PCI DSS v4.0.1
PCI DSS is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. Version 4.0.1 introduced new requirements for phishing-resistant MFA, customized implementation, and targeted risk analysis.
- Issuing Body: PCI Security Standards Council (PCI SSC)
- Version: 4.0.1
- Published: 2024-06-11
- Controls: 36
- Mapped Laws: —
| Control ID | Title | Description | Domain | Maturity |
|---|---|---|---|---|
| PCI-1.1 | Req 1 — Network Security Controls | Processes and mechanisms for installing and maintaining network security controls are defined and understood. Firewall and router configurations restrict inbound and outbound traffic to only that which is necessary. | — | managed |
| PCI-1.2 | Req 1 — Network Connections | Network security controls (NSCs) are configured and maintained. All connections between trusted and untrusted networks are controlled. | — | managed |
| PCI-1.3 | Req 1 — Network Access Restriction | Network access to and from the cardholder data environment is restricted. Inbound and outbound traffic is limited to what is necessary. | — | managed |
| PCI-2.1 | Req 2 — Secure Configurations | Processes and mechanisms for applying secure configurations to all system components are defined and understood. Vendor-supplied defaults are changed before installation. | — | managed |
| PCI-2.2 | Req 2 — System Component Configuration | System components are configured and managed securely. All unnecessary functionality is removed or disabled. | — | managed |
| PCI-3.1 | Req 3 — Account Data Storage | Processes and mechanisms for protecting stored account data are defined and understood. Data retention and disposal policies are implemented. | — | managed |
| PCI-3.2 | Req 3 — Sensitive Authentication Data | Sensitive authentication data (SAD) is not retained after authorization. Primary account numbers (PANs) are protected wherever stored. | — | managed |
| PCI-3.3 | Req 3 — Cryptographic Protection | Sensitive authentication data is not stored after authorization. PANs are rendered unreadable anywhere they are stored using strong cryptography. | — | managed |
| PCI-4.1 | Req 4 — Transmission Security | Processes and mechanisms for protecting cardholder data with strong cryptography during transmission over open, public networks are defined and understood. | — | managed |
| PCI-4.2 | Req 4 — Encryption in Transit | PAN is protected with strong cryptography during transmission. Only trusted keys/certificates are accepted. TLS is implemented properly. | — | managed |
| PCI-5.1 | Req 5 — Anti-Malware Protection | Processes and mechanisms for protecting all systems and networks from malicious software are defined and understood. Anti-malware solutions are deployed on all applicable systems. | — | managed |
| PCI-5.2 | Req 5 — Malware Detection and Response | Malicious software (malware) is prevented, or detected and addressed. Anti-malware mechanisms are kept current and generate audit logs. | — | managed |
| PCI-6.1 | Req 6 — Secure Development | Processes and mechanisms for developing and maintaining secure systems and software are defined and understood. Security vulnerabilities are identified and addressed. | — | managed |
| PCI-6.2 | Req 6 — Bespoke and Custom Software | Bespoke and custom software are developed securely. Security vulnerabilities are identified and remediated. Secure coding practices are followed. | — | managed |
| PCI-6.3 | Req 6 — Vulnerability Management | Security vulnerabilities are identified and addressed. New vulnerabilities are identified using industry-recognized sources. A vulnerability management process is maintained. | — | managed |
| PCI-6.4 | Req 6 — Web-Facing Applications | Public-facing web applications are protected against attacks. Web application firewalls (WAF) or automated technical solutions detect and prevent web-based attacks. | — | managed |
| PCI-7.1 | Req 7 — Access Control | Processes and mechanisms for restricting access to system components and cardholder data by business need to know are defined and understood. | — | managed |
| PCI-7.2 | Req 7 — Least Privilege | Access to system components and data is appropriately defined and assigned. Access is granted based on least privilege. All access is approved by authorized personnel. | — | managed |
| PCI-8.1 | Req 8 — User Identification and Authentication | Processes and mechanisms for identifying users and authenticating access to system components are defined and understood. Unique IDs are assigned to all users. | — | managed |
| PCI-8.2 | Req 8 — Authentication Factors | User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle. Passwords/passphrases meet minimum requirements. | — | managed |
| PCI-8.3 | Req 8 — Multi-Factor Authentication | User authentication to the CDE uses multi-factor authentication (MFA). MFA is implemented for all access into the CDE. | — | managed |
| PCI-9.1 | Req 9 — Physical Access Controls | Processes and mechanisms for restricting physical access to cardholder data are defined and understood. Physical access to facilities is controlled. | — | managed |
| PCI-9.2 | Req 9 — Physical Media | Physical access to wireless access points, gateways, networking/communications hardware, and telecommunication lines within the facility is restricted. Media is classified and secured. | — | managed |
| PCI-10.1 | Req 10 — Logging and Monitoring | Processes and mechanisms for logging and monitoring all access to system components and cardholder data are defined and understood. Audit logs capture all access. | — | managed |
| PCI-10.2 | Req 10 — Audit Log Implementation | Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events. Logs are protected from destruction and unauthorized modifications. | — | managed |
| PCI-10.3 | Req 10 — Log Protection | Audit logs are protected from destruction and unauthorized modifications. Log-management technology is used to perform log reviews. | — | managed |
| PCI-11.1 | Req 11 — Security Testing | Processes and mechanisms for testing security of systems and networks regularly are defined and understood. Authorized and unauthorized wireless access points are managed. | — | managed |
| PCI-11.2 | Req 11 — Vulnerability Scanning | Wireless access points are managed, and unauthorized wireless access points are identified and addressed. Internal and external vulnerability scans are performed regularly. | — | managed |
| PCI-11.3 | Req 11 — Penetration Testing | External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected. Penetration testing methodology is defined. | — | managed |
| PCI-11.4 | Req 11 — Intrusion Detection | Intrusion-detection and/or intrusion-prevention techniques are used to detect and/or prevent intrusions into the network. All traffic at the perimeter and critical points is monitored. | — | managed |
| PCI-12.1 | Req 12 — Security Policies | A comprehensive information security policy that governs and provides direction for protection of the entity's information assets is known and current. Security policy is reviewed at least once every 12 months. | — | managed |
| PCI-12.2 | Req 12 — Acceptable Use Policy | Acceptable use policies for end-user technologies are defined and implemented. Policies address use of end-user technologies including removable electronic media. | — | managed |
| PCI-12.3 | Req 12 — Risk Management | Risks to the cardholder data environment are formally identified, evaluated, and managed. A targeted risk analysis is performed for each PCI DSS requirement that allows flexibility. | — | managed |
| PCI-12.4 | Req 12 — Third-Party Risk | PCI DSS compliance is managed throughout the year. Responsibility for protecting cardholder data and managing PCI DSS compliance is assigned to a Chief Information Security Officer or other knowledgeable senior executive. | — | managed |
| PCI-12.5 | Req 12 — PCI DSS Scope | PCI DSS scope is documented and validated. The PCI DSS scope is determined, documented, and validated at least once every 12 months and upon significant change to the in-scope environment. | — | managed |
| PCI-12.6 | Req 12 — Security Awareness | Security awareness education is an ongoing activity. A formal security awareness program is implemented to make all personnel aware of the entity's information security policy and procedures. | — | managed |