ZaNCmYJq

1raw_data = [['PCI DSS v3.2.1 Req. § 1.1', '1.1 Establish and implement firewall and router configuration standards that include the following:', 'not tested', 'Are firewall & router configuration standards documented?', '1.1 Inspect the firewall and router configuration standards and other documentation specified below and verify that standards are complete and implemented as follows:', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 1.1.1.a', '1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations', 'not tested', 'Are there documented procedures for testing and approving of all network connections and changes to firewall & router configurations?', '1.1.1.a Examine documented procedures to verify there is a formal process for testing and approval of all:\nx  Network connections and\nx  Changes to firewall and router configurations', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 1.1.1.b', '1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations', 'not tested', 'Do you have records showing that network connections were approved and tested?', '1.1.1.b For a sample of network connections, interview responsible personnel and examine records to verify that network connections were approved and tested.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 1.1.1.c', '1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations', 'not tested', 'Have changes been made to network connections or firewall & router configurations this year?', '1.1.1.c Identify a sample of actual changes made to firewall and router configurations, compare to the change records, and interview responsible personnel to verify the changes were approved and tested.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 1.1.2.a', '1.1.2 Current network diagram that identifies all connections between the cardholder data environment and other networks, including any wireless networks', 'not tested', 'Is there a current network diagram (for example, one that shows cardholder data flows over the network) that documents all connections to cardholder data, including any wireless networks?', '1.1.2.a Examine diagram(s) and observe network configurations to verify that a current network diagram exists and that it documents all connections to cardholder data, including any wireless networks.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 1.1.2.b', '1.1.2 Current network diagram that identifies all connections between the cardholder data environment and other networks, including any wireless networks', 'not tested', 'Is there a process to ensure the network diagram is kept current?', '1.1.2.b Interview responsible personnel to verify that the diagram is kept current.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 1.1.3', '1.1.3 Current diagram that shows all cardholder data flows across systems and networks', 'not tested', 'Does the current diagram include all cardholder data flows across systems and networks?', '1.1.3 Examine data-flow diagram and interview personnel to verify the diagram:\nx  Shows all cardholder data flows across systems and networks.\nx  Is kept current and updated as needed upon changes to the environment.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 1.1.4.a', '1.1.4 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone', 'not tested', 'Do established firewall configuration standards include requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone?', '1.1.4.a Examine the firewall configuration standards and verify that they include requirements for a firewall at each Internet connection and between any DMZ and the internal network zone.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 1.1.4.b', '1.1.4 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone', 'not tested', 'Is the current network diagram consistent with the firewall configuration standards?', '1.1.4.b Verify that the current network diagram is consistent with the firewall configuration standards.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 1.1.4.c', '1.1.4 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone', 'not tested', 'Is a firewall in place at each internet connection and between any demilitarized zone (DMZ) and the internal network zone?', '1.1.4.c Observe network configurations to verify that a firewall is in place at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone, per the documented configuration standards and network diagrams.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 1.1.5.a', '1.1.5 Description of groups, roles, and responsibilities for management of network components', 'not tested', 'Are groups, roles, and responsibilities for logical management of network components assigned and documented in the firewall and router configuration standards?', '1.1.5.a Verify that firewall and router configuration standards include a description of groups, roles, and responsibilities for management of network components.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 1.1.5.b', '1.1.5 Description of groups, roles, and responsibilities for management of network components', 'not tested', 'Do personnel know which network components they are responsible for?', '1.1.5.b Interview personnel responsible for management of network components to confirm that roles and responsibilities are assigned as documented.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 1.1.6.a', '1.1.6 Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.', 'not tested', 'Do firewall and router configuration standards include a documented list of services, protocols, and ports, including business justification (for example, hypertext transfer protocol (HTTP), Secure Sockets Layer (SSL), Secure Shell (SSH), and Virtual Private Network (VPN) protocols)?', '1.1.6.a Verify that firewall and router configuration standards include a documented list of all services, protocols and ports, including business justification and approval for each.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 1.1.6.b', '1.1.6 Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.', 'not tested', 'Are all insecure services, protocols, and ports identified, and are security features documented and implemented for each identified service? Note: Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP.', '1.1.6.b Identify insecure services, protocols, and ports allowed; and verify that security features are documented for each service.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 1.1.6.c', '1.1.6 Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.', 'not tested', 'Do the current "live" firewall & router configurations match the documented security features for each insecure service, protocol and port?', '1.1.6.c Examine firewall and router configurations to verify that the documented security features are implemented for each insecure service, protocol, and port.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 1.1.7.a', '1.1.7 Requirement to review firewall and router rule sets at least every six months', 'not tested', 'Do firewall and router configuration standards require review of firewall and router rule sets at least every six months?', '1.1.7.a Verify that firewall and router configuration standards require review of firewall and router rule sets at least every six months.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 1.1.7.b', '1.1.7 Requirement to review firewall and router rule sets at least every six months', 'not tested', 'Are firewall and router rule sets reviewed at least every six months?', '1.1.7.b Examine documentation relating to rule set reviews and interview responsible personnel to verify that the rule sets are reviewed at least every six months.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 1.2', "1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.\n\nNote: An “untrusted network” is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity's ability to control or manage.", 'not tested', 'Are connections between untrusted networks and system components in the cardholder data environment (CDE) restricted?', '1.2 Examine firewall and router configurations and perform the following to verify that connections are restricted between untrusted networks and system components in the cardholder data environment:', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 1.2.1.a', '1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.', 'not tested', 'Are inbound and outbound traffic restricted to that which is necessary for the cardholder data environment?', '1.2.1.a Examine firewall and router configuration standards to verify that they identify inbound and outbound traffic necessary for the cardholder data environment.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 1.2.1.b', '1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.', 'not tested', 'Is all other inbound and outbound traffic specifically denied or implicitly denied? Note: for example by using an explicit “deny all” or an implicit deny after allow statement.', '1.2.1.b Examine firewall and router configurations to verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data environment.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 1.2.1.c', '1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.', 'not tested', 'Is all "unnecessary" inbound and outbound traffic specifically denied?', '1.2.1.c Examine firewall and router configurations to verify that all other inbound and outbound traffic is specifically denied, for example by using an explicit “deny all” or an implicit deny after allow statement.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 1.2.2.a', '1.2.2 Secure and synchronize router configuration files.', 'not tested', 'Are router configuration files secured from unauthorized access?', '1.2.2.a Examine router configuration files to verify they are secured from unauthorized access.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 1.2.2.b', '1.2.2 Secure and synchronize router configuration files.', 'not tested', 'Do the running (or active) router configuration files match the start-up configuration (used when machines are booted)?', '1.2.2.b Examine router configurations to verify they are synchronized—for example, the running (or active) configuration matches the start-up configuration (used when machines are booted).', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 1.2.3.a', '1.2.3 Install perimeter firewalls between all wireless networks and the cardholder data environment, and configure these firewalls to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment.', 'not tested', 'Have perimeter firewalls been installed between all wireless networks and the cardholder data environment?', '1.2.3.a Examine firewall and router configurations to verify that there are perimeter firewalls installed between all wireless networks and the cardholder data environment.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 1.2.3.b', '1.2.3 Install perimeter firewalls between all wireless networks and the cardholder data environment, and configure these firewalls to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment.', 'not tested', 'Are the perimeter firewalls installed between the wireless networks and the cardholder data environment configured to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment?', '1.2.3.b Verify that the firewalls deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 1.3', '1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.', 'not tested', 'Are direct connections prohibited for inbound or outbound traffic between the Internet and the cardholder data environment (CDE)?', '1.3 Examine firewall and router configurations—including but not limited to the choke router at the Internet, the DMZ router and firewall, the DMZ cardholder segment, the perimeter router, and the internal cardholder network segment—and perform the\nfollowing to determine that there is no direct access between the\nInternet and system components in the internal cardholder network segment:', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 1.3.1', '1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.', 'not tested', 'Has the DMZ been implemented to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports?', '1.3.1 Examine firewall and router configurations to verify that a DMZ is implemented to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 1.3.2', '1.3.2 Limit inbound Internet traffic to IP\naddresses within the DMZ.', 'not tested', 'Does the inbound Internet traffic limited to IP addresses within the DMZ?', '1.3.2 Examine firewall and router configurations to verify that inbound Internet traffic is limited to IP addresses within the DMZ.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 1.3.3', '1.3.3 Implement anti-spoofing measures to detect and block forged source IP addresses from entering the network.\n(For example, block traffic originating from the Internet with an internal source address.)', 'not tested', 'Have the anti-spoofing measures been implemented to detect and block forged sourced IP addresses from entering the network? For example, block traffic originating from the internet with an internal address.', '1.3.3 Examine firewall and router configurations to verify that anti-spoofing measures are implemented, for example internal addresses cannot pass from the Internet into the DMZ.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 1.3.4', '1.3.4 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.', 'not tested', 'Is the outbound traffic from the cardholder data environment to the Internet explicitly authorized?', '1.3.4 Examine firewall and router configurations to verify that outbound traffic from the cardholder data environment to the Internet is explicitly authorized.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 1.3.5', '1.3.5 Permit only “established”\nconnections into the network.', 'not tested', 'Has stateful inspection or dynamic packet filtering been implemented? (In other words, only "established" connections are allowed into the network?)', '1.3.5 Examine firewall and router configurations to verify that the firewall permits only established connections into the internal network and denies any inbound connections not associated with a previously established session.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 1.3.6', '1.3.6 Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.', 'not tested', 'Are system components that store cardholder data (such as a database) placed in an internal network zone, segregated from the DMZ and other untrusted networks?', '1.3.6 Examine firewall and router configurations to verify that system components that store cardholder data are on an internal network zone, segregated from the DMZ and other untrusted networks.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 1.3.7.a', '1.3.7 Do not disclose private IP addresses and routing information to unauthorized parties.\n\nNote: Methods to obscure IP addressing\nmay include, but are not limited to:\nx    Network Address Translation\n(NAT)\nx    Placing servers containing cardholder data behind proxy servers/firewalls,\nx    Removal or filtering of route advertisements for private networks that employ registered addressing,\nx    Internal use of RFC1918 address space instead of registered addresses.', 'not tested', 'Are methods in place to prevent the disclosure of private IP addresses and routing information to the Internet like NAT, Proxy etc?', '1.3.7.a Examine firewall and router configurations to verify that methods are in place to prevent the disclosure of private IP addresses and routing information from internal networks to\nthe Internet.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 1.3.7.b', '1.3.7 Do not disclose private IP addresses and routing information to unauthorized parties.\n\nNote: Methods to obscure IP addressing\nmay include, but are not limited to:\nx    Network Address Translation\n(NAT)\nx    Placing servers containing cardholder data behind proxy servers/firewalls,\nx    Removal or filtering of route advertisements for private networks that employ registered addressing,\nx    Internal use of RFC1918 address space instead of registered addresses.', 'not tested', 'Are disclosures of private IP addresses and routing information to external entities authorized?', '1.3.7.b Interview personnel and examine documentation to verify that any disclosure of private IP addresses and routing information to external entities is authorized.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 1.5', '1.5 Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.', 'not tested', 'Are the security policies and operational procedures for managing firewalls documented, in use and known to all affected parties?', '1.5 Examine documentation and interview personnel to verify that security policies and operational procedures for managing firewalls are:\nx   Documented,\nx   In use, and\nx   Known to all affected parties.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 10.1', '10.1 Implement audit trails to link all access to system components to each individual user.', 'not tested', 'Are audit trails enabled and active for system components and is access to system components linked to individual users?', '10.1 Verify, through observation and interviewing the system administrator, that:\nx    Audit trails are enabled and active for system components.\nx    Access to system components is linked to individual users.', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 10.1', '10.1 Implement audit trails to link all access to system components to each individual user.', 'not tested', 'Are audit trails enabled and active for system components and is access to system components linked to individual users?', '10.1 Verify, through observation and interviewing the system administrator, that:\nx    Audit trails are enabled and active for system components.\nx    Access to system components is linked to individual users.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 10.1', '10.1 Implement audit trails to link all access to system components to each individual user.', 'not tested', 'Are audit trails enabled and active for system components and is access to system components linked to individual users?', '10.1 Verify, through observation and interviewing the system administrator, that:\nx    Audit trails are enabled and active for system components.\nx    Access to system components is linked to individual users.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 10.2', '10.2 Implement automated audit trails for all system components to reconstruct the following events:', 'not tested', 'Have automated audit trails been implemented?', '10.2 Through interviews of responsible personnel, observation of audit logs, and examination of audit log settings, perform the following:', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 10.2', '10.2 Implement automated audit trails for all system components to reconstruct the following events:', 'not tested', 'Have automated audit trails been implemented?', '10.2 Through interviews of responsible personnel, observation of audit logs, and examination of audit log settings, perform the following:', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 10.2', '10.2 Implement automated audit trails for all system components to reconstruct the following events:', 'not tested', 'Have automated audit trails been implemented?', '10.2 Through interviews of responsible personnel, observation of audit logs, and examination of audit log settings, perform the following:', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 10.2.1', '10.2.1 All individual user accesses to cardholder data', 'not tested', 'Have automated audit trails been implemented for all system components to log all individual user access to cardholder data?', '10.2.1 Verify all individual access to cardholder data is logged.', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 10.2.1', '10.2.1 All individual user accesses to cardholder data', 'not tested', 'Have automated audit trails been implemented for all system components to log all individual user access to cardholder data?', '10.2.1 Verify all individual access to cardholder data is logged.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 10.2.1', '10.2.1 All individual user accesses to cardholder data', 'not tested', 'Have automated audit trails been implemented for all system components to log all individual user access to cardholder data?', '10.2.1 Verify all individual access to cardholder data is logged.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 10.2.2', '10.2.2 All actions taken by any individual with root or administrative privileges', 'not tested', 'Are automated audit trails implemented for all system components to log all actions taken by any individual with root or administrative privileges?', '10.2.2 Verify all actions taken by any individual with root or administrative privileges are logged.', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 10.2.2', '10.2.2 All actions taken by any individual with root or administrative privileges', 'not tested', 'Are automated audit trails implemented for all system components to log all actions taken by any individual with root or administrative privileges?', '10.2.2 Verify all actions taken by any individual with root or administrative privileges are logged.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 10.2.2', '10.2.2 All actions taken by any individual with root or administrative privileges', 'not tested', 'Are automated audit trails implemented for all system components to log all actions taken by any individual with root or administrative privileges?', '10.2.2 Verify all actions taken by any individual with root or administrative privileges are logged.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 10.2.3', '10.2.3 Access to all audit trails', 'not tested', 'Are automated audit trails implemented for all system components to log all access to audit trails?', '10.2.3 Verify access to all audit trails is logged.', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 10.2.3', '10.2.3 Access to all audit trails', 'not tested', 'Are automated audit trails implemented for all system components to log all access to audit trails?', '10.2.3 Verify access to all audit trails is logged.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 10.2.3', '10.2.3 Access to all audit trails', 'not tested', 'Are automated audit trails implemented for all system components to log all access to audit trails?', '10.2.3 Verify access to all audit trails is logged.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 10.2.4', '10.2.4 Invalid logical access attempts', 'not tested', 'Are automated audit trails implemented to log all invalid logical access attempts?', '10.2.4 Verify invalid logical access attempts are logged.', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 10.2.4', '10.2.4 Invalid logical access attempts', 'not tested', 'Are automated audit trails implemented to log all invalid logical access attempts?', '10.2.4 Verify invalid logical access attempts are logged.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 10.2.4', '10.2.4 Invalid logical access attempts', 'not tested', 'Are automated audit trails implemented to log all invalid logical access attempts?', '10.2.4 Verify invalid logical access attempts are logged.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 10.2.5.a', '10.2.5 Use of and changes to identification and authentication mechanisms—including but not limited to creation of new accounts and elevation of privileges—and all changes, additions, or deletions to accounts with root or administrative privileges', 'not tested', 'Are automated audit trails implemented to log use of identification and authentication mechanisms?', '10.2.5.a Verify use of identification and authentication mechanisms is logged.', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 10.2.5.a', '10.2.5 Use of and changes to identification and authentication mechanisms—including but not limited to creation of new accounts and elevation of privileges—and all changes, additions, or deletions to accounts with root or administrative privileges', 'not tested', 'Are automated audit trails implemented to log use of identification and authentication mechanisms?', '10.2.5.a Verify use of identification and authentication mechanisms is logged.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 10.2.5.a', '10.2.5 Use of and changes to identification and authentication mechanisms—including but not limited to creation of new accounts and elevation of privileges—and all changes, additions, or deletions to accounts with root or administrative privileges', 'not tested', 'Are automated audit trails implemented to log use of identification and authentication mechanisms?', '10.2.5.a Verify use of identification and authentication mechanisms is logged.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 10.2.5.b', '10.2.5 Use of and changes to identification and authentication mechanisms—including but not limited to creation of new accounts and elevation of privileges—and all changes, additions, or deletions to accounts with root or administrative privileges', 'not tested', 'Are automated audit trails implemented to log all elevation of privileges?', '10.2.5.b Verify all elevation of privileges is logged.', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 10.2.5.b', '10.2.5 Use of and changes to identification and authentication mechanisms—including but not limited to creation of new accounts and elevation of privileges—and all changes, additions, or deletions to accounts with root or administrative privileges', 'not tested', 'Are automated audit trails implemented to log all elevation of privileges?', '10.2.5.b Verify all elevation of privileges is logged.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 10.2.5.b', '10.2.5 Use of and changes to identification and authentication mechanisms—including but not limited to creation of new accounts and elevation of privileges—and all changes, additions, or deletions to accounts with root or administrative privileges', 'not tested', 'Are automated audit trails implemented to log all elevation of privileges?', '10.2.5.b Verify all elevation of privileges is logged.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 10.2.5.c', '10.2.5 Use of and changes to identification and authentication mechanisms—including but not limited to creation of new accounts and elevation of privileges—and all changes, additions, or deletions to accounts with root or administrative privileges', 'not tested', 'Are automated audit trails implemented to log changes, additions, or deletions to any account with root or administrative privileges?', '10.2.5.c Verify all changes, additions, or deletions to any account with root or administrative privileges are logged.', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 10.2.5.c', '10.2.5 Use of and changes to identification and authentication mechanisms—including but not limited to creation of new accounts and elevation of privileges—and all changes, additions, or deletions to accounts with root or administrative privileges', 'not tested', 'Are automated audit trails implemented to log changes, additions, or deletions to any account with root or administrative privileges?', '10.2.5.c Verify all changes, additions, or deletions to any account with root or administrative privileges are logged.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 10.2.5.c', '10.2.5 Use of and changes to identification and authentication mechanisms—including but not limited to creation of new accounts and elevation of privileges—and all changes, additions, or deletions to accounts with root or administrative privileges', 'not tested', 'Are automated audit trails implemented to log changes, additions, or deletions to any account with root or administrative privileges?', '10.2.5.c Verify all changes, additions, or deletions to any account with root or administrative privileges are logged.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 10.2.6', '10.2.6 Initialization, stopping, or pausing of the audit logs', 'not tested', 'Are automated audit trails implemented to log the initialization, stopping, or pausing of the audit logs?', '10.2.6 Verify the following are logged:\n\nx  Initialization of audit logs\nx  Stopping or pausing of audit logs.', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 10.2.6', '10.2.6 Initialization, stopping, or pausing of the audit logs', 'not tested', 'Are automated audit trails implemented to log the initialization, stopping, or pausing of the audit logs?', '10.2.6 Verify the following are logged:\n\nx  Initialization of audit logs\nx  Stopping or pausing of audit logs.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 10.2.6', '10.2.6 Initialization, stopping, or pausing of the audit logs', 'not tested', 'Are automated audit trails implemented to log the initialization, stopping, or pausing of the audit logs?', '10.2.6 Verify the following are logged:\n\nx  Initialization of audit logs\nx  Stopping or pausing of audit logs.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 10.2.7', '10.2.7 Creation and deletion of system- level objects', 'not tested', 'Are automated audit trails implemented to log the creation and deletion of system-level objects?', '10.2.7 Verify creation and deletion of system level objects are logged.', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 10.2.7', '10.2.7 Creation and deletion of system- level objects', 'not tested', 'Are automated audit trails implemented to log the creation and deletion of system-level objects?', '10.2.7 Verify creation and deletion of system level objects are logged.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 10.2.7', '10.2.7 Creation and deletion of system- level objects', 'not tested', 'Are automated audit trails implemented to log the creation and deletion of system-level objects?', '10.2.7 Verify creation and deletion of system level objects are logged.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 10.3', '10.3 Record at least the following audit trail entries for all system components for each event:', 'not tested', 'Are audit trail entries recorded for all system components for each event?', '10.3 Through interviews and observation of audit logs, for each auditable event (from 10.2), perform the following:', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 10.3', '10.3 Record at least the following audit trail entries for all system components for each event:', 'not tested', 'Are audit trail entries recorded for all system components for each event?', '10.3 Through interviews and observation of audit logs, for each auditable event (from 10.2), perform the following:', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 10.3', '10.3 Record at least the following audit trail entries for all system components for each event:', 'not tested', 'Are audit trail entries recorded for all system components for each event?', '10.3 Through interviews and observation of audit logs, for each auditable event (from 10.2), perform the following:', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 10.3.1', '10.3.1 User identification', 'not tested', 'Do audit trail entries for all system components include user identification?', '10.3.1 Verify user identification is included in log entries.', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 10.3.1', '10.3.1 User identification', 'not tested', 'Do audit trail entries for all system components include user identification?', '10.3.1 Verify user identification is included in log entries.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 10.3.1', '10.3.1 User identification', 'not tested', 'Do audit trail entries for all system components include user identification?', '10.3.1 Verify user identification is included in log entries.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 10.3.2', '10.3.2 Type of event', 'not tested', 'Do audit trail entries for all system components include type of event?', '10.3.2 Verify type of event is included in log entries.', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 10.3.2', '10.3.2 Type of event', 'not tested', 'Do audit trail entries for all system components include type of event?', '10.3.2 Verify type of event is included in log entries.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 10.3.2', '10.3.2 Type of event', 'not tested', 'Do audit trail entries for all system components include type of event?', '10.3.2 Verify type of event is included in log entries.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 10.3.3', '10.3.3 Date and time', 'not tested', 'Do audit trail entries for all system components include date and time stamp?', '10.3.3 Verify date and time stamp is included in log entries.', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 10.3.3', '10.3.3 Date and time', 'not tested', 'Do audit trail entries for all system components include date and time stamp?', '10.3.3 Verify date and time stamp is included in log entries.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 10.3.3', '10.3.3 Date and time', 'not tested', 'Do audit trail entries for all system components include date and time stamp?', '10.3.3 Verify date and time stamp is included in log entries.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 10.3.4', '10.3.4 Success or failure indication', 'not tested', 'Do audit trail entries for all system components include success or failure indicator?', '10.3.4 Verify success or failure indication is included in log entries.', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 10.3.4', '10.3.4 Success or failure indication', 'not tested', 'Do audit trail entries for all system components include success or failure indicator?', '10.3.4 Verify success or failure indication is included in log entries.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 10.3.4', '10.3.4 Success or failure indication', 'not tested', 'Do audit trail entries for all system components include success or failure indicator?', '10.3.4 Verify success or failure indication is included in log entries.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 10.3.5', '10.3.5 Origination of event', 'not tested', 'Do audit trail entries for all system components include origination of event?', '10.3.5 Verify origination of event is included in log entries.', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 10.3.5', '10.3.5 Origination of event', 'not tested', 'Do audit trail entries for all system components include origination of event?', '10.3.5 Verify origination of event is included in log entries.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 10.3.5', '10.3.5 Origination of event', 'not tested', 'Do audit trail entries for all system components include origination of event?', '10.3.5 Verify origination of event is included in log entries.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 10.3.6', '10.3.6 Identity or name of affected data, system component, or resource.', 'not tested', 'Do audit trail entries for all system components include identity or name of affected data, system component, or resource?', '10.3.6 Verify identity or name of affected data, system component, or resources is included in log entries.', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 10.3.6', '10.3.6 Identity or name of affected data, system component, or resource.', 'not tested', 'Do audit trail entries for all system components include identity or name of affected data, system component, or resource?', '10.3.6 Verify identity or name of affected data, system component, or resources is included in log entries.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 10.3.6', '10.3.6 Identity or name of affected data, system component, or resource.', 'not tested', 'Do audit trail entries for all system components include identity or name of affected data, system component, or resource?', '10.3.6 Verify identity or name of affected data, system component, or resources is included in log entries.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 10.4', '10.4 Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time.\n\nNote: One example of time synchronization technology is Network Time Protocol (NTP).', 'not tested', 'Are all critical system clocks and times synchronized through use of time synchronization technology, and is the technology kept current? Note: One example of time synchronization technology is Network Time Protocol (NTP).', '10.4 Examine configuration standards and processes to verify that time-synchronization technology is implemented and kept current per PCI DSS Requirements 6.1 and 6.2.', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 10.4', '10.4 Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time.\n\nNote: One example of time synchronization technology is Network Time Protocol (NTP).', 'not tested', 'Are all critical system clocks and times synchronized through use of time synchronization technology, and is the technology kept current? Note: One example of time synchronization technology is Network Time Protocol (NTP).', '10.4 Examine configuration standards and processes to verify that time-synchronization technology is implemented and kept current per PCI DSS Requirements 6.1 and 6.2.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 10.4', '10.4 Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time.\n\nNote: One example of time synchronization technology is Network Time Protocol (NTP).', 'not tested', 'Are all critical system clocks and times synchronized through use of time synchronization technology, and is the technology kept current? Note: One example of time synchronization technology is Network Time Protocol (NTP).', '10.4 Examine configuration standards and processes to verify that time-synchronization technology is implemented and kept current per PCI DSS Requirements 6.1 and 6.2.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 10.4.1.a', '10.4.1 Critical systems have the correct and consistent time.', 'not tested', 'Does the process for acquiring, distributing, and storing the correct time within the organization require that:\n\n. Only designated central time server(s) receive time signals from external sources, and time signals from external sources based on International Atomic Time or UTC\n\n. Where there is more than one designated time server, the time servers peer with one another to keep accurate time\n\n. Systems receive time information only from designated central time server(s)?', '10.4.1.a Examine the process for acquiring, distributing and storing the correct time within the organization to verify that:\nx    Only the designated central time server(s) receives time signals from external sources, and time signals from external sources are based on International Atomic Time or UTC.\nx    Where there is more than one designated time server, the time servers peer with one another to keep accurate time,\nx    Systems receive time information only from designated central time server(s).', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 10.4.1.a', '10.4.1 Critical systems have the correct and consistent time.', 'not tested', 'Does the process for acquiring, distributing, and storing the correct time within the organization require that:\n\n. Only designated central time server(s) receive time signals from external sources, and time signals from external sources based on International Atomic Time or UTC\n\n. Where there is more than one designated time server, the time servers peer with one another to keep accurate time\n\n. Systems receive time information only from designated central time server(s)?', '10.4.1.a Examine the process for acquiring, distributing and storing the correct time within the organization to verify that:\nx    Only the designated central time server(s) receives time signals from external sources, and time signals from external sources are based on International Atomic Time or UTC.\nx    Where there is more than one designated time server, the time servers peer with one another to keep accurate time,\nx    Systems receive time information only from designated central time server(s).', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 10.4.1.a', '10.4.1 Critical systems have the correct and consistent time.', 'not tested', 'Does the process for acquiring, distributing, and storing the correct time within the organization require that:\n\n. Only designated central time server(s) receive time signals from external sources, and time signals from external sources based on International Atomic Time or UTC\n\n. Where there is more than one designated time server, the time servers peer with one another to keep accurate time\n\n. Systems receive time information only from designated central time server(s)?', '10.4.1.a Examine the process for acquiring, distributing and storing the correct time within the organization to verify that:\nx    Only the designated central time server(s) receives time signals from external sources, and time signals from external sources are based on International Atomic Time or UTC.\nx    Where there is more than one designated time server, the time servers peer with one another to keep accurate time,\nx    Systems receive time information only from designated central time server(s).', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 10.4.1.b', '', 'not tested', 'Do system components receive time information only from the designated central time server(s)?', '10.4.1.b Observe the time-related system-parameter settings for a sample of system components to verify:\nx    Only the designated central time server(s) receives time signals from external sources, and time signals from external sources are based on International Atomic Time or UTC.\nx    Where there is more than one designated time server, the designated central time server(s) peer with one another to keep accurate time.\nx    Systems receive time only from designated central time server(s).', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 10.4.1.b', '', 'not tested', 'Do system components receive time information only from the designated central time server(s)?', '10.4.1.b Observe the time-related system-parameter settings for a sample of system components to verify:\nx    Only the designated central time server(s) receives time signals from external sources, and time signals from external sources are based on International Atomic Time or UTC.\nx    Where there is more than one designated time server, the designated central time server(s) peer with one another to keep accurate time.\nx    Systems receive time only from designated central time server(s).', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 10.4.1.b', '', 'not tested', 'Do system components receive time information only from the designated central time server(s)?', '10.4.1.b Observe the time-related system-parameter settings for a sample of system components to verify:\nx    Only the designated central time server(s) receives time signals from external sources, and time signals from external sources are based on International Atomic Time or UTC.\nx    Where there is more than one designated time server, the designated central time server(s) peer with one another to keep accurate time.\nx    Systems receive time only from designated central time server(s).', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 10.4.2.a', '10.4.2 Time data is protected.', 'not tested', 'Is access to time data restricted to only personnel with a business need to access time data?', '10.4.2.a Examine system configurations and time- synchronization settings to verify that access to time data is restricted to only personnel with a business need to access time data.', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 10.4.2.a', '10.4.2 Time data is protected.', 'not tested', 'Is access to time data restricted to only personnel with a business need to access time data?', '10.4.2.a Examine system configurations and time- synchronization settings to verify that access to time data is restricted to only personnel with a business need to access time data.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 10.4.2.a', '10.4.2 Time data is protected.', 'not tested', 'Is access to time data restricted to only personnel with a business need to access time data?', '10.4.2.a Examine system configurations and time- synchronization settings to verify that access to time data is restricted to only personnel with a business need to access time data.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 10.4.2.b', '10.4.2 Time data is protected.', 'not tested', 'Are all changes to time settings on critical systems logged, monitored. and reviewed?', '10.4.2.b Examine system configurations, time synchronization settings and logs, and processes to verify that any changes to time settings on critical systems are logged, monitored, and reviewed.', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 10.4.2.b', '10.4.2 Time data is protected.', 'not tested', 'Are all changes to time settings on critical systems logged, monitored. and reviewed?', '10.4.2.b Examine system configurations, time synchronization settings and logs, and processes to verify that any changes to time settings on critical systems are logged, monitored, and reviewed.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 10.4.2.b', '10.4.2 Time data is protected.', 'not tested', 'Are all changes to time settings on critical systems logged, monitored. and reviewed?', '10.4.2.b Examine system configurations, time synchronization settings and logs, and processes to verify that any changes to time settings on critical systems are logged, monitored, and reviewed.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 10.4.3', '10.4.3 Time settings are received from industry-accepted time sources.', 'not tested', 'Are time settings received from specific, industry-accepted time sources?  Optionally, those updates can be encrypted with a symmetric key, and access control lists can be created that specify the IP addresses of client machines that will be provided with the time updates (to prevent unauthorized use of internal time servers).', '10.4.3 Examine systems configurations to verify that the time server(s) accept time updates from specific, industry-accepted external sources (to prevent a malicious individual from changing the clock). Optionally, those updates can be encrypted with a symmetric key, and access control lists can be created that specify the IP addresses of client machines that will be provided with the time updates (to prevent unauthorized use of internal time servers).', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 10.4.3', '10.4.3 Time settings are received from industry-accepted time sources.', 'not tested', 'Are time settings received from specific, industry-accepted time sources?  Optionally, those updates can be encrypted with a symmetric key, and access control lists can be created that specify the IP addresses of client machines that will be provided with the time updates (to prevent unauthorized use of internal time servers).', '10.4.3 Examine systems configurations to verify that the time server(s) accept time updates from specific, industry-accepted external sources (to prevent a malicious individual from changing the clock). Optionally, those updates can be encrypted with a symmetric key, and access control lists can be created that specify the IP addresses of client machines that will be provided with the time updates (to prevent unauthorized use of internal time servers).', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 10.4.3', '10.4.3 Time settings are received from industry-accepted time sources.', 'not tested', 'Are time settings received from specific, industry-accepted time sources?  Optionally, those updates can be encrypted with a symmetric key, and access control lists can be created that specify the IP addresses of client machines that will be provided with the time updates (to prevent unauthorized use of internal time servers).', '10.4.3 Examine systems configurations to verify that the time server(s) accept time updates from specific, industry-accepted external sources (to prevent a malicious individual from changing the clock). Optionally, those updates can be encrypted with a symmetric key, and access control lists can be created that specify the IP addresses of client machines that will be provided with the time updates (to prevent unauthorized use of internal time servers).', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 10.5', '10.5 Secure audit trails so they cannot be altered.', 'not tested', 'Are audit trails secured so they cannot be altered?', '10.5 Interview system administrators and examine system configurations and permissions to verify that audit trails are secured so that they cannot be altered as follows:', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 10.5', '10.5 Secure audit trails so they cannot be altered.', 'not tested', 'Are audit trails secured so they cannot be altered?', '10.5 Interview system administrators and examine system configurations and permissions to verify that audit trails are secured so that they cannot be altered as follows:', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 10.5', '10.5 Secure audit trails so they cannot be altered.', 'not tested', 'Are audit trails secured so they cannot be altered?', '10.5 Interview system administrators and examine system configurations and permissions to verify that audit trails are secured so that they cannot be altered as follows:', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 10.5.1', '10.5.1 Limit viewing of audit trails to those with a job-related need.', 'not tested', 'Is viewing of audit trails limited to those with a job related need?', '10.5.1 Only individuals who have a job-related need can view audit trail files.', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 10.5.1', '10.5.1 Limit viewing of audit trails to those with a job-related need.', 'not tested', 'Is viewing of audit trails limited to those with a job related need?', '10.5.1 Only individuals who have a job-related need can view audit trail files.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 10.5.1', '10.5.1 Limit viewing of audit trails to those with a job-related need.', 'not tested', 'Is viewing of audit trails limited to those with a job related need?', '10.5.1 Only individuals who have a job-related need can view audit trail files.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 10.5.2', '10.5.2 Protect audit trail files from unauthorized modifications.', 'not tested', 'Are audit trail files protected from unauthorized modifications via access control mechanisms, physical segregation, and/or network segregation?', '10.5.2 Current audit trail files are protected from unauthorized modifications via access control mechanisms, physical segregation, and/or network segregation.', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 10.5.2', '10.5.2 Protect audit trail files from unauthorized modifications.', 'not tested', 'Are audit trail files protected from unauthorized modifications via access control mechanisms, physical segregation, and/or network segregation?', '10.5.2 Current audit trail files are protected from unauthorized modifications via access control mechanisms, physical segregation, and/or network segregation.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 10.5.2', '10.5.2 Protect audit trail files from unauthorized modifications.', 'not tested', 'Are audit trail files protected from unauthorized modifications via access control mechanisms, physical segregation, and/or network segregation?', '10.5.2 Current audit trail files are protected from unauthorized modifications via access control mechanisms, physical segregation, and/or network segregation.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 10.5.3', '10.5.3 Promptly back up audit trail files to a centralized log server or media\nthat is difficult to alter.', 'not tested', 'Are current audit trail files promptly backed up to a centralized log server or media that is difficult to alter?', '10.5.3 Current audit trail files are promptly backed up to a centralized log server or media that is difficult to alter.', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 10.5.3', '10.5.3 Promptly back up audit trail files to a centralized log server or media\nthat is difficult to alter.', 'not tested', 'Are current audit trail files promptly backed up to a centralized log server or media that is difficult to alter?', '10.5.3 Current audit trail files are promptly backed up to a centralized log server or media that is difficult to alter.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 10.5.3', '10.5.3 Promptly back up audit trail files to a centralized log server or media\nthat is difficult to alter.', 'not tested', 'Are current audit trail files promptly backed up to a centralized log server or media that is difficult to alter?', '10.5.3 Current audit trail files are promptly backed up to a centralized log server or media that is difficult to alter.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 10.5.4', '10.5.4 Write logs for external-facing technologies onto a secure, centralized, internal log server or media device.', 'not tested', 'Are audit logs for external-facing technologies like wireless, firewalls, DNS, mail written onto a secure, centralized, internal log server or media?', '10.5.4 Logs for external-facing technologies (for example, wireless, firewalls, DNS, mail) are written onto a secure, centralized, internal log server or media.', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 10.5.4', '10.5.4 Write logs for external-facing technologies onto a secure, centralized, internal log server or media device.', 'not tested', 'Are audit logs for external-facing technologies like wireless, firewalls, DNS, mail written onto a secure, centralized, internal log server or media?', '10.5.4 Logs for external-facing technologies (for example, wireless, firewalls, DNS, mail) are written onto a secure, centralized, internal log server or media.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 10.5.4', '10.5.4 Write logs for external-facing technologies onto a secure, centralized, internal log server or media device.', 'not tested', 'Are audit logs for external-facing technologies like wireless, firewalls, DNS, mail written onto a secure, centralized, internal log server or media?', '10.5.4 Logs for external-facing technologies (for example, wireless, firewalls, DNS, mail) are written onto a secure, centralized, internal log server or media.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 10.5.5', '10.5.5 Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).', 'not tested', 'Is file-integrity monitoring or change-detection software used on audit logs to ensure that existing log data cannot be changed without generating alerts?', '10.5.5 Examine system settings, monitored files, and results from monitoring activities to verify the use of file-integrity monitoring or change-detection software on logs.', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 10.5.5', '10.5.5 Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).', 'not tested', 'Is file-integrity monitoring or change-detection software used on audit logs to ensure that existing log data cannot be changed without generating alerts?', '10.5.5 Examine system settings, monitored files, and results from monitoring activities to verify the use of file-integrity monitoring or change-detection software on logs.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 10.5.5', '10.5.5 Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).', 'not tested', 'Is file-integrity monitoring or change-detection software used on audit logs to ensure that existing log data cannot be changed without generating alerts?', '10.5.5 Examine system settings, monitored files, and results from monitoring activities to verify the use of file-integrity monitoring or change-detection software on logs.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 10.6', '10.6 Review logs and security events for all system components to identify anomalies or suspicious activity.\n\nNote: Log harvesting, parsing, and alerting tools may be used to meet this Requirement.', 'not tested', 'Are logs and security events for all system components reviewed to identify anomalies or suspicious activity? \n\nNote: Log harvesting, parsing, and alerting tools may be used.', '10.6 Perform the following:', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 10.6', '10.6 Review logs and security events for all system components to identify anomalies or suspicious activity.\n\nNote: Log harvesting, parsing, and alerting tools may be used to meet this Requirement.', 'not tested', 'Are logs and security events for all system components reviewed to identify anomalies or suspicious activity? \n\nNote: Log harvesting, parsing, and alerting tools may be used.', '10.6 Perform the following:', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 10.6', '10.6 Review logs and security events for all system components to identify anomalies or suspicious activity.\n\nNote: Log harvesting, parsing, and alerting tools may be used to meet this Requirement.', 'not tested', 'Are logs and security events for all system components reviewed to identify anomalies or suspicious activity? \n\nNote: Log harvesting, parsing, and alerting tools may be used.', '10.6 Perform the following:', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 10.6.1.a', '10.6.1 Review the following at least daily:\nx  All security events\nx  Logs of all system components that store, process, or transmit CHD and/or SAD\nx  Logs of all critical system components\nx  Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.).', 'not tested', 'Do documented policies and procedures require reviewing the following at least daily, either manually or via log tools:\n\n. All Security events\n\n. Logs of all system components that  store, process, or transmit cardholder data and/or sensitive authentication data\n\n. Logs of all critical system components\n\n. Logs of all servers and system components that perform security functions (for example firewalls, intrusion-detection systems/intrusion prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.)', '10.6.1.a Examine security policies and procedures to verify that procedures are defined for reviewing the following at least daily, either manually or via log tools:\nx  All security events\nx  Logs of all system components that store, process, or transmit CHD and/or SAD\nx  Logs of all critical system components\nx  Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.)', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 10.6.1.a', '10.6.1 Review the following at least daily:\nx  All security events\nx  Logs of all system components that store, process, or transmit CHD and/or SAD\nx  Logs of all critical system components\nx  Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.).', 'not tested', 'Do documented policies and procedures require reviewing the following at least daily, either manually or via log tools:\n\n. All Security events\n\n. Logs of all system components that  store, process, or transmit cardholder data and/or sensitive authentication data\n\n. Logs of all critical system components\n\n. Logs of all servers and system components that perform security functions (for example firewalls, intrusion-detection systems/intrusion prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.)', '10.6.1.a Examine security policies and procedures to verify that procedures are defined for reviewing the following at least daily, either manually or via log tools:\nx  All security events\nx  Logs of all system components that store, process, or transmit CHD and/or SAD\nx  Logs of all critical system components\nx  Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.)', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 10.6.1.a', '10.6.1 Review the following at least daily:\nx  All security events\nx  Logs of all system components that store, process, or transmit CHD and/or SAD\nx  Logs of all critical system components\nx  Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.).', 'not tested', 'Do documented policies and procedures require reviewing the following at least daily, either manually or via log tools:\n\n. All Security events\n\n. Logs of all system components that  store, process, or transmit cardholder data and/or sensitive authentication data\n\n. Logs of all critical system components\n\n. Logs of all servers and system components that perform security functions (for example firewalls, intrusion-detection systems/intrusion prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.)', '10.6.1.a Examine security policies and procedures to verify that procedures are defined for reviewing the following at least daily, either manually or via log tools:\nx  All security events\nx  Logs of all system components that store, process, or transmit CHD and/or SAD\nx  Logs of all critical system components\nx  Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.)', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 10.6.1.b', '10.6.1 Review the following at least daily:\nx  All security events\nx  Logs of all system components that store, process, or transmit CHD and/or SAD\nx  Logs of all critical system components\nx  Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.).', 'not tested', 'Are these logs and security events reviewed daily?', '10.6.1.b Observe processes and interview personnel to verify that the following are reviewed at least daily:\nx  All security events\nx  Logs of all system components that store, process, or transmit CHD and/or SAD\nx  Logs of all critical system components\nx  Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.).', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 10.6.1.b', '10.6.1 Review the following at least daily:\nx  All security events\nx  Logs of all system components that store, process, or transmit CHD and/or SAD\nx  Logs of all critical system components\nx  Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.).', 'not tested', 'Are these logs and security events reviewed daily?', '10.6.1.b Observe processes and interview personnel to verify that the following are reviewed at least daily:\nx  All security events\nx  Logs of all system components that store, process, or transmit CHD and/or SAD\nx  Logs of all critical system components\nx  Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.).', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 10.6.1.b', '10.6.1 Review the following at least daily:\nx  All security events\nx  Logs of all system components that store, process, or transmit CHD and/or SAD\nx  Logs of all critical system components\nx  Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.).', 'not tested', 'Are these logs and security events reviewed daily?', '10.6.1.b Observe processes and interview personnel to verify that the following are reviewed at least daily:\nx  All security events\nx  Logs of all system components that store, process, or transmit CHD and/or SAD\nx  Logs of all critical system components\nx  Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.).', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 10.6.2.a', '10.6.2 Review logs of all other system components periodically based on the organization’s policies and risk management strategy, as determined by the organization’s annual risk assessment.', 'not tested', 'Are written policies and procedures defined for reviewing logs of all system components periodically, either manually or via log tools, based on the organization’s policies and risk management strategy?', '10.6.2.a Examine security policies and procedures to verify that procedures are defined for reviewing logs of all other system components periodically—either manually or via log tools—based on the organization’s policies and risk management strategy.', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 10.6.2.a', '10.6.2 Review logs of all other system components periodically based on the organization’s policies and risk management strategy, as determined by the organization’s annual risk assessment.', 'not tested', 'Are written policies and procedures defined for reviewing logs of all system components periodically, either manually or via log tools, based on the organization’s policies and risk management strategy?', '10.6.2.a Examine security policies and procedures to verify that procedures are defined for reviewing logs of all other system components periodically—either manually or via log tools—based on the organization’s policies and risk management strategy.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 10.6.2.a', '10.6.2 Review logs of all other system components periodically based on the organization’s policies and risk management strategy, as determined by the organization’s annual risk assessment.', 'not tested', 'Are written policies and procedures defined for reviewing logs of all system components periodically, either manually or via log tools, based on the organization’s policies and risk management strategy?', '10.6.2.a Examine security policies and procedures to verify that procedures are defined for reviewing logs of all other system components periodically—either manually or via log tools—based on the organization’s policies and risk management strategy.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 10.6.2.b', '10.6.2 Review logs of all other system components periodically based on the organization’s policies and risk management strategy, as determined by the organization’s annual risk assessment.', 'not tested', "Are reviews of all other system components performed in accordance with organization's policies and risk management strategy?", '10.6.2.b Examine the organization’s risk-assessment documentation and interview personnel to verify that reviews are performed in accordance with organization’s policies and risk management strategy.', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 10.6.2.b', '10.6.2 Review logs of all other system components periodically based on the organization’s policies and risk management strategy, as determined by the organization’s annual risk assessment.', 'not tested', "Are reviews of all other system components performed in accordance with organization's policies and risk management strategy?", '10.6.2.b Examine the organization’s risk-assessment documentation and interview personnel to verify that reviews are performed in accordance with organization’s policies and risk management strategy.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 10.6.2.b', '10.6.2 Review logs of all other system components periodically based on the organization’s policies and risk management strategy, as determined by the organization’s annual risk assessment.', 'not tested', "Are reviews of all other system components performed in accordance with organization's policies and risk management strategy?", '10.6.2.b Examine the organization’s risk-assessment documentation and interview personnel to verify that reviews are performed in accordance with organization’s policies and risk management strategy.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 10.6.3.a', '10.6.3 Follow up exceptions and anomalies identified during the review process.', 'not tested', 'Do documented policies and procedures require following up on exceptions and anomalies identified during the review process?', '10.6.3.a Examine security policies and procedures to verify that procedures are defined for following up on exceptions and anomalies identified during the review process.', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 10.6.3.a', '10.6.3 Follow up exceptions and anomalies identified during the review process.', 'not tested', 'Do documented policies and procedures require following up on exceptions and anomalies identified during the review process?', '10.6.3.a Examine security policies and procedures to verify that procedures are defined for following up on exceptions and anomalies identified during the review process.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 10.6.3.a', '10.6.3 Follow up exceptions and anomalies identified during the review process.', 'not tested', 'Do documented policies and procedures require following up on exceptions and anomalies identified during the review process?', '10.6.3.a Examine security policies and procedures to verify that procedures are defined for following up on exceptions and anomalies identified during the review process.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 10.6.3.b', '10.6.3 Follow up exceptions and anomalies identified during the review process.', 'not tested', 'Is follow up to exceptions and anomalies performed?', '10.6.3.b Observe processes and interview personnel to verify that follow-up to exceptions and anomalies is performed.', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 10.6.3.b', '10.6.3 Follow up exceptions and anomalies identified during the review process.', 'not tested', 'Is follow up to exceptions and anomalies performed?', '10.6.3.b Observe processes and interview personnel to verify that follow-up to exceptions and anomalies is performed.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 10.6.3.b', '10.6.3 Follow up exceptions and anomalies identified during the review process.', 'not tested', 'Is follow up to exceptions and anomalies performed?', '10.6.3.b Observe processes and interview personnel to verify that follow-up to exceptions and anomalies is performed.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 10.7.a', '10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).', 'not tested', 'Do documented policies and procedures define the following:\n\n. Audit log retention policies\n\n. Procedures for retaining audit logs for at least one year, with a minimum of 3 months immediately available online?', '10.7.a Examine security policies and procedures to verify that they define the following:\nx    Audit log retention policies\nx    Procedures for retaining audit logs for at least one year, with a minimum of three months immediately available online.', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 10.7.a', '10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).', 'not tested', 'Do documented policies and procedures define the following:\n\n. Audit log retention policies\n\n. Procedures for retaining audit logs for at least one year, with a minimum of 3 months immediately available online?', '10.7.a Examine security policies and procedures to verify that they define the following:\nx    Audit log retention policies\nx    Procedures for retaining audit logs for at least one year, with a minimum of three months immediately available online.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 10.7.a', '10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).', 'not tested', 'Do documented policies and procedures define the following:\n\n. Audit log retention policies\n\n. Procedures for retaining audit logs for at least one year, with a minimum of 3 months immediately available online?', '10.7.a Examine security policies and procedures to verify that they define the following:\nx    Audit log retention policies\nx    Procedures for retaining audit logs for at least one year, with a minimum of three months immediately available online.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 10.7.b', '10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).', 'not tested', 'Are audit logs retained for at least one year?', '10.7.b Interview personnel and examine audit logs to verify that audit logs are retained for at least one year.', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 10.7.b', '10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).', 'not tested', 'Are audit logs retained for at least one year?', '10.7.b Interview personnel and examine audit logs to verify that audit logs are retained for at least one year.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 10.7.b', '10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).', 'not tested', 'Are audit logs retained for at least one year?', '10.7.b Interview personnel and examine audit logs to verify that audit logs are retained for at least one year.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 10.7.c', '10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).', 'not tested', "Are at least the last three months' logs immediately available for analysis?", '10.7.c Interview personnel and observe processes to verify that at least the last three months’ logs are immediately available for analysis.', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 10.7.c', '10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).', 'not tested', "Are at least the last three months' logs immediately available for analysis?", '10.7.c Interview personnel and observe processes to verify that at least the last three months’ logs are immediately available for analysis.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 10.7.c', '10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).', 'not tested', "Are at least the last three months' logs immediately available for analysis?", '10.7.c Interview personnel and observe processes to verify that at least the last three months’ logs are immediately available for analysis.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 10.9', '10.9 Ensure that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties.', 'not tested', 'Are security policies and operational procedures for monitoring all access to network resources and cardholder data:\n\n• Documented\n\n•  In use\n\n• Known to all affected parties?', '10.9 Examine documentation and interview personnel to verify that security policies and operational procedures for monitoring all access to network resources and cardholder data are:\nx    Documented,\nx    In use, and\nx    Known to all affected parties.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 10.9', '10.9 Ensure that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties.', 'not tested', 'Are security policies and operational procedures for monitoring all access to network resources and cardholder data:\n\n• Documented\n\n•  In use\n\n• Known to all affected parties?', '10.9 Examine documentation and interview personnel to verify that security policies and operational procedures for monitoring all access to network resources and cardholder data are:\nx    Documented,\nx    In use, and\nx    Known to all affected parties.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 10.9', '10.9 Ensure that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties.', 'not tested', 'Are security policies and operational procedures for monitoring all access to network resources and cardholder data:\n\n• Documented\n\n•  In use\n\n• Known to all affected parties?', '10.9 Examine documentation and interview personnel to verify that security policies and operational procedures for monitoring all access to network resources and cardholder data are:\nx    Documented,\nx    In use, and\nx    Known to all affected parties.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 11.1.1', '11.1.1 Maintain an inventory of authorized wireless access points including a documented business justification.', 'not tested', 'Is an inventory of authorized wireless access points maintained with a business justification for each?', '11.1.1 Examine documented records to verify that an inventory of authorized wireless access points is maintained and a business justification is documented for all authorized wireless access points.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 11.1.2.a', '11.1.2 Implement incident response procedures in the event unauthorized wireless access points are detected.', 'not tested', 'Does the incident response plan define and require a response in the event that an unauthorized wireless access point is detected?', '11.1.2.a Examine the organization’s incident response plan (Requirement 12.10) to verify it defines and requires a response in the event that an unauthorized wireless access point is detected.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 11.1.2.b', '11.1.2 Implement incident response procedures in the event unauthorized wireless access points are detected.', 'not tested', 'Is action taken when unauthorized wireless access point are found?', '11.1.2.b Interview responsible personnel and/or inspect recent wireless scans and related responses to verify action is taken when unauthorized wireless access points are found.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 11.1.a', '11.1 Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis.\n\nNote: Methods that may be used in the process include but are not limited to wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS.\nWhichever methods are used, they must be sufficient to detect and identify both authorized and unauthorized devices.', 'not tested', 'Do documented policies and procedures define processes for detection and identification of both authorized and unauthorized wireless access points on a quarterly basis?', '11.1.a Examine policies and procedures to verify processes are defined for detection and identification of both authorized and unauthorized wireless access points on a quarterly basis.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 11.1.b', '11.1 Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis.\n\nNote: Methods that may be used in the process include but are not limited to wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS.\nWhichever methods are used, they must be sufficient to detect and identify both authorized and unauthorized devices.', 'not tested', 'Is the methodology adequate to detect and identify any unauthorized wireless access points, including at least the following?\n\n. WLAN cards inserted into system components\n\n. Portable or mobile devices attached to system components to create a wireless access point\n\n.  Wireless devices attached to a network port or network device', '11.1.b Verify that the methodology is adequate to detect and identify any unauthorized wireless access points, including at least the following:\nx   WLAN cards inserted into system components\nx   Portable or mobile devices attached to system components to create a wireless access point (for example, by USB, etc.)\nx   Wireless devices attached to a network port or network device.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 11.1.c', '11.1 Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis.\n\nNote: Methods that may be used in the process include but are not limited to wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS.\nWhichever methods are used, they must be sufficient to detect and identify both authorized and unauthorized devices.', 'not tested', 'If wireless scanning is utilized to identify authorized and unauthorized wireless access points, is the scan performed at least quarterly for all system components and facilities?', '11.1.c If wireless scanning is utilized, examine output from recent wireless scans to verify that:\nx   Authorized and unauthorized wireless access points are identified, and\nx   The scan is performed at least quarterly for all system components and facilities.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 11.1.d', '11.1 Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis.\n\nNote: Methods that may be used in the process include but are not limited to wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS.\nWhichever methods are used, they must be sufficient to detect and identify both authorized and unauthorized devices.', 'not tested', 'If automated monitoring is utilized (for example, wireless IDS/IPS, NAC, etc.), is monitoring configured to generate alerts to notify personnel?', '11.1.d If automated monitoring is utilized (for example, wireless IDS/IPS, NAC, etc.), verify the configuration will generate alerts to notify personnel.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 11.2', '11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).\nNote: Multiple scan reports can be combined for the quarterly scan process to show that all systems were scanned and all applicable vulnerabilities have been addressed. Additional documentation may be required to verify non-remediated vulnerabilities are in the process of being addressed.\nFor initial PCI DSS compliance, it is not required that four quarters of passing scans be completed if the assessor verifies 1) the most recent scan result was a passing\nscan, 2) the entity has documented policies and procedures requiring quarterly scanning, and 3) vulnerabilities noted in the scan results have been corrected as shown in a re-scan(s). For subsequent years after the initial PCI DSS review, four quarters of passing scans must have occurred.', 'not tested', 'Are internal and external network vulnerability scans performed?', '11.2 Examine scan reports and supporting documentation to verify that internal and external vulnerability scans are performed as follows:', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 11.2.1.a', '11.2.1 Perform quarterly internal vulnerability scans. Address vulnerabilities and perform rescans to verify all “high risk” vulnerabilities are resolved in accordance with the entity’s vulnerability ranking (per Requirement\n6.1). Scans must be performed by qualified personnel.', 'not tested', 'Did four quarterly internal vulnerability scans occur in the most recent 12 month period?', '11.2.1.a Review the scan reports and verify that four quarterly internal scans occurred in the most recent 12- month period.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 11.2.1.b', '11.2.1 Perform quarterly internal vulnerability scans. Address vulnerabilities and perform rescans to verify all “high risk” vulnerabilities are resolved in accordance with the entity’s vulnerability ranking (per Requirement\n6.1). Scans must be performed by qualified personnel.', 'not tested', 'Does scan process include rescans as needed until all "high-risk" vulnerabilities as defined in PCI DSS requirement 6.1 are resolved?', '11.2.1.b Review the scan reports and verify that all “high risk” vulnerabilities are addressed and the scan process includes rescans to verify that the “high risk” vulnerabilities (as defined in PCI DSS Requirement 6.1) are resolved.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 11.2.1.c', '11.2.1 Perform quarterly internal vulnerability scans. Address vulnerabilities and perform rescans to verify all “high risk” vulnerabilities are resolved in accordance with the entity’s vulnerability ranking (per Requirement\n6.1). Scans must be performed by qualified personnel.', 'not tested', 'Are quarterly internal scans performed by a qualified internal resource(s) or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)?', '11.2.1.c Interview personnel to verify that the scan was performed by a qualified internal resource(s) or qualified external third party and, if applicable, organizational independence of the tester exists (not required to be a QSA or ASV).', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 11.2.2.a', '11.2.2 Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved.\nNote: Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SSC).\nRefer to the ASV Program Guide published on the PCI SSC website for scan customer responsibilities, scan preparation, etc.', 'not tested', 'Did four quarterly external vulnerability scans occur in the most recent 12 month period?', '11.2.2.a Review output from the four most recent quarters of external vulnerability scans and verify that four quarterly external vulnerability scans occurred in the most recent 12- month period.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 11.2.2.b', '11.2.2 Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved.\nNote: Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SSC).\nRefer to the ASV Program Guide published on the PCI SSC website for scan customer responsibilities, scan preparation, etc.', 'not tested', 'Do external vulnerability scan and rescan results satisfy the ASV Program Guide requirements for pass scan (for example, no vulnerabilities rated 4.0 or higher by the CVSS, and no automatic failures)?', '11.2.2.b Review the results of each quarterly scan and rescan to verify that the ASV Program Guide requirements for a passing scan have been met (for example, no vulnerabilities rated 4.0 or higher by the CVSS, and no automatic failures).', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 11.2.2.c', '11.2.2 Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved.\nNote: Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SSC).\nRefer to the ASV Program Guide published on the PCI SSC website for scan customer responsibilities, scan preparation, etc.', 'not tested', 'Are external vulnerability scans performed by a PCI DSS Approved Scanning Vendor?', '11.2.2.c Review the scan reports to verify that the scans were completed by a PCI SSC Approved Scanning Vendor (ASV).', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 11.2.3.a', '11.2.3 Perform internal and external scans, and rescans as needed, after any significant change. Scans must be performed by qualified personnel.', 'not tested', 'Are internal and external vulnerability scans performed after any significant changes to system components?', '11.2.3.a Inspect and correlate change control documentation and scan reports to verify that system components subject to any significant change were scanned.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 11.2.3.b', '11.2.3 Perform internal and external scans, and rescans as needed, after any significant change. Scans must be performed by qualified personnel.', 'not tested', 'Does the scan process include rescans until:\n\n. For external scans, no vulnerabilities exist that are scored 4.0 or higher by the CVSS,\n\n. For internal scans, a passing result is obtained or all “high-risk” vulnerabilities as defined', '11.2.3.b Review scan reports and verify that the scan process includes rescans until:\nx  For external scans, no vulnerabilities exist that are scored 4.0 or higher by the CVSS.\nx  For internal scans, all “high risk” vulnerabilities as defined in PCI DSS Requirement 6.1 are resolved.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 11.2.3.c', '11.2.3 Perform internal and external scans, and rescans as needed, after any significant change. Scans must be performed by qualified personnel.', 'not tested', 'Are scans performed by a qualified internal resource(s) or qualified external third party, and if applicable, does\n\norganizational independence of the tester exist (not required to be a QSA or ASV)?', '11.2.3.c Validate that the scan was performed by a qualified internal resource(s) or qualified external third party and, if applicable, organizational independence of the tester exists (not required to be a QSA or ASV).', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 11.3', '11.3 Implement a methodology for penetration testing that includes the following:\nx    Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115)\nx    Includes coverage for the entire CDE\nperimeter and critical systems\nx    Includes testing from both inside and outside the network\nx    Includes testing to validate any segmentation and scope-reduction controls\nx    Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5\nx    Defines network-layer penetration tests to include components that support network functions as well as operating systems\nx    Includes review and consideration of threats and vulnerabilities experienced in the last 12 months\nx    Specifies retention of penetration testing results and remediation activities results.', 'not tested', 'Does the penetration-testing methodology include the following? \n\n. Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) \n\n. Includes coverage for the entire CDE perimeter and critical systems \n\n. Includes testing from both inside and outside the network Includes testing to validate any segmentation and scope-reduction controls \n\n. Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5 \n\n. Defines network-layer penetration tests to include components that support network functions as well as operating systems \n\n. Includes review and consideration of threats and vulnerabilities experienced in the last 12 months \n\n. Specifies retention of penetration testing results and remediation activities results', '11.3 Examine penetration-testing methodology and interview responsible personnel to verify a methodology is implemented that includes the following:\nx    Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115)\nx    Includes coverage for the entire CDE perimeter and critical systems\nx    Testing from both inside and outside the network\nx    Includes testing to validate any segmentation and scope- reduction controls\nx    Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5\nx    Defines network-layer penetration tests to include components that support network functions as well as operating systems\nx    Includes review and consideration of threats and vulnerabilities experienced in the last 12 months\nx    Specifies retention of penetration testing results and remediation activities results.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 11.3.1.a', '11.3.1 Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web\nserver added to the environment).', 'not tested', 'Is external penetration testing performed per the defined methodology, at least annually, and after any significant\n\ninfrastructure or application changes to the environment?', '11.3.1.a Examine the scope of work and results from the most recent external penetration test to verify that penetration testing is performed as follows:\nx  Per the defined methodology\nx  At least annually\nx  After any significant changes to the environment.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 11.3.1.b', '11.3.1 Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web\nserver added to the environment).', 'not tested', 'Are external penetration tests performed by a qualified internal resource or qualified external third party, and if applicable, does\n\norganizational independence of the tester exist (not required to be a QSA or ASV)?', '11.3.1.b Verify that the test was performed by a qualified internal resource or qualified external third party and, if applicable, organizational independence of the tester exists (not required to be a QSA or ASV).', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 11.3.2.a', '11.3.2 Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web\nserver added to the environment).', 'not tested', 'Is internal penetration testing performed per the defined methodology, at least annually, and after any significant\n\ninfrastructure or application changes to the environment (such as an operating system upgrade, a sub-network added to the environment, or an added web server)?', '11.3.2.a Examine the scope of work and results from the most recent internal penetration test to verify that penetration testing is performed as follows.\nx  Per the defined methodology\nx  At least annually\nx  After any significant changes to the environment.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 11.3.2.b', '11.3.2 Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web\nserver added to the environment).', 'not tested', 'Are internal penetration tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)?', '11.3.2.b Verify that the test was performed by a qualified internal resource or qualified external third party and, if applicable, organizational independence of the tester exists (not required to be a QSA or ASV).', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 11.3.3', '11.3.3 Exploitable vulnerabilities found during penetration testing are corrected and testing is repeated to verify the corrections.', 'not tested', 'Were exploitable vulnerabilities found during penetration testing corrected, followed by repeated testing to verify the corrections?', '11.3.3 Examine penetration testing results to verify that noted exploitable vulnerabilities were corrected and that repeated testing confirmed the vulnerability was corrected.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 11.3.4.a', '11.3.4 If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.', 'not tested', 'Are penetration-testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of-scope systems from systems in the CDE?', '11.3.4.a Examine segmentation controls and review penetration-testing methodology to verify that penetration- testing procedures are defined to test all segmentation methods to confirm they are operational and effective, and isolate all out-of-scope systems from systems in the CDE.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 11.3.4.b', '11.3.4 If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.', 'not tested', 'Does penetration testing to verify segmentation controls:\n\n • Occur at least annually and after any changes to segmentation controls/methods\n\n • Cover all segmentation controls/methods in use\n\n• Verify that segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.', '11.3.4.b Examine the results from the most recent penetration test to verify that:\nx  Penetration testing to verify segmentation controls is performed at least annually and after any changes to segmentation controls/methods.\nx  The penetration testing covers all segmentation controls/methods in use.\nx  The penetration testing verifies that segmentation controls/methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 11.3.4.c', '11.3.4 If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.', 'not tested', 'Are penetration tests utilized to test segmentation methods performed by a qualified internal resource or external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)?', '11.3.4.c Verify that the test was performed by a qualified internal resource or qualified external third party and, if applicable, organizational independence of the tester exists (not required to be a QSA or ASV).', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 11.4.a', '11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises.\nKeep all intrusion-detection and prevention engines, baselines, and signatures up to date.', 'not tested', 'Are techniques (such as intrusion-detection and/or intrusion-prevention systems)  in place to monitor all traffic at the perimeter and at critical points of the cardholder data environment?', '11.4.a Examine system configurations and network diagrams to verify that techniques (such as intrusion-detection systems and/or intrusion-prevention systems) are in place to monitor all traffic:\nx    At the perimeter of the cardholder data environment\nx    At critical points in the cardholder data environment.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 11.4.b', '11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises.\nKeep all intrusion-detection and prevention engines, baselines, and signatures up to date.', 'not tested', 'Do intrusion-detection and/or intrusion-prevention techniques alert personnel of suspected compromises?', '11.4.b Examine system configurations and interview responsible personnel to confirm intrusion-detection and/or intrusion-prevention techniques alert personnel of suspected compromises.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 11.4.c', '11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises.\nKeep all intrusion-detection and prevention engines, baselines, and signatures up to date.', 'not tested', 'Are intrusion-detection and/or intrusion-prevention techniques configured, maintained, and updated per vendor instructions to ensure optimal protection?', '11.4.c Examine IDS/IPS configurations and vendor documentation to verify intrusion-detection and/or intrusion- prevention techniques are configured, maintained, and updated per vendor instructions to ensure optimal protection.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 11.5.1', '11.5.1 Implement a process to respond to any alerts generated by the change- detection solution.', 'not tested', 'Are all IDS/IPS alerts investigated and resolved?', '11.5.1 Interview personnel to verify that all alerts are investigated and resolved.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 11.5.a', '11.5 Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.', 'not tested', 'Is a change-detection mechanism (for example, file integrity monitoring tools) deployed to detect unauthorized modification of critical system files, configuration files, or content files?  Examples of files that should be monitored include:  \n\nSystem executables \n\nApplication executables \n\nConfiguration and parameter files \n\nCentrally stored, historical or archived, log, and audit files \n\nAdditional critical files determined by entity (for example, through risk assessment or other means)', '11.5.a Verify the use of a change-detection mechanism by observing system settings and monitored files, as well as reviewing results from monitoring activities.\nExamples of files that should be monitored:\nx    System executables\nx    Application executables\nx    Configuration and parameter files\nx    Centrally stored, historical or archived, log and audit files\nx    Additional critical files determined by entity (for example, through risk assessment or other means).', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 11.5.b', 'Note: For change-detection purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. Change-detection mechanisms such as file-integrity monitoring products usually come pre- configured with critical files for the related operating system. Other critical files, such as those for custom applications, must be evaluated and defined by the entity (that is, the merchant or service provider).', 'not tested', 'Is the change-detection mechanism configured to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files or content files, and do the tools perform critical file comparisons at least weekly?', '11.5.b Verify the mechanism is configured to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical files, and to perform critical file comparisons at least weekly.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 11.6', '11.6 Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties.', 'not tested', 'Are security policies and operational procedures for security\n\nmonitoring and testing:\n\n• Documented\n\n• In use\n\n• Known to all affected parties?', '11.6 Examine documentation and interview personnel to verify that security policies and operational procedures for security monitoring and testing are:\nx    Documented,\nx    In use, and\nx    Known to all affected parties.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 11.6', '11.6 Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties.', 'not tested', 'Are security policies and operational procedures for security\n\nmonitoring and testing:\n\n• Documented\n\n• In use\n\n• Known to all affected parties?', '11.6 Examine documentation and interview personnel to verify that security policies and operational procedures for security monitoring and testing are:\nx    Documented,\nx    In use, and\nx    Known to all affected parties.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 12.1', '12.1 Establish, publish, maintain, and disseminate a security policy.', 'not tested', 'Is an information security policy established, published, maintained, and disseminated to all relevant personnel?', '12.1 Examine the information security policy and verify that the policy is published and disseminated to all relevant personnel (including vendors and business partners).', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 12.1.1', '12.1.1 Review the security policy at least annually and update the policy when the environment changes.', 'not tested', 'Is the security policy reviewed at least annually and updated when the environment changes?', '12.1.1 Verify that the information security policy is reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 12.10', '12.10 Implement an incident response plan. Be prepared to respond immediately to a system breach.', 'not tested', 'Has an incident response plan been implemented to enable immediate response to a system breach?', '12.10 Examine the incident response plan and related procedures to verify entity is prepared to respond immediately to a system breach by performing the following:', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 12.10.1.a', '12.10.1 Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum:\nx  Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum\nx  Specific incident response procedures\nx  Business recovery and continuity procedures\nx  Data backup processes\nx  Analysis of legal requirements for reporting compromises\nx  Coverage and responses of all critical system components\nx  Reference or inclusion of incident response procedures from the payment brands.', 'not tested', 'Is there a documented incident response plan that includes:\n\n. Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum\n\n. Specific incident response procedures \n\n. Business recovery and continuity procedures\n\n. Data backup processes\n\n. Analysis of legal requirements for reporting compromises\n\n. Coverage and responses of all critical system components\n\n. Reference or inclusion of incident response procedures from the payment brands?', '12.10.1.a Verify that the incident response plan includes:\n\nx  Roles, responsibilities, and communication strategies in the event of a compromise including notification of the payment brands, at a minimum\nx  Specific incident response procedures\nx  Business recovery and continuity procedures\nx  Data backup processes\nx  Analysis of legal requirements for reporting compromises (for example, California Bill 1386, which requires notification of affected consumers in the event of an actual or suspected compromise for any business with California residents in their database)\nx  Coverage and responses for all critical system components\nx  Reference or inclusion of incident response procedures from the payment brands.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 12.10.1.b', '12.10.1 Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum:\nx  Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum\nx  Specific incident response procedures\nx  Business recovery and continuity procedures\nx  Data backup processes\nx  Analysis of legal requirements for reporting compromises\nx  Coverage and responses of all critical system components\nx  Reference or inclusion of incident response procedures from the payment brands.', 'not tested', 'Was the documented incident response plan followed for previously reported incidents?', '12.10.1.b Interview personnel and review documentation from a sample of previously reported incidents or alerts to verify that the documented incident response plan and procedures were followed.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 12.10.2', '12.10.2 Review and test the plan, including\nall elements listed in Requirement 12.10.1, at least annually.', 'not tested', 'Is the incident response plan reviewed and tested at least annually?', '12.10.2 Interview personnel and review documentation from testing to verify that the plan is tested at least annually, and that testing includes all elements listed in Requirement 12.10.1.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 12.10.3', '12.10.3 Designate specific personnel to be available on a 24/7 basis to respond to alerts.', 'not tested', 'Are designated personnel available for 24/7 incident response and monitoring coverage for any evidence of unauthorized activity, detection of unauthorized wireless access points, critical IDS alerts, and/or reports of unauthorized critical system or content file changes?', '12.10.3 Verify through observation, review of policies, and interviews of responsible personnel that designated personnel are available for 24/7 incident response and monitoring coverage for any evidence of unauthorized activity, detection of unauthorized wireless access points, critical IDS alerts, and/or reports of unauthorized critical system or content file changes.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 12.10.4', '12.10.4 Provide appropriate training to staff with security breach response responsibilities.', 'not tested', 'Is appropriate training provided to staff with security breach response responsibilities?', '12.10.4 Verify through observation, review of policies, and interviews of responsible personnel that staff with responsibilities for security breach response are periodically trained.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 12.10.5', '12.10.5 Include alerts from security monitoring systems, including but not limited to intrusion-detection, intrusion-prevention, firewalls, and file-integrity monitoring systems.', 'not tested', 'Is monitoring and responding to alerts from security monitoring systems, including detection of unauthorized wireless access points, included in the incident response plan?', '12.10.5 Verify through observation and review of processes that monitoring and responding to alerts from security monitoring systems are covered in the incident response plan.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 12.10.6', '12.10.6 Develop a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments.', 'not tested', 'Is there a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments?', '12.10.6 Verify through observation, review of policies, and interviews of responsible personnel that there is a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 12.2.a', '12.2 Implement a risk-assessment process that:\nx    Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.),\nx    Identifies critical assets, threats, and vulnerabilities, and\nx    Results in a formal, documented analysis of risk.\n\nExamples of risk-assessment methodologies include but are not limited to OCTAVE, ISO\n27005 and NIST SP 800-30.', 'not tested', 'Is a documented annual risk assessment process implemented that identifies critical assets, threats, and vulnerabilities and results in a formal risk assessment?', '12.2.a Verify that an annual risk-assessment process is documented that:\nx    Identifies critical assets, threats, and vulnerabilities\nx    Results in a formal, documented analysis of risk', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 12.2.b', '12.2 Implement a risk-assessment process that:\nx    Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.),\nx    Identifies critical assets, threats, and vulnerabilities, and\nx    Results in a formal, documented analysis of risk.\n\nExamples of risk-assessment methodologies include but are not limited to OCTAVE, ISO\n27005 and NIST SP 800-30.', 'not tested', 'Is the risk assessment process performed at least annually and upon significant changes to the environment?', '12.2.b Review risk-assessment documentation to verify that the risk-assessment process is performed at least annually and upon significant changes to the environment.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 12.3', '12.3 Develop usage policies for critical technologies and define proper use of these technologies.\n\nNote: Examples of critical technologies include, but are not limited to, remote access and wireless technologies, laptops, tablets, removable electronic media, e-mail usage and Internet usage.\n\nEnsure these usage policies require the following:', 'not tested', 'Do documented usage policies for critical technologies define proper use of these technologies?', '12.3 Examine the usage policies for critical technologies and interview responsible personnel to verify the following policies are implemented and followed:', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 12.3.1', '12.3.1 Explicit approval by authorized parties', 'not tested', 'Do documented usage policies for critical technologies require explicit approval from authorized parties to use the technologies?', '12.3.1 Verify that the usage policies include processes for explicit approval from authorized parties to use the technologies.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 12.3.10.a', '12.3.10 For personnel accessing cardholder data via remote-access technologies, prohibit the copying, moving, and storage of cardholder data onto local hard drives and\nremovable electronic media, unless explicitly\nauthorized for a defined business need.\n\nWhere there is an authorized business need, the usage policies must require the data be protected in accordance with all applicable PCI DSS Requirements.', 'not tested', 'Does the usage policy specifically prohibit copying, moving, and storage of cardholder data onto local hard drives and removable electronic media when accessing such data via remote-access technologies, unless explicitly authorized?', '12.3.10.a Verify that the usage policies prohibit copying, moving, or storing of cardholder data onto local hard drives and removable electronic media when accessing such data via remote-access technologies.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 12.3.10.b', '12.3.10 For personnel accessing cardholder data via remote-access technologies, prohibit the copying, moving, and storage of cardholder data onto local hard drives and\nremovable electronic media, unless explicitly\nauthorized for a defined business need.\n\nWhere there is an authorized business need, the usage policies must require the data be protected in accordance with all applicable PCI DSS Requirements.', 'not tested', 'Does the policy require the protection of cardholder data in accordance with PCI DSS Requirements for personnel with proper authorization?', '12.3.10.b For personnel with proper authorization, verify that usage policies require the protection of cardholder data in accordance with PCI DSS Requirements.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 12.3.2', '12.3.2 Authentication for use of the technology', 'not tested', 'Do documented usage policies for critical technologies require authentication for use of the technology?', '12.3.2 Verify that the usage policies include processes for all technology use to be authenticated with user ID and password or other authentication item (for example, token).', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 12.3.3', '12.3.3 A list of all such devices and personnel with access', 'not tested', 'Is there a list maintained for critical devices (remote access and wireless technologies, laptops, tablets, etc.) showing personnel authorized to use the devices?', '12.3.3 Verify that the usage policies define:\n\nx     A list of all critical devices, and\n\nx     A list of personnel authorized to use the devices.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 12.3.4', '12.3.4 A method to accurately and readily determine owner, contact information, and purpose (for example, labeling, coding, and/or inventorying of devices)', 'not tested', 'Do documented usage policies for critical technologies require a method to accurately and readily determine owner, contact information, and purpose (for example, labeling, coding, and/or inventorying of devices)?', '12.3.4 Verify that the usage policies define a method to accurately and readily determine owner, contact information, and purpose (for example, labeling, coding, and/or inventorying of devices).', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 12.3.5', '12.3.5 Acceptable uses of the technology', 'not tested', 'Do documented usage policies for critical technologies require that acceptable uses of the technologies are defined?', '12.3.5 Verify that the usage policies define acceptable uses for the technology.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 12.3.6', '12.3.6 Acceptable network locations for the technologies', 'not tested', 'Do documented usage policies for critical technologies require that acceptable network locations are defined for the technologies?', '12.3.6 Verify that the usage policies define acceptable network locations for the technology.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 12.3.7', '12.3.7 List of company-approved products', 'not tested', 'Do documented usage policies for critical technologies include a list of company-approved products?', '12.3.7 Verify that the usage policies include a list of company-approved products.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 12.3.8.a', '12.3.8 Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity', 'not tested', 'Do documented usage policies require an automatic disconnect of sessions for remote-access technologies after a specific period of inactivity?', '12.3.8.a Verify that the usage policies require automatic disconnect of sessions for remote-access technologies after a specific period of inactivity.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 12.3.8.b', '12.3.8 Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity', 'not tested', 'Are remote access sessions automatically disconnected after a specific period of inactivity?', '12.3.8.b Examine configurations for remote access technologies to verify that remote access sessions will be automatically disconnected after a specific period of inactivity.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 12.3.9', '12.3.9 Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use', 'not tested', 'Do documented usage policies for critical technologies  require activation of remote-access technologies for vendors and business partners only when needed, with immediate deactivation after use?', '12.3.9 Verify that the usage policies require activation of remote-access technologies used by vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 12.4.a', '12.4 Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.', 'not tested', 'Do documented information security policies clearly define information security responsibilities for all personnel?', '12.4.a Verify that information security policies clearly define information security responsibilities for all personnel.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 12.4.b', '12.4 Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.', 'not tested', 'Do responsible personnel understand the security policies?', '12.4.b Interview a sample of responsible personnel to verify they understand the security policies.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 12.5', '12.5 Assign to an individual or team the following information security management responsibilities:', 'not tested', 'Is responsibility for information security formally assigned to a Chief Security Officer or other security-knowledgeable member of executive leadership?', '12.5 Examine information security policies and procedures to verify:\nx   The formal assignment of information security to a Chief Security Officer or other security-knowledgeable member of management.\nx   The following information security responsibilities are specifically and formally assigned:', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 12.5.1', '12.5.1 Establish, document, and distribute security policies and procedures.', 'not tested', 'Is the responsibility for establishing, documenting, and distributing security policies and procedures formally assigned?', '12.5.1 Verify that responsibility for establishing, documenting and distributing security policies and procedures is formally assigned.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 12.5.2', '12.5.2 Monitor and analyze security alerts and information, and distribute to appropriate personnel.', 'not tested', 'Is the responsibility for monitoring and analyzing security alerts and  distributing information to appropriate information security and business unit management personnel formally assigned?', '12.5.2 Verify that responsibility for monitoring and analyzing security alerts and distributing information to appropriate information security and business unit management personnel is formally assigned.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 12.5.3', '12.5.3 Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.', 'not tested', 'Is the responsibility for establishing, documenting, and distributing security incident response and escalation procedures formally assigned?', '12.5.3 Verify that responsibility for establishing, documenting, and distributing security incident response and escalation procedures is formally assigned.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 12.5.4', '12.5.4 Administer user accounts, including additions, deletions, and modifications.', 'not tested', 'Is the responsibility for administering (adding, deleting, and modifying) user account and authentication management formally assigned?', '12.5.4 Verify that responsibility for administering (adding, deleting, and modifying) user account and authentication management is formally assigned.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 12.5.5', '12.5.5 Monitor and control all access to data.', 'not tested', 'Is the responsibility for monitoring and controlling all access to data formally assigned?', '12.5.5 Verify that responsibility for monitoring and controlling all access to data is formally assigned.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 12.6.a', '12.6 Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.', 'not tested', 'Does the security awareness program provide awareness to all personnel about the importance of cardholder data security?', '12.6.a Review the security awareness program to verify it provides awareness to all personnel about the cardholder data security policy and procedures .', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 12.6.b', '12.6 Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.', 'not tested', 'Has a formal security awareness program been implemented?', '12.6.b Examine security awareness program procedures and documentation and perform the following:', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 12.7', '12.7 Screen potential personnel prior to hire to minimize the risk of attacks from internal sources. (Examples of background checks include previous employment history, criminal record, credit history, and reference checks.)\n\nNote: For those potential personnel to be hired for certain positions such as store cashiers\nwho only have access to one card number at a time when facilitating a transaction, this requirement is a recommendation only.', 'not tested', 'Are background checks conducted (within the constraints of local laws) prior to hire on potential personnel who will have access to cardholder data or the cardholder data environment?', '12.7 Inquire with Human Resource department management and verify that background checks are conducted (within the constraints of local laws) prior to hire on potential personnel who will have access to cardholder data or the cardholder data environment.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 12.8', '12.8 Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows:', 'not tested', 'Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data?', '12.8 Through observation, review of policies and procedures, and review of supporting documentation, verify that processes are implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data as follows:', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 12.8', '12.8 Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows:', 'not tested', 'Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data?', '12.8 Through observation, review of policies and procedures, and review of supporting documentation, verify that processes are implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data as follows:', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 12.8.1', '12.8.1 Maintain a list of service providers including a description of the service provided.', 'not tested', 'Is a list of service providers maintained, and does that list include a description of the service provided?', '12.8.1 Verify that a list of service providers is maintained and includes a description of the service provided.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 12.8.1', '12.8.1 Maintain a list of service providers including a description of the service provided.', 'not tested', 'Is a list of service providers maintained, and does that list include a description of the service provided?', '12.8.1 Verify that a list of service providers is maintained and includes a description of the service provided.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 12.8.2', '12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.\n\nNote: The exact wording of an acknowledgement will depend on the agreement between the two parties, the details of the service being provided, and the responsibilities assigned to each party. The acknowledgement does not have to include the exact wording provided in this requirement.', 'not tested', 'Is there a written agreement with the service providers that includes an acknowledgement that the service providers are responsible for the security of cardholder data that they possess or otherwise store, process, or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment?', '12.8.2 Observe written agreements and confirm they include an acknowledgement by service providers that they are responsible for the security of cardholder data\nthe service providers possess or otherwise store, process\nor transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 12.8.2', '12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.\n\nNote: The exact wording of an acknowledgement will depend on the agreement between the two parties, the details of the service being provided, and the responsibilities assigned to each party. The acknowledgement does not have to include the exact wording provided in this requirement.', 'not tested', 'Is there a written agreement with the service providers that includes an acknowledgement that the service providers are responsible for the security of cardholder data that they possess or otherwise store, process, or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment?', '12.8.2 Observe written agreements and confirm they include an acknowledgement by service providers that they are responsible for the security of cardholder data\nthe service providers possess or otherwise store, process\nor transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.', '', '', 'Service Provider | AWS'], ['PCI DSS v3.2.1 Req. § 12.8.3', '12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.', 'not tested', 'Is there a documented process for engaging service providers, including proper due diligence prior to engaging any service provider?', '12.8.3 Verify that policies and procedures are documented and implemented including proper due diligence prior to engaging any service provider.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 12.8.4', '12.8.4 Maintain a program to monitor service providers’ PCI DSS compliance status at least annually.', 'not tested', 'Is there a program to monitor service providers’ PCI DSS compliance status at least annually?', '12.8.4 Verify that the entity maintains a program to monitor its service providers’ PCI DSS compliance status at least annually.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 12.8.5', '12.8.5 Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.', 'not tested', 'Is information maintained about which PCI DSS requirements are managed by each service provider, and which are managed by the entity?', '12.8.5 Verify the entity maintains information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 12.8.5', '12.8.5 Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.', 'not tested', 'Is information maintained about which PCI DSS requirements are managed by each service provider, and which are managed by the entity?', '12.8.5 Verify the entity maintains information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.', '', '', 'Service Provider | AWS'], ['PCI DSS v3.2.1 Req. § 2.1.1.a', '2.1.1 For wireless environments connected to the cardholder data environment or transmitting cardholder data, change ALL wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP\ncommunity strings.', 'not tested', 'For wireless environments connected to the cardholder data environment or transmitting cardholder data, are encryption keys changed from default at installation, and changed anytime anyone with knowledge of the keys leaves the company or changes positions?', '2.1.1.a Interview responsible personnel and examine supporting documentation to verify that:\nx  Encryption keys were changed from default at installation\nx  Encryption keys are changed anytime anyone with knowledge of the keys leaves the company or changes positions.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 2.1.1.b', '2.1.1 For wireless environments connected to the cardholder data environment or transmitting cardholder data, change ALL wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP\ncommunity strings.', 'not tested', 'Do documented policies and procedures require that default SNMP community strings and default passwords/phrases on access points for wireless devices are changed at installation?', '2.1.1.b Interview personnel and examine policies and procedures to verify:\nx  Default SNMP community strings are required to be changed upon installation.\nx  Default passwords/passphrases on access points are required to be changed upon installation.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 2.1.1.c', '2.1.1 For wireless environments connected to the cardholder data environment or transmitting cardholder data, change ALL wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP\ncommunity strings.', 'not tested', 'Are default SNMP community strings and default passwords/passphrases on wireless access points changed at installation?', '2.1.1.c Examine vendor documentation and login to wireless devices, with system administrator help, to verify:\nx  Default SNMP community strings are not used.\nx  Default passwords/passphrases on access points are not used.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 2.1.1.d', '2.1.1 For wireless environments connected to the cardholder data environment or transmitting cardholder data, change ALL wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP\ncommunity strings.', 'not tested', 'Is firmware on all wireless devices updated to support strong encryption for authentication and transmission over wireless networks?', '2.1.1.d Examine vendor documentation and observe wireless configuration settings to verify firmware on wireless devices is updated to support strong encryption for:\nx  Authentication over wireless networks\nx  Transmission over wireless networks.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 2.1.1.e', '2.1.1 For wireless environments connected to the cardholder data environment or transmitting cardholder data, change ALL wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP\ncommunity strings.', 'not tested', 'Are other security-related wireless vendor defaults changed at installation, if applicable?', '2.1.1.e Examine vendor documentation and observe wireless configuration settings to verify other security- related wireless vendor defaults were changed, if applicable.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 2.1.a', '2.1 Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.\nThis applies to ALL default passwords, including but not limited to those used by operating systems, software that\nprovides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, Simple Network Management Protocol (SNMP) community strings, etc.).', 'not tested', 'Are the vendor-supplied default passwords (including those on OS, software that provides security services, application and system accounts, POS terminals, and SNMP community strings) always changed before installing a system on the network?', '2.1.a Choose a sample of system components, and attempt to log on (with system administrator help) to the devices and applications using default vendor-supplied accounts and passwords, to verify that ALL default passwords (including those on operating systems, software that provides security services, application and system accounts, POS terminals, and Simple Network Management Protocol (SNMP) community strings) have been changed. (Use vendor manuals and sources on the Internet to find vendor-supplied accounts/passwords.)', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 2.1.a', '2.1 Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.\nThis applies to ALL default passwords, including but not limited to those used by operating systems, software that\nprovides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, Simple Network Management Protocol (SNMP) community strings, etc.).', 'not tested', 'Are the vendor-supplied default passwords (including those on OS, software that provides security services, application and system accounts, POS terminals, and SNMP community strings) always changed before installing a system on the network?', '2.1.a Choose a sample of system components, and attempt to log on (with system administrator help) to the devices and applications using default vendor-supplied accounts and passwords, to verify that ALL default passwords (including those on operating systems, software that provides security services, application and system accounts, POS terminals, and Simple Network Management Protocol (SNMP) community strings) have been changed. (Use vendor manuals and sources on the Internet to find vendor-supplied accounts/passwords.)', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 2.1.b', '2.1 Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.\nThis applies to ALL default passwords, including but not limited to those used by operating systems, software that\nprovides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, Simple Network Management Protocol (SNMP) community strings, etc.).', 'not tested', 'Are all unnecessary default accounts removed or disabled before installing a system on the network?', '2.1.b For the sample of system components, verify that all unnecessary default accounts (including accounts used by operating systems, security software, applications, systems, POS terminals, SNMP, etc.) are removed or disabled.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 2.1.b', '2.1 Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.\nThis applies to ALL default passwords, including but not limited to those used by operating systems, software that\nprovides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, Simple Network Management Protocol (SNMP) community strings, etc.).', 'not tested', 'Are all unnecessary default accounts removed or disabled before installing a system on the network?', '2.1.b For the sample of system components, verify that all unnecessary default accounts (including accounts used by operating systems, security software, applications, systems, POS terminals, SNMP, etc.) are removed or disabled.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 2.1.c', '2.1 Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.\nThis applies to ALL default passwords, including but not limited to those used by operating systems, software that\nprovides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, Simple Network Management Protocol (SNMP) community strings, etc.).', 'not tested', 'Are documented procedures in place to require removal or disabling of vendor-supplied passwords or default accounts prior to implementation?', '2.1.c Interview personnel and examine supporting documentation to verify that:\nx    All vendor defaults (including default passwords on operating systems, software providing security services, application and system accounts, POS terminals,\nSimple Network Management Protocol (SNMP) community strings, etc.) are changed before a system is installed on the network.\nx    Unnecessary default accounts (including accounts used by operating systems, security software, applications, systems, POS terminals, SNMP, etc.) are removed or disabled before a system is installed on the network.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 2.1.c', '2.1 Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.\nThis applies to ALL default passwords, including but not limited to those used by operating systems, software that\nprovides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, Simple Network Management Protocol (SNMP) community strings, etc.).', 'not tested', 'Are documented procedures in place to require removal or disabling of vendor-supplied passwords or default accounts prior to implementation?', '2.1.c Interview personnel and examine supporting documentation to verify that:\nx    All vendor defaults (including default passwords on operating systems, software providing security services, application and system accounts, POS terminals,\nSimple Network Management Protocol (SNMP) community strings, etc.) are changed before a system is installed on the network.\nx    Unnecessary default accounts (including accounts used by operating systems, security software, applications, systems, POS terminals, SNMP, etc.) are removed or disabled before a system is installed on the network.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 2.2.1.a', '2.2.1 Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.)\n\nNote: Where virtualization technologies are in use, implement only one primary function per virtual system component.', 'not tested', 'Has only one primary function been implemented per server? \n\n(For example, web servers, database servers, and DNS should be implemented on separate servers.)', '2.2.1.a Select a sample of system components and inspect the system configurations to verify that only one primary function is implemented per server.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 2.2.1.b', '2.2.1 Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.)\n\nNote: Where virtualization technologies are in use, implement only one primary function per virtual system component.', 'not tested', 'If virtualization technologies are used, is only one primary function implemented per virtual system component or device?', '2.2.1.b If virtualization technologies are used, inspect the system configurations to verify that only one primary function is implemented per virtual system component or device.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 2.2.2.a', '2.2.2 Enable only necessary services, protocols, daemons, etc., as required for the function of the system.', 'not tested', 'Are only necessary services, protocols, daemons, etc. enabled as required for the function of the system?\n\n(Services and protocols not directly needed to perform the device’s specified function are disabled.)', '2.2.2.a Select a sample of system components and inspect enabled system services, daemons, and protocols to verify that only necessary services or protocols are enabled.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 2.2.2.a', '2.2.2 Enable only necessary services, protocols, daemons, etc., as required for the function of the system.', 'not tested', 'Are only necessary services, protocols, daemons, etc. enabled as required for the function of the system?\n\n(Services and protocols not directly needed to perform the device’s specified function are disabled.)', '2.2.2.a Select a sample of system components and inspect enabled system services, daemons, and protocols to verify that only necessary services or protocols are enabled.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 2.2.2.b', '2.2.2 Enable only necessary services, protocols, daemons, etc., as required for the function of the system.', 'not tested', 'For all enabled insecure services, daemons, or protocols:  are they justified per documented configuration standards?', '2.2.2.b Identify any enabled insecure services, daemons, or protocols and interview personnel to verify they are justified per documented configuration standards.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 2.2.2.b', '2.2.2 Enable only necessary services, protocols, daemons, etc., as required for the function of the system.', 'not tested', 'For all enabled insecure services, daemons, or protocols:  are they justified per documented configuration standards?', '2.2.2.b Identify any enabled insecure services, daemons, or protocols and interview personnel to verify they are justified per documented configuration standards.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 2.2.3', '2.2.3 Implement additional security features for any required services, protocols, or daemons that are considered to be insecure.', 'not tested', 'Are security features documented and implemented for any required services, protocols or daemons that are considered to be insecure?  \n\n(For example, use of secured technologies such as SSH, S-FTP, TLS or IPSec VPN to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc.)', '2.2.3.a Inspect configuration settings to verify that security features are documented and implemented for all insecure services, daemons, or protocols.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 2.2.3', '2.2.3 Implement additional security features for any required services, protocols, or daemons that are considered to be insecure.', 'not tested', 'Are security features documented and implemented for any required services, protocols or daemons that are considered to be insecure?  \n\n(For example, use of secured technologies such as SSH, S-FTP, TLS or IPSec VPN to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc.)', '2.2.3.a Inspect configuration settings to verify that security features are documented and implemented for all insecure services, daemons, or protocols.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 2.2.4.a', '2.2.4 Configure system security parameters to prevent misuse.', 'not tested', 'Are system administrators and/or personnel that configure system components knowledgeable about common security parameter settings for those system components?', '2.2.4.a Interview system administrators and/or security managers to verify that they have knowledge of common security parameter settings for system components.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 2.2.4.a', '2.2.4 Configure system security parameters to prevent misuse.', 'not tested', 'Are system administrators and/or personnel that configure system components knowledgeable about common security parameter settings for those system components?', '2.2.4.a Interview system administrators and/or security managers to verify that they have knowledge of common security parameter settings for system components.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 2.2.4.b', '2.2.4 Configure system security parameters to prevent misuse.', 'not tested', 'Do system configuration standards include common security parameter settings?', '2.2.4.b Examine the system configuration standards to verify that common security parameter settings are included.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 2.2.4.b', '2.2.4 Configure system security parameters to prevent misuse.', 'not tested', 'Do system configuration standards include common security parameter settings?', '2.2.4.b Examine the system configuration standards to verify that common security parameter settings are included.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 2.2.4.c', '2.2.4 Configure system security parameters to prevent misuse.', 'not tested', 'On system components, are security parameter settings set appropriately and in accordance with the configuration standards?', '2.2.4.c Select a sample of system components and\ninspect the common security parameters to verify that they are set appropriately and in accordance with the configuration standards.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 2.2.4.c', '2.2.4 Configure system security parameters to prevent misuse.', 'not tested', 'On system components, are security parameter settings set appropriately and in accordance with the configuration standards?', '2.2.4.c Select a sample of system components and\ninspect the common security parameters to verify that they are set appropriately and in accordance with the configuration standards.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 2.2.5.a', '2.2.5 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.', 'not tested', 'Is all unnecessary functionality — such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers - removed?', '2.2.5.a Select a sample of system components and inspect the configurations to verify that all unnecessary functionality (for example, scripts, drivers, features, subsystems, file systems, etc.) is removed.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 2.2.5.a', '2.2.5 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.', 'not tested', 'Is all unnecessary functionality — such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers - removed?', '2.2.5.a Select a sample of system components and inspect the configurations to verify that all unnecessary functionality (for example, scripts, drivers, features, subsystems, file systems, etc.) is removed.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 2.2.5.b.', '2.2.5 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.', 'not tested', 'Are enabled functions documented and do they support secure configuration?', '2.2.5.b. Examine the documentation and security parameters to verify enabled functions are documented and support secure configuration.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 2.2.5.b.', '2.2.5 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.', 'not tested', 'Are enabled functions documented and do they support secure configuration?', '2.2.5.b. Examine the documentation and security parameters to verify enabled functions are documented and support secure configuration.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 2.2.5.c.', '2.2.5 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.', 'not tested', 'Do system components include only the documented functionality?', '2.2.5.c. Examine the documentation and security parameters to verify that only documented functionality is present on the sampled system components.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 2.2.5.c.', '2.2.5 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.', 'not tested', 'Do system components include only the documented functionality?', '2.2.5.c. Examine the documentation and security parameters to verify that only documented functionality is present on the sampled system components.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 2.2.a', '2.2 Develop configuration standards for all system components. Assure that these standards address all known\nsecurity vulnerabilities and are consistent\nwith industry-accepted system hardening standards.\nSources of industry-accepted system hardening standards may include, but are not limited to:\nx    Center for Internet Security (CIS)\nx    International Organization for\nStandardization (ISO)\nx    SysAdmin Audit Network Security\n(SANS) Institute\nx    National Institute of Standards\nTechnology (NIST).', 'not tested', 'Do documented configuration standards exist for all system components and are they consistent with industry-accepted system hardening standards like NIST, SANS, CIS, ISO etc.?', '2.2.a Examine the organization’s system configuration standards for all types of system components and verify the system configuration standards are consistent with industry- accepted hardening standards.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 2.2.a', '2.2 Develop configuration standards for all system components. Assure that these standards address all known\nsecurity vulnerabilities and are consistent\nwith industry-accepted system hardening standards.\nSources of industry-accepted system hardening standards may include, but are not limited to:\nx    Center for Internet Security (CIS)\nx    International Organization for\nStandardization (ISO)\nx    SysAdmin Audit Network Security\n(SANS) Institute\nx    National Institute of Standards\nTechnology (NIST).', 'not tested', 'Do documented configuration standards exist for all system components and are they consistent with industry-accepted system hardening standards like NIST, SANS, CIS, ISO etc.?', '2.2.a Examine the organization’s system configuration standards for all types of system components and verify the system configuration standards are consistent with industry- accepted hardening standards.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 2.2.b', '2.2 Develop configuration standards for all system components. Assure that these standards address all known\nsecurity vulnerabilities and are consistent\nwith industry-accepted system hardening standards.\nSources of industry-accepted system hardening standards may include, but are not limited to:\nx    Center for Internet Security (CIS)\nx    International Organization for\nStandardization (ISO)\nx    SysAdmin Audit Network Security\n(SANS) Institute\nx    National Institute of Standards\nTechnology (NIST).', 'not tested', 'Are system configuration standards updated as new vulnerability issues are identified?', '2.2.b Examine policies and interview personnel to verify that system configuration standards are updated as new vulnerability issues are identified, as defined in Requirement\n6.1.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 2.2.b', '2.2 Develop configuration standards for all system components. Assure that these standards address all known\nsecurity vulnerabilities and are consistent\nwith industry-accepted system hardening standards.\nSources of industry-accepted system hardening standards may include, but are not limited to:\nx    Center for Internet Security (CIS)\nx    International Organization for\nStandardization (ISO)\nx    SysAdmin Audit Network Security\n(SANS) Institute\nx    National Institute of Standards\nTechnology (NIST).', 'not tested', 'Are system configuration standards updated as new vulnerability issues are identified?', '2.2.b Examine policies and interview personnel to verify that system configuration standards are updated as new vulnerability issues are identified, as defined in Requirement\n6.1.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 2.2.c', '2.2 Develop configuration standards for all system components. Assure that these standards address all known\nsecurity vulnerabilities and are consistent\nwith industry-accepted system hardening standards.\nSources of industry-accepted system hardening standards may include, but are not limited to:\nx    Center for Internet Security (CIS)\nx    International Organization for\nStandardization (ISO)\nx    SysAdmin Audit Network Security\n(SANS) Institute\nx    National Institute of Standards\nTechnology (NIST).', 'not tested', 'Do documented policies require that:\n\n. system configuration standards are applied when new systems are configured, and\n\n. verification that they are in place before a system is installed on the network?', '2.2.c Examine policies and interview personnel to verify that system configuration standards are applied when new systems are configured and verified as being in place before a system is installed on the network.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 2.2.c', '2.2 Develop configuration standards for all system components. Assure that these standards address all known\nsecurity vulnerabilities and are consistent\nwith industry-accepted system hardening standards.\nSources of industry-accepted system hardening standards may include, but are not limited to:\nx    Center for Internet Security (CIS)\nx    International Organization for\nStandardization (ISO)\nx    SysAdmin Audit Network Security\n(SANS) Institute\nx    National Institute of Standards\nTechnology (NIST).', 'not tested', 'Do documented policies require that:\n\n. system configuration standards are applied when new systems are configured, and\n\n. verification that they are in place before a system is installed on the network?', '2.2.c Examine policies and interview personnel to verify that system configuration standards are applied when new systems are configured and verified as being in place before a system is installed on the network.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 2.2.d', '2.2 Develop configuration standards for all system components. Assure that these standards address all known\nsecurity vulnerabilities and are consistent\nwith industry-accepted system hardening standards.\nSources of industry-accepted system hardening standards may include, but are not limited to:\nx    Center for Internet Security (CIS)\nx    International Organization for\nStandardization (ISO)\nx    SysAdmin Audit Network Security\n(SANS) Institute\nx    National Institute of Standards\nTechnology (NIST).', 'not tested', 'Do system configuration standards include the following procedures for all types of system components: \n\n  * Changing of all vendor-supplied defaults and elimination of unnecessary default accounts \n\n  * Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same server \n\n  * Enabling only necessary services, protocols, daemons, etc., as required for the function of the system \n\n  * Implementing additional security features for any required services, protocols or daemons that are considered to be insecure \n\n  * Configuring system security parameters to prevent misuse \n  * Removing all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.', '2.2.d Verify that system configuration standards include the following procedures for all types of system components:\nx    Changing of all vendor-supplied defaults and elimination of unnecessary default accounts\nx    Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same server\nx    Enabling only necessary services, protocols, daemons, etc., as required for the function of the system\nx    Implementing additional security features for any required services, protocols or daemons that are considered to be insecure\nx    Configuring system security parameters to prevent misuse\nx    Removing all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 2.2.d', '2.2 Develop configuration standards for all system components. Assure that these standards address all known\nsecurity vulnerabilities and are consistent\nwith industry-accepted system hardening standards.\nSources of industry-accepted system hardening standards may include, but are not limited to:\nx    Center for Internet Security (CIS)\nx    International Organization for\nStandardization (ISO)\nx    SysAdmin Audit Network Security\n(SANS) Institute\nx    National Institute of Standards\nTechnology (NIST).', 'not tested', 'Do system configuration standards include the following procedures for all types of system components: \n\n  * Changing of all vendor-supplied defaults and elimination of unnecessary default accounts \n\n  * Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same server \n\n  * Enabling only necessary services, protocols, daemons, etc., as required for the function of the system \n\n  * Implementing additional security features for any required services, protocols or daemons that are considered to be insecure \n\n  * Configuring system security parameters to prevent misuse \n  * Removing all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.', '2.2.d Verify that system configuration standards include the following procedures for all types of system components:\nx    Changing of all vendor-supplied defaults and elimination of unnecessary default accounts\nx    Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same server\nx    Enabling only necessary services, protocols, daemons, etc., as required for the function of the system\nx    Implementing additional security features for any required services, protocols or daemons that are considered to be insecure\nx    Configuring system security parameters to prevent misuse\nx    Removing all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 2.3', '2.3 Encrypt all non-console administrative access using strong cryptography.', 'not tested', 'Is all non-console administrative access encrypted?  (Note:  Console access to a server is access directly on the machine.)', '2.3 Select a sample of system components and verify that non-console administrative access is encrypted by performing the following:', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 2.3', '2.3 Encrypt all non-console administrative access using strong cryptography.', 'not tested', 'Is all non-console administrative access encrypted?  (Note:  Console access to a server is access directly on the machine.)', '2.3 Select a sample of system components and verify that non-console administrative access is encrypted by performing the following:', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 2.3.a', '2.3 Encrypt all non-console administrative access using strong cryptography.\n.', 'not tested', 'Is strong cryptography used to encrypt all non-console administrative access, and is a strong encryption method invoked before the administrator’s password is requested?', '2.3.a Observe an administrator log on to each system and examine system configurations to verify that a strong encryption method is invoked before the administrator’s password is requested.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 2.3.a', '2.3 Encrypt all non-console administrative access using strong cryptography.\n.', 'not tested', 'Is strong cryptography used to encrypt all non-console administrative access, and is a strong encryption method invoked before the administrator’s password is requested?', '2.3.a Observe an administrator log on to each system and examine system configurations to verify that a strong encryption method is invoked before the administrator’s password is requested.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 2.3.b', '2.3 Encrypt all non-console administrative access using strong cryptography.\n.', 'not tested', 'Have system services and parameter files been configured to prevent the use of Telnet and other insecure remote login commands?', '2.3.b Review services and parameter files on systems to determine that Telnet and other insecure remote-login commands are not available for non-console access.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 2.3.b', '2.3 Encrypt all non-console administrative access using strong cryptography.\n.', 'not tested', 'Have system services and parameter files been configured to prevent the use of Telnet and other insecure remote login commands?', '2.3.b Review services and parameter files on systems to determine that Telnet and other insecure remote-login commands are not available for non-console access.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 2.3.c', '2.3 Encrypt all non-console administrative access using strong cryptography.\n.', 'not tested', 'Is administrator access to any web-based management interfaces encrypted with strong cryptography?', '2.3.c Observe an administrator log on to each system to verify that administrator access to any web-based management interfaces is encrypted with strong cryptography.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 2.3.c', '2.3 Encrypt all non-console administrative access using strong cryptography.\n.', 'not tested', 'Is administrator access to any web-based management interfaces encrypted with strong cryptography?', '2.3.c Observe an administrator log on to each system to verify that administrator access to any web-based management interfaces is encrypted with strong cryptography.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 2.3.d', '2.3 Encrypt all non-console administrative access using strong cryptography.\n.', 'not tested', 'Based on a review of the vendor documentation, is strong cryptography for the technology in use implemented according to industry best practices and/or vendor recommendations?', '2.3.d Examine vendor documentation and interview personnel to verify that strong cryptography for the technology in use is implemented according to industry best practices and/or vendor recommendations.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 2.3.d', '2.3 Encrypt all non-console administrative access using strong cryptography.\n.', 'not tested', 'Based on a review of the vendor documentation, is strong cryptography for the technology in use implemented according to industry best practices and/or vendor recommendations?', '2.3.d Examine vendor documentation and interview personnel to verify that strong cryptography for the technology in use is implemented according to industry best practices and/or vendor recommendations.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 2.4.a', '2.4 Maintain an inventory of system components that are in scope for PCI DSS.', 'not tested', 'Has an inventory been maintained for systems components that are in scope for PCI DSS, including a list of hardware and software components and a description of function/use for each?', '2.4.a Examine system inventory to verify that a list of hardware and software components is maintained and includes a description of function/use for each.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 2.4.a', '2.4 Maintain an inventory of system components that are in scope for PCI DSS.', 'not tested', 'Has an inventory been maintained for systems components that are in scope for PCI DSS, including a list of hardware and software components and a description of function/use for each?', '2.4.a Examine system inventory to verify that a list of hardware and software components is maintained and includes a description of function/use for each.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 2.4.b', '2.4 Maintain an inventory of system components that are in scope for PCI DSS.', 'not tested', 'Is the documented inventory kept up-to-date?', '2.4.b Interview personnel to verify the documented inventory is kept current.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 2.4.b', '2.4 Maintain an inventory of system components that are in scope for PCI DSS.', 'not tested', 'Is the documented inventory kept up-to-date?', '2.4.b Interview personnel to verify the documented inventory is kept current.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 2.5', '2.5 Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.', 'not tested', 'Are security policies and operational procedures for managing vendor defaults and other security parameters documented, in use and known to all affected parties?', '2.5 Examine documentation and interview personnel to verify that security policies and operational procedures for managing vendor defaults and other security parameters are:\nx     Documented,\nx     In use, and\nx     Known to all affected parties.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 2.5', '2.5 Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.', 'not tested', 'Are security policies and operational procedures for managing vendor defaults and other security parameters documented, in use and known to all affected parties?', '2.5 Examine documentation and interview personnel to verify that security policies and operational procedures for managing vendor defaults and other security parameters are:\nx     Documented,\nx     In use, and\nx     Known to all affected parties.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 4.1.1', '4.1.1 Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment, use industry best practices to implement strong encryption for authentication and transmission.', 'not tested', 'Have industry best practices (for example, IEEE 802.11i) been used to implement strong encryption for authentication and transmission for wireless networks transmitting cardholder data or connected to the cardholder data environment? \n\nNote: The use of WEP as a security control is prohibited.', '4.1.1 Identify all wireless networks transmitting cardholder data or connected to the cardholder data environment. Examine documented standards and compare to system configuration settings to verify the following for all wireless networks identified:\nx  Industry best practices are used to implement strong encryption for authentication and transmission.\nx  Weak encryption (for example, WEP, SSL) is not used as a security control for authentication or transmission.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 4.1.a', '4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following:\nx    Only trusted keys and certificates are accepted.\nx    The protocol in use only supports secure versions or configurations.\nx    The encryption strength is appropriate for the encryption methodology in use.\n\n\nNote: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed.\n\n\nExamples of open, public networks include but are not limited to:\nx     The Internet\nx     Wireless technologies, including 802.11 and Bluetooth\nx     Cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA)\nx     General Packet Radio Service (GPRS)\nx     Satellite communications', 'not tested', 'To safeguard sensitive cardholder data during transmission over open, public networks, are strong cryptography and security protocols, such as TLS, SSH or IPSEC being used ? \n\nExamples of open, public networks include but are not limited to the Internet; wireless technologies, including 802.11 and Bluetooth; cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA); and General Packet Radio Service (GPRS).', '4.1.a Identify all locations where cardholder data is transmitted or received over open, public networks. Examine documented standards and compare to system configurations to verify the use of security protocols and strong cryptography for all locations.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 4.1.b', '4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following:\nx    Only trusted keys and certificates are accepted.\nx    The protocol in use only supports secure versions or configurations.\nx    The encryption strength is appropriate for the encryption methodology in use.\n\n\nNote: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed.\n\n\nExamples of open, public networks include but are not limited to:\nx     The Internet\nx     Wireless technologies, including 802.11 and Bluetooth\nx     Cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA)\nx     General Packet Radio Service (GPRS)\nx     Satellite communications', 'not tested', 'Do documented policies and procedures require that processes are specified:\n\n. For acceptance of only trusted keys and/or certificates\n\n. For the protocol in use to only support secure versions and configurations (that insecure versions or configurations are not supported)\n\n. for implementation of proper encryption strength per the encryption methodology in use?', '4.1.b Review documented policies and procedures to verify processes are specified for the following:\nx    For acceptance of only trusted keys and/or certificates\nx    For the protocol in use to only support secure versions and configurations (that insecure versions or configurations are not supported)\nx    For implementation of proper encryption strength per the encryption methodology in use', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 4.1.c', '4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following:\nx    Only trusted keys and certificates are accepted.\nx    The protocol in use only supports secure versions or configurations.\nx    The encryption strength is appropriate for the encryption methodology in use.\n\n\nNote: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed.\n\n\nExamples of open, public networks include but are not limited to:\nx     The Internet\nx     Wireless technologies, including 802.11 and Bluetooth\nx     Cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA)\nx     General Packet Radio Service (GPRS)\nx     Satellite communications', 'not tested', 'Is all cardholder data encrypted with strong cryptography during transmission over public networks?', '4.1.c Select and observe a sample of inbound and outbound transmissions as they occur (for example, by observing system processes or network traffic) to verify that all cardholder data is encrypted with strong cryptography\nduring transit.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 4.1.d', '4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following:\nx    Only trusted keys and certificates are accepted.\nx    The protocol in use only supports secure versions or configurations.\nx    The encryption strength is appropriate for the encryption methodology in use.\n\n\nNote: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed.\n\n\nExamples of open, public networks include but are not limited to:\nx     The Internet\nx     Wireless technologies, including 802.11 and Bluetooth\nx     Cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA)\nx     General Packet Radio Service (GPRS)\nx     Satellite communications', 'not tested', 'Have security protocols been implemented to accept only trusted keys and/or certificates?', '4.1.d Examine keys and certificates to verify that only trusted keys and/or certificates are accepted.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 4.1.e', '4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following:\nx    Only trusted keys and certificates are accepted.\nx    The protocol in use only supports secure versions or configurations.\nx    The encryption strength is appropriate for the encryption methodology in use.\n\n\nNote: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed.\n\n\nExamples of open, public networks include but are not limited to:\nx     The Internet\nx     Wireless technologies, including 802.11 and Bluetooth\nx     Cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA)\nx     General Packet Radio Service (GPRS)\nx     Satellite communications', 'not tested', 'Have security protocols been implemented to use only secure configurations, and to not support insecure versions or configurations?', '4.1.e Examine system configurations to verify that the protocol is implemented to use only secure configurations and does not support insecure versions or configurations.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 4.1.f', '4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following:\nx    Only trusted keys and certificates are accepted.\nx    The protocol in use only supports secure versions or configurations.\nx    The encryption strength is appropriate for the encryption methodology in use.\n\n\nNote: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed.\n\n\nExamples of open, public networks include but are not limited to:\nx     The Internet\nx     Wireless technologies, including 802.11 and Bluetooth\nx     Cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA)\nx     General Packet Radio Service (GPRS)\nx     Satellite communications', 'not tested', 'Is the proper encryption strength implemented for the encryption methodology in use?  \n\n(Check vendor recommendations / best practices.)', '4.1.f Examine system configurations to verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.)', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 4.1.g', '', 'not tested', 'For TLS implementations, is TLS enabled whenever cardholder data is transmitted or received?\n\n(For example, for browser-based implementations:  "https" appears as the browser URL protocol and cardholder data is only requested if "https" appears as part of the URL)', '4.1.g For TLS implementations, examine system configurations to verify that TLS is enabled whenever cardholder data is transmitted or received.\nFor example, for browser-based implementations:\n\nx    “HTTPS” appears as the browser Universal Record\nLocator (URL) protocol, and\nx    Cardholder data is only requested if “HTTPS” appears as part of the URL.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 4.2.b', '4.2 Never send unprotected PANs by end- user messaging technologies (for example, e- mail, instant messaging, SMS, chat, etc.).', 'not tested', 'Are written policies in place that state that unprotected PANs are not to be sent via end-user messaging technologies?', '4.2.b Review written policies to verify the existence of a policy stating that unprotected PANs are not to be sent via end-user messaging technologies.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 4.3', '4.3 Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties.', 'not tested', 'Are the security policies and operational procedures for encrypting transmissions of cardholder data documented, in use and known to all affected parties?', '4.3 Examine documentation and interview personnel to verify that security policies and operational procedures for encrypting transmissions of cardholder data are:\nx    Documented,\nx    In use, and\nx    Known to all affected parties.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 5.1', '5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).', 'not tested', 'Is anti-virus software deployed on all systems commonly affected by malicious software?', '5.1 For a sample of system components including all operating system types commonly affected by malicious software, verify that anti-virus software is deployed if applicable anti-virus technology exists.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 5.1.1', '5.1.1 Ensure that anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.', 'not tested', 'Are anti-virus programs capable of detecting, removing, and protecting against all known types of malicious software like viruses, Trojans, worms, spyware, adware, and rootkits?', '5.1.1 Review vendor documentation and examine anti-virus configurations to verify that anti-virus programs;\nx  Detect all known types of malicious software,\nx  Remove all known types of malicious software, and\nx  Protect against all known types of malicious software.\n\nExamples of types of malicious software include viruses, Trojans, worms, spyware, adware, and rootkits.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 5.1.2', '5.1.2 For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software.', 'not tested', 'Is there periodic evaluation performed on systems considered not to require anti-virus to identify and evaluate evolving malware threats in order to confirm whether those systems considered to not be commonly affected by malicious software continue as such?', '5.1.2 Interview personnel to verify that evolving malware threats are monitored and evaluated for systems not currently considered to be commonly affected by malicious software, in order to confirm whether such systems continue to not require anti-virus software.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 5.2.a', '5.2 Ensure that all anti-virus mechanisms are maintained as follows:\nx    Are kept current,\nx    Perform periodic scans\nx    Generate audit logs which are retained per PCI DSS Requirement\n10.7.', 'not tested', 'Are all anti-virus software and definitions kept up-to-date?', '5.2.a Examine policies and procedures to verify that anti-virus software and definitions are required to be kept up to date.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 5.2.b', '5.2 Ensure that all anti-virus mechanisms are maintained as follows:\nx    Are kept current,\nx    Perform periodic scans\nx    Generate audit logs which are retained per PCI DSS Requirement\n10.7.', 'not tested', 'Are automatic updates and periodic scans enabled and being performed?', '5.2.b Examine anti-virus configurations, including the master installation of the software to verify anti-virus mechanisms are:\nx    Configured to perform automatic updates, and\nx    Configured to perform periodic scans.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 5.2.c', '5.2 Ensure that all anti-virus mechanisms are maintained as follows:\nx    Are kept current,\nx    Perform periodic scans\nx    Generate audit logs which are retained per PCI DSS Requirement\n10.7.', 'not tested', 'Is anti-virus software and definitions current?', '5.2.c Examine a sample of system components, including all operating system types commonly affected by malicious software, to verify that:\nx    The anti-virus software and definitions are current.\nx    Periodic scans are performed.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 5.2.d', '5.2 Ensure that all anti-virus mechanisms are maintained as follows:\nx    Are kept current,\nx    Perform periodic scans\nx    Generate audit logs which are retained per PCI DSS Requirement\n10.7.', 'not tested', 'Is audit log generation enabled and logs retained for at least one year, with a minimum of 3 months immediately available for analysis?', '5.2.d Examine anti-virus configurations, including the master installation of the software and a sample of system components, to verify that:\nx    Anti-virus software log generation is enabled, and\nx    Logs are retained in accordance with PCI DSS Requirement 10.7.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 5.3.a', '5.3 Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.\n\nNote: Anti-virus solutions may be temporarily disabled only if there is legitimate technical need, as authorized by management on a case-by-case basis. If anti-virus protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be\nimplemented for the period of time during which anti-virus protection is not active.', 'not tested', 'Are all anti-virus mechanisms actively running?  \n\n(Note: Anti-virus solutions may be temporarily disabled only if there is legitimate technical need, as authorized by management on a case-by-case basis. If anti-virus protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period of time during which anti-virus protection is not active.)', '5.3.a Examine anti-virus configurations, including the master installation of the software and a sample of system\ncomponents, to verify the anti-virus software is actively running.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 5.3.b', '5.3 Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.\n\nNote: Anti-virus solutions may be temporarily disabled only if there is legitimate technical need, as authorized by management on a case-by-case basis. If anti-virus protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be\nimplemented for the period of time during which anti-virus protection is not active.', 'not tested', 'Are all anti-virus mechanisms unable to be disabled or altered by users?', '5.3.b Examine anti-virus configurations, including the master installation of the software and a sample of system components, to verify that the anti-virus software cannot be disabled or altered by users.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 5.3.c', '5.3 Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.\n\nNote: Anti-virus solutions may be temporarily disabled only if there is legitimate technical need, as authorized by management on a case-by-case basis. If anti-virus protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be\nimplemented for the period of time during which anti-virus protection is not active.', 'not tested', 'Is all disabling or alteration of anti-virus mechanisms authorized by management on a case-by-case basis and restricted to a limited period of time?', '5.3.c Interview responsible personnel and observe processes to verify that anti-virus software cannot be disabled or altered by users, unless specifically authorized by management on a\ncase-by-case basis for a limited time period.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 5.4', '5.4 Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties.', 'not tested', 'Are security policies and operational procedures for protecting systems against malware documented, in use and Known to all affected parties?', '5.4 Examine documentation and interview personnel to verify that security policies and operational procedures for protecting systems against malware are:\nx    Documented,\nx    In use, and\nx    Known to all affected parties.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 6.1.a', '6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities.\n\nNote: Risk rankings should be based on\nindustry best practices as well as consideration of potential impact. For example, criteria for ranking vulnerabilities may include consideration of the CVSS base score, and/or the classification by the vendor, and/or type of systems affected.\nMethods for evaluating vulnerabilities and assigning risk ratings will vary based on an organization’s environment and risk- assessment strategy. Risk rankings should, at a minimum, identify all vulnerabilities considered to be a “high risk” to the environment. In addition to the risk ranking, vulnerabilities may be considered “critical” if they pose an imminent threat to the environment, impact critical systems, and/or would result in a potential compromise if not\naddressed. Examples of critical systems may\ninclude security systems, public-facing devices and systems, databases, and other systems that store, process, or transmit cardholder data.', 'not tested', 'Is there a process to identify security vulnerabilities, using reputable outside sources for vulnerability information and assigning a risk ranking to vulnerabilities that includes identification of all “high” risk and “critical” vulnerabilities?', '6.1.a Examine policies and procedures to verify that processes are defined for the following:\nx    To identify new security vulnerabilities\nx    To assign a risk ranking to vulnerabilities that includes identification of all “high risk” and “critical” vulnerabilities.\nx    To use reputable outside sources for security vulnerability information.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 6.1.b', '6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities.\n\nNote: Risk rankings should be based on industry best practices as well as consideration of potential impact. For example, criteria for ranking vulnerabilities may include consideration of the CVSS base score, and/or the classification by the vendor, and/or type of systems affected.\nMethods for evaluating vulnerabilities and assigning risk ratings will vary based on an organization’s environment and risk- assessment strategy. Risk rankings should, at a minimum, identify all vulnerabilities considered to be a “high risk” to the environment. In addition to the risk ranking, vulnerabilities may be considered “critical” if they pose an imminent threat to the environment, impact critical systems, and/or would result in a potential compromise if not\naddressed. Examples of critical systems may\ninclude security systems, public-facing devices and systems, databases, and other systems that store, process, or transmit cardholder data.', 'not tested', 'Is the process to identify and assign a risk ranking to security vulnerabilities consistently followed?', '6.1.b Interview responsible personnel and observe processes to verify that:\nx    New security vulnerabilities are identified.\nx    A risk ranking is assigned to vulnerabilities that includes identification of all “high risk” and “critical”\nvulnerabilities.\nx    Processes to identify new security vulnerabilities include using reputable outside sources for security vulnerability information.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 6.2.a', '6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor- supplied security patches. Install critical security patches within one month of release.\n\nNote: Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1.', 'not tested', 'Do documented policies and procedures require that all system components and software protected from known vulnerabilities by:\n\n. Installing applicable critical vendor-supplied security patches within one month of release\n\n. installing applicable vendor-supplied security patches within an appropriate timeframe (e.g. 3 months)?', '6.2.a Examine policies and procedures related to security- patch installation to verify processes are defined for:\nx    Installation of applicable critical vendor-supplied security patches within one month of release.\nx    Installation of all applicable vendor-supplied security patches within an appropriate time frame (for example, within three months).', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 6.2.a', '6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor- supplied security patches. Install critical security patches within one month of release.\n\nNote: Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1.', 'not tested', 'Do documented policies and procedures require that all system components and software protected from known vulnerabilities by:\n\n. Installing applicable critical vendor-supplied security patches within one month of release\n\n. installing applicable vendor-supplied security patches within an appropriate timeframe (e.g. 3 months)?', '6.2.a Examine policies and procedures related to security- patch installation to verify processes are defined for:\nx    Installation of applicable critical vendor-supplied security patches within one month of release.\nx    Installation of all applicable vendor-supplied security patches within an appropriate time frame (for example, within three months).', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 6.2.b', '6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor- supplied security patches. Install critical security patches within one month of release.\n\nNote: Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1.', 'not tested', 'Are critical security patches installed within one month of release?', '6.2.b For a sample of system components and related software, compare the list of security patches installed on each system to the most recent vendor security-patch list, to verify the following:\nx    That applicable critical vendor-supplied security patches are installed within one month of release.\nx    All applicable vendor-supplied security patches are installed within an appropriate time frame (for example, within three months).', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 6.2.b', '6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor- supplied security patches. Install critical security patches within one month of release.\n\nNote: Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1.', 'not tested', 'Are critical security patches installed within one month of release?', '6.2.b For a sample of system components and related software, compare the list of security patches installed on each system to the most recent vendor security-patch list, to verify the following:\nx    That applicable critical vendor-supplied security patches are installed within one month of release.\nx    All applicable vendor-supplied security patches are installed within an appropriate time frame (for example, within three months).', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 6.4.5.1', '6.4.5.1 Documentation of impact.', 'not tested', 'Does change control documentation include the documentation of impact for each change?', '6.4.5.1 Verify that documentation of impact is included in the change control documentation for each sampled change.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 6.4.5.2', '6.4.5.2 Documented change approval by authorized parties.', 'not tested', 'Does change control documentation contain documented approval by authorized parties for each change?', '6.4.5.2 Verify that documented approval by authorized parties is present for each sampled change.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 6.4.5.3.a', '6.4.5.3 Functionality testing to verify that the change does not adversely impact the security of the system.', 'not tested', 'Is functionality testing performed to verify that the change does not adversely impact the security of the system for all changes?', '6.4.5.3.a For each sampled change, verify that functionality testing is performed to verify that the change does not adversely impact the security of the system.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 6.4.5.4', '6.4.5.4 Back-out procedures.', 'not tested', 'Does change control documentation contain back-out procedure for all changes?', '6.4.5.4 Verify that back-out procedures are prepared for each sampled change.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 6.4.5.a', '6.4.5 Change control procedures must include the following:', 'not tested', 'Do documented change control procedures require procedures to be defined for:\n\n. Documentation of impact\n\n. Documented change approval by authorized parties\n\n. Functionality testing to verify that the change does not adversely impact the security of the system\n\n. Back-out procedures?', '6.4.5.a Examine documented change control procedures and verify procedures are defined for:\nx  Documentation of impact\nx  Documented change approval by authorized parties\nx  Functionality testing to verify that the change does not adversely impact the security of the system\nx  Back-out procedures', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 6.4.5.b', '6.4.5 Change control procedures must include the following:', 'not tested', 'Are change control procedures consistently followed?', '6.4.5.b For a sample of system components, interview responsible personnel to determine recent changes. Trace those changes back to related change control documentation. For each change examined, perform the following:', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 6.4.6', '6.4.6 Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable.', 'not tested', 'Are applicable PCI DSS requirements implemented and documentation updated as part of a significant change?', '6.4.6 For a sample of significant changes, examine change records, interview personnel, and observe the affected systems/networks to verify that applicable PCI DSS requirements were implemented and documentation updated as part of the change.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 6.7', '6.7 Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties.', 'not tested', '', '6.7 Examine documentation and interview personnel to verify that security policies and operational procedures for developing and maintaining secure systems and applications are:\nx     Documented,\nx     In use, and\nx     Known to all affected parties.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 7.1', '7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.', 'not tested', 'Do written policies for access control require the following:\n\n.  Defining access needs and privilege assignments for each role \n\n. Restriction of access to privileged user IDs to least privileges necessary to perform job responsibilities \n\n. Assignment of access based on individual personnel’s job classification and function \n\n. Documented approval (electronically or in writing) by authorized parties for all access, including listing of specific privileges approved', '7.1 Examine written policy for access control, and verify that the policy incorporates 7.1.1 through 7.1.4 as follows:\nx  Defining access needs and privilege assignments for each role\nx  Restriction of access to privileged user IDs to least privileges necessary to perform job responsibilities\nx  Assignment of access based on individual personnel’s job\nclassification and function\nx  Documented approval (electronically or in writing) by authorized parties for all access, including listing of specific privileges approved.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 7.1.1', '7.1.1 Define access needs for each role, including:\nx  System components and data resources that each role needs to access for their job function\nx  Level of privilege required (for example, user, administrator, etc.) for accessing resources.', 'not tested', 'Are access needs for each role defined and do they include:\n\n. system components and data resources that each role needs for their job function\n\n. identification of level of privilege necessary for each role to perform their job function?', '7.1.1 Select a sample of roles and verify access needs for each role are defined and include:\nx  System components and data resources that each role needs to access for their job function\nx  Identification of privilege necessary for each role to perform their job function.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 7.1.2.a', '7.1.2 Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.', 'not tested', 'Is access to privileged user IDs restricted to least privileges necessary to perform job responsibilities?', '7.1.2.a Interview personnel responsible for assigning access to verify that access to privileged user IDs is:\nx  Assigned only to roles that specifically require such privileged access\nx  Restricted to least privileges necessary to perform job responsibilities.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 7.1.2.b', '', 'not tested', 'Is access to privileged user IDs assigned only to roles that specifically require that privileged access?', '7.1.2.b Select a sample of user IDs with privileged access and interview responsible management personnel to verify that privileges assigned are:\nx  Necessary for that individual’s job function\nx  Restricted to least privileges necessary to perform job responsibilities.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 7.1.3', '7.1.3 Assign access based on individual personnel’s job classification and function.', 'not tested', "Are access privileges assigned based on an individual's job classification and function?", '7.1.3 Select a sample of user IDs and interview responsible management personnel to verify that privileges assigned are based on that individual’s job classification and function.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 7.1.4', '7.1.4 Require documented approval by authorized parties specifying required privileges.', 'not tested', 'Is documented approval by authorized parties required for the assigned privileges and do the privileges match the roles assigned to the individual?', '7.1.4 Select a sample of user IDs and compare with documented approvals to verify that:\nx  Documented approval exists for the assigned privileges\nx  The approval was by authorized parties\nx  That specified privileges match the roles assigned to the individual.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 7.2', '7.2 Establish an access control system(s) for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed.\nThis access control system(s) must include the following:', 'not tested', "Is an access control system been implemented that restricts access based on a user's need to know?", '7.2 Examine system settings and vendor documentation to verify that an access control system(s) is implemented as follows:', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 7.2.1', '7.2.1 Coverage of all system components', 'not tested', 'Are access control systems in place on all system components?', '7.2.1 Confirm that access control systems are in place on all system components.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 7.2.2', '7.2.2 Assignment of privileges to individuals based on job classification and function.', 'not tested', 'Are access control systems configured to enforce privileges assigned to individuals based on job classification and function?', '7.2.2 Confirm that access control systems are configured to enforce privileges assigned to individuals based on job classification and function.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 7.2.3', '7.2.3 Default “deny-all” setting.', 'not tested', 'Do access control systems have a default “deny-all” setting?', '7.2.3 Confirm that the access control systems have a default\n“deny-all” setting.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 7.3', '7.3 Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to\nall affected parties.', 'not tested', 'Are security policies and operational procedures for restricting access to cardholder data documented, in use and known to all affected parties?', '7.3 Examine documentation and interview personnel to verify that security policies and operational procedures for restricting access to cardholder data are:\nx    Documented,\nx    In use, and\nx    Known to all affected parties.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 8.1.1', '8.1.1 Assign all users a unique ID before allowing them to access system components or cardholder data.', 'not tested', 'Are all users assigned a unique ID before allowing them to access system components or cardholder data?', '8.1.1 Interview administrative personnel to confirm that all users are assigned a unique ID for access to system components or cardholder data.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 8.1.2', '8.1.2 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.', 'not tested', 'Are additions, deletions, and modifications of user credentials controlled such that user IDs are implemented with only the privileges specified on the documented approval?', '8.1.2 For a sample of privileged user IDs and general user IDs, examine associated authorizations and observe system\nsettings to verify each user ID and privileged user ID has been\nimplemented with only the privileges specified on the documented approval.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 8.1.3.a', '8.1.3 Immediately revoke access for any terminated users.', 'not tested', 'Is access for any terminated users immediately deactivated or removed?', '8.1.3.a Select a sample of users terminated in the past six months, and review current user access lists—for both local and remote access—to verify that their IDs have been deactivated or removed from the access lists.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 8.1.3.b', '8.1.3 Immediately revoke access for any terminated users.', 'not tested', 'Are all physical authentication methods - such as smart cards, tokens, etc. - returned or deactivated upon termination?', '8.1.3.b Verify all physical authentication methods—such as, smart cards, tokens, etc.—have been returned or deactivated.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 8.1.4', '8.1.4 Remove/disable inactive user accounts within 90 days.', 'not tested', 'Are inactive user accounts either removed or disabled within 90 days?', '8.1.4 Observe user accounts to verify that any inactive accounts over 90 days old are either removed or disabled.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 8.1.5.a', '8.1.5 Manage IDs used by third parties to access, support, or maintain system components via remote access as follows:\nx  Enabled only during the time period needed and disabled when not in use.\nx  Monitored when in use.', 'not tested', 'Are accounts used by third parties to access, support, or maintain system components via remote access enabled only during the time period needed and disabled when not in use?', '8.1.5.a Interview personnel and observe processes for managing accounts used by third parties to access, support, or maintain system components to verify that accounts used for remote access are:\nx  Disabled when not in use\nx  Enabled only when needed by the third party, and disabled when not in use.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 8.1.5.b', '8.1.5 Manage IDs used by third parties to access, support, or maintain system components via remote access as follows:\nx  Enabled only during the time period needed and disabled when not in use.\nx  Monitored when in use.', 'not tested', 'Are vendor remote access accounts monitored when in use?', '8.1.5.b Interview personnel and observe processes to verify that third-party remote access accounts are monitored while being used.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 8.1.6.a', '8.1.6 Limit repeated access attempts by locking out the user ID after not more than six attempts.', 'not tested', 'Are repeated access attempts limited by locking out the user ID after no more than six invalid attempts?', '8.1.6.a For a sample of system components, inspect system configuration settings to verify that authentication parameters are set to require that user accounts be locked out after not more than six invalid logon attempts.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 8.1.7', '8.1.7 Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID.', 'not tested', 'Is the lockout duration set to a minimum of 30 minutes or until an administrator enables the user ID for locked out account?', '8.1.7 For a sample of system components, inspect system configuration settings to verify that password parameters are set to require that once a user account is locked out, it remains locked for a minimum of 30 minutes or until a system administrator resets the account.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 8.1.8', '8.1.8 If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.', 'not tested', 'Are users required to re-authenticate to re-activate the terminal or session that has been idle for more than 15 minutes?', '8.1.8 For a sample of system components, inspect system configuration settings to verify that system/session idle time out features have been set to 15 minutes or less.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 8.1.a', '8.1 Define and implement policies and procedures to ensure proper user identification management for non- consumer users and administrators on all system components as follows:', 'not tested', 'Do documented policies and procedures require proper user identification management for non-consumer users and administrators on all system components?', '8.1.a Review procedures and confirm they define processes for each of the items below at 8.1.1 through 8.1.8', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 8.1.b', '8.1 Define and implement policies and procedures to ensure proper user identification management for non- consumer users and administrators on all system components as follows:', 'not tested', 'Are user identification management procedures consistently followed?', '8.1.b Verify that procedures are implemented for user identification management, by performing the following:', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 8.2', '8.2 In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users:\nx    Something you know, such as a password or passphrase\nx    Something you have, such as a token device or smart card\nx    Something you are, such as a biometric.', 'not tested', 'In addition to assigning a unique ID, is one or more of the following methods employed to authenticate all users?  \n\n. Something you know (such as a password or passphrase) \n\n. Something you have (such as a token device or smart card) \n\n. Something you are (such as a biometric)', '8.2 To verify that users are authenticated using unique ID and additional authentication (for example, a password/phrase) for access to the cardholder data environment, perform the following:\nx   Examine documentation describing the authentication method(s) used.\nx   For each type of authentication method used and for each type of system component, observe an authentication to verify authentication is functioning consistent with documented authentication method(s).', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 8.2.1.a', '8.2.1 Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components.', 'not tested', 'Is strong cryptography used to render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components?', '8.2.1.a Examine vendor documentation and system configuration settings to verify that passwords are protected with strong cryptography during transmission and storage.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 8.2.1.b', '8.2.1 Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components.', 'not tested', 'Is strong cryptography used to render all non-consumer users’ authentication credentials (such as passwords/phrases) unreadable during storage?', '8.2.1.b For a sample of system components, examine password files to verify that passwords are unreadable during storage.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 8.2.1.c', '8.2.1 Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components.', 'not tested', 'Is strong cryptography used to render all non-consumer authentication credentials (such as passwords/phrases) unreadable during transmission on all system components?', '8.2.1.c For a sample of system components, examine data transmissions to verify that passwords are unreadable during transmission.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 8.2.2', '8.2.2 Verify user identity before modifying any authentication credential—for example, performing password resets, provisioning new tokens, or generating new keys.', 'not tested', 'Is user identity verified before modifying any authentication credential like performing password resets, provisioning new tokens, or generating new keys?', '8.2.2 Examine authentication procedures for modifying authentication credentials and observe security personnel to verify that, if a user requests a reset of an authentication credential by phone, e-mail, web, or other non-face-to-face method, the user’s identity is verified before the authentication credential is modified.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 8.2.3a', '8.2.3 Passwords/passphrases must meet the following:\nx  Require a minimum length of at least seven characters.\nx  Contain both numeric and alphabetic characters.\nAlternatively, the passwords/ passphrases must have complexity and strength at least equivalent to the parameters specified above.', 'not tested', 'Have user password parameters been configured to require at least the following strength/complexity:\n\n. Minimum password length of at least seven characters, and\n\n. Contain both numeric and alphabetic characters?', '8.2.3a For a sample of system components, inspect system configuration settings to verify that user password/passphrase parameters are set to require at least the following strength/complexity:\nx  Require a minimum length of at least seven characters.\nx  Contain both numeric and alphabetic characters.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 8.2.4.a', '8.2.4 Change user passwords/passphrases at least once every 90 days.', 'not tested', 'Are users required to change their  passwords/passphrases at least once every 90 days?', '8.2.4.a For a sample of system components, inspect system configuration settings to verify that user password/passphrase parameters are set to require users to change passwords at least once every 90 days.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 8.2.5.a', '8.2.5 Do not allow an individual to submit a new password/passphrase that is the same as any of the last four passwords/passphrases he or she has used.', 'not tested', 'Is password history configured such that new passwords cannot be the same as any of the four previously used passwords?', '8.2.5.a For a sample of system components, obtain and inspect system configuration settings to verify that password parameters are set to require that new passwords/passphrases cannot be the same as the four previously used passwords/passphrases.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 8.2.6', '8.2.6 Set passwords/passphrases for first-time use and upon reset to a unique value for each user, and change immediately after the first use.', 'not tested', 'Are first-time passwords for new users and reset passwords for existing users set to a unique value for each user and required to be changed after first use?', '8.2.6 Examine password procedures and observe security personnel to verify that first-time passwords/passphrases for new users, and reset passwords/passphrases for existing users, are set to a unique value for each user and changed after first use.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 8.3', '8.3 Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication.\n\n\nNote: Multi-factor authentication requires that a minimum of two of the three authentication methods (see\nRequirement 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate\npasswords) is not considered multi-factor authentication.', 'not tested', 'Is multi-factor authentication required for remote network access for all personnel (including administrators and vendors)?', '', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 8.3.1.a', '8.3.1 Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.', 'not tested', 'Is multi-factor authentication required for all non-console administrative access into the cardholder data environment (CDE)?', '8.3.1.a Examine network and/or system configurations, as applicable, to verify multi-factor authentication is required for all non-console administrative access into the CDE.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 8.3.1.b', '8.3.1 Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.', 'not tested', 'When administrative personnel login to the cardholder data environment (CDE), are at least two different authentication methods used?', '8.3.1.b Observe a sample of administrator personnel login to the CDE and verify that at least two of the three authentication methods are used.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 8.3.2.a', '8.3.2 Incorporate multi-factor authentication for all remote network access (both user and administrator, and including third-party access for support\nor maintenance) originating from outside the entity’s network.', 'not tested', 'Do system configurations for remote access servers and systems require multi-factor authentication for:\n. All remote access by personnel (both user and administrator)\n. All third-party / vendor remote access (including access to applications and system components for support or maintenance purposes?', '8.3.2.a Examine system configurations for remote access servers and systems to verify multi-factor authentication is required for:\nx    All remote access by personnel, both user and administrator, and\nx    All third-party/vendor remote access (including access to applications and system components for support or maintenance purposes).', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 8.3.2.b', '8.3.2 Incorporate multi-factor authentication for all remote network access (both user and administrator, and including third-party access for support or maintenance) originating from outside the entity’s network.', 'not tested', 'When personnel connect remotely to the network, are at least two different authentication methods used?', '8.3.2.b Observe a sample of personnel (for example, users and administrators) connecting remotely to the network and verify that at least two of the three authentication methods are used.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 8.4.a', '8.4.a Examine procedures and interview personnel to verify that authentication policies and procedures are distributed to all users.', 'not tested', 'Are authentication procedures and policies documented and communicated to all users?', '8.4.a Examine procedures and interview personnel to verify that authentication policies and procedures are distributed to all users.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 8.4.a', '8.4.a Examine procedures and interview personnel to verify that authentication policies and procedures are distributed to all users.', 'not tested', 'Are authentication procedures and policies documented and communicated to all users?', '8.4.a Examine procedures and interview personnel to verify that authentication policies and procedures are distributed to all users.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 8.4.b', '8.4 Document and communicate authentication policies and procedures to all users including:\nx    Guidance on selecting strong authentication credentials\nx    Guidance for how users should protect their authentication credentials\nx    Instructions not to reuse previously used passwords\nx    Instructions to change passwords if there is any suspicion the password could be compromised.', 'not tested', 'Do authentication procedures and policies include the following? \n\n. Guidance on selecting strong authentication credentials \n\n. Guidance for how users should protect their authentication credentials\n\n. Instructions not to reuse previously used passwords \n\n. Instructions that users should change passwords if there is any suspicion the password could be compromised', '8.4.b Review authentication policies and procedures that are distributed to users and verify they include:\nx    Guidance on selecting strong authentication credentials\nx    Guidance for how users should protect their authentication credentials.\nx    Instructions for users not to reuse previously used passwords\nx    Instructions to change passwords if there is any suspicion the password could be compromised.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 8.4.b', '8.4 Document and communicate authentication policies and procedures to all users including:\nx    Guidance on selecting strong authentication credentials\nx    Guidance for how users should protect their authentication credentials\nx    Instructions not to reuse previously used passwords\nx    Instructions to change passwords if there is any suspicion the password could be compromised.', 'not tested', 'Do authentication procedures and policies include the following? \n\n. Guidance on selecting strong authentication credentials \n\n. Guidance for how users should protect their authentication credentials\n\n. Instructions not to reuse previously used passwords \n\n. Instructions that users should change passwords if there is any suspicion the password could be compromised', '8.4.b Review authentication policies and procedures that are distributed to users and verify they include:\nx    Guidance on selecting strong authentication credentials\nx    Guidance for how users should protect their authentication credentials.\nx    Instructions for users not to reuse previously used passwords\nx    Instructions to change passwords if there is any suspicion the password could be compromised.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 8.4.c', '8.4 Document and communicate authentication policies and procedures to all users including:\nx    Guidance on selecting strong authentication credentials\nx    Guidance for how users should protect their authentication credentials\nx    Instructions not to reuse previously used passwords\nx    Instructions to change passwords if there is any suspicion the password could be compromised.', 'not tested', 'Are users familiar with authentication policies and procedures?', '8.4.c Interview a sample of users to verify that they are familiar with authentication policies and procedures.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 8.5.a', '8.5 Do not use group, shared, or generic IDs, passwords, or other authentication methods as follows:\nx   Generic user IDs are disabled or removed.\nx   Shared user IDs do not exist for system administration and other critical functions.\nx   Shared and generic user IDs are not used to administer any system components.', 'not tested', 'Will a review of the user / account list for system components verify the following:\n\n. Generic user IDs and accounts are disabled or removed\n\n. No shared user IDs exist for system administration activities and other critical functions\n\n. Shared and generic user IDs are not used to administer in any system components?', '8.5.a For a sample of system components, examine user ID lists to verify the following:\nx   Generic user IDs are disabled or removed.\nx   Shared user IDs for system administration activities and other critical functions do not exist.\nx   Shared and generic user IDs are not used to administer any system components.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 8.5.b', '8.5 Do not use group, shared, or generic IDs, passwords, or other authentication methods as follows:\nx   Generic user IDs are disabled or removed.\nx   Shared user IDs do not exist for system administration and other critical functions.\nx   Shared and generic user IDs are not used to administer any system components.', 'not tested', 'Do documented authentication policies / procedures explicitly prohibit the use of group and shared IDs and/or passwords or other authentication methods?', '8.5.b Examine authentication policies and procedures to verify that use of group and shared IDs and/or passwords or other authentication methods are explicitly prohibited.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 8.5.c', '8.5 Do not use group, shared, or generic IDs, passwords, or other authentication methods as follows:\nx   Generic user IDs are disabled or removed.\nx   Shared user IDs do not exist for system administration and other critical functions.\nx   Shared and generic user IDs are not used to administer any system components.', 'not tested', 'System administrators never distribute group and shared IDs and/or passwords, even if they are requested.  Is this true?', '8.5.c Interview system administrators to verify that group and shared IDs and/or passwords or other authentication methods are not distributed, even if requested.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 8.6.a', '8.6 Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), use of these mechanisms must be assigned as follows:\nx    Authentication mechanisms must be assigned to an individual account and not shared among multiple accounts.\nx    Physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access.', 'not tested', 'Do documented authentication policies and procedures for using authentication mechanisms such as physical security tokens, smart cards, and certificates include:\n\n. Authentication mechanisms assigned to an individual account and not shared among multiple accounts\n\n. Physical and/or logical controls are defined to ensure only the intended account can use that mechanism to gain access.', '8.6.a Examine authentication policies and procedures to verify that procedures for using authentication mechanisms such as physical security tokens, smart cards, and certificates are defined and include:\nx    Authentication mechanisms are assigned to an individual account and not shared among multiple accounts.\nx    Physical and/or logical controls are defined to ensure only the intended account can use that mechanism to gain access.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 8.6.b', '8.6 Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), use of these mechanisms must be assigned as follows:\nx    Authentication mechanisms must be assigned to an individual account and not shared among multiple accounts.\nx    Physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access.', 'not tested', 'Are authentication mechanisms assigned to an individual account and not shared among multiple accounts?', '8.6.b Interview security personnel to verify authentication mechanisms are assigned to an account and not shared among multiple accounts.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 8.6.c', '8.6 Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), use of these mechanisms must be assigned as follows:\nx    Authentication mechanisms must be assigned to an individual account and not shared among multiple accounts.\nx    Physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access.', 'not tested', 'Are authentication mechanisms configured to ensure that only the intended account can use the mechanism to gain access?', '8.6.c Examine system configuration settings and/or physical controls, as applicable, to verify that controls are implemented to ensure only the intended account can use that mechanism to gain access.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 8.8', '8.8 Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties.', 'not tested', 'Are security policies and operational procedures for identification and authentication documented, in use and known to all affected parties?', '8.8 Examine documentation and interview personnel to verify\nthat security policies and operational procedures for identification and authentication are:\nx    Documented,\nx    In use, and\nx    Known to all affected parties.', '', '', 'Jumping Point | Badge & ID'], ['PCI DSS v3.2.1 Req. § 9.1', '9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.', 'not tested', 'Do physical security controls exist for each computer room, data center, and other physical areas with systems in the cardholder data environment?', '9.1 Verify the existence of physical security controls for each computer room, data center, and other physical areas with systems in the cardholder data environment.\nx    Verify that access is controlled with badge readers or other devices including authorized badges and lock and key.\nx    Observe a system administrator’s attempt to log into consoles for randomly selected systems in the cardholder data environment and verify that they are “locked” to prevent unauthorized use.', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 9.1.1.a', '9.1.1 Use either video cameras or access control mechanisms (or both) to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law.\n\nNote: “Sensitive areas” refers to any\ndata center, server room or any area that houses systems that store, process, or transmit cardholder data. This excludes public-facing areas where only point-of- sale terminals are present, such as the cashier areas in a retail store.', 'not tested', 'Are video cameras and/or access-control mechanisms in place to monitor individual physical access to sensitive areas (such as data center, server room, or any area that houses systems that store, process, or transmit cardholder data)?', '9.1.1.a Verify that either video cameras or access control mechanisms (or both) are in place to monitor the entry/exit points to sensitive areas.', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 9.1.1.b', '9.1.1 Use either video cameras or access control mechanisms (or both) to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law.\n\nNote: “Sensitive areas” refers to any\ndata center, server room or any area that houses systems that store, process, or transmit cardholder data. This excludes public-facing areas where only point-of- sale terminals are present, such as the cashier areas in a retail store.', 'not tested', 'Are video cameras and/or access-control mechanisms protected from tampering or disabling?', '9.1.1.b Verify that either video cameras or access control mechanisms (or both) are protected from tampering or disabling.', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 9.1.1.c', '', 'not tested', 'Are video cameras and/or access control mechanisms monitored and is data from cameras or other mechanisms stored for at least 3 months?', '9.1.1.c Verify that data from video cameras and/or access control mechanisms is reviewed, and that data is stored for at least three months.', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 9.1.2', '9.1.2 Implement physical and/or logical controls to restrict access to publicly accessible network jacks.\n\nFor example, network jacks located in public areas and areas accessible to visitors could be disabled and only enabled when network access is explicitly authorized. Alternatively, processes could be implemented to ensure that visitors are escorted at all times in areas with active network jacks.', 'not tested', 'Are physical and/or logical controls in place to restrict access to publicly accessible network jacks?', '9.1.2 Interview responsible personnel and observe locations of publicly accessible network jacks to verify that physical and/or logical controls are in place to restrict access to publicly accessible network jacks.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 9.1.3', '9.1.3 Restrict physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines.', 'not tested', 'Is physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines appropriately restricted?', '9.1.3 Verify that physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines is appropriately restricted.', '', '', 'Network | All'], ['PCI DSS v3.2.1 Req. § 9.3.a', '9.3 Control physical access for onsite personnel to sensitive areas as follows:\nx    Access must be authorized and based on individual job function.\nx    Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled.', 'not tested', 'Is physical access to sensitive areas controlled for onsite personnel with access authorized and based on individual job function?', '9.3.a For a sample of onsite personnel with physical access to sensitive areas, interview responsible personnel and observe access control lists to verify that:\nx    Access to the sensitive area is authorized.\nx    Access is required for the individual’s job function.', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 9.3.b', '9.3 Control physical access for onsite personnel to sensitive areas as follows:\nx    Access must be authorized and based on individual job function.\nx    Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled.', 'not tested', 'Is physical access to sensitive areas revoked immediately upon termination?', '9.3.b Observe personnel accessing sensitive areas to verify that all personnel are authorized before being granted access.', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 9.3.c', '9.3 Control physical access for onsite personnel to sensitive areas as follows:\nx    Access must be authorized and based on individual job function.\nx    Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled.', 'not tested', 'Are all physical access mechanisms, such as keys, access cards, etc., returned or disabled upon termination?', '9.3.c Select a sample of recently terminated employees and review access control lists to verify the personnel do not have physical access to sensitive areas.', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 9.4', '9.4 Implement procedures to identify and authorize visitors.\nProcedures should include the following:', 'not tested', 'Is visitor identification and access handled appropriately?', '9.4 Verify that visitor authorization and access controls are in place as follows:', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 9.4.1.a', '9.4.1 Visitors are authorized before entering, and escorted at all times within, areas where cardholder data is processed or maintained.', 'not tested', 'Are visitors authorized before they are granted access to, and escorted at all times within, areas where cardholder data is processed or maintained?', '9.4.1.a Identify the documented procedures examined to verify that visitors must be authorized before they are granted access to, and escorted at all times within, areas where cardholder data is processed or maintained.', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 9.4.1.b', '9.4.1 Visitors are authorized before entering, and escorted at all times within, areas where cardholder data is processed or maintained.', 'not tested', 'Do you confirm that a visitor badge does not permit unescorted access to physical areas where cardholder data is processed or maintained?', '9.4.1.b Observe the use of visitor badges or other identification to verify that a physical token badge does not permit unescorted access to physical areas where cardholder data is processed or maintained.', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 9.4.4.a', '9.4.4 A visitor log is used to maintain a physical audit trail of visitor activity to the facility as well as computer rooms and data centers where cardholder data is stored or transmitted.\nDocument the visitor’s name, the firm represented, and the onsite personnel authorizing physical access on the log.\nRetain this log for a minimum of three months, unless otherwise restricted by law.', 'not tested', 'Is a visitor log in use to record physical access to the facility as well as to computer rooms and data centers where cardholder data is stored or transmitted?', '9.4.4.a Verify that a visitor log is in use to record physical access to the facility as well as computer rooms and data centers where cardholder data is stored or transmitted.', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 9.4.4.b', '9.4.4 A visitor log is used to maintain a physical audit trail of visitor activity to the facility as well as computer rooms and data centers where cardholder data is stored or transmitted.\nDocument the visitor’s name, the firm represented, and the onsite personnel authorizing physical access on the log.\nRetain this log for a minimum of three months, unless otherwise restricted by law.', 'not tested', 'Does the visitor log contain the visitor’s name, the firm represented, and the onsite personnel authorizing physical access?', '9.4.4.b Verify that the log contains:\n\nx  The visitor’s name,\nx  The firm represented, and\nx  The onsite personnel authorizing physical access.', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 9.4.4.c', '9.4.4 A visitor log is used to maintain a physical audit trail of visitor activity to the facility as well as computer rooms and data centers where cardholder data is stored or transmitted.\nDocument the visitor’s name, the firm represented, and the onsite personnel authorizing physical access on the log.\nRetain this log for a minimum of three months, unless otherwise restricted by law.', 'not tested', 'Is the visitor log retained for at least three months?', '9.4.4.c Verify that the log is retained for at least three months.', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 9.5', '9.5 Physically secure all media.', 'not tested', 'Do documented procedures require that all media, including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes, is physically secured ?  For purposes of Requirement 9, “media” refers to all paper and electronic media containing cardholder data.', '9.5 Verify that procedures for protecting cardholder data include controls for physically securing all media (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes).', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 9.5.1', '9.5.1 Store media backups in a secure location, preferably an off-site facility, such as an alternate or backup site, or a commercial storage facility. Review the location’s security at least annually.', 'not tested', 'Are media back-ups stored in a secure location, preferably in an off-site facility, such as an alternate or backup site, or a commercial storage facility?', '9.5.1 Verify that the storage location security is reviewed at least annually to confirm that backup media storage is secure.', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 9.6', '9.6 Maintain strict control over the internal or external distribution of any kind of media, including the following:', 'not tested', 'Do documented policies controlling the distribution of media cover all distributed media including that distributed to individuals?', '9.6 Verify that a policy exists to control distribution of media, and that the policy covers all distributed media including that distributed to individuals.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 9.6.1', '9.6.1 Classify media so the sensitivity of the data can be determined.', 'not tested', 'Is media classified so that sensitivity of the data can be determined?', '9.6.1 Verify that all media is classified so the sensitivity of the data can be determined.', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 9.6.2.a', '9.6.2 Send the media by secured courier or other delivery method that can be accurately tracked.', 'not tested', 'Is media sent by secured courier or other delivery method that can be accurately tracked?', '9.6.2.a Interview personnel and examine records to verify that all media sent outside the facility is logged and sent via secured courier or other delivery method that can be tracked.', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 9.6.2.b', '9.6.2 Send the media by secured courier or other delivery method that can be accurately tracked.', 'not tested', 'Are tracking details documented for media sent off-site?', '9.6.2.b Select a recent sample of several days of offsite tracking logs for all media, and verify tracking details are documented.', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 9.6.3', '9.6.3 Ensure management approves any and all media that is moved from a secured area (including when media is distributed to individuals).', 'not tested', 'Is management approval obtained prior to moving media especially when media is distributed to individuals?', '9.6.3 Select a recent sample of several days of offsite tracking logs for all media. From examination of the logs and interviews with responsible personnel, verify proper management authorization is obtained whenever media is moved from a secured area (including when media is distributed to individuals).', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 9.7', '9.7 Maintain strict control over the storage and accessibility of media.', 'not tested', 'Do documented policies for controlling storage and maintenance of all media require periodic media inventories?', '9.7 Obtain and examine the policy for controlling storage and maintenance of all media and verify that the policy requires periodic media inventories.', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 9.7.1', '9.7.1 Properly maintain inventory logs of all media and conduct media inventories at least annually.', 'not tested', 'Are inventory logs of all media properly maintained and inventoried at least annually?', '9.7.1 Review media inventory logs to verify that logs are maintained and media inventories are performed at least annually.', '', '', 'Data Center | TOMS-AWS'], ['PCI DSS v3.2.1 Req. § 9.8', '9.8 Destroy media when it is no longer needed for business or legal reasons as follows:', 'not tested', 'Do documented media destruction policies cover all media and include requirements for:\n\n. Hard-copy materials must be crosscut shredded\n\n. Storage containers used for materials that are to be destroyed must be secured\n\n. Cardholder data on electronic media must be rendered unrecoverable via a secure wipe program or by physically destroying the media?', '9.8 Examine the periodic media destruction policy and verify that it covers all media and defines requirements for the following:\nx    Hard-copy materials must be crosscut shredded, incinerated, or pulped such that there is reasonable assurance the hard- copy materials cannot be reconstructed.\nx    Storage containers used for materials that are to be destroyed must be secured.\nx    Cardholder data on electronic media must be rendered unrecoverable (e.g., via a secure wipe program in accordance with industry-accepted standards for secure deletion, or by physically destroying the media).', '', '', 'IT Security | All'], ['PCI DSS v3.2.1 Req. § 9.8.2', '9.8.2 Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed.', 'not tested', 'Is cardholder data on electronic media rendered unrecoverable (e.g. via a secure wipe program in accordance with industry-accepted standards for secure deletion, or otherwise by physically destroying the media), so that cardholder data cannot be reconstructed', '9.8.2 Verify that cardholder data on electronic media is rendered unrecoverable (e.g., via a secure wipe program in accordance with industry-accepted standards for secure deletion, or by physically destroying the media).', '', '', 'Data Center | TOMS-AWS']]
2
3from docx import Document
4def double_column():
5	table.add_row()
6	table.add_row()
7	for i in range(3,4):
8		a_merge = table.cell(-1,i)  	
9		b_merge = table.cell(-1,i+1)
10		a_merge.merge(b_merge)
11		a_merge = table.cell(-2,i)  	
12		b_merge = table.cell(-2,i+1)
13		a_merge.merge(b_merge)
14
15	for i in range(0,3):   
16		a_merge = table.cell(-2,i)
17		b_merge = table.cell(-1,i)
18		a_merge.merge(b_merge)
19	for i in range(5,8):  
20		a_merge = table.cell(-2,i)
21		b_merge = table.cell(-1,i)
22		a_merge.merge(b_merge)
23
24	for i in range(0,2):
25		a_merge = table.cell(-1,i)  	
26		b_merge = table.cell(-1,i+1)
27		a_merge.merge(b_merge)
28	for i in range(5,7):
29		a_merge = table.cell(-1,i)  	
30		b_merge = table.cell(-1,i+1)
31		a_merge.merge(b_merge)
32
33
34
35from docx.shared import Cm, Inches
36doc = Document()
37
38table = doc.add_table(rows = 2, cols = 8)
39table.style = 'Table Grid'
40columns_name = ["PCI DSS Requirements and Testing Procedures","Reporting Instruction","Reporting Details: Assessor’s Response","Summary of Assessment Findings(check one)","In Place","In Place w/ CCW","N/A","Not Tested","Not in place"]
41
42for i in range(0,3):   # merging of rows
43	a_merge = table.cell(0,i)
44	b_merge = table.cell(1,i)
45	a_merge.merge(b_merge)
46for i in range(3,7):
47	a_merge = table.cell(0,i)  	#merging the columns
48	b_merge = table.cell(0,i+1)
49	a_merge.merge(b_merge)
50
51#writing the column names into table
52counter = 0
53for cell in table.rows[0].cells:
54	if counter<4:
55		cell.text = columns_name[counter]
56	else:
57		break
58	counter+=1
59
60for cell in table.rows[1].cells:
61	if counter>6:
62		cell.text = columns_name[counter-3]
63	counter+=1
64
65last_control = ''     #variable for checking repetation
66for c_control in raw_data:
67	string = c_control[0]
68	print(c_control[0])
69	if (string[-1].isdigit()):
70		if not (last_control == c_control[0]):
71			top_control = c_control[0]
72			table.add_row()
73			for i in range(0,2):
74				a_merge = table.cell(-1,i)  	
75				b_merge = table.cell(-1,i+1)
76				a_merge.merge(b_merge)
77			table.cell(-1,0).text = c_control[1]
78
79			double_column()
80
81			table.cell(-1,0).text = c_control[4]
82			table.cell(-2,4).text = c_control[3]
83			table.cell(-1,4).text = c_control[5]
84			table.cell(-1,5).text = c_control[7]
85			temp = '  ' + c_control[6]
86			table.cell(-1,5).text += temp
87
88
89			last_control = c_control[0]
90		else:
91			temp1 = '\n' + c_control[7]
92			table.cell(-1,5).text += temp1
93			temp = '  ' + c_control[6]
94			table.cell(-1,5).text += temp
95
96			last_control = c_control[0]
97			
98	else:
99		if top_control in c_control[0] and 'a' in c_control[0]:
100			if not (last_control ==c_control[0]):					
101				table.add_row()
102				for i in range(0,2):
103					a_merge = table.cell(-1,i)  	
104					b_merge = table.cell(-1,i+1)
105					a_merge.merge(b_merge)		
106				table.cell(-1,0).text = c_control[1]   #description
107				double_column()
108				table.cell(-1,0).text = c_control[4]	# testing_procedure
109				table.cell(-2,4).text = c_control[3]	# attestation
110				table.cell(-1,4).text = c_control[5]	# instructions
111				table.cell(-1,5).text = c_control[7]	# profile name
112				temp = '  ' + c_control[6]
113				table.cell(-1,5).text += temp			# roc_comments
114				last_control = c_control[0]
115			else:
116				temp1 = '\n' + c_control[7]
117				table.cell(-1,5).text += temp1
118				temp = '  ' + c_control[6]
119				table.cell(-1,5).text += temp
120				last_control = c_control[0]
121		else:
122			if not (last_control == c_control[0]):
123				double_column()
124				table.cell(-1,0).text = c_control[4]  
125				table.cell(-2,4).text = c_control[3]  
126				table.cell(-1,4).text = c_control[5]
127				table.cell(-1,5).text = c_control[7]
128				temp = '  ' + c_control[6]
129				table.cell(-1,5).text += temp
130			else:
131				temp1 = '\n' + c_control[7]
132				table.cell(-1,5).text += temp1
133				temp = '  ' + c_control[6]
134				table.cell(-1,5).text += temp
135				last_control = c_control[0]
136				
137doc.save('testing.docx')