Payment Card Industry (PCI) Card Production, Logical Security Requirements, Version 1.1



AD ID

0002774

AD STATUS

Payment Card Industry (PCI) Card Production, Logical Security Requirements, Version 1.1

ORIGINATOR

PCI Security Standards Council

TYPE

Contractual Obligation

AVAILABILITY

Free

SYNONYMS

PCI Card Production Logical Security Requirements 1.1

Payment Card Industry (PCI) Card Production, Logical Security Requirements

EFFECTIVE

2015-03-01

ADDED


Important Notice

This Authority Document In Depth Report is copyrighted - © 2019 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.

This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.

This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.

The process we used to tag and map this document

This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.

Controls and associated Citations breakdown

When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, because those Citations and mandates are tied to Common Controls, three sets of metadata are associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.

The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:

Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.

Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within Payment Card Industry (PCI) Card Production, Logical Security Requirements, Version 1.1 that has been tagged with its primary and secondary nouns and primary and secondary verbs, in three-column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives the Common Control itself.

Dictionary Terms – The dictionary terms listed for Payment Card Industry (PCI) Card Production, Logical Security Requirements, Version 1.1 are based upon terms found within the Authority Document’s defined terms section (which most legal documents have), its glossary, and, for the most part, as tagged within each mandate. The terms with links are the standardized versions of the terms.



Common Controls and mandates by Impact Zone
96 Mandated Controls - bold
112 Implied Controls - italic
106 Implementation Controls - regular

An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.


The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.

Number of Controls: 314 Total
  • Human Resources management
    14
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Human Resources management CC ID 00763 IT Impact Zone IT Impact Zone
    Establish and maintain high level operational roles and responsibilities. CC ID 00806 Establish Roles Preventive
    Define and assign the head of Information Security's roles and responsibilities. CC ID 06091
    [The vendor must designate, in writing, a senior manager with adequate security knowledge to be responsible for the vendor’s Information Security Management. These requirements refer to this person as the “Chief Information Security Officer” (“CISO”). § 2.1 a)]
    Establish Roles Preventive
    Designate an alternate for each organizational leader. CC ID 12053
    [The CISO must Designate a back-up person who is qualified and empowered to act upon critical security events in the event the CISO is not available. § 2.2 a) iv.]
    Human Resources Management Preventive
    Limit the activities performed as a proxy to an organizational leader. CC ID 12054 Behavior Preventive
    Define and assign the business unit manager's roles and responsibilities. CC ID 00810
    [Where managers have security compliance responsibilities, the activities for which the manager has responsibility must be clearly defined. § 2.2 c)]
    Establish Roles Preventive
    Establish and maintain an ethics program. CC ID 11496 Human Resources Management Preventive
    Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806 Business Processes Preventive
    Establish and maintain a training program for interested personnel to report compliance violations. CC ID 11835
    [The vendor must Ensure staff report any unexpected or unusual activity relating to production equipment and operations. § 3.3 ¶ 1 b)]
    Establish/Maintain Documentation Preventive
    Refrain from assigning roles and responsibilities that breach segregation of duties. CC ID 12055 Human Resources Management Preventive
    Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs. CC ID 12061
    [Staff responsible for day-to-day production activities must not be assigned security compliance assessment responsibility for the production activities that they perform. § 2.2 d)]
    Establish Roles Preventive
    Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer. CC ID 12060
    [When the CISO backup is functioning on behalf of the CISO, the backup must not perform activities for which they have approval responsibility and must not approve activities which they previously performed. § 2.2 b)]
    Behavior Preventive
    Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer. CC ID 12059
    [When the CISO backup is functioning on behalf of the CISO, the backup must not perform activities for which they have approval responsibility and must not approve activities which they previously performed. § 2.2 b)]
    Behavior Preventive
    Prohibit roles from performing activities that they are assigned the responsibility for approving. CC ID 12052
    [The CISO must Not perform activities that they have the responsibility for approving. § 2.2 a) iii.]
    Behavior Preventive
  • Leadership and high level objectives
    6
    Leadership and high level objectives CC ID 00597 IT Impact Zone IT Impact Zone
    Establish and maintain a strategic plan. CC ID 12784 Establish/Maintain Documentation Preventive
    Establish and maintain a high-level Strategic Information Technology Plan. CC ID 00628 Establish/Maintain Documentation Preventive
    Include the Information Governance Plan in the Strategic Information Technology Plan. CC ID 10053 Establish/Maintain Documentation Preventive
    Assign accountability for the Information Governance Plan to senior management. CC ID 10054
    [The CISO must Be responsible for compliance to these requirements. § 2.2 a) i.]
    Human Resources Management Preventive
    Assign responsibility for enforcing the requirements of the Information Governance Plan to senior management. CC ID 12058
    [The CISO must Have sufficient authority to enforce the requirements of this document. § 2.2 a) ii.]
    Human Resources Management Preventive
  • Monitoring and measurement
    14
    Monitoring and measurement CC ID 00636 IT Impact Zone IT Impact Zone
    Establish and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a storage media inventory. CC ID 00694 Establish/Maintain Documentation Preventive
    Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962
    [All removable media must be securely stored, controlled, and tracked. § 4.6 b)]
    Establish/Maintain Documentation Detective
    Establish and maintain testing programs, as necessary. CC ID 00654 Behavior Preventive
    Implement and comply with the security test program. CC ID 11870 Testing Detective
    Establish and maintain a vulnerability assessment program. CC ID 11636 Establish/Maintain Documentation Preventive
    Perform vulnerability scans, as necessary. CC ID 11637 Technical Security Detective
    Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638
    [The vendor must Perform quarterly external network vulnerability scans using an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). § 5.8.1 ¶ 1 a)]
    Technical Security Detective
    Establish and maintain a compliance monitoring policy. CC ID 00671 Establish/Maintain Documentation Preventive
    Establish and maintain a metrics policy. CC ID 01654 Establish/Maintain Documentation Preventive
    Establish and maintain an information risk threshold metrics program. CC ID 01694 Establish/Maintain Documentation Preventive
    Report on the percentage of critical assets and functions for which the cost of compromise has been quantified. CC ID 02041
    [The CISO must, on a monthly basis, report to executive management the current status of security compliance and issues that pose potential risks to the organization. § 2.1 c)]
    Actionable Reports or Measurements Detective
    Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary. CC ID 00676
    [The CISO must, on a monthly basis, report to executive management the current status of security compliance and issues that pose potential risks to the organization. § 2.1 c)]
    Actionable Reports or Measurements Corrective
  • Operational management
    78
    Operational management CC ID 00805 IT Impact Zone IT Impact Zone
    Establish and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Establish/Maintain Documentation Preventive
    Establish and maintain an information security program. CC ID 00812 Establish/Maintain Documentation Preventive
    Establish and maintain an information security policy. CC ID 11740
    [The vendor must define and document an information security policy (ISP) for the facility. § 3.1 a)]
    Establish/Maintain Documentation Preventive
    Align the information security policy with the organization's risk acceptance level. CC ID 13042 Business Processes Preventive
    Include a commitment to the information security requirements in the information security policy. CC ID 13496 Establish/Maintain Documentation Preventive
    Include information security objectives in the information security policy. CC ID 13493 Establish/Maintain Documentation Preventive
    Include the use of Cloud Services in the information security policy. CC ID 13146 Establish/Maintain Documentation Preventive
    Review and update the information security policy, as necessary. CC ID 11741 Establish/Maintain Documentation Corrective
    Review the information security procedures, as necessary. CC ID 12006
    [The security procedures must be reviewed, validated, and where necessary updated annually. § 3.2 b)
    The vendor must maintain procedures for each function associated with the ISP to support compliance with these requirements. § 3.2 a)]
    Business Processes Preventive
    Approve the information security policy at the organization's management level or higher. CC ID 11737
    [Senior management must review and endorse the validity of the ISP at least once each year. § 3.1 b)]
    Process or Activity Preventive
    Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304
    [Security procedures must describe the groups, roles, and responsibilities for all activities that protect cardholder data. § 3.2 c)]
    Establish/Maintain Documentation Preventive
    Describe the group activities that protect restricted data in the information security procedures. CC ID 12294
    [Security procedures must describe the groups, roles, and responsibilities for all activities that protect cardholder data. § 3.2 c)]
    Establish/Maintain Documentation Preventive
    Assign ownership of the information security program to the appropriate role. CC ID 00814
    [The ISP must include a named individual assigned as the “policy owner” and be responsible for management and enforcement of that policy. § 3.1 c)]
    Establish Roles Preventive
    Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 Human Resources Management Preventive
    Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 Establish/Maintain Documentation Preventive
    Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 Human Resources Management Preventive
    Establish and maintain a customer service program. CC ID 00846 Establish/Maintain Documentation Preventive
    Establish and maintain an Incident Management program. CC ID 00853 Business Processes Preventive
    Include intrusion detection procedures in the Incident Management program. CC ID 00588 Establish/Maintain Documentation Preventive
    Contain the incident to prevent further loss and preserve the system for forensic analysis. CC ID 01751 Process or Activity Corrective
    Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754
    [The vendor must Identify and preserve specific logs, documents, equipment, and other relevant items that provide evidence for forensic analysis. § 3.3 ¶ 1 f)]
    Log Management Corrective
    Assess all security incidents to determine what information was accessed. CC ID 01226
    [The vendor must Investigate the incident and provide at least weekly updates about investigation progress. § 3.3 ¶ 1 d)]
    Testing Corrective
    Check the precursors and indicators when assessing the security incidents. CC ID 01761 Monitor and Evaluate Occurrences Corrective
    Share incident information with interested personnel and affected parties. CC ID 01212
    [Within 24 hours, report in writing any known or suspected compromise of confidential or secret data to the Vendor Program Administrator (VPA) and the impacted issuers. Confirmed incidences must be reported to appropriate law enforcement agencies upon confirmation. § 3.3 ¶ 1 c)]
    Data and Information Management Corrective
    Share data loss event information with the media. CC ID 01759 Behavior Corrective
    Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 Data and Information Management Preventive
    Share data loss event information with interconnected system owners. CC ID 01209 Establish/Maintain Documentation Corrective
    Report data loss event information to breach notification organizations. CC ID 01210
    [Within 24 hours, report in writing any known or suspected compromise of confidential or secret data to the Vendor Program Administrator (VPA) and the impacted issuers. Confirmed incidences must be reported to appropriate law enforcement agencies upon confirmation. § 3.3 ¶ 1 c)]
    Data and Information Management Corrective
    Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 Log Management Detective
    Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 Behavior Corrective
    Include data loss event notifications in the Incident Response program. CC ID 00364 Establish/Maintain Documentation Preventive
    Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 Behavior Corrective
    Include information required by law in incident response notifications. CC ID 00802 Establish/Maintain Documentation Detective
    Include details of the investigation in incident response notifications. CC ID 12296
    [The written communication must contain information regarding the loss or theft including but not limited to the following information Description of the incident including: - Date and time of incident - Details of companies and persons involved - Details of the investigation - Name, e-mail, and telephone number of the person reporting the loss or theft - Name, e-mail, and telephone number of the person to contact for additional information (if different from the person reporting the incident) § 3.3 ¶ 1 c) ¶ 2 v.]
    Establish/Maintain Documentation Preventive
    Include the issuer's name in incident response notifications. CC ID 12062
    [The written communication must contain information regarding the loss or theft including but not limited to the following information Name of issuer § 3.3 ¶ 1 c) ¶ 2 i.]
    Establish/Maintain Documentation Preventive
    Include a "What Happened" heading in breach notifications. CC ID 12978 Establish/Maintain Documentation Preventive
    Include the date (or estimated date) the privacy breach was detected in incident response notifications. CC ID 04745
    [The written communication must contain information regarding the loss or theft including but not limited to the following information Description of the incident including: - Date and time of incident - Details of companies and persons involved - Details of the investigation - Name, e-mail, and telephone number of the person reporting the loss or theft - Name, e-mail, and telephone number of the person to contact for additional information (if different from the person reporting the incident) § 3.3 ¶ 1 c) ¶ 2 v.]
    Establish/Maintain Documentation Preventive
    Include the identification of the data source in incident response notifications. CC ID 12305
    [The written communication must contain information regarding the loss or theft including but not limited to the following information Identification of the source of the data § 3.3 ¶ 1 c) ¶ 2 iv.]
    Establish/Maintain Documentation Preventive
    Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 Establish/Maintain Documentation Preventive
    Include the type of information that was lost in incident response notifications. CC ID 04735
    [The written communication must contain information regarding the loss or theft including but not limited to the following information Type of data § 3.3 ¶ 1 c) ¶ 2 ii.]
    Establish/Maintain Documentation Preventive
    Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 Establish/Maintain Documentation Preventive
    Include a "For More Information" heading in breach notifications. CC ID 12981 Establish/Maintain Documentation Preventive
    Include details of the companies and persons involved in incident response notifications. CC ID 12295
    [The written communication must contain information regarding the loss or theft including but not limited to the following information Description of the incident including: - Date and time of incident - Details of companies and persons involved - Details of the investigation - Name, e-mail, and telephone number of the person reporting the loss or theft - Name, e-mail, and telephone number of the person to contact for additional information (if different from the person reporting the incident) § 3.3 ¶ 1 c) ¶ 2 v.]
    Establish/Maintain Documentation Preventive
    Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 Establish/Maintain Documentation Preventive
    Include the reporting individual's contact information in incident response notifications. CC ID 12297
    [The written communication must contain information regarding the loss or theft including but not limited to the following information Description of the incident including: - Date and time of incident - Details of companies and persons involved - Details of the investigation - Name, e-mail, and telephone number of the person reporting the loss or theft - Name, e-mail, and telephone number of the person to contact for additional information (if different from the person reporting the incident) § 3.3 ¶ 1 c) ¶ 2 v.]
    Establish/Maintain Documentation Preventive
    Include contact information in incident response notifications. CC ID 04739
    [The written communication must contain information regarding the loss or theft including but not limited to the following information Name and address of the vendor § 3.3 ¶ 1 c) ¶ 2 iii.
    The written communication must contain information regarding the loss or theft including but not limited to the following information Description of the incident including: - Date and time of incident - Details of companies and persons involved - Details of the investigation - Name, e-mail, and telephone number of the person reporting the loss or theft - Name, e-mail, and telephone number of the person to contact for additional information (if different from the person reporting the incident) § 3.3 ¶ 1 c) ¶ 2 v.]
    Establish/Maintain Documentation Preventive
    Analyze security violations in Suspicious Activity Reports. CC ID 00591 Establish/Maintain Documentation Preventive
    Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298
    [The vendor must Investigate the incident and provide at least weekly updates about investigation progress. § 3.3 ¶ 1 d)]
    Investigate Preventive
    Establish and maintain an Incident Response program. CC ID 00579 Establish/Maintain Documentation Preventive
    Establish and maintain an incident response plan. CC ID 12056
    [The vendor must Have a documented incident response plan (IRP) for known or suspected compromise of any classified data. § 3.3 ¶ 1 a)]
    Establish/Maintain Documentation Preventive
    Include addressing external communications in the incident response plan. CC ID 13351 Establish/Maintain Documentation Preventive
    Include addressing internal communications in the incident response plan. CC ID 13350 Establish/Maintain Documentation Preventive
    Include addressing information sharing in the incident response plan. CC ID 13349 Establish/Maintain Documentation Preventive
    Include incident response team structures in the Incident Response program. CC ID 01237 Establish/Maintain Documentation Preventive
    Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 Establish Roles Preventive
    Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 Establish Roles Preventive
    Notify interested personnel and affected parties that a security breach was detected. CC ID 11788
    [The vendor must log and inform the card brands of all issuers sending the vendor cardholder data in clear text. § 4.4 ¶ 1 e)]
    Communicate Corrective
    Disseminate and communicate the final incident report, which includes the investigation results and any remediation activity results. CC ID 12306
    [The vendor must Supply a final incident report providing the investigation results and any remediation. § 3.3 ¶ 1 e)]
    Actionable Reports or Measurements Preventive
    Establish and maintain a change control program. CC ID 00886 Establish/Maintain Documentation Preventive
    Establish and maintain a patch management program. CC ID 00896 Process or Activity Preventive
    Deploy software patches. CC ID 07032
    [The vendor must Implement patches in compliance with Section 6.3, Configuration and Patch Management. § 5.3 ¶ 2 f)]
    Configuration Corrective
    Test software patches for any potential compromise of the system's security. CC ID 13175 Testing Detective
    Patch software. CC ID 11825 Technical Security Corrective
    Patch Operating System software. CC ID 11824 Technical Security Corrective
    Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 Configuration Corrective
    Remove outdated software after software has been updated. CC ID 11792 Configuration Corrective
    Update associated documentation after the system configuration has been changed. CC ID 00891 Establish/Maintain Documentation Preventive
    Establish and maintain a configuration change log. CC ID 08710
    [The vendor must Maintain an audit trail of all changes and the associated approval. § 5.3 ¶ 2 g)]
    Configuration Detective
    Document the organization's local environments. CC ID 06726
    [The data security requirements in this and embedded sections apply to confidential and secret data. § 4 ¶ 1
    The vendor must maintain detailed procedures relating to each activity in this section. § 4 ¶ 2
    Secret data is data that, if known to any individual, would result in risks of widespread compromise of financial assets § 4.1.1 ¶ 1
    All symmetric (e.g., Triple DES, AES) and private asymmetric keys (e.g., RSA)—except keys used only for encryption of cardholder data—are secret data and must be managed in accordance with Section 8 of this document, “Key Management: Secret Data.” § 4.1 ¶ 2
    Confidential data is data restricted to authorized individuals. This includes cardholder data and the keys used to encrypt cardholder data. These are confidential data and must be managed in accordance with Section 9 of this document, “Key Management: Confidential Data.” § 4.1.2 ¶ 1
    Unrestricted / public data includes any data not defined in the above terms. Controls are out of scope of these requirements and may be defined by the vendor. § 4.1.3 ¶ 1
    The requirements in this section apply to data transmitted to or from the issuer or authorized processor. § 4.4 ¶ 1
    The secure administration of all key-management activity plays an important role in terms of logical security. The following requirements relate to the procedures and activities for managing keys and key sets. § 8.4 ¶ 1
    The security requirements for dual-interface cards that are personalized using the contact interface are the same as for any other chip card. The requirements in this section apply to personalization of chip cards via the contactless NFC interface. § 4.7 ¶ 1
    The requirements in this section do not apply to vendors that only perform key management or pre-personalization activities on a stand-alone wired system and do not perform data preparation or personalization within their facilities. § 5.1 ¶ 1
    The diagram above shows a typical network setup of a vendor environment and a generic connection from the data source to the machines on the production floor. § 5.1 ¶ 2
    This is the network that contains the card personalization machines. § 5.1.5 ¶ 1
    This is the issuer that owns the cardholder data or that sends it to the vendor on behalf of the issuer. § 5.1.1 ¶ 1
    This is the network that contains the server(s) where the cardholder data is stored pending personalization. This is also the network where the data is prepared and sent to the production floor. § 5.1.4 ¶ 1
    The following diagrams illustrate acceptable placement of the DMZ and associated firewalls: § 5.1.3 ¶ 2
    This is the network segment that contains servers and applications that are accessible by an external network (i.e., any network that is outside the card-production network or its DMZ). § 5.1.3 ¶ 1
    Cardholder data are typically sent over these three main types of network to the personalization vendor. § 5.1.2 ¶ 1
    Ensure a process is in place for updates and patches and identification of their criticality, as detailed in Section 6.3. § 5.2 ¶ 1 k)
    The requirements in this section apply to all hardware (e.g., routers, controllers, firewalls, storage devices) that comprises the data-preparation and personalization networks. § 5.3 ¶ 1
    The requirements in this section apply to firewalls protecting the data-preparation and personalization networks. § 5.4 ¶ 1
    If managed remotely, be managed according to the remote access section. § 5.4.2 ¶ 1 e)]
    Establish/Maintain Documentation Preventive
    Establish and maintain local environment security profiles. CC ID 07037 Establish/Maintain Documentation Preventive
    Include individuals assigned to the local environment in the local environment security profile. CC ID 07038 Establish/Maintain Documentation Preventive
    Include the business processes assigned to the local environment in the local environment security profile. CC ID 07039 Establish/Maintain Documentation Preventive
    Include the technology used in the local environment in the local environment security profile. CC ID 07040 Establish/Maintain Documentation Preventive
    Include contact information for critical personnel assigned to the local environment in the local environment security profile. CC ID 07041 Establish/Maintain Documentation Preventive
    Include facility information for the local environment in the local environment security profile. CC ID 07042 Establish/Maintain Documentation Preventive
    Include facility access information for the local environment in the local environment security profile. CC ID 11773 Establish/Maintain Documentation Preventive
    Update the local environment security profile, as necessary. CC ID 07043 Establish/Maintain Documentation Preventive
  • Physical and environmental protection (29 controls)
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Physical and environmental protection CC ID 00709 IT Impact Zone IT Impact Zone
    Establish and maintain a physical security program. CC ID 11757 Establish/Maintain Documentation Preventive
    Establish and maintain a facility physical security program. CC ID 00711 Establish/Maintain Documentation Preventive
    Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 Establish/Maintain Documentation Preventive
    Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311
    [Access to cardholder data and the processing facilities must not be provided until the appropriate access controls have been implemented and a contract defining terms for access has been signed. § 4.3 ¶ 1 f) ii.]
    Behavior Preventive
    Implement physical security standards for mainframe rooms or data centers. CC ID 00749
    [{physical access} {data-preparation network} The vendor must Prevent physical and logical access from outside the high security area (HSA) to the data-preparation or personalization networks. § 4.3 ¶ 1 a)]
    Physical and Environmental Protection Preventive
    Establish and maintain equipment security cages in a shared space environment. CC ID 06711 Physical and Environmental Protection Preventive
    Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 Physical and Environmental Protection Preventive
    Lock all lockable equipment cabinets. CC ID 11673 Physical and Environmental Protection Detective
    Establish and maintain physical security controls for distributed Information Technology assets. CC ID 00718 Physical and Environmental Protection Preventive
    Establish and maintain removable storage media controls. CC ID 06680
    [All removable media must be securely stored, controlled, and tracked. § 4.6 b)]
    Data and Information Management Preventive
    Control access to restricted storage media. CC ID 04889 Data and Information Management Preventive
    Physically secure all electronic storage media that store restricted data or restricted information. CC ID 11664 Physical and Environmental Protection Preventive
    Separate duplicate originals and backup media from the original electronic storage media. CC ID 00961 Records Management Preventive
    Treat archive media as evidence. CC ID 00960 Records Management Preventive
    Log the transfer of removable storage media. CC ID 12322
    [Transfer of removable media to and from the HSA must be authorized and logged. § 4.6 f)]
    Log Management Preventive
    Establish and maintain storage media access control procedures. CC ID 00959 Establish/Maintain Documentation Preventive
    Require removable storage media be in the custody of an authorized individual. CC ID 12319
    [All removable media within the HSA must be in the custody of an authorized individual. § 4.6 c)]
    Behavior Preventive
    Control the storage of restricted storage media. CC ID 00965 Records Management Preventive
    Store removable storage media containing restricted data or restricted information using electronic media storage cabinets or electronic media storage vaults. CC ID 00717
    [All removable media must be securely stored, controlled, and tracked. § 4.6 b)
    The vendor must Ensure data is always stored within the high security area (HSA). § 4.5 ¶ 1 g)]
    Physical and Environmental Protection Preventive
    Protect the combinations for all combination locks. CC ID 02199 Physical and Environmental Protection Preventive
    Establish and maintain electronic media storage container repair guidelines. CC ID 02200 Establish/Maintain Documentation Preventive
    Establish and maintain eavesdropping protection for vaults. CC ID 02231 Physical and Environmental Protection Preventive
    Serialize all removable storage media. CC ID 00949 Configuration Preventive
    Control the transiting and internal distribution or external distribution of restricted storage media. CC ID 00963 Records Management Preventive
    Log the transferring of custody of removable storage media. CC ID 12321
    [Transfers of custody between two individuals must be authorized and logged. § 4.6 e)]
    Log Management Preventive
    Obtain management authorization for restricted storage media transit or distribution from a controlled access area. CC ID 00964
    [Transfer of removable media to and from the HSA must be authorized and logged. § 4.6 f)]
    Records Management Preventive
    Transport restricted media using a delivery method that can be tracked. CC ID 11777 Business Processes Preventive
    Track restricted storage media while it is in transit. CC ID 00967 Data and Information Management Detective
  • Privacy protection for information and data (7 controls)
    Privacy protection for information and data CC ID 00008 IT Impact Zone IT Impact Zone
    Establish and maintain a privacy framework that protects restricted data. CC ID 11850 Establish/Maintain Documentation Preventive
    Establish and maintain a personal data use limitation program. CC ID 13428 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 Establish/Maintain Documentation Preventive
    Dispose of media and personal data in a timely manner. CC ID 00125
    [The vendor must Delete data on the personalization machine as soon as the job is completed. § 4.5 ¶ 1 b)]
    Data and Information Management Preventive
    Refrain from destroying records being inspected or reviewed. CC ID 13015 Records Management Preventive
    Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 Communicate Preventive
  • Records management (43 controls)
    Records management CC ID 00902 IT Impact Zone IT Impact Zone
    Establish and maintain records management policies used to manage organizational records. CC ID 00903 Establish/Maintain Documentation Preventive
    Establish and maintain a record classification scheme. CC ID 00914 Establish/Maintain Documentation Preventive
    Establish and maintain Records Management procedures. CC ID 00919 Establish/Maintain Documentation Preventive
    Establish and maintain data processing integrity controls. CC ID 00923
    [The vendor must protect the integrity of cardholder data against modification and deletion at all times. § 4.4 ¶ 1 c)]
    Establish Roles Preventive
    Compare each record's data input to its final form. CC ID 11813 Records Management Detective
    Establish and maintain Automated Data Processing validation checks and editing checks. CC ID 00924 Data and Information Management Preventive
    Establish and maintain Automated Data Processing error handling procedures. CC ID 00925 Establish/Maintain Documentation Preventive
    Establish and maintain Automated Data Processing error handling reporting. CC ID 11659 Establish/Maintain Documentation Preventive
    Define each system's preservation requirements for records and logs. CC ID 00904 Establish/Maintain Documentation Detective
    Establish and maintain a data retention program. CC ID 00906 Establish/Maintain Documentation Detective
    Store personal data that is retained for long periods after use on a separate server or media. CC ID 12314
    [Ensure that data retained for longer than 30 days after personalization complies with the following additional requirements. This data must Be stored on a separate server or media § 4.5 ¶ 1 h) ii.]
    Data and Information Management Preventive
    Establish and maintain storage media disposition and destruction procedures. CC ID 11657 Establish/Maintain Documentation Preventive
    Sanitize all electronic storage media before disposing of a system or redeploying a system. CC ID 01643
    [{secret data} The vendor must Ensure that all secret or confidential data has been irrecoverably removed before the media is used for any other purpose. § 4.5 ¶ 1 e)]
    Data and Information Management Preventive
    Destroy electronic storage media following the storage media disposition and destruction procedures. CC ID 00970
    [{secret data} Physically destroy any media holding secret or confidential data when it is not possible to delete the data so that it is no longer recoverable. § 4.6 g)]
    Testing Detective
    Maintain media sanitization equipment in operational condition. CC ID 00721 Testing Detective
    Define each system's disposition requirements for records and logs. CC ID 11651 Process or Activity Preventive
    Establish and maintain records disposition procedures. CC ID 00971 Establish/Maintain Documentation Preventive
    Manage the disposition status for all records. CC ID 00972 Records Management Preventive
    Use a second person to confirm and sign off that manually deleted data was deleted. CC ID 12313
    [The vendor must Confirm the deletion of manually deleted data including sign-off by a second authorized person. § 4.5 ¶ 1 c)]
    Data and Information Management Preventive
    Remove and/or destroy records according to the records' retention event and retention period schedule. CC ID 06621
    [The vendor must: Delete cardholder data within 30 days of the date the card is personalized unless the issuer has authorized longer retention in writing. § 4.5 ¶ 1 a)
    Ensure that data retained for longer than 30 days after personalization complies with the following additional requirements. This data must Be removed from the active production environment. § 4.5 ¶ 1 h) i.]
    Records Management Preventive
    Place printed records awaiting destruction into secure containers. CC ID 12464 Physical and Environmental Protection Preventive
    Destroy printed records so they cannot be reconstructed. CC ID 11779 Physical and Environmental Protection Preventive
    Automate a programmatic process to remove stored data and records that exceed retention requirements. CC ID 06082 Data and Information Management Preventive
    Establish and maintain records management procedures used to manage organizational records. CC ID 11619 Establish/Maintain Documentation Preventive
    Capture the records required by organizational compliance requirements. CC ID 00912 Records Management Detective
    Assign the appropriate information classification to records imported into the Records Management system. CC ID 04555
    [All removable media (e.g., USB devices, tapes, disks) within the HSA must be clearly labeled with a unique identifier and the data classification. § 4.6 a)]
    Data and Information Management Detective
    Establish and maintain electronic storage media management procedures. CC ID 00931 Establish/Maintain Documentation Preventive
    Establish and maintain storage media and record security label procedures. CC ID 06747 Establish/Maintain Documentation Preventive
    Label restricted storage media appropriately. CC ID 00966
    [All removable media (e.g., USB devices, tapes, disks) within the HSA must be clearly labeled with a unique identifier and the data classification. § 4.6 a)]
    Data and Information Management Preventive
    Establish and maintain online storage controls. CC ID 00942 Technical Security Preventive
    Establish and maintain security controls appropriate to the record types and electronic storage media in use. CC ID 00943 Records Management Preventive
    Provide encryption for different types of electronic storage media. CC ID 00945
    [{secret data} All secret and confidential data must be: Encrypted at all times during transmission and storage. § 4.2 ¶ 1 b)]
    Technical Security Preventive
    Provide audit trails for all pertinent records. CC ID 00372
    [The vendor must maintain audit trails to demonstrate that the ISP and all updates are communicated and received by relevant staff. § 3.1 d)]
    Establish/Maintain Documentation Detective
    Establish and maintain a removable storage media log. CC ID 12317
    [A log must be maintained when media is removed from or returned to its storage location, or transferred to the custody of another individual. The log must contain: § 4.6 d)]
    Log Management Preventive
    Include a unique identifier for each removable storage media asset in the removable storage media log. CC ID 12320
    [A log must be maintained when media is removed from or returned to its storage location, or transferred to the custody of another individual. The log must contain Unique identifier § 4.6 d) i.]
    Establish/Maintain Documentation Preventive
    Include the date and time in the removable storage media log. CC ID 12318
    [A log must be maintained when media is removed from or returned to its storage location, or transferred to the custody of another individual. The log must contain Date and time § 4.6 d) ii.]
    Establish/Maintain Documentation Preventive
    Include the name and signature of the current custodian in the removable storage media log. CC ID 12315
    [A log must be maintained when media is removed from or returned to its storage location, or transferred to the custody of another individual. The log must contain Name and signature of current custodian § 4.6 d) iii.]
    Establish/Maintain Documentation Preventive
    Record the number of physical media used for the data transfer in the removable storage media log. CC ID 12754 Establish/Maintain Documentation Preventive
    Record the recipient's name for the data transfer in the removable storage media log. CC ID 12753 Establish/Maintain Documentation Preventive
    Record the sender's name in the removable storage media log. CC ID 12752 Establish/Maintain Documentation Preventive
    Record the type of physical media being used for the data transfer in the removable storage media log. CC ID 12751 Establish/Maintain Documentation Preventive
    Include the reason for transfer in the removable storage media log. CC ID 12316
    [A log must be maintained when media is removed from or returned to its storage location, or transferred to the custody of another individual. The log must contain Reason for transfer § 4.6 d) v.]
    Establish/Maintain Documentation Preventive
  • System hardening through configuration management (18 controls)
    System hardening through configuration management CC ID 00860 IT Impact Zone IT Impact Zone
    Establish and maintain system hardening procedures. CC ID 12001 Establish/Maintain Documentation Preventive
    Change default configurations, as necessary. CC ID 00877 Configuration Preventive
    Change all default passwords. CC ID 06080
    [Default passwords on the AP must be changed. § 5.7.3 ¶ 1 e)
    The vendor must Change all default passwords. § 7.2.1 ¶ 1 f)]
    Configuration Preventive
    Enable and configure auditing operations and logging operations, as necessary. CC ID 01522 Log Management Preventive
    Configure the detailed data elements to be captured for all logs so that events are identified by type, location, subject, user, what data was accessed, etc. CC ID 06331
    [The vendor must Make certain that access audit trails are produced that provide sufficient details to identify the cardholder data accessed and the individual user accessing the data. § 4.3 ¶ 1 d)]
    Configuration Preventive
    Configure the log to capture creates, reads, updates, or deletes of records containing personal data. CC ID 11890 Log Management Detective
    Configure the log to capture the information referent when personal data is being accessed. CC ID 11968 Log Management Detective
    Configure the log to capture the user's identification. CC ID 01334 Configuration Preventive
    Configure the log to capture a date and time stamp. CC ID 01336 Configuration Preventive
    Configure the log to capture each auditable event's origination. CC ID 01338 Log Management Detective
    Configure the log to uniquely identify each asset. CC ID 01339 Configuration Preventive
    Configure the log to capture remote access information. CC ID 05596
    [Remote access must be logged, and the log must be reviewed weekly for suspicious activity. § 5.6.2 h)]
    Configuration Detective
    Configure the log to capture the type of each event. CC ID 06423 Configuration Preventive
    Configure the log to capture each event's success or failure indication. CC ID 06424 Configuration Preventive
    Establish and maintain procedures for configuring the appropriate network parameter modifications. CC ID 01517 Establish/Maintain Documentation Preventive
    Enable the firewall and configure it to meet organizational standards. CC ID 01926 Configuration Preventive
    Configure the firewall to display notifications. CC ID 04399
    [The firewalls must Notify the administrator in real time of any items requiring immediate attention. § 5.4.2 ¶ 1 i)]
    Configuration Preventive
  • Systems design, build, and implementation (11 controls)
    Systems design, build, and implementation CC ID 00989 IT Impact Zone IT Impact Zone
    Initiate the System Development Life Cycle planning phase. CC ID 06266 Systems Design, Build, and Implementation Preventive
    Establish and maintain system design principles and system design guidelines. CC ID 01057 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a security controls definition document. CC ID 01080 Establish/Maintain Documentation Preventive
    Implement security controls into the system during the development process. CC ID 01082 Configuration Preventive
    Establish and maintain a coding manual for secure coding techniques. CC ID 11863 Establish/Maintain Documentation Preventive
    Refrain from hard-coding cryptographic keys in source code. CC ID 12307
    [Cryptographic keys must not be hard-coded into software. § 8.1 g)]
    Technical Security Preventive
    Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 Systems Design, Build, and Implementation Preventive
    Perform Quality Management on all newly developed or modified systems. CC ID 01100 Testing Detective
    Establish and maintain system testing procedures. CC ID 11744 Establish/Maintain Documentation Preventive
    Control the test data used in the development environment. CC ID 12013
    [{test key} {test data} Test (non-production) keys and test (non-production) data cannot be used with production equipment. § 4.8 a)]
    Systems Design, Build, and Implementation Preventive
  • Technical security (85 controls)
    Technical security CC ID 00508 IT Impact Zone IT Impact Zone
    Establish and maintain an access classification scheme. CC ID 00509 Establish/Maintain Documentation Preventive
    Include restricting access to confidential data or restricted information to a need-to-know basis in the access classification scheme. CC ID 00510
    [The vendor must Ensure that access is on a need-to-know basis and that an individual is granted no more than sufficient access to perform his or her job. § 4.3 ¶ 1 b)]
    Establish/Maintain Documentation Preventive
    Include business security requirements in the access classification scheme. CC ID 00002 Establish/Maintain Documentation Preventive
    Interpret and apply security requirements based upon the information classification of the system. CC ID 00003 Establish/Maintain Documentation Preventive
    Include third party access in the access classification scheme. CC ID 11786 Establish/Maintain Documentation Preventive
    Establish and maintain an access control program. CC ID 11702 Establish/Maintain Documentation Preventive
    Establish and maintain an access rights management plan. CC ID 00513 Establish/Maintain Documentation Preventive
    Control access rights to organizational assets. CC ID 00004 Technical Security Preventive
    Establish access rights based on least privilege. CC ID 01411
    [The vendor must Ensure that access is on a need-to-know basis and that an individual is granted no more than sufficient access to perform his or her job. § 4.3 ¶ 1 b)]
    Technical Security Preventive
    Assign user permissions based on job responsibilities. CC ID 00538 Technical Security Preventive
    Assign user privileges after they have management sign-off. CC ID 00542 Technical Security Preventive
    Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 Configuration Preventive
    Include digital identification procedures in the Access Control program. CC ID 11841 Technical Security Preventive
    Employ unique user identifiers. CC ID 01273
    [The vendor must Implement unique IDs for each administrator. § 5.3 ¶ 2 h)]
    Testing Detective
    Require proper authentication for user identifiers. CC ID 11785
    [The vendor must Establish proper user authentication prior to access. § 4.3 ¶ 1 c)]
    Technical Security Preventive
    Assign passwords to user accounts, as necessary. CC ID 06855 Configuration Preventive
    Assign authentication mechanisms for user account authentication. CC ID 06856 Configuration Preventive
    Establish and maintain a memorized secret list. CC ID 13791 Establish/Maintain Documentation Preventive
    Limit account credential reuse as a part of digital identification procedures. CC ID 12357 Configuration Preventive
    Refrain from allowing individuals to share authentication mechanisms. CC ID 11932 Technical Security Preventive
    Refrain from assigning authentication mechanisms for shared accounts. CC ID 11910 Technical Security Preventive
    Use biometric authentication for identification and authentication, as necessary. CC ID 06857 Establish Roles Preventive
    Employ live scans to verify biometric authentication. CC ID 06847 Technical Security Preventive
    Identify the user when enrolling them in the biometric system. CC ID 06882 Testing Detective
    Disallow self-enrollment of biometric information. CC ID 11834 Process or Activity Preventive
    Tune the biometric identification equipment, as necessary. CC ID 07077 Configuration Corrective
    Notify a user when an authenticator for a user account is changed. CC ID 13820 Communicate Preventive
    Enforce information flow control. CC ID 11781 Monitor and Evaluate Occurrences Preventive
    Identify and control all network access controls. CC ID 00529 Technical Security Preventive
    Establish and maintain information flow control configuration standards. CC ID 01924 Establish/Maintain Documentation Preventive
    Establish and maintain an automated information flow approval process or semi-automated information flow approval process for transmitting or receiving restricted data or restricted information. CC ID 06734
    [The vendor must establish mechanisms that ensure the authenticity and validate the integrity of data transmitted and received. § 4.4 ¶ 1 b)]
    Data and Information Management Detective
    Establish and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410 Establish/Maintain Documentation Preventive
    Establish and maintain a network configuration standard. CC ID 00530 Establish/Maintain Documentation Preventive
    Maintain up-to-date network diagrams. CC ID 00531
    [The vendor must Maintain a current network topology diagram that includes all system components on the network § 5.2 ¶ 1 a)]
    Establish/Maintain Documentation Preventive
    Establish and maintain information exchange procedures. CC ID 11782 Establish/Maintain Documentation Preventive
    Use a passive asset inventory discovery tool to identify assets when network mapping. CC ID 13735 Process or Activity Detective
    Accept, by formal signature, the security implications of the network topology. CC ID 12323
    [The vendor must Ensure that the CISO accepts, by formal signature, the security implications of the current network topology. § 5.2 ¶ 1 c)]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate network diagrams to interested personnel and affected parties. CC ID 13137 Communicate Preventive
    Enable encryption of a protected distribution system if sending restricted data or restricted information. CC ID 01749 Configuration Preventive
    Log issuers who send personal data in cleartext in the transfer audit log. CC ID 12312
    [The vendor must log and inform the card brands of all issuers sending the vendor cardholder data in clear text. § 4.4 ¶ 1 e)]
    Log Management Preventive
    Establish and maintain a Boundary Defense program. CC ID 00544 Establish/Maintain Documentation Preventive
    Segregate out of scope systems from in scope systems. CC ID 12546 Technical Security Preventive
    Segregate servers that contain restricted data or restricted information from direct public access. CC ID 00533
    [The firewalls must Prohibit direct public access between any external networks and any system component that stores cardholder data. § 5.4.2 ¶ 1 c)]
    Technical Security Preventive
    Prevent logical access to dedicated networks from outside the secure areas. CC ID 12310
    [{physical access} {data-preparation network} The vendor must Prevent physical and logical access from outside the high security area (HSA) to the data-preparation or personalization networks. § 4.3 ¶ 1 a)]
    Technical Security Preventive
    Design demilitarized zones with proper isolation rules. CC ID 00532
    [Effective 1 January 2016, the DMZ must be located in the Server Room of the HSA. § 5.1.3 ¶ 1 b)]
    Technical Security Preventive
    Restrict inbound Internet traffic inside the Demilitarized Zone. CC ID 01285 Data and Information Management Preventive
    Restrict inbound Internet traffic into the Demilitarized Zone to Internet Protocol addresses within the Demilitarized Zone. CC ID 11998 Technical Security Preventive
    Restrict inbound Internet traffic within the Demilitarized Zone to system components that provide publicly accessible services, protocols, and ports. CC ID 11993 Technical Security Preventive
    Segregate applications and databases that contain restricted data or restricted information in an internal network zone. CC ID 01289 Data and Information Management Preventive
    Establish and maintain a network access control standard. CC ID 00546
    [The vendor must have controls in place to ensure that wireless networks cannot be used to access cardholder data. § 5.7.2 ¶ 1 b) ¶ 2]
    Establish/Maintain Documentation Preventive
    Include assigned roles and responsibilities in the network access control standard. CC ID 06410 Establish Roles Preventive
    Employ firewalls to secure network connections between trusted networks and untrusted networks, as necessary. CC ID 11821 Technical Security Preventive
    Place firewalls between all security domains and between any Demilitarized Zone and internal network zones. CC ID 01274
    [The vendor must Install a firewall between the data-preparation network and the personalization network unless both are located within the same high security area or network. § 5.4.1 ¶ 1 c)]
    Configuration Preventive
    Place firewalls between wireless networks and applications or databases that contain restricted data or restricted information. CC ID 01293 Configuration Preventive
    Place firewalls between all security domains and between any secure subnet and internal network zones. CC ID 11784 Configuration Preventive
    Separate the wireless access points and wireless bridges from the wired network via a firewall. CC ID 04588
    [The vendor must deploy a firewall to segregate the wireless network and the wired network. § 5.7.2 ¶ 1 c)]
    Technical Security Preventive
    Include Configuration Management and rulesets in the network access control standard. CC ID 11845 Establish/Maintain Documentation Preventive
    Secure the network access control standard against unauthorized changes. CC ID 11920 Establish/Maintain Documentation Preventive
    Configure network access and control points to protect restricted data or restricted information. CC ID 01284 Configuration Preventive
    Configure firewalls to deny all traffic by default, except explicitly designated traffic. CC ID 00547 Configuration Preventive
    Allow remote administration exceptions on the firewall, as necessary. CC ID 01957
    [Remote access is permitted only for the administration of the network or system components. § 5.6.1 a)]
    Configuration Preventive
    Control all methods of remote access and teleworking. CC ID 00559 Technical Security Preventive
    Control remote access through a network access control. CC ID 01421
    [All remote access must use a VPN that meets the requirements in the following section. § 5.6.1 l)]
    Technical Security Preventive
    Employ multifactor authentication for remote access to the organization's network. CC ID 12505 Technical Security Preventive
    Protect remote access accounts with encryption. CC ID 00562
    [Traffic on the VPN must be encrypted using Triple DES with at least double-length keys or Advanced Encryption Standard (AES). § 5.6.2 a)]
    Configuration Preventive
    Monitor and evaluate all remote access usage. CC ID 00563
    [Remote access must be logged, and the log must be reviewed weekly for suspicious activity. § 5.6.2 h)]
    Monitor and Evaluate Occurrences Detective
    Prohibit remote access to systems processing cleartext restricted data or restricted information. CC ID 12324
    [Remote access is prohibited to any system where clear-text cardholder data is being processed. § 5.6.1 h)]
    Technical Security Preventive
    Manage the use of encryption controls and cryptographic controls. CC ID 00570 Technical Security Preventive
    Establish and maintain an encryption management and cryptographic controls policy. CC ID 04546 Establish/Maintain Documentation Preventive
    Encrypt restricted data or restricted information using the most secure method possible. CC ID 04824
    [{secret data} All secret and confidential data must be Encrypted using algorithms and key sizes as stated in Normative Annex A. § 4.2 ¶ 1 a)
    The vendor must Ensure that when personalization signals are encrypted, they comply with the encryption standards defined in Normative Annex A. If the signals are encrypted, 4.7 a, b, and d herein do not apply. § 4.7 ¶ 2 c)]
    Data and Information Management Preventive
    Decrypt restricted data for the minimum time required. CC ID 12308
    [{secret data} All secret and confidential data must be Decrypted for the minimum time required for data preparation and personalization. § 4.2 ¶ 1 c)]
    Data and Information Management Preventive
    Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309
    [{data-preparation network} The vendor must only decrypt or translate cardholder data on the data-preparation or personalization network and not while it is on an Internet or public facing network. § 4.2 ¶ 1 d)]
    Data and Information Management Preventive
    Use strong data encryption to transmit restricted data or restricted information over public networks. CC ID 00564
    [{secret data} All secret and confidential data must be: Encrypted at all times during transmission and storage. § 4.2 ¶ 1 b)]
    Technical Security Preventive
    Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls. CC ID 12492 Technical Security Preventive
    Encrypt traffic over public networks with trusted cryptographic keys. CC ID 12490 Technical Security Preventive
    Authorize transactions of data transmitted over public networks or shared data networks. CC ID 00566 Establish/Maintain Documentation Preventive
    Implement non-repudiation for transactions. CC ID 00567 Testing Detective
    Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks. CC ID 00568 Technical Security Preventive
    Protect application services information transmitted over a public network from unauthorized modification. CC ID 12021 Technical Security Preventive
    Protect application services information transmitted over a public network from unauthorized disclosure. CC ID 12020 Technical Security Preventive
    Protect application services information transmitted over a public network from contract disputes. CC ID 12019 Technical Security Preventive
    Protect application services information transmitted over a public network from fraudulent activity. CC ID 12018 Technical Security Preventive
    Establish and maintain a malicious code protection program. CC ID 00574 Establish/Maintain Documentation Preventive
    Install security and protection software on all systems. CC ID 00575
    [The vendor must Deploy anti-virus software on all systems potentially affected by malicious software (e.g., personal computers and servers). § 5.5 ¶ 1 a)]
    Configuration Preventive
  • Third Party and supply chain oversight
    9
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Third Party and supply chain oversight CC ID 08807 IT Impact Zone IT Impact Zone
    Establish and maintain a supply chain management program. CC ID 11742 Establish/Maintain Documentation Preventive
    Formalize client and third party relationships with contracts or nondisclosure agreements, as necessary. CC ID 00794 Process or Activity Detective
    Include a description of the data or information to be covered in third party contracts. CC ID 06510 Establish/Maintain Documentation Preventive
    Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610
    [Third-party access must be based on a formal contract referencing applicable security policies and standards. § 4.3 ¶ 1 f) i.]
    Business Processes Preventive
    Include third party acknowledgement of their data protection responsibilities in third party contracts. CC ID 01364 Testing Detective
    Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264
    [Access to cardholder data and the processing facilities must not be provided until the appropriate access controls have been implemented and a contract defining terms for access has been signed. § 4.3 ¶ 1 f) ii.]
    Data and Information Management Detective
    Establish, implement, and maintain a supply chain management policy. CC ID 08808 Establish/Maintain Documentation Preventive
    Require third parties to employ a Chief Information Security Officer. CC ID 12057
    [The CISO must be an employee of the vendor. § 2.1 b)]
    Human Resources Management Preventive
Common Controls and mandates by Type
96 Mandated Controls - bold    112 Implied Controls - italic     106 Implementation

Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.

Number of Controls
314 Total
  • Actionable Reports or Measurements
    3
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Report on the percentage of critical assets and functions for which the cost of compromise has been quantified. CC ID 02041
    [The CISO must, on a monthly basis, report to executive management the current status of security compliance and issues that pose potential risks to the organization. § 2.1 c)]
    Monitoring and measurement Detective
    Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary. CC ID 00676
    [The CISO must, on a monthly basis, report to executive management the current status of security compliance and issues that pose potential risks to the organization. § 2.1 c)]
    Monitoring and measurement Corrective
    Disseminate and communicate the final incident report, which includes the investigation results and any remediation activity results. CC ID 12306
    [The vendor must Supply a final incident report providing the investigation results and any remediation. § 3.3 ¶ 1 e)]
    Operational management Preventive
  • Behavior
    10
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Establish and maintain testing programs, as necessary. CC ID 00654 Monitoring and measurement Preventive
    Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311
    [Access to cardholder data and the processing facilities must not be provided until the appropriate access controls have been implemented and a contract defining terms for access has been signed. § 4.3 ¶ 1 f) ii.]
    Physical and environmental protection Preventive
    Require removable storage media be in the custody of an authorized individual. CC ID 12319
    [All removable media within the HSA must be in the custody of an authorized individual. § 4.6 c)]
    Physical and environmental protection Preventive
    Limit the activities performed as a proxy to an organizational leader. CC ID 12054 Human Resources management Preventive
    Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer. CC ID 12060
    [When the CISO backup is functioning on behalf of the CISO, the backup must not perform activities for which they have approval responsibility and must not approve activities which they previously performed. § 2.2 b)]
    Human Resources management Preventive
    Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer. CC ID 12059
    [When the CISO backup is functioning on behalf of the CISO, the backup must not perform activities for which they have approval responsibility and must not approve activities which they previously performed. § 2.2 b)]
    Human Resources management Preventive
    Prohibit roles from performing activities that they are assigned the responsibility for approving. CC ID 12052
    [The CISO must Not perform activities that they have the responsibility for approving. § 2.2 a) iii.]
    Human Resources management Preventive
    Share data loss event information with the media. CC ID 01759 Operational management Corrective
    Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 Operational management Corrective
    Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 Operational management Corrective
  • Business Processes
    6
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Transport restricted media using a delivery method that can be tracked. CC ID 11777 Physical and environmental protection Preventive
    Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806 Human Resources management Preventive
    Align the information security policy with the organization's risk acceptance level. CC ID 13042 Operational management Preventive
    Review the information security procedures, as necessary. CC ID 12006
    [The security procedures must be reviewed, validated, and where necessary updated annually. § 3.2 b)
    The vendor must maintain procedures for each function associated with the ISP to support compliance with these requirements. § 3.2 a)]
    Operational management Preventive
    Establish and maintain an Incident Management program. CC ID 00853 Operational management Preventive
    Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610
    [Third-party access must be based on a formal contract referencing applicable security policies and standards. § 4.3 ¶ 1 f) i.]
    Third Party and supply chain oversight Preventive
  • Communicate
    4
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Notify a user when an authenticator for a user account is changed. CC ID 13820 Technical security Preventive
    Disseminate and communicate network diagrams to interested personnel and affected parties. CC ID 13137 Technical security Preventive
    Notify interested personnel and affected parties that a security breach was detected. CC ID 11788
    [The vendor must log and inform the card brands of all issuers sending the vendor cardholder data in clear text. § 4.4 ¶ 1 e)]
    Operational management Corrective
    Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 Privacy protection for information and data Preventive
  • Configuration
    31
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 Technical security Preventive
    Assign passwords to user accounts, as necessary. CC ID 06855 Technical security Preventive
    Assign authentication mechanisms for user account authentication. CC ID 06856 Technical security Preventive
    Limit account credential reuse as a part of digital identification procedures. CC ID 12357 Technical security Preventive
    Tune the biometric identification equipment, as necessary. CC ID 07077 Technical security Corrective
    Enable encryption of a protected distribution system if sending restricted data or restricted information. CC ID 01749 Technical security Preventive
    Place firewalls between all security domains and between any Demilitarized Zone and internal network zones. CC ID 01274
    [The vendor must Install a firewall between the data-preparation network and the personalization network unless both are located within the same high security area or network. § 5.4.1 ¶ 1 c)]
    Technical security Preventive
    Place firewalls between wireless networks and applications or databases that contain restricted data or restricted information. CC ID 01293 Technical security Preventive
    Place firewalls between all security domains and between any secure subnet and internal network zones. CC ID 11784 Technical security Preventive
    Configure network access and control points to protect restricted data or restricted information. CC ID 01284 Technical security Preventive
    Configure firewalls to deny all traffic by default, except explicitly designated traffic. CC ID 00547 Technical security Preventive
    Allow remote administration exceptions on the firewall, as necessary. CC ID 01957
    [Remote access is permitted only for the administration of the network or system components. § 5.6.1 a)]
    Technical security Preventive
    Protect remote access accounts with encryption. CC ID 00562
    [Traffic on the VPN must be encrypted using Triple DES with at least double-length keys or Advanced Encryption Standard (AES). § 5.6.2 a)]
    Technical security Preventive
    Install security and protection software on all systems. CC ID 00575
    [The vendor must Deploy anti-virus software on all systems potentially affected by malicious software (e.g., personal computers and servers). § 5.5 ¶ 1 a)]
    Technical security Preventive
    Serialize all removable storage media. CC ID 00949 Physical and environmental protection Preventive
    Deploy software patches. CC ID 07032
    [The vendor must Implement patches in compliance with Section 6.3, Configuration and Patch Management. § 5.3 ¶ 2 f)]
    Operational management Corrective
    Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 Operational management Corrective
    Remove outdated software after software has been updated. CC ID 11792 Operational management Corrective
    Establish and maintain a configuration change log. CC ID 08710
    [The vendor must Maintain an audit trail of all changes and the associated approval. § 5.3 ¶ 2 g)]
    Operational management Detective
    Change default configurations, as necessary. CC ID 00877 System hardening through configuration management Preventive
    Change all default passwords. CC ID 06080
    [Default passwords on the AP must be changed. § 5.7.3 ¶ 1 e)
    The vendor must Change all default passwords. § 7.2.1 ¶ 1 f)]
    System hardening through configuration management Preventive
    Configure the detailed data elements to be captured for all logs so that events are identified by type, location, subject, user, what data was accessed, etc. CC ID 06331
    [The vendor must Make certain that access audit trails are produced that provide sufficient details to identify the cardholder data accessed and the individual user accessing the data. § 4.3 ¶ 1 d)]
    System hardening through configuration management Preventive
    Configure the log to capture the user's identification. CC ID 01334 System hardening through configuration management Preventive
    Configure the log to capture a date and time stamp. CC ID 01336 System hardening through configuration management Preventive
    Configure the log to uniquely identify each asset. CC ID 01339 System hardening through configuration management Preventive
    Configure the log to capture remote access information. CC ID 05596
    [Remote access must be logged, and the log must be reviewed weekly for suspicious activity. § 5.6.2 h)]
    System hardening through configuration management Detective
    Configure the log to capture the type of each event. CC ID 06423 System hardening through configuration management Preventive
    Configure the log to capture each event's success or failure indication. CC ID 06424 System hardening through configuration management Preventive
    Enable the firewall and configure it to meet organizational standards. CC ID 01926 System hardening through configuration management Preventive
    Configure the firewall to display notifications. CC ID 04399
    [The firewalls must Notify the administrator in real time of any items requiring immediate attention. § 5.4.2 ¶ 1 i)]
    System hardening through configuration management Preventive
    Implement security controls into the system during the development process. CC ID 01082 Systems design, build, and implementation Preventive
  • Data and Information Management
    21
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Establish and maintain an automated information flow approval process or semi-automated information flow approval process for transmitting or receiving restricted data or restricted information. CC ID 06734
    [The vendor must establish mechanisms that ensure the authenticity and validate the integrity of data transmitted and received. § 4.4 ¶ 1 b)]
    Technical security Detective
    Restrict inbound Internet traffic inside the Demilitarized Zone. CC ID 01285 Technical security Preventive
    Segregate applications and databases that contain restricted data or restricted information in an internal network zone. CC ID 01289 Technical security Preventive
    Encrypt restricted data or restricted information using the most secure method possible. CC ID 04824
    [{secret data} All secret and confidential data must be Encrypted using algorithms and key sizes as stated in Normative Annex A. § 4.2 ¶ 1 a)
    The vendor must Ensure that when personalization signals are encrypted, they comply with the encryption standards defined in Normative Annex A. If the signals are encrypted, 4.7 a, b, and d herein do not apply. § 4.7 ¶ 2 c)]
    Technical security Preventive
    Decrypt restricted data for the minimum time required. CC ID 12308
    [{secret data} All secret and confidential data must be Decrypted for the minimum time required for data preparation and personalization. § 4.2 ¶ 1 c)]
    Technical security Preventive
    Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309
    [{data-preparation network} The vendor must only decrypt or translate cardholder data on the data-preparation or personalization network and not while it is on an Internet or public facing network. § 4.2 ¶ 1 d)]
    Technical security Preventive
    Establish and maintain removable storage media controls. CC ID 06680
    [All removable media must be securely stored, controlled, and tracked. § 4.6 b)]
    Physical and environmental protection Preventive
    Control access to restricted storage media. CC ID 04889 Physical and environmental protection Preventive
    Track restricted storage media while it is in transit. CC ID 00967 Physical and environmental protection Detective
    Share incident information with interested personnel and affected parties. CC ID 01212
    [Within 24 hours, report in writing any known or suspected compromise of confidential or secret data to the Vendor Program Administrator (VPA) and the impacted issuers. Confirmed incidences must be reported to appropriate law enforcement agencies upon confirmation. § 3.3 ¶ 1 c)]
    Operational management Corrective
    Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 Operational management Preventive
    Report data loss event information to breach notification organizations. CC ID 01210
    [Within 24 hours, report in writing any known or suspected compromise of confidential or secret data to the Vendor Program Administrator (VPA) and the impacted issuers. Confirmed incidences must be reported to appropriate law enforcement agencies upon confirmation. § 3.3 ¶ 1 c)]
    Operational management Corrective
    Establish and maintain Automated Data Processing validation checks and editing checks. CC ID 00924 Records management Preventive
    Store personal data that is retained for long periods after use on a separate server or media. CC ID 12314
    [Ensure that data retained for longer than 30 days after personalization complies with the following additional requirements. This data must Be stored on a separate server or media. § 4.5 ¶ 1 h) ii.]
    Records management Preventive
    Sanitize all electronic storage media before disposing a system or redeploying a system. CC ID 01643
    [{secret data} The vendor must Ensure that all secret or confidential data has been irrecoverably removed before the media is used for any other purpose. § 4.5 ¶ 1 e)]
    Records management Preventive
    Use a second person to confirm and sign-off that manually deleted data was deleted. CC ID 12313
    [The vendor must Confirm the deletion of manually deleted data including sign-off by a second authorized person. § 4.5 ¶ 1 c)]
    Records management Preventive
    Automate a programmatic process to remove stored data and records that exceed retention requirements. CC ID 06082 Records management Preventive
    Assign the appropriate information classification to records imported into the Records Management system. CC ID 04555
    [All removable media (e.g., USB devices, tapes, disks) within the HSA must be clearly labeled with a unique identifier and the data classification. § 4.6 a)]
    Records management Detective
    Label restricted storage media appropriately. CC ID 00966
    [All removable media (e.g., USB devices, tapes, disks) within the HSA must be clearly labeled with a unique identifier and the data classification. § 4.6 a)]
    Records management Preventive
    Dispose of media and personal data in a timely manner. CC ID 00125
    [The vendor must Delete data on the personalization machine as soon as the job is completed. § 4.5 ¶ 1 b)]
    Privacy protection for information and data Preventive
    Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264
    [Access to cardholder data and the processing facilities must not be provided until the appropriate access controls have been implemented and a contract defining terms for access has been signed. § 4.3 ¶ 1 f) ii.]
    Third Party and supply chain oversight Detective
  • Establish Roles
    10
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Use biometric authentication for identification and authentication, as necessary. CC ID 06857 Technical security Preventive
    Include assigned roles and responsibilities in the network access control standard. CC ID 06410 Technical security Preventive
    Establish and maintain high level operational roles and responsibilities. CC ID 00806 Human Resources management Preventive
    Define and assign the head of Information Security's roles and responsibilities. CC ID 06091
    [The vendor must designate, in writing, a senior manager with adequate security knowledge to be responsible for the vendor’s Information Security Management. These requirements refer to this person as the “Chief Information Security Officer” (“CISO”). § 2.1 a)]
    Human Resources management Preventive
    Define and assign the business unit manager's roles and responsibilities. CC ID 00810
    [Where managers have security compliance responsibilities, the activities for which the manager has responsibility must be clearly defined. § 2.2 c)]
    Human Resources management Preventive
    Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs. CC ID 12061
    [Staff responsible for day-to-day production activities must not be assigned security compliance assessment responsibility for the production activities that they perform. § 2.2 d)]
    Human Resources management Preventive
    Assign ownership of the information security program to the appropriate role. CC ID 00814
    [The ISP must include a named individual assigned as the “policy owner” and be responsible for management and enforcement of that policy. § 3.1 c)]
    Operational management Preventive
    Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 Operational management Preventive
    Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 Operational management Preventive
    Establish and maintain data processing integrity controls. CC ID 00923
    [The vendor must protect the integrity of cardholder data against modification and deletion at all times. § 4.4 ¶ 1 c)]
    Records management Preventive
  • Establish/Maintain Documentation
    116
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Establish and maintain a strategic plan. CC ID 12784 Leadership and high level objectives Preventive
    Establish and maintain a high-level Strategic Information Technology Plan. CC ID 00628 Leadership and high level objectives Preventive
    Include the Information Governance Plan in the Strategic Information Technology Plan. CC ID 10053 Leadership and high level objectives Preventive
    Establish and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 Monitoring and measurement Preventive
    Establish, implement, and maintain a storage media inventory. CC ID 00694 Monitoring and measurement Preventive
    Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962
    [All removable media must be securely stored, controlled, and tracked. § 4.6 b)]
    Monitoring and measurement Detective
    Establish and maintain a vulnerability assessment program. CC ID 11636 Monitoring and measurement Preventive
    Establish and maintain a compliance monitoring policy. CC ID 00671 Monitoring and measurement Preventive
    Establish and maintain a metrics policy. CC ID 01654 Monitoring and measurement Preventive
    Establish and maintain an information risk threshold metrics program. CC ID 01694 Monitoring and measurement Preventive
    Establish and maintain an access classification scheme. CC ID 00509 Technical security Preventive
    Include restricting access to confidential data or restricted information to a need to know basis in the access classification scheme. CC ID 00510
    [The vendor must Ensure that access is on a need-to-know basis and that an individual is granted no more than sufficient access to perform his or her job. § 4.3 ¶ 1 b)]
    Technical security Preventive
    Include business security requirements in the access classification scheme. CC ID 00002 Technical security Preventive
    Interpret and apply security requirements based upon the information classification of the system. CC ID 00003 Technical security Preventive
    Include third party access in the access classification scheme. CC ID 11786 Technical security Preventive
    Establish and maintain an access control program. CC ID 11702 Technical security Preventive
    Establish and maintain an access rights management plan. CC ID 00513 Technical security Preventive
    Establish and maintain a memorized secret list. CC ID 13791 Technical security Preventive
    Establish and maintain information flow control configuration standards. CC ID 01924 Technical security Preventive
    Establish and maintain a network configuration standard. CC ID 00530 Technical security Preventive
    Establish and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410 Technical security Preventive
    Establish and maintain information exchange procedures. CC ID 11782 Technical security Preventive
    Maintain up-to-date network diagrams. CC ID 00531
    [The vendor must Maintain a current network topology diagram that includes all system components on the network. § 5.2 ¶ 1 a)]
    Technical security Preventive
    Accept, by formal signature, the security implications of the network topology. CC ID 12323
    [The vendor must Ensure that the CISO accepts, by formal signature, the security implications of the current network topology. § 5.2 ¶ 1 c)]
    Technical security Preventive
    Establish and maintain a Boundary Defense program. CC ID 00544 Technical security Preventive
    Establish and maintain a network access control standard. CC ID 00546
    [The vendor must have controls in place to ensure that wireless networks cannot be used to access cardholder data. § 5.7.2 ¶ 1 b) ¶ 2]
    Technical security Preventive
    Include Configuration Management and rulesets in the network access control standard. CC ID 11845 Technical security Preventive
    Secure the network access control standard against unauthorized changes. CC ID 11920 Technical security Preventive
    Establish and maintain an encryption management and cryptographic controls policy. CC ID 04546 Technical security Preventive
    Authorize transactions of data transmitted over public networks or shared data networks. CC ID 00566 Technical security Preventive
    Establish and maintain a malicious code protection program. CC ID 00574 Technical security Preventive
    Establish and maintain a physical security program. CC ID 11757 Physical and environmental protection Preventive
    Establish and maintain a facility physical security program. CC ID 00711 Physical and environmental protection Preventive
    Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 Physical and environmental protection Preventive
    Establish and maintain storage media access control procedures. CC ID 00959 Physical and environmental protection Preventive
    Establish and maintain electronic media storage container repair guidelines. CC ID 02200 Physical and environmental protection Preventive
    Establish and maintain a training program for interested personnel to report compliance violations. CC ID 11835
    [The vendor must Ensure staff report any unexpected or unusual activity relating to production equipment and operations. § 3.3 ¶ 1 b)]
    Human Resources management Preventive
    Establish and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Operational management Preventive
    Establish and maintain an information security program. CC ID 00812 Operational management Preventive
    Establish and maintain an information security policy. CC ID 11740
    [The vendor must define and document an information security policy (ISP) for the facility. § 3.1 a)]
    Operational management Preventive
    Include a commitment to the information security requirements in the information security policy. CC ID 13496 Operational management Preventive
    Include information security objectives in the information security policy. CC ID 13493 Operational management Preventive
    Include the use of Cloud Services in the information security policy. CC ID 13146 Operational management Preventive
    Review and update the information security policy, as necessary. CC ID 11741 Operational management Corrective
    Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304
    [Security procedures must describe the groups, roles, and responsibilities for all activities that protect cardholder data. § 3.2 c)]
    Operational management Preventive
    Describe the group activities that protect restricted data in the information security procedures. CC ID 12294
    [Security procedures must describe the groups, roles, and responsibilities for all activities that protect cardholder data. § 3.2 c)]
    Operational management Preventive
    Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 Operational management Preventive
    Establish and maintain a customer service program. CC ID 00846 Operational management Preventive
    Include intrusion detection procedures in the Incident Management program. CC ID 00588 Operational management Preventive
    Share data loss event information with interconnected system owners. CC ID 01209 Operational management Corrective
    Include data loss event notifications in the Incident Response program. CC ID 00364 Operational management Preventive
    Include information required by law in incident response notifications. CC ID 00802 Operational management Detective
    Include details of the investigation in incident response notifications. CC ID 12296
    [The written communication must contain information regarding the loss or theft including but not limited to the following information Description of the incident including: - Date and time of incident - Details of companies and persons involved - Details of the investigation - Name, e-mail, and telephone number of the person reporting the loss or theft - Name, e-mail, and telephone number of the person to contact for additional information (if different from the person reporting the incident) § 3.3 ¶ 1 c) ¶ 2 v.]
    Operational management Preventive
    Include the issuer's name in incident response notifications. CC ID 12062
    [The written communication must contain information regarding the loss or theft including but not limited to the following information Name of issuer § 3.3 ¶ 1 c) ¶ 2 i.]
    Operational management Preventive
    Include a "What Happened" heading in breach notifications. CC ID 12978 Operational management Preventive
    Include the date (or estimated date) the privacy breach was detected in incident response notifications. CC ID 04745
    [The written communication must contain information regarding the loss or theft including but not limited to the following information Description of the incident including: - Date and time of incident - Details of companies and persons involved - Details of the investigation - Name, e-mail, and telephone number of the person reporting the loss or theft - Name, e-mail, and telephone number of the person to contact for additional information (if different from the person reporting the incident) § 3.3 ¶ 1 c) ¶ 2 v.]
    Operational management Preventive
    Include the identification of the data source in incident response notifications. CC ID 12305
    [The written communication must contain information regarding the loss or theft including but not limited to the following information Identification of the source of the data § 3.3 ¶ 1 c) ¶ 2 iv.]
    Operational management Preventive
    Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 Operational management Preventive
    Include the type of information that was lost in incident response notifications. CC ID 04735
    [The written communication must contain information regarding the loss or theft including but not limited to the following information Type of data § 3.3 ¶ 1 c) ¶ 2 ii.]
    Operational management Preventive
    Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 Operational management Preventive
    Include a "For More Information" heading in breach notifications. CC ID 12981 Operational management Preventive
    Include details of the companies and persons involved in incident response notifications. CC ID 12295
    [The written communication must contain information regarding the loss or theft including but not limited to the following information Description of the incident including: - Date and time of incident - Details of companies and persons involved - Details of the investigation - Name, e-mail, and telephone number of the person reporting the loss or theft - Name, e-mail, and telephone number of the person to contact for additional information (if different from the person reporting the incident) § 3.3 ¶ 1 c) ¶ 2 v.]
    Operational management Preventive
    Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 Operational management Preventive
    Include the reporting individual's contact information in incident response notifications. CC ID 12297
    [The written communication must contain information regarding the loss or theft including but not limited to the following information Description of the incident including: - Date and time of incident - Details of companies and persons involved - Details of the investigation - Name, e-mail, and telephone number of the person reporting the loss or theft - Name, e-mail, and telephone number of the person to contact for additional information (if different from the person reporting the incident) § 3.3 ¶ 1 c) ¶ 2 v.]
    Operational management Preventive
    Include contact information in incident response notifications. CC ID 04739
    [The written communication must contain information regarding the loss or theft including but not limited to the following information Name and address of the vendor § 3.3 ¶ 1 c) ¶ 2 iii.
    The written communication must contain information regarding the loss or theft including but not limited to the following information Description of the incident including: - Date and time of incident - Details of companies and persons involved - Details of the investigation - Name, e-mail, and telephone number of the person reporting the loss or theft - Name, e-mail, and telephone number of the person to contact for additional information (if different from the person reporting the incident) § 3.3 ¶ 1 c) ¶ 2 v.]
    Operational management Preventive
    Analyze security violations in Suspicious Activity Reports. CC ID 00591 Operational management Preventive
    Establish and maintain an Incident Response program. CC ID 00579 Operational management Preventive
    Establish and maintain an incident response plan. CC ID 12056
    [The vendor must Have a documented incident response plan (IRP) for known or suspected compromise of any classified data. § 3.3 ¶ 1 a)]
    Operational management Preventive
    Include addressing external communications in the incident response plan. CC ID 13351 Operational management Preventive
    Include addressing internal communications in the incident response plan. CC ID 13350 Operational management Preventive
    Include addressing information sharing in the incident response plan. CC ID 13349 Operational management Preventive
    Include incident response team structures in the Incident Response program. CC ID 01237 Operational management Preventive
    Establish and maintain a change control program. CC ID 00886 Operational management Preventive
    Update associated documentation after the system configuration has been changed. CC ID 00891 Operational management Preventive
    Document the organization's local environments. CC ID 06726
    [The data security requirements in this and embedded sections apply to confidential and secret data. § 4 ¶ 1
    The vendor must maintain detailed procedures relating to each activity in this section. § 4 ¶ 2
    Secret data is data that, if known to any individual, would result in risks of widespread compromise of financial assets § 4.1.1 ¶ 1
    All symmetric (e.g., Triple DES, AES) and private asymmetric keys (e.g., RSA)—except keys used only for encryption of cardholder data—are secret data and must be managed in accordance with Section 8 of this document, “Key Management: Secret Data.” § 4.1 ¶ 2
    Confidential data is data restricted to authorized individuals. This includes cardholder data and the keys used to encrypt cardholder data. These are confidential data and must be managed in accordance with Section 9 of this document, “Key Management: Confidential Data.” § 4.1.2 ¶ 1
    Unrestricted / public data includes any data not defined in the above terms. Controls are out of scope of these requirements and may be defined by the vendor. § 4.1.3 ¶ 1
    The requirements in this section apply to data transmitted to or from the issuer or authorized processor. § 4.4 ¶ 1
    The secure administration of all key-management activity plays an important role in terms of logical security. The following requirements relate to the procedures and activities for managing keys and key sets. § 8.4 ¶ 1
    The security requirements for dual-interface cards that are personalized using the contact interface are the same as for any other chip card. The requirements in this section apply to personalization of chip cards via the contactless NFC interface. § 4.7 ¶ 1
    The requirements in this section do not apply to vendors that only perform key management or pre-personalization activities on a stand-alone wired system and do not perform data preparation or personalization within their facilities. § 5.1 ¶ 1
    The diagram above shows a typical network setup of a vendor environment and a generic connection from the data source to the machines on the production floor. § 5.1 ¶ 2
    This is the network that contains the card personalization machines. § 5.1.5 ¶ 1
    This is the issuer that owns the cardholder data or that sends it to the vendor on behalf of the issuer. § 5.1.1 ¶ 1
    This is the network that contains the server(s) where the cardholder data is stored pending personalization. This is also the network where the data is prepared and sent to the production floor. § 5.1.4 ¶ 1
    The following diagrams illustrate acceptable placement of the DMZ and associated firewalls: § 5.1.3 ¶ 2
    This is the network segment that contains servers and applications that are accessible by an external network (i.e., any network that is outside the card-production network or its DMZ). § 5.1.3 ¶ 1
    Cardholder data are typically sent over these three main types of network to the personalization vendor. § 5.1.2 ¶ 1
    Ensure a process is in place for updates and patches and identification of their criticality, as detailed in Section 6.3. § 5.2 ¶ 1 k)
    The requirements in this section apply to all hardware (e.g., routers, controllers, firewalls, storage devices) that comprises the data-preparation and personalization networks. § 5.3 ¶ 1
    The requirements in this section apply to firewalls protecting the data-preparation and personalization networks. § 5.4 ¶ 1
    If managed remotely, be managed according to the remote access section. § 5.4.2 ¶ 1 e)]
    Operational management Preventive
    Establish and maintain local environment security profiles. CC ID 07037 Operational management Preventive
    Include individuals assigned to the local environment in the local environment security profile. CC ID 07038 Operational management Preventive
    Include the business processes assigned to the local environment in the local environment security profile. CC ID 07039 Operational management Preventive
    Include the technology used in the local environment in the local environment security profile. CC ID 07040 Operational management Preventive
    Include contact information for critical personnel assigned to the local environment in the local environment security profile. CC ID 07041 Operational management Preventive
    Include facility information for the local environment in the local environment security profile. CC ID 07042 Operational management Preventive
    Include facility access information for the local environment in the local environment security profile. CC ID 11773 Operational management Preventive
    Update the local environment security profile, as necessary. CC ID 07043 Operational management Preventive
    Establish and maintain system hardening procedures. CC ID 12001 System hardening through configuration management Preventive
    Establish and maintain procedures for configuring the appropriate network parameter modifications. CC ID 01517 System hardening through configuration management Preventive
    Establish and maintain records management policies used to manage organizational records. CC ID 00903 Records management Preventive
    Establish and maintain a record classification scheme. CC ID 00914 Records management Preventive
    Establish and maintain Records Management procedures. CC ID 00919 Records management Preventive
    Establish and maintain Automated Data Processing error handling procedures. CC ID 00925 Records management Preventive
    Establish and maintain Automated Data Processing error handling reporting. CC ID 11659 Records management Preventive
    Define each system's preservation requirements for records and logs. CC ID 00904 Records management Detective
    Establish and maintain a data retention program. CC ID 00906 Records management Detective
    Establish and maintain storage media disposition and destruction procedures. CC ID 11657 Records management Preventive
    Establish and maintain records disposition procedures. CC ID 00971 Records management Preventive
    Establish and maintain records management procedures used to manage organizational records. CC ID 11619 Records management Preventive
    Establish and maintain electronic storage media management procedures. CC ID 00931 Records management Preventive
    Establish and maintain storage media and record security label procedures. CC ID 06747 Records management Preventive
    Provide audit trails for all pertinent records. CC ID 00372
    [The vendor must maintain audit trails to demonstrate that the ISP and all updates are communicated and received by relevant staff. § 3.1 d)]
    Records management Detective
    Include a unique identifier for each removable storage media asset in the removable storage media log. CC ID 12320
    [A log must be maintained when media is removed from or returned to its storage location, or transferred to the custody of another individual. The log must contain Unique identifier § 4.6 d) i.]
    Records management Preventive
    Include the date and time in the removable storage media log. CC ID 12318
    [A log must be maintained when media is removed from or returned to its storage location, or transferred to the custody of another individual. The log must contain Date and time § 4.6 d) ii.]
    Records management Preventive
    Include the name and signature of the current custodian in the removable storage media log. CC ID 12315
    [A log must be maintained when media is removed from or returned to its storage location, or transferred to the custody of another individual. The log must contain Name and signature of current custodian § 4.6 d) iii.]
    Records management Preventive
    Record the number of physical media used for the data transfer in the removable storage media log. CC ID 12754 Records management Preventive
    Record the recipient's name for the data transfer in the removable storage media log. CC ID 12753 Records management Preventive
    Record the sender's name in the removable storage media log. CC ID 12752 Records management Preventive
    Record the type of physical media being used for the data transfer in the removable storage media log. CC ID 12751 Records management Preventive
    Include the reason for transfer in the removable storage media log. CC ID 12316
    [A log must be maintained when media is removed from or returned to its storage location, or transferred to the custody of another individual. The log must contain Reason for transfer § 4.6 d) v.]
    Records management Preventive
    Establish and maintain system design principles and system design guidelines. CC ID 01057 Systems design, build, and implementation Preventive
    Establish, implement, and maintain a security controls definition document. CC ID 01080 Systems design, build, and implementation Preventive
    Establish and maintain a coding manual for secure coding techniques. CC ID 11863 Systems design, build, and implementation Preventive
    Establish and maintain system testing procedures. CC ID 11744 Systems design, build, and implementation Preventive
    Establish and maintain a privacy framework that protects restricted data. CC ID 11850 Privacy protection for information and data Preventive
    Establish and maintain a personal data use limitation program. CC ID 13428 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 Privacy protection for information and data Preventive
    Establish and maintain a supply chain management program. CC ID 11742 Third Party and supply chain oversight Preventive
    Include a description of the data or information to be covered in third party contracts. CC ID 06510 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain a supply chain management policy. CC ID 08808 Third Party and supply chain oversight Preventive
  • Human Resources Management
    8
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Assign accountability for the Information Governance Plan to senior management. CC ID 10054
    [The CISO must Be responsible for compliance to these requirements. § 2.2 a) i.]
    Leadership and high level objectives Preventive
    Assign responsibility for enforcing the requirements of the Information Governance Plan to senior management. CC ID 12058
    [The CISO must Have sufficient authority to enforce the requirements of this document. § 2.2 a) ii.]
    Leadership and high level objectives Preventive
    Designate an alternate for each organizational leader. CC ID 12053
    [The CISO must Designate a back-up person who is qualified and empowered to act upon critical security events in the event the CISO is not available. § 2.2 a) iv.]
    Human Resources management Preventive
    Establish and maintain an ethics program. CC ID 11496 Human Resources management Preventive
    Refrain from assigning roles and responsibilities that breach segregation of duties. CC ID 12055 Human Resources management Preventive
    Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 Operational management Preventive
    Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 Operational management Preventive
    Require third parties to employ a Chief Information Security Officer. CC ID 12057
    [The CISO must be an employee of the vendor. § 2.1 b)]
    Third Party and supply chain oversight Preventive
  • IT Impact Zone
    11
    Leadership and high level objectives CC ID 00597 Leadership and high level objectives IT Impact Zone
    Monitoring and measurement CC ID 00636 Monitoring and measurement IT Impact Zone
    Technical security CC ID 00508 Technical security IT Impact Zone
    Physical and environmental protection CC ID 00709 Physical and environmental protection IT Impact Zone
    Human Resources management CC ID 00763 Human Resources management IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
    System hardening through configuration management CC ID 00860 System hardening through configuration management IT Impact Zone
    Records management CC ID 00902 Records management IT Impact Zone
    Systems design, build, and implementation CC ID 00989 Systems design, build, and implementation IT Impact Zone
    Privacy protection for information and data CC ID 00008 Privacy protection for information and data IT Impact Zone
    Third Party and supply chain oversight CC ID 08807 Third Party and supply chain oversight IT Impact Zone
  • Investigate
    1
    Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298
    [The vendor must Investigate the incident and provide at least weekly updates about investigation progress. § 3.3 ¶ 1 d)]
    Operational management Preventive
  • Log Management
    10
    Log issuers who send personal data in cleartext in the transfer audit log. CC ID 12312
    [The vendor must log and inform the card brands of all issuers sending the vendor cardholder data in clear text. § 4.4 ¶ 1 e)]
    Technical security Preventive
    Log the transfer of removable storage media. CC ID 12322
    [Transfer of removable media to and from the HSA must be authorized and logged. § 4.6 f)]
    Physical and environmental protection Preventive
    Log the transferring of custody of removable storage media. CC ID 12321
    [Transfers of custody between two individuals must be authorized and logged. § 4.6 e)]
    Physical and environmental protection Preventive
    Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754
    [The vendor must Identify and preserve specific logs, documents, equipment, and other relevant items that provide evidence for forensic analysis. § 3.3 ¶ 1 f)]
    Operational management Corrective
    Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 Operational management Detective
    Enable and configure auditing operations and logging operations, as necessary. CC ID 01522 System hardening through configuration management Preventive
    Configure the log to capture creates, reads, updates, or deletes of records containing personal data. CC ID 11890 System hardening through configuration management Detective
    Configure the log to capture the information referent when personal data is being accessed. CC ID 11968 System hardening through configuration management Detective
    Configure the log to capture each auditable event's origination. CC ID 01338 System hardening through configuration management Detective
    Establish and maintain a removable storage media log. CC ID 12317
    [A log must be maintained when media is removed from or returned to its storage location, or transferred to the custody of another individual. The log must contain: § 4.6 d)]
    Records management Preventive
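The removable-media log that § 4.6 d) prescribes (unique identifier, date and time, name and signature of the current custodian, reason for transfer), together with the authorization that § 4.6 e) and f) require for custody transfers and for movement in and out of the HSA, is only useful if someone reconciles it. The following is an added example written for this report, not code from the PCI standard or from any vendor: it models those log fields and audits a log for unauthorized movements, missing fields and broken custody chains (media returned by someone who does not hold it, media never returned). The field names, the action vocabulary and the sample entries are assumptions made for illustration.

```python
"""Chain-of-custody audit for a removable-media log (PCI Card Production
Logical Security Requirements 4.6 d)-f)).

Added example, not from the standard: field names, the action vocabulary
("remove", "transfer", "return") and the sample entries are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class MediaLogEntry:
    media_id: str        # 4.6 d) i.   unique identifier of the media
    timestamp: str       # 4.6 d) ii.  date and time, ISO 8601 (assumed format)
    custodian: str       # 4.6 d) iii. name of the current custodian
    signature: str       # 4.6 d) iii. signature, modelled as an opaque token
    reason: str          # 4.6 d) v.   reason for transfer
    action: str          # assumed vocabulary: "remove", "transfer", "return"
    authorized_by: str   # 4.6 e)/f): approver of the movement ("" = none)


REQUIRED_FIELDS = ("media_id", "timestamp", "custodian", "signature", "reason")


def audit(entries):
    """Return a list of findings; an empty list means the log is consistent."""
    findings = []
    holder = {}  # media_id -> custodian currently holding it outside storage
    # ISO 8601 timestamps sort chronologically as strings.
    for e in sorted(entries, key=lambda x: x.timestamp):
        tag = f"{e.media_id}@{e.timestamp}"
        for field in REQUIRED_FIELDS:
            if not getattr(e, field):
                findings.append(f"{tag}: missing {field}")
        try:
            datetime.fromisoformat(e.timestamp)
        except ValueError:
            findings.append(f"{tag}: unparseable timestamp")
        if not e.authorized_by:
            findings.append(f"{tag}: {e.action} not authorized")
        if e.action == "remove":
            if e.media_id in holder:
                findings.append(f"{tag}: removed while already held by {holder[e.media_id]}")
            holder[e.media_id] = e.custodian
        elif e.action == "transfer":
            if e.media_id not in holder:
                findings.append(f"{tag}: custody transfer of media that is not checked out")
            holder[e.media_id] = e.custodian
        elif e.action == "return":
            if e.media_id not in holder:
                findings.append(f"{tag}: return of media that is not checked out")
            elif holder[e.media_id] != e.custodian:
                findings.append(f"{tag}: returned by {e.custodian} but held by {holder[e.media_id]}")
            holder.pop(e.media_id, None)
        else:
            findings.append(f"{tag}: unknown action {e.action!r}")
    # Anything still checked out at the end of the period is a finding too.
    for media_id, who in holder.items():
        findings.append(f"{media_id}: still outside storage, held by {who}")
    return findings


# Constructed sample log (not real data).
SAMPLE_LOG = [
    MediaLogEntry("MED-001", "2024-03-04T09:02:00", "Alice", "sig-a1", "data prep batch 17", "remove", "Bob"),
    MediaLogEntry("MED-001", "2024-03-04T11:30:00", "Carol", "sig-c1", "handover for perso", "transfer", "Bob"),
    MediaLogEntry("MED-001", "2024-03-04T16:45:00", "Alice", "sig-a2", "end of shift", "return", "Bob"),
    MediaLogEntry("MED-002", "2024-03-05T08:00:00", "Dave", "sig-d1", "key ceremony", "remove", ""),
    MediaLogEntry("MED-003", "2024-03-05T10:00:00", "Erin", "sig-e1", "", "return", "Bob"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Run against the sample log the audit reports five findings: MED-001 is returned by Alice although Carol took custody of it, MED-002 was removed without authorization and is still out, and the MED-003 entry has no reason and returns media that was never checked out. A real deployment would feed the audit from the signed paper or electronic log and run it at least as often as the media inventory is reconciled.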
  • Monitor and Evaluate Occurrences
    3
    Enforce information flow control. CC ID 11781 Technical security Preventive
    Monitor and evaluate all remote access usage. CC ID 00563
    [Remote access must be logged, and the log must be reviewed weekly for suspicious activity. § 5.6.2 h)]
    Technical security Detective
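§ 5.6.2 h) requires remote access to be logged and the log reviewed weekly for suspicious activity, but does not say what to look for. The following is an added example written for this report, not code from the PCI standard or from any vendor's tooling: it parses a constructed remote-access log format, restricts itself to the seven days under review, and flags the things a reviewer checks first (logins by accounts not approved for remote access, logins from sources outside the allowed networks, logins outside the agreed hours, and bursts of failed attempts). The line format, the policy constants and the sample lines are assumptions.

```python
"""Weekly review of a remote-access log for suspicious activity (5.6.2 h)).

Added example, not from the standard: the log line format, the policy
constants and the sample lines are assumptions.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<host>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>SUCCESS|FAIL)$"
)

# Policy inputs (assumed values for the example).
APPROVED_REMOTE_USERS = {"jsmith", "mlee"}
ALLOWED_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]
ALLOWED_HOURS_UTC = range(7, 19)    # 07:00-18:59 UTC
FAIL_THRESHOLD = 5                  # failures per (user, source) in the week


def review(lines, week_start_date):
    """Return findings for the 7-day window starting on week_start_date (YYYY-MM-DD, UTC)."""
    week_start = datetime.strptime(week_start_date, "%Y-%m-%d")
    week_end = week_start + timedelta(days=7)
    findings = []
    failures = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            # A line the parser cannot read is itself worth a look (tampering, format drift).
            findings.append(f"unparseable line: {line.strip()!r}")
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        if not (week_start <= ts < week_end):
            continue  # outside the week under review
        user, src, result = m["user"], m["src"], m["result"]
        if result == "FAIL":
            failures[(user, src)] += 1
            continue
        if user not in APPROVED_REMOTE_USERS:
            findings.append(f"{m['ts']}: {user} not approved for remote access (src {src})")
        try:
            ip = ipaddress.ip_address(src)
            if not any(ip in net for net in ALLOWED_SOURCES):
                findings.append(f"{m['ts']}: {user} connected from non-allowlisted source {src}")
        except ValueError:
            findings.append(f"{m['ts']}: malformed source address {src!r}")
        if ts.hour not in ALLOWED_HOURS_UTC:
            findings.append(f"{m['ts']}: {user} connected outside allowed hours (src {src})")
    for (user, src), n in failures.items():
        if n >= FAIL_THRESHOLD:
            findings.append(f"{n} failed attempts for {user} from {src} (possible guessing)")
    return findings


# Constructed sample lines (not real traffic). The first one falls in the
# previous week and must be ignored by a review of the week of 2024-03-04.
SAMPLE_LINES = [
    "2024-02-20T23:10:00Z vpn-gw user=mlee src=198.51.100.21 result=SUCCESS",
    "2024-03-04T09:15:02Z vpn-gw user=jsmith src=198.51.100.20 result=SUCCESS",
    "2024-03-04T02:13:07Z vpn-gw user=mlee src=198.51.100.21 result=SUCCESS",
    "2024-03-05T10:00:00Z vpn-gw user=contractor9 src=203.0.113.45 result=SUCCESS",
] + [
    f"2024-03-06T03:00:{s:02d}Z vpn-gw user=admin src=203.0.113.77 result=FAIL" for s in range(6)
] + ["this line is corrupt"]

if __name__ == "__main__":
    for finding in review(SAMPLE_LINES, "2024-03-04"):
        print(finding)
```

On the sample the review yields five findings: a 02:13 login outside the allowed hours, a login by an account that is not on the approved list from an address outside the allowed networks (two findings for one event), six failed attempts for "admin" from one source, and one line the parser could not read. The thresholds and the hours window are policy decisions the vendor has to document; the point of the example is that the weekly review is a repeatable check against written criteria, not a scroll through the log.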
    Check the precursors and indicators when assessing the security incidents. CC ID 01761 Operational management Corrective
  • Physical and Environmental Protection
    11
    Implement physical security standards for mainframe rooms or data centers. CC ID 00749
    [{physical access} {data-preparation network} The vendor must Prevent physical and logical access from outside the high security area (HSA) to the data-preparation or personalization networks. § 4.3 ¶ 1 a)]
    Physical and environmental protection Preventive
    Establish and maintain equipment security cages in a shared space environment. CC ID 06711 Physical and environmental protection Preventive
    Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 Physical and environmental protection Preventive
    Lock all lockable equipment cabinets. CC ID 11673 Physical and environmental protection Detective
    Establish and maintain physical security controls for distributed Information Technology assets. CC ID 00718 Physical and environmental protection Preventive
    Physically secure all electronic storage media that store restricted data or restricted information. CC ID 11664 Physical and environmental protection Preventive
    Store removable storage media containing restricted data or restricted information using electronic media storage cabinets or electronic media storage vaults. CC ID 00717
    [All removable media must be securely stored, controlled, and tracked. § 4.6 b)
    The vendor must Ensure data is always stored within the high security area (HSA). § 4.5 ¶ 1 g)]
    Physical and environmental protection Preventive
    Protect the combinations for all combination locks. CC ID 02199 Physical and environmental protection Preventive
    Establish and maintain eavesdropping protection for vaults. CC ID 02231 Physical and environmental protection Preventive
    Place printed records awaiting destruction into secure containers. CC ID 12464 Records management Preventive
    Destroy printed records so they cannot be reconstructed. CC ID 11779 Records management Preventive
  • Process or Activity
    7
    Disallow self-enrollment of biometric information. CC ID 11834 Technical security Preventive
    Use a passive asset inventory discovery tool to identify assets when network mapping. CC ID 13735 Technical security Detective
    Approve the information security policy at the organization's management level or higher. CC ID 11737
    [Senior management must review and endorse the validity of the ISP at least once each year. § 3.1 b)]
    Operational management Preventive
    Contain the incident to prevent further loss and preserve the system for forensic analysis. CC ID 01751 Operational management Corrective
    Establish and maintain a patch management program. CC ID 00896 Operational management Preventive
    Define each system's disposition requirements for records and logs. CC ID 11651 Records management Preventive
    Formalize client and third party relationships with contracts or nondisclosure agreements, as necessary. CC ID 00794 Third Party and supply chain oversight Detective
  • Records Management
    11
    Separate duplicate originals and backup media from the original electronic storage media. CC ID 00961 Physical and environmental protection Preventive
    Treat archive media as evidence. CC ID 00960 Physical and environmental protection Preventive
    Control the storage of restricted storage media. CC ID 00965 Physical and environmental protection Preventive
    Control the transiting and internal distribution or external distribution of restricted storage media. CC ID 00963 Physical and environmental protection Preventive
    Obtain management authorization for restricted storage media transit or distribution from a controlled access area. CC ID 00964
    [Transfer of removable media to and from the HSA must be authorized and logged. § 4.6 f)]
    Physical and environmental protection Preventive
    Compare each record's data input to its final form. CC ID 11813 Records management Detective
    Manage the disposition status for all records. CC ID 00972 Records management Preventive
    Remove and/or destroy records according to the records' retention event and retention period schedule. CC ID 06621
    [The vendor must: Delete cardholder data within 30 days of the date the card is personalized unless the issuer has authorized longer retention in writing. § 4.5 ¶ 1 a)
    Ensure that data retained for longer than 30 days after personalization complies with the following additional requirements. This data must Be removed from the active production environment. § 4.5 ¶ 1 h) i.]
    Records management Preventive
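§ 4.5 a) sets a hard deadline (delete cardholder data within 30 days of personalization unless the issuer has authorized longer retention in writing) and § 4.5 h) i. adds that data kept beyond 30 days must leave the active production environment. The following is an added example written for this report, not code from the PCI standard or from any vendor: a retention sweep that classifies each stored record as retain, delete, or remove from production, using the issuer's written extension where one exists. The record fields and the sample records are assumptions.

```python
"""Retention sweep for cardholder data held by a personalization vendor
(4.5 a) and 4.5 h) i.).

Added example, not from the standard: the record fields and sample
records are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

DEFAULT_RETENTION_DAYS = 30  # 4.5 a): delete within 30 days of personalization


@dataclass
class CardholderRecord:
    record_id: str
    personalized_on: str                    # ISO date the card was personalized
    in_active_production: bool              # still reachable from production systems
    issuer_authorized_days: Optional[int]   # written issuer authorization for longer retention, or None


def evaluate(rec: CardholderRecord, today: str) -> str:
    """Return one of RETAIN, DELETE, REMOVE_FROM_PRODUCTION for a record."""
    age = (date.fromisoformat(today) - date.fromisoformat(rec.personalized_on)).days
    # The issuer can only lengthen the window; an authorization shorter than
    # 30 days does not shorten the default.
    limit = max(DEFAULT_RETENTION_DAYS, rec.issuer_authorized_days or 0)
    if age > limit:
        return "DELETE"  # beyond 30 days and beyond any written extension
    if age > DEFAULT_RETENTION_DAYS and rec.in_active_production:
        return "REMOVE_FROM_PRODUCTION"  # 4.5 h) i.: extended retention only outside production
    return "RETAIN"


def sweep(records, today: str) -> dict:
    """Map every record id to the action the retention rules require today."""
    return {r.record_id: evaluate(r, today) for r in records}


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    CardholderRecord("R1", "2024-03-20", True, None),   # 12 days old
    CardholderRecord("R2", "2024-02-15", True, None),   # 46 days, no extension
    CardholderRecord("R3", "2024-02-15", True, 90),     # 46 days, extended, still in production
    CardholderRecord("R4", "2024-02-15", False, 90),    # 46 days, extended, archived
    CardholderRecord("R5", "2023-12-01", False, 90),    # 122 days, past the extension
]

if __name__ == "__main__":
    for record_id, action in sweep(SAMPLE_RECORDS, "2024-04-01").items():
        print(record_id, action)
```

The sweep is deliberately a classifier rather than a deleter: the action list is what goes to the person who runs the destruction procedure and signs the disposition record, and it gives the assessor a dated artefact showing that the 30-day rule was applied.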
    Capture the records required by organizational compliance requirements. CC ID 00912 Records management Detective
    Establish and maintain security controls appropriate to the record types and electronic storage media in use. CC ID 00943 Records management Preventive
    Refrain from destroying records being inspected or reviewed. CC ID 13015 Privacy protection for information and data Preventive
  • Systems Design, Build, and Implementation
    3
    Initiate the System Development Life Cycle planning phase. CC ID 06266 Systems design, build, and implementation Preventive
    Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 Systems design, build, and implementation Preventive
    Control the test data used in the development environment. CC ID 12013
    [{test key} {test data} Test (non-production) keys and test (non-production) data cannot be used with production equipment. § 4.8 a)]
    Systems design, build, and implementation Preventive
  • Technical Security
    38
    Perform vulnerability scans, as necessary. CC ID 11637 Monitoring and measurement Detective
    Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638
    [The vendor must Perform quarterly external network vulnerability scans using an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). § 5.8.1 ¶ 1 a)]
    Monitoring and measurement Detective
    Control access rights to organizational assets. CC ID 00004 Technical security Preventive
    Establish access rights based on least privilege. CC ID 01411
    [The vendor must Ensure that access is on a need-to-know basis and that an individual is granted no more than sufficient access to perform his or her job. § 4.3 ¶ 1 b)]
    Technical security Preventive
    Assign user permissions based on job responsibilities. CC ID 00538 Technical security Preventive
    Assign user privileges after they have management sign off. CC ID 00542 Technical security Preventive
    Include digital identification procedures in the Access Control program. CC ID 11841 Technical security Preventive
    Require proper authentication for user identifiers. CC ID 11785
    [The vendor must Establish proper user authentication prior to access. § 4.3 ¶ 1 c)]
    Technical security Preventive
    Refrain from allowing individuals to share authentication mechanisms. CC ID 11932 Technical security Preventive
    Refrain from assigning authentication mechanisms for shared accounts. CC ID 11910 Technical security Preventive
    Employ live scans to verify biometric authentication. CC ID 06847 Technical security Preventive
    Identify and control all network access controls. CC ID 00529 Technical security Preventive
    Segregate out of scope systems from in scope systems. CC ID 12546 Technical security Preventive
    Segregate servers that contain restricted data or restricted information from direct public access. CC ID 00533
    [The firewalls must Prohibit direct public access between any external networks and any system component that stores cardholder data. § 5.4.2 ¶ 1 c)]
    Technical security Preventive
    Prevent logical access to dedicated networks from outside the secure areas. CC ID 12310
    [{physical access} {data-preparation network} The vendor must Prevent physical and logical access from outside the high security area (HSA) to the data-preparation or personalization networks. § 4.3 ¶ 1 a)]
    Technical security Preventive
    Design demilitarized zones with proper isolation rules. CC ID 00532
    [Effective 1 January 2016, the DMZ must be located in the Server Room of the HSA. § 5.1.3 ¶ 1 b)]
    Technical security Preventive
    Restrict inbound Internet traffic into the Demilitarized Zone to Internet Protocol addresses within the Demilitarized Zone. CC ID 11998 Technical security Preventive
    Restrict inbound Internet traffic within the Demilitarized Zone to system components that provide publicly accessible services, protocols, and ports. CC ID 11993 Technical security Preventive
    Employ firewalls to secure network connections between trusted networks and untrusted networks, as necessary. CC ID 11821 Technical security Preventive
    Separate the wireless access points and wireless bridges from the wired network via a firewall. CC ID 04588
    [The vendor must deploy a firewall to segregate the wireless network and the wired network. § 5.7.2 ¶ 1 c)]
    Technical security Preventive
    Control all methods of remote access and teleworking. CC ID 00559 Technical security Preventive
    Control remote access through a network access control. CC ID 01421
    [All remote access must use a VPN that meets the requirements in the following section. § 5.6.1 l)]
    Technical security Preventive
    Employ multifactor authentication for remote access to the organization's network. CC ID 12505 Technical security Preventive
    Prohibit remote access to systems processing cleartext restricted data or restricted information. CC ID 12324
    [Remote access is prohibited to any system where clear-text cardholder data is being processed. § 5.6.1 h)]
    Technical security Preventive
    Manage the use of encryption controls and cryptographic controls. CC ID 00570 Technical security Preventive
    Use strong data encryption to transmit restricted data or restricted information over public networks. CC ID 00564
    [{secret data} All secret and confidential data must be: Encrypted at all times during transmission and storage. § 4.2 ¶ 1 b)]
    Technical security Preventive
    Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls. CC ID 12492 Technical security Preventive
    Encrypt traffic over public networks with trusted cryptographic keys. CC ID 12490 Technical security Preventive
    Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks. CC ID 00568 Technical security Preventive
    Protect application services information transmitted over a public network from unauthorized modification. CC ID 12021 Technical security Preventive
    Protect application services information transmitted over a public network from unauthorized disclosure. CC ID 12020 Technical security Preventive
    Protect application services information transmitted over a public network from contract disputes. CC ID 12019 Technical security Preventive
    Protect application services information transmitted over a public network from fraudulent activity. CC ID 12018 Technical security Preventive
    Patch software. CC ID 11825 Operational management Corrective
    Patch Operating System software. CC ID 11824 Operational management Corrective
    Establish and maintain online storage controls. CC ID 00942 Records management Preventive
    Provide encryption for different types of electronic storage media. CC ID 00945
    [{secret data} All secret and confidential data must be: Encrypted at all times during transmission and storage. § 4.2 ¶ 1 b)]
    Records management Preventive
    Refrain from hard-coding cryptographic keys in source code. CC ID 12307
    [Cryptographic keys must not be hard-coded into software. § 8.1 g)]
    Systems design, build, and implementation Preventive
  • Testing
    10
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Implement and comply with the security test program. CC ID 11870 Monitoring and measurement Detective
    Employ unique user identifiers. CC ID 01273
    [The vendor must Implement unique IDs for each administrator. § 5.3 ¶ 2 h)]
    Technical security Detective
    Identify the user when enrolling them in the biometric system. CC ID 06882 Technical security Detective
    Implement non-repudiation for transactions. CC ID 00567 Technical security Detective
    Assess all security incidents to determine what information was accessed. CC ID 01226
    [The vendor must Investigate the incident and provide at least weekly updates about investigation progress. § 3.3 ¶ 1 d)]
    Operational management Corrective
    Test software patches for any potential compromise of the system's security. CC ID 13175 Operational management Detective
    Destroy electronic storage media following the storage media disposition and destruction procedures. CC ID 00970
    [{secret data} Physically destroy any media holding secret or confidential data when it is not possible to delete the data so that it is no longer recoverable. § 4.6 g)]
    Records management Detective
    Maintain media sanitization equipment in operational condition. CC ID 00721 Records management Detective
    Perform Quality Management on all newly developed or modified systems. CC ID 01100 Systems design, build, and implementation Detective
    Include third party acknowledgement of their data protection responsibilities in third party contracts. CC ID 01364 Third Party and supply chain oversight Detective
Common Controls and mandates by Classification
96 Mandated Controls - bold    112 Implied Controls - italic    106 Implementation

There are three types of Common Control classifications: corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.

Number of Controls
314 Total
  • Corrective
    19
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary. CC ID 00676
    [The CISO must, on a monthly basis, report to executive management the current status of security compliance and issues that pose potential risks to the organization. § 2.1 c)]
    Monitoring and measurement Actionable Reports or Measurements
    Tune the biometric identification equipment, as necessary. CC ID 07077 Technical security Configuration
    Review and update the information security policy, as necessary. CC ID 11741 Operational management Establish/Maintain Documentation
    Contain the incident to prevent further loss and preserve the system for forensic analysis. CC ID 01751 Operational management Process or Activity
    Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754
    [The vendor must Identify and preserve specific logs, documents, equipment, and other relevant items that provide evidence for forensic analysis. § 3.3 ¶ 1 f)]
    Operational management Log Management
    Assess all security incidents to determine what information was accessed. CC ID 01226
    [The vendor must Investigate the incident and provide at least weekly updates about investigation progress. § 3.3 ¶ 1 d)]
    Operational management Testing
    Check the precursors and indicators when assessing the security incidents. CC ID 01761 Operational management Monitor and Evaluate Occurrences
    Share incident information with interested personnel and affected parties. CC ID 01212
    [Within 24 hours, report in writing any known or suspected compromise of confidential or secret data to the Vendor Program Administrator (VPA) and the impacted issuers. Confirmed incidences must be reported to appropriate law enforcement agencies upon confirmation. § 3.3 ¶ 1 c)]
    Operational management Data and Information Management
    Share data loss event information with the media. CC ID 01759 Operational management Behavior
    Share data loss event information with interconnected system owners. CC ID 01209 Operational management Establish/Maintain Documentation
    Report data loss event information to breach notification organizations. CC ID 01210
    [Within 24 hours, report in writing any known or suspected compromise of confidential or secret data to the Vendor Program Administrator (VPA) and the impacted issuers. Confirmed incidences must be reported to appropriate law enforcement agencies upon confirmation. § 3.3 ¶ 1 c)]
    Operational management Data and Information Management
    Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 Operational management Behavior
    Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365 Operational management Behavior
    Notify interested personnel and affected parties that a security breach was detected. CC ID 11788
    [The vendor must log and inform the card brands of all issuers sending the vendor cardholder data in clear text. § 4.4 ¶ 1 e)]
    Operational management Communicate
    Deploy software patches. CC ID 07032
    [The vendor must Implement patches in compliance with Section 6.3, Configuration and Patch Management. § 5.3 ¶ 2 f)]
    Operational management Configuration
    Patch software. CC ID 11825 Operational management Technical Security
    Patch Operating System software. CC ID 11824 Operational management Technical Security
    Deploy software patches in the disaster recovery environment to mirror those in the production environment. CC ID 13174 Operational management Configuration
    Remove outdated software after software has been updated. CC ID 11792 Operational management Configuration
  • Detective
    33
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Include all electronic storage media containing restricted data or restricted information in the storage media inventory. CC ID 00962
    [All removable media must be securely stored, controlled, and tracked. § 4.6 b)]
    Monitoring and measurement Establish/Maintain Documentation
    Implement and comply with the security test program. CC ID 11870 Monitoring and measurement Testing
    Perform vulnerability scans, as necessary. CC ID 11637 Monitoring and measurement Technical Security
    Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638
    [The vendor must Perform quarterly external network vulnerability scans using an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). § 5.8.1 ¶ 1 a)]
    Monitoring and measurement Technical Security
    Report on the percentage of critical assets and functions for which the cost of compromise has been quantified. CC ID 02041
    [The CISO must, on a monthly basis, report to executive management the current status of security compliance and issues that pose potential risks to the organization. § 2.1 c)]
    Monitoring and measurement Actionable Reports or Measurements
    Employ unique user identifiers. CC ID 01273
    [The vendor must Implement unique IDs for each administrator. § 5.3 ¶ 2 h)]
    Technical security Testing
    Identify the user when enrolling them in the biometric system. CC ID 06882 Technical security Testing
    Establish and maintain an automated information flow approval process or semi-automated information flow approval process for transmitting or receiving restricted data or restricted information. CC ID 06734
    [The vendor must establish mechanisms that ensure the authenticity and validate the integrity of data transmitted and received. § 4.4 ¶ 1 b)]
    Technical security Data and Information Management
    Use a passive asset inventory discovery tool to identify assets when network mapping. CC ID 13735 Technical security Process or Activity
    Monitor and evaluate all remote access usage. CC ID 00563
    [Remote access must be logged, and the log must be reviewed weekly for suspicious activity. § 5.6.2 h)]
    Technical security Monitor and Evaluate Occurrences
    Implement non-repudiation for transactions. CC ID 00567 Technical security Testing
    Lock all lockable equipment cabinets. CC ID 11673 Physical and environmental protection Physical and Environmental Protection
    Track restricted storage media while it is in transit. CC ID 00967 Physical and environmental protection Data and Information Management
    Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 Operational management Log Management
    Include information required by law in incident response notifications. CC ID 00802 Operational management Establish/Maintain Documentation
    Test software patches for any potential compromise of the system's security. CC ID 13175 Operational management Testing
    Establish and maintain a configuration change log. CC ID 08710
    [The vendor must Maintain an audit trail of all changes and the associated approval. § 5.3 ¶ 2 g)]
    Operational management Configuration
    Configure the log to capture creates, reads, updates, or deletes of records containing personal data. CC ID 11890 System hardening through configuration management Log Management
    Configure the log to capture the information referent when personal data is being accessed. CC ID 11968 System hardening through configuration management Log Management
    Configure the log to capture each auditable event's origination. CC ID 01338 System hardening through configuration management Log Management
    Configure the log to capture remote access information. CC ID 05596
    [Remote access must be logged, and the log must be reviewed weekly for suspicious activity. § 5.6.2 h)]
    System hardening through configuration management Configuration
    Compare each record's data input to its final form. CC ID 11813 Records management Records Management
    Define each system's preservation requirements for records and logs. CC ID 00904 Records management Establish/Maintain Documentation
    Establish and maintain a data retention program. CC ID 00906 Records management Establish/Maintain Documentation
    Destroy electronic storage media following the storage media disposition and destruction procedures. CC ID 00970
    [{secret data} Physically destroy any media holding secret or confidential data when it is not possible to delete the data so that it is no longer recoverable. § 4.6 g)]
    Records management Testing
    Maintain media sanitization equipment in operational condition. CC ID 00721 Records management Testing
    Capture the records required by organizational compliance requirements. CC ID 00912 Records management Records Management
    Assign the appropriate information classification to records imported into the Records Management system. CC ID 04555
    [All removable media (e.g., USB devices, tapes, disks) within the HSA must be clearly labeled with a unique identifier and the data classification. § 4.6 a)]
    Records management Data and Information Management
    Provide audit trails for all pertinent records. CC ID 00372
    [The vendor must maintain audit trails to demonstrate that the ISP and all updates are communicated and received by relevant staff. § 3.1 d)]
    Records management Establish/Maintain Documentation
    Perform Quality Management on all newly developed or modified systems. CC ID 01100 Systems design, build, and implementation Testing
    Formalize client and third party relationships with contracts or nondisclosure agreements, as necessary. CC ID 00794 Third Party and supply chain oversight Process or Activity
    Include third party acknowledgement of their data protection responsibilities in third party contracts. CC ID 01364 Third Party and supply chain oversight Testing
    Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264
    [Access to cardholder data and the processing facilities must not be provided until the appropriate access controls have been implemented and a contract defining terms for access has been signed. § 4.3 ¶ 1 f) ii.]
    Third Party and supply chain oversight Data and Information Management
  • IT Impact Zone
    11
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Leadership and high level objectives CC ID 00597 Leadership and high level objectives IT Impact Zone
    Monitoring and measurement CC ID 00636 Monitoring and measurement IT Impact Zone
    Technical security CC ID 00508 Technical security IT Impact Zone
    Physical and environmental protection CC ID 00709 Physical and environmental protection IT Impact Zone
    Human Resources management CC ID 00763 Human Resources management IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
    System hardening through configuration management CC ID 00860 System hardening through configuration management IT Impact Zone
    Records management CC ID 00902 Records management IT Impact Zone
    Systems design, build, and implementation CC ID 00989 Systems design, build, and implementation IT Impact Zone
    Privacy protection for information and data CC ID 00008 Privacy protection for information and data IT Impact Zone
    Third Party and supply chain oversight CC ID 08807 Third Party and supply chain oversight IT Impact Zone
  • Preventive
    251
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Establish and maintain a strategic plan. CC ID 12784 Leadership and high level objectives Establish/Maintain Documentation
    Establish and maintain a high-level Strategic Information Technology Plan. CC ID 00628 Leadership and high level objectives Establish/Maintain Documentation
    Include the Information Governance Plan in the Strategic Information Technology Plan. CC ID 10053 Leadership and high level objectives Establish/Maintain Documentation
    Assign accountability for the Information Governance Plan to senior management. CC ID 10054
    [The CISO must Be responsible for compliance to these requirements. § 2.2 a) i.]
    Leadership and high level objectives Human Resources Management
    Assign responsibility for enforcing the requirements of the Information Governance Plan to senior management. CC ID 12058
    [The CISO must Have sufficient authority to enforce the requirements of this document. § 2.2 a) ii.]
    Leadership and high level objectives Human Resources Management
    Establish and maintain an Information Technology inventory with asset discovery audit trails. CC ID 00689 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a storage media inventory. CC ID 00694 Monitoring and measurement Establish/Maintain Documentation
    Establish and maintain testing programs, as necessary. CC ID 00654 Monitoring and measurement Behavior
    Establish and maintain a vulnerability assessment program. CC ID 11636 Monitoring and measurement Establish/Maintain Documentation
    Establish and maintain a compliance monitoring policy. CC ID 00671 Monitoring and measurement Establish/Maintain Documentation
    Establish and maintain a metrics policy. CC ID 01654 Monitoring and measurement Establish/Maintain Documentation
    Establish and maintain an information risk threshold metrics program. CC ID 01694 Monitoring and measurement Establish/Maintain Documentation
    Establish and maintain an access classification scheme. CC ID 00509 Technical security Establish/Maintain Documentation
    Include restricting access to confidential data or restricted information to a need to know basis in the access classification scheme. CC ID 00510
    [The vendor must Ensure that access is on a need-to-know basis and that an individual is granted no more than sufficient access to perform his or her job. § 4.3 ¶ 1 b)]
    Technical security Establish/Maintain Documentation
    Include business security requirements in the access classification scheme. CC ID 00002 Technical security Establish/Maintain Documentation
    Interpret and apply security requirements based upon the information classification of the system. CC ID 00003 Technical security Establish/Maintain Documentation
    Include third party access in the access classification scheme. CC ID 11786 Technical security Establish/Maintain Documentation
    Establish and maintain an access control program. CC ID 11702 Technical security Establish/Maintain Documentation
    Establish and maintain an access rights management plan. CC ID 00513 Technical security Establish/Maintain Documentation
    Control access rights to organizational assets. CC ID 00004 Technical security Technical Security
    Establish access rights based on least privilege. CC ID 01411
    [The vendor must Ensure that access is on a need-to-know basis and that an individual is granted no more than sufficient access to perform his or her job. § 4.3 ¶ 1 b)]
    Technical security Technical Security
    Assign user permissions based on job responsibilities. CC ID 00538 Technical security Technical Security
    Assign user privileges after they have management sign off. CC ID 00542 Technical security Technical Security
    Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 Technical security Configuration
    Include digital identification procedures in the Access Control program. CC ID 11841 Technical security Technical Security
    Require proper authentication for user identifiers. CC ID 11785
    [The vendor must Establish proper user authentication prior to access. § 4.3 ¶ 1 c)]
    Technical security Technical Security
    Assign passwords to user accounts, as necessary. CC ID 06855 Technical security Configuration
    Assign authentication mechanisms for user account authentication. CC ID 06856 Technical security Configuration
    Limit account credential reuse as a part of digital identification procedures. CC ID 12357 Technical security Configuration
    Establish and maintain a memorized secret list. CC ID 13791 Technical security Establish/Maintain Documentation
    Refrain from allowing individuals to share authentication mechanisms. CC ID 11932 Technical security Technical Security
    Refrain from assigning authentication mechanisms for shared accounts. CC ID 11910 Technical security Technical Security
    Use biometric authentication for identification and authentication, as necessary. CC ID 06857 Technical security Establish Roles
    Employ live scans to verify biometric authentication. CC ID 06847 Technical security Technical Security
    Disallow self-enrollment of biometric information. CC ID 11834 Technical security Process or Activity
    Notify a user when an authenticator for a user account is changed. CC ID 13820 Technical security Communicate
    Enforce information flow control. CC ID 11781 Technical security Monitor and Evaluate Occurrences
    Identify and control all network access controls. CC ID 00529 Technical security Technical Security
    Establish and maintain information flow control configuration standards. CC ID 01924 Technical security Establish/Maintain Documentation
    Establish and maintain a network configuration standard. CC ID 00530 Technical security Establish/Maintain Documentation
    Establish and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410 Technical security Establish/Maintain Documentation
    Establish and maintain information exchange procedures. CC ID 11782 Technical security Establish/Maintain Documentation
    Maintain up-to-date network diagrams. CC ID 00531
    [The vendor must Maintain a current network topology diagram that includes all system components on the network. § 5.2 ¶ 1 a)]
    Technical security Establish/Maintain Documentation
    Accept, by formal signature, the security implications of the network topology. CC ID 12323
    [The vendor must Ensure that the CISO accepts, by formal signature, the security implications of the current network topology. § 5.2 ¶ 1 c)]
    Technical security Establish/Maintain Documentation
    Disseminate and communicate network diagrams to interested personnel and affected parties. CC ID 13137 Technical security Communicate
    Enable encryption of a protected distribution system if sending restricted data or restricted information. CC ID 01749 Technical security Configuration
    Log issuers who send personal data in cleartext in the transfer audit log. CC ID 12312
    [The vendor must log and inform the card brands of all issuers sending the vendor cardholder data in clear text. § 4.4 ¶ 1 e)]
    Technical security Log Management
    Establish and maintain a Boundary Defense program. CC ID 00544 Technical security Establish/Maintain Documentation
    Segregate out of scope systems from in scope systems. CC ID 12546 Technical security Technical Security
    Segregate servers that contain restricted data or restricted information from direct public access. CC ID 00533
    [The firewalls must Prohibit direct public access between any external networks and any system component that stores cardholder data. § 5.4.2 ¶ 1 c)]
    Technical security Technical Security
    Prevent logical access to dedicated networks from outside the secure areas. CC ID 12310
    [{physical access} {data-preparation network} The vendor must Prevent physical and logical access from outside the high security area (HSA) to the data-preparation or personalization networks. § 4.3 ¶ 1 a)]
    Technical security Technical Security
    Design demilitarized zones with proper isolation rules. CC ID 00532
    [Effective 1 January 2016, the DMZ must be located in the Server Room of the HSA. § 5.1.3 ¶ 1 b)]
    Technical security Technical Security
    Restrict inbound Internet traffic inside the Demilitarized Zone. CC ID 01285 Technical security Data and Information Management
    Restrict inbound Internet traffic into the Demilitarized Zone to Internet Protocol addresses within the Demilitarized Zone. CC ID 11998 Technical security Technical Security
    Restrict inbound Internet traffic within the Demilitarized Zone to system components that provide publicly accessible services, protocols, and ports. CC ID 11993 Technical security Technical Security
    Segregate applications and databases that contain restricted data or restricted information in an internal network zone. CC ID 01289 Technical security Data and Information Management
    Establish and maintain a network access control standard. CC ID 00546
    [The vendor must have controls in place to ensure that wireless networks cannot be used to access cardholder data. § 5.7.2 ¶ 1 b) ¶ 2]
    Technical security Establish/Maintain Documentation
    Include assigned roles and responsibilities in the network access control standard. CC ID 06410 Technical security Establish Roles
    Employ firewalls to secure network connections between trusted networks and untrusted networks, as necessary. CC ID 11821 Technical security Technical Security
    Place firewalls between all security domains and between any Demilitarized Zone and internal network zones. CC ID 01274
    [The vendor must Install a firewall between the data-preparation network and the personalization network unless both are located within the same high security area or network. § 5.4.1 ¶ 1 c)]
    Technical security Configuration
    Place firewalls between wireless networks and applications or databases that contain restricted data or restricted information. CC ID 01293 Technical security Configuration
    Place firewalls between all security domains and between any secure subnet and internal network zones. CC ID 11784 Technical security Configuration
    Separate the wireless access points and wireless bridges from the wired network via a firewall. CC ID 04588
    [The vendor must deploy a firewall to segregate the wireless network and the wired network. § 5.7.2 ¶ 1 c)]
    Technical security Technical Security
    Include Configuration Management and rulesets in the network access control standard. CC ID 11845 Technical security Establish/Maintain Documentation
    Secure the network access control standard against unauthorized changes. CC ID 11920 Technical security Establish/Maintain Documentation
    Configure network access and control points to protect restricted data or restricted information. CC ID 01284 Technical security Configuration
    Configure firewalls to deny all traffic by default, except explicitly designated traffic. CC ID 00547 Technical security Configuration
    Allow remote administration exceptions on the firewall, as necessary. CC ID 01957
    [Remote access is permitted only for the administration of the network or system components. § 5.6.1 a)]
    Technical security Configuration
    Control all methods of remote access and teleworking. CC ID 00559 Technical security Technical Security
    Control remote access through a network access control. CC ID 01421
    [All remote access must use a VPN that meets the requirements in the following section. § 5.6.1 l)]
    Technical security Technical Security
    Employ multifactor authentication for remote access to the organization's network. CC ID 12505 Technical security Technical Security
    Protect remote access accounts with encryption. CC ID 00562
    [Traffic on the VPN must be encrypted using Triple DES with at least double-length keys or Advanced Encryption Standard (AES). § 5.6.2 a)]
    Technical security Configuration
    Prohibit remote access to systems processing cleartext restricted data or restricted information. CC ID 12324
    [Remote access is prohibited to any system where clear-text cardholder data is being processed. § 5.6.1 h)]
    Technical security Technical Security
    Manage the use of encryption controls and cryptographic controls. CC ID 00570 Technical security Technical Security
    Establish and maintain an encryption management and cryptographic controls policy. CC ID 04546 Technical security Establish/Maintain Documentation
    Encrypt restricted data or restricted information using the most secure method possible. CC ID 04824
    [{secret data} All secret and confidential data must be Encrypted using algorithms and key sizes as stated in Normative Annex A. § 4.2 ¶ 1 a)
    The vendor must Ensure that when personalization signals are encrypted, they comply with the encryption standards defined in Normative Annex A. If the signals are encrypted, 4.7 a, b, and d herein do not apply. § 4.7 ¶ 2 c)]
    Technical security Data and Information Management
    Decrypt restricted data for the minimum time required. CC ID 12308
    [{secret data} All secret and confidential data must be Decrypted for the minimum time required for data preparation and personalization. § 4.2 ¶ 1 c)]
    Technical security Data and Information Management
    Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309
    [{data-preparation network} The vendor must only decrypt or translate cardholder data on the data-preparation or personalization network and not while it is on an Internet or public facing network. § 4.2 ¶ 1 d)]
    Technical security Data and Information Management
    Use strong data encryption to transmit restricted data or restricted information over public networks. CC ID 00564
    [{secret data} All secret and confidential data must be: Encrypted at all times during transmission and storage. § 4.2 ¶ 1 b)]
    Technical security Technical Security
    Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls. CC ID 12492 Technical security Technical Security
    Encrypt traffic over public networks with trusted cryptographic keys. CC ID 12490 Technical security Technical Security
    Authorize transactions of data transmitted over public networks or shared data networks. CC ID 00566 Technical security Establish/Maintain Documentation
    Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks. CC ID 00568 Technical security Technical Security
    Protect application services information transmitted over a public network from unauthorized modification. CC ID 12021 Technical security Technical Security
    Protect application services information transmitted over a public network from unauthorized disclosure. CC ID 12020 Technical security Technical Security
    Protect application services information transmitted over a public network from contract disputes. CC ID 12019 Technical security Technical Security
    Protect application services information transmitted over a public network from fraudulent activity. CC ID 12018 Technical security Technical Security
    Establish and maintain a malicious code protection program. CC ID 00574 Technical security Establish/Maintain Documentation
    Install security and protection software on all systems. CC ID 00575
    [The vendor must Deploy anti-virus software on all systems potentially affected by malicious software (e.g., personal computers and servers). § 5.5 ¶ 1 a)]
    Technical security Configuration
    Establish and maintain a physical security program. CC ID 11757 Physical and environmental protection Establish/Maintain Documentation
    Establish and maintain a facility physical security program. CC ID 00711 Physical and environmental protection Establish/Maintain Documentation
    Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 Physical and environmental protection Establish/Maintain Documentation
    Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311
    [Access to cardholder data and the processing facilities must not be provided until the appropriate access controls have been implemented and a contract defining terms for access has been signed. § 4.3 ¶ 1 f) ii.]
    Physical and environmental protection Behavior
    Implement physical security standards for mainframe rooms or data centers. CC ID 00749
    [{physical access} {data-preparation network} The vendor must Prevent physical and logical access from outside the high security area (HSA) to the data-preparation or personalization networks. § 4.3 ¶ 1 a)]
    Physical and environmental protection Physical and Environmental Protection
    Establish and maintain equipment security cages in a shared space environment. CC ID 06711 Physical and environmental protection Physical and Environmental Protection
    Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 Physical and environmental protection Physical and Environmental Protection
    Establish and maintain physical security controls for distributed Information Technology assets. CC ID 00718 Physical and environmental protection Physical and Environmental Protection
    Establish and maintain removable storage media controls. CC ID 06680
    [All removable media must be securely stored, controlled, and tracked. § 4.6 b)]
    Physical and environmental protection Data and Information Management
    Control access to restricted storage media. CC ID 04889 Physical and environmental protection Data and Information Management
    Physically secure all electronic storage media that store restricted data or restricted information. CC ID 11664 Physical and environmental protection Physical and Environmental Protection
    Separate duplicate originals and backup media from the original electronic storage media. CC ID 00961 Physical and environmental protection Records Management
    Treat archive media as evidence. CC ID 00960 Physical and environmental protection Records Management
    Log the transfer of removable storage media. CC ID 12322
    [Transfer of removable media to and from the HSA must be authorized and logged. § 4.6 f)]
    Physical and environmental protection Log Management
    Establish and maintain storage media access control procedures. CC ID 00959 Physical and environmental protection Establish/Maintain Documentation
    Require removable storage media be in the custody of an authorized individual. CC ID 12319
    [All removable media within the HSA must be in the custody of an authorized individual. § 4.6 c)]
    Physical and environmental protection Behavior
    Control the storage of restricted storage media. CC ID 00965 Physical and environmental protection Records Management
    Store removable storage media containing restricted data or restricted information using electronic media storage cabinets or electronic media storage vaults. CC ID 00717
    [All removable media must be securely stored, controlled, and tracked. § 4.6 b)
    The vendor must Ensure data is always stored within the high security area (HSA). § 4.5 ¶ 1 g)]
    Physical and environmental protection Physical and Environmental Protection
    Protect the combinations for all combination locks. CC ID 02199 Physical and environmental protection Physical and Environmental Protection
    Establish and maintain electronic media storage container repair guidelines. CC ID 02200 Physical and environmental protection Establish/Maintain Documentation
    Establish and maintain eavesdropping protection for vaults. CC ID 02231 Physical and environmental protection Physical and Environmental Protection
    Serialize all removable storage media. CC ID 00949 Physical and environmental protection Configuration
    Control the transiting and internal distribution or external distribution of restricted storage media. CC ID 00963 Physical and environmental protection Records Management
    Log the transferring of custody of removable storage media. CC ID 12321
    [Transfers of custody between two individuals must be authorized and logged. § 4.6 e)]
    Physical and environmental protection Log Management
    Obtain management authorization for restricted storage media transit or distribution from a controlled access area. CC ID 00964
    [Transfer of removable media to and from the HSA must be authorized and logged. § 4.6 f)]
    Physical and environmental protection Records Management
    Transport restricted media using a delivery method that can be tracked. CC ID 11777 Physical and environmental protection Business Processes
    Establish and maintain high level operational roles and responsibilities. CC ID 00806 Human Resources management Establish Roles
    Designate an alternate for each organizational leader. CC ID 12053
    [The CISO must Designate a back-up person who is qualified and empowered to act upon critical security events in the event the CISO is not available. § 2.2 a) iv.]
    Human Resources management Human Resources Management
    Define and assign the head of Information Security's roles and responsibilities. CC ID 06091
    [The vendor must designate, in writing, a senior manager with adequate security knowledge to be responsible for the vendor’s Information Security Management. These requirements refer to this person as the “Chief Information Security Officer” (“CISO”). § 2.1 a)]
    Human Resources management Establish Roles
    Limit the activities performed as a proxy to an organizational leader. CC ID 12054 Human Resources management Behavior
    Define and assign the business unit manager's roles and responsibilities. CC ID 00810
    [Where managers have security compliance responsibilities, the activities for which the manager has responsibility must be clearly defined. § 2.2 c)]
    Human Resources management Establish Roles
    Establish and maintain an ethics program. CC ID 11496 Human Resources management Human Resources Management
    Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806 Human Resources management Business Processes
    Establish and maintain a training program for interested personnel to report compliance violations. CC ID 11835
    [The vendor must Ensure staff report any unexpected or unusual activity relating to production equipment and operations. § 3.3 ¶ 1 b)]
    Human Resources management Establish/Maintain Documentation
    Refrain from assigning roles and responsibilities that breach segregation of duties. CC ID 12055 Human Resources management Human Resources Management
    Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs. CC ID 12061
    [Staff responsible for day-to-day production activities must not be assigned security compliance assessment responsibility for the production activities that they perform. § 2.2 d)]
    Human Resources management Establish Roles
    Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer. CC ID 12060
    [When the CISO backup is functioning on behalf of the CISO, the backup must not perform activities for which they have approval responsibility and must not approve activities which they previously performed. § 2.2 b)]
    Human Resources management Behavior
    Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer. CC ID 12059
    [When the CISO backup is functioning on behalf of the CISO, the backup must not perform activities for which they have approval responsibility and must not approve activities which they previously performed. § 2.2 b)]
    Human Resources management Behavior
    Prohibit roles from performing activities that they are assigned the responsibility for approving. CC ID 12052
    [The CISO must Not perform activities that they have the responsibility for approving. § 2.2 a) iii.]
    Human Resources management Behavior
    Establish and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Operational management Establish/Maintain Documentation
    Establish and maintain an information security program. CC ID 00812 Operational management Establish/Maintain Documentation
    Establish and maintain an information security policy. CC ID 11740
    [The vendor must define and document an information security policy (ISP) for the facility. § 3.1 a)]
    Operational management Establish/Maintain Documentation
    Align the information security policy with the organization's risk acceptance level. CC ID 13042 Operational management Business Processes
    Include a commitment to the information security requirements in the information security policy. CC ID 13496 Operational management Establish/Maintain Documentation
    Include information security objectives in the information security policy. CC ID 13493 Operational management Establish/Maintain Documentation
    Include the use of Cloud Services in the information security policy. CC ID 13146 Operational management Establish/Maintain Documentation
    Review the information security procedures, as necessary. CC ID 12006
    [The security procedures must be reviewed, validated, and where necessary updated annually. § 3.2 b)
    The vendor must maintain procedures for each function associated with the ISP to support compliance with these requirements. § 3.2 a)]
    Operational management Business Processes
    Approve the information security policy at the organization's management level or higher. CC ID 11737
    [Senior management must review and endorse the validity of the ISP at least once each year. § 3.1 b)]
    Operational management Process or Activity
    Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304
    [Security procedures must describe the groups, roles, and responsibilities for all activities that protect cardholder data. § 3.2 c)]
    Operational management Establish/Maintain Documentation
    Describe the group activities that protect restricted data in the information security procedures. CC ID 12294
    [Security procedures must describe the groups, roles, and responsibilities for all activities that protect cardholder data. § 3.2 c)]
    Operational management Establish/Maintain Documentation
    Assign ownership of the information security program to the appropriate role. CC ID 00814
    [The ISP must include a named individual assigned as the “policy owner” and be responsible for management and enforcement of that policy. § 3.1 c)]
    Operational management Establish Roles
    Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 Operational management Human Resources Management
    Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 Operational management Establish/Maintain Documentation
    Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 Operational management Human Resources Management
    Establish and maintain a customer service program. CC ID 00846 Operational management Establish/Maintain Documentation
    Establish and maintain an Incident Management program. CC ID 00853 Operational management Business Processes
    Include intrusion detection procedures in the Incident Management program. CC ID 00588 Operational management Establish/Maintain Documentation
    Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 Operational management Data and Information Management
    Include data loss event notifications in the Incident Response program. CC ID 00364 Operational management Establish/Maintain Documentation
    Include details of the investigation in incident response notifications. CC ID 12296
    [The written communication must contain information regarding the loss or theft including but not limited to the following information Description of the incident including: - Date and time of incident - Details of companies and persons involved - Details of the investigation - Name, e-mail, and telephone number of the person reporting the loss or theft - Name, e-mail, and telephone number of the person to contact for additional information (if different from the person reporting the incident) § 3.3 ¶ 1 c) ¶ 2 v.]
    Operational management Establish/Maintain Documentation
    Include the issuer's name in incident response notifications. CC ID 12062
    [The written communication must contain information regarding the loss or theft including but not limited to the following information Name of issuer § 3.3 ¶ 1 c) ¶ 2 i.]
    Operational management Establish/Maintain Documentation
    Include a "What Happened" heading in breach notifications. CC ID 12978 Operational management Establish/Maintain Documentation
    Include the date (or estimated date) the privacy breach was detected in incident response notifications. CC ID 04745
    [The written communication must contain information regarding the loss or theft including but not limited to the following information Description of the incident including: - Date and time of incident - Details of companies and persons involved - Details of the investigation - Name, e-mail, and telephone number of the person reporting the loss or theft - Name, e-mail, and telephone number of the person to contact for additional information (if different from the person reporting the incident) § 3.3 ¶ 1 c) ¶ 2 v.]
    Operational management Establish/Maintain Documentation
    Include the identification of the data source in incident response notifications. CC ID 12305
    [The written communication must contain information regarding the loss or theft including but not limited to the following information Identification of the source of the data § 3.3 ¶ 1 c) ¶ 2 iv.]
    Operational management Establish/Maintain Documentation
    Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 Operational management Establish/Maintain Documentation
    Include the type of information that was lost in incident response notifications. CC ID 04735
    [The written communication must contain information regarding the loss or theft including but not limited to the following information Type of data § 3.3 ¶ 1 c) ¶ 2 ii.]
    Operational management Establish/Maintain Documentation
    Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 Operational management Establish/Maintain Documentation
    Include a "For More Information" heading in breach notifications. CC ID 12981 Operational management Establish/Maintain Documentation
    Include details of the companies and persons involved in incident response notifications. CC ID 12295
    [The written communication must contain information regarding the loss or theft including but not limited to the following information Description of the incident including: - Date and time of incident - Details of companies and persons involved - Details of the investigation - Name, e-mail, and telephone number of the person reporting the loss or theft - Name, e-mail, and telephone number of the person to contact for additional information (if different from the person reporting the incident) § 3.3 ¶ 1 c) ¶ 2 v.]
    Operational management Establish/Maintain Documentation
    Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 Operational management Establish/Maintain Documentation
    Include the reporting individual's contact information in incident response notifications. CC ID 12297
    [The written communication must contain information regarding the loss or theft including but not limited to the following information Description of the incident including: - Date and time of incident - Details of companies and persons involved - Details of the investigation - Name, e-mail, and telephone number of the person reporting the loss or theft - Name, e-mail, and telephone number of the person to contact for additional information (if different from the person reporting the incident) § 3.3 ¶ 1 c) ¶ 2 v.]
    Operational management Establish/Maintain Documentation
    Include contact information in incident response notifications. CC ID 04739
    [The written communication must contain information regarding the loss or theft including but not limited to the following information Name and address of the vendor § 3.3 ¶ 1 c) ¶ 2 iii.
    The written communication must contain information regarding the loss or theft including but not limited to the following information Description of the incident including: - Date and time of incident - Details of companies and persons involved - Details of the investigation - Name, e-mail, and telephone number of the person reporting the loss or theft - Name, e-mail, and telephone number of the person to contact for additional information (if different from the person reporting the incident) § 3.3 ¶ 1 c) ¶ 2 v.]
    Operational management Establish/Maintain Documentation
    Analyze security violations in Suspicious Activity Reports. CC ID 00591 Operational management Establish/Maintain Documentation
    Provide progress reports of the incident investigation to the appropriate roles, as necessary. CC ID 12298
    [The vendor must Investigate the incident and provide at least weekly updates about investigation progress. § 3.3 ¶ 1 d)]
    Operational management Investigate
    Establish and maintain an Incident Response program. CC ID 00579 Operational management Establish/Maintain Documentation
    Establish and maintain an incident response plan. CC ID 12056
    [The vendor must Have a documented incident response plan (IRP) for known or suspected compromise of any classified data. § 3.3 ¶ 1 a)]
    Operational management Establish/Maintain Documentation
    Include addressing external communications in the incident response plan. CC ID 13351 Operational management Establish/Maintain Documentation
    Include addressing internal communications in the incident response plan. CC ID 13350 Operational management Establish/Maintain Documentation
    Include addressing information sharing in the incident response plan. CC ID 13349 Operational management Establish/Maintain Documentation
    Include incident response team structures in the Incident Response program. CC ID 01237 Operational management Establish/Maintain Documentation
    Include the incident response team member's roles and responsibilities in the Incident Response program. CC ID 01652 Operational management Establish Roles
    Include the incident response point of contact's roles and responsibilities in the Incident Response program. CC ID 01877 Operational management Establish Roles
    Disseminate and communicate the final incident report, which includes the investigation results and any remediation activity results. CC ID 12306
    [The vendor must Supply a final incident report providing the investigation results and any remediation. § 3.3 ¶ 1 e)]
    Operational management Actionable Reports or Measurements
    Establish and maintain a change control program. CC ID 00886 Operational management Establish/Maintain Documentation
    Establish and maintain a patch management program. CC ID 00896 Operational management Process or Activity
    Update associated documentation after the system configuration has been changed. CC ID 00891 Operational management Establish/Maintain Documentation
    Document the organization's local environments. CC ID 06726
    [The data security requirements in this and embedded sections apply to confidential and secret data. § 4 ¶ 1
    The vendor must maintain detailed procedures relating to each activity in this section. § 4 ¶ 2
    Secret data is data that, if known to any individual, would result in risks of widespread compromise of financial assets. § 4.1.1 ¶ 1
    All symmetric (e.g., Triple DES, AES) and private asymmetric keys (e.g., RSA)—except keys used only for encryption of cardholder data—are secret data and must be managed in accordance with Section 8 of this document, “Key Management: Secret Data.” § 4.1 ¶ 2
    Confidential data is data restricted to authorized individuals. This includes cardholder data and the keys used to encrypt cardholder data. These are confidential data and must be managed in accordance with Section 9 of this document, “Key Management: Confidential Data.” § 4.1.2 ¶ 1
    Unrestricted / public data includes any data not defined in the above terms. Controls are out of scope of these requirements and may be defined by the vendor. § 4.1.3 ¶ 1
    The requirements in this section apply to data transmitted to or from the issuer or authorized processor. § 4.4 ¶ 1
    The secure administration of all key-management activity plays an important role in terms of logical security. The following requirements relate to the procedures and activities for managing keys and key sets. § 8.4 ¶ 1
    The security requirements for dual-interface cards that are personalized using the contact interface are the same as for any other chip card. The requirements in this section apply to personalization of chip cards via the contactless NFC interface. § 4.7 ¶ 1
    The requirements in this section do not apply to vendors that only perform key management or pre-personalization activities on a stand-alone wired system and do not perform data preparation or personalization within their facilities. § 5.1 ¶ 1
    The diagram above shows a typical network setup of a vendor environment and a generic connection from the data source to the machines on the production floor. § 5.1 ¶ 2
    This is the network that contains the card personalization machines. § 5.1.5 ¶ 1
    This is the issuer that owns the cardholder data or that sends it to the vendor on behalf of the issuer. § 5.1.1 ¶ 1
    This is the network that contains the server(s) where the cardholder data is stored pending personalization. This is also the network where the data is prepared and sent to the production floor. § 5.1.4 ¶ 1
    The following diagrams illustrate acceptable placement of the DMZ and associated firewalls: § 5.1.3 ¶ 2
    This is the network segment that contains servers and applications that are accessible by an external network (i.e., any network that is outside the card-production network or its DMZ). § 5.1.3 ¶ 1
    Cardholder data are typically sent over these three main types of network to the personalization vendor. § 5.1.2 ¶ 1
    Ensure a process is in place for updates and patches and identification of their criticality, as detailed in Section 6.3. § 5.2 ¶ 1 k)
    The requirements in this section apply to all hardware (e.g., routers, controllers, firewalls, storage devices) that comprises the data-preparation and personalization networks. § 5.3 ¶ 1
    The requirements in this section apply to firewalls protecting the data-preparation and personalization networks. § 5.4 ¶ 1
    If managed remotely, be managed according to the remote access section. § 5.4.2 ¶ 1 e)]
    Operational management Establish/Maintain Documentation
    Establish and maintain local environment security profiles. CC ID 07037 Operational management Establish/Maintain Documentation
    Include individuals assigned to the local environment in the local environment security profile. CC ID 07038 Operational management Establish/Maintain Documentation
    Include the business processes assigned to the local environment in the local environment security profile. CC ID 07039 Operational management Establish/Maintain Documentation
    Include the technology used in the local environment in the local environment security profile. CC ID 07040 Operational management Establish/Maintain Documentation
    Include contact information for critical personnel assigned to the local environment in the local environment security profile. CC ID 07041 Operational management Establish/Maintain Documentation
    Include facility information for the local environment in the local environment security profile. CC ID 07042 Operational management Establish/Maintain Documentation
    Include facility access information for the local environment in the local environment security profile. CC ID 11773 Operational management Establish/Maintain Documentation
    Update the local environment security profile, as necessary. CC ID 07043 Operational management Establish/Maintain Documentation
    Establish and maintain system hardening procedures. CC ID 12001 System hardening through configuration management Establish/Maintain Documentation
    Change default configurations, as necessary. CC ID 00877 System hardening through configuration management Configuration
    Change all default passwords. CC ID 06080
    [Default passwords on the AP must be changed. § 5.7.3 ¶ 1 e)
    The vendor must Change all default passwords. § 7.2.1 ¶ 1 f)]
    System hardening through configuration management Configuration
    Enable and configure auditing operations and logging operations, as necessary. CC ID 01522 System hardening through configuration management Log Management
    Configure the detailed data elements to be captured for all logs so that events are identified by type, location, subject, user, what data was accessed, etc. CC ID 06331
    [The vendor must Make certain that access audit trails are produced that provide sufficient details to identify the cardholder data accessed and the individual user accessing the data. § 4.3 ¶ 1 d)]
    System hardening through configuration management Configuration
    Configure the log to capture the user's identification. CC ID 01334 System hardening through configuration management Configuration
    Configure the log to capture a date and time stamp. CC ID 01336 System hardening through configuration management Configuration
    Configure the log to uniquely identify each asset. CC ID 01339 System hardening through configuration management Configuration
    Configure the log to capture the type of each event. CC ID 06423 System hardening through configuration management Configuration
    Configure the log to capture each event's success or failure indication. CC ID 06424 System hardening through configuration management Configuration
    Establish and maintain procedures for configuring the appropriate network parameter modifications. CC ID 01517 System hardening through configuration management Establish/Maintain Documentation
    Enable the firewall and configure it to meet organizational standards. CC ID 01926 System hardening through configuration management Configuration
    Configure the firewall to display notifications. CC ID 04399
    [The firewalls must Notify the administrator in real time of any items requiring immediate attention. § 5.4.2 ¶ 1 i)]
    System hardening through configuration management Configuration
    Establish and maintain records management policies used to manage organizational records. CC ID 00903 Records management Establish/Maintain Documentation
    Establish and maintain a record classification scheme. CC ID 00914 Records management Establish/Maintain Documentation
    Establish and maintain Records Management procedures. CC ID 00919 Records management Establish/Maintain Documentation
    Establish and maintain data processing integrity controls. CC ID 00923
    [The vendor must protect the integrity of cardholder data against modification and deletion at all times. § 4.4 ¶ 1 c)]
    Records management Establish Roles
    Establish and maintain Automated Data Processing validation checks and editing checks. CC ID 00924 Records management Data and Information Management
    Establish and maintain Automated Data Processing error handling procedures. CC ID 00925 Records management Establish/Maintain Documentation
    Establish and maintain Automated Data Processing error handling reporting. CC ID 11659 Records management Establish/Maintain Documentation
    Store personal data that is retained for long periods after use on a separate server or media. CC ID 12314 [Ensure that data retained for longer than 30 days after personalization complies with the following additional requirements. This data must Be stored on a separate server or media § 4.5 ¶ 1 h) ii.] Records management Data and Information Management
    Establish and maintain storage media disposition and destruction procedures. CC ID 11657 Records management Establish/Maintain Documentation
    Sanitize all electronic storage media before disposing of a system or redeploying a system. CC ID 01643 [{secret data} The vendor must Ensure that all secret or confidential data has been irrecoverably removed before the media is used for any other purpose. § 4.5 ¶ 1 e)] Records management Data and Information Management
    Define each system's disposition requirements for records and logs. CC ID 11651 Records management Process or Activity
    Establish and maintain records disposition procedures. CC ID 00971 Records management Establish/Maintain Documentation
    Manage the disposition status for all records. CC ID 00972 Records management Records Management
    Use a second person to confirm and sign off that manually deleted data was deleted. CC ID 12313 [The vendor must Confirm the deletion of manually deleted data including sign-off by a second authorized person. § 4.5 ¶ 1 c)] Records management Data and Information Management
    Remove and/or destroy records according to the records' retention event and retention period schedule. CC ID 06621 [The vendor must: Delete cardholder data within 30 days of the date the card is personalized unless the issuer has authorized longer retention in writing. § 4.5 ¶ 1 a); Ensure that data retained for longer than 30 days after personalization complies with the following additional requirements. This data must Be removed from the active production environment. § 4.5 ¶ 1 h) i.] Records management Records Management
    Place printed records awaiting destruction into secure containers. CC ID 12464 Records management Physical and Environmental Protection
    Destroy printed records so they cannot be reconstructed. CC ID 11779 Records management Physical and Environmental Protection
    Automate a programmatic process to remove stored data and records that exceed retention requirements. CC ID 06082 Records management Data and Information Management
    Establish and maintain records management procedures used to manage organizational records. CC ID 11619 Records management Establish/Maintain Documentation
    Establish and maintain electronic storage media management procedures. CC ID 00931 Records management Establish/Maintain Documentation
    Establish and maintain storage media and record security label procedures. CC ID 06747 Records management Establish/Maintain Documentation
    Label restricted storage media appropriately. CC ID 00966 [All removable media (e.g., USB devices, tapes, disks) within the HSA must be clearly labeled with a unique identifier and the data classification. § 4.6 a)] Records management Data and Information Management
    Establish and maintain online storage controls. CC ID 00942 Records management Technical Security
    Establish and maintain security controls appropriate to the record types and electronic storage media in use. CC ID 00943 Records management Records Management
    Provide encryption for different types of electronic storage media. CC ID 00945 [{secret data} All secret and confidential data must be: Encrypted at all times during transmission and storage. § 4.2 ¶ 1 b)] Records management Technical Security
    Establish and maintain a removable storage media log. CC ID 12317 [A log must be maintained when media is removed from or returned to its storage location, or transferred to the custody of another individual. The log must contain: § 4.6 d)] Records management Log Management
    Include a unique identifier for each removable storage media asset in the removable storage media log. CC ID 12320 [A log must be maintained when media is removed from or returned to its storage location, or transferred to the custody of another individual. The log must contain Unique identifier § 4.6 d) i.] Records management Establish/Maintain Documentation
    Include the date and time in the removable storage media log. CC ID 12318 [A log must be maintained when media is removed from or returned to its storage location, or transferred to the custody of another individual. The log must contain Date and time § 4.6 d) ii.] Records management Establish/Maintain Documentation
    Include the name and signature of the current custodian in the removable storage media log. CC ID 12315 [A log must be maintained when media is removed from or returned to its storage location, or transferred to the custody of another individual. The log must contain Name and signature of current custodian § 4.6 d) iii.] Records management Establish/Maintain Documentation
    Record the number of physical media used for the data transfer in the removable storage media log. CC ID 12754 Records management Establish/Maintain Documentation
    Record the recipient's name for the data transfer in the removable storage media log. CC ID 12753 Records management Establish/Maintain Documentation
    Record the sender's name in the removable storage media log. CC ID 12752 Records management Establish/Maintain Documentation
    Record the type of physical media being used for the data transfer in the removable storage media log. CC ID 12751 Records management Establish/Maintain Documentation
    Include the reason for transfer in the removable storage media log. CC ID 12316 [A log must be maintained when media is removed from or returned to its storage location, or transferred to the custody of another individual. The log must contain Reason for transfer § 4.6 d) v.] Records management Establish/Maintain Documentation
    Initiate the System Development Life Cycle planning phase. CC ID 06266 Systems design, build, and implementation Systems Design, Build, and Implementation
    Establish and maintain system design principles and system design guidelines. CC ID 01057 Systems design, build, and implementation Establish/Maintain Documentation
    Establish, implement, and maintain a security controls definition document. CC ID 01080 Systems design, build, and implementation Establish/Maintain Documentation
    Implement security controls into the system during the development process. CC ID 01082 Systems design, build, and implementation Configuration
    Establish and maintain a coding manual for secure coding techniques. CC ID 11863 Systems design, build, and implementation Establish/Maintain Documentation
    Refrain from hard-coding cryptographic keys in source code. CC ID 12307 [Cryptographic keys must not be hard-coded into software. § 8.1 g)] Systems design, build, and implementation Technical Security
    Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 Systems design, build, and implementation Systems Design, Build, and Implementation
    Establish and maintain system testing procedures. CC ID 11744 Systems design, build, and implementation Establish/Maintain Documentation
    Control the test data used in the development environment. CC ID 12013 [{test key} {test data} Test (non-production) keys and test (non-production) data cannot be used with production equipment. § 4.8 a)] Systems design, build, and implementation Systems Design, Build, and Implementation
    Establish and maintain a privacy framework that protects restricted data. CC ID 11850 Privacy protection for information and data Establish/Maintain Documentation
    Establish and maintain a personal data use limitation program. CC ID 13428 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 Privacy protection for information and data Establish/Maintain Documentation
    Dispose of media and personal data in a timely manner. CC ID 00125 [The vendor must Delete data on the personalization machine as soon as the job is completed. § 4.5 ¶ 1 b)] Privacy protection for information and data Data and Information Management
    Refrain from destroying records being inspected or reviewed. CC ID 13015 Privacy protection for information and data Records Management
    Notify the data subject after their personal data is disposed, as necessary. CC ID 13502 Privacy protection for information and data Communicate
    Establish and maintain a supply chain management program. CC ID 11742 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a description of the data or information to be covered in third party contracts. CC ID 06510 Third Party and supply chain oversight Establish/Maintain Documentation
    Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 [Third-party access must be based on a formal contract referencing applicable security policies and standards. § 4.3 ¶ 1 f) i.] Third Party and supply chain oversight Business Processes
    Establish, implement, and maintain a supply chain management policy. CC ID 08808 Third Party and supply chain oversight Establish/Maintain Documentation
    Require third parties to employ a Chief Information Security Officer. CC ID 12057 [The CISO must be an employee of the vendor. § 2.1 b)] Third Party and supply chain oversight Human Resources Management