Home/Compliance
pci-dss-4

PCI-DSS v4.0. Security Controls

75 controls · cross-mapped to ATT&CK techniques
Translate between regulatory language and what attackers actually do. Each control maps to MITRE ATT&CK techniques; open a control to see those techniques and whether we hold detection coverage for them.
NIST 800-53 (1246)NIST CSF (106)ISO 27001:2022 (93)PCI-DSS v4.0 (75)CIS v8.1 (62)CRI Profile (60)CSA CCM v4 (57)SOC 2 TSC (57)OWASP API (10)OWASP Mobile (10)OWASP Web (10)
Audit answer: every control + the techniques it defends + what you can detect (exportable)
▤ Generate threat-informed coverage report
⇄ Self-assessment: pick what you have, see your coverage

Controls

75 shown of 75
1
Install and Maintain Network Security Controls
high
family Network Security framework pci-dss-4
1.1
Processes and mechanisms for installing and maintaining network security controls are defined and understood
high
family Network Security framework pci-dss-4
1.2
Network security controls (NSCs) are configured and maintained
high
family Network Security framework pci-dss-4
1.3
Network access to and from the cardholder data environment is restricted
high
family Network Security framework pci-dss-4
1.4
Network connections between trusted and untrusted networks are controlled
high
family Network Security framework pci-dss-4
1.5
Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated
high
family Network Security framework pci-dss-4
10
Log and Monitor All Access to System Components and Cardholder Data
high
family Audit Logging framework pci-dss-4
10.1
Processes and mechanisms for logging and monitoring all access to system components and cardholder data are defined and documented
high
family Audit Logging framework pci-dss-4
10.2
Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events
high
family Audit Logging framework pci-dss-4
10.3
Audit logs are protected from destruction and unauthorized modifications
high
family Audit Logging framework pci-dss-4
10.4
Audit logs are reviewed to identify anomalies or suspicious activity
high
family Audit Logging framework pci-dss-4
10.5
Retain audit log history for at least 12 months
high
family Audit Logging framework pci-dss-4
10.6
Time-synchronization mechanisms support consistent time settings across all systems
high
family Audit Logging framework pci-dss-4
10.7
Failures of critical security controls are detected, reported, and responded to promptly
high
family Audit Logging framework pci-dss-4
11
Test Security of Systems and Networks Regularly
high
family Security Testing framework pci-dss-4
11.1
Processes and mechanisms for regularly testing security of systems and networks are defined and understood
high
family Security Testing framework pci-dss-4
11.2
Wireless access points are identified and monitored
high
family Security Testing framework pci-dss-4
11.3
External and internal vulnerabilities are regularly identified, prioritized, and addressed
high
family Security Testing framework pci-dss-4
11.4
External and internal penetration testing is regularly performed
high
family Security Testing framework pci-dss-4
11.5
Network intrusions and unexpected file changes are detected and responded to
high
family Security Testing framework pci-dss-4
11.6
Unauthorized changes on payment pages are detected and responded to
high
family Security Testing framework pci-dss-4
12
Support Information Security with Organizational Policies and Programs
high
family Security Policy framework pci-dss-4
12.1
A comprehensive information security policy that governs and provides direction for protection of the entity's information assets is known and current
high
family Security Policy framework pci-dss-4
12.10
Suspected and confirmed security incidents that could impact the CDE are responded to immediately
high
family Security Policy framework pci-dss-4
12.2
Acceptable use policies for end-user technologies are defined and implemented
high
family Security Policy framework pci-dss-4
12.3
Risks to the cardholder data environment are formally identified, evaluated, and managed
high
family Security Policy framework pci-dss-4
12.4
PCI DSS compliance is managed throughout the year
high
family Security Policy framework pci-dss-4
12.5
PCI DSS scope is documented and validated
high
family Security Policy framework pci-dss-4
12.6
Security awareness education is an ongoing activity
high
family Security Policy framework pci-dss-4
12.7
Personnel are screened to reduce risks from insider threats
high
family Security Policy framework pci-dss-4
12.8
Risk to information assets associated with third-party service provider (TPSP) relationships is managed
high
family Security Policy framework pci-dss-4
12.9
Third-party service providers (TPSPs) support their customers' PCI DSS compliance
high
family Security Policy framework pci-dss-4
2
Apply Secure Configurations to All System Components
high
family Secure Configurations framework pci-dss-4
2.1
Processes and mechanisms for applying secure configurations are defined and understood
high
family Secure Configurations framework pci-dss-4
2.2
System components are configured and managed securely
high
family Secure Configurations framework pci-dss-4
2.3
Wireless environments are configured and managed securely
high
family Secure Configurations framework pci-dss-4
3
Protect Stored Account Data
high
family Account Data Protection framework pci-dss-4
3.1
Processes and mechanisms for protecting stored account data are defined and understood
high
family Account Data Protection framework pci-dss-4
3.2
Storage of account data is kept to a minimum
high
family Account Data Protection framework pci-dss-4
3.3
Sensitive authentication data (SAD) is not stored after authorization
high
family Account Data Protection framework pci-dss-4
3.4
Access to displays of full PAN and ability to copy cardholder data are restricted
high
family Account Data Protection framework pci-dss-4
3.5
Primary account number (PAN) is secured wherever it is stored
high
family Account Data Protection framework pci-dss-4
3.6
Cryptographic keys used to protect stored account data are secured
high
family Account Data Protection framework pci-dss-4
3.7
Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented
high
family Account Data Protection framework pci-dss-4
4
Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks
high
family Cryptography in Transit framework pci-dss-4
4.1
Processes and mechanisms for protecting cardholder data with strong cryptography during transmission over open, public networks are defined and documented
high
family Cryptography in Transit framework pci-dss-4
4.2
PAN is protected with strong cryptography during transmission
high
family Cryptography in Transit framework pci-dss-4
5
Protect All Systems and Networks from Malicious Software
high
family Malware Protection framework pci-dss-4
5.1
Processes and mechanisms for protecting all systems and networks from malicious software are defined and understood
high
family Malware Protection framework pci-dss-4
5.2
Malicious software (malware) is prevented, or detected and addressed
high
family Malware Protection framework pci-dss-4
5.3
Anti-malware mechanisms and processes are active, maintained, and monitored
high
family Malware Protection framework pci-dss-4
5.4
Anti-phishing mechanisms protect users against phishing attacks
high
family Malware Protection framework pci-dss-4
6
Develop and Maintain Secure Systems and Software
high
family Secure Development framework pci-dss-4
6.1
Processes and mechanisms for developing and maintaining secure systems and software are defined and understood
high
family Secure Development framework pci-dss-4
6.2
Bespoke and custom software are developed securely
high
family Secure Development framework pci-dss-4
6.3
Security vulnerabilities are identified and addressed
high
family Secure Development framework pci-dss-4
6.4
Public-facing web applications are protected against attacks
high
family Secure Development framework pci-dss-4
6.5
Changes to all system components are managed securely
high
family Secure Development framework pci-dss-4
7
Restrict Access to System Components and Cardholder Data by Business Need to Know
high
family Access Control framework pci-dss-4
7.1
Processes and mechanisms for restricting access to system components and cardholder data by business need to know are defined and understood
high
family Access Control framework pci-dss-4
7.2
Access to system components and data is appropriately defined and assigned
high
family Access Control framework pci-dss-4
7.3
Access to system components and data is managed via an access control system(s)
high
family Access Control framework pci-dss-4
8
Identify Users and Authenticate Access to System Components
high
family Identity & Authentication framework pci-dss-4
8.1
Processes and mechanisms for identifying users and authenticating access to system components are defined and understood
high
family Identity & Authentication framework pci-dss-4
8.2
User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle
high
family Identity & Authentication framework pci-dss-4
8.3
User authentication for users and administrators is established and managed
high
family Identity & Authentication framework pci-dss-4
8.4
Multi-factor authentication (MFA) is implemented to secure access into the CDE
high
family Identity & Authentication framework pci-dss-4
8.5
Multi-factor authentication (MFA) systems are configured to prevent misuse
high
family Identity & Authentication framework pci-dss-4
8.6
Use of application and system accounts and associated authentication factors is strictly managed
high
family Identity & Authentication framework pci-dss-4
9
Restrict Physical Access to Cardholder Data
high
family Physical Security framework pci-dss-4
9.1
Processes and mechanisms for restricting physical access to cardholder data are defined and understood
high
family Physical Security framework pci-dss-4
9.2
Physical access controls manage entry into facilities and systems containing cardholder data
high
family Physical Security framework pci-dss-4
9.3
Physical access for personnel and visitors is authorized and managed
high
family Physical Security framework pci-dss-4
9.4
Media with cardholder data is securely stored, accessed, distributed, and destroyed
high
family Physical Security framework pci-dss-4
9.5
Point of interaction (POI) devices are protected from tampering and unauthorized substitution
high
family Physical Security framework pci-dss-4
Showing 1-75 of 75
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin