824
    [PIN protection during transmission between the device encrypting the PIN and the ICC reader (at least two must apply):\ If the device encrypting the PIN and the ICC reader are not integrated into the same secure module, and the cardholder verification method is determined to be:\ - An enciphered PIN, the PIN block shall be enciphered between the device encrypting the PIN and the ICC reader using either an authenticated encipherment key of the IC card, or in accordance with ISO 9564.\ - A plaintext PIN, the PIN block shall be enciphered from the device encrypting the PIN to the ICC reader (the ICC reader will then decipher the PIN for transmission in plaintext to the IC card) in accordance with ISO 9564.\ If the device encrypting the PIN and the ICC reader are integrated into the same secure module, and the cardholder verification method is determined to be:\ - An enciphered PIN, the PIN block shall be enciphered using an authenticated encipherment key of the IC card.\ - A plaintext PIN, then encipherment is not required if the PIN block is transmitted wholly through a protected environment (as defined in ISO 9564). If the plaintext PIN is transmitted to the ICC reader through an unprotected environment, the PIN block shall be enciphered in accordance with ISO 9564. D4
    The device is able to provide the integrity of data that is sent over a network connection.\ a) Integrity is provided by a MAC as defined in ISO 16609, or by a digital signature.\ b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.\ c) Examples of appropriate algorithms and minimum key sizes are stated in Appendix D of the PCI PTS POI DTRs. I3
    {mode of operation} All account data shall be encrypted using only ANSI X9 or ISO-approved encryption algorithms (e.g., AES, TDES) and should use ANSI X9 or ISO-approved modes of operation. K4
    Sensitive data shall not be retained any longer, or used more often, than strictly necessary. Online PINs are encrypted within the device immediately after PIN entry is complete and has been signified as such by the cardholder, e.g., via pressing the enter button.\ The device must automatically clear its internal buffers when either:\ - The transaction is completed, or\ - The device has timed out waiting for the response from the cardholder or merchant. B6]
    Data and Information Management Preventive
    Make key usage for data fields unique for each device. CC ID 04828
    [{secret keys}{private keys} Secret and private keys that reside within the device to support account data encryption are unique per device. K7
    Encryption or decryption of any arbitrary data using any account data-encrypting key or key-encrypting key contained in the device is not permitted.\ The device must enforce that account data keys, key-encipherment keys, and PIN-encryption keys have different values. K8
    It is not possible to encrypt or decrypt any arbitrary data using any PIN-encrypting key or key-encrypting key contained in the device. The device must enforce that data keys, key-encipherment keys, and PIN-encryption keys have different values. B13]
    Technical Security Preventive
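    K7, K8 and B13 above describe a property the device must enforce rather than merely document: each key has one purpose, no two purposes share a key value, and no host command may use an account-data key or key-encipherment key as a general encryption or decryption oracle. The Go sketch below is an added example for this report, not vendor or PCI code; the KeyStore type, the usage names and the key identifiers are illustrative, and the 16-byte keys in main and in the test are constructed. It binds a usage to each key when the key is loaded, rejects any value already present in the table, and exposes only typed operations (a PIN block formed inside the device, a stored key to be wrapped), so there is no entry point that accepts caller-chosen plaintext together with a caller-chosen key. Account-data encryption is omitted for length; it would pass through the same cipherFor gate.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"errors"
	"fmt"
)

// KeyUsage is the one purpose a loaded key is bound to for its whole life (K8/B13).
type KeyUsage string

const (
	UsageAccountData KeyUsage = "account-data" // captured account data only
	UsageKEK         KeyUsage = "kek"          // wrapping other stored keys only
	UsagePIN         KeyUsage = "pin"          // formatted PIN blocks only
)

var (
	ErrDuplicateKeyValue = errors.New("key value is already loaded under another id")
	ErrUsageMismatch     = errors.New("key is not bound to the requested usage")
	ErrUnknownKey        = errors.New("no such key")
)

type boundKey struct{ usage KeyUsage; value []byte }

// KeyStore models the device's internal key table; each entry carries exactly one usage.
type KeyStore struct{ keys map[string]boundKey }

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string]boundKey{}} }

// Load binds a 128-bit AES key to one usage and rejects a value equal to any key already
// in the table, so data, key-encipherment and PIN keys can never share a value.
func (ks *KeyStore) Load(id string, usage KeyUsage, value []byte) error {
	if len(value) != 16 {
		return errors.New("expected a 16-byte AES-128 key")
	}
	for _, k := range ks.keys {
		if subtle.ConstantTimeCompare(k.value, value) == 1 {
			return ErrDuplicateKeyValue
		}
	}
	ks.keys[id] = boundKey{usage: usage, value: append([]byte(nil), value...)}
	return nil
}

// cipherFor releases an AES cipher only when the key's bound usage is the one the calling
// operation needs; there is no entry point that yields a cipher for an arbitrary purpose.
func (ks *KeyStore) cipherFor(id string, need KeyUsage) (cipher.Block, error) {
	k, ok := ks.keys[id]
	if !ok {
		return nil, ErrUnknownKey
	}
	if k.usage != need {
		return nil, ErrUsageMismatch
	}
	return aes.NewCipher(k.value)
}

// EncryptPINBlock encrypts one 16-byte PIN block formed inside the device under a PIN key.
func (ks *KeyStore) EncryptPINBlock(pinKeyID string, pinBlock [16]byte) ([]byte, error) {
	blk, err := ks.cipherFor(pinKeyID, UsagePIN)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 16)
	blk.Encrypt(out, pinBlock[:])
	return out, nil
}

// WrapKey encrypts another stored key under a KEK; the plaintext is never caller-supplied,
// so the KEK cannot serve as a data oracle. (Single-block AES stands in for a standard
// key-wrapping mode to keep the example short.)
func (ks *KeyStore) WrapKey(kekID, targetID string) ([]byte, error) {
	blk, err := ks.cipherFor(kekID, UsageKEK)
	if err != nil {
		return nil, err
	}
	target, ok := ks.keys[targetID]
	if !ok {
		return nil, ErrUnknownKey
	}
	out := make([]byte, 16)
	blk.Encrypt(out, target.value)
	return out, nil
}

func main() {
	ks := NewKeyStore() // constructed test keys, not device material
	_ = ks.Load("DEK1", UsageAccountData, []byte("0123456789abcdef"))
	_, err := ks.EncryptPINBlock("DEK1", [16]byte{}) // a data key asked to do PIN work
	fmt.Println("PIN block under a data key:", err)
	fmt.Println("PIN key reusing a data key's value:", ks.Load("PEK1", UsagePIN, []byte("0123456789abcdef")))
}
```

    In a real POI the table lives inside the secure controller and the wrap operation uses a standard key-wrapping mode rather than a single AES block; what carries over unchanged is the shape of the interface, in which the usage check happens once, in cipherFor, and every public operation has to pass through it.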
    Decrypt restricted data for the minimum time required. CC ID 12308 Data and Information Management Preventive
    Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309 Data and Information Management Preventive
    Accept only trusted keys and/or certificates. CC ID 11988 Technical Security Preventive
    Establish, implement, and maintain cryptographic key creation domain parameter requirements. CC ID 06575
    [The device is able to provide confidentiality of data sent over a network connection.\ a) Encryption mechanism utilizes key sizes appropriate for the algorithm(s) in question.\ b) Encryption is provided by using keys that are established in a secure manner using appropriate key-management procedures, such as those listed in NIST SP800-21, Guidelines for Implementing Cryptography in the Federal Government and ISO 11568 Banking – Key Management (Retail). I2
    {Certificate Authority} The device uses a declared security protocol to authenticate the server.\ a) Server authentication utilizes key sizes appropriate for the algorithm(s) in question.\ b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.\ c) The device is able to verify the validity of the public keys it receives.\ d) The device is able to verify the authenticity of the public keys it receives.\ e) The device’s trusted root certificate store shall contain only public key certificates from trusted CA's or else self-signed certificates verified by the acquirer. I4
    If using a hash function to generate surrogate PAN values, input to the hash function must use a salt with minimum length of 64 bits. K16.1]
    Data and Information Management Preventive
    Define the asymmetric signature field for the CHUID container on identification cards or badges. CC ID 06584 Process or Activity Preventive
    Implement cryptographic operations and support functions on identification cards or badges. CC ID 06585 Process or Activity Preventive
    Define the format of the biometric data on identification cards or badges. CC ID 06586 Process or Activity Preventive
    Provide guidance to customers on how to securely transmit, store, and update cryptographic keys. CC ID 12040
    [The device has guidance for key management describing how keys and certificates must be used.
    a) The key-management guidance is at the disposal of internal users and/or of application developers, system integrators, and end-users of the device.
    b) Key-management security guidance describes the properties of all keys and certificates that can be used by the device.
    c) Key-management security guidance describes the responsibilities of the device vendor, application developers, system integrators, and end-users of the device.
    d) Key-management security guidance ensures secure use of keys and certificates. H3]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain cryptographic key management procedures. CC ID 00571
    [The device has guidance for key management describing how keys and certificates must be used.
    a) The key-management guidance is at the disposal of internal users and/or of application developers, system integrators, and end-users of the device.
    b) Key-management security guidance describes the properties of all keys and certificates that can be used by the device.
    c) Key-management security guidance describes the responsibilities of the device vendor, application developers, system integrators, and end-users of the device.
    d) Key-management security guidance ensures secure use of keys and certificates. H3
    The device is able to provide confidentiality of data sent over a network connection.
    a) Encryption mechanism utilizes key sizes appropriate for the algorithm(s) in question.
    b) Encryption is provided by using keys that are established in a secure manner using appropriate key-management procedures, such as those listed in NIST SP800-21, Guidelines for Implementing Cryptography in the Federal Government and ISO 11568 Banking – Key Management (Retail). I2
    {turnkey system} The vendor must provide a defined and documented process containing specific details on how any signing mechanisms must be implemented. This must include any “turnkey” systems required for compliance with the management of display prompts, or any mechanisms used for authenticating any application code. This must ensure:
    - The signing process is performed under dual control.
    - All executable files are signed.
    - Software is only signed using a secure cryptographic device provided by the terminal vendor. B4.2]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate cryptographic key management procedures to interested personnel and affected parties. CC ID 13164 Communicate Preventive
    Bind keys to each identity. CC ID 12337 Technical Security Preventive
    Include recommended cryptographic key management procedures for cloud service providers in the cryptographic key management procedures. CC ID 13152 Establish/Maintain Documentation Preventive
    Include requesting cryptographic key types in the cryptographic key management procedures. CC ID 13151 Establish/Maintain Documentation Preventive
    Recover encrypted data for lost cryptographic keys, compromised cryptographic keys, or damaged cryptographic keys. CC ID 01301 Data and Information Management Preventive
    Generate strong cryptographic keys. CC ID 01299 Data and Information Management Preventive
    Generate unique cryptographic keys for each user. CC ID 12169 Technical Security Preventive
    Use approved random number generators for creating cryptographic keys. CC ID 06574 Data and Information Management Preventive
    Implement decryption keys so that they are not linked to user accounts. CC ID 06851 Technical Security Preventive
    Include the establishment of cryptographic keys in the cryptographic key management procedures. CC ID 06540
    [{determine}{reside}{penetrate} Determination of any PIN-security-related cryptographic key resident in the device, by penetration of the device and/or by monitoring emanations from the device (including power fluctuations), requires an attack potential of at least 35 for identification and initial exploitation with a minimum of 15 for exploitation. A6
    The device has guidance for key management describing how keys and certificates must be used.
    a) The key-management guidance is at the disposal of internal users and/or of application developers, system integrators, and end-users of the device.
    b) Key-management security guidance describes the properties of all keys and certificates that can be used by the device.
    c) Key-management security guidance describes the responsibilities of the device vendor, application developers, system integrators, and end-users of the device.
    d) Key-management security guidance ensures secure use of keys and certificates. H3
    {Certificate Authority} The device uses a declared security protocol to authenticate the server.
    a) Server authentication utilizes key sizes appropriate for the algorithm(s) in question.
    b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.
    c) The device is able to verify the validity of the public keys it receives.
    d) The device is able to verify the authenticity of the public keys it receives.
    e) The device’s trusted root certificate store shall contain only public key certificates from trusted CA's or else self-signed certificates verified by the acquirer. I4]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate cryptographic keys securely. CC ID 01300
    [If remote key distribution is used, the device supports mutual authentication between the sending key-distribution host and receiving device. K5]
    Data and Information Management Preventive
    Control the input and output of cryptographic keys from a cryptographic module. CC ID 06541 Data and Information Management Preventive
    Store cryptographic keys securely. CC ID 01298
    [If the device can hold multiple PIN-encryption keys and if the key to be used to encrypt the PIN can be externally selected, the device prohibits unauthorized key replacement and key misuse. C1
    Determination of any cryptographic keys used for account-data encryption, by penetration of the device and/or by monitoring emanations from the device (including power fluctuations), requires an attack potential of at least 26 for identification and initial exploitation with a minimum of 13 for exploitation. K3
    Public keys must be stored and used in a manner that protects against unauthorized modification or substitution. Unauthorized modification or substitution requires an attack potential of at least 26 for identification and initial exploitation with a minimum of 13 for exploitation. K3.1]
    Data and Information Management Preventive
    Restrict access to cryptographic keys. CC ID 01297 Data and Information Management Preventive
    Store cryptographic keys in encrypted format. CC ID 06084
    [If using a hash function to generate surrogate PAN values, the salt is kept secret and appropriately protected. Disclosure of the salt cannot occur without requiring an attack potential of at least 16 per device for identification and initial exploitation with a minimum of 8 for exploitation. K16.2]
    Data and Information Management Preventive
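    Worked example for K16.1 and K16.2 above, added by the editor; it is not code from the PCI PTS POI standard or from this report. The standard only requires a salt of at least 64 bits that is kept secret; the choices below (a 16-digit PAN, HMAC-SHA-256 as the keyed hash, and a masked-PAN threat model in which the attacker knows the 6-digit BIN and the last 4 digits) are assumptions made for the illustration. The recovery routine shows why the requirement exists: with BIN and last four known, only five PAN digits are free (the sixth is fixed by the Luhn check digit), so an unsalted or leaked-salt hash is reversed in under a second.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# K16.1: the salt fed to the surrogate-PAN hash must be at least 64 bits.
MIN_SALT_BYTES = 8

# Luhn contribution of a digit at index i of a 16-digit PAN: every second
# digit counted from the right (even indices here) is doubled, with 10..18
# folded back to a single digit.
_DOUBLED = (0, 2, 4, 6, 8, 1, 3, 5, 7, 9)


def _contrib(index: int, digit: int) -> int:
    return _DOUBLED[digit] if index % 2 == 0 else digit


def luhn_ok(pan: str) -> bool:
    """Luhn check for a 16-digit PAN (input validation before tokenising)."""
    if len(pan) != 16 or not pan.isdigit():
        return False
    return sum(_contrib(i, int(c)) for i, c in enumerate(pan)) % 10 == 0


def new_salt(length: int = 32) -> bytes:
    """Fresh random salt; it must then be stored as a secret (K16.2)."""
    return secrets.token_bytes(length)


def digest_of(pan: str, salt: Optional[bytes]) -> str:
    """Unsalted SHA-256 when salt is None (the weak construction); otherwise
    HMAC-SHA-256 keyed with the salt, so the salt is mixed in as a key rather
    than as a guessable prefix."""
    if salt is None:
        return hashlib.sha256(pan.encode()).hexdigest()
    return hmac.new(salt, pan.encode(), hashlib.sha256).hexdigest()


def surrogate_pan(pan: str, salt: bytes) -> str:
    """Surrogate PAN value; refuses malformed PANs and salts shorter than K16.1 allows."""
    if not luhn_ok(pan):
        raise ValueError("not a valid 16-digit PAN")
    if len(salt) < MIN_SALT_BYTES:
        raise ValueError(f"salt must be at least {MIN_SALT_BYTES * 8} bits (K16.1)")
    return digest_of(pan, salt)


def recover_pan(digest: str, bin6: str, last4: str, salt: Optional[bytes] = None) -> Optional[str]:
    """Attacker's view: BIN and last four known, five middle digits free, the
    sixth fixed by Luhn. 100,000 candidates are enough to reverse an unsalted
    hash (salt=None) or a salted one whose salt has leaked."""
    known = {i: int(c) for i, c in enumerate(bin6)}
    known.update({12 + i: int(c) for i, c in enumerate(last4)})
    base = sum(_contrib(i, d) for i, d in known.items())
    for n in range(100_000):
        mid = f"{n:05d}"  # digits at indices 6..10
        partial = base + sum(_contrib(6 + i, int(c)) for i, c in enumerate(mid))
        # Index 11 is an undoubled position, so exactly one digit there
        # completes the Luhn sum.
        d11 = (-partial) % 10
        candidate = bin6 + mid + str(d11) + last4
        if hmac.compare_digest(digest_of(candidate, salt), digest):
            return candidate
    return None


if __name__ == "__main__":
    pan = "4111111111111111"  # constructed test PAN, not a real card
    salt = new_salt()
    token = surrogate_pan(pan, salt)
    print("unsalted hash recovered:   ", recover_pan(digest_of(pan, None), "411111", "1111"))
    print("salted token, salt unknown:", recover_pan(token, "411111", "1111"))
    print("salted token, salt leaked: ", recover_pan(token, "411111", "1111", salt))
```

    The salt is doing the work of a key here, which is why K16.2 demands it be protected like one: once it leaks, the third call recovers the PAN exactly as easily as the unsalted case.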
    Store key-encrypting keys and data-encrypting keys in different locations. CC ID 06085 Technical Security Preventive
    Include offsite backups of cryptographic keys in the cryptographic key management procedures. CC ID 13127 Establish/Maintain Documentation Preventive
    Change cryptographic keys, as necessary. CC ID 01302 Data and Information Management Preventive
    Destroy cryptographic keys promptly after the retention period. CC ID 01303 Data and Information Management Preventive
    Control cryptographic keys with split knowledge and dual control. CC ID 01304
    [{turnkey system} The vendor must provide a defined and documented process containing specific details on how any signing mechanisms must be implemented. This must include any “turnkey” systems required for compliance with the management of display prompts, or any mechanisms used for authenticating any application code. This must ensure:
    - The signing process is performed under dual control.
    - All executable files are signed.
    - Software is only signed using a secure cryptographic device provided by the terminal vendor. B4.2]
    Data and Information Management Preventive
    Prevent the unauthorized substitution of cryptographic keys. CC ID 01305 Data and Information Management Preventive
    Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys. CC ID 06852 Technical Security Preventive
    Revoke old cryptographic keys or invalid cryptographic keys immediately. CC ID 01307 Data and Information Management Corrective
    Replace known or suspected compromised cryptographic keys immediately. CC ID 01306 Data and Information Management Corrective
    Archive outdated cryptographic keys. CC ID 06884 Data and Information Management Preventive
    Archive revoked cryptographic keys. CC ID 11819 Data and Information Management Preventive
    Require key custodians to sign the cryptographic key management policy. CC ID 01308 Establish/Maintain Documentation Preventive
    Require key custodians to sign the key custodian's roles and responsibilities. CC ID 11820 Human Resources Management Preventive
    Test cryptographic key management applications, as necessary. CC ID 04829 Testing Detective
    Manage the digital signature cryptographic key pair. CC ID 06576 Data and Information Management Preventive
    Establish, implement, and maintain requirements for Personal Identity Verification authentication certificates. CC ID 06587 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain Public Key certificate application procedures. CC ID 07079 Establish/Maintain Documentation Preventive
    Include the Identification and Authentication of individuals or entities in the Public Key certificate application procedures. CC ID 07080 Establish/Maintain Documentation Preventive
    Include approving or rejecting Public Key certificate applications in the Public Key certificate application procedure. CC ID 07081 Establish/Maintain Documentation Preventive
    Include revocation of Public Key certificates in the Public Key certificate procedures. CC ID 07082 Establish/Maintain Documentation Preventive
    Publish revoked Public Key certificates in the Certificate Revocation List. CC ID 07089 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain Public Key renewal or rekeying request procedures. CC ID 07083 Establish/Maintain Documentation Preventive
    Include identification and authentication in Public Key renewal or rekeying request procedures. CC ID 11816 Establish/Maintain Documentation Preventive
    Issue authentication mechanisms that support the Public Key Infrastructure. CC ID 07092 Technical Security Preventive
    Establish a Root Certification Authority to support the Public Key Infrastructure. CC ID 07084
    [{Certificate Authority} The device uses a declared security protocol to authenticate the server.
    a) Server authentication utilizes key sizes appropriate for the algorithm(s) in question.
    b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.
    c) The device is able to verify the validity of the public keys it receives.
    d) The device is able to verify the authenticity of the public keys it receives.
    e) The device’s trusted root certificate store shall contain only public key certificates from trusted CA's or else self-signed certificates verified by the acquirer. I4]
    Technical Security Preventive
    Establish, implement, and maintain Public Key certificate procedures. CC ID 07085
    [{Certificate Authority} The device uses a declared security protocol to authenticate the server.
    a) Server authentication utilizes key sizes appropriate for the algorithm(s) in question.
    b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.
    c) The device is able to verify the validity of the public keys it receives.
    d) The device is able to verify the authenticity of the public keys it receives.
    e) The device’s trusted root certificate store shall contain only public key certificates from trusted CA's or else self-signed certificates verified by the acquirer. I4]
    Establish/Maintain Documentation Preventive
    Include signing and issuing Public Key certificates in the Public Key certificate procedures. CC ID 11817
    [{Certificate Authority} The device uses a declared security protocol to authenticate the server.
    a) Server authentication utilizes key sizes appropriate for the algorithm(s) in question.
    b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.
    c) The device is able to verify the validity of the public keys it receives.
    d) The device is able to verify the authenticity of the public keys it receives.
    e) The device’s trusted root certificate store shall contain only public key certificates from trusted CA's or else self-signed certificates verified by the acquirer. I4]
    Establish/Maintain Documentation Preventive
    Include publishing Public Key certificates in the Public Key certificate procedures. CC ID 07087 Establish/Maintain Documentation Preventive
    Include access to issued Public Key certificates in the Public Key certificate procedures. CC ID 07086 Establish/Maintain Documentation Preventive
    Connect the Public Key Infrastructure to the organization's identity and access management system. CC ID 07091 Technical Security Preventive
    Archive Public Key certificate records according to organizational Records Management rules. CC ID 07090 Records Management Preventive
    Refrain from storing encryption keys with cloud service providers when cryptographic key management services are in place locally. CC ID 13153 Technical Security Preventive
    Refrain from permitting cloud service providers to manage encryption keys when cryptographic key management services are in place locally. CC ID 13154 Technical Security Preventive
    Use strong data encryption to transmit restricted data or restricted information over public networks. CC ID 00564
    [The device is able to provide confidentiality of data sent over a network connection.
    a) Encryption mechanism utilizes key sizes appropriate for the algorithm(s) in question.
    b) Encryption is provided by using keys that are established in a secure manner using appropriate key-management procedures, such as those listed in NIST SP800-21, Guidelines for Implementing Cryptography in the Federal Government and ISO 11568 Banking – Key Management (Retail). I2]
    Technical Security Preventive
    Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls. CC ID 12492 Technical Security Preventive
    Encrypt traffic over public networks with trusted cryptographic keys. CC ID 12490 Technical Security Preventive
    Authorize transactions of data transmitted over public networks or shared data networks. CC ID 00566 Establish/Maintain Documentation Preventive
    Implement non-repudiation for transactions. CC ID 00567
    [The device supports data origin authentication of encrypted messages. K6]
    Testing Detective
    Treat data messages that do not receive an acknowledgment as never having been sent. CC ID 14416 Technical Security Preventive
    Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks. CC ID 00568 Technical Security Preventive
    Protect application services information transmitted over a public network from unauthorized modification. CC ID 12021 Technical Security Preventive
    Protect application services information transmitted over a public network from unauthorized disclosure. CC ID 12020 Technical Security Preventive
    Protect application services information transmitted over a public network from contract disputes. CC ID 12019 Technical Security Preventive
    Protect application services information transmitted over a public network from fraudulent activity. CC ID 12018 Technical Security Preventive
    Establish, implement, and maintain a malicious code protection program. CC ID 00574 Establish/Maintain Documentation Preventive
    Protect the system against replay attacks. CC ID 04552
    [The device is able to detect replay of messages and enables the secure handling of the exceptions. I5]
    Technical Security Preventive
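    Worked example for K6 (data origin authentication of encrypted messages) and I5 (replay detection with secure handling of the exception) above, added by the editor; it is not code from the PCI PTS POI standard or from this report. The wire format (8-byte sender id, 64-bit message counter, opaque ciphertext, HMAC-SHA-256 tag), the sliding replay window, and the demo key are assumptions made for the illustration; the ciphertext is assumed to come from a separate cipher under a separate key, in keeping with the key-separation rule in K8. The order of checks is the point: the tag is verified before the counter is looked at, so an unauthenticated message can neither move the window nor probe it, and no failed check changes receiver state.

```python
import hashlib
import hmac
import struct

SENDER_ID_LEN = 8
TAG_LEN = 32
HEADER_LEN = SENDER_ID_LEN + 8  # sender id || 64-bit big-endian message counter

# Constructed demo MAC key; a real device would hold this in its secure
# storage, distinct from its PIN and account-data keys (K8).
DEMO_MAC_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c2b7e151628aed2a6abf7158809cf4f3c")


class RejectedMessage(Exception):
    """Raised for every failed check; the receiver's state is left untouched."""
    def __init__(self, reason: str):
        super().__init__(reason)
        self.reason = reason


def _tag(mac_key: bytes, header: bytes, ciphertext: bytes) -> bytes:
    return hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()


class Sender:
    """Host side: prefixes each already-encrypted payload with its identity and
    a strictly increasing counter, then authenticates header and payload together."""
    def __init__(self, mac_key: bytes, sender_id: bytes):
        if len(sender_id) != SENDER_ID_LEN:
            raise ValueError("sender id must be 8 bytes")
        self.mac_key, self.sender_id, self.counter = mac_key, sender_id, 0

    def protect(self, ciphertext: bytes) -> bytes:
        self.counter += 1
        header = self.sender_id + struct.pack(">Q", self.counter)
        return header + ciphertext + _tag(self.mac_key, header, ciphertext)


class Receiver:
    """Device side: verifies origin (tag, then expected sender) before looking
    at the counter, then rejects replays with a sliding window so modestly
    reordered traffic is still accepted."""
    def __init__(self, mac_key: bytes, expected_sender: bytes, window: int = 64):
        self.mac_key, self.expected_sender, self.window = mac_key, expected_sender, window
        self.highest = 0   # largest counter accepted so far
        self.seen = 0      # bit k set <=> counter (highest - k) already accepted

    def accept(self, wire: bytes) -> bytes:
        if len(wire) < HEADER_LEN + TAG_LEN:
            raise RejectedMessage("truncated")
        header, ciphertext, tag = wire[:HEADER_LEN], wire[HEADER_LEN:-TAG_LEN], wire[-TAG_LEN:]
        # Origin authentication first (K6): constant-time compare, and the
        # counter is not trusted until the tag has been verified.
        if not hmac.compare_digest(tag, _tag(self.mac_key, header, ciphertext)):
            raise RejectedMessage("bad tag")
        sender_id = header[:SENDER_ID_LEN]
        counter = struct.unpack(">Q", header[SENDER_ID_LEN:])[0]
        if sender_id != self.expected_sender:
            raise RejectedMessage("unexpected origin")
        if counter == 0:
            raise RejectedMessage("invalid counter")
        # Replay detection (I5): sliding window of `window` counters.
        if counter > self.highest:
            shift = counter - self.highest
            if shift >= self.window:
                self.seen = 1  # everything previously seen has fallen out of the window
            else:
                self.seen = ((self.seen << shift) | 1) & ((1 << self.window) - 1)
            self.highest = counter
        else:
            offset = self.highest - counter
            if offset >= self.window:
                raise RejectedMessage("replay: counter too old")
            if (self.seen >> offset) & 1:
                raise RejectedMessage("replay: duplicate counter")
            self.seen |= 1 << offset
        return ciphertext


if __name__ == "__main__":
    host, device = Sender(DEMO_MAC_KEY, b"HOST0001"), Receiver(DEMO_MAC_KEY, b"HOST0001")
    m1, m2, m3 = (host.protect(c) for c in (b"ct-1", b"ct-2", b"ct-3"))
    for msg in (m1, m3, m2, m2):  # constructed sequence: reordered delivery, then a replay
        try:
            print("accepted", device.accept(msg))
        except RejectedMessage as e:
            print("rejected:", e.reason)
```

    Each rejection carries a distinct reason so the device can log and handle the exception without leaking anything useful to the sender; a deployment that must survive a device reboot would additionally have to persist `highest` so the window cannot be reset by power-cycling.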
  • Third Party and supply chain oversight
    19
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Third Party and supply chain oversight CC ID 08807 IT Impact Zone IT Impact Zone
    Conduct all parts of the supply chain due diligence process. CC ID 08854 Business Processes Preventive
    Assess third parties' compliance environment during due diligence. CC ID 13134 Process or Activity Detective
    Request attestation of compliance from third parties. CC ID 12067 Establish/Maintain Documentation Detective
    Validate the third parties' compliance to organizationally mandated compliance requirements. CC ID 08819
    [The POI should be protected from unauthorized modification with tamper-evident security features, and customers shall be provided with documentation (both shipped with the product and available securely online) that provides instruction on validating the authenticity and integrity of the POI.
    Where this is not possible, the POI is shipped from the manufacturer’s facility to the initial key-loading facility or to the facility of initial deployment and stored en route under auditable controls that can account for the location of every POI at every point in time.
    Where multiple parties are involved in organizing the shipping, it is the responsibility of each party to ensure that the shipping and storage they are managing is compliant with this requirement. M1]
    Business Processes Preventive
    Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain. CC ID 08878 Business Processes Preventive
    Define the traceability documentation required for chain of custody certification. CC ID 08895
    [The POI should be protected from unauthorized modification with tamper-evident security features, and customers shall be provided with documentation (both shipped with the product and available securely online) that provides instruction on validating the authenticity and integrity of the POI.
    Where this is not possible, the POI is shipped from the manufacturer’s facility to the initial key-loading facility or to the facility of initial deployment and stored en route under auditable controls that can account for the location of every POI at every point in time.
    Where multiple parties are involved in organizing the shipping, it is the responsibility of each party to ensure that the shipping and storage they are managing is compliant with this requirement. M1]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain physical security controls for the supply chain. CC ID 08931 Business Processes Preventive
    Assign unique reference numbers to all products and their subcomponents. CC ID 08932
    [Each device shall have a unique visible identifier affixed to it. M7]
    Business Processes Preventive
    Establish, implement, and maintain product shipment procedures. CC ID 08934
    [Procedures are in place to transfer accountability for the device from the manufacturer to the facility of initial deployment. Where the device is shipped via intermediaries such as resellers, accountability will be with the intermediary from the time at which they receive the device until the time it is received by the next intermediary or the point of initial deployment. M2]
    Establish/Maintain Documentation Preventive
    Coordinate and support suppliers' physical security controls. CC ID 08935 Business Processes Preventive
    Inspect all incoming shipments for conformity to information from the supplier. CC ID 08936 Business Processes Preventive
    Use authorized personnel to unseal and open incoming shipments. CC ID 08938 Behavior Preventive
    Report tampering when tampering indicators are identified in incoming shipments. CC ID 08937 Business Processes Detective
    Document accurate outgoing shipment information. CC ID 08939 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain export records of outgoing shipments. CC ID 08954 Establish/Maintain Documentation Preventive
    Report incoming shipment inconsistencies when an incoming shipment inconsistency is identified. CC ID 08940 Behavior Detective
    Segregate and secure shipments that have incoming shipment inconsistencies. CC ID 08941 Business Processes Preventive
    Provide access to outgoing shipment information, as necessary. CC ID 08942 Data and Information Management Preventive
Common Controls and mandates by Type
104 Mandated Controls - bold    80 Implied Controls - italic    684 Implementation

Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.

Number of Controls
868 Total
  • Acquisition/Sale of Assets or Services
    3
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Acquire spare parts prior to when maintenance requests are scheduled. CC ID 11833 Operational management Preventive
    Plan for selling facilities, technology, or services. CC ID 06893 Acquisition or sale of facilities, technology, and services Preventive
    Establish, implement, and maintain equipment shipping procedures. CC ID 11449 Acquisition or sale of facilities, technology, and services Preventive
  • Audits and Risk Management
    7
    Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 Audits and risk management Preventive
    Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 Audits and risk management Preventive
    Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 Audits and risk management Preventive
    Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 Audits and risk management Preventive
    Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 Audits and risk management Preventive
    Review the risk to the audit function when the audit personnel status changes. CC ID 01153 Audits and risk management Preventive
    Conduct external audits of risk assessments, as necessary. CC ID 13308 Audits and risk management Detective
  • Behavior
    12
    Establish, implement, and maintain a testing program. CC ID 00654 Monitoring and measurement Preventive
    Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 Monitoring and measurement Corrective
    Refrain from accepting instant messages from unknown senders. CC ID 12537 Operational management Preventive
    Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815
    [{document and maintain} The vendor documents, maintains and makes available to integrators details on how to implement the protection system against unauthorized removal. E4.2]
    Operational management Preventive
    Maintain contact with the device manufacturer or component manufacturer for maintenance requests. CC ID 06388 Operational management Preventive
    Respond to maintenance requests inside the organizationally established time frame. CC ID 04878 Operational management Preventive
    Perform periodic maintenance according to organizational standards. CC ID 01435
    [The device vendor has maintenance measures in place.
    a) The maintenance measures are documented.
    b) The maintenance measures ensure timely detection of vulnerabilities that apply to the device by periodic execution of a vulnerability assessment that includes activities such as: analysis, survey of information available in the public domain, and testing.
    c) The maintenance measures ensure timely assessment and classification of newly found vulnerabilities.
    d) The maintenance measures ensure timely creation of mitigation measures for newly found vulnerabilities that may impact device security. J2]
    Operational management Preventive
    Disseminate and communicate proposed changes to all interested personnel and affected parties. CC ID 06807 Operational management Preventive
    Disseminate and communicate software update information to users and regulators. CC ID 06602 Operational management Preventive
    Manage the system implementation process. CC ID 01115 Systems design, build, and implementation Preventive
    Use authorized personnel to unseal and open incoming shipments. CC ID 08938 Third Party and supply chain oversight Preventive
    Report incoming shipment inconsistencies when an incoming shipment inconsistency is identified. CC ID 08940 Third Party and supply chain oversight Detective
  • Business Processes
    27
    Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 Monitoring and measurement Preventive
    Align the information security policy with the organization's risk acceptance level. CC ID 13042 Operational management Preventive
    Establish, implement, and maintain information security procedures. CC ID 12006 Operational management Preventive
    Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 Operational management Preventive
    Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 Operational management Preventive
    Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 Operational management Preventive
    Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 Operational management Preventive
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 Operational management Preventive
    Establish, implement, and maintain an Asset Management program. CC ID 06630 Operational management Preventive
    Obtain approval before removing maintenance tools from the facility. CC ID 14298 Operational management Preventive
    Manage change requests. CC ID 00887 Operational management Preventive
    Examine all changes to ensure they correspond with the change request. CC ID 12345 Operational management Detective
    Implement changes according to the change control program. CC ID 11776 Operational management Preventive
    Prioritize deploying patches according to vulnerability risk metrics. CC ID 06796 Operational management Preventive
    Mitigate the adverse effects of unauthorized changes. CC ID 12244 Operational management Corrective
    Establish, implement, and maintain configuration control and Configuration Status Accounting. CC ID 00863 System hardening through configuration management Preventive
    Approve the configuration management plan. CC ID 14717 System hardening through configuration management Preventive
    Establish and maintain end user support communications. CC ID 06615 Systems design, build, and implementation Preventive
    Conduct all parts of the supply chain due diligence process. CC ID 08854 Third Party and supply chain oversight Preventive
    Validate the third parties' compliance to organizationally mandated compliance requirements. CC ID 08819
    [The POI should be protected from unauthorized modification with tamper-evident security features, and customers shall be provided with documentation (both shipped with the product and available securely online) that provides instruction on validating the authenticity and integrity of the POI.
    Where this is not possible, the POI is shipped from the manufacturer’s facility to the initial key-loading facility or to the facility of initial deployment and stored en route under auditable controls that can account for the location of every POI at every point in time.
    Where multiple parties are involved in organizing the shipping, it is the responsibility of each party to ensure that the shipping and storage they are managing is compliant with this requirement. M1]
    Third Party and supply chain oversight Preventive
    Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain. CC ID 08878 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain physical security controls for the supply chain. CC ID 08931 Third Party and supply chain oversight Preventive
    Assign unique reference numbers to all products and their subcomponents. CC ID 08932
    [Each device shall have a unique visible identifier affixed to it. M7]
    Third Party and supply chain oversight Preventive
    Coordinate and support suppliers' physical security controls. CC ID 08935 Third Party and supply chain oversight Preventive
    Inspect all incoming shipments for conformity to information from the supplier. CC ID 08936 Third Party and supply chain oversight Preventive
    Report tampering when tampering indicators are identified in incoming shipments. CC ID 08937 Third Party and supply chain oversight Detective
    Segregate and secure shipments that have incoming shipment inconsistencies. CC ID 08941 Third Party and supply chain oversight Preventive
  • Communicate
    15
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 Audits and risk management Preventive
    Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 Audits and risk management Preventive
    Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 Technical security Corrective
    Notify a user when an authenticator for a user account is changed. CC ID 13820 Technical security Preventive
    Disseminate and communicate cryptographic key management procedures to interested personnel and affected parties. CC ID 13164 Technical security Preventive
    Disseminate and communicate the asset removal policy to interested personnel and affected parties. CC ID 13160 Physical and environmental protection Preventive
    Notify interested personnel and affected parties when water is detected in the vicinity of information systems. CC ID 14252 Physical and environmental protection Preventive
    Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 Operational management Preventive
    Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 Operational management Preventive
    Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 Operational management Preventive
    Disseminate and communicate the system maintenance policy to interested personnel and affected parties. CC ID 14213 Operational management Preventive
    Disseminate and communicate the system maintenance procedures to interested personnel and affected parties. CC ID 14194 Operational management Preventive
    Disseminate and communicate the configuration management procedures to interested personnel and affected parties. CC ID 14139 System hardening through configuration management Preventive
    Disseminate and communicate the configuration management policy to interested personnel and affected parties. CC ID 14066 System hardening through configuration management Preventive
    Disseminate and communicate the configuration management program to all interested personnel and affected parties. CC ID 11946
    [The device vendor maintains guidance describing configuration management for the device.\ a) The guidance is at the disposal of internal users, and/or of application developers, system integrators and end-users of the device.\ b) The guidance covers the complete device—including firmware, payment and non-payment applications, forms, multimedia files, certificates, configuration files, configuration setting, and keys.\ c) The guidance covers the complete life cycle of the device from development, over manufacturing, up to delivery and operation.\ d) The security guidance ensures that unauthorized modification is not possible.\ e) The security guidance ensures that any modification of a PTS-approved device that impacts device security, results in a change of the device identifier. J1]
    System hardening through configuration management Preventive
  • Configuration
    224
    Update the vulnerability scanners' vulnerability list. CC ID 10634 Monitoring and measurement Corrective
    Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 Technical security Preventive
    Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 Technical security Preventive
    Establish, implement, and maintain session lock capabilities. CC ID 01417
    [The device implements session management.\ a) The device keeps track of all connections and restricts the number of sessions that can remain active on the device to the minimum necessary number.\ b) The device sets time limits for sessions and ensures that sessions are not left open for longer than necessary. I6]
    Technical security Preventive
    Limit concurrent sessions according to account type. CC ID 01416
    [The device implements session management.\ a) The device keeps track of all connections and restricts the number of sessions that can remain active on the device to the minimum necessary number.\ b) The device sets time limits for sessions and ensures that sessions are not left open for longer than necessary. I6]
    Technical security Preventive
    Assign authenticators to user accounts. CC ID 06855 Technical security Preventive
    Assign authentication mechanisms for user account authentication. CC ID 06856 Technical security Preventive
    Limit account credential reuse as a part of digital identification procedures. CC ID 12357 Technical security Preventive
    Tune the biometric identification equipment, as necessary. CC ID 07077 Technical security Corrective
    Enable encryption of a protected distribution system if sending restricted data or restricted information. CC ID 01749 Technical security Preventive
    Protect remote access accounts with encryption. CC ID 00562
    [If the device may be accessed remotely for the purposes of administration, all access attempts must be cryptographically authenticated. If the authenticity of the access request cannot be confirmed, the access request is denied. K9]
    Technical security Preventive
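Requirement K9 above names the property (every remote administrative access attempt is cryptographically authenticated, and anything that cannot be confirmed is denied) but not a mechanism. The following is an added example, not code from the standard or from any vendor, of the device-side check as a fresh-challenge, single-use-nonce exchange: the proof is a MAC bound to the nonce and to the requested operation, so a captured exchange cannot be replayed or redirected to a different command. The admin key, 30-second challenge lifetime and message layout are assumptions for this example; a production POI would more likely use an asymmetric credential held in its secure element, but the control flow is the same.

```python
"""Challenge-response authentication for remote administrative access.

Added example modelled on requirement K9: every access attempt must be
cryptographically authenticated and is denied unless the proof verifies.
The admin key, nonce TTL and message layout are assumptions for this
example, not values from the PCI PTS POI standard.
"""
import hashlib
import hmac
import secrets
import time

NONCE_LEN = 16  # fixed length, so nonce || operation parses unambiguously


class RemoteAdminAuthenticator:
    """Device side: issues single-use challenges and verifies HMAC proofs."""

    def __init__(self, admin_key: bytes, ttl_seconds: float = 30.0, clock=time.monotonic):
        self._key = admin_key
        self._ttl = ttl_seconds
        self._clock = clock
        self._pending = {}  # nonce -> time issued

    def challenge(self) -> bytes:
        """Hand the remote party a fresh random nonce to prove possession of the key over."""
        nonce = secrets.token_bytes(NONCE_LEN)
        self._pending[nonce] = self._clock()
        return nonce

    def authorize(self, nonce: bytes, operation: bytes, proof: bytes) -> bool:
        """Return True only for a fresh nonce and a proof bound to this exact operation.

        The nonce is consumed on first use, whether or not the proof verifies,
        so a captured exchange cannot be replayed.
        """
        issued = self._pending.pop(nonce, None)
        if issued is None or self._clock() - issued > self._ttl:
            return False  # unknown, reused or stale challenge: deny by default
        expected = hmac.new(self._key, nonce + operation, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)  # constant-time comparison


def admin_proof(admin_key: bytes, nonce: bytes, operation: bytes) -> bytes:
    """Remote administrator side: MAC over the challenge and the requested operation."""
    return hmac.new(admin_key, nonce + operation, hashlib.sha256).digest()


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # provisioned admin key (constructed for the demo)
    device = RemoteAdminAuthenticator(key)
    nonce = device.challenge()
    proof = admin_proof(key, nonce, b"set-terminal-id")
    print("genuine:", device.authorize(nonce, b"set-terminal-id", proof))
    print("replay: ", device.authorize(nonce, b"set-terminal-id", proof))
```

The device never evaluates the operation before `authorize` returns True, and it keeps no record that a proof "almost" matched: a failed attempt consumes the nonce and the caller must start over with a new challenge.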
    Refrain from allowing the use of cleartext for input or output of restricted data or restricted information. CC ID 04823
    [{refrain from allowing} When operating in encrypting mode, there is no mechanism in the device that would allow the outputting of clear-text account data. Changing between an encrypting and non-encrypting mode of operation requires explicit authentication. K15
    There is no mechanism in the device that would allow the outputting of a private or secret clear-text key or clear-text PIN, the encryption of a key or PIN under a key that might itself be disclosed, or the transfer of a clear-text key from a component of high security into a component of lesser security. B14]
    Technical security Preventive
    Disallow disabling tamper detection and response mechanisms, absent authorization. CC ID 12211
    [The device protects all account data upon entry (consistent with A9 for magnetic stripe data and D1 for Chip data), and there is no method of accessing the clear-text account data (using methods described in A1) without defeating the security of the device. Defeating or circumventing the security mechanism requires an attack potential of at least 16 for identification and initial exploitation, with a minimum of 8 for exploitation. K1.1
    {tamper response} The device uses tamper-detection and response mechanisms that cause it to become immediately inoperable and result in the automatic and immediate erasure of any sensitive data that may be stored in the device, such that it becomes infeasible to recover the sensitive data. These mechanisms protect against physical penetration of the device by means of (but not limited to) drills, lasers, chemical solvents, opening covers, splitting the casing (seams), and using ventilation openings; and there is not any demonstrable way to disable or defeat the mechanism and insert a PIN-disclosing bug or gain access to secret information without requiring an attack potential of at least 26 per device for identification and initial exploitation, with a minimum of 13 for exploitation, exclusive of the IC card reader. A1]
    Physical and environmental protection Preventive
    Prevent security mechanisms from being compromised by adverse physical conditions. CC ID 12215
    [The security of the device is not compromised by altering: \ - Environmental conditions\ - Operational conditions A3]
    Physical and environmental protection Preventive
    Establish and maintain a telecommunications equipment room, as necessary. CC ID 06708 Physical and environmental protection Preventive
    Establish, implement, and maintain a battery room, as necessary. CC ID 06706 Physical and environmental protection Preventive
    Establish and maintain a generator room, as necessary. CC ID 06704 Physical and environmental protection Preventive
    Install and maintain fire protection equipment. CC ID 00728 Physical and environmental protection Preventive
    Install and maintain fire suppression systems. CC ID 00729 Physical and environmental protection Preventive
    Establish, implement, and maintain a Heating Ventilation and Air Conditioning system. CC ID 00727 Physical and environmental protection Preventive
    Install and maintain dust collection and filtering as a part of the Heating Ventilation and Air Conditioning system. CC ID 06368 Physical and environmental protection Preventive
    Install and maintain backup Heating Ventilation and Air Conditioning equipment. CC ID 06369 Physical and environmental protection Preventive
    Install and maintain a moisture control system as a part of the climate control system. CC ID 06694 Physical and environmental protection Preventive
    Install and maintain hydrogen sensors, as necessary. CC ID 06705 Physical and environmental protection Preventive
    Protect physical assets from water damage. CC ID 00730 Physical and environmental protection Preventive
    Separate remote maintenance sessions from other network sessions with a logically separate communications path based upon encryption. CC ID 10614 Operational management Preventive
    Deploy software patches. CC ID 07032 Operational management Corrective
    Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 Operational management Corrective
    Remove outdated software after software has been updated. CC ID 11792 Operational management Corrective
    Update computer firmware, as necessary. CC ID 11755 Operational management Corrective
    Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671 Operational management Corrective
    Establish, implement, and maintain a configuration change log. CC ID 08710 Operational management Detective
    Verify configuration files requiring passwords for automation do not contain those passwords after the installation process is complete. CC ID 06555 System hardening through configuration management Preventive
    Employ the Configuration Management program. CC ID 11904 System hardening through configuration management Preventive
    Document external connections for all systems. CC ID 06415 System hardening through configuration management Preventive
    Establish, implement, and maintain configuration standards for all systems based upon industry best practices. CC ID 11953 System hardening through configuration management Preventive
    Block and/or remove unused software and unauthorized software. CC ID 00865
    [If the device allows updates of firmware, the device cryptographically authenticates the firmware and if the authenticity is not confirmed, the firmware update is rejected and deleted. B4
    The operating system of the device must contain only the software (components and services) necessary for the intended operation. The operating system must be configured securely and run with least privilege. B18
    If the device allows updates of firmware, the device cryptographically authenticates the firmware and if the authenticity is not confirmed, the firmware update is rejected and deleted. K12
    The following features of the device’s operating system must be in place:\ - The operating system of the device must contain only the software (components and services) necessary for the intended operation.\ - The operating system must be configured securely and run with least privilege.\ - The security policy enforced by the device must not allow unauthorized or unnecessary functions.\ - API functionality and commands that are not required to support specific functionality must be disabled (and where possible, removed). K21]
    System hardening through configuration management Preventive
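Requirements B4 and K12 above state the outcome for a firmware update (authenticate cryptographically; if authenticity is not confirmed, reject and delete) without prescribing an implementation. The following is an added example, not code from the standard or from any device vendor, of that control flow on the device side: authenticate the whole image before trusting any header field, use the now-authenticated version number to refuse rollback to older firmware, and remove the staged file whether or not it passed so nothing unverified remains on flash. The image layout and the use of HMAC-SHA256 as the keyed check are assumptions for this example; a production POI verifies an asymmetric signature so the device holds only a public key, but the ordering of checks is the point.

```python
"""Authenticate a staged firmware image before installing it; reject AND delete on failure.

Added example modelled on requirements B4/K12. The image layout and the keyed
hash (HMAC-SHA256) are assumptions for this example: a production POI verifies
an asymmetric signature so the device only ever holds a public key, but the
control flow (authenticate first, parse second, refuse rollback, leave nothing
unverified on flash) is the same.
"""
import hashlib
import hmac
import os
import struct
import tempfile

MAGIC = b"POIFW"                 # assumed header magic
HEADER = struct.Struct(">5sI")   # magic, version (big-endian uint32)
TAG_LEN = hashlib.sha256().digest_size


def build_image(vendor_key: bytes, version: int, payload: bytes) -> bytes:
    """Vendor-side packaging: header || payload || HMAC(header || payload)."""
    body = HEADER.pack(MAGIC, version) + payload
    return body + hmac.new(vendor_key, body, hashlib.sha256).digest()


def authenticate_image(vendor_key: bytes, image: bytes, installed_version: int):
    """Return (payload, None) for an authentic, newer image; otherwise (None, reason)."""
    if len(image) < HEADER.size + TAG_LEN:
        return None, "truncated image"
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    # Verify the tag before trusting a single header field.
    expected = hmac.new(vendor_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None, "authentication failed"
    magic, version = HEADER.unpack_from(body)
    if magic != MAGIC:
        return None, "bad magic"
    # The version is now authenticated, so it can safely gate rollback.
    if version <= installed_version:
        return None, f"rollback: version {version} is not newer than {installed_version}"
    return body[HEADER.size:], None


def apply_staged_update(path: str, vendor_key: bytes, installed_version: int):
    """Verify the staged file at `path`; returns (True, payload) or (False, reason)."""
    with open(path, "rb") as f:
        image = f.read()
    payload, reason = authenticate_image(vendor_key, image, installed_version)
    os.remove(path)  # consumed either way: a rejected image must not linger on flash
    if reason is not None:
        return False, reason
    # Production: write payload to the inactive bank, verify the readback,
    # then switch the boot pointer; here the verified payload is just returned.
    return True, payload


if __name__ == "__main__":
    key = b"\x11" * 32                         # vendor key (constructed for the demo)
    staged = os.path.join(tempfile.mkdtemp(), "fw.bin")
    with open(staged, "wb") as f:
        f.write(build_image(key, 2, b"firmware-v2-payload"))
    print(apply_staged_update(staged, key, installed_version=1))
    print("staged file still present:", os.path.exists(staged))
```

Note that a forged version field cannot bypass the rollback check: the version sits inside the authenticated body, so altering it without the vendor key fails at the tag comparison before the version is ever read.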
    Establish, implement, and maintain idle session termination and logout capabilities. CC ID 01418
    [The device implements session management.\ a) The device keeps track of all connections and restricts the number of sessions that can remain active on the device to the minimum necessary number.\ b) The device sets time limits for sessions and ensures that sessions are not left open for longer than necessary. I6]
    System hardening through configuration management Preventive
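Requirement I6, cited here and twice above under session lock and concurrent-session limits, asks for three things at once: the device tracks every connection, caps the number that may remain active, and bounds how long any session can stay open. The following is an added example, not code from the standard or from any vendor, of one component that does all three: session identifiers are random, a session is refused once the cap is reached, idle sessions expire, and even a continuously active session is closed once it reaches an absolute lifetime. Any identifier the device did not issue, or has already expired, is rejected, which is also what the two controls on invalid session identifiers below call for. The limits and the injectable clock are assumptions for this example.

```python
"""Session management for a POI: track every connection, cap how many stay
open, and expire sessions that are idle or simply too old.

Added example modelled on requirement I6; the limits below are illustrative
and would come from the device's security policy. Session identifiers are
random, and anything the device did not issue (or has already expired) is
rejected.
"""
import secrets
import time


class SessionLimitExceeded(Exception):
    """Raised when opening another session would exceed the configured maximum."""


class SessionManager:
    def __init__(self, max_sessions: int, idle_timeout: float, max_lifetime: float,
                 clock=time.monotonic):
        self.max_sessions = max_sessions
        self.idle_timeout = idle_timeout    # seconds without activity before expiry
        self.max_lifetime = max_lifetime    # absolute cap, even for a busy session
        self._clock = clock                 # injectable so expiry can be tested deterministically
        self._sessions = {}                 # session_id -> [opened_at, last_seen]

    def _reap(self) -> None:
        """Drop sessions that are idle or past their lifetime."""
        now = self._clock()
        for sid, (opened, seen) in list(self._sessions.items()):
            if now - seen > self.idle_timeout or now - opened > self.max_lifetime:
                del self._sessions[sid]

    def open(self) -> str:
        """Create a session, or refuse if the cap is already reached."""
        self._reap()
        if len(self._sessions) >= self.max_sessions:
            raise SessionLimitExceeded(f"{self.max_sessions} sessions already active")
        sid = secrets.token_hex(16)
        now = self._clock()
        self._sessions[sid] = [now, now]
        return sid

    def touch(self, sid: str) -> bool:
        """Record activity; False means the id is unknown or expired and the request must be refused."""
        self._reap()
        entry = self._sessions.get(sid)
        if entry is None:
            return False
        entry[1] = self._clock()
        return True

    def close(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def active(self) -> int:
        self._reap()
        return len(self._sessions)


if __name__ == "__main__":
    mgr = SessionManager(max_sessions=2, idle_timeout=60, max_lifetime=600)
    first, second = mgr.open(), mgr.open()
    try:
        mgr.open()
    except SessionLimitExceeded as exc:
        print("third session refused:", exc)
    print("active:", mgr.active(), "unknown id accepted:", mgr.touch("not-issued"))
```

Expiry is evaluated lazily on every call rather than by a background timer, so a session can never be observed as alive after its deadline, even on a device with no scheduler to run a reaper.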
    Configure Session Configuration settings in accordance with organizational standards. CC ID 07698 System hardening through configuration management Preventive
    Invalidate unexpected session identifiers. CC ID 15307 System hardening through configuration management Preventive
    Reject session identifiers that are not valid. CC ID 15306 System hardening through configuration management Preventive
    Configure the "Interactive logon: Message title for users attempting to log on" to organizational standards. CC ID 07699 System hardening through configuration management Preventive
    Configure the "Network security: Force logoff when logon hours expire" to organizational standards. CC ID 07738 System hardening through configuration management Preventive
    Configure the "MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)" to organizational standards. CC ID 07758 System hardening through configuration management Preventive
    Configure the "Microsoft network server: Disconnect clients when logon hours expire" to organizational standards. CC ID 07824 System hardening through configuration management Preventive
    Configure the "Microsoft network server: Amount of idle time required before suspending session" to organizational standards. CC ID 07826 System hardening through configuration management Preventive
    Configure the "Interactive logon: Do not display last user name" to organizational standards. CC ID 07832 System hardening through configuration management Preventive
    Configure the "Interactive logon: Display user information when the session is locked" to organizational standards. CC ID 07848 System hardening through configuration management Preventive
    Configure the "Interactive logon: Message text for users attempting to log on" to organizational standards. CC ID 07870 System hardening through configuration management Preventive
    Configure the "Always prompt for password upon connection" to organizational standards. CC ID 08229 System hardening through configuration management Preventive
    Configure the "Interactive logon: Machine inactivity limit" to organizational standards. CC ID 08350 System hardening through configuration management Preventive
    Disable all unnecessary applications unless otherwise noted in a policy exception. CC ID 04827
    [The following features of the device’s operating system must be in place:\ - The operating system of the device must contain only the software (components and services) necessary for the intended operation.\ - The operating system must be configured securely and run with least privilege.\ - The security policy enforced by the device must not allow unauthorized or unnecessary functions.\ - API functionality and commands that are not required to support specific functionality must be disabled (and where possible, removed). K21]
    System hardening through configuration management Preventive
    Disable the storing of movies in cache in Apple's QuickTime. CC ID 04489 System hardening through configuration management Preventive
    Install and enable file sharing utilities, as necessary. CC ID 02174 System hardening through configuration management Preventive
    Disable boot services unless boot services are absolutely necessary. CC ID 01481 System hardening through configuration management Preventive
    Disable File Services for Macintosh unless File Services for Macintosh are absolutely necessary. CC ID 04279 System hardening through configuration management Preventive
    Configure the Trivial FTP Daemon service to organizational standards. CC ID 01484 System hardening through configuration management Preventive
    Disable printer daemons or the printer service unless printer daemons or the printer service is absolutely necessary. CC ID 01487 System hardening through configuration management Preventive
    Disable web server unless web server is absolutely necessary. CC ID 01490 System hardening through configuration management Preventive
    Disable portmapper unless portmapper is absolutely necessary. CC ID 01492 System hardening through configuration management Preventive
    Disable writesrv, pmd, and httpdlite unless writesrv, pmd, and httpdlite are absolutely necessary. CC ID 01498 System hardening through configuration management Preventive
    Disable hwscan hardware detection unless hwscan hardware detection is absolutely necessary. CC ID 01504 System hardening through configuration management Preventive
    Disable xinetd unless xinetd is absolutely necessary. CC ID 01509 System hardening through configuration management Preventive
    Configure the /etc/xinetd.conf file permissions as appropriate. CC ID 01568 System hardening through configuration management Preventive
    Disable inetd unless inetd is absolutely necessary. CC ID 01508 System hardening through configuration management Preventive
    Disable Network Computing System unless it is absolutely necessary. CC ID 01497 System hardening through configuration management Preventive
    Disable print server for macintosh unless print server for macintosh is absolutely necessary. CC ID 04284 System hardening through configuration management Preventive
    Disable Print Server unless Print Server is absolutely necessary. CC ID 01488 System hardening through configuration management Preventive
    Disable remote login/remote shell/rcp command, unless it is absolutely necessary. CC ID 01480 System hardening through configuration management Preventive
    Disable xfsmd unless xfsmd is absolutely necessary. CC ID 02179 System hardening through configuration management Preventive
    Disable RPC-based services unless RPC-based services are absolutely necessary. CC ID 01455 System hardening through configuration management Preventive
    Disable netfs script unless netfs script is absolutely necessary. CC ID 01495 System hardening through configuration management Preventive
    Disable Remote Procedure Calls unless Remote Procedure Calls are absolutely necessary and if enabled, set restrictions. CC ID 01456 System hardening through configuration management Preventive
    Configure the "RPC Endpoint Mapper Client Authentication" setting. CC ID 04327 System hardening through configuration management Preventive
    Disable ncpfs Script unless ncpfs Script is absolutely necessary. CC ID 01494 System hardening through configuration management Preventive
    Disable sendmail server unless sendmail server is absolutely necessary. CC ID 01511 System hardening through configuration management Preventive
    Disable postfix unless postfix is absolutely necessary. CC ID 01512 System hardening through configuration management Preventive
    Disable directory server unless directory server is absolutely necessary. CC ID 01464 System hardening through configuration management Preventive
    Disable Windows-compatibility client processes unless Windows-compatibility client processes are absolutely necessary. CC ID 01471 System hardening through configuration management Preventive
    Disable Windows-compatibility servers unless Windows-compatibility servers are absolutely necessary. CC ID 01470 System hardening through configuration management Preventive
    Disable NFS server processes unless NFS server processes are absolutely necessary. CC ID 01472 System hardening through configuration management Preventive
    Configure NFS to respond or not as appropriate to NFS client requests that do not include a User ID. CC ID 05981 System hardening through configuration management Preventive
    Configure NFS with appropriate authentication methods. CC ID 05982 System hardening through configuration management Preventive
    Configure the "AUTH_DES authentication mechanism" for "NFS server" setting to organizational standards. CC ID 08971 System hardening through configuration management Preventive
    Configure the "AUTH_KERB authentication mechanism" for "NFS server" setting to organizational standards. CC ID 08972 System hardening through configuration management Preventive
    Configure the "AUTH_NONE authentication mechanism" for "NFS server" setting to organizational standards. CC ID 08973 System hardening through configuration management Preventive
    Configure the "AUTH_UNIX authentication mechanism" for "NFS server" setting to organizational standards. CC ID 08974 System hardening through configuration management Preventive
    Disable webmin processes unless the webmin process is absolutely necessary. CC ID 01501 System hardening through configuration management Preventive
    Disable automount daemon unless automount daemon is absolutely necessary. CC ID 01476 System hardening through configuration management Preventive
    Disable CDE-related daemons unless CDE-related daemons are absolutely necessary. CC ID 01474 System hardening through configuration management Preventive
    Disable finger unless finger is absolutely necessary. CC ID 01505 System hardening through configuration management Preventive
    Disable Rexec unless Rexec is absolutely necessary. CC ID 02164 System hardening through configuration management Preventive
    Disable Squid cache server unless Squid cache server is absolutely necessary. CC ID 01502 System hardening through configuration management Preventive
    Disable Kudzu hardware detection unless Kudzu hardware detection is absolutely necessary. CC ID 01503 System hardening through configuration management Preventive
    Install and enable public Instant Messaging clients as necessary. CC ID 02173 System hardening through configuration management Preventive
    Disable x font server unless x font server is absolutely necessary. CC ID 01499 System hardening through configuration management Preventive
    Disable NFS client processes unless NFS client processes are absolutely necessary. CC ID 01475 System hardening through configuration management Preventive
    Disable removable storage media daemon unless the removable storage media daemon is absolutely necessary. CC ID 01477 System hardening through configuration management Preventive
    Disable GSS daemon unless GSS daemon is absolutely necessary. CC ID 01465 System hardening through configuration management Preventive
    Disable Computer Browser unless Computer Browser is absolutely necessary. CC ID 01814 System hardening through configuration management Preventive
    Configure the Computer Browser ResetBrowser Frames as appropriate. CC ID 05984 System hardening through configuration management Preventive
    Configure the /etc/samba/smb.conf file permissions as appropriate. CC ID 05989 System hardening through configuration management Preventive
    Disable NetMeeting remote desktop sharing unless NetMeeting remote desktop sharing is absolutely necessary. CC ID 01821 System hardening through configuration management Preventive
    Disable web directory browsing on all web-enabled devices. CC ID 01874 System hardening through configuration management Preventive
    Disable WWW publishing services unless WWW publishing services are absolutely necessary. CC ID 01833 System hardening through configuration management Preventive
    Install and enable samba as necessary. CC ID 02175 System hardening through configuration management Preventive
    Configure the samba hosts allow option with an appropriate set of networks. CC ID 05985 System hardening through configuration management Preventive
    Configure the samba security option as appropriate. CC ID 05986 System hardening through configuration management Preventive
    Configure the samba encrypt passwords option as appropriate. CC ID 05987 System hardening through configuration management Preventive
    Configure the Samba 'smb passwd file' option with an appropriate password file or no password file. CC ID 05988 System hardening through configuration management Preventive
    Disable Usenet Internet news package file capabilities unless Usenet Internet news package file capabilities are absolutely necessary. CC ID 02176 System hardening through configuration management Preventive
    Disable iPlanet Web Server unless iPlanet Web Server is absolutely necessary. CC ID 02172 System hardening through configuration management Preventive
    Disable volume manager unless volume manager is absolutely necessary. CC ID 01469 System hardening through configuration management Preventive
    Disable Solaris Management Console unless Solaris Management Console is absolutely necessary. CC ID 01468 System hardening through configuration management Preventive
    Disable the Graphical User Interface unless it is absolutely necessary. CC ID 01466 System hardening through configuration management Preventive
    Disable help and support unless help and support is absolutely necessary. CC ID 04280 System hardening through configuration management Preventive
    Disable speech recognition unless speech recognition is absolutely necessary. CC ID 04491 System hardening through configuration management Preventive
    Disable or secure the NetWare QuickFinder search engine. CC ID 04453 System hardening through configuration management Preventive
    Disable messenger unless messenger is absolutely necessary. CC ID 01819 System hardening through configuration management Preventive
    Configure the "Do not allow Windows Messenger to be run" setting. CC ID 04516 System hardening through configuration management Preventive
    Configure the "Do not automatically start Windows Messenger initially" setting. CC ID 04517 System hardening through configuration management Preventive
    Configure the "Turn off the Windows Messenger Customer Experience Improvement Program" setting. CC ID 04330 System hardening through configuration management Preventive
    Disable automatic updates unless automatic updates are absolutely necessary. CC ID 01811 System hardening through configuration management Preventive
    Configure automatic update installation and shutdown/restart options and shutdown/restart procedures to organizational standards. CC ID 05979 System hardening through configuration management Preventive
    Disable Name Service Cache Daemon unless Name Service Cache Daemon is absolutely necessary. CC ID 04846 System hardening through configuration management Preventive
    Verify the /bin/rsh file exists or not, as appropriate. CC ID 05101 System hardening through configuration management Preventive
    Verify the /sbin/rsh file exists or not, as appropriate. CC ID 05102 System hardening through configuration management Preventive
    Verify the /usr/bin/rsh file exists or not, as appropriate. CC ID 05103 System hardening through configuration management Preventive
    Verify the /etc/ftpusers file exists or not, as appropriate. CC ID 05104 System hardening through configuration management Preventive
    Verify the /etc/rsh file exists or not, as appropriate. CC ID 05105 System hardening through configuration management Preventive
    Install or uninstall the AIDE package, as appropriate. CC ID 05106 System hardening through configuration management Preventive
    Enable the GNOME automounter (gnome-volume-manager) as necessary. CC ID 05107 System hardening through configuration management Preventive
    Install or uninstall the setroubleshoot package, as appropriate. CC ID 05108 System hardening through configuration management Preventive
    Configure Avahi properly. CC ID 05109 System hardening through configuration management Preventive
    Install or uninstall OpenNTPD, as appropriate. CC ID 05110 System hardening through configuration management Preventive
    Install or uninstall the httpd service properly. CC ID 05111 System hardening through configuration management Preventive
    Install or uninstall the net-smtp package properly. CC ID 05112 System hardening through configuration management Preventive
    Configure the apache web service properly. CC ID 05113 System hardening through configuration management Preventive
    Configure the vlock package properly. CC ID 05114 System hardening through configuration management Preventive
    Configure the daemon account properly. CC ID 05115 System hardening through configuration management Preventive
    Configure the bin account properly. CC ID 05116 System hardening through configuration management Preventive
    Configure the nuucp account properly. CC ID 05117 System hardening through configuration management Preventive
    Configure the smmsp account properly. CC ID 05118 System hardening through configuration management Preventive
    Configure the listen account properly. CC ID 05119 System hardening through configuration management Preventive
    Configure the gdm account properly. CC ID 05120 System hardening through configuration management Preventive
    Configure the webservd account properly. CC ID 05121 System hardening through configuration management Preventive
    Configure the nobody account properly. CC ID 05122 System hardening through configuration management Preventive
    Configure the noaccess account properly. CC ID 05123 System hardening through configuration management Preventive
    Configure the nobody4 account properly. CC ID 05124 System hardening through configuration management Preventive
    Configure the sys account properly. CC ID 05125 System hardening through configuration management Preventive
    Configure the adm account properly. CC ID 05126 System hardening through configuration management Preventive
    Configure the lp account properly. CC ID 05127 System hardening through configuration management Preventive
    Configure the uucp account properly. CC ID 05128 System hardening through configuration management Preventive
    Install or uninstall the tftp-server package, as appropriate. CC ID 05130 System hardening through configuration management Preventive
    Enable the web console as necessary. CC ID 05131 System hardening through configuration management Preventive
    Enable rlogin auth by Pluggable Authentication Modules or pam.d properly. CC ID 05132 System hardening through configuration management Preventive
    Enable rsh auth by Pluggable Authentication Modules properly. CC ID 05133 System hardening through configuration management Preventive
    Enable the listening sendmail daemon, as appropriate. CC ID 05134 System hardening through configuration management Preventive
    Configure Squid properly. CC ID 05135 System hardening through configuration management Preventive
    Configure the "/etc/shells" file to organizational standards. CC ID 08978 System hardening through configuration management Preventive
    Configure the LDAP package to organizational standards. CC ID 09937 System hardening through configuration management Preventive
    Configure the "FTP server" package to organizational standards. CC ID 09938 System hardening through configuration management Preventive
    Configure the "HTTP Proxy Server" package to organizational standards. CC ID 09939 System hardening through configuration management Preventive
    Configure the "prelink" package to organizational standards. CC ID 11379 System hardening through configuration management Preventive
    Configure the Network Information Service (NIS) package to organizational standards. CC ID 11380 System hardening through configuration management Preventive
    Configure the "time" setting to organizational standards. CC ID 11381 System hardening through configuration management Preventive
    Configure the "biosdevname" package to organizational standards. CC ID 11383 System hardening through configuration management Preventive
    Configure the "ufw" setting to organizational standards. CC ID 11384 System hardening through configuration management Preventive
    Remove all unnecessary functionality. CC ID 00882
[The following features of the device’s operating system must be in place:\ - The operating system of the device must contain only the software (components and services) necessary for the intended operation.\ - The operating system must be configured securely and run with least privilege.\ - The security policy enforced by the device must not allow unauthorized or unnecessary functions.\ - API functionality and commands that are not required to support specific functionality must be disabled (and where possible, removed). K21]
    System hardening through configuration management Preventive
    Find and eradicate unauthorized world-writable files. CC ID 01541 System hardening through configuration management Preventive
    Strip dangerous/unneeded SUID/SGID system executables. CC ID 01542 System hardening through configuration management Preventive
    Find and eradicate unauthorized SUID/SGID system executables. CC ID 01543 System hardening through configuration management Preventive
    Find and eradicate "un-owned" files and "un-owned" directories. CC ID 01544 System hardening through configuration management Preventive
    Disable logon prompts on serial ports. CC ID 01553 System hardening through configuration management Preventive
    Disable "nobody" access for Secure RPC. CC ID 01554 System hardening through configuration management Preventive
    Disable all unnecessary computer interfaces. CC ID 04826 System hardening through configuration management Preventive
    Enable or disable all unused USB ports as appropriate. CC ID 06042 System hardening through configuration management Preventive
    Disable all user-mounted removable file systems. CC ID 01536 System hardening through configuration management Preventive
    Set the Bluetooth Security Mode to the organizational standard. CC ID 00587 System hardening through configuration management Preventive
    Secure the Bluetooth headset connections. CC ID 00593 System hardening through configuration management Preventive
    Disable automatic dial-in access to computers that have installed modems. CC ID 02036 System hardening through configuration management Preventive
    Configure the "Turn off AutoPlay" setting. CC ID 01787 System hardening through configuration management Preventive
    Configure the "Devices: Restrict floppy access to locally logged on users only" setting. CC ID 01732 System hardening through configuration management Preventive
    Configure the "Devices: Restrict CD-ROM access to locally logged on users" setting. CC ID 01731 System hardening through configuration management Preventive
    Configure the "Remove CD Burning features" setting. CC ID 04379 System hardening through configuration management Preventive
    Disable Autorun. CC ID 01790 System hardening through configuration management Preventive
    Disable USB devices (aka hotplugger). CC ID 01545 System hardening through configuration management Preventive
    Enable or disable all unused auxiliary ports as appropriate. CC ID 06414 System hardening through configuration management Preventive
    Remove rhosts support unless absolutely necessary. CC ID 01555 System hardening through configuration management Preventive
    Remove weak authentication services from Pluggable Authentication Modules. CC ID 01556 System hardening through configuration management Preventive
    Remove the /etc/hosts.equiv file. CC ID 01559 System hardening through configuration management Preventive
    Create the /etc/ftpd/ftpusers file. CC ID 01560 System hardening through configuration management Preventive
    Remove the X Wrapper and enable the X Display Manager. CC ID 01564 System hardening through configuration management Preventive
    Remove empty crontab files and restrict file permissions to the file. CC ID 01571 System hardening through configuration management Preventive
    Remove all compilers and assemblers from the system. CC ID 01594 System hardening through configuration management Preventive
    Configure the "Devices: Allow undock without having to log on" setting. CC ID 01728 System hardening through configuration management Preventive
    Limit the user roles that are allowed to format and eject removable storage media. CC ID 01729 System hardening through configuration management Preventive
    Prevent users from installing printer drivers. CC ID 01730 System hardening through configuration management Preventive
    Minimize the inetd.conf file and set the file to the appropriate permissions. CC ID 01506 System hardening through configuration management Preventive
    Configure the unsigned driver installation behavior. CC ID 01733 System hardening through configuration management Preventive
    Configure the unsigned non-driver installation behavior. CC ID 02038 System hardening through configuration management Preventive
    Remove all demonstration applications on the system. CC ID 01875 System hardening through configuration management Preventive
    Configure the system to disallow optional Subsystems. CC ID 04265 System hardening through configuration management Preventive
    Configure the "Remove Security tab" setting. CC ID 04380 System hardening through configuration management Preventive
    Disable the automatic display of remote images in HTML-formatted e-mail. CC ID 04494 System hardening through configuration management Preventive
    Disable Remote Apply Events unless Remote Apply Events are absolutely necessary. CC ID 04495 System hardening through configuration management Preventive
    Disable Xgrid unless Xgrid is absolutely necessary. CC ID 04496 System hardening through configuration management Preventive
    Configure the "Do Not Show First Use Dialog Boxes" setting for Windows Media Player properly. CC ID 05136 System hardening through configuration management Preventive
    Disable Core dumps unless absolutely necessary. CC ID 01507 System hardening through configuration management Preventive
    Set hard core dump size limits as appropriate. CC ID 05990 System hardening through configuration management Preventive
    Configure the "Prevent Desktop Shortcut Creation" setting for Windows Media Player properly. CC ID 05137 System hardening through configuration management Preventive
    Set the Squid EUID and Squid GUID to an appropriate user and group. CC ID 05138 System hardening through configuration management Preventive
    Verify groups referenced in /etc/passwd are included in /etc/group, as appropriate. CC ID 05139 System hardening through configuration management Preventive
    Use of the cron.allow file should be enabled or disabled as appropriate. CC ID 06014 System hardening through configuration management Preventive
    Use of the at.allow file should be enabled or disabled as appropriate. CC ID 06015 System hardening through configuration management Preventive
    Enable or disable the Dynamic DNS feature of the DHCP Server as appropriate. CC ID 06039 System hardening through configuration management Preventive
    Enable or disable each user's Screen saver software, as necessary. CC ID 06050 System hardening through configuration management Preventive
    Disable any unnecessary scripting languages, as necessary. CC ID 12137 System hardening through configuration management Preventive
    Configure authenticators to comply with organizational standards. CC ID 06412 System hardening through configuration management Preventive
    Configure the system to use asterisks to mask authenticators. CC ID 02037
    [The device never displays the entered PIN digits. Any array related to PIN entry displays only non-significant symbols, e.g., asterisks. B5]
    System hardening through configuration management Preventive
    Configure the system security parameters to prevent system misuse or information misappropriation. CC ID 00881 System hardening through configuration management Preventive
    Configure the system to a default secure level. CC ID 01519
    [The device has guidance that describes the default configuration for each protocol and services for each interface that is available on the device. Each interface and protocol on the device should default to secure settings. If the interface has the ability to be configurable to non-secure settings, vendor guidance should strongly recommend against configuring to non-secure settings. H2]
    System hardening through configuration management Preventive
    Create a hardened image of the baseline configuration to be used for building new systems. CC ID 07063 System hardening through configuration management Preventive
    Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758
    [The vendor must provide clear security guidance consistent with B2 and B6 to all application developers to ensure:\ - That it is not possible for applications to be influenced by logical anomalies which could result in clear-text data being outputted whilst the terminal is in encrypting mode.\ - That account data is not retained any longer, or used more often, than strictly necessary. K11.2
    Account data (in either clear-text or encrypted form) shall not be retained any longer, or used more often, than strictly necessary. K15.2
    Sensitive data shall not be retained any longer, or used more often, than strictly necessary. Online PINs are encrypted within the device immediately after PIN entry is complete and has been signified as such by the cardholder, e.g., via pressing the enter button.\ The device must automatically clear its internal buffers when either:\ - The transaction is completed, or\ - The device has timed out waiting for the response from the cardholder or merchant. B6]
    Privacy protection for information and data Preventive
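The B5 and B6 requirements quoted above describe a small state machine: digits are collected, the display shows only non-significant symbols, and the clear-text digits are wiped the moment entry completes (so they can be encrypted at once) or the device times out waiting for the cardholder. The following Python is an added example written for this report; it is not code from the PCI PTS POI standard or from any vendor's firmware, and the class name, the timeout value and the injected clock are assumptions. It models the control flow; in device firmware the wipe is the memset()/explicit_bzero() step on the real buffer.

```python
# Added example, not code from the PCI PTS POI standard or any vendor's
# firmware: a PIN-entry session that shows only non-significant symbols (B5)
# and clears its buffers when entry completes or times out (B6). The class,
# its timeout value and the injected clock are hypothetical.
import time

PIN_MIN_DIGITS = 4
PIN_MAX_DIGITS = 12


class PinEntrySession:
    """Collects PIN digits, masks them, and wipes them on completion or timeout."""

    def __init__(self, timeout_s=30.0, clock=time.monotonic):
        self._clock = clock
        self._deadline = clock() + timeout_s
        # bytearray so the digits can be overwritten in place rather than
        # left behind as an immutable str/bytes object.
        self._buf = bytearray()
        self.closed = False
        self.close_reason = None

    def display(self):
        """Cardholder display content: one asterisk per entered digit, never the digit."""
        return "*" * len(self._buf)

    def _check_open(self):
        if self.closed:
            raise RuntimeError("session already closed (%s)" % self.close_reason)
        if self._clock() > self._deadline:
            # Timed out waiting for the cardholder: clear first, then report.
            self._wipe("timeout")
            raise TimeoutError("PIN entry timed out; buffers cleared")

    def press_digit(self, ch):
        self._check_open()
        if not (len(ch) == 1 and "0" <= ch <= "9"):
            raise ValueError("only decimal digits are accepted")
        if len(self._buf) >= PIN_MAX_DIGITS:
            raise ValueError("PIN exceeds %d digits" % PIN_MAX_DIGITS)
        self._buf.append(ord(ch))

    def press_enter(self, encrypt_pin):
        """Entry complete: hand the digits to the device's encryptor, then wipe.

        `encrypt_pin` stands in for the secure controller's PIN-block
        encryption. It is called exactly once, and the clear digits are
        wiped whether or not it succeeds (the copy it receives is its own
        responsibility to clear)."""
        self._check_open()
        if len(self._buf) < PIN_MIN_DIGITS:
            raise ValueError("PIN shorter than %d digits" % PIN_MIN_DIGITS)
        try:
            return encrypt_pin(bytes(self._buf))
        finally:
            self._wipe("completed")

    def cancel(self):
        """Cardholder or merchant abandoned the entry."""
        self._wipe("cancelled")

    def _wipe(self, reason):
        # Overwrite every byte before discarding so the digits do not linger
        # in the freed buffer; in firmware this is the memset()/explicit_bzero()
        # step, and the compiler must not be allowed to drop it.
        for i in range(len(self._buf)):
            self._buf[i] = 0
        del self._buf[:]
        self.closed = True
        self.close_reason = reason
```

Injecting the clock is what makes the timeout branch testable without sleeping; a device test harness would drive the same two paths (completed, timed out) and then inspect the buffer.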
  • Data and Information Management (42 controls)
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Constrain the information flow of restricted data or restricted information. CC ID 06763
    [When operating in encrypting mode, the secure controller can only release clear-text account data to authenticated applications executing within the device. K15.1]
    Technical security Preventive
    Restrict access to restricted data and restricted information on a need to know basis. CC ID 12453 Technical security Preventive
    Prohibit restricted data or restricted information from being sent to mobile devices. CC ID 04725 Technical security Preventive
    Prohibit restricted data or restricted information from being copied or moved absent approval of system boundaries for information flow control. CC ID 06310 Technical security Preventive
    Protect data from unauthorized disclosure while transmitting between separate parts of the system. CC ID 11859
    [All account data is either encrypted immediately upon entry or entered in clear-text into a secure device and processed within the secure controller of the device. K1
    The device protects all account data upon entry (consistent with A9 for magnetic stripe data and D1 for Chip data), and there is no method of accessing the clear-text account data (using methods described in A1) without defeating the security of the device. Defeating or circumventing the security mechanism requires an attack potential of at least 16 for identification and initial exploitation, with a minimum of 8 for exploitation. K1.1
    The logical and physical integration of an approved secure card reader into a PIN entry POI terminal does not create new attack paths to the account data. The account data is protected from the input component to the secure controller of the device—i.e., it is not possible to insert a bug that would disclose sensitive data. K2]
    Technical security Preventive
    Implement the documented cryptographic module security functions. CC ID 06755 Technical security Preventive
    Establish, implement, and maintain digital signatures. CC ID 13828 Technical security Preventive
    Include the expiration date in digital signatures. CC ID 13833 Technical security Preventive
    Include audience restrictions in digital signatures. CC ID 13834 Technical security Preventive
    Include the subject in digital signatures. CC ID 13832 Technical security Preventive
    Include the issuer in digital signatures. CC ID 13831 Technical security Preventive
    Include identifiers in the digital signature. CC ID 13829 Technical security Preventive
    Encrypt restricted data or restricted information using the most secure method possible. CC ID 04824
    [PIN protection during transmission between the device encrypting the PIN and the ICC reader (at least two must apply):\ If the device encrypting the PIN and the ICC reader are not integrated into the same secure module, and the cardholder verification method is determined to be:\ - An enciphered PIN, the PIN block shall be enciphered between the device encrypting the PIN and the ICC reader using either an authenticated encipherment key of the IC card, or in accordance with ISO 9564.\ - A plaintext PIN, the PIN block shall be enciphered from the device encrypting the PIN to the ICC reader (the ICC reader will then decipher the PIN for transmission in plaintext to the IC card) in accordance with ISO 9564.\ If the device encrypting the PIN and the ICC reader are integrated into the same secure module, and the cardholder verification method is determined to be:\ - An enciphered PIN, the PIN block shall be enciphered using an authenticated encipherment key of the IC card.\ - A plaintext PIN, then encipherment is not required if the PIN block is transmitted wholly through a protected environment (as defined in ISO 9564). If the plaintext PIN is transmitted to the ICC reader through an unprotected environment, the PIN block shall be enciphered in accordance with ISO 9564. D4
    The device is able to provide the integrity of data that is sent over a network connection.\ a) Integrity is provided by a MAC as defined in ISO 16609, or by a digital signature.\ b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.\ c) Examples of appropriate algorithms and minimum key sizes are stated in Appendix D of the PCI PTS POI DTRs. I3
    {mode of operation} All account data shall be encrypted using only ANSI X9 or ISO-approved encryption algorithms (e.g., AES, TDES) and should use ANSI X9 or ISO-approved modes of operation. K4
    Sensitive data shall not be retained any longer, or used more often, than strictly necessary. Online PINs are encrypted within the device immediately after PIN entry is complete and has been signified as such by the cardholder, e.g., via pressing the enter button.\ The device must automatically clear its internal buffers when either:\ - The transaction is completed, or\ - The device has timed out waiting for the response from the cardholder or merchant. B6]
    Technical security Preventive
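D4 above is about the PIN block that travels from the PIN-entry component to the ICC reader: it is a fixed 8-byte structure that must be enciphered (under an algorithm and mode per K4) whenever it crosses an unprotected environment. The Python below is an added example, not code from the PCI PTS POI standard or from any vendor's firmware; it builds and recovers the ISO 9564-1 format 0 block (PIN field XOR PAN field) so the structure is concrete. The function names and the sample PAN and PIN are assumptions, and the encipherment step itself is not shown.

```python
# Added example, not code from the PCI PTS POI standard or any vendor's
# firmware: constructing and recovering an ISO 9564-1 format 0 PIN block,
# the clear-text block that D4 requires to be enciphered (algorithm and mode
# per K4) before it leaves the PIN-entry secure module. Function names and
# the sample PAN/PIN are hypothetical; encipherment is not shown here.


def _pin_field(pin):
    """Nibbles: format code 0, PIN length, PIN digits, then F padding to 16 nibbles."""
    if not (pin.isdigit() and 4 <= len(pin) <= 12):
        raise ValueError("PIN must be 4 to 12 decimal digits")
    return bytes.fromhex(("0%X%s" % (len(pin), pin)).ljust(16, "F"))


def _pan_field(pan):
    """Nibbles: 0000, then the rightmost 12 PAN digits excluding the check digit
    (a PAN shorter than 13 digits is left-padded with zeros)."""
    if not (pan.isdigit() and len(pan) >= 2):
        raise ValueError("PAN must be decimal digits")
    body = pan[:-1][-12:].rjust(12, "0")
    return bytes.fromhex("0000" + body)


def format0_pin_block(pin, pan):
    """Clear-text format 0 PIN block: PIN field XOR PAN field (8 bytes)."""
    return bytes(a ^ b for a, b in zip(_pin_field(pin), _pan_field(pan)))


def recover_pin(block, pan):
    """Inverse of format0_pin_block, used after decipherment on the receiving side.

    Every field is validated: a block XORed with the wrong PAN usually leaves
    non-F nibbles in the padding and is rejected instead of yielding a
    plausible-looking PIN. This check is a sanity check, not a substitute for
    the MAC or transport protection on the channel."""
    if len(block) != 8:
        raise ValueError("PIN block must be 8 bytes")
    nibbles = bytes(a ^ b for a, b in zip(block, _pan_field(pan))).hex().upper()
    if nibbles[0] != "0":
        raise ValueError("not a format 0 PIN block")
    n = int(nibbles[1], 16)
    if not 4 <= n <= 12:
        raise ValueError("invalid PIN length nibble")
    pin, pad = nibbles[2:2 + n], nibbles[2 + n:]
    if not pin.isdigit() or pad != "F" * (14 - n):
        raise ValueError("PIN block does not decode with this PAN")
    return pin
```

Because the PAN field is mixed into the block, the same PIN yields a different block for every card, which is why the receiving side needs the PAN (or the enciphered block plus the PAN) rather than the block alone.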
    Decrypt restricted data for the minimum time required. CC ID 12308 Technical security Preventive
    Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309 Technical security Preventive
    Establish, implement, and maintain cryptographic key creation domain parameter requirements. CC ID 06575
    [The device is able to provide confidentiality of data sent over a network connection.\ a) Encryption mechanism utilizes key sizes appropriate for the algorithm(s) in question.\ b) Encryption is provided by using keys that are established in a secure manner using appropriate key-management procedures, such as those listed in NIST SP800-21, Guidelines for Implementing Cryptography in the Federal Government and ISO 11568 Banking – Key Management (Retail). I2
    {Certificate Authority} The device uses a declared security protocol to authenticate the server.\ a) Server authentication utilizes key sizes appropriate for the algorithm(s) in question.\ b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.\ c) The device is able to verify the validity of the public keys it receives.\ d) The device is able to verify the authenticity of the public keys it receives.\ e) The device’s trusted root certificate store shall contain only public key certificates from trusted CA's or else self-signed certificates verified by the acquirer. I4
    If using a hash function to generate surrogate PAN values, input to the hash function must use a salt with minimum length of 64 bits. K16.1]
    Technical security Preventive
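K16.1 and K16.2 (the latter is mapped further down under "Store cryptographic keys in encrypted format") constrain surrogate PAN generation: a hash with a salt of at least 64 bits, and the salt kept secret inside the device. The Python below is an added example written for this report, not code from the PCI PTS POI standard or from any vendor's firmware. It enforces the salt floor, derives the surrogate, and includes a small enumeration routine that shows why the salt must stay secret: the PAN space is small enough that a known salt turns the hash into a lookup. The API, the per-device salt and the sample PANs are assumptions.

```python
# Added example, not code from the PCI PTS POI standard or any vendor's
# firmware: a surrogate-PAN generator of the kind K16.1/K16.2 constrain,
# i.e. SHA-256(salt || PAN) with a secret salt of at least 64 bits. The API,
# the hypothetical per-device salt and the sample PANs are assumptions.
import hashlib
import hmac
import secrets

MIN_SALT_BYTES = 8          # K16.1: salt of at least 64 bits
DEFAULT_SALT_BYTES = 16     # headroom above the minimum


def new_salt(n_bytes=DEFAULT_SALT_BYTES):
    """Fresh random salt; it must live only inside the device's secure boundary (K16.2)."""
    if n_bytes < MIN_SALT_BYTES:
        raise ValueError("salt must be at least %d bytes" % MIN_SALT_BYTES)
    return secrets.token_bytes(n_bytes)


def surrogate_pan(pan, salt):
    """Hex SHA-256 over salt || PAN. Rejects salts below the 64-bit floor."""
    if len(salt) < MIN_SALT_BYTES:
        raise ValueError("salt shorter than 64 bits")
    if not (pan.isdigit() and 12 <= len(pan) <= 19):
        raise ValueError("PAN must be 12 to 19 decimal digits")
    return hashlib.sha256(salt + pan.encode("ascii")).hexdigest()


def surrogates_match(a, b):
    """Compare two surrogates without leaking where they differ."""
    return hmac.compare_digest(a, b)


def brute_force_last_digits(target, salt, pan_prefix, n_unknown):
    """Why K16.2 matters: with the salt known, an attacker who knows the
    issuer prefix only has to enumerate the remaining digits. Constructed
    demonstration with `n_unknown` trailing digits unknown."""
    for i in range(10 ** n_unknown):
        candidate = pan_prefix + str(i).zfill(n_unknown)
        if surrogates_match(surrogate_pan(candidate, salt), target):
            return candidate
    return None
```

The enumeration routine is deliberately limited to a few unknown digits; the point is that a full 16-digit PAN with a known BIN has on the order of 10^9 candidates once the check digit is accounted for, which is trivial to hash through offline. Secrecy of the salt, not just its length, is what makes the surrogate safe to store outside the secure boundary.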
    Recover encrypted data for lost cryptographic keys, compromised cryptographic keys, or damaged cryptographic keys. CC ID 01301 Technical security Preventive
    Generate strong cryptographic keys. CC ID 01299 Technical security Preventive
    Use approved random number generators for creating cryptographic keys. CC ID 06574 Technical security Preventive
    Disseminate and communicate cryptographic keys securely. CC ID 01300
    [If remote key distribution is used, the device supports mutual authentication between the sending key-distribution host and receiving device. K5]
    Technical security Preventive
    Control the input and output of cryptographic keys from a cryptographic module. CC ID 06541 Technical security Preventive
    Store cryptographic keys securely. CC ID 01298
    [If the device can hold multiple PIN-encryption keys and if the key to be used to encrypt the PIN can be externally selected, the device prohibits unauthorized key replacement and key misuse. C1
    Determination of any cryptographic keys used for account-data encryption, by penetration of the device and/or by monitoring emanations from the device (including power fluctuations), requires an attack potential of at least 26 for identification and initial exploitation with a minimum of 13 for exploitation. K3
    Public keys must be stored and used in a manner that protects against unauthorized modification or substitution. Unauthorized modification or substitution requires an attack potential of at least 26 for identification and initial exploitation with a minimum of 13 for exploitation. K3.1]
    Technical security Preventive
    Restrict access to cryptographic keys. CC ID 01297 Technical security Preventive
    Store cryptographic keys in encrypted format. CC ID 06084
    [If using a hash function to generate surrogate PAN values, the salt is kept secret and appropriately protected. Disclosure of the salt cannot occur without requiring an attack potential of at least 16 per device for identification and initial exploitation with a minimum of 8 for exploitation. K16.2]
    Technical security Preventive
    Change cryptographic keys, as necessary. CC ID 01302 Technical security Preventive
    Destroy cryptographic keys promptly after the retention period. CC ID 01303 Technical security Preventive
    Control cryptographic keys with split knowledge and dual control. CC ID 01304
    [{turnkey system} The vendor must provide a defined and documented process containing specific details on how any signing mechanisms must be implemented. This must include any “turnkey” systems required for compliance with the management of display prompts, or any mechanisms used for authenticating any application code. This must ensure:\ - The signing process is performed under dual control.\ - All executable files are signed.\ - Software is only signed using a secure cryptographic device provided by the terminal vendor. B4.2]
    Technical security Preventive
    Prevent the unauthorized substitution of cryptographic keys. CC ID 01305 Technical security Preventive
    Revoke old cryptographic keys or invalid cryptographic keys immediately. CC ID 01307 Technical security Corrective
    Replace known or suspected compromised cryptographic keys immediately. CC ID 01306 Technical security Corrective
    Archive outdated cryptographic keys. CC ID 06884 Technical security Preventive
    Archive revoked cryptographic keys. CC ID 11819 Technical security Preventive
    Manage the digital signature cryptographic key pair. CC ID 06576 Technical security Preventive
    Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 Operational management Preventive
    Identify the sender in all electronic messages. CC ID 13996 Operational management Preventive
    Approve tested change requests. CC ID 11783 Operational management Preventive
    Allow interested personnel and affected parties to opt out of specific version releases and software updates. CC ID 06809 Operational management Preventive
    Disable the use of removable storage media for systems that process restricted data or restricted information, as necessary. CC ID 06681 System hardening through configuration management Preventive
    Protect confidential information during the system development life cycle program. CC ID 13479 Systems design, build, and implementation Preventive
    Use personal data for specified purposes. CC ID 11831
    [Sensitive data shall not be retained any longer, or used more often, than strictly necessary. Online PINs are encrypted within the device immediately after PIN entry is complete and has been signified as such by the cardholder, e.g., via pressing the enter button.\ The device must automatically clear its internal buffers when either:\ - The transaction is completed, or\ - The device has timed out waiting for the response from the cardholder or merchant. B6]
    Privacy protection for information and data Preventive
    Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 Privacy protection for information and data Preventive
    Provide access to outgoing shipment information, as necessary. CC ID 08942 Third Party and supply chain oversight Preventive
  • Establish Roles (2 controls)
    Use biometric authentication for identification and authentication, as necessary. CC ID 06857 Technical security Preventive
    Assign ownership of the information security program to the appropriate role. CC ID 00814 Operational management Preventive
  • Establish/Maintain Documentation (288 controls)
    Establish, implement, and maintain a risk management program. CC ID 12051 Audits and risk management Preventive
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Audits and risk management Preventive
    Establish, implement, and maintain a risk assessment program. CC ID 00687 Audits and risk management Preventive
    Establish, implement, and maintain risk assessment procedures. CC ID 06446 Audits and risk management Preventive
    Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183
[The device has undergone a vulnerability assessment to ensure that the protocols and interfaces listed in F1 do not contain exploitable vulnerabilities.\ a) The vulnerability assessment is supported by a documented analysis describing the security of the protocols and interfaces.\ b) The vulnerability assessment is supported by a vulnerability survey of information available in the public domain.\ c) The vulnerability assessment is supported by testing. G2]
    Audits and risk management Preventive
    Document organizational risk criteria. CC ID 12277 Audits and risk management Preventive
    Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 Audits and risk management Preventive
    Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 Audits and risk management Preventive
    Include physical assets in the scope of the risk assessment. CC ID 13075 Audits and risk management Preventive
    Include the results of the risk assessment in the risk assessment report. CC ID 06481 Audits and risk management Preventive
    Update the risk assessment upon discovery of a new threat. CC ID 00708 Audits and risk management Detective
    Update the risk assessment upon changes to the risk profile. CC ID 11627 Audits and risk management Detective
    Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 Audits and risk management Preventive
    Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 Monitoring and measurement Preventive
    Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 Monitoring and measurement Preventive
    Establish, implement, and maintain an access control program. CC ID 11702 Technical security Preventive
    Establish, implement, and maintain an access rights management plan. CC ID 00513 Technical security Preventive
    Establish and maintain a memorized secret list. CC ID 13791 Technical security Preventive
    Establish, implement, and maintain information flow control configuration standards. CC ID 01924 Technical security Preventive
    Maintain a record of the challenge state during identification and authentication in an automated information exchange. CC ID 06629 Technical security Preventive
    Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410 Technical security Preventive
    Establish, implement, and maintain information exchange procedures. CC ID 11782 Technical security Preventive
    Define the cryptographic module security functions and the cryptographic module operational modes. CC ID 06542 Technical security Preventive
    Define the cryptographic boundaries. CC ID 06543 Technical security Preventive
    Establish and maintain the documentation requirements for cryptographic modules. CC ID 06544 Technical security Preventive
    Establish and maintain the security requirements for cryptographic module ports and cryptographic module interfaces. CC ID 06545 Technical security Preventive
    Establish, implement, and maintain documentation for the delivery and operation of cryptographic modules. CC ID 06547 Technical security Preventive
    Document the operation of the cryptographic module. CC ID 06546 Technical security Preventive
    Generate and protect a secret random number for each digital signature. CC ID 06577 Technical security Preventive
    Establish the security strength requirements for the digital signature process. CC ID 06578
    [The device is able to provide the integrity of data that is sent over a network connection.\ a) Integrity is provided by a MAC as defined in ISO 16609, or by a digital signature.\ b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.\ c) Examples of appropriate algorithms and minimum key sizes are stated in Appendix D of the PCI PTS POI DTRs. I3]
    Technical security Preventive
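I3, quoted here and earlier under "Encrypt restricted data or restricted information using the most secure method possible", requires integrity for data sent over a network connection via a MAC (ISO 16609) or a digital signature, with SHA-224/256/384/512 as the hash family. The Python below is an added example written for this report, not code from the PCI PTS POI standard or from any vendor's firmware: it appends an HMAC-SHA256 tag to an outbound frame, verifies it with a constant-time comparison, and shows that a one-bit change anywhere in the frame is rejected. The key, the frame layout and the sample message are assumptions.

```python
# Added example, not code from the PCI PTS POI standard or any vendor's
# firmware: message integrity over a network connection as I3 requires,
# implemented here as HMAC-SHA256 (a MAC with SHA-256 as the hash). The key,
# the frame layout and the sample message are assumptions.
import hashlib
import hmac

TAG_LEN = 32          # full SHA-256 output; truncation below policy minimum is not done here
MIN_KEY_BYTES = 16    # assumed local policy floor for the MAC key


def protect(key, msg):
    """Outbound side: append MAC(key, msg) so any change in transit is detectable."""
    if len(key) < MIN_KEY_BYTES:
        raise ValueError("MAC key must be at least %d bytes" % MIN_KEY_BYTES)
    return msg + hmac.new(key, msg, hashlib.sha256).digest()


def verify(key, frame):
    """Inbound side: return the message if its tag checks, else None.

    The comparison is constant-time so a forger cannot learn the tag byte
    by byte from timing differences."""
    if len(frame) < TAG_LEN:
        return None
    msg, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    return msg if hmac.compare_digest(tag, expected) else None


def flip_bit(frame, offset):
    """Constructed on-path modification: flip one bit at `offset` (message or tag)."""
    b = bytearray(frame)
    b[offset] ^= 0x01
    return bytes(b)
```

The MAC covers the whole message, so the framing must be unambiguous (fixed fields or an explicit length) before the tag is computed; otherwise two different parses of the same bytes would carry the same tag. Replay is a separate concern that a sequence number or nonce inside the MACed message addresses; I3 itself only speaks to integrity.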
    Establish, implement, and maintain an encryption management and cryptographic controls policy. CC ID 04546 Technical security Preventive
    Provide guidance to customers on how to securely transmit, store, and update cryptographic keys. CC ID 12040
[The device has guidance for key management describing how keys and certificates must be used.\ a) The key-management guidance is at the disposal of internal users and/or of application developers, system integrators, and end-users of the device.\ b) Key-management security guidance describes the properties of all keys and certificates that can be used by the device.\ c) Key-management security guidance describes the responsibilities of the device vendor, application developers, system integrators, and end-users of the device.\ d) Key-management security guidance ensures secure use of keys and certificates. H3]
    Technical security Preventive
    Establish, implement, and maintain cryptographic key management procedures. CC ID 00571
[The device has guidance for key management describing how keys and certificates must be used.\ a) The key-management guidance is at the disposal of internal users and/or of application developers, system integrators, and end-users of the device.\ b) Key-management security guidance describes the properties of all keys and certificates that can be used by the device.\ c) Key-management security guidance describes the responsibilities of the device vendor, application developers, system integrators, and end-users of the device.\ d) Key-management security guidance ensures secure use of keys and certificates. H3
    The device is able to provide confidentiality of data sent over a network connection.\ a) Encryption mechanism utilizes key sizes appropriate for the algorithm(s) in question.\ b) Encryption is provided by using keys that are established in a secure manner using appropriate key-management procedures, such as those listed in NIST SP800-21, Guidelines for Implementing Cryptography in the Federal Government and ISO 11568 Banking – Key Management (Retail). I2
    {turnkey system} The vendor must provide a defined and documented process containing specific details on how any signing mechanisms must be implemented. This must include any “turnkey” systems required for compliance with the management of display prompts, or any mechanisms used for authenticating any application code. This must ensure:\ - The signing process is performed under dual control.\ - All executable files are signed.\ - Software is only signed using a secure cryptographic device provided by the terminal vendor. B4.2]
    Technical security Preventive
    Include recommended cryptographic key management procedures for cloud service providers in the cryptographic key management procedures. CC ID 13152 Technical security Preventive
    Include requesting cryptographic key types in the cryptographic key management procedures. CC ID 13151 Technical security Preventive
    Include the establishment of cryptographic keys in the cryptographic key management procedures. CC ID 06540
    [{determine}{reside}{penetrate} Determination of any PIN-security-related cryptographic key resident in the device, by penetration of the device and/or by monitoring emanations from the device (including power fluctuations), requires an attack potential of at least 35 for identification and initial exploitation with a minimum of 15 for exploitation. A6
    The device has guidance for key management describing how keys and certificates must be used.\ a) The key-management guidance is at the disposal of internal users and/or of application developers, system integrators, and end-users of the device.\ b) Key-management security guidance describes the properties of all keys and certificates that can be used by the device.\ c) Key-management security guidance describes the responsibilities of the device vendor, application developers, system integrators, and end-users of the device.\ d) Key-management security guidance ensures secure use of keys and certificates. H3
    {Certificate Authority} The device uses a declared security protocol to authenticate the server.\ a) Server authentication utilizes key sizes appropriate for the algorithm(s) in question.\ b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.\ c) The device is able to verify the validity of the public keys it receives.\ d) The device is able to verify the authenticity of the public keys it receives.\ e) The device’s trusted root certificate store shall contain only public key certificates from trusted CAs or else self-signed certificates verified by the acquirer. I4]
    Technical security Preventive
    Include offsite backups of cryptographic keys in the cryptographic key management procedures. CC ID 13127 Technical security Preventive
    Require key custodians to sign the cryptographic key management policy. CC ID 01308 Technical security Preventive
    Establish, implement, and maintain requirements for Personal Identity Verification authentication certificates. CC ID 06587 Technical security Preventive
    Establish, implement, and maintain Public Key certificate application procedures. CC ID 07079 Technical security Preventive
    Include the Identification and Authentication of individuals or entities in the Public Key certificate application procedures. CC ID 07080 Technical security Preventive
    Include approving or rejecting Public Key certificate applications in the Public Key certificate application procedure. CC ID 07081 Technical security Preventive
    Include revocation of Public Key certificates in the Public Key certificate procedures. CC ID 07082 Technical security Preventive
    Publish revoked Public Key certificates in the Certificate Revocation List. CC ID 07089 Technical security Preventive
    Establish, implement, and maintain Public Key renewal or rekeying request procedures. CC ID 07083 Technical security Preventive
    Include identification and authentication in Public Key renewal or rekeying request procedures. CC ID 11816 Technical security Preventive
    Establish, implement, and maintain Public Key certificate procedures. CC ID 07085
    [{Certificate Authority} The device uses a declared security protocol to authenticate the server.\ a) Server authentication utilizes key sizes appropriate for the algorithm(s) in question.\ b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.\ c) The device is able to verify the validity of the public keys it receives.\ d) The device is able to verify the authenticity of the public keys it receives.\ e) The device’s trusted root certificate store shall contain only public key certificates from trusted CAs or else self-signed certificates verified by the acquirer. I4]
    Technical security Preventive
    Include signing and issuing Public Key certificates in the Public Key certificate procedures. CC ID 11817
    [{Certificate Authority} The device uses a declared security protocol to authenticate the server.\ a) Server authentication utilizes key sizes appropriate for the algorithm(s) in question.\ b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.\ c) The device is able to verify the validity of the public keys it receives.\ d) The device is able to verify the authenticity of the public keys it receives.\ e) The device’s trusted root certificate store shall contain only public key certificates from trusted CAs or else self-signed certificates verified by the acquirer. I4]
    Technical security Preventive
    Include publishing Public Key certificates in the Public Key certificate procedures. CC ID 07087 Technical security Preventive
    Include access to issued Public Key certificates in the Public Key certificate procedures. CC ID 07086 Technical security Preventive
    Authorize transactions of data transmitted over public networks or shared data networks. CC ID 00566 Technical security Preventive
    Establish, implement, and maintain a malicious code protection program. CC ID 00574 Technical security Preventive
    Establish, implement, and maintain a physical security program. CC ID 11757 Physical and environmental protection Preventive
    Establish, implement, and maintain a facility physical security program. CC ID 00711 Physical and environmental protection Preventive
    Include Information Technology assets in the asset removal policy. CC ID 13162 Physical and environmental protection Preventive
    Specify the assets to be returned or removed in the asset removal policy. CC ID 13163 Physical and environmental protection Preventive
    Establish, implement, and maintain asset removal procedures or asset decommissioning procedures. CC ID 04540 Physical and environmental protection Preventive
    Establish, implement, and maintain report missing asset procedures. CC ID 06336 Physical and environmental protection Preventive
    Establish, implement, and maintain environmental control procedures. CC ID 12246 Physical and environmental protection Preventive
    Establish, implement, and maintain facility maintenance procedures. CC ID 00710 Physical and environmental protection Preventive
    Define selection criteria for facility locations. CC ID 06351 Physical and environmental protection Preventive
    Establish, implement, and maintain work environment requirements. CC ID 06613 Physical and environmental protection Preventive
    Establish, implement, and maintain system cleanliness requirements. CC ID 06614 Physical and environmental protection Preventive
    Establish, implement, and maintain a fire prevention and fire suppression standard. CC ID 06695 Physical and environmental protection Preventive
    Establish, implement, and maintain a business continuity program. CC ID 13210 Operational and Systems Continuity Preventive
    Establish, implement, and maintain a continuity plan. CC ID 00752 Operational and Systems Continuity Preventive
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Operational management Preventive
    Establish, implement, and maintain an information security program. CC ID 00812
    [The device vendor maintains guidance describing configuration management for the device.\ a) The guidance is at the disposal of internal users, and/or of application developers, system integrators and end-users of the device.\ b) The guidance covers the complete device—including firmware, payment and non-payment applications, forms, multimedia files, certificates, configuration files, configuration settings, and keys.\ c) The guidance covers the complete life cycle of the device from development, through manufacturing, up to delivery and operation.\ d) The security guidance ensures that unauthorized modification is not possible.\ e) The security guidance ensures that any modification of a PTS-approved device that impacts device security results in a change of the device identifier. J1]
    Operational management Preventive
    Include physical safeguards in the information security program. CC ID 12375 Operational management Preventive
    Include technical safeguards in the information security program. CC ID 12374 Operational management Preventive
    Include administrative safeguards in the information security program. CC ID 12373 Operational management Preventive
    Include system development in the information security program. CC ID 12389 Operational management Preventive
    Include system maintenance in the information security program. CC ID 12388 Operational management Preventive
    Include system acquisition in the information security program. CC ID 12387 Operational management Preventive
    Include access control in the information security program. CC ID 12386 Operational management Preventive
    Include operations management in the information security program. CC ID 12385 Operational management Preventive
    Include communication management in the information security program. CC ID 12384 Operational management Preventive
    Include environmental security in the information security program. CC ID 12383 Operational management Preventive
    Include physical security in the information security program. CC ID 12382 Operational management Preventive
    Include human resources security in the information security program. CC ID 12381 Operational management Preventive
    Include asset management in the information security program. CC ID 12380 Operational management Preventive
    Include a continuous monitoring program in the information security program. CC ID 14323 Operational management Preventive
    Include how the information security department is organized in the information security program. CC ID 12379 Operational management Preventive
    Include risk management in the information security program. CC ID 12378 Operational management Preventive
    Include mitigating supply chain risks in the information security program. CC ID 13352 Operational management Preventive
    Establish, implement, and maintain an information security policy. CC ID 11740 Operational management Preventive
    Include a commitment to the information security requirements in the information security policy. CC ID 13496 Operational management Preventive
    Include information security objectives in the information security policy. CC ID 13493 Operational management Preventive
    Include the use of Cloud Services in the information security policy. CC ID 13146 Operational management Preventive
    Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 Operational management Preventive
    Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 Operational management Preventive
    Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 Operational management Preventive
    Establish, implement, and maintain a social media governance program. CC ID 06536 Operational management Preventive
    Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 Operational management Preventive
    Include explicit restrictions in the social media acceptable use policy. CC ID 06655 Operational management Preventive
    Include contributive content sites in the social media acceptable use policy. CC ID 06656 Operational management Preventive
    Establish, implement, and maintain operational control procedures. CC ID 00831 Operational management Preventive
    Include assigning and approving operations in operational control procedures. CC ID 06382 Operational management Preventive
    Include startup processes in operational control procedures. CC ID 00833 Operational management Preventive
    Establish and maintain a data processing run manual. CC ID 00832 Operational management Preventive
    Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826
    [The vendor must maintain a manual that provides instructions for the operational management of the POI. This includes instructions for recording the entire life cycle of the POI security-related components and of the manner in which those components are integrated into a single POI, e.g.:\ - Data on production and personalization \ - Physical/chronological whereabouts \ - Repair and maintenance \ - Removal from operation \ - Loss or theft M8]
    Operational management Preventive
    Include metrics in the standard operating procedures manual. CC ID 14988 Operational management Preventive
    Include maintenance measures in the standard operating procedures manual. CC ID 14986 Operational management Preventive
    Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 Operational management Preventive
    Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 Operational management Preventive
    Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14981 Operational management Preventive
    Include predetermined changes in the standard operating procedures manual. CC ID 14977 Operational management Preventive
    Include specifications for input data in the standard operating procedures manual. CC ID 14975 Operational management Preventive
    Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 Operational management Preventive
    Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 Operational management Preventive
    Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 Operational management Preventive
    Include the intended purpose in the standard operating procedures manual. CC ID 14967 Operational management Preventive
    Include information on system performance in the standard operating procedures manual. CC ID 14965 Operational management Preventive
    Include contact details in the standard operating procedures manual. CC ID 14962 Operational management Preventive
    Update operating procedures that contribute to user errors. CC ID 06935 Operational management Corrective
    Establish, implement, and maintain a job scheduling methodology. CC ID 00834 Operational management Preventive
    Establish and maintain a job schedule exceptions list. CC ID 00835 Operational management Preventive
    Establish, implement, and maintain a data processing continuity plan. CC ID 00836 Operational management Preventive
    Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 Operational management Preventive
    Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 Operational management Preventive
    Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 Operational management Preventive
    Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 Operational management Preventive
    Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 Operational management Preventive
    Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 Operational management Preventive
    Include asset tags in the Acceptable Use Policy. CC ID 01354 Operational management Preventive
    Include asset use policies in the Acceptable Use Policy. CC ID 01355 Operational management Preventive
    Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 Operational management Preventive
    Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 Operational management Preventive
    Include prohibiting, copying, or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 Operational management Preventive
    Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 Operational management Preventive
    Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 Operational management Preventive
    Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 Operational management Preventive
    Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 Operational management Preventive
    Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 Operational management Corrective
    Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 Operational management Preventive
    Include a software installation policy in the Acceptable Use Policy. CC ID 06749 Operational management Preventive
    Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 Operational management Preventive
    Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 Operational management Preventive
    Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 Operational management Preventive
    Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 Operational management Preventive
    Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 Operational management Preventive
    Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 Operational management Preventive
    Establish, implement, and maintain an e-mail policy. CC ID 06439 Operational management Preventive
    Include business use of personal e-mail in the e-mail policy. CC ID 14381 Operational management Preventive
    Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 Operational management Preventive
    Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 Operational management Preventive
    Establish, implement, and maintain the systems' integrity level. CC ID 01906
    [The device is able to provide the integrity of data that is sent over a network connection.\ a) Integrity is provided by a MAC as defined in ISO 16609, or by a digital signature.\ b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.\ c) Examples of appropriate algorithms and minimum key sizes are stated in Appendix D of the PCI PTS POI DTRs. I3]
    Operational management Preventive
    Establish, implement, and maintain a system preventive maintenance program. CC ID 00885
    [The device vendor has maintenance measures in place.\ a) The maintenance measures are documented.\ b) The maintenance measures ensure timely detection of vulnerabilities that apply to the device by periodic execution of a vulnerability assessment that includes activities such as: analysis, survey of information available in the public domain, and testing.\ c) The maintenance measures ensure timely assessment and classification of newly found vulnerabilities.\ d) The maintenance measures ensure timely creation of mitigation measures for newly found vulnerabilities that may impact device security. J2]
    Operational management Preventive
    Establish and maintain maintenance reports. CC ID 11749
    [The device vendor has maintenance measures in place.\ a) The maintenance measures are documented.\ b) The maintenance measures ensure timely detection of vulnerabilities that apply to the device by periodic execution of a vulnerability assessment that includes activities such as: analysis, survey of information available in the public domain, and testing.\ c) The maintenance measures ensure timely assessment and classification of newly found vulnerabilities.\ d) The maintenance measures ensure timely creation of mitigation measures for newly found vulnerabilities that may impact device security. J2]
    Operational management Preventive
    Establish and maintain system inspection reports. CC ID 06346 Operational management Preventive
    Establish, implement, and maintain a system maintenance policy. CC ID 14032 Operational management Preventive
    Include compliance requirements in the system maintenance policy. CC ID 14217 Operational management Preventive
    Include management commitment in the system maintenance policy. CC ID 14216 Operational management Preventive
    Include roles and responsibilities in the system maintenance policy. CC ID 14215 Operational management Preventive
    Include the scope in the system maintenance policy. CC ID 14214 Operational management Preventive
    Include the purpose in the system maintenance policy. CC ID 14187 Operational management Preventive
    Include coordination amongst entities in the system maintenance policy. CC ID 14181 Operational management Preventive
    Establish, implement, and maintain system maintenance procedures. CC ID 14059 Operational management Preventive
    Include a technology refresh plan in the system preventive maintenance program. CC ID 13061 Operational management Preventive
    Establish and maintain an archive of maintenance reports in a maintenance log. CC ID 06202 Operational management Preventive
    Post calibration limits or calibration tolerances on or near assets requiring calibration. CC ID 06204 Operational management Preventive
    Establish, implement, and maintain a change control program. CC ID 00886
    [Change-control procedures are in place so that any intended change to the physical or functional capabilities of the POI causes a re-certification of the device under the Physical Security Requirements or the Logical Security Requirements of this document. Immediate re-certification is not required for changes that purely rectify errors and faults in software in order to make it function as intended and do not otherwise remove, modify, or add functionality. Approval of delta submissions is contingent on evidence of the ongoing change control and vulnerability management process. L1]
    Operational management Preventive
    Include potential consequences of unintended changes in the change control program. CC ID 12243 Operational management Preventive
    Include version control in the change control program. CC ID 13119 Operational management Preventive
    Include service design and transition in the change control program. CC ID 13920 Operational management Preventive
    Establish, implement, and maintain a back-out plan. CC ID 13623 Operational management Preventive
    Establish, implement, and maintain back-out procedures for each proposed change in a change request. CC ID 00373 Operational management Preventive
    Approve back-out plans, as necessary. CC ID 13627 Operational management Corrective
    Include documentation of the impact level of proposed changes in the change request. CC ID 11942 Operational management Preventive
    Establish and maintain a change request approver list. CC ID 06795 Operational management Preventive
    Document all change requests in change request forms. CC ID 06794 Operational management Preventive
    Establish, implement, and maintain emergency change procedures. CC ID 00890 Operational management Preventive
    Log emergency changes after they have been performed. CC ID 12733 Operational management Preventive
    Provide audit trails for all approved changes. CC ID 13120 Operational management Preventive
    Document the sources of all software updates. CC ID 13316 Operational management Preventive
    Establish, implement, and maintain patch management procedures. CC ID 15224 Operational management Preventive
    Establish, implement, and maintain a patch log. CC ID 01642 Operational management Preventive
    Establish, implement, and maintain a software release policy. CC ID 00893 Operational management Preventive
    Establish, implement, and maintain approved change acceptance testing procedures. CC ID 06391 Operational management Detective
    Establish, implement, and maintain a change acceptance testing log. CC ID 06392 Operational management Corrective
    Update associated documentation after the system configuration has been changed. CC ID 00891 Operational management Preventive
    Document approved configuration deviations. CC ID 08711 Operational management Corrective
    Document the organization's local environments. CC ID 06726
    [The PIN-encryption technique implemented in the device is a technique included in ISO 9564. B12
    It is neither feasible to penetrate the ICC reader to make any additions, substitutions, or modifications to either the ICC reader’s hardware or software, in order to determine or modify any sensitive data, without requiring an attack potential of at least 20 for identification and initial exploitation, with a minimum of 10 for exploitation, nor is it possible for both an IC card and any other foreign object to reside within the card insertion slot. D1
    If the device is capable of communicating over an IP network or uses a public domain protocol (such as but not limited to Wi-Fi or Bluetooth), then requirements specified in DTR Module 3: Open Protocols Requirements have been met. K14
    The key-management techniques implemented in the device are consistent with B11. K17
    Sensitive services are protected from unauthorized use consistent with B8. K23
    The key-management techniques implemented in the device conform to ISO 11568 and/or ANSI X9.24. Key-management techniques must support the ANSI TR-31 key-derivation methodology or an equivalent methodology for maintaining the TDEA key bundle. B11]
    Operational management Preventive
    Establish, implement, and maintain local environment security profiles. CC ID 07037 Operational management Preventive
    Include individuals assigned to the local environment in the local environment security profile. CC ID 07038 Operational management Preventive
    Include the business processes assigned to the local environment in the local environment security profile. CC ID 07039 Operational management Preventive
    Include the technology used in the local environment in the local environment security profile. CC ID 07040 Operational management Preventive
    Include contact information for critical personnel assigned to the local environment in the local environment security profile. CC ID 07041 Operational management Preventive
    Include facility information for the local environment in the local environment security profile. CC ID 07042 Operational management Preventive
    Include facility access information for the local environment in the local environment security profile. CC ID 11773 Operational management Preventive
    Update the local environment security profile, as necessary. CC ID 07043 Operational management Preventive
    Establish, implement, and maintain a Configuration Management program. CC ID 00867
    [The device vendor maintains guidance describing configuration management for the device.\ a) The guidance is at the disposal of internal users, and/or of application developers, system integrators and end-users of the device.\ b) The guidance covers the complete device—including firmware, payment and non-payment applications, forms, multimedia files, certificates, configuration files, configuration settings, and keys.\ c) The guidance covers the complete life cycle of the device from development, through manufacturing, up to delivery and operation.\ d) The security guidance ensures that unauthorized modification is not possible.\ e) The security guidance ensures that any modification of a PTS-approved device that impacts device security results in a change of the device identifier. J1]
    System hardening through configuration management Preventive
    Establish, implement, and maintain appropriate system labeling. CC ID 01900 System hardening through configuration management Preventive
    Include the identification number of the third party who performed the conformity assessment procedures on all promotional materials. CC ID 15041 System hardening through configuration management Preventive
    Include the identification number of the third party who conducted the conformity assessment procedures after the CE marking of conformity. CC ID 15040 System hardening through configuration management Preventive
    Establish, implement, and maintain a configuration management policy. CC ID 14023 System hardening through configuration management Preventive
    Establish, implement, and maintain configuration management procedures. CC ID 14074 System hardening through configuration management Preventive
    Include compliance requirements in the configuration management policy. CC ID 14072 System hardening through configuration management Preventive
    Include coordination amongst entities in the configuration management policy. CC ID 14071 System hardening through configuration management Preventive
    Include management commitment in the configuration management policy. CC ID 14070 System hardening through configuration management Preventive
    Include roles and responsibilities in the configuration management policy. CC ID 14069 System hardening through configuration management Preventive
    Include the scope in the configuration management policy. CC ID 14068 System hardening through configuration management Preventive
    Include the purpose in the configuration management policy. CC ID 14067 System hardening through configuration management Preventive
    Establish, implement, and maintain a configuration management plan. CC ID 01901 System hardening through configuration management Preventive
    Include configuration management procedures in the configuration management plan. CC ID 14248 System hardening through configuration management Preventive
    Include roles and responsibilities in the configuration management plan. CC ID 14247 System hardening through configuration management Preventive
    Establish, implement, and maintain system tracking documentation. CC ID 15266 System hardening through configuration management Preventive
    Include prioritization codes in the system tracking documentation. CC ID 15283 System hardening through configuration management Preventive
    Include the type and category of the request in the system tracking documentation. CC ID 15281 System hardening through configuration management Preventive
    Include contact information in the system tracking documentation. CC ID 15280 System hardening through configuration management Preventive
    Include the username in the system tracking documentation. CC ID 15278 System hardening through configuration management Preventive
    Include a problem description in the system tracking documentation. CC ID 15276 System hardening through configuration management Preventive
    Include affected systems in the system tracking documentation. CC ID 15275 System hardening through configuration management Preventive
    Include root causes in the system tracking documentation. CC ID 15274 System hardening through configuration management Preventive
    Include the name of who is responsible for resolution in the system tracking documentation. CC ID 15273 System hardening through configuration management Preventive
    Include current status in the system tracking documentation. CC ID 15272 System hardening through configuration management Preventive
    Record Configuration Management items in the Configuration Management database. CC ID 00861 System hardening through configuration management Preventive
    Establish, implement, and maintain a Configuration Management Database with accessible reporting capabilities. CC ID 02132 System hardening through configuration management Preventive
    Establish, implement, and maintain a configuration baseline based on the least functionality principle. CC ID 00862 System hardening through configuration management Preventive
    Include the measures used to account for any differences in operation between the test environments and production environments in the baseline configuration. CC ID 13285 System hardening through configuration management Preventive
    Include the differences between test environments and production environments in the baseline configuration. CC ID 13284 System hardening through configuration management Preventive
    Include the applied security patches in the baseline configuration. CC ID 13271 System hardening through configuration management Preventive
    Include the installed application software and version numbers in the baseline configuration. CC ID 13270 System hardening through configuration management Preventive
    Include installed custom software in the baseline configuration. CC ID 13274 System hardening through configuration management Preventive
    Include network ports in the baseline configuration. CC ID 13273 System hardening through configuration management Preventive
    Include the operating systems and version numbers in the baseline configuration. CC ID 13269 System hardening through configuration management Preventive
    Include backup procedures in the Configuration Management policy. CC ID 01314 System hardening through configuration management Preventive
    Establish, implement, and maintain a system hardening standard. CC ID 00876 System hardening through configuration management Preventive
    Establish, implement, and maintain system hardening procedures. CC ID 12001 System hardening through configuration management Preventive
    Validate, approve, and document all UNIX shells prior to use. CC ID 02161 System hardening through configuration management Preventive
    Configure the "global Package signature checking" setting to organizational standards. CC ID 08735 System hardening through configuration management Preventive
    Configure the "Package signature checking" setting for "all configured repositories" to organizational standards. CC ID 08736 System hardening through configuration management Preventive
    Configure the "verify against the package database" setting for "all installed software packages" to organizational standards. CC ID 08737 System hardening through configuration management Preventive
    Configure the "isdn4k-utils" package to organizational standards. CC ID 08738 System hardening through configuration management Preventive
    Configure the "postfix" package to organizational standards. CC ID 08739 System hardening through configuration management Preventive
    Configure the "vsftpd" package to organizational standards. CC ID 08740 System hardening through configuration management Preventive
    Configure the "net-snmpd" package to organizational standards. CC ID 08741 System hardening through configuration management Preventive
    Configure the "rsyslog" package to organizational standards. CC ID 08742 System hardening through configuration management Preventive
    Configure the "ipsec-tools" package to organizational standards. CC ID 08743 System hardening through configuration management Preventive
    Configure the "pam_ccreds" package to organizational standards. CC ID 08744 System hardening through configuration management Preventive
    Configure the "talk-server" package to organizational standards. CC ID 08745 System hardening through configuration management Preventive
    Configure the "talk" package to organizational standards. CC ID 08746 System hardening through configuration management Preventive
    Configure the "irda-utils" package to organizational standards. CC ID 08747 System hardening through configuration management Preventive
    Document that all enabled functions support secure configurations. CC ID 11985 System hardening through configuration management Preventive
    Establish, implement, and maintain an authenticator standard. CC ID 01702 System hardening through configuration management Preventive
    Establish, implement, and maintain an authenticator management system. CC ID 12031 System hardening through configuration management Preventive
    Establish, implement, and maintain authenticator procedures. CC ID 12002 System hardening through configuration management Preventive
    Establish, implement, and maintain a Configuration Baseline Documentation Record. CC ID 02130
    [The device has guidance that describes the default configuration for each protocol and services for each interface that is available on the device. Each interface and protocol on the device should default to secure settings. If the interface has the ability to be configurable to non-secure settings, vendor guidance should strongly recommend against configuring to non-secure settings. H2]
    System hardening through configuration management Preventive
    Document and approve any changes to the Configuration Baseline Documentation Record. CC ID 12104 System hardening through configuration management Preventive
    Establish, implement, and maintain a system design specification. CC ID 04557 Systems design, build, and implementation Preventive
    Include in the system documentation methodologies for authenticating the hardware security module. CC ID 12258
    [{TOE} The device’s development-security documentation must provide means to the initial key-loading facility to assure the authenticity of the TOE’s security relevant components. M4]
    Systems design, build, and implementation Preventive
    Establish, implement, and maintain an acceptable use policy for the hardware security module. CC ID 12247
    [A user-available security policy from the vendor addresses the proper use of the POI in a secure fashion, including information on key-management responsibilities, administrative responsibilities, device functionality, identification, and environmental requirements. The security policy must define the roles supported by the POI and indicate the services available for each role in a deterministic tabular format. The POI is capable of performing only its designed functions—i.e., there is no hidden functionality. The only approved functions performed by the POI are those allowed by the policy. B20]
    Systems design, build, and implementation Preventive
    Include roles and responsibilities in the acceptable use policy for the hardware security module. CC ID 12264
    [A user-available security policy from the vendor addresses the proper use of the POI in a secure fashion, including information on key-management responsibilities, administrative responsibilities, device functionality, identification, and environmental requirements. The security policy must define the roles supported by the POI and indicate the services available for each role in a deterministic tabular format. The POI is capable of performing only its designed functions—i.e., there is no hidden functionality. The only approved functions performed by the POI are those allowed by the policy. B20]
    Systems design, build, and implementation Preventive
    Include the environmental requirements in the acceptable use policy for the hardware security module. CC ID 12263
    [A user-available security policy from the vendor addresses the proper use of the POI in a secure fashion, including information on key-management responsibilities, administrative responsibilities, device functionality, identification, and environmental requirements. The security policy must define the roles supported by the POI and indicate the services available for each role in a deterministic tabular format. The POI is capable of performing only its designed functions—i.e., there is no hidden functionality. The only approved functions performed by the POI are those allowed by the policy. B20]
    Systems design, build, and implementation Preventive
    Include device identification in the acceptable use policy for the hardware security module. CC ID 12262
    [A user-available security policy from the vendor addresses the proper use of the POI in a secure fashion, including information on key-management responsibilities, administrative responsibilities, device functionality, identification, and environmental requirements. The security policy must define the roles supported by the POI and indicate the services available for each role in a deterministic tabular format. The POI is capable of performing only its designed functions—i.e., there is no hidden functionality. The only approved functions performed by the POI are those allowed by the policy. B20]
    Systems design, build, and implementation Preventive
    Include device functionality in the acceptable use policy for the hardware security module. CC ID 12261
    [A user-available security policy from the vendor addresses the proper use of the POI in a secure fashion, including information on key-management responsibilities, administrative responsibilities, device functionality, identification, and environmental requirements. The security policy must define the roles supported by the POI and indicate the services available for each role in a deterministic tabular format. The POI is capable of performing only its designed functions—i.e., there is no hidden functionality. The only approved functions performed by the POI are those allowed by the policy. B20]
    Systems design, build, and implementation Preventive
    Include administrative responsibilities in the acceptable use policy for the hardware security module. CC ID 12260
    [A user-available security policy from the vendor addresses the proper use of the POI in a secure fashion, including information on key-management responsibilities, administrative responsibilities, device functionality, identification, and environmental requirements. The security policy must define the roles supported by the POI and indicate the services available for each role in a deterministic tabular format. The POI is capable of performing only its designed functions—i.e., there is no hidden functionality. The only approved functions performed by the POI are those allowed by the policy. B20]
    Systems design, build, and implementation Preventive
    Establish, implement, and maintain session security coding standards. CC ID 04584 Systems design, build, and implementation Preventive
    Establish and maintain a cryptographic architecture document. CC ID 12476 Systems design, build, and implementation Preventive
    Include the algorithms used in the cryptographic architecture document. CC ID 12483 Systems design, build, and implementation Preventive
    Include an inventory of all protected areas in the cryptographic architecture document. CC ID 12486 Systems design, build, and implementation Preventive
    Include a description of the key usage for each key in the cryptographic architecture document. CC ID 12484 Systems design, build, and implementation Preventive
    Include descriptions of all cryptographic keys in the cryptographic architecture document. CC ID 12487 Systems design, build, and implementation Preventive
    Include descriptions of the cryptographic key strength of all cryptographic keys in the cryptographic architecture document. CC ID 12488 Systems design, build, and implementation Preventive
    Include each cryptographic key's expiration date in the cryptographic architecture document. CC ID 12489 Systems design, build, and implementation Preventive
    Include the protocols used in the cryptographic architecture document. CC ID 12485 Systems design, build, and implementation Preventive
    Establish and maintain a coding manual for secure coding techniques. CC ID 11863
    [The vendor must provide clear security guidance consistent with B2 and B6 to all application developers to ensure:
    - That it is not possible for applications to be influenced by logical anomalies which could result in clear-text data being outputted whilst the terminal is in encrypting mode.
    - That account data is not retained any longer, or used more often, than strictly necessary. K11.2]
    Systems design, build, and implementation Preventive
    Establish and maintain system security documentation. CC ID 06271
    [Security measures are taken during the development and maintenance of POI security-related components. The manufacturer must maintain development-security documentation describing all the physical, procedural, personnel, and other security measures that are necessary to protect the integrity of the design and implementation of the POI security-related components in their development environment. The development-security documentation shall provide evidence that these security measures are followed during the development and maintenance of the POI security-related components. The evidence shall justify that the security measures provide the necessary level of protection to maintain the integrity of the POI security-related components. L7
    {document and maintain} The vendor documents, maintains and makes available to integrators details on how to implement the protection system against unauthorized removal. E4.2
    The device has security guidance that describes how protocols and services must be used for each interface that is accessible by the device applications. H1]
    Systems design, build, and implementation Preventive
    Document the procedures and environment used to create the system or software. CC ID 06609 Systems design, build, and implementation Preventive
    Establish, implement, and maintain user documentation. CC ID 12250 Systems design, build, and implementation Preventive
    Include loss or theft instructions in the user documentation, as necessary. CC ID 12270
    [The vendor must maintain a manual that provides instructions for the operational management of the POI. This includes instructions for recording the entire life cycle of the POI security-related components and of the manner in which those components are integrated into a single POI, e.g.:
    - Data on production and personalization
    - Physical/chronological whereabouts
    - Repair and maintenance
    - Removal from operation
    - Loss or theft M8]
    Systems design, build, and implementation Preventive
    Include disposition instructions in the user documentation, as necessary. CC ID 12269
    [The vendor must maintain a manual that provides instructions for the operational management of the POI. This includes instructions for recording the entire life cycle of the POI security-related components and of the manner in which those components are integrated into a single POI, e.g.:
    - Data on production and personalization
    - Physical/chronological whereabouts
    - Repair and maintenance
    - Removal from operation
    - Loss or theft M8]
    Systems design, build, and implementation Preventive
    Include maintenance instructions in the user documentation, as necessary. CC ID 12268
    [The vendor must maintain a manual that provides instructions for the operational management of the POI. This includes instructions for recording the entire life cycle of the POI security-related components and of the manner in which those components are integrated into a single POI, e.g.:
    - Data on production and personalization
    - Physical/chronological whereabouts
    - Repair and maintenance
    - Removal from operation
    - Loss or theft M8]
    Systems design, build, and implementation Preventive
    Include instructions on recording the location of the system in the user documentation, as necessary. CC ID 12267
    [The vendor must maintain a manual that provides instructions for the operational management of the POI. This includes instructions for recording the entire life cycle of the POI security-related components and of the manner in which those components are integrated into a single POI, e.g.:
    - Data on production and personalization
    - Physical/chronological whereabouts
    - Repair and maintenance
    - Removal from operation
    - Loss or theft M8]
    Systems design, build, and implementation Preventive
    Include personalization instructions within the user documentation, as necessary. CC ID 12266
    [The vendor must maintain a manual that provides instructions for the operational management of the POI. This includes instructions for recording the entire life cycle of the POI security-related components and of the manner in which those components are integrated into a single POI, e.g.:
    - Data on production and personalization
    - Physical/chronological whereabouts
    - Repair and maintenance
    - Removal from operation
    - Loss or theft M8]
    Systems design, build, and implementation Preventive
    Include life cycle management instructions for all components within the user documentation. CC ID 12265
    [The vendor must maintain a manual that provides instructions for the operational management of the POI. This includes instructions for recording the entire life cycle of the POI security-related components and of the manner in which those components are integrated into a single POI, e.g.:
    - Data on production and personalization
    - Physical/chronological whereabouts
    - Repair and maintenance
    - Removal from operation
    - Loss or theft M8]
    Systems design, build, and implementation Preventive
    Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data collection program. CC ID 06487 Privacy protection for information and data Preventive
    Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data use policy. CC ID 00076 Privacy protection for information and data Preventive
    Establish, implement, and maintain a data handling program. CC ID 13427 Privacy protection for information and data Preventive
    Establish, implement, and maintain data handling policies. CC ID 00353 Privacy protection for information and data Preventive
    Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 Privacy protection for information and data Preventive
    Request attestation of compliance from third parties. CC ID 12067 Third Party and supply chain oversight Detective
    Define the traceability documentation required for chain of custody certification. CC ID 08895
    [The POI should be protected from unauthorized modification with tamper-evident security features, and customers shall be provided with documentation (both shipped with the product and available securely online) that provides instruction on validating the authenticity and integrity of the POI. Where this is not possible, the POI is shipped from the manufacturer’s facility to the initial key-loading facility or to the facility of initial deployment and stored en route under auditable controls that can account for the location of every POI at every point in time. Where multiple parties are involved in organizing the shipping, it is the responsibility of each party to ensure that the shipping and storage they are managing is compliant with this requirement. M1]
    Third Party and supply chain oversight Preventive
    Establish, implement, and maintain product shipment procedures. CC ID 08934
    [Procedures are in place to transfer accountability for the device from the manufacturer to the facility of initial deployment. Where the device is shipped via intermediaries such as resellers, accountability will be with the intermediary from the time at which they receive the device until the time it is received by the next intermediary or the point of initial deployment. M2]
    Third Party and supply chain oversight Preventive
    Document accurate outgoing shipment information. CC ID 08939 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain export records of outgoing shipments. CC ID 08954 Third Party and supply chain oversight Preventive
  • Human Resources Management (4)
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Require key custodians to sign the key custodian's roles and responsibilities. CC ID 11820 Technical security Preventive
    Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 Operational management Preventive
    Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 Operational management Preventive
    Control granting access to third parties performing maintenance on organizational assets. CC ID 11873 Operational management Preventive
  • IT Impact Zone (11)
    Audits and risk management CC ID 00677 Audits and risk management IT Impact Zone
    Monitoring and measurement CC ID 00636 Monitoring and measurement IT Impact Zone
    Technical security CC ID 00508 Technical security IT Impact Zone
    Physical and environmental protection CC ID 00709 Physical and environmental protection IT Impact Zone
    Operational and Systems Continuity CC ID 00731 Operational and Systems Continuity IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
    System hardening through configuration management CC ID 00860 System hardening through configuration management IT Impact Zone
    Systems design, build, and implementation CC ID 00989 Systems design, build, and implementation IT Impact Zone
    Acquisition or sale of facilities, technology, and services CC ID 01123 Acquisition or sale of facilities, technology, and services IT Impact Zone
    Privacy protection for information and data CC ID 00008 Privacy protection for information and data IT Impact Zone
    Third Party and supply chain oversight CC ID 08807 Third Party and supply chain oversight IT Impact Zone
  • Investigate (5)
    Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 Audits and risk management Detective
    Rank discovered vulnerabilities. CC ID 11940 Monitoring and measurement Detective
    Perform social network analysis, as necessary. CC ID 14864 Operational management Detective
    Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 Operational management Detective
    Collect data about the network environment when certifying the network. CC ID 13125 Operational management Detective
  • Log Management (2)
    Maintain records of all system components entering and exiting the facility. CC ID 14304 Physical and environmental protection Preventive
    Log the performance of all remote maintenance. CC ID 13202 Operational management Preventive
  • Maintenance (6)
    Replace system components when third party support is no longer available. CC ID 10644 Operational management Preventive
    Obtain justification for the continued use of system components when third party support is no longer available. CC ID 10645 Operational management Preventive
    Disconnect non-volatile media from information systems prior to performing maintenance with uncleared personnel. CC ID 14295 Operational management Preventive
    Sanitize volatile media in information systems prior to performing maintenance with uncleared personnel. CC ID 14291 Operational management Preventive
    Remove components being serviced from the information system prior to performing maintenance. CC ID 14251 Operational management Preventive
    Separate the production environment from development environment or test environment for the change control process. CC ID 11864 Operational management Preventive
  • Monitor and Evaluate Occurrences (7)
    Enforce information flow control. CC ID 11781 Technical security Preventive
    Establish, implement, and maintain an anti-tamper protection program. CC ID 10638 Physical and environmental protection Detective
    Monitor the location of distributed assets. CC ID 11684 Physical and environmental protection Detective
    Monitor and review environmental protections. CC ID 12571 Physical and environmental protection Detective
    Install and maintain an environment control monitoring system. CC ID 06370 Physical and environmental protection Detective
    Monitor and review the effectiveness of the information security program. CC ID 12744 Operational management Preventive
    Include anti-tamper technologies and anti-tamper techniques in the system design specification. CC ID 10639
    [The PIN pad (PIN entry area) and the surrounding area must be designed and engineered in such a way that the complete device does not facilitate the fraudulent placement of an overlay over the PIN pad. An overlay attack must require an attack potential of at least 18 for identification and initial exploitation, with a minimum of 9 for exploitation. E2.2]
    Systems design, build, and implementation Detective
  • Physical and Environmental Protection (41)
    Protect assets from tampering or unapproved substitution. CC ID 11902
    [The unauthorized alteration of prompts for non-PIN data entry into the PIN entry key pad such that PINs are compromised, i.e., by prompting for the PIN entry when the output is not encrypted, cannot occur without requiring an attack potential of at least 18 per device for identification and initial exploitation with a minimum of 9 for exploitation. A7
    It is not feasible to penetrate the device to make any additions, substitutions, or modifications to the magnetic-stripe reader and associated hardware or software, in order to determine or modify magnetic-stripe track data, without requiring an attack potential of at least 16 per device, for identification and initial exploitation, with a minimum of 8 for exploitation. A9
    Secure components intended for unattended devices contain an anti-removal mechanism to protect against unauthorized removal and/or unauthorized re-installation. Defeating or circumventing this mechanism must require an attack potential of at least 18 per device for identification and initial exploitation, with a minimum of 9 for exploitation. A10
    The POI should be protected from unauthorized modification with tamper-evident security features, and customers shall be provided with documentation (both shipped with the product and available securely online) that provides instruction on validating the authenticity and integrity of the POI. Where this is not possible, the POI is shipped from the manufacturer’s facility to the initial key-loading facility or to the facility of initial deployment and stored en route under auditable controls that can account for the location of every POI at every point in time. Where multiple parties are involved in organizing the shipping, it is the responsibility of each party to ensure that the shipping and storage they are managing is compliant with this requirement. M1
    The device is assembled in a manner that the components used in the manufacturing process are those components that were certified by the Core PIN Entry and/or POS Terminal Integration Security Requirements evaluation, and that unauthorized substitutions have not been made. L3
    Subsequent to production but prior to shipment from the manufacturer’s or reseller’s facility, the device and any of its components are stored in a protected, access-controlled area or sealed within tamper-evident packaging to prevent undetected unauthorized access to the device or its components. L5
    The PIN entry POI terminal is equipped with mechanisms to prevent attacks aiming at retaining and stealing the payment card (e.g., Lebanese Loop attack). E3.2
    {tamper response} The device uses tamper-detection and response mechanisms that cause it to become immediately inoperable and result in the automatic and immediate erasure of any sensitive data that may be stored in the device, such that it becomes infeasible to recover the sensitive data. These mechanisms protect against physical penetration of the device by means of (but not limited to) drills, lasers, chemical solvents, opening covers, splitting the casing (seams), and using ventilation openings; and there is not any demonstrable way to disable or defeat the mechanism and insert a PIN-disclosing bug or gain access to secret information without requiring an attack potential of at least 26 per device for identification and initial exploitation, with a minimum of 13 for exploitation, exclusive of the IC card reader. A1
    Failure of a single security mechanism does not compromise device security. Protection against a threat is based on a combination of at least two independent security mechanisms. A2]
    Physical and environmental protection Preventive
    Protect facilities from eavesdropping. CC ID 02222
    [{prevent} {facility} There is no feasible way to determine any entered and internally transmitted PIN digit by monitoring sound, electro-magnetic emissions, power consumption or any other external characteristic available for monitoring—even with the cooperation of the device operator or sales clerk—without requiring an attack potential of at least 26 for identification and initial exploitation with a minimum of 13 for exploitation. A5]
    Physical and environmental protection Preventive
    Inspect telephones for eavesdropping devices. CC ID 02223 Physical and environmental protection Detective
    Hold conferences requiring sensitive information discussions in spaces that have commensurate security. CC ID 11440 Physical and environmental protection Preventive
    Provide one-time meeting support for discussions involving Top Secret information. CC ID 11441 Physical and environmental protection Preventive
    Establish, implement, and maintain physical security controls for distributed assets. CC ID 00718 Physical and environmental protection Preventive
    Protect distributed assets against theft. CC ID 06799
    [The device is protected against unauthorized removal. Defeating or circumventing this mechanism must require an attack potential of at least 18 per device for identification and initial exploitation, with a minimum of 9 for exploitation. E4.1]
    Physical and environmental protection Preventive
    Control the delivery of assets through physical entry points and physical exit points. CC ID 01441 Physical and environmental protection Preventive
    Control the removal of assets through physical entry points and physical exit points. CC ID 11681 Physical and environmental protection Preventive
    Establish, implement, and maintain on-site physical controls for all distributed assets. CC ID 04820 Physical and environmental protection Preventive
    Establish, implement, and maintain off-site physical controls for all distributed assets. CC ID 04539 Physical and environmental protection Preventive
    Attach asset location technologies to distributed assets. CC ID 10626 Physical and environmental protection Detective
    Employ asset location technologies in accordance with applicable laws and regulations. CC ID 10627 Physical and environmental protection Preventive
    Unpair missing Bluetooth devices. CC ID 12428 Physical and environmental protection Corrective
    Establish, implement, and maintain an environmental control program. CC ID 00724
    [{environmental conditions} Environmental or operational conditions cannot be altered to compromise the security of the device, or cause the device to output clear-text account data. (An example includes subjecting the device to temperatures or operating voltages outside the stated operating ranges.) K19]
    Physical and environmental protection Preventive
    Protect power equipment and power cabling from damage or destruction. CC ID 01438 Physical and environmental protection Preventive
    Place the Uninterruptible Power Supply in the generator room, as necessary. CC ID 11676 Physical and environmental protection Preventive
    Design the Information Technology facility with a low profile and consideration given to natural disasters and man-made disasters. CC ID 00712 Physical and environmental protection Preventive
    Prohibit signage indicating computer room location and uses. CC ID 06343 Physical and environmental protection Preventive
    Require critical facilities to have adequate room for facility maintenance. CC ID 06361 Physical and environmental protection Preventive
    Require critical facilities to have adequate room for evacuation. CC ID 11686 Physical and environmental protection Preventive
    Build critical facilities according to applicable building codes. CC ID 06366 Physical and environmental protection Preventive
    Build critical facilities with fire resistant materials. CC ID 06365 Physical and environmental protection Preventive
    Build critical facilities with water-resistant materials. CC ID 11679 Physical and environmental protection Preventive
    Monitor operational conditions at unmanned facilities. CC ID 06327 Physical and environmental protection Preventive
    Inspect and maintain the facility and supporting assets. CC ID 06345 Physical and environmental protection Preventive
    House system components in areas where the physical damage potential is minimized. CC ID 01623 Physical and environmental protection Preventive
    Install and maintain smoke detectors. CC ID 15264 Physical and environmental protection Preventive
    Conduct periodic fire marshal inspections for all organizational facilities. CC ID 04888 Physical and environmental protection Preventive
    Install and maintain fire-retarding divisions such as fire doors in accordance with applicable building codes. CC ID 06362 Physical and environmental protection Preventive
    Install and maintain seismic detectors in critical facilities. CC ID 06364 Physical and environmental protection Detective
    Protect physical assets against static electricity, as necessary. CC ID 06363 Physical and environmental protection Preventive
    Install and maintain emergency lighting for use in a power failure. CC ID 01440 Physical and environmental protection Preventive
    Install and maintain lightning protection mechanisms in critical facilities. CC ID 06367 Physical and environmental protection Preventive
    Protect air intakes into the organizational facility. CC ID 02211 Physical and environmental protection Preventive
    Install and maintain water detection devices. CC ID 11678 Physical and environmental protection Preventive
    Plan and conduct maintenance so that it does not interfere with scheduled operations. CC ID 06389 Operational management Preventive
    Control and monitor all maintenance tools. CC ID 01432 Operational management Detective
    Identify and authenticate third parties prior to granting access to maintain assets. CC ID 11874 Operational management Preventive
    Store manufacturing components in a controlled access area. CC ID 12256
    [Subsequent to production but prior to shipment from the manufacturer’s or reseller’s facility, the device and any of its components are stored in a protected, access-controlled area or sealed within tamper-evident packaging to prevent undetected unauthorized access to the device or its components. L5]
    Systems design, build, and implementation Preventive
    Ship equipment to customers in tamper-evident packaging, as necessary. CC ID 12271
    [{physical alteration} While in transit from the manufacturer’s facility to the initial key-loading facility, the device is:
    - Shipped and stored in tamper-evident packaging; and/or
    - Shipped and stored containing a secret that is immediately and automatically erased if any physical or functional alteration to the device is attempted, that can be verified by the initial key-loading facility, but that cannot feasibly be determined by unauthorized personnel. M3]
    Acquisition or sale of facilities, technology, and services Preventive
  • Process or Activity
    22
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Disallow self-enrollment of biometric information. CC ID 11834 Technical security Preventive
    Define the asymmetric signature field for the CHUID container on identification cards or badges. CC ID 06584 Technical security Preventive
    Implement cryptographic operations and support functions on identification cards or badges. CC ID 06585 Technical security Preventive
    Define the format of the biometric data on identification cards or badges. CC ID 06586 Technical security Preventive
    Prohibit assets from being taken off-site absent prior authorization. CC ID 12027 Physical and environmental protection Preventive
    Remote wipe any distributed asset reported lost or stolen. CC ID 12197 Physical and environmental protection Corrective
    Conduct fire drills, as necessary. CC ID 13985 Physical and environmental protection Preventive
    Employ environmental protections. CC ID 12570 Physical and environmental protection Preventive
    Review and approve access controls, as necessary. CC ID 13074 Operational management Detective
    Provide management direction and support for the information security program. CC ID 11999 Operational management Preventive
    Approve the information security policy at the organization's management level or higher. CC ID 11737 Operational management Preventive
    Use systems in accordance with the standard operating procedures manual. CC ID 15049 Operational management Preventive
    Implement automated mechanisms to transfer predictive maintenance data to a maintenance management system. CC ID 10616 Operational management Preventive
    Perform emergency changes, as necessary. CC ID 12707 Operational management Preventive
    Back up emergency changes after the change has been performed. CC ID 12734 Operational management Preventive
    Conduct network certifications prior to approving change requests for networks. CC ID 13121 Operational management Detective
    Establish, implement, and maintain a patch management program. CC ID 00896 Operational management Preventive
    Protect applications from cross-site scripting through secure coding techniques in source code. CC ID 11899 Systems design, build, and implementation Preventive
    Protect against coding vulnerabilities through secure coding techniques in source code. CC ID 11897
    [The vendor must provide clear security guidance consistent with B2 and B6 to all application developers to ensure:
    - That it is not possible for applications to be influenced by logical anomalies which could result in clear-text data being outputted whilst the terminal is in encrypting mode.
    - That account data is not retained any longer, or used more often, than strictly necessary. K11.2]
    Systems design, build, and implementation Preventive
    Protect applications from broken authentication and session management through secure coding techniques in source code. CC ID 11896 Systems design, build, and implementation Preventive
    Protect applications from cross-site request forgery through secure coding techniques in source code. CC ID 11895 Systems design, build, and implementation Preventive
    Assess third parties' compliance environment during due diligence. CC ID 13134 Third Party and supply chain oversight Detective
  • Records Management
    3
    Maintain vulnerability scan reports as organizational records. CC ID 12092 Monitoring and measurement Preventive
    Archive Public Key certificate records according to organizational Records Management rules. CC ID 07090 Technical security Preventive
    Include information sharing procedures in standard operating procedures. CC ID 12974 Operational management Preventive
  • Systems Continuity
    2
    Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373 Operational and Systems Continuity Corrective
    Execute fail-safe procedures when an emergency occurs. CC ID 07108
    [{integrity test}{authenticity test} The device performs a self-test, which includes integrity and authenticity tests upon start-up and at least once per day to check whether the device is in a compromised state. In the event of a failure, the device and its functionality fail in a secure manner. The device must reinitialize memory at least every 24 hours. B1]
    Operational and Systems Continuity Preventive
  • Systems Design, Build, and Implementation
    32
    Apply security controls to each level of the information classification standard. CC ID 01903 Operational management Preventive
    Validate the system before implementing approved changes. CC ID 01510 Operational management Preventive
    Establish, implement, and maintain a System Development Life Cycle program. CC ID 11823 Systems design, build, and implementation Preventive
    Include information security throughout the system development life cycle. CC ID 12042
    [Security measures are taken during the development and maintenance of POI security-related components. The manufacturer must maintain development-security documentation describing all the physical, procedural, personnel, and other security measures that are necessary to protect the integrity of the design and implementation of the POI security-related components in their development environment. The development-security documentation shall provide evidence that these security measures are followed during the development and maintenance of the POI security-related components. The evidence shall justify that the security measures provide the necessary level of protection to maintain the integrity of the POI security-related components. L7]
    Systems design, build, and implementation Preventive
    Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 Systems design, build, and implementation Preventive
    Develop systems in accordance with the system design specifications and system design standards. CC ID 01094 Systems design, build, and implementation Preventive
    Protect stored manufacturing components prior to assembly. CC ID 12248
    [The certified firmware is protected and stored in such a manner as to preclude unauthorized modification during its entire manufacturing life cycle—e.g., by using dual control or standardized cryptographic authentication procedures. L2]
    Systems design, build, and implementation Preventive
    Develop new products based on best practices. CC ID 01095 Systems design, build, and implementation Preventive
    Include security requirements in the system design specification. CC ID 06826 Systems design, build, and implementation Preventive
    Implement security controls when developing systems. CC ID 06270
    [Security measures are taken during the development and maintenance of POI security-related components. The manufacturer must maintain development-security documentation describing all the physical, procedural, personnel, and other security measures that are necessary to protect the integrity of the design and implementation of the POI security-related components in their development environment. The development-security documentation shall provide evidence that these security measures are followed during the development and maintenance of the POI security-related components. The evidence shall justify that the security measures provide the necessary level of protection to maintain the integrity of the POI security-related components. L7]
    Systems design, build, and implementation Preventive
    Analyze and minimize attack surfaces when developing systems. CC ID 06828 Systems design, build, and implementation Preventive
    Implement a hardware security module, as necessary. CC ID 12222 Systems design, build, and implementation Preventive
    Require dual authentication when switching out of PCI mode in the hardware security module. CC ID 12274 Systems design, build, and implementation Preventive
    Include an indicator to designate when the hardware security module is in PCI mode. CC ID 12273 Systems design, build, and implementation Preventive
    Design the random number generator to generate random numbers that are unpredictable. CC ID 12255
    [If random numbers are generated by the device in connection with security over sensitive data, the random number generator has been assessed to ensure it is generating numbers sufficiently unpredictable. B9]
    Systems design, build, and implementation Preventive
    Design the hardware security module to enforce the separation between applications. CC ID 12254
    [If the device supports multiple applications, it must enforce the separation between applications. It must not be possible that one application interferes with or tampers with another application or the OS of the device including, but not limited to, modifying data objects belonging to another application or the OS. B17
    If the device supports multiple applications, it must enforce the separation between applications consistent with B17. K20]
    Systems design, build, and implementation Preventive
    Protect sensitive data when transiting sensitive services in the hardware security module. CC ID 12253
    [Access to sensitive services requires authentication. Sensitive services provide access to the underlying sensitive functions. Sensitive functions are those functions that process sensitive data such as cryptographic keys, PINs, and passwords. Entering or exiting sensitive services shall not reveal or otherwise affect sensitive data. B7]
    Systems design, build, and implementation Preventive
    Design the hardware security module to automatically clear its internal buffers of sensitive information prior to reuse of the buffer. CC ID 12233
    [Sensitive data shall not be retained any longer, or used more often, than strictly necessary. Online PINs are encrypted within the device immediately after PIN entry is complete and has been signified as such by the cardholder, e.g., via pressing the enter button.
    The device must automatically clear its internal buffers when either:
    - The transaction is completed, or
    - The device has timed out waiting for the response from the cardholder or merchant. B6]
    Systems design, build, and implementation Preventive
    Design the hardware security module to automatically clear its internal buffers of sensitive information after it recovers from an error condition. CC ID 12252 Systems design, build, and implementation Preventive
    Design the hardware security module to automatically clear its internal buffers of sensitive information when it has timed out. CC ID 12251
    [Sensitive data shall not be retained any longer, or used more often, than strictly necessary. Online PINs are encrypted within the device immediately after PIN entry is complete and has been signified as such by the cardholder, e.g., via pressing the enter button.
    The device must automatically clear its internal buffers when either:
    - The transaction is completed, or
    - The device has timed out waiting for the response from the cardholder or merchant. B6]
    Systems design, build, and implementation Preventive
    Design the hardware security module to erase sensitive data when compromised. CC ID 12275
    [{physical alteration} While in transit from the manufacturer’s facility to the initial key-loading facility, the device is:
    - Shipped and stored in tamper-evident packaging; and/or
    - Shipped and stored containing a secret that is immediately and automatically erased if any physical or functional alteration to the device is attempted, that can be verified by the initial key-loading facility, but that cannot feasibly be determined by unauthorized personnel. M3]
    Systems design, build, and implementation Preventive
    Restrict key-usage information for cryptographic keys in the hardware security module. CC ID 12232 Systems design, build, and implementation Preventive
    Prevent cryptographic keys in the hardware security module from making unauthorized changes to data. CC ID 12231
    [It is not possible to encrypt or decrypt any arbitrary data using any PIN-encrypting key or key-encrypting key contained in the device. The device must enforce that data keys, key-encipherment keys, and PIN-encryption keys have different values. B13]
    Systems design, build, and implementation Preventive
    Protect sensitive information within the hardware security module from unauthorized changes. CC ID 12225
    [{sensitive function}{sensitive data} Sensitive functions or data are only used in the protected area(s) of the device. Sensitive data and functions dealing with sensitive data are protected from modification without requiring an attack potential of at least 26 for identification and initial exploitation, with a minimum of 13 for exploitation, exclusive of the IC card reader, for identification and initial exploitation. A4]
    Systems design, build, and implementation Preventive
    Prohibit sensitive functions from working outside of protected areas of the hardware security module. CC ID 12224
    [{sensitive function}{sensitive data} Sensitive functions or data are only used in the protected area(s) of the device. Sensitive data and functions dealing with sensitive data are protected from modification without requiring an attack potential of at least 26 for identification and initial exploitation, with a minimum of 13 for exploitation, exclusive of the IC card reader, for identification and initial exploitation. A4]
    Systems design, build, and implementation Preventive
    Install secret information into the hardware security module during manufacturing. CC ID 12249 Systems design, build, and implementation Preventive
    Install secret information into the hardware security module so that it can only be verified by the initial-key-loading facility. CC ID 12272
    [{initial-key-loading facility} If the device will be authenticated at the key-loading facility or the facility of initial deployment by means of secret information placed in the device during manufacturing, then this secret information is unique to each device, unknown and unpredictable to any person, and installed in the device under dual control to ensure that it is not disclosed during installation. L6
    {physical alteration} While in transit from the manufacturer’s facility to the initial key-loading facility, the device is:
    - Shipped and stored in tamper-evident packaging; and/or
    - Shipped and stored containing a secret that is immediately and automatically erased if any physical or functional alteration to the device is attempted, that can be verified by the initial key-loading facility, but that cannot feasibly be determined by unauthorized personnel. M3]
    Systems design, build, and implementation Preventive
    Install secret information under dual control into the hardware security module. CC ID 12257
    [{initial-key-loading facility} If the device will be authenticated at the key-loading facility or the facility of initial deployment by means of secret information placed in the device during manufacturing, then this secret information is unique to each device, unknown and unpredictable to any person, and installed in the device under dual control to ensure that it is not disclosed during installation. L6]
    Systems design, build, and implementation Preventive
    Refrain from hard-coding security parameters in source code. CC ID 14917 Systems design, build, and implementation Preventive
    Refrain from displaying error messages to end users through secure coding techniques in source code. CC ID 12166 Systems design, build, and implementation Preventive
    Initiate the System Development Life Cycle implementation phase. CC ID 06268 Systems design, build, and implementation Preventive
    Implement systems to allow for maintenance, cleaning, adjustment, and use. CC ID 06213
    [{inspection process} Controls exist over the repair process, including the resetting of tamper mechanisms, and the inspection/testing process subsequent to repair to ensure that the device has not been subject to unauthorized modification. L8]
    Systems design, build, and implementation Preventive
  • Technical Security
    90
    Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 Audits and risk management Preventive
    Perform vulnerability scans, as necessary. CC ID 11637
    [The device vendor has maintenance measures in place.
    a) The maintenance measures are documented.
    b) The maintenance measures ensure timely detection of vulnerabilities that apply to the device by periodic execution of a vulnerability assessment that includes activities such as: analysis, survey of information available in the public domain, and testing.
    c) The maintenance measures ensure timely assessment and classification of newly found vulnerabilities.
    d) The maintenance measures ensure timely creation of mitigation measures for newly found vulnerabilities that may impact device security. J2]
    Monitoring and measurement Detective
    Identify and document security vulnerabilities. CC ID 11857
    [The device vendor has internal policies and procedures that ensure that the vendor maintains an effective process for detecting vulnerabilities that may exist within their device. This process is expected to be robust enough to include all interfaces defined in requirement F1. This process must be effective enough to detect vulnerabilities which may have not been publicly known during the last vulnerability assessment. G1
    The device has undergone a vulnerability assessment to ensure that the protocols and interfaces listed in F1 do not contain exploitable vulnerabilities.
    a) The vulnerability assessment is supported by a documented analysis describing the security of the protocols and interfaces.
    b) The vulnerability assessment is supported by a vulnerability survey of information available in the public domain.
    c) The vulnerability assessment is supported by testing. G2]
    Monitoring and measurement Detective
    Use dedicated user accounts when conducting vulnerability scans. CC ID 12098 Monitoring and measurement Preventive
    Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638 Monitoring and measurement Detective
    Correlate vulnerability scan reports from the various systems. CC ID 10636 Monitoring and measurement Detective
    Perform vulnerability scans prior to installing payment applications. CC ID 12192 Monitoring and measurement Detective
    Implement scanning tools, as necessary. CC ID 14282 Monitoring and measurement Detective
    Repeat vulnerability scanning after an approved change occurs. CC ID 12468 Monitoring and measurement Detective
    Perform external vulnerability scans on the organization's systems. CC ID 11624 Monitoring and measurement Detective
    Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635 Monitoring and measurement Detective
    Perform vulnerability assessments, as necessary. CC ID 11828
    [The device vendor has maintenance measures in place.
    a) The maintenance measures are documented.
    b) The maintenance measures ensure timely detection of vulnerabilities that apply to the device by periodic execution of a vulnerability assessment that includes activities such as: analysis, survey of information available in the public domain, and testing.
    c) The maintenance measures ensure timely assessment and classification of newly found vulnerabilities.
    d) The maintenance measures ensure timely creation of mitigation measures for newly found vulnerabilities that may impact device security. J2
    The device has undergone a vulnerability assessment to ensure that the protocols and interfaces listed in F1 do not contain exploitable vulnerabilities.
    a) The vulnerability assessment is supported by a documented analysis describing the security of the protocols and interfaces.
    b) The vulnerability assessment is supported by a vulnerability survey of information available in the public domain.
    c) The vulnerability assessment is supported by testing. G2]
    Monitoring and measurement Corrective
    Review applications for security vulnerabilities after the application is updated. CC ID 11938 Monitoring and measurement Detective
    Control access rights to organizational assets. CC ID 00004 Technical security Preventive
    Establish access rights based on least privilege. CC ID 01411
    [The operating system of the device must contain only the software (components and services) necessary for the intended operation. The operating system must be configured securely and run with least privilege. B18
    The following features of the device’s operating system must be in place:
    - The operating system of the device must contain only the software (components and services) necessary for the intended operation.
    - The operating system must be configured securely and run with least privilege.
    - The security policy enforced by the device must not allow unauthorized or unnecessary functions.
    - API functionality and commands that are not required to support specific functionality must be disabled (and where possible, removed). K21]
    Technical security Preventive
    Assign user permissions based on job responsibilities. CC ID 00538 Technical security Preventive
    Assign user privileges after they have management sign off. CC ID 00542 Technical security Preventive
    Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412
    [The device has characteristics that prevent or significantly deter the use of the device for exhaustive PAN determination. K18]
    Technical security Preventive
    Disallow unlocking user accounts absent system administrator approval. CC ID 01413 Technical security Preventive
    Include digital identification procedures in the access control program. CC ID 11841 Technical security Preventive
    Require proper authentication for user identifiers. CC ID 11785
    [The update mechanism ensures security, i.e., integrity, mutual authentication, and protection against replay, by using an appropriate and declared security protocol when using a network connection. For manual updates, administrator rights must be implemented using password/PINs and/or cryptographic authentication techniques. J4
    Access to sensitive services requires authentication. Sensitive services provide access to the underlying sensitive functions. Sensitive functions are those functions that process sensitive data such as cryptographic keys, account data, and passwords. Entering or exiting sensitive services shall not reveal or otherwise affect sensitive data. K22
    Access to sensitive services requires authentication. Sensitive services provide access to the underlying sensitive functions. Sensitive functions are those functions that process sensitive data such as cryptographic keys, PINs, and passwords. Entering or exiting sensitive services shall not reveal or otherwise affect sensitive data. B7]
    Technical security Preventive
    Refrain from allowing individuals to share authentication mechanisms. CC ID 11932 Technical security Preventive
    Refrain from assigning authentication mechanisms for shared accounts. CC ID 11910 Technical security Preventive
    Employ live scans to verify biometric authentication. CC ID 06847 Technical security Preventive
    Control all methods of remote access and teleworking. CC ID 00559 Technical security Preventive
    Manage the use of encryption controls and cryptographic controls. CC ID 00570
    [Public keys must be stored and used in a manner that protects against unauthorized modification or substitution. Unauthorized modification or substitution requires an attack potential of at least 26 for identification and initial exploitation with a minimum of 13 for exploitation. K3.1
    {mode of operation} All account data shall be encrypted using only ANSI X9 or ISO-approved encryption algorithms (e.g., AES, TDES) and should use ANSI X9 or ISO-approved modes of operation. K4]
    Technical security Preventive
    Employ only secure versions of cryptographic controls. CC ID 12491 Technical security Preventive
    Make key usage for data fields unique for each device. CC ID 04828
    [{secret keys}{private keys} Secret and private keys that reside within the device to support account data encryption are unique per device. K7
    Encryption or decryption of any arbitrary data using any account data-encrypting key or key-encrypting key contained in the device is not permitted.\ The device must enforce that account data keys, key-encipherment keys, and PIN-encryption keys have different values. K8
    It is not possible to encrypt or decrypt any arbitrary data using any PIN-encrypting key or key-encrypting key contained in the device. The device must enforce that data keys, key-encipherment keys, and PIN-encryption keys have different values. B13]
    Technical security Preventive
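    The K7, K8 and B13 requirements above describe a mechanism rather than a policy: keys are unique per device, the account-data key, the key-encipherment key and the PIN key must hold different values, and none of them may be driven with arbitrary caller-supplied plaintext. The following is an added illustration, not PCI SSC, UCF or any vendor's code, of a key store whose only entry points are purpose-bound. The names, the per-device derivation from a seed generated at key loading, the ISO 9564-1 format 0 PIN block construction and the keystream cipher are assumptions for the example; K4 requires an ANSI X9 / ISO-approved algorithm such as AES, which the Python standard library does not provide, so an HMAC-SHA256 keystream stands in for it here and must be replaced in a real device.

```python
"""Per-device key separation with usage-bound operations (added example, K7/K8/B13).

Not PCI SSC or vendor code. The derivation scheme and the keystream cipher are
assumptions; the cipher is NOT an approved algorithm and stands in for AES.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, FrozenSet

ACCOUNT_DATA = "account-data-encryption"
KEK = "key-encipherment"
PIN = "pin-encryption"
USAGES = (ACCOUNT_DATA, KEK, PIN)


class KeyUsageError(Exception):
    """A key was requested for something other than its declared purpose."""


@dataclass(frozen=True)
class KeyMaterial:
    """Key bytes tagged with their purpose: the only thing the KEK may wrap."""
    usage: str
    value: bytes


def luhn_ok(pan: str) -> bool:
    """Shape check so the account-data key only ever sees PAN-shaped input."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def iso9564_format0_block(pin: str, pan: str) -> bytes:
    """ISO 9564-1 format 0: PIN field XOR PAN field (12 digits left of the check digit)."""
    if not (pin.isdigit() and 4 <= len(pin) <= 12 and luhn_ok(pan)):
        raise ValueError("PIN must be 4-12 digits and PAN must be valid")
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    pan_field = bytes.fromhex("0000" + pan[-13:-1])
    return bytes(a ^ b for a, b in zip(pin_field, pan_field))


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (NOT approved): HMAC-SHA256 counter keystream XOR data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class DeviceKeyStore:
    """Three per-device keys, each reachable only through a purpose-specific call."""

    def __init__(self, device_serial: str, device_seed: bytes):
        # device_seed is produced inside the device at key loading (os.urandom(32));
        # it is a constructor argument only so the example is reproducible (K7).
        self._keys: Dict[str, bytes] = {
            u: hmac.new(device_seed, f"{device_serial}|{u}".encode(), hashlib.sha256).digest()
            for u in USAGES
        }
        if len(set(self._keys.values())) != len(USAGES):   # K8 / B13: distinct values
            raise KeyUsageError("derived keys are not distinct")

    def fingerprints(self) -> FrozenSet[str]:
        """Hashes of the keys for audit; the keys themselves never leave the store."""
        return frozenset(hashlib.sha256(k).hexdigest()[:16] for k in self._keys.values())

    def encrypt_account_data(self, pan: str) -> bytes:
        if not luhn_ok(pan):
            raise KeyUsageError("account-data key accepts PAN-shaped input only")
        nonce = os.urandom(8)
        return nonce + _keystream_xor(self._keys[ACCOUNT_DATA], nonce, pan.encode())

    def encrypt_pin(self, pin: str, pan: str) -> bytes:
        # The caller supplies PIN and PAN; the block is formatted in here, so the
        # PIN key can only ever encrypt a well-formed PIN block (B13).
        nonce = os.urandom(8)
        return nonce + _keystream_xor(self._keys[PIN], nonce, iso9564_format0_block(pin, pan))

    def wrap_key(self, km: KeyMaterial) -> bytes:
        if km.usage not in USAGES or len(km.value) not in (16, 24, 32):
            raise KeyUsageError("KEK wraps tagged key material only")
        nonce = os.urandom(8)
        return nonce + _keystream_xor(self._keys[KEK], nonce, km.usage.encode() + b"\x00" + km.value)
    # Deliberately no encrypt(usage, arbitrary_bytes) entry point exists.


def rejects_arbitrary_data(store: DeviceKeyStore) -> bool:
    """True if neither the account-data key nor the KEK will process arbitrary bytes."""
    attempts = (
        lambda: store.encrypt_account_data("attacker-chosen plaintext"),
        lambda: store.wrap_key(KeyMaterial("arbitrary", b"attacker-chosen plaintext")),
    )
    for attempt in attempts:
        try:
            attempt()
            return False
        except KeyUsageError:
            continue
    return True
```

    The design point is that the API surface, not a runtime flag, is what enforces K8 and B13: a caller can obtain an encrypted PAN, an encrypted PIN block or a wrapped key, but there is no call that takes a key handle and a plaintext buffer.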
    Accept only trusted keys and/or certificates. CC ID 11988 Technical security Preventive
    Bind keys to each identity. CC ID 12337 Technical security Preventive
    Generate unique cryptographic keys for each user. CC ID 12169 Technical security Preventive
    Implement decryption keys so that they are not linked to user accounts. CC ID 06851 Technical security Preventive
    Store key-encrypting keys and data-encrypting keys in different locations. CC ID 06085 Technical security Preventive
    Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys. CC ID 06852 Technical security Preventive
    Issue authentication mechanisms that support the Public Key Infrastructure. CC ID 07092 Technical security Preventive
    Establish a Root Certification Authority to support the Public Key Infrastructure. CC ID 07084
    [{Certificate Authority} The device uses a declared security protocol to authenticate the server.\ a) Server authentication utilizes key sizes appropriate for the algorithm(s) in question.\ b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.\ c) The device is able to verify the validity of the public keys it receives.\ d) The device is able to verify the authenticity of the public keys it receives.\ e) The device’s trusted root certificate store shall contain only public key certificates from trusted CAs or else self-signed certificates verified by the acquirer. I4]
    Technical security Preventive
    Connect the Public Key Infrastructure to the organization's identity and access management system. CC ID 07091 Technical security Preventive
    Refrain from storing encryption keys with cloud service providers when cryptographic key management services are in place locally. CC ID 13153 Technical security Preventive
    Refrain from permitting cloud service providers to manage encryption keys when cryptographic key management services are in place locally. CC ID 13154 Technical security Preventive
    Use strong data encryption to transmit restricted data or restricted information over public networks. CC ID 00564
    [The device is able to provide confidentiality of data sent over a network connection.\ a) Encryption mechanism utilizes key sizes appropriate for the algorithm(s) in question.\ b) Encryption is provided by using keys that are established in a secure manner using appropriate key-management procedures, such as those listed in NIST SP800-21, Guidelines for Implementing Cryptography in the Federal Government and ISO 11568 Banking – Key Management (Retail). I2]
    Technical security Preventive
    Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls. CC ID 12492 Technical security Preventive
    Encrypt traffic over public networks with trusted cryptographic keys. CC ID 12490 Technical security Preventive
    Treat data messages that do not receive an acknowledgment as never having been sent. CC ID 14416 Technical security Preventive
    Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks. CC ID 00568 Technical security Preventive
    Protect application services information transmitted over a public network from unauthorized modification. CC ID 12021 Technical security Preventive
    Protect application services information transmitted over a public network from unauthorized disclosure. CC ID 12020 Technical security Preventive
    Protect application services information transmitted over a public network from contract disputes. CC ID 12019 Technical security Preventive
    Protect application services information transmitted over a public network from fraudulent activity. CC ID 12018 Technical security Preventive
    Protect the system against replay attacks. CC ID 04552
    [The device is able to detect replay of messages and enables the secure handling of the exceptions. I5]
    Technical security Preventive
    Establish, implement, and maintain on-site logical controls for all distributed assets. CC ID 11682 Physical and environmental protection Preventive
    Establish, implement, and maintain off-site logical controls for all distributed assets. CC ID 11683 Physical and environmental protection Preventive
    Remote lock any distributed assets reported lost or stolen. CC ID 14008 Physical and environmental protection Corrective
    Remotely control operational conditions at unmanned facilities. CC ID 11680 Physical and environmental protection Preventive
    Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 Operational management Preventive
    Control remote maintenance according to the system's asset classification. CC ID 01433
    [The update mechanism ensures security, i.e., integrity, mutual authentication, and protection against replay, by using an appropriate and declared security protocol when using a network connection. For manual updates, administrator rights must be implemented using password/PINs and/or cryptographic authentication techniques. J4]
    Operational management Preventive
    Approve all remote maintenance sessions. CC ID 10615 Operational management Preventive
    Terminate remote maintenance sessions when the remote maintenance is complete. CC ID 12083 Operational management Preventive
    Employ dedicated systems during system maintenance. CC ID 12108 Operational management Preventive
    Isolate dedicated systems used for system maintenance from Internet access. CC ID 12114 Operational management Preventive
    Integrate configuration management procedures into the change control program. CC ID 13646 Operational management Preventive
    Implement patch management software, as necessary. CC ID 12094 Operational management Preventive
    Include updates and exceptions to hardened images as a part of the patch management program. CC ID 12087 Operational management Preventive
    Review the patch log for missing patches. CC ID 13186 Operational management Detective
    Patch software. CC ID 11825 Operational management Corrective
    Patch the operating system, as necessary. CC ID 11824 Operational management Corrective
    Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682
    [If the device allows updates of firmware, the device cryptographically authenticates the firmware and if the authenticity is not confirmed, the firmware update is rejected and deleted. B4
    The firmware must support the authentication of applications loaded onto the terminal consistent with B4. If the device allows software application and/or configuration updates, the device cryptographically authenticates updates consistent with B4. B4.1
    If the manufacturer is in charge of initial key loading, the manufacturer must verify the authenticity of the POI security-related components. M5
    If the manufacturer is not in charge of initial key loading, the manufacturer must provide the means to the initial key-loading facility to assure the verification of the authenticity of the POI security-related components. M6
    The firmware, and any changes thereafter, have been inspected and reviewed consistent with B3. K10
    The firmware must confirm the authenticity of all applications loaded onto the terminal consistent with B4. If the device allows software application and/or configuration updates, the device cryptographically authenticates all updates consistent with B4. K11.1
    If the device allows updates of firmware, the device cryptographically authenticates the firmware and if the authenticity is not confirmed, the firmware update is rejected and deleted. K12]
    Operational management Detective
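    B4, B4.1, K11.1 and K12 all reduce to the same control flow: authenticate the image before anything trusts its contents, and if authentication fails, reject it and delete it rather than leaving it staged for a retry; J4 adds that a network update path must also resist replay. The following added example, which is not PCI SSC, UCF or any vendor's code, shows that flow end to end. Real devices verify a vendor signature (RSA or ECDSA) against a public key held in protected storage; the HMAC-SHA256 tag here is a stand-in because the standard library has no asymmetric signing, and the header layout, the file names and the monotonic version rule used for the replay check are assumptions for the example.

```python
"""Authenticate a staged firmware image before installing it (added example).

Not PCI SSC or vendor code. HMAC-SHA256 stands in for the vendor signature;
header layout and version rule are assumptions.
"""
import hashlib
import hmac
import os
import struct
import tempfile
from pathlib import Path
from typing import Dict, Tuple

MAGIC = b"POIFW1"
HEADER_LEN = len(MAGIC) + 4      # magic || version (uint32, big-endian)
TAG_LEN = 32


def package_image(vendor_key: bytes, version: int, image: bytes) -> bytes:
    """Vendor side: header || image || tag(header || image)."""
    header = MAGIC + struct.pack(">I", version)
    return header + image + hmac.new(vendor_key, header + image, hashlib.sha256).digest()


def _secure_delete(path: Path) -> None:
    """Overwrite then unlink: a rejected image must not stay around to be retried."""
    size = path.stat().st_size
    with open(path, "r+b") as fh:
        fh.write(b"\x00" * size)
        fh.flush()
        os.fsync(fh.fileno())
    path.unlink()


def verify_and_install(vendor_key: bytes, staged: Path, installed_version: int,
                       install_dir: Path) -> Tuple[bool, str]:
    """Returns (installed?, reason). Every failure path deletes the staged file."""
    data = staged.read_bytes()
    if len(data) < HEADER_LEN + TAG_LEN or not data.startswith(MAGIC):
        _secure_delete(staged)
        return False, "malformed"
    body, tag = data[:-TAG_LEN], data[-TAG_LEN:]
    expected = hmac.new(vendor_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        _secure_delete(staged)
        return False, "authentication failed"
    # Only fields covered by the verified tag are trusted, so parse the version now.
    version = struct.unpack(">I", body[len(MAGIC):HEADER_LEN])[0]
    if version <= installed_version:                 # replayed or rolled-back image
        _secure_delete(staged)
        return False, "stale version (replay or rollback)"
    (install_dir / f"firmware-v{version}.bin").write_bytes(body[HEADER_LEN:])
    staged.unlink()
    return True, f"installed v{version}"


def demo() -> Dict[str, object]:
    """Constructed cases: a good image, a tampered copy and a replay of the good one."""
    results: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        install = work / "fw"
        install.mkdir()
        key = b"\x42" * 32                           # constructed vendor key
        good = package_image(key, 7, b"\x90" * 64)
        tampered = bytearray(good)
        tampered[HEADER_LEN + 3] ^= 0x01             # flip one image byte
        cases = (("good", good, 6), ("tampered", bytes(tampered), 6), ("replayed", good, 7))
        for name, blob, current in cases:
            staged = work / f"{name}.bin"
            staged.write_bytes(blob)
            ok, reason = verify_and_install(key, staged, current, install)
            results[name] = (ok, reason, staged.exists())
        results["installed"] = sorted(p.name for p in install.iterdir())
    return results
```

    Note the ordering: the structural check only looks at length and magic, the tag is verified next, and the version field is read only after the tag passes, so an attacker who can stage files cannot influence any decision with unauthenticated data.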
    Configure security parameter settings on all system components appropriately. CC ID 12041
    [The operating system of the device must contain only the software (components and services) necessary for the intended operation. The operating system must be configured securely and run with least privilege. B18
    The following features of the device’s operating system must be in place:\ - The operating system of the device must contain only the software (components and services) necessary for the intended operation.\ - The operating system must be configured securely and run with least privilege.\ - The security policy enforced by the device must not allow unauthorized or unnecessary functions.\ - API functionality and commands that are not required to support specific functionality must be disabled (and where possible, removed). K21]
    System hardening through configuration management Preventive
    Refrain from using assertion lifetimes to limit each session. CC ID 13871 System hardening through configuration management Preventive
    Restrict and control the use of privileged utility programs. CC ID 12030 System hardening through configuration management Preventive
    Establish, implement, and maintain service accounts. CC ID 13861 System hardening through configuration management Preventive
    Review the ownership of service accounts, as necessary. CC ID 13863 System hardening through configuration management Detective
    Manage access credentials for service accounts. CC ID 13862 System hardening through configuration management Preventive
    Store master images on securely configured servers. CC ID 12089 System hardening through configuration management Preventive
    Update the security configuration of hardened images, as necessary. CC ID 12088 System hardening through configuration management Corrective
    Include restricted data encryption and restricted information encryption in the security controls. CC ID 01083 Systems design, build, and implementation Preventive
    Require successful authentication before granting access to system functionality via network interfaces. CC ID 14926 Systems design, build, and implementation Preventive
    Protect applications from improper access control through secure coding techniques in source code. CC ID 11959 Systems design, build, and implementation Preventive
    Protect applications from improper error handling through secure coding techniques in source code. CC ID 11937
    [The device’s functionality shall not be influenced by logical anomalies such as (but not limited to) unexpected command sequences, unknown commands, commands in a wrong device mode and supplying wrong parameters or data which could result in the device outputting the clear-text PIN or other sensitive data. B2
    The device’s functionality shall not be influenced by logical anomalies consistent with B2. K13]
    Systems design, build, and implementation Preventive
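    B2 and K13 name four anomaly classes (unexpected sequences, unknown commands, commands in the wrong mode, wrong parameters) and one forbidden outcome (sensitive data on an output). The following added example, not PCI SSC, UCF or vendor code, is a command dispatcher for a PIN-entry state machine in which every anomaly takes one fail-closed path: the PIN buffer is cleared, the device returns to idle, and the response carries a status code with no data. Command names, the two modes, the `max_len` parameter and the injected `encrypt_pin` callable (standing in for the PIN-key encryption service) are assumptions.

```python
"""Fail-closed command dispatcher for a PIN-entry state machine (added example, B2/K13).

Not PCI SSC or vendor code. Command names, modes and the encrypt_pin callable
are assumptions for the example.
"""
from enum import Enum, auto
from typing import Callable, Dict, List, Tuple

Response = Tuple[str, Dict[str, str]]   # (status, fields); fields is empty on error


class Mode(Enum):
    IDLE = auto()
    SECURE_PIN_ENTRY = auto()


class PinPad:
    def __init__(self, encrypt_pin: Callable[[str], str]):
        self._encrypt_pin = encrypt_pin      # stand-in for the PIN-key encryption service
        self.mode = Mode.IDLE
        self._pin = ""                        # sensitive; only ever leaves encrypted
        self._max_len = 12
        self.audit: List[str] = []            # reasons only, never parameters or digits

    def handle(self, cmd: str, params: Dict[str, object]) -> Response:
        # Each command declares the only mode it is valid in (None = any mode).
        table = {
            "START_PIN": (Mode.IDLE, self._start_pin),
            "DIGIT": (Mode.SECURE_PIN_ENTRY, self._digit),
            "GET_PIN_BLOCK": (Mode.SECURE_PIN_ENTRY, self._get_pin_block),
            "CANCEL": (None, self._cancel),
        }
        entry = table.get(cmd)
        if entry is None:
            return self._fail("unknown command")
        required, fn = entry
        if required is not None and self.mode is not required:
            return self._fail("command not valid in current mode")
        try:
            return fn(params)
        except (KeyError, TypeError, ValueError):
            return self._fail("bad parameters")

    def _fail(self, reason: str) -> Response:
        self._pin = ""                        # never keep a partial PIN after an anomaly
        self.mode = Mode.IDLE
        self.audit.append(reason)
        return ("ERR", {})

    def _start_pin(self, params: Dict[str, object]) -> Response:
        max_len = params.get("max_len", 12)
        if max_len not in range(4, 13):
            raise ValueError("max_len out of range")
        self._max_len = int(max_len)
        self.mode = Mode.SECURE_PIN_ENTRY
        return ("OK", {})

    def _digit(self, params: Dict[str, object]) -> Response:
        d = params["digit"]                   # KeyError if absent -> bad parameters
        if not (isinstance(d, str) and len(d) == 1 and d.isdigit()):
            raise ValueError("digit must be a single numeric character")
        if len(self._pin) >= self._max_len:
            raise ValueError("too many digits")   # an anomaly, not a silent truncation
        self._pin += d
        return ("OK", {"count": str(len(self._pin))})   # count only, never the digit

    def _get_pin_block(self, params: Dict[str, object]) -> Response:
        if len(self._pin) < 4:
            raise ValueError("PIN too short")
        block = self._encrypt_pin(self._pin)
        self._pin = ""
        self.mode = Mode.IDLE
        return ("OK", {"pin_block": block})

    def _cancel(self, params: Dict[str, object]) -> Response:
        self._pin = ""
        self.mode = Mode.IDLE
        return ("OK", {})
```

    The audit list exists so a tester can confirm that the error path fired for each anomaly class without the log itself becoming a side channel: it records the reason string and nothing from the request.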
    Protect applications from insecure communications through secure coding techniques in source code. CC ID 11936 Systems design, build, and implementation Preventive
    Protect applications from XML external entities through secure coding techniques in source code. CC ID 14806 Systems design, build, and implementation Preventive
    Protect applications from insecure deserialization through secure coding techniques in source code. CC ID 14805 Systems design, build, and implementation Preventive
    Refrain from hard-coding usernames in source code. CC ID 06561 Systems design, build, and implementation Preventive
    Refrain from hard-coding authenticators in source code. CC ID 11829 Systems design, build, and implementation Preventive
    Refrain from hard-coding cryptographic keys in source code. CC ID 12307 Systems design, build, and implementation Preventive
    Protect applications from injection flaws through secure coding techniques in source code. CC ID 11944 Systems design, build, and implementation Preventive
    Control user account management through secure coding techniques in source code. CC ID 11909 Systems design, build, and implementation Preventive
    Restrict direct access of databases to the database administrator through secure coding techniques in source code. CC ID 11933 Systems design, build, and implementation Preventive
    Protect applications from buffer overflows through secure coding techniques in source code. CC ID 11943 Systems design, build, and implementation Preventive
    Protect applications from insecure cryptographic storage through secure coding techniques in source code. CC ID 11935 Systems design, build, and implementation Preventive
    Protect databases from unauthorized database management actions through secure coding techniques in source code. CC ID 12049 Systems design, build, and implementation Preventive
  • Testing
    23
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Perform risk assessments for all target environments, as necessary. CC ID 06452
    [The device has undergone a vulnerability assessment to ensure that the protocols and interfaces listed in F1 do not contain exploitable vulnerabilities.\ a) The vulnerability assessment is supported by a documented analysis describing the security of the protocols and interfaces.\ b) The vulnerability assessment is supported by a vulnerability survey of information available in the public domain.\ c) The vulnerability assessment is supported by testing. G2]
    Audits and risk management Preventive
    Repeat vulnerability scanning, as necessary. CC ID 11646 Monitoring and measurement Detective
    Perform internal vulnerability scans. CC ID 00656 Monitoring and measurement Detective
    Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 Monitoring and measurement Preventive
    Identify the user when enrolling them in the biometric system. CC ID 06882 Technical security Detective
    Require the system to identify and authenticate approved devices before establishing a connection to restricted data. CC ID 01429
    [{POI application} The POI (application) must enforce the correspondence between the display messages visible to the cardholder and the operating state (i.e., secure or non-secure mode) of the PIN entry device, e.g., by using cryptographic authentication.\ If commands impacting the correspondence between the display messages and the operating state of the PIN entry device are received from an external device (e.g., a store controller), the commands enabling data entry must be authenticated.\ The alteration of the correspondence between the display messages visible to the cardholder and the operating state of the PIN entry device cannot occur without requiring an attack potential of at least 18 per POI for identification and initial exploitation with a minimum of 9 for exploitation. E3.4
    {Certificate Authority} The device uses a declared security protocol to authenticate the server.\ a) Server authentication utilizes key sizes appropriate for the algorithm(s) in question.\ b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.\ c) The device is able to verify the validity of the public keys it receives.\ d) The device is able to verify the authenticity of the public keys it receives.\ e) The device’s trusted root certificate store shall contain only public key certificates from trusted CAs or else self-signed certificates verified by the acquirer. I4]
    Technical security Preventive
    Test cryptographic key management applications, as necessary. CC ID 04829 Technical security Detective
    Implement non-repudiation for transactions. CC ID 00567
    [The device supports data origin authentication of encrypted messages. K6]
    Technical security Detective
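    K6 here (data origin authentication of encrypted messages) and I5 earlier (detect replay and handle the exception securely) are two checks on the same inbound frame, and the order in which they run matters. The following added example, not PCI SSC, UCF or vendor code, shows a receiver that verifies a per-sender MAC first and only then consults an IPsec-style sliding replay window, so a forged frame can never advance the window and starve legitimate traffic. The frame layout, the 128-bit truncated HMAC-SHA256 tag, the window size and the sender identifiers are assumptions; a device would use the MAC construction of its declared security protocol.

```python
"""Data origin authentication with replay detection (added example, I5/K6).

Not PCI SSC or vendor code. Frame layout, tag construction and window are
assumptions for the example.
"""
import hashlib
import hmac
from typing import Dict, Tuple

TAG_LEN = 16          # 128-bit truncated tag
HEADER_LEN = 16       # sender_id(8) || sequence(8)


class MessageRejected(Exception):
    """Carries only a reason string, never the offending bytes."""


def build_frame(key: bytes, sender_id: bytes, seq: int, payload: bytes) -> bytes:
    """sender_id || seq || payload || tag; the tag binds origin and sequence number."""
    header = sender_id.ljust(8, b"\x00")[:8] + seq.to_bytes(8, "big")
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


class Receiver:
    """Authenticates frames per sender and rejects replays within a sliding window."""

    def __init__(self, keys: Dict[bytes, bytes], window: int = 64):
        self._keys = keys                                   # sender_id -> MAC key
        self._window = window
        self._mask = (1 << window) - 1
        self._seen: Dict[bytes, Tuple[int, int]] = {}       # sender -> (highest, bitmap)
        self.rejections: Dict[str, int] = {}

    def _reject(self, reason: str) -> None:
        # Secure exception handling: count and surface the reason, drop the frame.
        self.rejections[reason] = self.rejections.get(reason, 0) + 1
        raise MessageRejected(reason)

    def accept(self, frame: bytes) -> bytes:
        if len(frame) < HEADER_LEN + TAG_LEN:
            self._reject("malformed")
        sender = frame[:8]
        seq = int.from_bytes(frame[8:16], "big")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        key = self._keys.get(sender)
        if key is None:
            self._reject("unknown sender")
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        # Verify the tag before touching replay state so forged frames cannot
        # advance the window and cause legitimate frames to be dropped.
        if not hmac.compare_digest(expected, tag):
            self._reject("bad tag")
        highest, bitmap = self._seen.get(sender, (-1, 0))
        if seq > highest:
            shift = seq - highest
            bitmap = ((bitmap << shift) | 1) & self._mask if shift < self._window else 1
            highest = seq
        else:
            behind = highest - seq
            if behind >= self._window or bitmap & (1 << behind):
                self._reject("replay")          # too old to track, or already seen
            bitmap |= 1 << behind
        self._seen[sender] = (highest, bitmap)
        return frame[HEADER_LEN:-TAG_LEN]


def outcome(rx: Receiver, frame: bytes) -> str:
    """Status string instead of an exception, for callers that tally results."""
    try:
        rx.accept(frame)
        return "accepted"
    except MessageRejected as exc:
        return str(exc)
```

    Bit 0 of the bitmap is the highest sequence number seen and bit n is the frame n positions behind it, which is why a frame more than `window` behind is rejected outright: the receiver no longer has the state to tell a late delivery from a replay, and the secure choice is to drop it.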
    Test and inspect assets under full load working conditions. CC ID 06356 Physical and environmental protection Detective
    Conduct maintenance with authorized personnel. CC ID 01434 Operational management Detective
    Calibrate assets according to the calibration procedures for the asset. CC ID 06203 Operational management Detective
    Test proposed changes prior to their approval. CC ID 00548 Operational management Detective
    Perform risk assessments prior to approving change requests. CC ID 00888 Operational management Preventive
    Perform a patch test prior to deploying a patch. CC ID 00898 Operational management Detective
    Test software patches for any potential compromise of the system's security. CC ID 13175 Operational management Detective
    Review changes to computer firmware. CC ID 12226
    [The firmware and any changes thereafter have been inspected and reviewed using a documented and auditable process, and certified as being free from hidden and unauthorized or undocumented functions. B3]
    Operational management Detective
    Certify changes to computer firmware are free of malicious logic. CC ID 12227
    [The firmware and any changes thereafter have been inspected and reviewed using a documented and auditable process, and certified as being free from hidden and unauthorized or undocumented functions. B3]
    Operational management Detective
    Test the system's operational functionality after implementing approved changes. CC ID 06294 Operational management Detective
    Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541 Operational management Detective
    Test network access controls for proper Configuration Management settings. CC ID 01281 System hardening through configuration management Detective
    Verify wireless peripherals meet organizational security requirements. CC ID 00657 System hardening through configuration management Detective
    Test systems to ensure they conform to configuration baselines. CC ID 13062 System hardening through configuration management Detective
    Audit all modifications to the application being developed. CC ID 01614 Systems design, build, and implementation Detective
Common Controls and mandates by Classification
104 Mandated Controls - bold
80 Implied Controls - italic
684 Implementation Controls - regular

There are three types of Common Control classifications: corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.

Number of Controls
868 Total
  • Corrective
    25
    IMPACT ZONE TYPE
    Update the vulnerability scanners' vulnerability list. CC ID 10634 Monitoring and measurement Configuration
    Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 Monitoring and measurement Behavior
    Perform vulnerability assessments, as necessary. CC ID 11828
    [The device vendor has maintenance measures in place.\ a) The maintenance measures are documented.\ b) The maintenance measures ensure timely detection of vulnerabilities that apply to the device by periodic execution of a vulnerability assessment that includes activities such as: analysis, survey of information available in the public domain, and testing.\ c) The maintenance measures ensure timely assessment and classification of newly found vulnerabilities.\ d) The maintenance measures ensure timely creation of mitigation measures for newly found vulnerabilities that may impact device security. J2
    The device has undergone a vulnerability assessment to ensure that the protocols and interfaces listed in F1 do not contain exploitable vulnerabilities.\ a) The vulnerability assessment is supported by a documented analysis describing the security of the protocols and interfaces.\ b) The vulnerability assessment is supported by a vulnerability survey of information available in the public domain.\ c) The vulnerability assessment is supported by testing. G2]
    Monitoring and measurement Technical Security
    Notify the user when an authentication is attempted using an expired authenticator. CC ID 13818 Technical security Communicate
    Tune the biometric identification equipment, as necessary. CC ID 07077 Technical security Configuration
    Revoke old cryptographic keys or invalid cryptographic keys immediately. CC ID 01307 Technical security Data and Information Management
    Replace known or suspected compromised cryptographic keys immediately. CC ID 01306 Technical security Data and Information Management
    Remote lock any distributed assets reported lost or stolen. CC ID 14008 Physical and environmental protection Technical Security
    Remote wipe any distributed asset reported lost or stolen. CC ID 12197 Physical and environmental protection Process or Activity
    Unpair missing Bluetooth devices. CC ID 12428 Physical and environmental protection Physical and Environmental Protection
    Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373 Operational and Systems Continuity Systems Continuity
    Update operating procedures that contribute to user errors. CC ID 06935 Operational management Establish/Maintain Documentation
    Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 Operational management Establish/Maintain Documentation
    Approve back-out plans, as necessary. CC ID 13627 Operational management Establish/Maintain Documentation
    Deploy software patches. CC ID 07032 Operational management Configuration
    Patch software. CC ID 11825 Operational management Technical Security
    Patch the operating system, as necessary. CC ID 11824 Operational management Technical Security
    Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 Operational management Configuration
    Remove outdated software after software has been updated. CC ID 11792 Operational management Configuration
    Update computer firmware, as necessary. CC ID 11755 Operational management Configuration
    Remove outdated computer firmware after the computer firmware has been updated. CC ID 10671 Operational management Configuration
    Mitigate the adverse effects of unauthorized changes. CC ID 12244 Operational management Business Processes
    Establish, implement, and maintain a change acceptance testing log. CC ID 06392 Operational management Establish/Maintain Documentation
    Document approved configuration deviations. CC ID 08711 Operational management Establish/Maintain Documentation
    Update the security configuration of hardened images, as necessary. CC ID 12088 System hardening through configuration management Technical Security
  • Detective
    58
    IMPACT ZONE TYPE
    Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 Audits and risk management Investigate
    Update the risk assessment upon discovery of a new threat. CC ID 00708 Audits and risk management Establish/Maintain Documentation
    Update the risk assessment upon changes to the risk profile. CC ID 11627 Audits and risk management Establish/Maintain Documentation
    Conduct external audits of risk assessments, as necessary. CC ID 13308 Audits and risk management Audits and Risk Management
    Perform vulnerability scans, as necessary. CC ID 11637
    [The device vendor has maintenance measures in place.\ a) The maintenance measures are documented.\ b) The maintenance measures ensure timely detection of vulnerabilities that apply to the device by periodic execution of a vulnerability assessment that includes activities such as: analysis, survey of information available in the public domain, and testing.\ c) The maintenance measures ensure timely assessment and classification of newly found vulnerabilities.\ d) The maintenance measures ensure timely creation of mitigation measures for newly found vulnerabilities that may impact device security. J2]
    Monitoring and measurement Technical Security
    Repeat vulnerability scanning, as necessary. CC ID 11646 Monitoring and measurement Testing
    Identify and document security vulnerabilities. CC ID 11857
    [The device vendor has internal policies and procedures that ensure that the vendor maintains an effective process for detecting vulnerabilities that may exist within their device. This process is expected to be robust enough to include all interfaces defined in requirement F1. This process must be effective enough to detect vulnerabilities which may have not been publicly known during the last vulnerability assessment. G1
    The device has undergone a vulnerability assessment to ensure that the protocols and interfaces listed in F1 do not contain exploitable vulnerabilities.\ a) The vulnerability assessment is supported by a documented analysis describing the security of the protocols and interfaces.\ b) The vulnerability assessment is supported by a vulnerability survey of information available in the public domain.\ c) The vulnerability assessment is supported by testing. G2]
    Monitoring and measurement Technical Security
    Rank discovered vulnerabilities. CC ID 11940 Monitoring and measurement Investigate
    Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638 Monitoring and measurement Technical Security
    Correlate vulnerability scan reports from the various systems. CC ID 10636 Monitoring and measurement Technical Security
    Perform internal vulnerability scans. CC ID 00656 Monitoring and measurement Testing
    Perform vulnerability scans prior to installing payment applications. CC ID 12192 Monitoring and measurement Technical Security
    Implement scanning tools, as necessary. CC ID 14282 Monitoring and measurement Technical Security
    Repeat vulnerability scanning after an approved change occurs. CC ID 12468 Monitoring and measurement Technical Security
    Perform external vulnerability scans on the organization's systems. CC ID 11624 Monitoring and measurement Technical Security
    Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635 Monitoring and measurement Technical Security
    Review applications for security vulnerabilities after the application is updated. CC ID 11938 Monitoring and measurement Technical Security
    Identify the user when enrolling them in the biometric system. CC ID 06882 Technical security Testing
    Test cryptographic key management applications, as necessary. CC ID 04829 Technical security Testing
    Implement non-repudiation for transactions. CC ID 00567
    [The device supports data origin authentication of encrypted messages. K6]
    Technical security Testing
    Establish, implement, and maintain an anti-tamper protection program. CC ID 10638 Physical and environmental protection Monitor and Evaluate Occurrences
    Inspect telephones for eavesdropping devices. CC ID 02223 Physical and environmental protection Physical and Environmental Protection
    Attach asset location technologies to distributed assets. CC ID 10626 Physical and environmental protection Physical and Environmental Protection
    Monitor the location of distributed assets. CC ID 11684 Physical and environmental protection Monitor and Evaluate Occurrences
    Test and inspect assets under full load working conditions. CC ID 06356 Physical and environmental protection Testing
    Monitor and review environmental protections. CC ID 12571 Physical and environmental protection Monitor and Evaluate Occurrences
    Install and maintain seismic detectors in critical facilities. CC ID 06364 Physical and environmental protection Physical and Environmental Protection
    Install and maintain an environment control monitoring system. CC ID 06370 Physical and environmental protection Monitor and Evaluate Occurrences
    Review and approve access controls, as necessary. CC ID 13074 Operational management Process or Activity
    Perform social network analysis, as necessary. CC ID 14864 Operational management Investigate
    Control and monitor all maintenance tools. CC ID 01432 Operational management Physical and Environmental Protection
    Conduct maintenance with authorized personnel. CC ID 01434 Operational management Testing
    Calibrate assets according to the calibration procedures for the asset. CC ID 06203 Operational management Testing
    Test proposed changes prior to their approval. CC ID 00548 Operational management Testing
    Examine all changes to ensure they correspond with the change request. CC ID 12345 Operational management Business Processes
    Conduct network certifications prior to approving change requests for networks. CC ID 13121 Operational management Process or Activity
    Analyze mitigating controls for vulnerabilities in the network when certifying the network. CC ID 13126 Operational management Investigate
    Collect data about the network environment when certifying the network. CC ID 13125 Operational management Investigate
    Review the patch log for missing patches. CC ID 13186 Operational management Technical Security
    Perform a patch test prior to deploying a patch. CC ID 00898 Operational management Testing
    Test software patches for any potential compromise of the system's security. CC ID 13175 Operational management Testing
    Review changes to computer firmware. CC ID 12226
    [The firmware and any changes thereafter have been inspected and reviewed using a documented and auditable process, and certified as being free from hidden and unauthorized or undocumented functions. B3]
    Operational management Testing
    Certify changes to computer firmware are free of malicious logic. CC ID 12227
    [The firmware and any changes thereafter have been inspected and reviewed using a documented and auditable process, and certified as being free from hidden and unauthorized or undocumented functions. B3]
    Operational management Testing
    Implement cryptographic mechanisms to authenticate software and computer firmware before installation. CC ID 10682
    [If the device allows updates of firmware, the device cryptographically authenticates the firmware and if the authenticity is not confirmed, the firmware update is rejected and deleted. B4
    The firmware must support the authentication of applications loaded onto the terminal consistent with B4. If the device allows software application and/or configuration updates, the device cryptographically authenticates updates consistent with B4. B4.1
    If the manufacturer is in charge of initial key loading, the manufacturer must verify the authenticity of the POI security-related components. M5
    If the manufacturer is not in charge of initial key loading, the manufacturer must provide the means to the initial key-loading facility to assure the verification of the authenticity of the POI security-related components. M6
    The firmware, and any changes thereafter, have been inspected and reviewed consistent with B3. K10
    The firmware must confirm the authenticity of all applications loaded onto the terminal consistent with B4. If the device allows software application and/or configuration updates, the device cryptographically authenticates all updates consistent with B4. K11.1
    If the device allows updates of firmware, the device cryptographically authenticates the firmware and if the authenticity is not confirmed, the firmware update is rejected and deleted. K12]
    Operational management Technical Security
    Establish, implement, and maintain approved change acceptance testing procedures. CC ID 06391 Operational management Establish/Maintain Documentation
    Test the system's operational functionality after implementing approved changes. CC ID 06294 Operational management Testing
    Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred. CC ID 04541 Operational management Testing
    Establish, implement, and maintain a configuration change log. CC ID 08710 Operational management Configuration
    Test network access controls for proper Configuration Management settings. CC ID 01281 System hardening through configuration management Testing
    Review the ownership of service accounts, as necessary. CC ID 13863 System hardening through configuration management Technical Security
    Verify wireless peripherals meet organizational security requirements. CC ID 00657 System hardening through configuration management Testing
    Test systems to ensure they conform to configuration baselines. CC ID 13062 System hardening through configuration management Testing
    Include anti-tamper technologies and anti-tamper techniques in the system design specification. CC ID 10639
    [The PIN pad (PIN entry area) and the surrounding area must be designed and engineered in such a way that the complete device does not facilitate the fraudulent placement of an overlay over the PIN pad.
    An overlay attack must require an attack potential of at least 18 for identification and initial exploitation, with a minimum of 9 for exploitation. E2.2]
    Systems design, build, and implementation Monitor and Evaluate Occurrences
    Audit all modifications to the application being developed. CC ID 01614 Systems design, build, and implementation Testing
    Assess third parties' compliance environment during due diligence. CC ID 13134 Third Party and supply chain oversight Process or Activity
    Request attestation of compliance from third parties. CC ID 12067 Third Party and supply chain oversight Establish/Maintain Documentation
    Report tampering when tampering indicators are identified in incoming shipments. CC ID 08937 Third Party and supply chain oversight Business Processes
    Report incoming shipment inconsistencies when an incoming shipment inconsistency is identified. CC ID 08940 Third Party and supply chain oversight Behavior
  • IT Impact Zone
    11
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular
    IMPACT ZONE    TYPE
    Audits and risk management CC ID 00677 Audits and risk management IT Impact Zone
    Monitoring and measurement CC ID 00636 Monitoring and measurement IT Impact Zone
    Technical security CC ID 00508 Technical security IT Impact Zone
    Physical and environmental protection CC ID 00709 Physical and environmental protection IT Impact Zone
    Operational and Systems Continuity CC ID 00731 Operational and Systems Continuity IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
    System hardening through configuration management CC ID 00860 System hardening through configuration management IT Impact Zone
    Systems design, build, and implementation CC ID 00989 Systems design, build, and implementation IT Impact Zone
    Acquisition or sale of facilities, technology, and services CC ID 01123 Acquisition or sale of facilities, technology, and services IT Impact Zone
    Privacy protection for information and data CC ID 00008 Privacy protection for information and data IT Impact Zone
    Third Party and supply chain oversight CC ID 08807 Third Party and supply chain oversight IT Impact Zone
  • Preventive
    774
    Establish, implement, and maintain a risk management program. CC ID 12051 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain a risk assessment program. CC ID 00687 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain risk assessment procedures. CC ID 06446 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183
    [The device has undergone a vulnerability assessment to ensure that the protocols and interfaces listed in F1 do not contain exploitable vulnerabilities.
    a) The vulnerability assessment is supported by a documented analysis describing the security of the protocols and interfaces.
    b) The vulnerability assessment is supported by a vulnerability survey of information available in the public domain.
    c) The vulnerability assessment is supported by testing. G2]
    Audits and risk management Establish/Maintain Documentation
    Document organizational risk criteria. CC ID 12277 Audits and risk management Establish/Maintain Documentation
    Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 Audits and risk management Technical Security
    Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 Audits and risk management Audits and Risk Management
    Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 Audits and risk management Audits and Risk Management
    Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 Audits and risk management Establish/Maintain Documentation
    Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 Audits and risk management Audits and Risk Management
    Perform risk assessments for all target environments, as necessary. CC ID 06452
    [The device has undergone a vulnerability assessment to ensure that the protocols and interfaces listed in F1 do not contain exploitable vulnerabilities.
    a) The vulnerability assessment is supported by a documented analysis describing the security of the protocols and interfaces.
    b) The vulnerability assessment is supported by a vulnerability survey of information available in the public domain.
    c) The vulnerability assessment is supported by testing. G2]
    Audits and risk management Testing
    Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 Audits and risk management Establish/Maintain Documentation
    Include physical assets in the scope of the risk assessment. CC ID 13075 Audits and risk management Establish/Maintain Documentation
    Include the results of the risk assessment in the risk assessment report. CC ID 06481 Audits and risk management Establish/Maintain Documentation
    Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 Audits and risk management Audits and Risk Management
    Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 Audits and risk management Audits and Risk Management
    Review the risk to the audit function when the audit personnel status changes. CC ID 01153 Audits and risk management Audits and Risk Management
    Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 Audits and risk management Establish/Maintain Documentation
    Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 Audits and risk management Communicate
    Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 Audits and risk management Communicate
    Establish, implement, and maintain a testing program. CC ID 00654 Monitoring and measurement Behavior
    Establish, implement, and maintain a vulnerability assessment program. CC ID 11636 Monitoring and measurement Establish/Maintain Documentation
    Use dedicated user accounts when conducting vulnerability scans. CC ID 12098 Monitoring and measurement Technical Security
    Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 Monitoring and measurement Establish/Maintain Documentation
    Maintain vulnerability scan reports as organizational records. CC ID 12092 Monitoring and measurement Records Management
    Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 Monitoring and measurement Business Processes
    Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 Monitoring and measurement Testing
    Establish, implement, and maintain an access control program. CC ID 11702 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain an access rights management plan. CC ID 00513 Technical security Establish/Maintain Documentation
    Control access rights to organizational assets. CC ID 00004 Technical security Technical Security
    Establish access rights based on least privilege. CC ID 01411
    [The operating system of the device must contain only the software (components and services) necessary for the intended operation. The operating system must be configured securely and run with least privilege. B18
    The following features of the device’s operating system must be in place:
    - The operating system of the device must contain only the software (components and services) necessary for the intended operation.
    - The operating system must be configured securely and run with least privilege.
    - The security policy enforced by the device must not allow unauthorized or unnecessary functions.
    - API functionality and commands that are not required to support specific functionality must be disabled (and where possible, removed). K21]
    Technical security Technical Security
    Assign user permissions based on job responsibilities. CC ID 00538 Technical security Technical Security
    Assign user privileges after they have management sign off. CC ID 00542 Technical security Technical Security
    Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 Technical security Configuration
    Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts. CC ID 01412
    [The device has characteristics that prevent or significantly deter the use of the device for exhaustive PAN determination. K18]
    Technical security Technical Security
    Configure the lockout procedure to disregard failed logon attempts after the user is authenticated. CC ID 13822 Technical security Configuration
    Disallow unlocking user accounts absent system administrator approval. CC ID 01413 Technical security Technical Security
    Establish, implement, and maintain session lock capabilities. CC ID 01417
    [The device implements session management.
    a) The device keeps track of all connections and restricts the number of sessions that can remain active on the device to the minimum necessary number.
    b) The device sets time limits for sessions and ensures that sessions are not left open for longer than necessary. I6]
    Technical security Configuration
    Limit concurrent sessions according to account type. CC ID 01416
    [The device implements session management.
    a) The device keeps track of all connections and restricts the number of sessions that can remain active on the device to the minimum necessary number.
    b) The device sets time limits for sessions and ensures that sessions are not left open for longer than necessary. I6]
    Technical security Configuration
    Include digital identification procedures in the access control program. CC ID 11841 Technical security Technical Security
    Require proper authentication for user identifiers. CC ID 11785
    [The update mechanism ensures security, i.e., integrity, mutual authentication, and protection against replay, by using an appropriate and declared security protocol when using a network connection. For manual updates, administrator rights must be implemented using password/PINs and/or cryptographic authentication techniques. J4
    Access to sensitive services requires authentication. Sensitive services provide access to the underlying sensitive functions. Sensitive functions are those functions that process sensitive data such as cryptographic keys, account data, and passwords. Entering or exiting sensitive services shall not reveal or otherwise affect sensitive data. K22
    Access to sensitive services requires authentication. Sensitive services provide access to the underlying sensitive functions. Sensitive functions are those functions that process sensitive data such as cryptographic keys, PINs, and passwords. Entering or exiting sensitive services shall not reveal or otherwise affect sensitive data. B7]
    Technical security Technical Security
    Assign authenticators to user accounts. CC ID 06855 Technical security Configuration
    Assign authentication mechanisms for user account authentication. CC ID 06856 Technical security Configuration
    Refrain from allowing individuals to share authentication mechanisms. CC ID 11932 Technical security Technical Security
    Establish and maintain a memorized secret list. CC ID 13791 Technical security Establish/Maintain Documentation
    Limit account credential reuse as a part of digital identification procedures. CC ID 12357 Technical security Configuration
    Refrain from assigning authentication mechanisms for shared accounts. CC ID 11910 Technical security Technical Security
    Use biometric authentication for identification and authentication, as necessary. CC ID 06857 Technical security Establish Roles
    Employ live scans to verify biometric authentication. CC ID 06847 Technical security Technical Security
    Disallow self-enrollment of biometric information. CC ID 11834 Technical security Process or Activity
    Notify a user when an authenticator for a user account is changed. CC ID 13820 Technical security Communicate
    Enforce information flow control. CC ID 11781 Technical security Monitor and Evaluate Occurrences
    Establish, implement, and maintain information flow control configuration standards. CC ID 01924 Technical security Establish/Maintain Documentation
    Require the system to identify and authenticate approved devices before establishing a connection to restricted data. CC ID 01429
    [{POI application} The POI (application) must enforce the correspondence between the display messages visible to the cardholder and the operating state (i.e., secure or non-secure mode) of the PIN entry device, e.g., by using cryptographic authentication.
    If commands impacting the correspondence between the display messages and the operating state of the PIN entry device are received from an external device (e.g., a store controller), the commands enabling data entry must be authenticated.
    The alteration of the correspondence between the display messages visible to the cardholder and the operating state of the PIN entry device cannot occur without requiring an attack potential of at least 18 per POI for identification and initial exploitation with a minimum of 9 for exploitation. E3.4
    {Certificate Authority} The device uses a declared security protocol to authenticate the server.
    a) Server authentication utilizes key sizes appropriate for the algorithm(s) in question.
    b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.
    c) The device is able to verify the validity of the public keys it receives.
    d) The device is able to verify the authenticity of the public keys it receives.
    e) The device’s trusted root certificate store shall contain only public key certificates from trusted CAs or else self-signed certificates verified by the acquirer. I4]
    Technical security Testing
    Maintain a record of the challenge state during identification and authentication in an automated information exchange. CC ID 06629 Technical security Establish/Maintain Documentation
    Constrain the information flow of restricted data or restricted information. CC ID 06763
    [When operating in encrypting mode, the secure controller can only release clear-text account data to authenticated applications executing within the device. K15.1]
    Technical security Data and Information Management
    Restrict access to restricted data and restricted information on a need to know basis. CC ID 12453 Technical security Data and Information Management
    Prohibit restricted data or restricted information from being sent to mobile devices. CC ID 04725 Technical security Data and Information Management
    Prohibit restricted data or restricted information from being copied or moved absent approval of system boundaries for information flow control. CC ID 06310 Technical security Data and Information Management
    Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain information exchange procedures. CC ID 11782 Technical security Establish/Maintain Documentation
    Enable encryption of a protected distribution system if sending restricted data or restricted information. CC ID 01749 Technical security Configuration
    Protect data from unauthorized disclosure while transmitting between separate parts of the system. CC ID 11859
    [All account data is either encrypted immediately upon entry or entered in clear-text into a secure device and processed within the secure controller of the device. K1
    The device protects all account data upon entry (consistent with A9 for magnetic stripe data and D1 for Chip data), and there is no method of accessing the clear-text account data (using methods described in A1) without defeating the security of the device. Defeating or circumventing the security mechanism requires an attack potential of at least 16 for identification and initial exploitation, with a minimum of 8 for exploitation. K1.1
    The logical and physical integration of an approved secure card reader into a PIN entry POI terminal does not create new attack paths to the account data. The account data is protected from the input component to the secure controller of the device—i.e., it is not possible to insert a bug that would disclose sensitive data. K2]
    Technical security Data and Information Management
    Control all methods of remote access and teleworking. CC ID 00559 Technical security Technical Security
    Protect remote access accounts with encryption. CC ID 00562
    [If the device may be accessed remotely for the purposes of administration, all access attempts must be cryptographically authenticated. If the authenticity of the access request cannot be confirmed, the access request is denied. K9]
    Technical security Configuration
    Manage the use of encryption controls and cryptographic controls. CC ID 00570
    [Public keys must be stored and used in a manner that protects against unauthorized modification or substitution. Unauthorized modification or substitution requires an attack potential of at least 26 for identification and initial exploitation with a minimum of 13 for exploitation. K3.1
    {mode of operation} All account data shall be encrypted using only ANSI X9 or ISO-approved encryption algorithms (e.g., AES, TDES) and should use ANSI X9 or ISO-approved modes of operation. K4]
    Technical security Technical Security
    Define the cryptographic module security functions and the cryptographic module operational modes. CC ID 06542 Technical security Establish/Maintain Documentation
    Define the cryptographic boundaries. CC ID 06543 Technical security Establish/Maintain Documentation
    Establish and maintain the documentation requirements for cryptographic modules. CC ID 06544 Technical security Establish/Maintain Documentation
    Establish and maintain the security requirements for cryptographic module ports and cryptographic module interfaces. CC ID 06545 Technical security Establish/Maintain Documentation
    Implement the documented cryptographic module security functions. CC ID 06755 Technical security Data and Information Management
    Establish, implement, and maintain documentation for the delivery and operation of cryptographic modules. CC ID 06547 Technical security Establish/Maintain Documentation
    Document the operation of the cryptographic module. CC ID 06546 Technical security Establish/Maintain Documentation
    Employ only secure versions of cryptographic controls. CC ID 12491 Technical security Technical Security
    Establish, implement, and maintain digital signatures. CC ID 13828 Technical security Data and Information Management
    Include the expiration date in digital signatures. CC ID 13833 Technical security Data and Information Management
    Include audience restrictions in digital signatures. CC ID 13834 Technical security Data and Information Management
    Include the subject in digital signatures. CC ID 13832 Technical security Data and Information Management
    Include the issuer in digital signatures. CC ID 13831 Technical security Data and Information Management
    Include identifiers in the digital signature. CC ID 13829 Technical security Data and Information Management
    Generate and protect a secret random number for each digital signature. CC ID 06577 Technical security Establish/Maintain Documentation
    Establish the security strength requirements for the digital signature process. CC ID 06578
    [The device is able to provide the integrity of data that is sent over a network connection.
    a) Integrity is provided by a MAC as defined in ISO 16609, or by a digital signature.
    b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.
    c) Examples of appropriate algorithms and minimum key sizes are stated in Appendix D of the PCI PTS POI DTRs. I3]
    Technical security Establish/Maintain Documentation
    Establish, implement, and maintain an encryption management and cryptographic controls policy. CC ID 04546 Technical security Establish/Maintain Documentation
    Refrain from allowing the use of cleartext for input or output of restricted data or restricted information. CC ID 04823
    [{refrain from allowing} When operating in encrypting mode, there is no mechanism in the device that would allow the outputting of clear-text account data. Changing between an encrypting and non-encrypting mode of operation requires explicit authentication. K15
    There is no mechanism in the device that would allow the outputting of a private or secret clear-text key or clear-text PIN, the encryption of a key or PIN under a key that might itself be disclosed, or the transfer of a clear-text key from a component of high security into a component of lesser security. B14]
    Technical security Configuration
    Encrypt restricted data or restricted information using the most secure method possible. CC ID 04824
    [PIN protection during transmission between the device encrypting the PIN and the ICC reader (at least two must apply):
    If the device encrypting the PIN and the ICC reader are not integrated into the same secure module, and the cardholder verification method is determined to be:
    - An enciphered PIN, the PIN block shall be enciphered between the device encrypting the PIN and the ICC reader using either an authenticated encipherment key of the IC card, or in accordance with ISO 9564.
    - A plaintext PIN, the PIN block shall be enciphered from the device encrypting the PIN to the ICC reader (the ICC reader will then decipher the PIN for transmission in plaintext to the IC card) in accordance with ISO 9564.
    If the device encrypting the PIN and the ICC reader are integrated into the same secure module, and the cardholder verification method is determined to be:
    - An enciphered PIN, the PIN block shall be enciphered using an authenticated encipherment key of the IC card.
    - A plaintext PIN, then encipherment is not required if the PIN block is transmitted wholly through a protected environment (as defined in ISO 9564). If the plaintext PIN is transmitted to the ICC reader through an unprotected environment, the PIN block shall be enciphered in accordance with ISO 9564. D4
    The device is able to provide the integrity of data that is sent over a network connection.
    a) Integrity is provided by a MAC as defined in ISO 16609, or by a digital signature.
    b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.
    c) Examples of appropriate algorithms and minimum key sizes are stated in Appendix D of the PCI PTS POI DTRs. I3
    {mode of operation} All account data shall be encrypted using only ANSI X9 or ISO-approved encryption algorithms (e.g., AES, TDES) and should use ANSI X9 or ISO-approved modes of operation. K4
    Sensitive data shall not be retained any longer, or used more often, than strictly necessary. Online PINs are encrypted within the device immediately after PIN entry is complete and has been signified as such by the cardholder, e.g., via pressing the enter button.
    The device must automatically clear its internal buffers when either:
    - The transaction is completed, or
    - The device has timed out waiting for the response from the cardholder or merchant. B6]
    Technical security Data and Information Management
    Make key usage for data fields unique for each device. CC ID 04828
    [{secret keys}{private keys} Secret and private keys that reside within the device to support account data encryption are unique per device. K7
    Encryption or decryption of any arbitrary data using any account data-encrypting key or key-encrypting key contained in the device is not permitted.
    The device must enforce that account data keys, key-encipherment keys, and PIN-encryption keys have different values. K8
    It is not possible to encrypt or decrypt any arbitrary data using any PIN-encrypting key or key-encrypting key contained in the device. The device must enforce that data keys, key-encipherment keys, and PIN-encryption keys have different values. B13]
    Technical security Technical Security
    Decrypt restricted data for the minimum time required. CC ID 12308 Technical security Data and Information Management
    Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309 Technical security Data and Information Management
    Accept only trusted keys and/or certificates. CC ID 11988 Technical security Technical Security
    Establish, implement, and maintain cryptographic key creation domain parameter requirements. CC ID 06575
    [The device is able to provide confidentiality of data sent over a network connection.
    a) Encryption mechanism utilizes key sizes appropriate for the algorithm(s) in question.
    b) Encryption is provided by using keys that are established in a secure manner using appropriate key-management procedures, such as those listed in NIST SP800-21, Guidelines for Implementing Cryptography in the Federal Government and ISO 11568 Banking – Key Management (Retail). I2
    {Certificate Authority} The device uses a declared security protocol to authenticate the server.
    a) Server authentication utilizes key sizes appropriate for the algorithm(s) in question.
    b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.
    c) The device is able to verify the validity of the public keys it receives.
    d) The device is able to verify the authenticity of the public keys it receives.
    e) The device’s trusted root certificate store shall contain only public key certificates from trusted CAs or else self-signed certificates verified by the acquirer. I4
    If using a hash function to generate surrogate PAN values, input to the hash function must use a salt with minimum length of 64 bits. K16.1]
    Technical security Data and Information Management
    Define the asymmetric signature field for the CHUID container on identification cards or badges. CC ID 06584 Technical security Process or Activity
    Implement cryptographic operations and support functions on identification cards or badges. CC ID 06585 Technical security Process or Activity
    Define the format of the biometric data on identification cards or badges. CC ID 06586 Technical security Process or Activity
    Provide guidance to customers on how to securely transmit, store, and update cryptographic keys. CC ID 12040
    [The device has guidance for key management describing how keys and certificates must be used.
      a) The key-management guidance is at the disposal of internal users and/or of application developers, system integrators, and end-users of the device.
      b) Key-management security guidance describes the properties of all keys and certificates that can be used by the device.
      c) Key-management security guidance describes the responsibilities of the device vendor, application developers, system integrators, and end-users of the device.
      d) Key-management security guidance ensures secure use of keys and certificates. H3]
    Technical security Establish/Maintain Documentation
    Establish, implement, and maintain cryptographic key management procedures. CC ID 00571
    [The device has guidance for key management describing how keys and certificates must be used.
      a) The key-management guidance is at the disposal of internal users and/or of application developers, system integrators, and end-users of the device.
      b) Key-management security guidance describes the properties of all keys and certificates that can be used by the device.
      c) Key-management security guidance describes the responsibilities of the device vendor, application developers, system integrators, and end-users of the device.
      d) Key-management security guidance ensures secure use of keys and certificates. H3
    The device is able to provide confidentiality of data sent over a network connection.
      a) Encryption mechanism utilizes key sizes appropriate for the algorithm(s) in question.
      b) Encryption is provided by using keys that are established in a secure manner using appropriate key-management procedures, such as those listed in NIST SP800-21, Guidelines for Implementing Cryptography in the Federal Government and ISO 11568 Banking – Key Management (Retail). I2
    {turnkey system} The vendor must provide a defined and documented process containing specific details on how any signing mechanisms must be implemented. This must include any “turnkey” systems required for compliance with the management of display prompts, or any mechanisms used for authenticating any application code. This must ensure:
      - The signing process is performed under dual control.
      - All executable files are signed.
      - Software is only signed using a secure cryptographic device provided by the terminal vendor. B4.2]
    Technical security Establish/Maintain Documentation
    Disseminate and communicate cryptographic key management procedures to interested personnel and affected parties. CC ID 13164 Technical security Communicate
    Bind keys to each identity. CC ID 12337 Technical security Technical Security
    Include recommended cryptographic key management procedures for cloud service providers in the cryptographic key management procedures. CC ID 13152 Technical security Establish/Maintain Documentation
    Include requesting cryptographic key types in the cryptographic key management procedures. CC ID 13151 Technical security Establish/Maintain Documentation
    Recover encrypted data for lost cryptographic keys, compromised cryptographic keys, or damaged cryptographic keys. CC ID 01301 Technical security Data and Information Management
    Generate strong cryptographic keys. CC ID 01299 Technical security Data and Information Management
    Generate unique cryptographic keys for each user. CC ID 12169 Technical security Technical Security
    Use approved random number generators for creating cryptographic keys. CC ID 06574 Technical security Data and Information Management
    Implement decryption keys so that they are not linked to user accounts. CC ID 06851 Technical security Technical Security
    Include the establishment of cryptographic keys in the cryptographic key management procedures. CC ID 06540
    [{determine}{reside}{penetrate} Determination of any PIN-security-related cryptographic key resident in the device, by penetration of the device and/or by monitoring emanations from the device (including power fluctuations), requires an attack potential of at least 35 for identification and initial exploitation with a minimum of 15 for exploitation. A6
    The device has guidance for key management describing how keys and certificates must be used.
      a) The key-management guidance is at the disposal of internal users and/or of application developers, system integrators, and end-users of the device.
      b) Key-management security guidance describes the properties of all keys and certificates that can be used by the device.
      c) Key-management security guidance describes the responsibilities of the device vendor, application developers, system integrators, and end-users of the device.
      d) Key-management security guidance ensures secure use of keys and certificates. H3
    {Certificate Authority} The device uses a declared security protocol to authenticate the server.
      a) Server authentication utilizes key sizes appropriate for the algorithm(s) in question.
      b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.
      c) The device is able to verify the validity of the public keys it receives.
      d) The device is able to verify the authenticity of the public keys it receives.
      e) The device’s trusted root certificate store shall contain only public key certificates from trusted CA's or else self-signed certificates verified by the acquirer. I4]
    Technical security Establish/Maintain Documentation
    Disseminate and communicate cryptographic keys securely. CC ID 01300
    [If remote key distribution is used, the device supports mutual authentication between the sending key-distribution host and receiving device. K5]
    Technical security Data and Information Management
    Control the input and output of cryptographic keys from a cryptographic module. CC ID 06541 Technical security Data and Information Management
    Store cryptographic keys securely. CC ID 01298
    [If the device can hold multiple PIN-encryption keys and if the key to be used to encrypt the PIN can be externally selected, the device prohibits unauthorized key replacement and key misuse. C1
    Determination of any cryptographic keys used for account-data encryption, by penetration of the device and/or by monitoring emanations from the device (including power fluctuations), requires an attack potential of at least 26 for identification and initial exploitation with a minimum of 13 for exploitation. K3
    Public keys must be stored and used in a manner that protects against unauthorized modification or substitution. Unauthorized modification or substitution requires an attack potential of at least 26 for identification and initial exploitation with a minimum of 13 for exploitation. K3.1]
    Technical security Data and Information Management
    Restrict access to cryptographic keys. CC ID 01297 Technical security Data and Information Management
    Store cryptographic keys in encrypted format. CC ID 06084
    [If using a hash function to generate surrogate PAN values, the salt is kept secret and appropriately protected. Disclosure of the salt cannot occur without requiring an attack potential of at least 16 per device for identification and initial exploitation with a minimum of 8 for exploitation. K16.2]
    Technical security Data and Information Management
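    K16.1 (above, under CC ID 06575) and K16.2 together require that a hash used to produce surrogate PAN values be fed a salt of at least 64 bits and that the salt be kept secret. The reason is the tiny input space: a 16-digit PAN whose 6- or 8-digit IIN is known and whose last four digits are printed on receipts leaves at most a million candidates, and the Luhn check digit discards nine tenths of those, so an unsalted hash is reversed by simple enumeration. The Python below is an added example, not text or code from the PCI standard or from any vendor's device. It implements the secret salt as the key of HMAC-SHA256 (one construction that satisfies the requirement, chosen here as an assumption; PCI does not mandate a particular construction), and it uses the published Visa test number 4012888888881881 as a constructed input, not a real account.

```python
import hashlib
import hmac
import secrets

MIN_SALT_BITS = 64  # PCI PTS POI K16.1: salt of at least 64 bits
PAN_LENGTH = 16     # most common PAN length; recover_pan() parametrizes it


def luhn_check_digit(body: str) -> str:
    """Check digit that makes body + digit pass the Luhn test (ISO/IEC 7812-1)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:                 # double every second digit, starting at the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def is_luhn_valid(pan: str) -> bool:
    return pan.isdigit() and len(pan) > 1 and luhn_check_digit(pan[:-1]) == pan[-1]


def unsalted_surrogate(pan: str) -> str:
    """What K16.1 rules out: a bare hash of the PAN, reversible by enumeration."""
    return hashlib.sha256(pan.encode("ascii")).hexdigest()


def salted_surrogate(pan: str, salt: bytes) -> str:
    """Keyed hash; the secret salt is the HMAC key (example construction, not PCI-mandated)."""
    if len(salt) * 8 < MIN_SALT_BITS:
        raise ValueError(f"salt must be at least {MIN_SALT_BITS} bits (K16.1)")
    return hmac.new(salt, pan.encode("ascii"), hashlib.sha256).hexdigest()


def new_salt(n_bytes: int = 16) -> bytes:
    """128-bit salt from the OS CSPRNG; K16.2 requires it to live in protected memory."""
    return secrets.token_bytes(n_bytes)


def recover_pan(target: str, known_prefix: str, known_suffix: str, surrogate_fn,
                pan_length: int = PAN_LENGTH):
    """Attacker's view: enumerate every Luhn-valid PAN with the known prefix (IIN)
    and suffix (receipt digits) and compare its surrogate with the stolen token."""
    unknown = pan_length - len(known_prefix) - len(known_suffix)
    for n in range(10 ** unknown):
        pan = f"{known_prefix}{n:0{unknown}d}{known_suffix}"
        if is_luhn_valid(pan) and surrogate_fn(pan) == target:
            return pan
    return None


if __name__ == "__main__":
    pan = "4012888888881881"                  # published test card number (constructed input)
    iin, last4 = pan[:8], pan[-4:]            # what a receipt plus the public IIN table reveal

    token = unsalted_surrogate(pan)
    print("unsalted token recovered as:", recover_pan(token, iin, last4, unsalted_surrogate))

    salt = new_salt()
    token = salted_surrogate(pan, salt)
    # Without the salt the attacker must also search the 2**128 salt space.
    print("salted token, unsalted guess:", recover_pan(token, iin, last4, unsalted_surrogate))
    # K16.2 is what keeps this line from succeeding in practice: knowing the salt restores the attack.
    print("salted token, salt known:  ",
          recover_pan(token, iin, last4, lambda p: salted_surrogate(p, salt)))
```

    The enumeration in recover_pan() is the attack that K16.1 is written against; the `salt known` line shows why K16.2 (salt secrecy, with its own attack-potential threshold) is inseparable from K16.1, since a disclosed salt reduces the keyed hash to the unsalted case.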
    Store key-encrypting keys and data-encrypting keys in different locations. CC ID 06085 Technical security Technical Security
    Include offsite backups of cryptographic keys in the cryptographic key management procedures. CC ID 13127 Technical security Establish/Maintain Documentation
    Change cryptographic keys, as necessary. CC ID 01302 Technical security Data and Information Management
    Destroy cryptographic keys promptly after the retention period. CC ID 01303 Technical security Data and Information Management
    Control cryptographic keys with split knowledge and dual control. CC ID 01304
    [{turnkey system} The vendor must provide a defined and documented process containing specific details on how any signing mechanisms must be implemented. This must include any “turnkey” systems required for compliance with the management of display prompts, or any mechanisms used for authenticating any application code. This must ensure:
      - The signing process is performed under dual control.
      - All executable files are signed.
      - Software is only signed using a secure cryptographic device provided by the terminal vendor. B4.2]
    Technical security Data and Information Management
    Prevent the unauthorized substitution of cryptographic keys. CC ID 01305 Technical security Data and Information Management
    Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys. CC ID 06852 Technical security Technical Security
    Archive outdated cryptographic keys. CC ID 06884 Technical security Data and Information Management
    Archive revoked cryptographic keys. CC ID 11819 Technical security Data and Information Management
    Require key custodians to sign the cryptographic key management policy. CC ID 01308 Technical security Establish/Maintain Documentation
    Require key custodians to sign the key custodian's roles and responsibilities. CC ID 11820 Technical security Human Resources Management
    Manage the digital signature cryptographic key pair. CC ID 06576 Technical security Data and Information Management
    Establish, implement, and maintain requirements for Personal Identity Verification authentication certificates. CC ID 06587 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain Public Key certificate application procedures. CC ID 07079 Technical security Establish/Maintain Documentation
    Include the Identification and Authentication of individuals or entities in the Public Key certificate application procedures. CC ID 07080 Technical security Establish/Maintain Documentation
    Include approving or rejecting Public Key certificate applications in the Public Key certificate application procedure. CC ID 07081 Technical security Establish/Maintain Documentation
    Include revocation of Public Key certificates in the Public Key certificate procedures. CC ID 07082 Technical security Establish/Maintain Documentation
    Publish revoked Public Key certificates in the Certificate Revocation List. CC ID 07089 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain Public Key renewal or rekeying request procedures. CC ID 07083 Technical security Establish/Maintain Documentation
    Include identification and authentication in Public Key renewal or rekeying request procedures. CC ID 11816 Technical security Establish/Maintain Documentation
    Issue authentication mechanisms that support the Public Key Infrastructure. CC ID 07092 Technical security Technical Security
    Establish a Root Certification Authority to support the Public Key Infrastructure. CC ID 07084
    [{Certificate Authority} The device uses a declared security protocol to authenticate the server.
      a) Server authentication utilizes key sizes appropriate for the algorithm(s) in question.
      b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.
      c) The device is able to verify the validity of the public keys it receives.
      d) The device is able to verify the authenticity of the public keys it receives.
      e) The device’s trusted root certificate store shall contain only public key certificates from trusted CA's or else self-signed certificates verified by the acquirer. I4]
    Technical security Technical Security
    Establish, implement, and maintain Public Key certificate procedures. CC ID 07085
    [{Certificate Authority} The device uses a declared security protocol to authenticate the server.
      a) Server authentication utilizes key sizes appropriate for the algorithm(s) in question.
      b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.
      c) The device is able to verify the validity of the public keys it receives.
      d) The device is able to verify the authenticity of the public keys it receives.
      e) The device’s trusted root certificate store shall contain only public key certificates from trusted CA's or else self-signed certificates verified by the acquirer. I4]
    Technical security Establish/Maintain Documentation
    Include signing and issuing Public Key certificates in the Public Key certificate procedures. CC ID 11817
    [{Certificate Authority} The device uses a declared security protocol to authenticate the server.
      a) Server authentication utilizes key sizes appropriate for the algorithm(s) in question.
      b) Hashing can be provided by at least one of the following algorithms: SHA-224, SHA-256, SHA-384, and SHA-512.
      c) The device is able to verify the validity of the public keys it receives.
      d) The device is able to verify the authenticity of the public keys it receives.
      e) The device’s trusted root certificate store shall contain only public key certificates from trusted CA's or else self-signed certificates verified by the acquirer. I4]
    Technical security Establish/Maintain Documentation
    Include publishing Public Key certificates in the Public Key certificate procedures. CC ID 07087 Technical security Establish/Maintain Documentation
    Include access to issued Public Key certificates in the Public Key certificate procedures. CC ID 07086 Technical security Establish/Maintain Documentation
    Connect the Public Key Infrastructure to the organization's identity and access management system. CC ID 07091 Technical security Technical Security
    Archive Public Key certificate records according to organizational Records Management rules. CC ID 07090 Technical security Records Management
    Refrain from storing encryption keys with cloud service providers when cryptographic key management services are in place locally. CC ID 13153 Technical security Technical Security
    Refrain from permitting cloud service providers to manage encryption keys when cryptographic key management services are in place locally. CC ID 13154 Technical security Technical Security
    Use strong data encryption to transmit restricted data or restricted information over public networks. CC ID 00564
    [The device is able to provide confidentiality of data sent over a network connection.
      a) Encryption mechanism utilizes key sizes appropriate for the algorithm(s) in question.
      b) Encryption is provided by using keys that are established in a secure manner using appropriate key-management procedures, such as those listed in NIST SP800-21, Guidelines for Implementing Cryptography in the Federal Government and ISO 11568 Banking – Key Management (Retail). I2]
    Technical security Technical Security
    Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls. CC ID 12492 Technical security Technical Security
    Encrypt traffic over public networks with trusted cryptographic keys. CC ID 12490 Technical security Technical Security
    Authorize transactions of data transmitted over public networks or shared data networks. CC ID 00566 Technical security Establish/Maintain Documentation
    Treat data messages that do not receive an acknowledgment as never having been sent. CC ID 14416 Technical security Technical Security
    Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks. CC ID 00568 Technical security Technical Security
    Protect application services information transmitted over a public network from unauthorized modification. CC ID 12021 Technical security Technical Security
    Protect application services information transmitted over a public network from unauthorized disclosure. CC ID 12020 Technical security Technical Security
    Protect application services information transmitted over a public network from contract disputes. CC ID 12019 Technical security Technical Security
    Protect application services information transmitted over a public network from fraudulent activity. CC ID 12018 Technical security Technical Security
    Establish, implement, and maintain a malicious code protection program. CC ID 00574 Technical security Establish/Maintain Documentation
    Protect the system against replay attacks. CC ID 04552
    [The device is able to detect replay of messages and enables the secure handling of the exceptions. I5]
    Technical security Technical Security
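    I5 requires the device to detect replayed messages and to handle the resulting exception securely. The following Python is an added example, not code or text from the PCI document or from any vendor's terminal: a receive-side sliding anti-replay window of the kind IPsec ESP uses (RFC 4303, section 3.4.3), with a 64-bit sequence number bound to the payload by an HMAC-SHA256 tag. The message layout (sequence number, payload, tag), the shared key and the 64-slot default window are assumptions of the example. Two properties matter for I5: the tag is verified before the sequence number is consulted, so a forged counter cannot advance the window, and a rejected message leaves the receiver's state unchanged and its payload unused.

```python
import hashlib
import hmac
import struct

SEQ_LEN = 8    # 64-bit big-endian sequence number (assumed message format)
TAG_LEN = 32   # HMAC-SHA256 tag appended to every message (assumed message format)


class AuthError(Exception):
    """Integrity check failed; nothing in the message may be trusted."""


class ReplayError(Exception):
    """Authentic message, but its sequence number was already used or is too old."""


def build_message(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: seq || payload || HMAC(key, seq || payload). seq starts at 1."""
    if not 1 <= seq < 2 ** 64:
        raise ValueError("sequence number out of range")
    body = struct.pack(">Q", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class ReplayWindow:
    """Receiver state: highest accepted sequence number plus a bitmap over the
    window_size most recent numbers (bit i set means highest - i was accepted)."""

    def __init__(self, key: bytes, window_size: int = 64):
        self.key = key
        self.size = window_size
        self.highest = 0
        self.bitmap = 0

    def receive(self, msg: bytes) -> bytes:
        if len(msg) < SEQ_LEN + TAG_LEN:
            raise AuthError("truncated message")
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        # Authenticate first: only genuine messages may touch the replay state.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise AuthError("bad MAC")
        (seq,) = struct.unpack(">Q", body[:SEQ_LEN])
        payload = body[SEQ_LEN:]
        if seq == 0:
            raise ReplayError("sequence number 0 is reserved")
        if seq > self.highest:
            # New high-water mark: slide the window forward and mark the new slot.
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return payload
        offset = self.highest - seq
        if offset >= self.size:
            raise ReplayError("sequence number older than the window")
        if (self.bitmap >> offset) & 1:
            raise ReplayError("duplicate sequence number")
        self.bitmap |= 1 << offset          # late but first-seen: accept once
        return payload


def handle(rx: ReplayWindow, msg: bytes) -> str:
    """Secure exception handling: classify the outcome; never act on a rejected payload."""
    try:
        rx.receive(msg)
        return "accepted"
    except AuthError:
        return "rejected-auth"
    except ReplayError:
        return "rejected-replay"


if __name__ == "__main__":
    key = b"\x01" * 32                      # constructed shared key for the demo
    rx = ReplayWindow(key, window_size=8)
    msgs = {i: build_message(key, i, b"txn-%d" % i) for i in (1, 2, 3, 20)}
    for seq in (1, 3, 2, 2, 20, 3):         # 2 arrives late, then is replayed; 3 is replayed after the window moved
        print(seq, handle(rx, msgs[seq]))
    forged = bytearray(build_message(key, 21, b"txn-21"))
    forged[SEQ_LEN] ^= 0x01                 # flip one payload bit, keep the old tag
    print("forged", handle(rx, bytes(forged)), "highest still", rx.highest)
```

    The window makes the scheme tolerant of reordering on a lossy link (a late message inside the window is accepted exactly once) while still rejecting exact replays and anything older than the window; the `handle` wrapper is where a POI implementation would raise the I5 exception path (alert, drop, optionally tear down the session) without ever passing the replayed payload to the application.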
    Establish, implement, and maintain a physical security program. CC ID 11757 Physical and environmental protection Establish/Maintain Documentation
    Disallow disabling tamper detection and response mechanisms, absent authorization. CC ID 12211
    [The device protects all account data upon entry (consistent with A9 for magnetic stripe data and D1 for Chip data), and there is no method of accessing the clear-text account data (using methods described in A1) without defeating the security of the device. Defeating or circumventing the security mechanism requires an attack potential of at least 16 for identification and initial exploitation, with a minimum of 8 for exploitation. K1.1
    {tamper response} The device uses tamper-detection and response mechanisms that cause it to become immediately inoperable and result in the automatic and immediate erasure of any sensitive data that may be stored in the device, such that it becomes infeasible to recover the sensitive data. These mechanisms protect against physical penetration of the device by means of (but not limited to) drills, lasers, chemical solvents, opening covers, splitting the casing (seams), and using ventilation openings; and there is not any demonstrable way to disable or defeat the mechanism and insert a PIN-disclosing bug or gain access to secret information without requiring an attack potential of at least 26 per device for identification and initial exploitation, with a minimum of 13 for exploitation, exclusive of the IC card reader. A1]
    Physical and environmental protection Configuration
    Prevent security mechanisms from being compromised by adverse physical conditions. CC ID 12215
    [The security of the device is not compromised by altering:
      - Environmental conditions
      - Operational conditions A3]
    Physical and environmental protection Configuration
    Protect assets from tampering or unapproved substitution. CC ID 11902
    [The unauthorized alteration of prompts for non-PIN data entry into the PIN entry key pad such that PINs are compromised, i.e., by prompting for the PIN entry when the output is not encrypted, cannot occur without requiring an attack potential of at least 18 per device for identification and initial exploitation with a minimum of 9 for exploitation. A7
    It is not feasible to penetrate the device to make any additions, substitutions, or modifications to the magnetic-stripe reader and associated hardware or software, in order to determine or modify magnetic-stripe track data, without requiring an attack potential of at least 16 per device, for identification and initial exploitation, with a minimum of 8 for exploitation. A9
    Secure components intended for unattended devices