| Requirement | Date |
| --- | --- |
| 12.3.9 Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use | February 26, 2023 |
| 12.3.8 Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity | February 26, 2023 |
| 12.3.7 List of company-approved products | February 26, 2023 |
| 12.3.6 Acceptable network locations for the technologies | February 26, 2023 |
| 12.3.5 Acceptable uses of the technology | February 26, 2023 |
| 12.3.4 A method to accurately and readily determine owner, contact information, and purpose (for example, labeling, coding, and/or inventorying of devices) | February 26, 2023 |
| 12.3.3 A list of all such devices and personnel with access | February 26, 2023 |
| 12.3.2 Authentication for use of the technology | February 26, 2023 |
| 12.3.1 Explicit approval by authorized parties | February 26, 2023 |
| 12.3 Develop usage policies for critical technologies and define proper use of these technologies | February 26, 2023 |
| 12.2 Implement a risk-assessment process that: | February 26, 2023 |
| 12.1.1 Review the security policy at least annually and update the policy when the environment changes | February 26, 2023 |
| 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following: | February 9, 2023 |
| 12.1 Establish, publish, maintain, and disseminate a security policy | February 20, 2023 |
| Requirement 12: Maintain a policy that addresses information security for all personnel | February 20, 2023 |
| 11.6 Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties | February 20, 2023 |
| 11.5.1 Implement a process to respond to any alerts generated by the change-detection solution | February 20, 2023 |
| 11.5 Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification | February 20, 2023 |
| 11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points | February 20, 2023 |
| 11.3.4.1 Additional requirement for service providers only: If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods | February 20, 2023 |
| 11.3.4 If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify | February 20, 2023 |
| 11.3.3 Exploitable vulnerabilities found during penetration testing are corrected and testing is repeated to verify the corrections | February 20, 2023 |
| 11.3.2 Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification | February 20, 2023 |
| 11.3.1 Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification | February 20, 2023 |
| 11.3 Implement a methodology for penetration testing that includes the following: | February 20, 2023 |
| 11.2.3 Perform internal and external scans, and rescans as needed, after any significant change. Scans must be performed by qualified personnel | February 20, 2023 |
| 11.2.2 Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved | February 20, 2023 |
| 11.2.1 Perform quarterly internal vulnerability scans. Address vulnerabilities and perform rescans to verify all “high risk” vulnerabilities are resolved in accordance with the entity’s vulnerability ranking (per Requirement 6.1) | February 20, 2023 |
| 11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades) | February 20, 2023 |
| 11.1.2 Implement incident response procedures in the event unauthorized wireless access points are detected | February 20, 2023 |