CIS Controls v8 Mapping To PCI v3.2.1 Final 08-19-2021


This document contains mappings of the CIS Controls and Safeguards to Payment Card Industry (PCI) Data

Contact Information
CIS
31 Tech Valley Drive
East Greenbush, NY 12061
518.266.3460
[email protected]


Editors
Thomas Sager

Contributors
License for Use

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License (the link can be found at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode).

To further clarify the Creative Commons license related to the CIS Controls® content, you are authorized to copy and redistribute the content as a framework for use by you, within your organization and outside of your organization for non-commercial purposes only, provided that (i) appropriate credit is given to CIS, and (ii) a link to the license is provided. Additionally, if you remix, transform or build upon the CIS Controls, you may not distribute the modified materials. Users of the CIS Controls framework are also required to refer to (http://www.cisecurity.org/controls/) when referring to the CIS Controls in order to ensure that users are employing the most up-to-date guidance. Commercial use of the CIS Controls is subject to the prior approval of CIS® (Center for Internet Security, Inc.).
Mapping Methodology

This page describes the methodology used to map the CIS Critical Security Controls to Payment Card Indu
Reference link for PCI DSS v3.2.1: https://www.pcisecuritystandards.org/document_library

The methodology used to create the mapping can be useful to anyone attempting to understand the relatio
The overall goal for CIS mappings is to be as specific as possible, leaning towards under-mapping versus
The general strategy used is to identify all of the aspects within a control and attempt to discern if both item

CIS Control 6.1 - Establish an Access Granting Process

Establish and follow a process, preferably automated, for granting access to enterprise assets upon new h

For a defensive mitigation to map to this CIS Safeguard it must have at least one of the following:
• A clearly documented process, covering both new employees and changes in access.
• All relevant enterprise access control must be covered under this process; there can be no separation whe
• Automated tools are ideally used, such as an SSO provider or routing access control through a directory s
• The same process is followed every time a user's rights change, so a user never amasses greater rights

If the two concepts are effectively equal, they are mapped with the relationship "equivalent". If they are not
The relationships can be further analyzed to understand how similar or different the two defensive mitigatio
The relationship column will contain one of 5 possible values:
• Equivalent: The defensive mitigation contains the exact same security concept as the CIS Control.
• Superset: The CIS Control is partially or mostly related to the defensive mitigation in question, but the CIS
• Subset: The CIS Safeguard is partially or mostly related, yet is still subsumed within the defensive mitigat
• Intersects: Although the CIS Control and the defensive mitigation have many similarities, neither is contai
awareness program and another requiring an information governance program.
• No relationship: This will be represented by a blank cell.

The relationships should be read from left to right, like a sentence. CIS Safeguard X is Equivalent to this <
Examples:
CIS Safeguard 16.8 "Separate Production and Non-Production Systems" is EQUIVALENT to NIST CSF PR
CIS Safeguard 3.5 "Securely Dispose of Data" is a SUBSET of NIST CSF PR.DS-3 "Assets are formally m

The CIS Controls are written with certain principles in mind, such as only having one ask per Safeguard. T
can often be "Subset."
Mappings are available from a variety of sources online, and different individuals may make their own deci
other mapping.

If you have comments, questions, or would like to report an error, please join the CIS Controls Mappings c
https://workbench.cisecurity.org/communities/94
Remember to download the CIS Controls Version 8 Guide where you can learn more about:
- This Version of the CIS Controls
- The CIS Controls Ecosystem ("It's not about the list")
- How to Get Started
- Using or Transitioning from Prior Versions of the CIS Controls
- Structure of the CIS Controls
- Implementation Groups
- Why This Control Is Critical
- Procedures and Tools
https://www.cisecurity.org/controls/v8/

CIS Controls Navigator
A free tool with a dynamic list of the CIS Safeguards that can be filtered by Implementation Groups and mappings to multiple frameworks.
https://www.cisecurity.org/controls/v8/

Join our community where you can discuss the CIS Controls with our global army of experts and volunteers!
https://workbench.cisecurity.org/dashboard
CIS CIS Security
Asset Type Title
Control Safeguard Function

1 Inventory and Control of Enterprise Assets

Actively manage (inventory, track, and correct)


including portable and mobile; network devices
devices; and servers) connected to the infrastr
those within cloud environments, to accurately
be monitored and protected within the enterpri
unauthorized and unmanaged assets to remove

Establish and Maintain Detailed


1 1.1 Devices Identify
Enterprise Asset Inventory

1 1.2 Devices Respond Address Unauthorized Assets

1 1.3 Devices Detect Utilize an Active Discovery Tool


Use Dynamic Host Configuration
1 1.4 Devices Identify Protocol (DHCP) Logging to
Update Enterprise Asset Inventory

Use a Passive Asset Discovery


1 1.5 Devices Detect
Tool

2 Inventory and Control of Software Assets

Actively manage (inventory, track, and correct)


applications) on the network so that only autho
execute, and that unauthorized and unmanaged
installation or execution.

Establish and Maintain a Software


2 2.1 Applications Protect
Inventory

Ensure Authorized Software is


2 2.2 Applications Identify
Currently Supported
2 2.3 Applications Respond Address Unauthorized Software

Utilize Automated Software


2 2.4 Applications Identify
Inventory Tools

2 2.5 Applications Protect Allowlist Authorized Software

2 2.6 Applications Protect Allowlist Authorized Libraries

2 2.7 Applications Protect Allowlist Authorized Scripts

3 Data Protection

Develop processes and technical controls to id


and dispose of data.

Establish and Maintain a Data


3 3.1 Data Identify
Management Process

Establish and Maintain a Data


3 3.2 Data Protect
Inventory

Configure Data Access Control


3 3.3 Data Protect
Lists
Configure Data Access Control
3 3.3 Data Protect
Lists

3 3.4 Data Protect Enforce Data Retention

3 3.5 Data Identify Securely Dispose of Data

3 3.6 Devices Protect Encrypt Data on End-User Devices

Establish and Maintain a Data


3 3.7 Data Identify
Classification Scheme

3 3.8 Data Identify Document Data Flows

3 3.9 Data Protect Encrypt Data on Removable Media


3 3.10 Data Protect Encrypt Sensitive Data in Transit

3 3.11 Data Protect Encrypt Sensitive Data at Rest

Segment Data Processing and


3 3.12 Network Protect
Storage Based on Sensitivity
Segment Data Processing and
3 3.12 Network Protect
Storage Based on Sensitivity

Deploy a Data Loss Prevention


3 3.13 Data Protect
Solution

3 3.14 Data Detect Log Sensitive Data Access

4 Secure Configuration of Enterprise Assets and

Establish and maintain the secure configuratio


including portable and mobile; network devices
servers) and software (operating systems and

Establish and Maintain a Secure


4 4.1 Applications Protect
Configuration Process

Establish and Maintain a Secure


4 4.1 Applications Protect
Configuration Process
Establish and Maintain a Secure
4 4.2 Network Protect Configuration Process for Network
Infrastructure

Configure Automatic Session


4 4.3 Users Protect
Locking on Enterprise Assets

Implement and Manage a Firewall


4 4.4 Devices Protect
on Servers

Implement and Manage a Firewall


4 4.5 Devices Protect
on End-User Devices

Securely Manage Enterprise


4 4.6 Network Protect
Assets and Software

Manage Default Accounts on


4 4.7 Users Protect
Enterprise Assets and Software
Manage Default Accounts on
4 4.7 Users Protect
Enterprise Assets and Software

Uninstall or Disable Unnecessary


4 4.8 Devices Protect Services on Enterprise Assets and
Software

Configure Trusted DNS Servers on


4 4.9 Devices Protect
Enterprise Assets

Enforce Automatic Device Lockout


4 4.10 Devices Respond
on Portable End-User Devices

Enforce Remote Wipe Capability


4 4.11 Devices Protect
on Portable End-User Devices

Separate Enterprise Workspaces


4 4.12 Devices Protect
on Mobile End-User Devices

5 Account Management
Use processes and tools to assign and manage
accounts, including administrator accounts, as
assets and software.

Establish and Maintain an


5 5.1 Users Identify
Inventory of Accounts

5 5.2 Users Protect Use Unique Passwords

5 5.3 Users Respond Disable Dormant Accounts

Restrict Administrator Privileges to


5 5.4 Users Protect
Dedicated Administrator Accounts

Establish and Maintain an


5 5.5 Users Identify
Inventory of Service Accounts

5 5.6 Users Protect Centralize Account Management

6 Access Control Management


Use processes and tools to create, assign, man
privileges for user, administrator, and service a
software.

Establish an Access Granting


6 6.1 Users Protect
Process

Establish an Access Revoking


6 6.2 Users Protect
Process

Require MFA for Externally-


6 6.3 Users Protect
Exposed Applications

Require MFA for Remote Network


6 6.4 Users Protect
Access

Require MFA for Administrative


6 6.5 Users Protect
Access

Establish and Maintain an


6 6.6 Users Identify Inventory of Authentication and
Authorization Systems
6 6.7 Users Protect Centralize Access Control

Define and Maintain Role-Based


6 6.8 Data Protect
Access Control

7 Continuous Vulnerability Management

Develop a plan to continuously assess and trac


within the enterprise’s infrastructure, in order t
opportunity for attackers. Monitor public and p
vulnerability information.

Establish and Maintain a


7 7.1 Applications Protect
Vulnerability Management Process

Establish and Maintain a


7 7.2 Applications Respond
Remediation Process

Perform Automated Operating


7 7.3 Applications Protect
System Patch Management

Perform Automated Application


7 7.4 Applications Protect
Patch Management
Perform Automated Vulnerability
7 7.5 Applications Identify Scans of Internal Enterprise
Assets

Perform Automated Vulnerability


7 7.6 Applications Identify Scans of Externally-Exposed
Enterprise Assets

7 7.7 Applications Respond Remediate Detected Vulnerabilities

8 Audit Log Management

Collect, alert, review, and retain audit logs of ev


or recover from an attack.

Establish and Maintain an Audit


8 8.1 Network Protect
Log Management Process

8 8.2 Network Detect Collect Audit Logs

Ensure Adequate Audit Log


8 8.3 Network Protect
Storage

8 8.4 Network Protect Standardize Time Synchronization

8 8.5 Network Detect Collect Detailed Audit Logs

8 8.5 Network Detect Collect Detailed Audit Logs


8 8.5 Network Detect Collect Detailed Audit Logs

8 8.6 Network Detect Collect DNS Query Audit Logs

8 8.7 Network Detect Collect URL Request Audit Logs

8 8.8 Devices Detect Collect Command-Line Audit Logs

8 8.9 Network Detect Centralize Audit Logs

8 8.10 Network Protect Retain Audit Logs

8 8.11 Network Detect Conduct Audit Log Reviews


8 8.12 Data Detect Collect Service Provider Logs

9 Email and Web Browser Protections

Improve protections and detections of threats f


opportunities for attackers to manipulate huma

Ensure Use of Only Fully


9 9.1 Applications Protect Supported Browsers and Email
Clients

9 9.2 Network Protect Use DNS Filtering Services

Maintain and Enforce Network-


9 9.3 Network Protect
Based URL Filters

Restrict Unnecessary or
9 9.4 Applications Protect Unauthorized Browser and Email
Client Extensions

9 9.5 Network Protect Implement DMARC

9 9.6 Network Protect Block Unnecessary File Types

Deploy and Maintain Email Server


9 9.7 Network Protect
Anti-Malware Protections
10 Malware Defenses

Prevent or control the installation, spread, and


code, or scripts on enterprise assets.

Deploy and Maintain Anti-Malware


10 10.1 Devices Protect
Software

Configure Automatic Anti-Malware


10 10.2 Devices Protect
Signature Updates

Disable Autorun and Autoplay for


10 10.3 Devices Protect
Removable Media

Configure Automatic Anti-Malware


10 10.4 Devices Detect
Scanning of Removable Media

Configure Automatic Anti-Malware


10 10.4 Devices Detect
Scanning of Removable Media

10 10.5 Devices Protect Enable Anti-Exploitation Features


Centrally Manage Anti-Malware
10 10.6 Devices Protect
Software

Use Behavior-Based Anti-Malware


10 10.7 Devices Detect
Software

11 Data Recovery

Establish and maintain data recovery practices


assets to a pre-incident and trusted state.

Establish and Maintain a Data


11 11.1 Data Recover
Recovery Process 

11 11.2 Data Recover Perform Automated Backups 

11 11.3 Data Protect Protect Recovery Data


Establish and Maintain an Isolated
11 11.4 Data Recover
Instance of Recovery Data 

11 11.5 Data Recover Test Data Recovery

Network Infrastructure
12
Management

Establish, implement, and actively manage (tra


order to prevent attackers from exploiting vuln
points.

Ensure Network Infrastructure is


12 12.1 Network Protect
Up-to-Date

Establish and Maintain a Secure


12 12.2 Network Protect
Network Architecture

Securely Manage Network


12 12.3 Network Protect
Infrastructure

Establish and Maintain


12 12.4 Network Identify
Architecture Diagram(s)

Centralize Network Authentication,


12 12.5 Network Protect
Authorization, and Auditing (AAA)
Use of Secure Network
12 12.6 Network Protect Management and Communication
Protocols 

Ensure Remote Devices Utilize a


12 12.7 Devices Protect VPN and are Connecting to an
Enterprise’s AAA Infrastructure

Establish and Maintain Dedicated


12 12.8 Devices Protect Computing Resources for All
Administrative Work

Network Monitoring and


13
Defense

Operate processes and tooling to establish and


monitoring and defense against security threat
infrastructure and user base.

13 13.1 Network Detect Centralize Security Event Alerting


Deploy a Host-Based Intrusion
13 13.2 Devices Detect
Detection Solution

Deploy a Network Intrusion


13 13.3 Network Detect
Detection Solution

Perform Traffic Filtering Between


13 13.4 Network Protect
Network Segments

Manage Access Control for


13 13.5 Devices Protect
Remote Assets

13 13.6 Network Detect Collect Network Traffic Flow Logs

Deploy a Host-Based Intrusion


13 13.7 Devices Protect
Prevention Solution

Deploy a Network Intrusion


13 13.8 Network Protect
Prevention Solution
Deploy a Network Intrusion
13 13.8 Network Protect
Prevention Solution

13 13.9 Devices Protect Deploy Port-Level Access Control

13 13.10 Network Protect Perform Application Layer Filtering

Tune Security Event Alerting


13 13.11 Network Detect
Thresholds

14 Security Awareness and Skills Training


Establish and maintain a security awareness p
workforce to be security conscious and proper
the enterprise.

Establish and Maintain a Security


14 14.1 N/A Protect
Awareness Program

Train Workforce Members to


14 14.2 N/A Protect Recognize Social Engineering
Attacks

Train Workforce Members on


14 14.3 N/A Protect
Authentication Best Practices

Train Workforce on Data Handling


14 14.4 N/A Protect
Best Practices

Train Workforce Members on


14 14.5 N/A Protect Causes of Unintentional Data
Exposure

Train Workforce Members on


14 14.6 N/A Protect Recognizing and Reporting
Security Incidents
Train Workforce on How to Identify
and Report if Their Enterprise
14 14.7 N/A Protect
Assets are Missing Security
Updates

Train Workforce on the Dangers of


Connecting to and Transmitting
14 14.8 N/A Protect
Enterprise Data Over Insecure
Networks

Conduct Role-Specific Security


14 14.9 N/A Protect
Awareness and Skills Training

Conduct Role-Specific Security


14 14.9 N/A Protect
Awareness and Skills Training

15 Service Provider Management

Develop a process to evaluate service provider


responsible for an enterprise’s critical IT platfo
providers are protecting those platforms and d

Establish and Maintain an


15 15.1 N/A Identify
Inventory of Service Providers

Establish and Maintain a Service


15 15.2 N/A Identify
Provider Management Policy
15 15.3 N/A Identify Classify Service Providers

Ensure Service Provider Contracts


15 15.4 N/A Protect
Include Security Requirements

15 15.5 N/A Identify Assess Service Providers

15 15.6 Data Detect Monitor Service Providers

Securely Decommission Service


15 15.7 Data Protect
Providers

16 Application Software Security

Manage the security life cycle of in-house deve


prevent, detect, and remediate security weakne
enterprise.

Establish and Maintain a Secure


16 16.1 Applications Protect
Application Development Process
Establish and Maintain a Process
16 16.2 Applications Protect to Accept and Address Software
Vulnerabilities

Perform Root Cause Analysis on


16 16.3 Applications Protect
Security Vulnerabilities

Establish and Manage an


16 16.4 Applications Protect Inventory of Third-Party Software
Components

Use Up-to-Date and Trusted Third-


16 16.5 Applications Protect
Party Software Components

Establish and Maintain a Severity


16 16.6 Applications Protect Rating System and Process for
Application Vulnerabilities
Use Standard Hardening
16 16.7 Applications Protect Configuration Templates for
Application Infrastructure

Separate Production and Non-


16 16.8 Applications Protect
Production Systems

Train Developers in Application


16 16.9 Applications Protect Security Concepts and Secure
Coding
Apply Secure Design Principles in
16 16.10 Applications Protect
Application Architectures

Leverage Vetted Modules or


16 16.11 Applications Protect Services for Application Security
Components

Implement Code-Level Security


16 16.12 Applications Protect
Checks

Conduct Application Penetration


16 16.13 Applications Protect
Testing
16 16.14 Applications Protect Conduct Threat Modeling

17 Incident Response Management

Establish a program to develop and maintain a


policies, plans, procedures, defined roles, train
detect, and quickly respond to an attack.

Designate Personnel to Manage


17 17.1 N/A Respond
Incident Handling

Establish and Maintain Contact


17 17.2 N/A Respond Information for Reporting Security
Incidents

Establish and Maintain an


17 17.3 N/A Respond Enterprise Process for Reporting
Incidents
Establish and Maintain an Incident
17 17.4 N/A Respond
Response Process

Assign Key Roles and


17 17.5 N/A Respond
Responsibilities

Define Mechanisms for


17 17.6 N/A Respond Communicating During Incident
Response

Conduct Routine Incident


17 17.7 N/A Recover
Response Exercises

17 17.8 N/A Recover Conduct Post-Incident Reviews


Establish and Maintain Security
17 17.9 N/A Recover
Incident Thresholds

18 Penetration Testing

Test the effectiveness and resiliency of enterpr


exploiting weaknesses in controls (people, pro
the objectives and actions of an attacker.

Establish and Maintain a


18 18.1 N/A Identify
Penetration Testing Program

Perform Periodic External


18 18.2 Network Identify
Penetration Tests

Remediate Penetration Test


18 18.3 Network Protect
Findings
18 18.4 Network Protect Validate Security Measures

Perform Periodic Internal


18 18.5 N/A Identify
Penetration Tests
Description IG1 IG2 IG3 Relationship

of Enterprise Assets

tory, track, and correct) all enterprise assets (end-user devices,


mobile; network devices; non-computing/Internet of Things (IoT)
onnected to the infrastructure physically, virtually, remotely, and
ronments, to accurately know the totality of assets that need to
ected within the enterprise. This will also support identifying
anaged assets to remove or remediate.

Superset

Establish and maintain an accurate, detailed, and up-to-


date inventory of all enterprise assets with the potential to Equivalent
store or process data, to include: end-user devices
(including portable and mobile), network devices, non-
computing/IoT devices, and servers. Ensure the inventory
records the network address (if static), hardware address,
machine name, enterprise asset owner, department for
each asset, and whether the asset has been approved to
connect to the network. For mobile end-user devices, MDM x x x
type tools can support this process, where appropriate.
This inventory includes assets connected to the
infrastructure physically, virtually, remotely, and those Superset
within cloud environments. Additionally, it includes assets
that are regularly connected to the enterprise’s network
infrastructure, even if they are not under control of the
enterprise. Review and update the inventory of all
enterprise assets bi-annually, or more frequently.

Ensure that a process exists to address unauthorized


assets on a weekly basis. The enterprise may choose to
remove the asset from the network, deny the asset from x x x
connecting remotely to the network, or quarantine the
asset.

Utilize an active discovery tool to identify assets connected


to the enterprise’s network. Configure the active discovery x x
tool to execute daily, or more frequently.
Use DHCP logging on all DHCP servers or Internet
Protocol (IP) address management tools to update the
x x
enterprise’s asset inventory. Review and use logs to update
the enterprise’s asset inventory weekly, or more frequently.

x Superset
Use a passive discovery tool to identify assets connected to
the enterprise’s network. Review and use scans to update
the enterprise’s asset inventory at least weekly, or more
frequently.
x Superset

of Software Assets

tory, track, and correct) all software (operating systems and


twork so that only authorized software is installed and can
thorized and unmanaged software is found and prevented from
n.

Establish and maintain a detailed inventory of all licensed Superset


software installed on enterprise assets. The software
inventory must document the title, publisher, initial
install/use date, and business purpose for each entry;
x x x
where appropriate, include the Uniform Resource Locator
(URL), app store(s), version(s), deployment mechanism,
and decommission date. Review and update the software
inventory bi-annually, or more frequently.
Superset

Ensure that only currently supported software is designated


as authorized in the software inventory for enterprise
assets. If software is unsupported, yet necessary for the
fulfillment of the enterprise’s mission, document an
exception detailing mitigating controls and residual risk x x x
acceptance. For any unsupported software without an
exception documentation, designate as unauthorized.
Review the software list to verify software support at least
monthly, or more frequently.
Ensure that unauthorized software is either removed from
use on enterprise assets or receives a documented x x x
exception. Review monthly, or more frequently.

Utilize software inventory tools, when possible, throughout


the enterprise to automate the discovery and x x
documentation of installed software.

Use technical controls, such as application allowlisting, to


ensure that only authorized software can execute or be x x
accessed. Reassess bi-annually, or more frequently.

Use technical controls to ensure that only authorized


software libraries, such as specific .dll, .ocx, .so, etc., files,
are allowed to load into a system process. Block x x
unauthorized libraries from loading into a system process.
Reassess bi-annually, or more frequently.

Use technical controls, such as digital signatures and


version control, to ensure that only authorized scripts, such
as specific .ps1, .py, etc., files, are allowed to execute. x
Block unauthorized scripts from executing. Reassess bi-
annually, or more frequently.

d technical controls to identify, classify, securely handle, retain,

Establish and maintain a data management process. In the


process, address data sensitivity, data owner, handling of
data, data retention limits, and disposal requirements,
based on sensitivity and retention standards for the x x x
enterprise. Review and update documentation annually, or
when significant enterprise changes occur that could
impact this Safeguard.

Establish and maintain a data inventory, based on the


enterprise’s data management process. Inventory sensitive
x x x Superset
data, at a minimum. Review and update inventory annually,
at a minimum, with a priority on sensitive data.

Equivalent

Configure data access control lists based on a user’s need


to know. Apply data access control lists, also known as
x x x
access permissions, to local and remote file systems,
databases, and applications.
Configure data access control lists based on a user’s need
to know. Apply data access control lists, also known as Superset
x x x
access permissions, to local and remote file systems,
databases, and applications.

Superset

Superset

Retain data according to the enterprise’s data management


process. Data retention must include both minimum and x x x
maximum timelines.

Securely dispose of data as outlined in the enterprise’s


data management process. Ensure the disposal process x x x
and method are commensurate with the data sensitivity.

Encrypt data on end-user devices containing sensitive data.


Example implementations can include: Windows x x x
BitLocker®, Apple FileVault®, Linux® dm-crypt.

Establish and maintain an overall data classification


scheme for the enterprise. Enterprises may use labels,
such as “Sensitive,” “Confidential,” and “Public,” and
classify their data according to those labels. Review and x x Equivalent
update the classification scheme annually, or when
significant enterprise changes occur that could impact this
Safeguard.

Document data flows. Data flow documentation includes


service provider data flows and should be based on the Equivalent
enterprise’s data management process. Review and update x x
documentation annually, or when significant enterprise
changes occur that could impact this Safeguard.
Equivalent

Encrypt data on removable media. x x Subset


Superset

Superset
Encrypt sensitive data in transit. Example implementations
can include: Transport Layer Security (TLS) and Open x x
Secure Shell (OpenSSH).

Superset

Subset

Subset

Encrypt sensitive data at rest on servers, applications, and


databases containing sensitive data. Storage-layer
encryption, also known as server-side encryption, meets
the minimum requirement of this Safeguard. Additional
x x
encryption methods may include application-layer
encryption, also known as client-side encryption, where
access to the data storage device(s) does not permit
access to the plain-text data. Superset

Subset

Superset
Segment data processing and storage based on the
sensitivity of the data. Do not process sensitive data on x x
enterprise assets intended for lower sensitivity data.
Segment data processing and storage based on the
sensitivity of the data. Do not process sensitive data on x x
enterprise assets intended for lower sensitivity data.
Intersects

Intersects

Implement an automated tool, such as a host-based Data


Loss Prevention (DLP) tool to identify all sensitive data
stored, processed, or transmitted through enterprise
x
assets, including those located onsite or at a remote
service provider, and update the enterprise's sensitive data
inventory.

Superset

Log sensitive data access, including modification and


x
disposal.
Intersects

f Enterprise Assets and Software

the secure configuration of enterprise assets (end-user devices,


mobile; network devices; non-computing/IoT devices; and
operating systems and applications).

Establish and maintain a secure configuration process for


enterprise assets (end-user devices, including portable and
mobile, non-computing/IoT devices, and servers) and
x x x Equivalent
software (operating systems and applications). Review and
update documentation annually, or when significant
enterprise changes occur that could impact this Safeguard.

Establish and maintain a secure configuration process for


enterprise assets (end-user devices, including portable and
mobile, non-computing/IoT devices, and servers) and
x x x Subset
software (operating systems and applications). Review and
update documentation annually, or when significant
enterprise changes occur that could impact this Safeguard.
Establish and maintain a secure configuration process for
network devices. Review and update documentation Superset
x x x
annually, or when significant enterprise changes occur that
could impact this Safeguard.
Superset
Configure automatic session locking on enterprise assets
after a defined period of inactivity. For general purpose
operating systems, the period must not exceed 15 minutes. x x x Equivalent
For mobile end-user devices, the period must not exceed 2
minutes.

Implement and manage a firewall on servers, where Subset


supported. Example implementations include a virtual
x x x
firewall, operating system firewall, or a third-party firewall
agent.
Superset

Implement and manage a host-based firewall or port- Equivalent


filtering tool on end-user devices, with a default-deny rule
x x x
that drops all traffic except those services and ports that
are explicitly allowed.

Subset

Securely manage enterprise assets and software. Example


implementations include managing configuration through
version-controlled-infrastructure-as-code and accessing
administrative interfaces over secure network protocols,
x x x
such as Secure Shell (SSH) and Hypertext Transfer
Protocol Secure (HTTPS). Do not use insecure
management protocols, such as Telnet (Teletype Network)
and HTTP, unless operationally essential.

Equivalent
Manage default accounts on enterprise assets and
software, such as root, administrator, and other pre-
configured vendor accounts. Example implementations can x x x
include: disabling default accounts or making them
unusable.
Manage default accounts on enterprise assets and
software, such as root, administrator, and other pre-
configured vendor accounts. Example implementations can x x x
include: disabling default accounts or making them
unusable.
Equivalent

Subset

Uninstall or disable unnecessary services on enterprise


assets and software, such as an unused file sharing x x Subset
service, web application module, or service function.

Equivalent

Equivalent

Configure trusted DNS servers on enterprise assets.


Example implementations include: configuring assets to
x x
use enterprise-controlled DNS servers and/or reputable
externally accessible DNS servers.

Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices, where supported. For laptops, do not allow more than 20 failed authentication attempts; for tablets and smartphones, no more than 10 failed authentication attempts. Example implementations include Microsoft® InTune Device Lock and Apple® Configuration Profile maxFailedAttempts.
x x

Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as lost or stolen devices, or when an individual no longer supports the enterprise.
x x

Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example implementations include using an Apple® Configuration Profile or Android™ Work Profile to separate enterprise applications and data from personal applications and data.
x

ls to assign and manage authorization to credentials for user
ministrator accounts, as well as service accounts, to enterprise

Subset
Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user and administrator accounts. The inventory, at a minimum, should contain the person’s name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
x x x
Superset

Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA.
x x x

Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.
x x x
Equivalent
Subset

Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
x x x
Subset
Subset
Subset

Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
x x

Centralize account management through a directory or identity service.
x x
ls to create, assign, manage, and revoke access credentials and
ministrator, and service accounts for enterprise assets and

Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire, rights grant, or role change of a user.
x x x

Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails.
x x x
Equivalent

Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard.
x x x
Subset
Superset
Superset

Require MFA for remote network access.
x x x
Equivalent
Equivalent
Subset

Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a third-party provider.
x x x
Subset
Subset

Establish and maintain an inventory of the enterprise’s authentication and authorization systems, including those hosted on-site or at a remote service provider. Review and update the inventory, at a minimum, annually, or more frequently.
x x

Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.
x x

Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.
x

ty Management
nuously assess and track vulnerabilities on all enterprise assets
infrastructure, in order to remediate, and minimize, the window of
rs. Monitor public and private industry sources for new threat and
n.

Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
x x x
Subset

Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
x x x
Superset

Perform operating system updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
x x x
Subset

Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
x x x
Subset

Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
x x
Superset

Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
x x
Superset

Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
x x

nd retain audit logs of events that could help detect, understand,
ck.
Establish and maintain an audit log management process that defines the enterprise’s logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
x x x

Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets.
x x x
Superset
Superset

Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log management process.
x x x
Subset

Standardize time synchronization. Configure at least two synchronized time sources across enterprise assets, where supported.
x x
Equivalent

Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.
x x
Superset
Superset

Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.
x x
Superset

Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.
x x
Superset
Superset

Collect DNS query audit logs on enterprise assets, where appropriate and supported.
x x

Collect URL request audit logs on enterprise assets, where appropriate and supported.
x x

Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell®, BASH™, and remote administrative terminals.
x x
Subset

Centralize, to the extent possible, audit log collection and retention across enterprise assets.
x x
Subset

Retain audit logs across enterprise assets for a minimum of 90 days.
x x
Equivalent
Equivalent

Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.
x x
Subset
Equivalent

Collect service provider logs, where supported. Example implementations include collecting authentication and authorization events, data creation and disposal events, and user management events.
x

r Protections
d detections of threats from email and web vectors, as these are
kers to manipulate human behavior through direct engagement.

Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.
x x x

Use DNS filtering services on all enterprise assets to block access to known malicious domains.
x x x
Subset

Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
x x
Subset

Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client plugins, extensions, and add-on applications.
x x

To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and verification, starting with implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
x x

Block unnecessary file types attempting to enter the enterprise’s email gateway.
x x

Deploy and maintain email server anti-malware protections, such as attachment scanning and/or sandboxing.
x

nstallation, spread, and execution of malicious applications,
erprise assets.

Deploy and maintain anti-malware software on all enterprise assets.
x x x
Equivalent
Subset
Subset

Configure automatic updates for anti-malware signature files on all enterprise assets.
x x x
Subset

Disable autorun and autoplay auto-execute functionality for removable media.
x x x

Configure anti-malware software to automatically scan removable media.
x x

Configure anti-malware software to automatically scan removable media.
x x

Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
x x
Subset

Centrally manage anti-malware software.
x x
Subset

Use behavior-based anti-malware software.
x x

data recovery practices sufficient to restore in-scope enterprise
t and trusted state.

Establish and maintain a data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
x x x

Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data.
x x x
Subset
Superset

Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements.
x x x
Superset

Establish and maintain an isolated instance of recovery data. Example implementations include version controlling backup destinations through offline, cloud, or off-site systems or services.
x x x

Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise assets.
x x

nd actively manage (track, report, correct) network devices, in
ers from exploiting vulnerable network services and access

Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
x x x
Superset

Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.
x x
Superset
Superset

Securely manage network infrastructure. Example implementations include version-controlled-infrastructure-as-code, and the use of secure network protocols, such as SSH and HTTPS.
x x
Superset

Establish and maintain architecture diagram(s) and/or other network system documentation. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
x x

Centralize network AAA.
x x
Superset

Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected Access 2 (WPA2) Enterprise or greater).
x x
Superset

Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise resources on end-user devices.
x x

Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative tasks or tasks requiring administrative access. The computing resources should be segmented from the enterprise's primary network and not be allowed internet access.
x

tooling to establish and maintain comprehensive network
e against security threats across the enterprise’s network
base.

Superset

Centralize security event alerting across enterprise assets for log correlation and analysis. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. A log analytics platform configured with security-relevant correlation alerts also satisfies this Safeguard.
x x
Equivalent

Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
x x
Subset

Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service.
x x
Subset

Perform traffic filtering between network segments, where appropriate.
x x

Manage access control for assets remotely connecting to enterprise resources. Determine amount of access to enterprise resources based on: up-to-date anti-malware software installed, configuration compliance with the enterprise’s secure configuration process, and ensuring the operating system and applications are up-to-date.
x x

Collect network traffic flow logs and/or network traffic to review and alert upon from network devices.
x x

Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.
x
Subset
Superset

Deploy a network intrusion prevention solution, where appropriate. Example implementations include the use of a Network Intrusion Prevention System (NIPS) or equivalent CSP service.
x

Deploy a network intrusion prevention solution, where appropriate. Example implementations include the use of a Network Intrusion Prevention System (NIPS) or equivalent CSP service.
x
Subset

Deploy port-level access control. Port-level access control utilizes 802.1x, or similar network access control protocols, such as certificates, and may incorporate user and/or device authentication.
x
Superset
Superset
Superset
Superset
Superset
Superset

Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway.
x
Superset
Superset
Superset

Tune security event alerting thresholds monthly, or more frequently.
x

d Skills Training
a security awareness program to influence behavior among the
y conscious and properly skilled to reduce cybersecurity risks to

Superset
Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
x x x
Superset
Equivalent
Superset

Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
x x x

Train workforce members on authentication best practices. Example topics include MFA, password composition, and credential management.
x x x

Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This also includes training workforce members on clear screen and desk best practices, such as locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets securely.
x x x
Equivalent

Train workforce members to be aware of causes for unintentional data exposure. Example topics include mis-delivery of sensitive data, losing a portable end-user device, or publishing data to unintended audiences.
x x x

Train workforce members to be able to recognize a potential incident and be able to report such an incident.
x x x

Train workforce to understand how to verify and report out-of-date software patches or any failures in automated processes and tools. Part of this training should include notifying IT personnel of any failures in automated processes and tools.
x x x

Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks for enterprise activities. If the enterprise has remote workers, training must include guidance to ensure that all users securely configure their home network infrastructure.
x x x

Conduct role-specific security awareness and skills training. Example implementations include secure system administration courses for IT professionals, OWASP® Top 10 vulnerability awareness and prevention training for web application developers, and advanced social engineering awareness training for high-profile roles.
x x
Superset

Conduct role-specific security awareness and skills training. Example implementations include secure system administration courses for IT professionals, OWASP® Top 10 vulnerability awareness and prevention training for web application developers, and advanced social engineering awareness training for high-profile roles.
x x
Superset

valuate service providers who hold sensitive data, or are
rprise’s critical IT platforms or processes, to ensure these
g those platforms and data appropriately.

Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant enterprise changes occur that could impact this Safeguard.
x x x

Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard.
x x

Classify service providers. Classification consideration may include one or more characteristics, such as data sensitivity, data volume, availability requirements, applicable regulations, inherent risk, and mitigated risk. Update and review classifications annually, or when significant enterprise changes occur that could impact this Safeguard.
x x

Ensure service provider contracts include security requirements. Example requirements may include minimum security program requirements, security incident and/or data breach notification and response, data encryption requirements, and data disposal commitments. These security requirements must be consistent with the enterprise’s service provider management policy. Review service provider contracts annually to ensure contracts are not missing security requirements.
x x

Assess service providers consistent with the enterprise’s service provider management policy. Assessment scope may vary based on classification(s), and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes. Reassess service providers annually, at a minimum, or with new and renewed contracts.
x

Monitor service providers consistent with the enterprise’s service provider management policy. Monitoring may include periodic reassessment of service provider compliance, monitoring service provider release notes, and dark web monitoring.
x

Securely decommission service providers. Example considerations include user and service account deactivation, termination of data flows, and secure disposal of enterprise data within service provider systems.
x

ecurity

e cycle of in-house developed, hosted, or acquired software to


mediate security weaknesses before they can impact the

Equivalent
Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
x x
Superset
Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. Third-party application developers need to consider this an externally-facing policy that helps to set expectations for outside stakeholders.
x x
Superset

Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root cause analysis is the task of evaluating underlying issues that create vulnerabilities in code, and allows development teams to move beyond just fixing individual vulnerabilities as they arise.
x x

Establish and manage an updated inventory of third-party components used in development, often referred to as a “bill of materials,” as well as components slated for future use. This inventory is to include any risks that each third-party component could pose. Evaluate the list at least monthly to identify any changes or updates to these components, and validate that the component is still supported.
x x

Use up-to-date and trusted third-party software components. When possible, choose established and proven frameworks and libraries that provide adequate security. Acquire these components from trusted sources or evaluate the software for vulnerabilities before use.
x x
Subset

Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities are fixed. This process includes setting a minimum level of security acceptability for releasing code or applications. Severity ratings bring a systematic way of triaging vulnerabilities that improves risk management and helps ensure the most severe bugs are fixed first. Review and update the system and process annually.
x x
Superset

Use standard, industry-recommended hardening configuration templates for application infrastructure components. This includes underlying servers, databases, and web servers, and applies to cloud containers, Platform as a Service (PaaS) components, and SaaS components. Do not allow in-house developed software to weaken configuration hardening.
x x
Subset

Equivalent

Maintain separate environments for production and non-production systems.
x x
Equivalent
Equivalent

Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities. Training can include general security principles and application security standard practices. Conduct training at least annually and design in a way to promote security within the development team, and build a culture of security among the developers.
x x
Superset
Superset
Superset
Superset
Superset
Superset
Superset
Superset
Superset
Superset
Apply secure design principles in application architectures. Secure design principles include the concept of least privilege and enforcing mediation to validate every operation that the user makes, promoting the concept of "never trust user input." Examples include ensuring that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. Secure design also means minimizing the application infrastructure attack surface, such as turning off unprotected ports and services, removing unnecessary programs and files, and renaming or removing default accounts.
x x

Leverage vetted modules or services for application security components, such as identity management, encryption, and auditing and logging. Using platform features in critical security functions will reduce developers’ workload and minimize the likelihood of design or implementation errors. Modern operating systems provide effective mechanisms for identification, authentication, and authorization and make those mechanisms available to applications. Use only standardized, currently accepted, and extensively reviewed encryption algorithms. Operating systems also provide mechanisms to create and maintain secure audit logs.
x x

Apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are being followed.
x
Equivalent

Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
x

Conduct threat modeling. Threat modeling is the process of identifying and addressing application security design flaws within a design, before code is created. It is conducted through specially trained individuals who evaluate the application design and gauge security risks for each entry point and access level. The goal is to map out the application, architecture, and infrastructure in a structured way to understand its weaknesses.
x

develop and maintain an incident response capability (e.g.,
ures, defined roles, training, and communications) to prepare,
pond to an attack.

Designate one key person, and at least one backup, who will manage the enterprise’s incident handling process. Management personnel are responsible for the coordination and documentation of incident response and recovery efforts and can consist of employees internal to the enterprise, third-party vendors, or a hybrid approach. If using a third-party vendor, designate at least one person internal to the enterprise to oversee any third-party work. Review annually, or when significant enterprise changes occur that could impact this Safeguard.
x x x
Equivalent
Superset

Establish and maintain contact information for parties that need to be informed of security incidents. Contacts may include internal staff, third-party vendors, law enforcement, cyber insurance providers, relevant government agencies, Information Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts annually to ensure that information is up-to-date.
x x x

Establish and maintain an enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard.
x x x
Subset

Establish and maintain an incident response process that addresses roles and responsibilities, compliance requirements, and a communication plan. Review annually, or when significant enterprise changes occur that could impact this Safeguard.
x x
Equivalent

Assign key roles and responsibilities for incident response, including staff from legal, IT, information security, facilities, public relations, human resources, incident responders, and analysts, as applicable. Review annually, or when significant enterprise changes occur that could impact this Safeguard.
x x

Determine which primary and secondary mechanisms will be used to communicate and report during a security incident. Mechanisms can include phone calls, emails, or letters. Keep in mind that certain mechanisms, such as emails, can be affected during a security incident. Review annually, or when significant enterprise changes occur that could impact this Safeguard.
x x

Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process to prepare for responding to real-world incidents. Exercises need to test communication channels, decision making, and workflows. Conduct testing on an annual basis, at a minimum.
x x

Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying lessons learned and follow-up action.
x x

Establish and maintain security incident thresholds, including, at a minimum, differentiating between an incident and an event. Examples can include: abnormal activity, security vulnerability, security weakness, data breach, privacy incident, etc. Review annually, or when significant enterprise changes occur that could impact this Safeguard.
x

and resiliency of enterprise assets through identifying and
in controls (people, processes, and technology), and simulating
ons of an attacker.

Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
x x
Equivalent

Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
x x
Equivalent

Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
x x

Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing.
x

Perform periodic internal penetration tests based on program requirements, no less than annually. The testing may be clear box or opaque box.
x
Equivalent

DSS Req. # Requirement Notes

2.4 Maintain an inventory of system components that are in scope for PCI DSS.

9.9.1 Maintain an up-to-date list of devices. The list should include the following:
• Make, model of device
• Location of device (for example, the address of the site or facility where the device is located)
• Device serial number or other method of unique identification.

11.1.1 Maintain an inventory of authorized wireless access points including a documented business justification.

11.1 Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis.

11.1.2 Implement incident response procedures in the event unauthorized wireless access points are detected.

Maintain an inventory of system components that are in scope


2.4
for PCI DSS.

Documentation of business justification and approval for use of


all services, protocols, and ports allowed, including
1.1.6
documentation of security features implemented for those
protocols considered to be insecure.
9.6.1 Classify media so the sensitivity of the data can be determined.

Limit access to system components and cardholder data to only


7.1
those individuals whose job requires such access.
Define access needs for each role, including:
• System components and data resources that each role needs
7.1.1 to access for their job function
• Level of privilege required (for example, user, administrator,
etc.) for accessing resources.
Restrict access to privileged user IDs to least privileges
7.1.2
necessary to perform job responsibilities.
Assign access based on individual personnel’s job classification
7.1.3
and function.

9.6.1 Classify media so the sensitivity of the data can be determined.

Current network diagram that identifies all connections between


1.1.2 the cardholder data environment and other networks, including
any wireless networks.

Current diagram that shows all cardholder data flows across


1.1.3
systems and networks.

3.4 Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:
• One-way hashes based on strong cryptography, (hash must be of the entire PAN)
• Truncation (hashing cannot be used to replace the truncated segment of PAN)
• Index tokens and pads (pads must be securely stored)
• Strong cryptography with associated key-management processes and procedures.

2.1.1 For wireless environments connected to the cardholder data environment or transmitting cardholder data, change ALL wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP community strings. See 2.1.1.d and 2.1.1.e

4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following:
• Only trusted keys and certificates are accepted.
• The protocol in use only supports secure versions or configurations.
• The encryption strength is appropriate for the encryption methodology in use.

4.1.1 Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment, use industry best practices to implement strong encryption for authentication and transmission.

8.2.1 Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components.

3.4 Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:
• One-way hashes based on strong cryptography, (hash must be of the entire PAN)
• Truncation (hashing cannot be used to replace the truncated segment of PAN)
• Index tokens and pads (pads must be securely stored)
• Strong cryptography with associated key-management processes and procedures.

3.4.1 If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed separately and independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network login credentials). Decryption keys must not be associated with user accounts.

8.2.1 Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components.

2.2.1 Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.)

2.4 Maintain an inventory of system components that are in scope for PCI DSS.

7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.

10.2.1 Implement automated audit trails for all system components to reconstruct the following events: All individual user accesses to cardholder data

11.5 Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.

2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardening standards may include, but are not limited to:
• Center for Internet Security (CIS)
• International Organization for Standardization (ISO)
• SysAdmin Audit Network Security (SANS) Institute
• National Institute of Standards Technology (NIST).

11.5 Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.

1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations

1.2.2 Secure and synchronize router configuration files.

8.1.8 If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.

1.1.4 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone

1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.

1.4 Install personal firewall software or equivalent functionality on any portable computing devices (including company and/or employee-owned) that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the CDE. Firewall (or equivalent) configurations include:
• Specific configuration settings are defined.
• Personal firewall (or equivalent functionality) is actively running.
• Personal firewall (or equivalent functionality) is not alterable by users of the portable computing devices.

1.1.4 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone

2.1 Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.

2.1.1 For wireless environments connected to the cardholder data environment or transmitting cardholder data, change ALL wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP community strings.

1.1.6 Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.

1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.

2.2.2 Enable only necessary services, protocols, daemons, etc., as required for the function of the system.

2.2.5 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.

8.1 Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components as follows:

8.1.1 Assign all users a unique ID before allowing them to access system components or cardholder data.

8.1.4 Remove/disable inactive user accounts within 90 days.

7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.

7.1.1 Define access needs for each role, including:
• System components and data resources that each role needs to access for their job function
• Level of privilege required (for example, user, administrator, etc.) for accessing resources.

7.1.2 Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.

7.1.3 Assign access based on individual personnel’s job classification and function.

8.1.3 Immediately revoke access for any terminated users.

8.3 Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication.

2.3 Encrypt all non-console administrative access using strong cryptography.

8.3 Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication.

8.3.2 Incorporate multi-factor authentication for all remote network access (both user and administrator, and including third-party access for support or maintenance) originating from outside the entity’s network.

8.3 Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication.

8.3 Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication.

8.3.1 Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.

8.3.2 Incorporate multi-factor authentication for all remote network access (both user and administrator, and including third-party access for support or maintenance) originating from outside the entity’s network.

11.2.1 Perform quarterly internal vulnerability scans. Address vulnerabilities and perform rescans to verify all “high risk” vulnerabilities are resolved in accordance with the entity’s vulnerability ranking (per Requirement 6.1). Scans must be performed by qualified personnel.

6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities.

6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.

6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.

11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).

11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).

10.2 Implement automated audit trails for all system components to reconstruct the following events: See 10.2.1-10.2.7

10.3 Record at least the following audit trail entries for all system components for each event: See 10.3.1-10.3.6

10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).

10.4 Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time.

10.1 Implement audit trails to link all access to system components to each individual user.

10.2.2 All actions taken by any individual with root or administrative privileges

10.2.4 Implement automated audit trails for all system components to reconstruct the following events: Invalid logical access attempts.

10.2.5 Use of and changes to identification and authentication mechanisms—including but not limited to creation of new accounts and elevation of privileges—and all changes, additions, or deletions to accounts with root or administrative privileges.

10.3 Record at least the following audit trail entries for all system components for each event: See 10.3.1-10.3.6

10.5.3 Promptly back up audit trail files to a centralized log server or media that is difficult to alter.

10.5.4 Write logs for external-facing technologies onto a secure, centralized, internal log server or media device.

10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).

10.6 Review logs and security events for all system components to identify anomalies or suspicious activity.

10.6.1 Review the following at least daily:
• All security events
• Logs of all system components that store, process, or transmit CHD and/or SAD
• Logs of all critical system components
• Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.).

10.6.2 Review logs of all other system components periodically based on the organization’s policies and risk management strategy, as determined by the organization’s annual risk assessment.

1.1.6 Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.

11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up to date.

5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).

5.1.1 Ensure that anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.

5.2 Ensure that all anti-virus mechanisms are maintained as follows:
• Are kept current,
• Perform periodic scans
• Generate audit logs which are retained per PCI DSS Requirement 10.7.

11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up to date.

1.4 Install personal firewall software or equivalent functionality on any portable computing devices (including company and/or employee-owned) that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the CDE. Firewall (or equivalent) configurations include:
• Specific configuration settings are defined.
• Personal firewall (or equivalent functionality) is actively running.
• Personal firewall (or equivalent functionality) is not alterable by users of the portable computing devices.

11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up to date.

12.10.1 Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum:
• Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum
• Specific incident response procedures
• Business recovery and continuity procedures
• Data backup processes
• Analysis of legal requirements for reporting compromises
• Coverage and responses of all critical system components
• Reference or inclusion of incident response procedures from the payment brands.

9.5 Physically secure all media.

9.5.1 Store media backups in a secure location, preferably an off-site facility, such as an alternate or backup site, or a commercial storage facility. Review the location’s security at least annually.

1.1.6 Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.

1.2.3 Install perimeter firewalls between all wireless networks and the cardholder data environment, and configure these firewalls to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment.

2.2.2 Enable only necessary services, protocols, daemons, etc., as required for the function of the system.

8.3 Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication.

2.1.1 For wireless environments connected to the cardholder data environment or transmitting cardholder data, change ALL wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP community strings.

4.1.1 Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment, use industry best practices to implement strong encryption for authentication and transmission.

10.5.3 Promptly back up audit trail files to a centralized log server or media that is difficult to alter.

10.6.1 Review the following at least daily:
• All security events
• Logs of all system components that store, process, or transmit CHD and/or SAD
• Logs of all critical system components
• Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.).

11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up to date.

11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up to date.

11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up to date.

11.1 Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis.

11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up to date.

1.1.6 Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.

1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.

1.1.4 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone

1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.

1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.

1.3.3 Implement anti-spoofing measures to detect and block forged source IP addresses from entering the network.

1.3.4 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.

1.3.5 Permit only “established” connections into the network.

6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
• Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
• Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic.

9.9.3 Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include the following:
• Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.
• Do not install, replace, or return devices without verification.
• Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices).
• Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer).

12.6 Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.

12.6.1 Educate personnel upon hire and at least annually.

12.6.2 Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures.

12.6 Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.

12.10.4 Provide appropriate training to staff with security breach response responsibilities.

6.5 Address common coding vulnerabilities in software-development processes as follows:
• Train developers at least annually in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities.
• Develop applications based on secure coding guidelines.

6.3 Develop internal and external software applications (including web-based administrative access to applications) securely, as follows:
• In accordance with PCI DSS (for example, secure authentication and logging)
• Based on industry standards and/or best practices.
• Incorporating information security throughout the software-development life cycle

6.5 Address common coding vulnerabilities in software-development processes as follows:
• Train developers at least annually in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities.
• Develop applications based on secure coding guidelines.

6.3.2 Review custom code prior to release to production or customers in order to identify any potential coding vulnerability (using either manual or automated processes) to include at least the following:
• Code changes are reviewed by individuals other than the originating code author, and by individuals knowledgeable about code-review techniques and secure coding practices.
• Code reviews ensure code is developed according to secure coding guidelines
• Appropriate corrections are implemented prior to release.
• Code-review results are reviewed and approved by management prior to release.

6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.

6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities.

2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardening standards may include, but are not limited to:
• Center for Internet Security (CIS)
• International Organization for Standardization (ISO)
• SysAdmin Audit Network Security (SANS) Institute
• National Institute of Standards Technology (NIST).

6.4.1 Separate development/test environments from production environments, and enforce the separation with access controls.

6.4.2 Separation of duties between development/test and production environments.

6.5 Address common coding vulnerabilities in software-development processes as follows:
• Train developers at least annually in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities.
• Develop applications based on secure coding guidelines.

6.5.1 Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws.

6.5.2 Buffer overflows.

6.5.3 Insecure cryptographic storage.

6.5.4 Insecure communications.

6.5.5 Improper error handling.

6.5.6 All “high risk” vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.1).

6.5.7 Cross-site scripting (XSS).

6.5.8 Improper access control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions).

6.5.9 Cross-site request forgery (CSRF).

6.5.10 Broken authentication and session management.

6.3.2 Review custom code prior to release to production or customers in order to identify any potential coding vulnerability (using either manual or automated processes) to include at least the following:
• Code changes are reviewed by individuals other than the originating code author, and by individuals knowledgeable about code-review techniques and secure coding practices.
• Code reviews ensure code is developed according to secure coding guidelines
• Appropriate corrections are implemented prior to release.
• Code-review results are reviewed and approved by management prior to release.

12.10.3 Designate specific personnel to be available on a 24/7 basis to respond to alerts.

12.10.4 Provide appropriate training to staff with security breach response responsibilities.

12.10.1 Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum:
• Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum
• Specific incident response procedures
• Business recovery and continuity procedures
• Data backup processes
• Analysis of legal requirements for reporting compromises
• Coverage and responses of all critical system components
• Reference or inclusion of incident response procedures from the payment brands.

12.10.1 Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum:
• Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum
• Specific incident response procedures
• Business recovery and continuity procedures
• Data backup processes
• Analysis of legal requirements for reporting compromises
• Coverage and responses of all critical system components
• Reference or inclusion of incident response procedures from the payment brands.

11.3 Implement a methodology for penetration testing that includes the following:
• Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115)
• Includes coverage for the entire CDE perimeter and critical systems
• Includes testing from both inside and outside the network
• Includes testing to validate any segmentation and scope-reduction controls
• Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
• Defines network-layer penetration tests to include components that support network functions as well as operating systems
• Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
• Specifies retention of penetration testing results and remediation activities results.

11.3.1 Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).

11.3.2 Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).

The following items do not map from the CIS Controls to PCI DSS.

Non-Mapped PCI DSS Requirements

Identifier  Requirement
1.1  Establish and implement firewall and router configuration standards that include the following:
1.1.5  Description of groups, roles, and responsibilities for management of network components
1.1.7  Requirement to review firewall and router rule sets at least every six months
1.3  Prohibit direct public access between the Internet and any system component in the cardholder data environment.
1.3.6  Place system components that store cardholder data (such as a database) in an internal network zone, segregated networks.
1.3.7  Do not disclose private IP addresses and routing information to unauthorized parties.
1.5  Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known
2.2.3  Implement additional security features for any required services, protocols, or daemons that are considered to be ins
2.2.4  Configure system security parameters to prevent misuse.
2.5  Ensure that security policies and operational procedures for managing vendor defaults and other security parameter known to all affected parties.
2.6  Shared hosting providers must protect each entity’s hosted environment and cardholder data. These providers must detailed in Appendix A1: Additional PCI DSS Requirements for Shared Hosting Providers.
3.1  Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and p following for all cardholder data (CHD) storage:
• Limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requ
• Specific retention requirements for cardholder data
• Processes for secure deletion of data when no longer needed
• A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention.
3.2.1  Do not store the full contents of any track (from the magnetic stripe located on the back of a card, equivalent data co after authorization. This data is alternatively called full track, track, track 1, track 2, and magnetic-stripe data.
3.2.2  Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a paym present transactions) after authorization.
3.2.3  Do not store the personal identification number (PIN) or the encrypted PIN block after authorization.
3.3  Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such legitimate business need can see more than the first six/last four digits of the PAN.
3.4  Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by us approaches:
• One-way hashes based on strong cryptography, (hash must be of the entire PAN)
• Truncation (hashing cannot be used to replace the truncated segment of PAN)
• Index tokens and pads (pads must be securely stored)
• Strong cryptography with associated key-management processes and procedures.
3.4.1  If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed se native operating system authentication and access control mechanisms (for example, by not using local user accoun login credentials). Decryption keys must not be associated with user accounts.
3.5  Document and implement procedures to protect keys used to secure stored cardholder data against disclosure and
3.5.1  Additional requirement for service providers only: Maintain a documented description of the cryptographic architectu
• Details of all algorithms, protocols, and keys used for the protection of cardholder data, including key strength and
• Description of the key usage for each key
• Inventory of any HSMs and other SCDs used for key management
3.5.2  Restrict access to cryptographic keys to the fewest number of custodians necessary.
3.5.3  Store secret and private keys used to encrypt/decrypt cardholder data in one (or more) of the following forms at all ti
• Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separa
• Within a secure cryptographic device (such as a hardware (host) security module (HSM) or PTS-approved point-of
• As at least two full-length key components or key shares, in accordance with an industry-accepted method
3.5.4  Store cryptographic keys in the fewest possible locations.
3.6  Fully document and implement all key-management processes and procedures for cryptographic keys used for encr including the following:
3.6.1  Generation of strong cryptographic keys
3.6.2  Secure cryptographic key distribution
3.6.3  Secure cryptographic key storage
3.6.4  Cryptographic key changes for keys that have reached the end of their cryptoperiod (for example, after a defined pe after a certain amount of cipher-text has been produced by a given key), as defined by the associated application ve industry best practices and guidelines (for example, NIST Special Publication 800-57).
3.6.5  Retirement or replacement (for example, archiving, destruction, and/or revocation) of keys as deemed necessary wh been weakened (for example, departure of an employee with knowledge of a clear-text key component), or keys are compromised.
3.6.6  If manual clear-text cryptographic key-management operations are used, these operations must be managed using
3.6.7  Prevention of unauthorized substitution of cryptographic keys.
3.6.8  Requirement for cryptographic key custodians to formally acknowledge that they understand and accept their key-cu
3.7  Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in u parties.
4.2  Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, SMS,
4.3  Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are docume affected parties.
5.1.2  For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify threats in order to confirm whether such systems continue to not require anti-virus software.
5.3  Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifica a case-by-case basis for a limited time period.
5.4  Ensure that security policies and operational procedures for protecting systems against malware are documented, in parties.
6.3.1  Remove development, test and/or custom application accounts, user IDs, and passwords before applications becom customers.
6.4  Follow change control processes and procedures for all changes to system components. The processes must includ
6.4.3  Production data (live PANs) are not used for testing or development
6.4.4  Removal of test data and accounts from system components before the system becomes active / goes into producti
6.4.5  Change control procedures must include the following:
6.4.5.1  Documentation of impact.
6.4.5.2  Documented change approval by authorized parties.
6.4.5.3  Functionality testing to verify that the change does not adversely impact the security of the system.
6.4.5.4  Back-out procedures.
6.4.6  Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or cha documentation updated as applicable.
6.7  Ensure that security policies and operational procedures for developing and maintaining secure systems and applica and known to all affected parties.
7.1.4  Require documented approval by authorized parties specifying required privileges.
7.2.3  Default “deny-all” setting.
7.3  Ensure that security policies and operational procedures for restricting access to cardholder data are documented, i parties.
8.1.2  Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.
8.1.5  Manage IDs used by third parties to access, support, or maintain system components via remote access as follows:
• Enabled only during the time period needed and disabled when not in use.
• Monitored when in use.
8.1.6  Limit repeated access attempts by locking out the user ID after not more than six attempts.
8.1.7  Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID.
8.2  In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and ad components by employing at least one of the following methods to authenticate all users:
• Something you know, such as a password or passphrase
• Something you have, such as a token device or smart card
• Something you are, such as a biometric.
8.2.2  Verify user identity before modifying any authentication credential—for example, performing password resets, provis new keys.
8.2.3  Passwords/passphrases must meet the following:
• Require a minimum length of at least seven characters.
• Contain both numeric and alphabetic characters.
Alternatively, the passwords/passphrases must have complexity and strength at least equivalent to the parameters
8.2.4  Change user passwords/passphrases at least once every 90 days.
8.2.5  Do not allow an individual to submit a new password/passphrase that is the same as any of the last four passwords/
8.2.6  Set passwords/passphrases for first-time use and upon reset to a unique value for each user, and change immediat
8.4  Document and communicate authentication policies and procedures to all users including:
• Guidance on selecting strong authentication credentials
• Guidance for how users should protect their authentication credentials
• Instructions not to reuse previously used passwords
• Instructions to change passwords if there is any suspicion the password could be compromised.
8.5  Do not use group, shared, or generic IDs, passwords, or other authentication methods as follows:
• Generic user IDs are disabled or removed.
• Shared user IDs do not exist for system administration and other critical functions.
• Shared and generic user IDs are not used to administer any system components.
8.5.1  Additional requirement for service providers only: Service providers with remote access to customer premises (for ex systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer.
8.6  Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, cer mechanisms must be assigned as follows:
• Authentication mechanisms must be assigned to an individual account and not shared among multiple accounts.
• Physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to g
8.7  All access to any database containing cardholder data (including access by applications, administrators, and all othe
• All user access to, user queries of, and user actions on databases are through programmatic methods.
• Only database administrators have the ability to directly access or query databases.
• Application IDs for database applications can only be used by the applications (and not by individual users or other
8.8  Ensure that security policies and operational procedures for identification and authentication are documented, in use parties.
9.1  Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environ
9.1.1  Use either video cameras or access control mechanisms (or both) to monitor individual physical access to sensitive correlate with other entries. Store for at least three months, unless otherwise restricted by law.
9.1.2  Implement physical and/or logical controls to restrict access to publicly accessible network jacks.
9.1.3  Restrict physical access to wireless access points, gateways, handheld devices, networking/communications hardw
9.2  Develop procedures to easily distinguish between onsite personnel and visitors, to include:
• Identifying onsite personnel and visitors (for example, assigning badges)
• Changes to access requirements
• Revoking or terminating onsite personnel and expired visitor identification (such as ID badges).
9.3  Control physical access for onsite personnel to sensitive areas as follows:
• Access must be authorized and based on individual job function.
• Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards
9.4  Implement procedures to identify and authorize visitors. Procedures should include the following:
9.4.1  Visitors are authorized before entering, and escorted at all times within, areas where cardholder data is processed o
9.4.2  Visitors are identified and given a badge or other identification that expires and that visibly distinguishes the visitors
9.4.3  Visitors are asked to surrender the badge or identification before leaving the facility or at the date of expiration.
9.4.4  A visitor log is used to maintain a physical audit trail of visitor activity to the facility as well as computer rooms and da is stored or transmitted. Document the visitor’s name, the firm represented, and the onsite personnel authorizing physical access on the log. Retain this log for a minimum of three months, unless otherwise restricted by law.
9.6  Maintain strict control over the internal or external distribution of any kind of media, including the following:
9.6.2  Send the media by secured courier or other delivery method that can be accurately tracked.
9.6.3  Ensure management approves any and all media that is moved from a secured area (including when media is distrib
9.7  Maintain strict control over the storage and accessibility of media.
9.8  Destroy media when it is no longer needed for business or legal reasons as follows:
9.8.1  Shred, incinerate, or pulp hard-copy materials so that cardholder data cannot be reconstructed. Secure storage con to be destroyed.
9.8.2  Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed.
9.9  Protect devices that capture payment card data via direct physical interaction with the card from tampering and subs
9.9.2  Periodically inspect device surfaces to detect tampering (for example, addition of card skimmers to devices), or subs the serial number or other device characteristics to verify it has not been swapped with a fraudulent device).
9.9.3  Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should includ
• Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them devices.
• Do not install, replace, or return devices without verification.
• Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open de
• Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for examp officer).
9.10  Ensure that security policies and operational procedures for restricting physical access to cardholder data are docum affected parties.
10.2.2  Implement automated audit trails for all system components to reconstruct the following events: All actions taken by administrative privileges
10.2.3  Implement automated audit trails for all system components to reconstruct the following events: Access to all audit t
10.2.6  Implement automated audit trails for all system components to reconstruct the following events: Initialization, stoppin
10.2.7  Implement automated audit trails for all system components to reconstruct the following events: Creation and deletio
10.5  Secure audit trails so they cannot be altered.
10.5.1  Limit viewing of audit trails to those with a job-related need.
10.5.2  Protect audit trail files from unauthorized modifications.
10.5.5  Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed (although new data being added should not cause an alert).
10.6.3  Follow up exceptions and anomalies identified during the review process.
10.7  Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for restorable from backup).
10.8  Additional requirement for service providers only: Implement a process for the timely detection and reporting of failu systems, including but not limited to failure of:
• Firewalls
• IDS/IPS
• FIM
• Anti-virus
• Physical access controls
• Logical access controls
• Audit logging mechanisms
• Segmentation controls (if used)
10.8.1  Additional requirement for service providers only: Respond to failures of any critical security controls in a timely man failures in security controls must include:
• Restoring security functions
• Identifying and documenting the duration (date and time start to end) of the security failure
• Identifying and documenting cause(s) of failure, including root cause, and documenting remediation required to ad
• Identifying and addressing any security issues that arose during the failure
• Performing a risk assessment to determine whether further actions are required as a result of the security failure
• Implementing controls to prevent cause of failure from reoccurring
• Resuming monitoring of security controls
10.9  Ensure that security policies and operational procedures for monitoring all access to network resources and cardhol and known to all affected parties.
11.2.2  Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment C Council (PCI SSC). Perform rescans as needed, until passing scans are achieved.
11.2.3  Perform internal and external scans, and rescans as needed, after any significant change. Scans must be performed
11.3.3  Exploitable vulnerabilities found during penetration testing are corrected and testing is repeated to verify the correcti
11.3.4  If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope CDE.
11.3.4.1  Additional requirement for service providers only: If segmentation is used, confirm PCI DSS scope by performing pe controls at least every six months and after any changes to segmentation controls/methods.
11.5.1  Implement a process to respond to any alerts generated by the change-detection solution.
11.6  Ensure that security policies and operational procedures for security monitoring and testing are documented, in use,
12.1  Establish, publish, maintain, and disseminate a security policy.
12.1.1  Review the security policy at least annually and update the policy when the environment changes.
12.2  Implement a risk-assessment process that:
• Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, r
• Identifies critical assets, threats, and vulnerabilities, and
• Results
12.3  Develop usage policies for critical technologies and define proper use of these technologies. Ensure these usage po
12.3.1  Explicit approval by authorized parties
12.3.2  Authentication for use of the technology
12.3.3  A list of all such devices and personnel with access
12.3.4  A method to accurately and readily determine owner, contact information, and purpose (for example, labeling, codin
12.3.5  Acceptable uses of the technology
12.3.6  Acceptable network locations for the technologies
12.3.7  List of company-approved products
12.3.8  Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity
12.3.9  Activation of remote-access technologies for vendors and business partners only when needed by vendors and busi deactivation after use
12.3.10  For personnel accessing cardholder data via remote-access technologies, prohibit the copying, moving, and storage hard drives and removable electronic media, unless explicitly authorized for a defined business need. Where there is an authorized business need, the usage policies must require the data be protected in accordance w Requirements.
12.4  Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.
12.4.1  Additional requirement for service providers only: Executive management shall establish responsibility for the protec DSS compliance program to include:
• Overall accountability for maintaining PCI DSS compliance
• Defining a charter for a PCI DSS compliance program and communication to executive management
12.5  Assign to an individual or team the following information security management responsibilities:
12.5.1  Establish, document, and distribute security policies and procedures.
12.5.2  Monitor and analyze security alerts and information, and distribute to appropriate personnel.
12.5.3  Establish, document, and distribute security incident response and escalation procedures to ensure timely and effec
12.5.4  Administer user accounts, including additions, deletions, and modifications.
12.5.5  Monitor and control all access to data.
12.7  Screen potential personnel prior to hire to minimize the risk of attacks from internal sources. (Examples of backgrou employment history, criminal record, credit history, and reference checks.)
12.8  Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, cardholder data, as follows:
12.8.1  Maintain a list of service providers including a description of the service provided.
12.8.2  Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the s service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that the customer’s cardholder data environment.
12.8.3  Ensure there is an established process for engaging service providers including proper due diligence prior to engage
12.8.4  Maintain a program to monitor service providers’ PCI DSS compliance status at least annually.
12.8.5  Maintain information about which PCI DSS requirements are managed by each service provider, and which are man
12.9  Additional requirement for service providers only: Service providers acknowledge in writing to customers that they ar cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the custom impact the security of the customer’s cardholder data environment.
12.10.2  Review and test the (incident response) plan, including all elements listed in Requirement 12.10.1, at least annually.
12.10.5  Include alerts from security monitoring systems, including but not limited to intrusion-detection, intrusion-prevention, monitoring systems.
12.10.6  Develop a process to modify and evolve the incident response plan according to lessons learned and to incorporate
12.11  Additional requirement for service providers only: Perform reviews at least quarterly to confirm personnel are followin operational procedures. Reviews must cover the following processes:
• Daily log reviews
• Firewall rule-set reviews
• Applying configuration standards to new systems
• Responding to security alerts
• Change management processes
12.11.1  Additional requirement for service providers only: Maintain documentation of quarterly review process to include:
• Documenting results of the reviews
• Review and sign-off of results by personnel assigned responsibility for the PCI DSS compliance program