PCI DSS 4.0 (262 requirements)
PCI DSS 4.0 · PCI DSS 4.0.1 requirements cross-referenced on this page, grouped by principal requirement:
- Requirement 1: 1.1.1 · 1.1.2 · 1.2.1 · 1.2.2 · 1.2.3 · 1.2.4 · 1.2.5 · 1.2.6 · 1.2.7 · 1.2.8 · 1.3.1 · 1.3.2 · 1.3.3 · 1.4.1 · 1.4.2 · 1.4.3 · 1.4.4 · 1.4.5 · 1.5.1
- Requirement 2: 2.1.1 · 2.1.2 · 2.2.1 · 2.2.2 · 2.2.3 · 2.2.4 · 2.2.5 · 2.2.6 · 2.2.7 · 2.3.1 · 2.3.2
- Requirement 3: 3.1.1 · 3.1.2 · 3.2.1 · 3.3.1 · 3.3.1.1 · 3.3.1.2 · 3.3.1.3 · 3.3.2 · 3.3.3 · 3.4.1 · 3.4.2 · 3.5.1 · 3.5.1.1 · 3.5.1.2 · 3.5.1.3 · 3.6.1 · 3.6.1.1 · 3.6.1.2 · 3.6.1.3 · 3.6.1.4 · 3.7.1 · 3.7.2 · 3.7.3 · 3.7.4 · 3.7.5 · 3.7.6 · 3.7.7 · 3.7.8 · 3.7.9
- Requirement 4: 4.1.1 · 4.1.2 · 4.2.1 · 4.2.1.1 · 4.2.1.2 · 4.2.2
- Requirement 5: 5.1.1 · 5.1.2 · 5.2.1 · 5.2.2 · 5.2.3 · 5.2.3.1 · 5.3.1 · 5.3.2 · 5.3.2.1 · 5.3.3 · 5.3.4 · 5.3.5 · 5.4.1
- Requirement 6: 6.1.1 · 6.1.2 · 6.2.1 · 6.2.2 · 6.2.3 · 6.2.3.1 · 6.2.4 · 6.3.1 · 6.3.2 · 6.3.3 · 6.4.1 · 6.4.2 · 6.4.3 · 6.5.1 · 6.5.2 · 6.5.3 · 6.5.4 · 6.5.5 · 6.5.6
- Requirement 7: 7.1.1 · 7.1.2 · 7.2.1 · 7.2.2 · 7.2.3 · 7.2.4 · 7.2.5 · 7.2.5.1 · 7.2.6 · 7.3.1 · 7.3.2 · 7.3.3
- Requirement 8: 8.1.1 · 8.1.2 · 8.2.1 · 8.2.2 · 8.2.3 · 8.2.4 · 8.2.5 · 8.2.6 · 8.2.7 · 8.2.8 · 8.3.1 · 8.3.2 · 8.3.3 · 8.3.4 · 8.3.5 · 8.3.6 · 8.3.7 · 8.3.8 · 8.3.9 · 8.3.10 · 8.3.10.1 · 8.3.11 · 8.4.1 · 8.4.2 · 8.4.3 · 8.5.1 · 8.6.1 · 8.6.2 · 8.6.3
- Requirement 9: 9.1.1 · 9.1.2 · 9.2.1 · 9.2.1.1 · 9.2.2 · 9.2.3 · 9.2.4 · 9.3.1 · 9.3.1.1 · 9.3.2 · 9.3.3 · 9.3.4 · 9.4.1 · 9.4.1.1 · 9.4.1.2 · 9.4.2 · 9.4.3 · 9.4.4 · 9.4.5 · 9.4.5.1 · 9.4.6 · 9.4.7 · 9.5.1 · 9.5.1.1 · 9.5.1.2 · 9.5.1.2.1 · 9.5.1.3
- Requirement 10: 10.1.1 · 10.1.2 · 10.2.1 · 10.2.1.1 · 10.2.1.2 · 10.2.1.3 · 10.2.1.4 · 10.2.1.5 · 10.2.1.6 · 10.2.1.7 · 10.2.2 · 10.3.1 · 10.3.2 · 10.3.3 · 10.3.4 · 10.4.1 · 10.4.1.1 · 10.4.2 · 10.4.2.1 · 10.4.3 · 10.5.1 · 10.6.1 · 10.6.2 · 10.6.3 · 10.7.1 · 10.7.2 · 10.7.3
- Requirement 11: 11.1.1 · 11.1.2 · 11.2.1 · 11.2.2 · 11.3.1 · 11.3.1.1 · 11.3.1.2 · 11.3.1.3 · 11.3.2 · 11.3.2.1 · 11.4.1 · 11.4.2 · 11.4.3 · 11.4.4 · 11.4.5 · 11.4.6 · 11.4.7 · 11.5.1 · 11.5.1.1 · 11.5.2 · 11.6.1
- Requirement 12: 12.1.1 · 12.1.2 · 12.1.3 · 12.1.4 · 12.2.1 · 12.3.1 · 12.3.2 · 12.3.3 · 12.3.4 · 12.4.1 · 12.4.2 · 12.4.2.1 · 12.5.1 · 12.5.2 · 12.5.2.1 · 12.5.3 · 12.6.1 · 12.6.2 · 12.6.3 · 12.6.3.1 · 12.6.3.2 · 12.7.1 · 12.8.1 · 12.8.2 · 12.8.3 · 12.8.4 · 12.8.5 · 12.9.1 · 12.9.2 · 12.10.1 · 12.10.2 · 12.10.3 · 12.10.4 · 12.10.4.1 · 12.10.5 · 12.10.6 · 12.10.7
Requirements in this framework
- 24/7 Incident Response Personnel
- Acceptable Use Policies
- Acceptable Use Training
- Access Based on Job Classification
- Access Control Enforcement
- Access Control Model
- Access Control System
- Account and authentication security
- Accurate Data-Flow Diagram
- Accurate Network Diagram
- Additional Key Management for Service Providers
- Additional Key Protection for Service Providers
- Address Log Review Exceptions
- Allowed Services, Protocols, and Ports
- Anti-Malware Audit Logs
- Anti-Malware Cannot Be Disabled
- Anti-Malware Deployment
- Anti-Malware Detection Capabilities
- Anti-Malware Kept Current
- Anti-Malware Scanning
- Anti-Phishing Mechanisms
- Anti-Spoofing Measures
- Application Account Access Review
- Application and System Account Management
- Apply secure configurations to all system components
- Audit Log Backup
- Audit Log Content Requirements
- Audit Log Modification Protection
- Audit Log Retention
- Audit Logs Enabled
- Authenticated Internal Scanning
- Authentication Attempt Lockout
- Authentication Factor Encryption
- Authentication Factor Requirements
- Authentication Policy Communication
- Automated Log Review Mechanisms
- Automated Web Attack Prevention
- Card Verification Codes Not Retained
- Change Control Procedures
- Change-Detection Mechanism
- CISO Responsibility Assignment
- Configuration Standards for System Components
- Console Access Restriction in Sensitive Areas
- Cryptographic Key Changes at Cryptoperiod End
- Cryptographic Key Protection Procedures
- Cryptographic Key Storage
- Cryptographic Suite Documentation
- Customized Approach Risk Analysis
- Daily Log Review
- Data Retention and Disposal Policies
- Default Deny Access
- Develop and maintain secure systems and software
- Disk-Level Encryption Access Controls
- Disk-Level Encryption for Removable Media
- Electronic Media Destruction
- Electronic Media Inventory
- Electronic Media Inventory Frequency
- Enable Only Necessary Services
- Encrypt Non-Console Administrative Access
- Evaluation of Systems Not at Risk
- External Penetration Testing
- External Scans After Significant Changes
- External Vulnerability Scans
- Facility Entry Controls for CDE
- File Integrity Monitoring for Logs
- Frequency of Anti-Malware Scans
- Frequency of Malware Risk Evaluations
- Frequency of Periodic Log Reviews
- Full Track Data Not Retained
- Group and Shared Account Management
- Hard Copy Material Destruction
- Hardware and Software Technology Review
- Identity Verification Before Authentication Changes
- In-Scope System Component Inventory
- Inactive Account Disabling
- Incident Response Lessons Learned
- Incident Response Monitoring
- Incident Response Plan
- Incident Response Plan Review and Testing
- Incident Response Training
- Incident Response Training Frequency
- Information Security Policy
- Information Security Policy Annual Review
- Initial Password Requirements
- Insecure Services Documentation
- Internal Penetration Testing
- Internal Scan Vulnerability Management
- Internal Scans After Significant Changes
- Internal Vulnerability Scans
- Intrusion Detection and Prevention
- Inventory of Trusted Keys and Certificates
- Issuers SAD Storage
- Key Custodian Acknowledgment
- Key Generation Policies
- Key Retirement and Replacement
- Keyed Cryptographic Hashes for PAN
- Limit Disclosure of Internal IP Addresses
- Live PANs Not in Pre-Production
- Log Access to Audit Logs
- Log Administrative Actions
- Log Audit Log Changes
- Log Credential and Account Changes
- Log Individual User Access to CHD
- Log Invalid Access Attempts
- Log System-Level Object Changes
- Logging and monitoring
- Management Approval for Media Transfer
- Manual Code Review Requirements
- Media Classification
- MFA for Administrative CDE Access
- MFA for All CDE Access
- MFA for Remote Network Access
- MFA System Configuration
- Monitoring Physical Access to CDE
- Multi-Tenant Service Provider Penetration Testing
- Network security controls
- No Direct Access to CHD from Untrusted Networks
- No Hardcoded Passwords
- NSC Change Control Process
- NSC Configuration File Security
- NSC Configuration Review
- NSC Ruleset Configuration Standards
- NSCs Between Trusted and Untrusted Networks
- NSCs Between Wireless and CDE
- Offline Media Backup Location Review
- Offline Media Backup Security
- PAN Masking in Display
- PAN Rendered Unreadable in Storage
- PAN Security via End-User Messaging
- Password Change Frequency
- Password Complexity Requirements
- Password History
- Payment Page Change Detection
- Payment Page Script Management
- PCI DSS Confirmation After Significant Changes
- PCI DSS Scope Documentation and Validation
- Penetration Testing Methodology
- Periodic Review of Other Logs
- Personnel Background Screening
- Personnel Physical Access Authorization
- Personnel Security Training
- Physical Access to Sensitive CDE Areas
- Physical Access to Wireless and Network Hardware
- Physical and Logical Token Management
- Physical Network Jack Controls
- Physical Security of Media
- PINs Not Retained
- POI Device Inspection
- POI Device Inventory
- POI Device Protection
- POI Device Tampering Training
- POI Inspection Frequency
- Prevent PAN Copy via Remote Access
- Prevention of Unauthorized Key Substitution
- Primary Functions Requiring Different Security Levels
- Privilege Approval by Authorized Personnel
- Protect account data with strong cryptography during transmission
- Protect stored account data
- Protect stored and transmitted account data
- Protect systems and networks from malicious software
- Public-Facing Web Application Protection
- Read Access to Audit Logs Restricted
- Remediate Penetration Test Findings
- Removable Media Scanning
- Remove Test Data Before Production
- Restrict Access to Cardholder Data Queries
- Restrict Access to Cleartext Keys
- Restrict access to system components and cardholder data by business need
- Restrict Inbound Traffic from Untrusted Networks
- Restrict Inbound Traffic to CDE
- Restrict Outbound Traffic from CDE
- Roles and Responsibilities for Access Restriction
- Roles and Responsibilities for Anti-Malware
- Roles and Responsibilities for Authentication
- Roles and Responsibilities for Data Transmission
- Roles and Responsibilities for Logging
- Roles and Responsibilities for Network Security Controls
- Roles and Responsibilities for Physical Access
- Roles and Responsibilities for Secure Configurations
- Roles and Responsibilities for Secure Development
- Roles and Responsibilities for Security Testing
- Roles and Responsibilities for Stored Data Protection
- SAD Encryption Before Authorization
- SAD Not Retained After Authorization
- Secure Key Distribution
- Secure Key Storage
- Secure Media Distribution
- Secure Software Development Practices
- Security Awareness Program
- Security Awareness Program Review
- Security Awareness Threat Training
- Security Control Failure Detection
- Security Control Failure Response
- Security Controls for Dual-Network Devices
- Security Features for Insecure Services
- Security governance and third-party oversight
- Security Patch Installation
- Security Policies and Procedures for Access Restriction
- Security Policies and Procedures for Anti-Malware
- Security Policies and Procedures for Authentication
- Security Policies and Procedures for Data Transmission
- Security Policies and Procedures for Logging
- Security Policies and Procedures for Network Security Controls
- Security Policies and Procedures for Physical Access
- Security Policies and Procedures for Secure Configurations
- Security Policies and Procedures for Secure Development
- Security Policies and Procedures for Security Testing
- Security Policies and Procedures for Stored Data Protection
- Security Roles and Responsibilities
- Security Vulnerability Identification
- Segmentation Control Testing
- Separation of Duties Between Environments
- Separation of Pre-Production and Production
- Service Provider Compliance Acknowledgment
- Service Provider Compliance Monitoring
- Service Provider Compliance Responsibility
- Service Provider Compliance Review Documentation
- Service Provider Covert Communication Detection
- Service Provider Customer Compliance Support
- Service Provider Customer Password Changes
- Service Provider Customer Password Guidance
- Service Provider Due Diligence
- Service Provider Inventory
- Service Provider Quarterly Compliance Reviews
- Service Provider Responsibility Documentation
- Service Provider Scope Change Review
- Service Provider Scope Validation Frequency
- Service Provider Security Control Failure Detection
- Service Provider Segmentation Testing Frequency
- Service Provider Unique Authentication
- Service Provider Written Agreements
- Session Idle Timeout
- Software Attack Prevention
- Software Code Review Before Release
- Software Development Training
- Software Inventory for Vulnerability Management
- Split Knowledge and Dual Control
- Store Keys in Fewest Locations
- Strong Cryptography for PAN Transmission
- System Account Interactive Login Management
- System Account Password Management
- System Security Parameters
- Targeted Risk Analysis for Flexible Requirements
- Terminated User Access Revocation
- Third-Party Remote Access Accounts
- Time Synchronization Access Controls
- Time Synchronization Configuration
- Time Synchronization Technology
- Unexpected PAN Discovery Procedures
- Unique User Identification
- User Account Lifecycle Management
- User Account Review
- Vendor Default Account Management
- Visitor Access Procedures
- Visitor Badge Management
- Visitor Log
- Vulnerability and malware management
- Wireless Access Point Detection
- Wireless Access Point Inventory
- Wireless Encryption Key Management
- Wireless Network Encryption
- Wireless Vendor Default Security