PCI to Unified Control Map

Use this guide to identify a Unified Control by its corresponding PCI framework control.

Written by Drew Salisbury
Updated over a year ago

If you’re used to working with a specific PCI framework control, you can use this guide to identify its corresponding Unified Control.

For more information, and to view other framework control maps, visit the Unified Controls FAQ.

PCI Control | Unified Control
--- | ---
1.1.1 Maintaining Effective Security Policies | CTRL-431 Information Security Policy and Procedures
1.1.2 Assigning Requirement 1 Responsibilities | CTRL-545 Position Descriptions
1.2.1 NSC Rulesets Configuration Standards | CTRL-208 Configuration Management
1.2.2 Managing Network Connection Changes | CTRL-190 Change Management and Software Development Life Cycle
1.2.3 Maintaining Accurate Network Diagrams | CTRL-198 Network Segmentation
1.2.4 Maintaining Accurate Data-Flow Diagrams | CTRL-198 Network Segmentation
1.2.5 Regulating Business-related Tech Services | CTRL-118 Network Protocols
1.2.6 Implementing Security for Insecure Services | CTRL-118 Network Protocols
1.2.7 Biannual NSC Configuration Review | CTRL-950 Boundary Protection
1.2.8 Securing NSC Configuration Files | CTRL-208 Configuration Management
1.3.1 CDE Inbound Traffic Restrictions | CTRL-950 Boundary Protection
1.3.2 CDE Outbound Traffic Restrictions | CTRL-950 Boundary Protection
1.3.3 NSCs Regulating Wireless Network Traffic | CTRL-950 Boundary Protection
1.4.1 Implementing NSCs in Networks | CTRL-950 Boundary Protection
1.4.2 Restrictions on Inbound Traffic | CTRL-950 Boundary Protection
1.4.3 Implementing Anti-Spoofing Measures | CTRL-1010 Anti-Spoofing Mechanisms
1.4.4 Cardholder Data Protection Measures | CTRL-950 Boundary Protection
1.4.5 Restricted IP Address Disclosure | CTRL-178 Interconnected Systems
1.5.1 Implementing Security Controls | CTRL-79 Mobile Device Management
2.1.1 Maintaining Security Policies and Procedures | CTRL-353 Change Authenticators Prior To Delivery
2.1.2 Assigning Requirement 2 Responsibilities | CTRL-545 Position Descriptions
2.2.1 Maintaining Configuration Standards | CTRL-208 Configuration Management
2.2.2 Managing Vendor Default Accounts | CTRL-353 Change Authenticators Prior To Delivery
2.2.3 Managing Primary Functions Security Levels | CTRL-208 Configuration Management
2.2.4 Optimizing System Functionality | CTRL-118 Network Protocols
2.2.5 Insecure Services Risk Reduction | CTRL-118 Network Protocols
2.2.6 Preventing Misuse with Security Configuration | CTRL-208 Configuration Management
2.2.7 Encrypting Non-Console Administrative Access | CTRL-112 Encryption of Data at Rest and in Transit
2.3.1 Securing Wireless Network Installations | CTRL-121 Wireless Network
2.3.2 Changing Wireless Encryption Keys | CTRL-121 Wireless Network
3.1.1 Maintaining Security Policies and Procedures | CTRL-194 Cryptography Management
3.1.2 Assigning Requirement 3 Responsibilities | CTRL-194 Cryptography Management
3.2.1 Data Retention Policies | CTRL-896 Information Management and Retention
3.3.1 SAD Erased After Authorization | CTRL-923 Removal of Direct Identifiers
3.3.1.1 Track Contents Not Retained | CTRL-923 Removal of Direct Identifiers
3.3.1.2 Card Verification Code Not Retained | CTRL-923 Removal of Direct Identifiers
3.3.1.3 PIN Not Retained Post-Authorization | CTRL-923 Removal of Direct Identifiers
3.3.2 SAD Electronic Storage Encryption | CTRL-112 Encryption of Data at Rest and in Transit
3.3.3 Additional Requirement for Issuers and Companies That Support Issuing Services | CTRL-112 Encryption of Data at Rest and in Transit
3.4.1 PAN Display Limitations | CTRL-923 Removal of Direct Identifiers
3.4.2 Remote-Access Control for PAN | CTRL-110 Remote Access
3.5.1 Securing PAN through Cryptography | CTRL-923 Removal of Direct Identifiers
3.5.1.1 Keyed Hashes for PAN Security | CTRL-194 Cryptography Management
3.5.1.2 Disk-Level Encryption Guidelines | CTRL-194 Cryptography Management
3.5.1.3 Managing Disk-Level Encryption | CTRL-194 Cryptography Management
3.6.1 Cryptographic Key Protection Procedures | CTRL-194 Cryptography Management
3.6.1.1 Additional Requirement for Service Providers Only | CTRL-194 Cryptography Management
3.6.1.2 Secure Key Storage Methods | CTRL-194 Cryptography Management
3.6.1.3 Limited Access to Cryptographic Keys | CTRL-194 Cryptography Management
3.6.1.4 Minimizing Cryptographic Key Storage | CTRL-194 Cryptography Management
3.7.1 Implementing Key-Management Policies | CTRL-194 Cryptography Management
3.7.2 Secure Cryptographic Key Distribution | CTRL-194 Cryptography Management
3.7.3 Secure Cryptographic Key Management | CTRL-194 Cryptography Management
3.7.4 Cryptographic Key Management Policies | CTRL-194 Cryptography Management
3.7.5 Key-Management Policy Procedures | CTRL-194 Cryptography Management
3.7.6 Cryptographic Key-Management Procedures | CTRL-194 Cryptography Management
3.7.7 Cryptographic Key-Management Policies | CTRL-194 Cryptography Management
3.7.8 Cryptographic Key Custodian Policies | CTRL-194 Cryptography Management
3.7.9 Additional Requirement for Service Providers Only | CTRL-194 Cryptography Management
4.1.1 Maintaining Security Policies and Procedures | CTRL-932 System Protection Policy and Procedures
4.1.2 Assigning Requirement 4 Responsibilities | CTRL-545 Position Descriptions
4.2.1 Safeguarding PAN via Cryptography | CTRL-112 Encryption of Data at Rest and in Transit
4.2.1.1 Maintaining Secure PAN Transmission | CTRL-435 System Inventory
4.2.1.2 Secure Wireless Network Practices | CTRL-112 Encryption of Data at Rest and in Transit
4.2.2 Securing PAN with Cryptography | CTRL-112 Encryption of Data at Rest and in Transit
5.1.1 Maintaining Security Policies and Procedures | CTRL-932 System Protection Policy and Procedures
5.1.2 Assigning Requirement 5 Responsibilities | CTRL-545 Position Descriptions
5.2.1 Anti-Malware Deployment Exceptions | CTRL-822 Malicious Code Protection
5.2.2 Comprehensive Anti-Malware Solution | CTRL-822 Malicious Code Protection
5.2.3 Periodic Evaluation of Not-at-Risk System Components | CTRL-833 Logging and Monitoring
5.2.3.1 Periodic Evaluations of System Components | CTRL-822 Malicious Code Protection
5.3.1 Automatic Anti-Malware Updates | CTRL-822 Malicious Code Protection
5.3.2 Anti-Malware Solution Functions | CTRL-822 Malicious Code Protection
5.3.2.1 Periodic Malware Scan Requirements | CTRL-822 Malicious Code Protection
5.3.3 Anti-Malware Solutions for Removable Media | CTRL-822 Malicious Code Protection
5.3.4 Anti-Malware Audit Log Compliance | CTRL-833 Logging and Monitoring
5.3.5 Strict Anti-Malware Policy | CTRL-9 Privileged User Accounts
5.4.1 Automated Anti-Phishing Mechanisms | CTRL-883 Spam and Phishing Protection
6.1.1 Maintaining Security Policies and Procedures | CTRL-190 Change Management and Software Development Life Cycle
6.1.2 Assigning Requirement 6 Responsibilities | CTRL-545 Position Descriptions
6.2.1 Secure Custom Software Development | CTRL-190 Change Management and Software Development Life Cycle
6.2.2 Annual Training for Software Developers | CTRL-253 Role-Based Training
6.2.3 Reviewing Custom Software Vulnerabilities | CTRL-190 Change Management and Software Development Life Cycle
6.2.3.1 Manual Code Review Process | CTRL-190 Change Management and Software Development Life Cycle
6.2.4 Preventing Software Attack Techniques | CTRL-190 Change Management and Software Development Life Cycle
6.3.1 Managing Security Vulnerabilities | CTRL-652 Vulnerability Management
6.3.2 Managing Software Inventory | CTRL-435 System Inventory
6.3.3 Implementing Security Patches/Updates | CTRL-652 Vulnerability Management
6.4.1 Securing Public-Facing Web Applications | CTRL-652 Vulnerability Management
6.4.2 Automated Web Attack Prevention | CTRL-652 Vulnerability Management
6.4.3 Managing Payment Page Scripts | CTRL-190 Change Management and Software Development Life Cycle
6.5.1 System Change Management Procedures | CTRL-190 Change Management and Software Development Life Cycle
6.5.2 PCI DSS Requirements Post Significant Change | CTRL-190 Change Management and Software Development Life Cycle
6.5.3 Separating Pre-Production Environments | CTRL-198 Network Segmentation
6.5.4 Separating Roles for Accountability | CTRL-65 Separation of Duties
6.5.5 PAN Usage in Pre-Production Environments | CTRL-1186 Sensitive Data in Non-Production Environments
6.5.6 Pre-Production System Cleanup | CTRL-190 Change Management and Software Development Life Cycle
7.1.1 Maintaining Security Policies and Procedures | CTRL-1 Access Control Policy and Procedures
7.1.2 Assigning Requirement 7 Responsibilities | CTRL-545 Position Descriptions
7.2.1 Defining Access Control Model | CTRL-1 Access Control Policy and Procedures
7.2.2 User Access Based on Job | CTRL-9 Privileged User Accounts
7.2.3 Approving Required Privileges | CTRL-16 Access Provisioning
7.2.4 Reviewing User Account Privileges | CTRL-73 Review of User Privileges
7.2.5 Managing System Access Privileges | CTRL-9 Privileged User Accounts
7.2.5.1 Reviewing System Access Privileges | CTRL-73 Review of User Privileges
7.2.6 Restrictions on Cardholder Data Access | CTRL-9 Privileged User Accounts
7.3.1 User-Based Access Control System | CTRL-16 Access Provisioning
7.3.2 Access Control System Configuration | CTRL-23 Role-Based Access Control
7.3.3 Default Setting: Deny All | CTRL-16 Access Provisioning
8.1.1 Maintaining Security Policies and Procedures | CTRL-319 Identification and Authentication
8.1.2 Assigning Requirement 8 Responsibilities | CTRL-545 Position Descriptions
8.2.1 Unique ID for System Access | CTRL-319 Identification and Authentication
8.2.2 Managing Shared Account Usage | CTRL-2 Shared and Temporary Accounts
8.2.3 Additional Requirement for Service Providers Only | CTRL-110 Remote Access
8.2.4 Managing User ID Modifications | CTRL-1 Access Control Policy and Procedures
8.2.5 Terminated Users Lose Access | CTRL-535 Access Termination
8.2.6 Inactive Accounts' 90-Day Removal | CTRL-535 Access Termination
8.2.7 Managing Third-Party Remote Access | CTRL-110 Remote Access
8.2.8 Re-authentication After Idle Time | CTRL-91 Session Termination
8.3.1 Multi-Factor Authentication Methods | CTRL-319 Identification and Authentication
8.3.2 Cryptography Secures System Components | CTRL-112 Encryption of Data at Rest and in Transit
8.3.3 Pre-Modification User Identity Verification | CTRL-319 Identification and Authentication
8.3.4 Limiting Invalid Authentication Attempts | CTRL-77 Unsuccessful Logon Attempts
8.3.5 Password Authentication Requirement Guidelines | CTRL-349 Password-Based Authentication
8.3.6 Password Complexity Requirements | CTRL-349 Password-Based Authentication
8.3.7 Password Reuse Restrictions | CTRL-349 Password-Based Authentication
8.3.8 User Authentication Policy Guidelines | CTRL-319 Identification and Authentication
8.3.9 Single-Factor Authentication Guidelines | CTRL-349 Password-Based Authentication
8.3.10 Additional Requirement for Service Providers Only | CTRL-349 Password-Based Authentication
8.3.10.1 Additional Requirement for Service Providers Only | CTRL-349 Password-Based Authentication
8.3.11 Secure User Authentication Measures | CTRL-319 Identification and Authentication
8.4.1 MFA Implementation for All Non-Console Access | CTRL-320 Multi-Factor Authentication
8.4.2 MFA Implementation in CDE | CTRL-320 Multi-Factor Authentication
8.4.3 MFA Implementation for Remote Access | CTRL-320 Multi-Factor Authentication
8.5.1 MFA System Implementation Guidelines | CTRL-320 Multi-Factor Authentication
8.6.1 Managing Interactive System Accounts | CTRL-1 Access Control Policy and Procedures
8.6.2 Avoid Hard-Coding Passwords | CTRL-349 Password-Based Authentication
8.6.3 Secure Password/Passphrase Management | CTRL-349 Password-Based Authentication
9.1.1 Maintaining Security Policies and Procedures | CTRL-546 Physical and Environmental Protection Policy and Procedures
9.1.2 Assigning Requirement 9 Responsibilities | CTRL-545 Position Descriptions
9.2.1 CDE Systems Access Control | CTRL-255 Physical Security Controls
9.2.1.1 Monitoring Physical Access to CDE | CTRL-255 Physical Security Controls
9.2.2 Implementing Network Jack Controls | CTRL-255 Physical Security Controls
9.2.3 Restricted Physical Access to Networks | CTRL-551 Physical Access Control
9.2.4 Restricted Console Access | CTRL-255 Physical Security Controls
9.3.1 Managing Personnel Physical Access | CTRL-546 Physical and Environmental Protection Policy and Procedures
9.3.1.1 Controlling Physical Access Protocol | CTRL-551 Physical Access Control
9.3.2 Managing Visitor Access Procedures | CTRL-546 Physical and Environmental Protection Policy and Procedures
9.3.3 Visitor Badge Deactivation Protocol | CTRL-255 Physical Security Controls
9.3.4 Maintaining Visitor Log Records | CTRL-255 Physical Security Controls
9.4.1 Securing Cardholder Data Media | CTRL-499 Media Access
9.4.1.1 Secure Offline Data Storage | CTRL-503 Media Storage
9.4.1.2 Annual Offline Media Security Review | CTRL-503 Media Storage
9.4.2 Classifying Cardholder Data Sensitivity | CTRL-896 Information Management and Retention
9.4.3 Securing Offsite Cardholder Data | CTRL-506 Media Transport
9.4.4 Management Approves Data Transfers | CTRL-506 Media Transport
9.4.5 Maintaining Electronic Media Inventory | CTRL-435 System Inventory
9.4.5.1 Annual Electronic Data Inventory | CTRL-435 System Inventory
9.4.6 Secure Destruction of Cardholder Data | CTRL-511 Media Sanitization and Disposal
9.4.7 Destroying Unneeded Cardholder Data | CTRL-511 Media Sanitization and Disposal
9.5.1 Securing Payment Card Devices | CTRL-556 Tamper Protection
9.5.1.1 POI Device Inventory Management | CTRL-435 System Inventory
9.5.1.2 Periodic Inspection of POI Devices | CTRL-556 Tamper Protection
9.5.1.2.1 Frequency of Periodic POI Device Inspections | CTRL-646 Risk Assessment
9.5.1.3 POI Device Tampering Prevention Training | CTRL-253 Role-Based Training
10.1.1 Maintaining Security Policies and Procedures | CTRL-431 Information Security Policy and Procedures
10.1.2 Assigning Requirement 10 Responsibilities | CTRL-545 Position Descriptions
10.2.1 Audit Logs Activated System-Wide | CTRL-833 Logging and Monitoring
10.2.1.1 Audit Logs Track Access | CTRL-833 Logging and Monitoring
10.2.1.2 Audit Logs Track Actions | CTRL-833 Logging and Monitoring
10.2.1.3 Audit Logs Access Tracking | CTRL-833 Logging and Monitoring
10.2.1.4 Audit Logs Track Invalid Access | CTRL-833 Logging and Monitoring
10.2.1.5 Audit Logs Track Credential Changes | CTRL-833 Logging and Monitoring
10.2.1.6 Audit Logs' Functions Overview | CTRL-833 Logging and Monitoring
10.2.1.7 Tracking System-Level Object Changes | CTRL-833 Logging and Monitoring
10.2.2 Audit Logs' Recorded Details | CTRL-833 Logging and Monitoring
10.3.1 Limited Audit Log Access | CTRL-9 Privileged User Accounts
10.3.2 Audit Log Files Protection | CTRL-833 Logging and Monitoring
10.3.3 Secure Backup of Audit Logs | CTRL-300 System Backup
10.3.4 Securing Audit Log Integrity | CTRL-833 Logging and Monitoring
10.4.1 Daily Audit Log Review | CTRL-833 Logging and Monitoring
10.4.1.1 Automated Audit Log Reviews | CTRL-833 Logging and Monitoring
10.4.2 Periodic Review of System Logs | CTRL-833 Logging and Monitoring
10.4.2.1 Periodic Log Review Frequency | CTRL-833 Logging and Monitoring
10.4.3 Addressing Review Anomalies | CTRL-833 Logging and Monitoring
10.5.1 Audit Log Retention Guidelines | CTRL-833 Logging and Monitoring
10.6.1 System Clock Synchronization Technology | CTRL-1063 Synchronization
10.6.2 Configuring System Time Consistency | CTRL-1063 Synchronization
10.6.3 Securing Time Synchronization Settings | CTRL-1063 Synchronization
10.7.1 Additional Requirement for Service Providers Only | CTRL-833 Logging and Monitoring
10.7.2 Managing Security Control Failures | CTRL-149 Control Assessments
10.7.3 Prompt Response to Security Failures | CTRL-149 Control Assessments
11.1.1 Maintaining Security Policy Requirements | CTRL-932 System Protection Policy and Procedures
11.1.2 Assigning Requirement 11 Responsibilities | CTRL-545 Position Descriptions
11.2.1 Managing Wireless Access Points | CTRL-121 Wireless Network
11.2.2 Maintaining Authorized Wireless Inventory | CTRL-435 System Inventory
11.3.1 Internal Vulnerability Scan Procedures | CTRL-652 Vulnerability Management
11.3.1.1 Managing Non-Critical Vulnerabilities | CTRL-652 Vulnerability Management
11.3.1.2 Authenticated Internal Vulnerability Scans | CTRL-652 Vulnerability Management
11.3.1.3 Conducting Internal Vulnerability Scans | CTRL-652 Vulnerability Management
11.3.2 Quarterly External Vulnerability Scans | CTRL-652 Vulnerability Management
11.3.2.1 Managing External Vulnerability Scans | CTRL-652 Vulnerability Management
11.4.1 Implementing Penetration Testing Methodology | CTRL-174 Penetration Testing
11.4.2 Internal Penetration Testing Guidelines | CTRL-174 Penetration Testing
11.4.3 External Penetration Testing Guidelines | CTRL-174 Penetration Testing
11.4.4 Correcting Penetration Testing Vulnerabilities | CTRL-652 Vulnerability Management
11.4.5 Segmentation Penetration Testing Guidelines | CTRL-174 Penetration Testing
11.4.6 Additional Requirement for Service Providers Only | CTRL-174 Penetration Testing
11.4.7 Additional Requirement for Multi-Tenant Service Providers Only | CTRL-174 Penetration Testing
11.5.1 Network Intrusion Detection/Prevention Techniques | CTRL-833 Logging and Monitoring
11.5.1.1 Additional Requirement for Service Providers Only | CTRL-833 Logging and Monitoring
11.5.2 Deploying Change-Detection Mechanisms | CTRL-833 Logging and Monitoring
11.6.1 Implementing Tamper-Detection Mechanism | CTRL-833 Logging and Monitoring
12.1.1 Implementing Information Security Policy | CTRL-431 Information Security Policy and Procedures
12.1.2 Annual Information Security Policy | CTRL-431 Information Security Policy and Procedures
12.1.3 Defining Information Security Responsibilities | CTRL-431 Information Security Policy and Procedures
12.1.4 Assigning Information Security Responsibility | CTRL-432 Information Security Program Leadership Role
12.2.1 Implementing End-User Technology Policies | CTRL-539 Access Agreements
12.3.1 Risk Analysis | CTRL-646 Risk Assessment
12.3.3 Annual Cryptographic Protocol Review | CTRL-435 System Inventory
12.3.4 Annual Technology Review Process | CTRL-1109 Supplier Assessments and Reviews
12.4.1 Additional Requirement for Service Providers Only | CTRL-432 Information Security Program Leadership Role
12.4.2 Additional Requirement for Service Providers Only | CTRL-1127 Performance Reviews
12.4.2.1 Additional Requirement for Service Providers Only | CTRL-1109 Supplier Assessments and Reviews
12.5.1 Maintaining PCI DSS Inventory | CTRL-435 System Inventory
12.5.2 Annual PCI DSS Scoping Validation | CTRL-149 Control Assessments
12.5.2.1 Biannual PCI DSS Scoping Validation (Service Providers Only) | CTRL-149 Control Assessments
12.5.3 Organizational Structure Change Review (Service Providers Only) | CTRL-149 Control Assessments
12.6.1 Implementing Security Awareness Program | CTRL-245 Security and Privacy Awareness Training
12.6.2 Annual Security Awareness Program | CTRL-245 Security and Privacy Awareness Training
12.6.3 Annual Security Awareness Training | CTRL-245 Security and Privacy Awareness Training
12.6.3.1 Security Awareness Training Essentials | CTRL-245 Security and Privacy Awareness Training
12.6.3.2 Security Awareness Training Requirements | CTRL-245 Security and Privacy Awareness Training
12.7.1 Pre-Hire Screening for CDE Access | CTRL-530 Personnel Screening
12.8.1 Third-Party Service Providers List | CTRL-1109 Supplier Assessments and Reviews
12.8.2 Maintaining TPSP Security Agreements | CTRL-539 Access Agreements
12.8.3 Implementing TPSP Engagement Process | CTRL-1094 Third-Party Risk Management Policy and Procedures
12.8.4 Annual TPSPs' PCI DSS Monitoring | CTRL-1094 Third-Party Risk Management Policy and Procedures
12.8.5 Managing PCI DSS Requirements | CTRL-1094 Third-Party Risk Management Policy and Procedures
12.9.1 Additional Requirement for Service Providers Only | CTRL-1129 Third-Party Agreements
12.9.2 Additional Requirement for Service Providers Only | CTRL-1094 Third-Party Risk Management Policy and Procedures
12.10.1 Comprehensive Security Incident Plan | CTRL-423 Incident Response Plan
12.10.2 Annual Security Plan Review | CTRL-423 Incident Response Plan
12.10.3 24/7 Security Incident Response | CTRL-423 Incident Response Plan
12.10.4 Training for Security Incident Responders | CTRL-253 Role-Based Training
12.10.4.1 Periodic Training Frequency Determination | CTRL-423 Incident Response Plan
12.10.5 Security Incident Response Plan | CTRL-423 Incident Response Plan
12.10.6 Updating Security Response Plan | CTRL-423 Incident Response Plan
12.10.7 Managing Unexpected PAN Detection | CTRL-423 Incident Response Plan
A1.1.1 Multi-tenant Service Providers Protect and Separate Data | CTRL-198 Network Segmentation
A1.1.2 Multi-tenant Service Providers Protect and Separate Data | CTRL-198 Network Segmentation
A1.1.3 Multi-tenant Service Providers Protect and Separate Data | CTRL-198 Network Segmentation
A1.1.4 Multi-tenant Service Providers Protect and Separate Data | CTRL-198 Network Segmentation
A1.2.1 Multi-tenant Service Providers Facilitate Logging and Incident Response | CTRL-833 Logging and Monitoring
A1.2.2 Multi-tenant Service Providers Facilitate Logging and Incident Response | CTRL-423 Incident Response Plan
A1.2.3 Multi-tenant Service Providers Facilitate Logging and Incident Response | CTRL-423 Incident Response Plan
A2.1.1 Securing POS POI Terminals | CTRL-194 Cryptography Management
A2.1.2 Additional Requirement for Service Providers Only | CTRL-194 Cryptography Management
A2.1.3 Additional Requirement for Service Providers Only | CTRL-1094 Third-Party Risk Management Policy and Procedures
AC-01-PCIv3 Access Control Policy and Procedures | CTRL-1 Access Control Policy and Procedures
AC-02-PCIv3 User Account Management | CTRL-1 Access Control Policy and Procedures
AC-02(03)-PCIv3 Disable Accounts | CTRL-535 Access Termination
AC-02(11)-PCIv3 Unique IDs | CTRL-319 Identification and Authentication
AC-03-PCIv3 Role-based Access Controls (RBAC) | CTRL-23 Role-Based Access Control
AC-05-PCIv3 Separation of Duties | CTRL-65 Separation of Duties
AC-06-PCIv3 Least Privilege Access | CTRL-23 Role-Based Access Control
AC-06(07)-PCIv3 Review of Access Privileges | CTRL-73 Review of User Privileges
AC-07-PCIv3 Unsuccessful Logon Attempts | CTRL-77 Unsuccessful Logon Attempts
AC-11-PCIv3 Device Lock and Session Timeouts | CTRL-91 Session Termination
AC-17-PCIv3 Remote Access | CTRL-110 Remote Access
AC-18-PCIv3 Wireless Access | CTRL-121 Wireless Network
AT-01-PCIv3 Awareness and Training Policy and Procedures | CTRL-245 Security and Privacy Awareness Training
AT-02-PCIv3 Security Awareness and Privacy Training | CTRL-245 Security and Privacy Awareness Training
AT-03-PCIv3 Role-based Training | CTRL-245 Security and Privacy Awareness Training
AT-04-PCIv3 Training Records | CTRL-245 Security and Privacy Awareness Training
AU-01-PCIv3 Audit and Accountability Policy and Procedures | CTRL-814 System Integrity Policy and Procedures
AU-02-PCIv3 Event Logging in IT Systems | CTRL-833 Logging and Monitoring
AU-03-PCIv3 Informative Log Content | CTRL-833 Logging and Monitoring
AU-05-PCIv3 Response to Audit Logging Process Failures | CTRL-833 Logging and Monitoring
AU-06-PCIv3 Log Review and Reporting | CTRL-833 Logging and Monitoring
AU-08-PCIv3 Time Stamps | CTRL-1063 Synchronization
AU-09-PCIv3 Protection of Audit Information | CTRL-833 Logging and Monitoring
AU-09(02)-PCIv3 Store on Separate Physical Systems or Components | CTRL-283 Alternate Storage Site
AU-09(06)-PCIv3 Read-only Access to Audit Logs | CTRL-9 Privileged User Accounts
AU-11-PCIv3 Audit Record Retention | CTRL-896 Information Management and Retention
CA-01-PCIv3 Assessment, Authorization, and Monitoring Policy and Procedures | CTRL-814 System Integrity Policy and Procedures
CA-02-PCIv3 Control Assessments | CTRL-149 Control Assessments
CA-03-PCIv3 Third-Party Agreements | CTRL-1129 Third-Party Agreements
CA-07-PCIv3 Continuous Monitoring | CTRL-167 Continuous Monitoring
CA-08-PCIv3 Penetration Testing | CTRL-174 Penetration Testing
CM-01-PCIv3 Configuration and Change Management Policy and Procedures | CTRL-262 Change Management and Software Development Policy and Procedures
CM-03-PCIv3 Configuration Management | CTRL-190 Change Management and Software Development Life Cycle
CM-03(02)-PCIv3 Testing, Validation, and Documentation of Changes | CTRL-190 Change Management and Software Development Life Cycle
CM-04-PCIv3 Impact Analyses | CTRL-190 Change Management and Software Development Life Cycle
CM-04(01)-PCIv3 Separate Environments | CTRL-190 Change Management and Software Development Life Cycle
CM-04(02)-PCIv3 Verification of Controls | CTRL-190 Change Management and Software Development Life Cycle
CM-06-PCIv3 System Hardening through Baseline Configurations | CTRL-208 Configuration Management
CM-06(01)-PCIv3 Automated Management, Application, and Verification | CTRL-208 Configuration Management
CM-07-PCIv3 Least Functionality | CTRL-118 Network Protocols
CM-08-PCIv3 Asset Inventory | CTRL-435 System Inventory
IA-01-PCIv3 Identification and Authentication Policy and Procedures | CTRL-319 Identification and Authentication
IA-02-PCIv3 Internal Users Identification and Authentication | CTRL-319 Identification and Authentication
IA-05-PCIv3 Password Management | CTRL-349 Password-Based Authentication
IA-08-PCIv3 External Users Identification and Authentication | CTRL-319 Identification and Authentication
IR-01-PCIv3 Incident Response Policy and Procedures | CTRL-423 Incident Response Plan
IR-02-PCIv3 Incident Response Training | CTRL-23 Role-Based Access Control
IR-03-PCIv3 Incident Response Testing | CTRL-23 Role-Based Access Control
IR-04-PCIv3 Incident Handling and Reporting | CTRL-423 Incident Response Plan
IR-08-PCIv3 Incident Response Plan | CTRL-423 Incident Response Plan
IR-09-PCIv3 CHD Information Spillage | CTRL-423 Incident Response Plan
MP-01-PCIv3 Media Protection Policy and Procedures | CTRL-498 Media Protection Policy and Procedures
MP-02-PCIv3 Media Access | CTRL-499 Media Access
MP-03-PCIv3 Media Marking | CTRL-502 Media Marking
MP-04-PCIv3 Media Storage | CTRL-506 Media Transport
MP-05-PCIv3 Media Transport | CTRL-506 Media Transport
MP-06-PCIv3 Media Sanitization | CTRL-511 Media Sanitization and Disposal
PE-01-PCIv3 Physical and Environmental Policy and Procedures | CTRL-546 Physical and Environmental Protection Policy and Procedures
PE-02-PCIv3 Physical Access Authorizations | CTRL-551 Physical Access Control
PE-02(01)-PCIv3 Access by Position or Role | CTRL-551 Physical Access Control
PE-03-PCIv3 Physical Access Control | CTRL-255 Physical Security Controls
PE-06-PCIv3 Monitoring Physical Access | CTRL-423 Incident Response Plan
PE-06(03)-PCIv3 Video Surveillance | CTRL-255 Physical Security Controls
PE-08-PCIv3 Visitor Access Records | CTRL-255 Physical Security Controls
PL-01-PCIv3 Planning Policy and Procedures | CTRL-263 Contingency Planning Policy and Procedures
PL-04-PCIv3 Rules of Behavior | CTRL-539 Access Agreements
PM-01-PCIv3 Information Security Program Management Policy and Procedures | CTRL-431 Information Security Policy and Procedures
PM-02-PCIv3 Information Security Program Leadership Roles | CTRL-432 Information Security Program Leadership Role
PM-07-PCIv3 Network Architecture and Dataflow Diagrams | CTRL-198 Network Segmentation
PM-09-PCIv3 Risk Management Program and Strategy | CTRL-643 Risk Assessment Policy and Procedures
PS-01-PCIv3 Personnel Security Policy and Procedures | CTRL-528 Personnel Security Policy and Procedures
PS-02-PCIv3 Security Job and Risk Descriptions | CTRL-545 Position Descriptions
PS-03-PCIv3 Personnel Screening | CTRL-530 Personnel Screening
PS-04-PCIv3 Personnel Termination | CTRL-535 Access Termination
RA-01-PCIv3 Risk Assessment Policy and Procedures | CTRL-643 Risk Assessment Policy and Procedures
RA-03-PCIv3 Risk Assessment | CTRL-646 Risk Assessment
RA-05-PCIv3 Vulnerability Monitoring and Scanning | CTRL-652 Vulnerability Management
SA-01-PCIv3 System Development Life Cycle (SDLC) Policy and Procedures | CTRL-262 Change Management and Software Development Policy and Procedures
SA-03-PCIv3 System Development Life Cycle | CTRL-190 Change Management and Software Development Life Cycle
SA-03(02)-PCIv3 Use of Live or Operational Data | CTRL-1186 Sensitive Data in Non-Production Environments
SA-08-PCIv3 Security and Privacy Engineering Principles | CTRL-190 Change Management and Software Development Life Cycle
SA-09-PCIv3 External System Services | CTRL-1094 Third-Party Risk Management Policy and Procedures
SA-11-PCIv3 Developer Testing and Evaluation | CTRL-190 Change Management and Software Development Life Cycle
SA-11(04)-PCIv3 Manual Code Reviews | CTRL-190 Change Management and Software Development Life Cycle
SC-01-PCIv3 System Protection Policy and Procedures | CTRL-932 System Protection Policy and Procedures
SC-07-PCIv3 Boundary Protection and Firewalls | CTRL-950 Boundary Protection
SC-07(05)-PCIv3 Deny by Default; Allow by Exception | CTRL-950 Boundary Protection
SC-07(08)-PCIv3 Route Traffic to Authenticated Proxy Servers | CTRL-950 Boundary Protection
SC-07(11)-PCIv3 Restrict Incoming Communications Traffic | CTRL-950 Boundary Protection
SC-07(12)-PCIv3 Personal Firewalls | CTRL-950 Boundary Protection
SC-08-PCIv3 Transmission Confidentiality and Integrity | CTRL-112 Encryption of Data at Rest and in Transit
SC-08(01)-PCIv3 Cryptographic Protection (Transmission) | CTRL-112 Encryption of Data at Rest and in Transit
SC-12-PCIv3 Cryptographic Key Establishment and Management | CTRL-194 Cryptography Management
SC-13-PCIv3 Cryptographic Protection | CTRL-923 Removal of Direct Identifiers
SC-45-PCIv3 System Time Synchronization | CTRL-1063 Synchronization
SC-45(01)-PCIv3 Synchronization with Authoritative Time Source | CTRL-1063 Synchronization
SI-01-PCIv3 System Integrity Policy and Procedures | CTRL-814 System Integrity Policy and Procedures
SI-02-PCIv3 Flaw Remediation and Patch Management | CTRL-652 Vulnerability Management
SI-03-PCIv3 Malware and Endpoint Protection | CTRL-833 Logging and Monitoring
SI-04-PCIv3 System Monitoring | CTRL-833 Logging and Monitoring
SI-04(14)-PCIv3 Wireless Intrusion Detection | CTRL-833 Logging and Monitoring
SI-12-PCIv3 Data Handling, Retention, and Disposal | CTRL-896 Information Management and Retention
SI-19-PCIv3 De-identification | CTRL-923 Removal of Direct Identifiers
SR-01-PCIv3 Third-Party Risk Management Policy and Procedures | CTRL-1094 Third-Party Risk Management Policy and Procedures
SR-10-PCIv3 Inspection of Systems or Components | CTRL-556 Tamper Protection

Viewing Framework Controls in Thoropass

You can view the framework requirements satisfied by a Unified Control by clicking References on the side panel when viewing the Unified Control.

The IDs and names of all framework controls satisfied by the Unified Control are listed by framework. Click a framework control to view its description.