{"id": "pcidss_4_ocp4", "policy": "PCI-DSS", "title": "Payment Card Industry - Data Security Standard (PCI-DSS)", "source": "https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf", "definition_location": "/aptdata/openscap/scap-security-guide/controls/pcidss_4_ocp4.yml", "controls": [{"id": "1.1.1", "levels": ["base"], "notes": "Examine documentation and interview personnel to verify that security policies and\noperational procedures identified in Requirement 1 are managed in accordance with all\nelements specified in this requirement.", "title": "All security policies and operational procedures that are identified in Requirement 1 are Documented, Kept up to date, In use and Known to all affected parties.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.1.2", "levels": ["base"], "notes": "Examine documentation and interview personnel to verify that day-to-day responsibilities\nfor performing all the activities in Requirement 1 are documented, assigned and understood\nby the assigned personnel.", "title": "Roles and responsibilities for performing activities in Requirement 1 are documented, assigned, and understood.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.1", "levels": ["base"], "notes": "", "title": "Processes and mechanisms for installing and maintaining network security controls are defined and understood.", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["1.1.1", "1.1.2"]}, {"id": "1.2.1", "levels": ["base"], "notes": "Examples of NSCs covered by these configuration standards include, but are not limited to,\nfirewalls, routers configured with access control lists, and cloud virtual networks. The\nobjective of this requirement is to ensure the way that NSCs are configured and operate\nare defined and consistently applied. While the tooling and standards can be automated,\nthe review of allowed accesses should be manual as different sites may have different\npolicies.", "title": "Configuration standards for NSC rulesets are Defined, Implemented and Maintained.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.2.2", "levels": ["base"], "notes": "Changes to network connections and NSCs cannot result in misconfiguration, implementation\nof insecure services, or unauthorized network connections. Changes to network connections\ninclude the addition, removal, or modification of a connection. Changes to NSC\nconfigurations include those related to the component itself as well as those affecting\nhow it performs its security function. A formal change control process should be in place.", "title": "All changes to network connections and to configurations of NSCs are approved and managed in accordance with the change control process defined at Requirement 6.5.1.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.2.3", "levels": ["base"], "notes": "A representation of the boundaries between the CDE, all trusted networks, and all\nuntrusted networks, is maintained and available. A current network diagram(s) or other\ntechnical or topological solution that identifies network connections and devices can be\nused to meet this requirement.", "title": "An accurate network diagram(s) is maintained that shows all connections between the CDE and other networks, including any wireless networks.", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.2.4", "levels": ["base"], "notes": "", "title": "An accurate data-flow diagram(s) is maintained", "description": "An accurate data-flow diagram(s) is maintained that meets the following:\n  - Shows all account data flows across systems and networks\n  - Updated as needed upon changes to the environment", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.2.5", "levels": ["base"], "notes": "", "title": "All services, protocols, and ports allowed are identified, approved, and have a defined business need.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.2.6", "levels": ["base"], "notes": "The specific risks associated with the use of insecure services,\nprotocols, and ports are understood, assessed, and appropriately\nmitigated.", "title": "Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.2.7", "levels": ["base"], "notes": "", "title": "Configurations of NSCs are reviewed at least once every six months to confirm they are relevant and effective.", "description": "NSC configurations that allow or restrict access to trusted networks are verified\nperiodically to ensure that only authorized connections with a current business\njustification are permitted.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.2.8", "levels": ["base"], "notes": "", "title": "Configuration files for NSCs are secured from unauthorized access and kept consistent with active network configurations.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.2", "levels": ["base"], "notes": "", "title": "Network Security Controls (NSCs) are configured and maintained.", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["1.2.1", "1.2.2", "1.2.3", "1.2.4", "1.2.5", "1.2.6", "1.2.7", "1.2.8"]}, {"id": "1.3.1", "levels": ["base"], "notes": "", "title": "Inbound traffic to the CDE is restricted to only traffic that is necessary", "description": "Inbound traffic to the CDE is restricted as follows:\n- To only traffic that is necessary.\n- All other traffic is specifically denied.", "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.3.2", "levels": ["base"], "notes": "It appears there is no rule in the project to restrict outbound traffic on the firewall.\nPerhaps a rule to automates this would do more harm than good. Probably a manual\nassessment is more reasonable here.", "title": "Outbound traffic from the CDE is restricted to only traffic that is necessary", "description": "Outbound traffic from the CDE is restricted as follows:\n- To only traffic that is necessary.\n- All other traffic is specifically denied.", "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.3.3", "levels": ["base"], "notes": "", "title": "NSCs are installed between all wireless networks and the CDE, regardless of whether the wireless network is a CDE.", "description": "NSCs are installed between all wireless networks and the CDE, regardless of whether the\nwireless network is a CDE, such that:\n- All wireless traffic from wireless networks into the CDE is denied by default.\n- Only wireless traffic with an authorized business purpose is allowed into the CDE.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.3", "levels": ["base"], "notes": "", "title": "Network access to and from the cardholder data environment is restricted.", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["1.3.1", "1.3.2", "1.3.3"]}, {"id": "1.4.1", "levels": ["base"], "notes": "Trusted and untrusted networks are expected to be different for each environment.\nBut loopback traffic is assumed to be trusted and even necessary for some services.\nThis requirement is complements 1.2.1 and 1.3.1 requirements.", "title": "NSCs are implemented between trusted and untrusted networks.", "description": "Unauthorized traffic cannot traverse network boundaries between trusted and untrusted\nnetworks.", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.4.2", "levels": ["base"], "notes": "", "title": "Inbound traffic from untrusted networks to trusted networks is restricted.", "description": "Inbound traffic from untrusted networks to trusted networks is restricted to:\n- Communications with system components that are authorized to provide publicly accessible\nservices, protocols, and ports.\n- Stateful responses to communications initiated by system components in a trusted network.\n- All other traffic is denied.", "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.4.3", "levels": ["base"], "notes": "Anti-spoofing and blocking forged IP addresses is outside the scope\nof the OpenShift Container Platform.", "title": "Anti-spoofing measures are implemented to detect and block forged source IP addresses from entering the trusted network.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.4.4", "levels": ["base"], "notes": "This requirement is not intended to apply to storage of account data in volatile memory\nbut does apply where memory is being treated as persistent storage (for example, RAM\ndisk). Account data can only be stored in volatile memory during the time necessary to\nsupport the associated business process (for example, until completion of the related\npayment card transaction).", "title": "System components that store cardholder data are not directly accessible from untrusted networks.", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.4.5", "levels": ["base"], "notes": "Protection from IP address disclosure can be handled by solutions\noutside of OpenShift.", "title": "The disclosure of internal IP addresses and routing information is limited to only authorized parties.", "description": "Internal network information is protected from unauthorized disclosure.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.4", "levels": ["base"], "notes": "", "title": "Network connections between trusted and untrusted networks are controlled.", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["1.4.1", "1.4.2", "1.4.3", "1.4.4", "1.4.5"]}, {"id": "1.5.1", "levels": ["base"], "notes": "This control depends on the context in which OpenShift is used. If\nOpenShift is used to host the CDE, then devices used to connext to\nthe CDE and the security controls they implement fall outside the\nscope of OpenShift. If OpenShift is being used to interact with a\nCDE, then implementing network segmentation and access control for\nOpenShift network functionality may be required.", "title": "Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks (including the Internet) and the CDE", "description": "Security controls are implemented on any computing devices, including company- and\nemployee-owned devices, that connect to both untrusted networks (including the Internet)\nand the CDE as follows:\n- Specific configuration settings are defined to prevent threats being introduced into the\nentity's network.\n- Security controls are actively running.\n- Security controls are not alterable by users of the computing devices unless\nspecifically documented and authorized by management on a case-by-case basis for a limited\nperiod.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "1.5", "levels": ["base"], "notes": "", "title": "Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["1.5.1"]}, {"id": "2.1.1", "levels": ["base"], "notes": "Examine documentation and interview personnel to verify that security policies and\noperational procedures identified in Requirement 2 are managed in accordance with all\nelements specified in this requirement.", "title": "All security policies and operational procedures that are identified in Requirement 2 are Documented, Kept up to date, In use and Known to all affected parties.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "2.1.2", "levels": ["base"], "notes": "Examine documentation and interview personnel to verify that day-to-day responsibilities\nfor performing all the activities in Requirement 2 are documented, assigned and understood\nby the assigned personnel.", "title": "Roles and responsibilities for performing activities in Requirement 2 are documented, assigned, and understood.", "description": "Day-to-day responsibilities for performing all the activities in Requirement 2 are\nallocated. Personnel are accountable for successful, continuous operation of these\nrequirements.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "2.1", "levels": ["base"], "notes": "", "title": "Processes and mechanisms for applying secure configurations to all system components are defined and understood.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["2.1.1", "2.1.2"]}, {"id": "2.2.1", "levels": ["base"], "notes": "The Compliance Operator provides an automated way of checking for a secure configuration\nof OpenShift according to known security standards, as well as automatically remediating\ndeviations from the target configuration.\nIts usage is recommended to ensure appropriate configuration and is set and prevent drift.\n\nSystem components outside of OpenShift cannot be checked by the Compliance Operator.\n\nThis control is also addressed by applying the OpenShift CIS recommendations.", "title": "Configuration standards are developed, implemented, and maintained", "description": "Configuration standards are developed, implemented, and maintained to:\n- Cover all system components.\n- Address all known security vulnerabilities.\n- Be consistent with industry-accepted system hardening standards or vendor hardening\nrecommendations.\n- Be updated as new vulnerability issues are identified, as defined in Requirement 6.3.1.\n- Be applied when new systems are configured and verified as in place before or\nimmediately after a system component is connected to a production environment.", "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["var_event_record_qps=50"], "controls": ["cis_ocp:all:level_2"]}, {"id": "2.2.2", "levels": ["base"], "notes": "The Openshift Platform doesn't come with any hardcoded credentials or passwords.\nAuthenticators are uniquely created at deployment-time, including credentials\nfor an admin user (called `kubeadmin`) which is meant for bootstrapping purposes.\nIt is recommended for deployers to delete this account in favor of using an IdP\nand setting up appropriate permissions via RBAC roles.", "title": "Vendor default accounts are managed", "description": "Vendor default accounts are managed as follows:\n- If the vendor default account(s) will be used, the default password is changed per\nRequirement 8.3.6.\n- If the vendor default account(s) will not be used, the account is removed or disabled.", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "2.2.3", "levels": ["base"], "notes": "OpenShift nodes run RHEL CoreOS by default, which contains only the\nnecessary services, protocols and daemons needed to run OpenShift and\ncontainers. OpenShift provides the means to separate application\nworkloads within the cluster onto separate hosts and containers. It\nis the responsibility of the organization to appropriately separate\ntheir applications into relevant containers to meet this control.", "title": "Primary functions requiring different security levels are managed", "description": "Primary functions requiring different security levels are managed as follows:\n- Only one primary function exists on a system component\nOR\n- Primary functions with differing security levels that exist on the same system component\nare isolated from each other\nOR\n- Primary functions with differing security levels on the same system component are all\nsecured to the level required by the function with the highest security need.", "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "2.2.4", "levels": ["base"], "notes": "The OpenShift Container Platform uses RHEL CoreOS by default. In itself, it's\na minimal operating system with the sole purpose of running OpenShift. Therefore\nit doesn't contain extra packages or functionality; only the minimal that's meant\nto run OpenShift. RHCOS is the recommended operating system for OpenShift.", "title": "Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled", "description": "System components cannot be compromised by exploiting unnecessary functionality present in\nthe system component.", "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "2.2.5", "levels": ["base"], "notes": "OpenShift does not require any insecure services, protocols or daemons for\nproper functioning. The deployment comes with TLS enabled by default with\nstrong ciphers and an appropriate version enabled.", "title": "If any insecure services, protocols, or daemons are present, business justification is documented and the risk is reduced.", "description": "If any insecure services, protocols, or daemons are present:\n- Business justification is documented.\n- Additional security features are documented and implemented that reduce the risk of\nusing insecure services, protocols, or daemons.", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "2.2.6", "levels": ["base"], "notes": "While it's possible to manually configure the security settings\nin the Openshift Container Platform, the Compliance Operator provides\nan automated way of checking for a secure configuration and automatically\nremediating issues according to known security standards. Its usage\nis recommended to ensure appropriate configuration is set and prevent\ndrift.\n\nAdditionaly, as part of 2.2.1, the CIS recommendations for OpenShift are applied in order\nto prevent system misconfiguration and misuse.", "title": "System security parameters are configured to prevent misuse.", "description": "System components cannot be compromised because of incorrect security parameter\nconfiguration.", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "2.2.7", "levels": ["base"], "notes": "Related to requirement 12.3.3.", "title": "All non-console administrative access is encrypted using strong cryptography.", "description": "Cleartext administrative authorization factors cannot be read or intercepted from any\nnetwork transmissions. This includes administrative access via browser-based interfaces\nand application programming interfaces (APIs).", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "2.2", "levels": ["base"], "notes": "", "title": "System components are configured and managed securely", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["var_event_record_qps=50"], "controls": ["2.2.1", "2.2.2", "2.2.3", "2.2.4", "2.2.5", "2.2.6", "2.2.7"]}, {"id": "2.3.1", "levels": ["base"], "notes": "The OpenShift Container Platform doesn't manage wireless encryptions keys nor wireless\naccess points passwords.", "title": "For wireless environments connected to the CDE or transmitting account data, all wireless vendor defaults are changed at installation or are confirmed to be secure.", "description": "For wireless environments connected to the CDE or transmitting account data, all wireless\nvendor defaults are changed at installation or are confirmed to be secure, including but\nnot limited to:\n- Default wireless encryption keys.\n- Passwords on wireless access points.\n- SNMP defaults.\n- Any other security-related wireless vendor defaults.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["wireless_disable_interfaces"], "rules": [], "controls": []}, {"id": "2.3.2", "levels": ["base"], "notes": "The OpenShift Container Platform doesn't manage wireless encryptions keys nor wireless\naccess points passwords.", "title": "For wireless environments connected to the CDE or transmitting account data, wireless encryption keys are changed", "description": "For wireless environments connected to the CDE or transmitting account\ndata, wireless encryption keys are changed", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "2.3", "levels": ["base"], "notes": "", "title": "Wireless environments are configured and managed securely.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["2.3.1", "2.3.2"]}, {"id": "3.1.1", "levels": ["base"], "notes": "Examine documentation and interview personnel to verify that security policies and\noperational procedures identified in Requirement 3 are managed in accordance with all\nelements specified in this requirement.", "title": "All security policies and operational procedures that are identified in Requirement 3 are Documented, Kept up to date, In use and Known to all affected parties.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "3.1.2", "levels": ["base"], "notes": "Examine documentation and interview personnel to verify that day-to-day responsibilities\nfor performing all the activities in Requirement 3 are documented, assigned and understood\nby the assigned personnel.", "title": "Roles and responsibilities for performing activities in Requirement 3 are documented, assigned, and understood.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "3.1", "levels": ["base"], "notes": "", "title": "Processes and mechanisms for protecting stored account data are defined and understood.", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["3.1.1", "3.1.2"]}, {"id": "3.2.1", "levels": ["base"], "notes": "OpenShift does not directly manage any account data. It is up to the application handling\naccount data to appropriately store and dispose of this data.", "title": "Account data storage is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes.", "description": "Account data storage is kept to a minimum through implementation of data retention and\ndisposal policies, procedures, and processes that include at least the following:\n- Coverage for all locations of stored account data.\n- Coverage for any sensitive authentication data (SAD) stored prior to completion of\nauthorization.\n- Limiting data storage amount and retention time to that which is required for legal or\nregulatory, and/or business requirements.\n- Specific retention requirements for stored account data that defines length of retention\nperiod and includes a documented business justification.\n- Processes for secure deletion or rendering account data unrecoverable when no longer\nneeded per the retention policy.\n- A process for verifying, at least once every three months, that stored account data\nexceeding the defined retention period has been securely deleted or rendered unrecoverable.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "3.2", "levels": ["base"], "notes": "", "title": "Storage of account data is kept to a minimum.", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["3.2.1"]}, {"id": "3.3.1.1", "levels": ["base"], "notes": "OpenShift does not directly manage any track data. It is up to the application to\nappropriately store and dispose of this data.", "title": "The full contents of any track are not retained upon completion of the authorization process.", "description": "This requirement is not eligible for the customized approach. In the normal course of\nbusiness, the following data elements from the track may need to be retained:\n- Cardholder name.\n- Primary account number (PAN).\n- Expiration date.\n- Service code.\nTo minimize risk, store securely only these data elements as needed for business.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "3.3.1.2", "levels": ["base"], "notes": "OpenShift does not directly manage any card verification code. It is up to the\napplication to appropriately store and dispose of this data.", "title": "The card verification code is not retained upon completion of the authorization process.", "description": "This requirement is not eligible for the customized approach. The card verification code\nis the three- or four-digit number printed on the front or back of a payment card used\nto verify card-not-present transactions.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "3.3.1.3", "levels": ["base"], "notes": "OpenShift does not directly manage any cardc PIN or PIN block. It is up to the\napplication to appropriately dispose of this data.", "title": "The personal identification number (PIN) and the PIN block are not retained upon completion of the authorization process.", "description": "This requirement is not eligible for the customized approach. PIN blocks are encrypted\nduring the natural course of transaction processes, but even if an entity encrypts the\nPIN block again, it is still not allowed to be stored after the completion of the\nauthorization process.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "3.3.1", "levels": ["base"], "notes": "Proper design of the application by the payment entity can accommodate this requirement as\na processing mandate, restricting in-memory process for this data and taking care not to\nwrite to file storage from within the container or pod.", "title": "SAD is not retained after authorization, even if encrypted. All sensitive authentication data received is rendered unrecoverable upon completion of the authorization process.", "description": "This requirement is not eligible for the customized approach. This requirement does not\napply to issuers and companies that support issuing services (where SAD is needed for a\nlegitimate issuing business need) and have a business justification to store the sensitive\nauthentication data. Refer to Requirement 3.3.3 for additional requirements specifically\nfor issuers. Sensitive authentication data includes the data cited in Requirements 3.3.1.1\nthrough 3.3.1.3.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["3.3.1.1", "3.3.1.2", "3.3.1.3"]}, {"id": "3.3.2", "levels": ["base"], "notes": "OpenShift does not directly manage any SAD. It is up to the application to\nappropriately store and dispose of this data.", "title": "SAD that is stored electronically prior to completion of authorization is encrypted using strong cryptography.", "description": "This requirement is not eligible for the customized approach. Whether SAD is permitted to\nbe stored prior to authorization is determined by the organizations that manage compliance\nprograms (for example, payment brands and acquirers). Contact the organizations of\ninterest for any additional criteria. This requirement applies to all storage of SAD, even\nif no PAN is present in the environment. Refer to Requirement 3.2.1 for an additional\nrequirement that applies if SAD is stored prior to completion of authorization. This\nrequirement does not apply to issuers and companies that support issuing services where\nthere is a legitimate issuing business justification to store SAD. Refer to Requirement\n3.3.3 for requirements specifically for issuers. This requirement does not replace how PIN\nblocks are required to be managed, nor does it mean that a properly encrypted PIN block\nneeds to be encrypted again.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "3.3.3", "levels": ["base"], "notes": "OpenShift does not directly manage any SAD. It is up to the application to\nappropriately store and dispose of this data.", "title": "Additional requirement for issuers and companies that support issuing services and store sensitive authentication data.", "description": "Additional requirement for issuers and companies that support issuing services and store\nsensitive authentication data: Any storage of sensitive authentication data is:\n- Limited to that which is needed for a legitimate issuing business need and is secured.\n- Encrypted using strong cryptography. This bullet is a best practice until until\n31 March 2025, after which it will be required as part of Requirement 3.3.3 and must be\nfully considered during a PCI DSS assessment.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "3.3", "levels": ["base"], "notes": "", "title": "Sensitive authentication data (SAD) is not stored after authorization.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["3.3.1.1", "3.3.1.2", "3.3.1.3", "3.3.1", "3.3.2", "3.3.3"]}, {"id": "3.4.1", "levels": ["base"], "notes": "OpenShift doesn't directly handle PANs.\nHandling and masking the PAN is resposibility of the application installed.", "title": "PAN is masked when displayed (the BIN and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see more than the BIN and last four digits of the PAN.", "description": "PAN displays are restricted to the minimum number of digits necessary to meet a defined\nbusiness need. This requirement does not supersede stricter requirements in place for\ndisplays of cardholder data \u2014 for example, legal or payment brand requirements for\npoint-of-sale (POS) receipts. This requirement relates to protection of PAN where it is\ndisplayed on screens, paper receipts, printouts, etc., and is not to be confused with\nRequirement 3.5.1 for protection of PAN when stored, processed, or transmitted.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "3.4.2", "levels": ["base"], "notes": "OpenShift doesn't directly handle PANs.\nHandling and masking the PAN is resposibility of the application installed.\nAccess control, storage at rest and transport medium are to be managed by the application.", "title": "When using remote-access technologies, technical controls prevent copy and/or relocation of PAN for all personnel, except for those with documented, explicit authorization and a legitimate, defined business need.", "description": "PAN cannot be copied or relocated by unauthorized personnel using remote-access\ntechnologies. Storing or relocating PAN onto local hard drives, removable electronic\nmedia, and other storage devices brings these devices into scope for PCI DSS.\nThis requirement is a best practice until 31 March 2025, after which it will be required\nand must be fully considered during a PCI DSS assessment.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "3.4", "levels": ["base"], "notes": "", "title": "Access to displays of full PAN and ability to copy PAN is restricted.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["3.4.1", "3.4.2"]}, {"id": "3.5.1.1", "levels": ["base"], "notes": "OpenShift doesn't directly handle PANs.\nHandling and masking the PAN is resposibility of the workload / application installed.", "title": "Hashes used to render PAN unreadable (per the first bullet of Requirement 3.5.1) are keyed cryptographic hashes of the entire PAN, with associated key-management processes and procedures in accordance with Requirements 3.6 and 3.7.", "description": "This requirement applies to PANs stored in primary storage (databases, or flat files\nsuch as text files spreadsheets) as well as non-primary storage (backup, audit logs,\nexception, or troubleshooting logs) must all be protected. This requirement does not\npreclude the use of temporary files containing cleartext PAN while encrypting and\ndecrypting PAN. This requirement is considered a best practice until 31 March 2025,\nafter which it will be required and must be fully considered during a PCI DSS\nassessment.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "3.5.1.2", "levels": ["base"], "notes": "This requirement is about ensuring PANs are also masked when disk-level and partition-level\nencryption is used.\nHandling and masking the PAN is resposibility of the workload / application installed.", "title": "If disk-level or partition-level encryption (rather than file-, column-, or field-level database encryption) is used to render PAN unreadable, it is implemented only on removable electronic media or complemented by another mechanism that meets Requirement 3.5.1", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "3.5.1.3", "levels": ["base"], "notes": "Disk-level encryption is a node configuration, but it can be managed by the NBDE\nTang Server Operator to automatically unlock LUKS-encrypted volumes and rotate keys.\n\nIn case where card holder data may be stored on worker nodes disks, OpenShift Container\nPlatform can help to partially\ncomply with this requirement by providing several means of fully encrypting disks.\n* Using RHEL core crypto components which are FIPS certified\n* Or using cloud provider techniques, such as EBS encryption for AWS case.\nFor this requirement, we also check etcd is encrypted, so that secrets, but also routes\nand oauth configurations are secured.\n\nConcerning Full Disk Encryption:\nFull Disk Encryption can be enabled on OpenShift by installing the cluster with FIPS mode\nenabled.\nOpenShift Container Platform uses certain FIPS Validated / Modules in Process modules\nwithin RHEL and RHCOS for the operating system components that it uses.\nSee RHEL core crypto components and\nhttps://docs.openshift.com/container-platform/latest/installing/installing-fips.html for\nfurther information.\nWhen installing the cluster, The public ssh key is passed to the Red Hat Enterprise Linux\nCoreOS (RHCOS) nodes through their Ignition config files and is used to authenticate SSH\naccess to the nodes. The key is added to the ~/.ssh/authorized_keys list for the core user\non each node, which enables password-less authentication.\n\nThe management of the private key is up to the customer.\nLUKS/dm-crypt (used by the FIPS mode) provides full-disk encryption that fulfills\nrequirement 3.4.1.\nAccess to the stored data is only possible via a decryption password that must be entered\nwhen the disk is mounted .\nThe disk can be encrypted using a TPM v2, a secure cryptoprocessor contained\nwithin a server; or a Tang server, a network-bound disk encryption (NBDE).\n\nThe NBDE Tang Server Operator can provide automatic unlocking of LUKS-encrypted volumes\nand key rotation.", "title": "If disk-level or partition-level encryption is used (rather than file-, column-, or field--level database encryption) to render PAN unreadable, it is managed.", "description": "If disk-level or partition-level encryption is used (rather than file-, column-, or\nfield--level database encryption) to render PAN unreadable, it is managed as follows:\n- Logical access is managed separately and independently of native operating system\nauthentication and access control mechanisms.\n- Decryption keys are not associated with user accounts.\n- Authentication factors (passwords, passphrases, or cryptographic keys) that allow\naccess to unencrypted data are stored securely.", "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "3.5.1", "levels": ["base"], "notes": "", "title": "PAN is rendered unreadable anywhere it is stored", "description": "PAN is rendered unreadable anywhere it is stored by using any of the following approaches:\n- One-way hashes based on strong cryptography of the entire PAN.\n- Truncation (hashing cannot be used to replace the truncated segment of PAN).\n  - If hashed and truncated versions of the same PAN, or different truncation formats of\n  the same PAN, are present in an environment, additional controls are in place such that\n  the different versions cannot be correlated to reconstruct the original PAN.\n- Indexes tokens.\n- Strong cryptography with associated key-management processes and procedures.", "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["3.5.1.1", "3.5.1.2", "3.5.1.3"]}, {"id": "3.5", "levels": ["base"], "notes": "", "title": "Primary account number (PAN) is secured wherever it is stored.", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["3.5.1.1", "3.5.1.2", "3.5.1.3", "3.5.1"]}, {"id": "3.6.1.1", "levels": ["base"], "notes": "This requirement largely depends on the solution chosen by the customer to protect card\nholder data at rest.\n* When Full Disk Encryption is done using AWS EBS encryption, the algorithm used is\n  AES-256.\n  Your data key is stored on disk with your encrypted data, but not before EBS encrypts it\n  with your KMS key.\n  Your data key never appears on disk in plaintext.\n  The same data key is shared by snapshots of the volume and any subsequent volumes\n  created from those snapshots.\n  See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html\n* When Full Disk Encryption is done using LUKS with TPM2, full disk encryption utilities\n  such as dm-crypt and\n  BitLocker encrypt disks with a TPM bind key, and then store the TPM bind key in the TPM\n  (Trusted Platform Module),\n  which is a secure element attached to the motherboard of the node.\n  The main benefit of this method is that there is no external dependency, and the node is\n  able to decrypt its own\n  disks at boot time without any external interaction.\n* When Full Disk Encryption is done using LUKS with Tang, the booting node attempts to\n  contact a predefined set\n  of Tang servers by performing a cryptographic handshake. If it can reach the required\n  number of Tang servers,\n  the node can construct its disk decryption key and unlock the disks to continue booting.\nSee https://docs.openshift.com/container-platform/4.9/security/network_bound_disk_encryption/nbde-about-disk-encryption-technology.html", "title": "Additional requirement for service providers only: A documented description of the cryptographic architecture is maintained", "description": "Additional requirement for service providers only: A documented description of the\ncryptographic architecture is maintained that includes:\n- Details of all algorithms, protocols, and keys used for the protection of stored\naccount data, including key strength and expiry date.\n- Preventing the use of the same cryptographic keys in production and test environments.\nThis bullet is a best practice until 31 March 2025, after which it will be required as\npart of Requirement 3.6.1.1 and must be fully considered during a PCI DSS assessment.\n- Description of the key usage for each key.\n- Inventory of any hardware security modules (HSMs), key management systems (KMS), and\nother secure cryptographic devices (SCDs) used for key management, including type and\nlocation of devices, as outlined in Requirement 12.3.4.", "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "3.6.1.2", "levels": ["base"], "notes": "", "title": "Secret and private keys used to encrypt/decrypt stored account data are stored in secure forms.", "description": "Secret and private keys used to encrypt/decrypt stored account data are stored in one\n(or more) of the following forms at all times:\n- Encrypted with a key-encrypting key that is at least as strong as the data-encrypting\nkey, and that is stored separately from the data-encrypting key.\n- Within a secure cryptographic device (SCD), such as a hardware security module (HSM)\nor PTS-approved point-of-interaction device.\n- As at least two full-length key components or key shares, in accordance with an\nindustry-accepted method.\nSecret and private keys are stored in a secure form that prevents unauthorized retrieval\nor access. It is not required that public keys be stored in one of these forms.\nCryptographic keys stored as part of a key management system (KMS) that employs SCDs are\nacceptable. A cryptographic key that is split into two parts does not meet this\nrequirement. Secret or private keys stored as key components or key shares must be\ngenerated via one of the following", "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "3.6.1.3", "levels": ["base"], "notes": "This requirement largely depends on the solution chosen by the customer to protect card\nholder data at rest.\n* When Full Disk Encryption is done using AWS EBS encryption, the data key, used for\n  volume encryption, is generated\n  by AWS KMS, encrypted with the Key Encryption Key that lies in the KMS and stored with\n  the volume metadata, by EBS.\n  It is the payment entity's responsibility to limit the access to this key by ensuring\n  that Grant requests to decrypt\n  the data key using the KEK (Key Encryption Key) is given only to the need to know users\n  or AWS resources.\n  See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html\n* When Full Disk Encryption is done using LUKS with TPM2, the TPM bind key, which is used\nto decrypt the data key is\n  stored in the TPM (Trusted Platform Module), on the motherboard of the node.\n  It is therefore not shared with anyone.\n* When Full Disk Encryption is done using LUKS with Tang, Tang server does not store the\nencryption key directly,\n  and never interacts with it. The metadata needed to decrypt the volume is stored on the\n  disk but can only be\n  unlocked and used when the node can correctly establish the handshake with the Tang\n  server. The data key is therefore not shared with anyone.", "title": "Access to cleartext cryptographic key components is restricted to the fewest number of custodians necessary.", "description": "Access to cleartext cryptographic key components is restricted to necessary personnel.", "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "3.6.1.4", "levels": ["base"], "notes": "This requirement depends on the solution chosen by the customer to protect card holder\ndata at rest:\n* When Full Disk Encryption is done using AWS EBS encryption, the data key is stored in\n  the volume's metadata only.\n  The KEK is stored in the AWS KMS only.\n* When Full Disk Encryption is done using LUKS with TPM2, the TPM bind key is stored in\n  the TPM (Trusted Platform Module) only.\n  The encrypted data key is stored on the MBR of the disk only.\n* When Full Disk Encryption is done using LUKS with Tang, the encryption key is not stored\n  to disk. Only the provisioning metadata is. A POST to the Tang server would allow the\n  node to recompute the encryption key from this metadata.\n  See https://github.com/latchset/tang", "title": "Cryptographic keys are stored in the fewest possible locations.", "description": "Cryptographic keys are retained only where necessary.", "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "3.6.1", "levels": ["base"], "notes": "", "title": "Procedures are defined and implemented to protect cryptographic keys used to protect stored account data against disclosure and misuse.", "description": "Procedures are defined and implemented to protect cryptographic keys used to protect\nstored account data against disclosure and misuse that include:\n- Access to keys is restricted to the fewest number of custodians necessary.\n- Key-encrypting keys are at least as strong as the data-encrypting keys they protect.\n- Key-encrypting keys are stored separately from data-encrypting keys.\n- Keys are stored securely in the fewest possible locations and forms.", "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["3.6.1.1", "3.6.1.2", "3.6.1.3", "3.6.1.4"]}, {"id": "3.6", "levels": ["base"], "notes": "The cryptographic keys created and managed by OpenShift are secured by default.\nHowever, the keys created and managed by the application should be secured by the application\nand the organization's processes.", "title": "Cryptographic keys used to protect stored account data are secured.", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["3.6.1.1", "3.6.1.2", "3.6.1.3", "3.6.1.4", "3.6.1"]}, {"id": "3.7.1", "levels": ["base"], "notes": "Although some key management processes rely on OpenShift Container Platform and its\nunderlying components for Full Disk Encryption, the responsibility for documentation and\nimplementation of key-management processes and procedures for cryptographic keys used for\nencryption of cardholder data is still on the payment service and its\noperations team in order to cover all aspects of cardholder data protection.", "title": "Key-management policies and procedures are implemented to include generation of strong cryptographic keys used to protect stored account data.", "description": "Strong cryptographic keys are generated.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "3.7.2", "levels": ["base"], "notes": "", "title": "Key-management policies and procedures are implemented to include secure distribution of cryptographic keys used to protect stored account data.", "description": "Cryptographic keys are secured during distribution.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "3.7.3", "levels": ["base"], "notes": "TPM", "title": "Key-management policies and procedures are implemented to include secure storage of cryptographic keys used to protect stored account data.", "description": "Cryptographic keys are secured when stored.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "3.7.4", "levels": ["base"], "notes": "It is the responsibility of the payment entity's operations team to rotate the\nencryption keys when they expire, according to the solution chosen for full disk\nencryption:\n* AWS EBS Encryption: Operations team creates a snapshot of the volume and then uses\n  the snapshot to create a new, encrypted copy of the volume. While creating the new volume,\n  a new encryption key is specified.\n* LUKS encryption with TPM2: The TPM secret cannot be modified after disk creation.\n* LUKS encryption with Tang: The operations performs the Tang Keys rotation as described in\n  https://access.redhat.com/solutions/4074891", "title": "Key management policies and procedures are implemented for cryptographic key changes for keys that have reached the end of their cryptoperiod, as defined by the associated application vendor or key owner, and based on industry best practices and guidelines.", "description": "Key management policies and procedures are implemented for cryptographic key changes for\nkeys that have reached the end of their cryptoperiod, as defined by the associated\napplication vendor or key owner, and based on industry best practices and guidelines,\nincluding the following:\n- A defined cryptoperiod for each key type in use.\n- A process for key changes at the end of the defined cryptoperiod.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "3.7.5", "levels": ["base"], "notes": "It is the responsibility of the payment entity's operations team to retire or\nreplace weakened keys", "title": "Key management policies procedures are implemented to include the retirement, replacement, or destruction of keys used to protect stored account data, as deemed necessary.", "description": "Key management policies procedures are implemented to include the retirement, replacement,\nor destruction of keys used to protect stored account data, as deemed necessary when:\n- The key has reached the end of its defined cryptoperiod.\n- The integrity of the key has been weakened, including when personnel with knowledge of a\ncleartext key component leaves the company, or the role for which the key component was\nknown.\n- The key is suspected of or known to be compromised.\n- Retired or replaced keys are not used for encryption operations.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "3.7.6", "levels": ["base"], "notes": "Manual clear-text cryptographic key-management operations are not used in the context of\nOpenshift Container Platform", "title": "Where manual cleartext cryptographic key-management operations are performed by personnel, key-management policies and procedures are implemented include managing these operations using split knowledge and dual control.", "description": "Cleartext secret or private keys cannot be known by anyone. Operations involving cleartext\nkeys cannot be carried out by a single person. This control is applicable for manual\nkey-management operations or where key management is not controlled by the encryption\nproduct. A cryptographic key that is simply split into two parts does not meet this\nrequirement. Secret or private keys stored as key components or key shares must be\ngenerated via one of the following", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "3.7.7", "levels": ["base"], "notes": "This requirement depends on the solution chosen by the payment entity to protect card holder\ndata at rest:\n* When Full Disk Encryption is done using AWS EBS encryption, the authorizations on the\n  cryptographic keys are managed in AWS IAM by the payment entity operating the service.\n* When Full Disk Encryption is done using LUKS with TPM2, no substitution of cryptographic\n  keys is possible after disk creation.\n* When Full Disk Encryption is done using LUKS with Tang, the access to the Tang server,\n  where the Tang Keys Rotation process can be handled, are the responsibility of the payment\n  entity operating the service.", "title": "Key management policies and procedures are implemented to include the prevention of unauthorized substitution of cryptographic keys.", "description": "Cryptographic keys cannot be substituted by unauthorized personnel.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "3.7.8", "levels": ["base"], "notes": "This requirement is not applicable to the OpenShift Container Platform\nas it instead pertains to the practices and documentation from the\npayment entity. The platform may not generate the entity's policies\nand security practices.", "title": "Key management policies and procedures are implemented to include that cryptographic key custodians formally acknowledge (in writing or electronically) that they understand and accept their key-custodian responsibilities.", "description": "Key custodians are knowledgeable about their responsibilities in relation to cryptographic\noperations and can access assistance and guidance when required.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "3.7.9", "levels": ["base"], "notes": "", "title": "Additional requirement for service providers only: Where a service provider shares cryptographic keys with its customers for transmission or storage of account data, guidance on secure transmission, storage and updating of such keys is documented and distributed to the service provider\u2019s customers.", "description": "Customers are provided with appropriate key management guidance whenever they receive\nshared cryptographic keys. This requirement applies only when the entity being assessed is\na service provider.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "3.7", "levels": ["base"], "notes": "", "title": "Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["3.7.1", "3.7.2", "3.7.3", "3.7.4", "3.7.5", "3.7.6", "3.7.7", "3.7.8", "3.7.9"]}, {"id": "4.1.1", "levels": ["base"], "notes": "", "title": "All security policies and operational procedures that are identified in Requirement 4 are Documented, Kept up to date, In use and Known to all affected parties.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "4.1.2", "levels": ["base"], "notes": "Examine documentation and interview personnel to verify that day-to-day responsibilities\nfor performing all the activities in Requirement 4 are documented, assigned and understood\nby the assigned personnel.", "title": "Roles and responsibilities for performing activities in Requirement 4 are documented, assigned, and understood.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "4.1", "levels": ["base"], "notes": "", "title": "Processes and mechanisms for protecting cardholder data with strong cryptography during transmission over open, public networks are defined and documented.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["4.1.1", "4.1.2"]}, {"id": "4.2.1.1", "levels": ["base"], "notes": "OpenShift doesn't directly handle PANs, the management of keys and certificates\nprotecting them is responsibility of the payment application.", "title": "An inventory of the entity's trusted keys and certificates used to protect PAN during transmission is maintained.", "description": "All keys and certificates used to protect PAN during transmission are identified and\nconfirmed as trusted. This requirement is a best practice until 31 March 2025, after\nwhich it will be required and must be fully considered during a PCI DSS assessment.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "4.2.1.2", "levels": ["base"], "notes": "OpenShift doesn't manage wireless environments nor their security configurations.", "title": "Wireless networks transmitting PAN or connected to the CDE use industry best practices to implement strong cryptography for authentication and transmission.", "description": "Cleartext PAN cannot be read or intercepted from wireless network transmissions.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "4.2.1", "levels": ["base"], "notes": "OpenShift provides mechanisms to securely transmit PAN over open public networks, but\nthe application is still responsible for leveraging and implementing strong\ncryptography when transmitting PAN.", "title": "Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks.", "description": "Strong cryptography and security protocols are implemented as follows to safeguard PAN\nduring transmission over open, public networks:\n- Only trusted keys and certificates are accepted.\n- Certificates used to safeguard PAN during transmission over open, public networks are\nconfirmed as valid and are not expired or revoked. This bullet is a best practice until\n31 March 2025, after which it will be required as part of Requirement 4.2.1 and must be\nfully considered during a PCI DSS assessment.\n- The protocol in use supports only secure versions or configurations and does not support\nfallback to, or use of insecure versions, algorithms, key sizes, or implementations.\n- The encryption strength is appropriate for the encryption methodology in use.", "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["4.2.1.1", "4.2.1.2"]}, {"id": "4.2.2", "levels": ["base"], "notes": "OpenShift doesn't directly handle PANs, the application is responsible for appropriately\nsecuring PAN.", "title": "PAN is secured with strong cryptography whenever it is sent via end-user messaging technologies.", "description": "Cleartext PAN cannot be read or intercepted from transmissions using end-user messaging\ntechnologies. This requirement also applies if a customer, or other third-party, requests\nthat PAN is sent to them via end-user messaging technologies. There could be occurrences\nwhere an entity receives unsolicited cardholder data via an insecure communication channel\nthat was not intended for transmissions of sensitive data. In this situation, the entity\ncan choose to either include the channel in the scope of their CDE and secure it according\nto PCI DSS or delete the cardholder data and implement measures to prevent the channel\nfrom being used for cardholder data.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "4.2", "levels": ["base"], "notes": "", "title": "PAN is protected with strong cryptography during transmission.", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["4.2.1.1", "4.2.1.2", "4.2.1", "4.2.2"]}, {"id": "5.1.1", "levels": ["base"], "notes": "The responsibility for documentation, maintenance, use and dissemination of the security\npolicies and procedures is on the payment service and its operations team.", "title": "All security policies and operational procedures that are identified in Requirement 5 are Documented, Kept up to date, In use and Known to all affected parties.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "5.1.2", "levels": ["base"], "notes": "The responsibility for documentation, maintenance, use and dissemination of the security\npolicies and procedures is on the payment service and its operations team.", "title": "Roles and responsibilities for performing activities in Requirement 5 are documented, assigned, and understood.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "5.1", "levels": ["base"], "notes": "", "title": "Processes and mechanisms for protecting all systems and networks from malicious software are defined and understood.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["5.1.1", "5.1.2"]}, {"id": "5.2.1", "levels": ["base"], "notes": "There are many options of anti-malware and the criteria for any adopted solution or\napproach relies on each site policy. Technologies are supported but manual assessment is\nrequired.\n\nOpenShift container platforms may install the OpenShift File\nIntegrity Operator [1] which monitors file system integrity on the host.\nThis may allow for the detection of threats on the hosts which attempt\nto modify the file system in malicious ways. Additionally, there exist\nseveral solutions to scan for container vulnerabilities which are indispensible\nfrom any deployment. One such example is Red Hat Quay [2] which supports\nimage verification and continuous security scanning of container images.\nAnother option is Red Hat Advanced Cluster Security [3] which provides a complete solution\nto build, deploy, and run containerized workloads with more security.\n\n[1] https://docs.openshift.com/container-platform/latest/security/file_integrity_operator/file-integrity-operator-understanding.html\n[2] https://docs.openshift.com/container-platform/latest/security/container_security/security-registries.html\n[3] https://www.redhat.com/en/resources/advanced-cluster-security-for-kubernetes-datasheet", "title": "An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware.", "description": "Automated mechanisms are implemented to prevent systems from becoming an attack vector for\nmalware.", "rationale": null, "automated": "no", "status": "supported", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["acs_sensor_exists", "container_security_operator_exists", "file_integrity_exists"], "rules": [], "controls": []}, {"id": "5.2.2", "levels": ["base"], "notes": "It is the payment entity's responsibility to ensure that the chosen anti-malware solutions\ncover the required malware types.", "title": "The deployed anti-malware solution(s) detects all known types of malware and removes, blocks, or contains all known types of malware.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "5.2.3.1", "levels": ["base"], "notes": "", "title": "The frequency of periodic evaluations of system components identified as not at risk for malware is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.", "description": "Systems not known to be at risk from malware are re-evaluated at a frequency that\naddresses the entity's risk. This requirement is a best practice until 31 March 2025,\nafter which it will be required and must be fully considered during a PCI DSS\nassessment.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "5.2.3", "levels": ["base"], "notes": "It is the payment entity's responsibility to identify and evaluate whether any system\ncomponent is at risk of a malware attack.", "title": "Any system components that are not at risk for malware are evaluated periodically.", "description": "Any system components that are not at risk for malware are evaluated periodically to\ninclude the following:\n- A documented list of all system components not at risk for malware.\n- Identification and evaluation of evolving malware threats for those system components.\n- Confirmation whether such system components continue to not require anti-malware\nprotection.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["5.2.3.1"]}, {"id": "5.2", "levels": ["base"], "notes": "Related measures are covered by 1.2.6, 1.4.5 and 3.4.2.", "title": "Malicious software (malware) is prevented, or detected and addressed.", "description": null, "rationale": null, "automated": "no", "status": "supported", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["5.2.1", "5.2.2", "5.2.3.1", "5.2.3"]}, {"id": "5.3.1", "levels": ["base"], "notes": "", "title": "The anti-malware solution(s) is kept current via automatic updates.", "description": "Anti-malware mechanisms can detect and address the latest malware threats.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "5.3.2.1", "levels": ["base"], "notes": "", "title": "If periodic malware scans are performed to meet Requirement 5.3.2, the frequency of scans is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.", "description": "Scans by the malware solution are performed at a frequency that addresses the entity's\nrisk. This requirement applies to entities conducting periodic malware scans to meet\nRequirement 5.3.2. This requirement is a best practice until 31 March 2025, after which\nit will be required and must be fully considered during a PCI DSS assessment.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "5.3.2", "levels": ["base"], "notes": "", "title": "The anti-malware solution(s) performs periodic scans and active or real-time scans or performs continuous behavioral analysis of systems or processes.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["5.3.2.1"]}, {"id": "5.3.3", "levels": ["base"], "notes": "", "title": "For removable electronic media, the anti-malware solution(s) performs automatic scans of when the media is inserted, connected, or logically mounted, or Performs continuous behavioral analysis of systems or processes when the media is inserted, connected, or logically mounted.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "5.3.4", "levels": ["base"], "notes": "", "title": "Audit logs for the anti-malware solution(s) are enabled and retained in accordance with Requirement 10.5.1.", "description": "Historical records of anti-malware actions are immediately available and retained for at\nleast 12 months.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "5.3.5", "levels": ["base"], "notes": "", "title": "Anti-malware mechanisms cannot be disabled or altered by users, unless specifically documented, and authorized by management on a case-by-case basis for a limited time period.", "description": "Anti-malware mechanisms cannot be modified by unauthorized personnel.Anti-malware\nsolutions may be temporarily disabled only if there is a legitimate technical need, as\nauthorized by management on a case-by-case basis. If anti-malware protection needs to be\ndisabled for a specific purpose, it must be formally authorized. Additional security\nmeasures may also need to be implemented for the period during which anti-malware\nprotection is not active.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "5.3", "levels": ["base"], "notes": "The requirements in this section depend on the malware solution deployed as part of 5.2.1.", "title": "Anti-malware mechanisms and processes are active, maintained, and monitored.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["5.3.1", "5.3.2.1", "5.3.2", "5.3.3", "5.3.4", "5.3.5"]}, {"id": "5.4.1", "levels": ["base"], "notes": "", "title": "Processes and automated mechanisms are in place to detect and protect personnel against phishing attacks.", "description": "Mechanisms are in place to protect against and mitigate risk posed by phishing attacks.\nThis requirement applies to the automated mechanism. It is not intended that the systems\nand services providing such automated mechanisms (such as email servers) are brought into\nscope for PCI DSS. The focus of this requirement is on protecting personnel with access to\nsystem components in-scope for PCI DSS. Meeting this requirement for technical and\nautomated controls to detect and protect personnel against phishing is not the same as\nRequirement 12.6.3.1 for security awareness training. Meeting this requirement does not\nalso meet the requirement for providing personnel with security awareness training, and\nvice versa. This requirement is a best practice until 31 March 2025, after which it will\nbe required and must be fully considered during a PCI DSS assessment.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["firewalld_loopback_traffic_restricted", "sysctl_net_ipv4_conf_all_log_martians"], "rules": [], "controls": []}, {"id": "5.4", "levels": ["base"], "notes": "", "title": "Anti-phishing mechanisms protect users against phishing attacks.", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["5.4.1"]}, {"id": "6.1.1", "levels": ["base"], "notes": "The responsibility for documentation, maintenance, use and dissemination of the processes\nand mechanisms for developing and maintaining secure systems and software is on the\npayment entity and its operations team.", "title": "All security policies and operational procedures that are identified in Requirement 6 are Documented, Kept up to date, In use and Known to all affected parties.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "6.1.2", "levels": ["base"], "notes": "The responsibility for documentation, maintenance, use and dissemination of the processes\nand mechanisms for developing and maintaining secure systems and software is on the\npayment entity and its operations team.", "title": "Roles and responsibilities for performing activities in Requirement 6 are documented, assigned, and understood.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "6.1", "levels": ["base"], "notes": "", "title": "Processes and mechanisms for developing and maintaining secure systems and software are defined and understood.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["6.1.1", "6.1.2"]}, {"id": "6.2.1", "levels": ["base"], "notes": "", "title": "Bespoke and custom software are developed securely.", "description": "Bespoke and custom software are developed securely, as follows:\n- Based on industry standards and/or best practices for secure development.\n- In accordance with PCI DSS (for example, secure authentication and logging).\n- Incorporating consideration of information security issues during each stage of the\nsoftware development lifecycle.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "6.2.2", "levels": ["base"], "notes": "", "title": "Software development personnel working on bespoke and custom software are trained at least once every 12 months", "description": "Software development personnel working on bespoke and custom software are trained at least\nonce every 12 months as follows:\n- On software security relevant to their job function and development languages.\n- Including secure software design and secure coding techniques.\n- Including, if security testing tools are used, how to use the tools for detecting\nvulnerabilities in software.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "6.2.3.1", "levels": ["base"], "notes": "", "title": "If manual code reviews are performed for bespoke and custom software prior to release to production code changes co-reviewed and approved.", "description": "If manual code reviews are performed for bespoke and custom software prior to release\nto production code changes are:\n- Reviewed by individuals other than the originating code author, and who are\nknowledgeable about code-review techniques and secure coding practices.\n- Reviewed and approved by management prior to release.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "6.2.3", "levels": ["base"], "notes": "", "title": "Bespoke and custom software is reviewed prior to being released into production or to customers, to identify and correct potential coding vulnerabilities.", "description": "Bespoke and custom software is reviewed prior to being released into production or to\ncustomers, to identify and correct potential coding vulnerabilities, as follows:\n- Code reviews ensure code is developed according to secure coding guidelines.\n- Code reviews look for both existing and emerging software vulnerabilities.\n- Appropriate corrections are implemented prior to release.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["6.2.3.1"]}, {"id": "6.2.4", "levels": ["base"], "notes": "", "title": "Software engineering techniques or other methods are defined and in use by software development personnel to prevent or mitigate common software attacks and related vulnerabilities in bespoke and custom software.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "6.2", "levels": ["base"], "notes": "OpenShift is developed and maintained following secure software development practices:\nhttps://www.redhat.com/en/topics/security/red-hat-sdl\nBut this requirement applies only to software developed for or by the entity for the\nentity's own use. This does not apply to third-party software.", "title": "Bespoke and custom software are developed securely.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["6.2.1", "6.2.2", "6.2.3.1", "6.2.3", "6.2.4"]}, {"id": "6.3.1", "levels": ["base"], "notes": "The payment entity needs to establish its own process of monitoring for vulnerabilities for\nthe systems in use, including bespoke and custom software.", "title": "Security vulnerabilities are identified and managed", "description": "Security vulnerabilities are identified and managed as follows:\n- New security vulnerabilities are identified using industry-recognized sources for\nsecurity vulnerability information, including alerts from international and national\ncomputer emergency response teams (CERTs).\n- Vulnerabilities are assigned a risk ranking based on industry best practices and\nconsideration of potential impact.\n- Risk rankings identify, at a minimum, all vulnerabilities considered to be a high-risk\nor critical to the environment.\n- Vulnerabilities for bespoke and custom, and third-party software (for example operating\nsystems and databases) are covered.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "6.3.2", "levels": ["base"], "notes": "", "title": "An inventory of bespoke and custom software, and third-party software components incorporated into bespoke and custom software is maintained to facilitate vulnerability and patch management.", "description": "Known vulnerabilities in third-party software components cannot be exploited in bespoke\nand custom software.This requirement is a best practice until 31 March 2025, after which\nit will be required and must be fully considered during a PCI DSS assessment.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "6.3.3", "levels": ["base"], "notes": "The OpenShift Container Platform provides the capability of updating\nboth the Kubernetes/OCP layer, as well as the Operating System (Red Hat\nCoreOS) layer in an ubiquitous manner with over-the-air updates using\nthe OpenShift Update Service (OSUS) [1]. This service can also be installed\nin clusters without internet connectivity [2].\n\n[1] https://access.redhat.com/documentation/en-us/openshift_container_platform/4.15/html/updating_clusters/understanding-openshift-updates-1#update-service-about_understanding-openshift-updates\n[2] https://access.redhat.com/documentation/en-us/openshift_container_platform/4.15/html/updating_clusters/performing-a-cluster-update#updating-restricted-network-cluster-OSUS", "title": "All system components are protected from known vulnerabilities by installing applicable security patches/updates.", "description": "All system components are protected from known vulnerabilities by installing\napplicable security patches/updates as follows:\n- Critical or high-security patches/updates (identified according to the risk ranking\nprocess at Requirement 6.3.1) are installed within one month of release.\n- All other applicable security patches/updates are installed within an appropriate time\nframe as determined by the entity (for example, within three months of release).", "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "6.3", "levels": ["base"], "notes": "", "title": "Security vulnerabilities are identified and addressed.", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["6.3.1", "6.3.2", "6.3.3"]}, {"id": "6.4.1", "levels": ["base"], "notes": "It is up to the payment entity how they protect their public facing appilcations.\nDepending on the approach taken OpenShift can provide support, see req. 6.4.2, for more details.", "title": "For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks.", "description": "For public-facing web applications, new threats and vulnerabilities are addressed on an\nongoing basis and these applications are protected against known attacks as follows:\n- Reviewing public-facing web applications via manual or automated application\nvulnerability security assessment tools or methods as follows:\n  - At least once every 12 months and after significant changes.\n  \u2013 By an entity that specializes in application security.\n  \u2013 Including, at a minimum, all common software attacks in Requirement 6.2.4.\n  \u2013 All vulnerabilities are ranked in accordance with requirement 6.3.1.\n  \u2013 All vulnerabilities are corrected.\n  \u2013 The application is re-evaluated after the corrections\nOR\n- Installing an automated technical solution(s) that continually detects and prevents\nweb-based attacks as follows:\n  - Installed in front of public-facing web applications to detect and prevent web-based\n  attacks.\n  - Actively running and up to date as applicable.\n  - Generating audit logs.\n  - Configured to either block web-based attacks or generate an alert that is immediately\n  investigated.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "6.4.2", "levels": ["base"], "notes": "Support for Web Application Firewall in OCP is still in development:\nhttps://www.redhat.com/en/blog/creating-web-application-firewall-red-hat-openshift\n\nWhile Container Security Operator (CSO) is not focused on protecting web-applications it\ncan scan installed workflows and applications for known vulnerabilities.\nhttps://access.redhat.com/documentation/en-us/red_hat_quay/3/html/red_hat_quay_operator_features/container-security-operator-setup\n\nSecurity Profiles Operators can also be used to contain an attack when an application\nis compromised.\nhttps://docs.openshift.com/container-platform/latest/security/security_profiles_operator/spo-overview.html", "title": "For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks.", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "6.4.3", "levels": ["base"], "notes": "", "title": "All payment page scripts that are loaded and executed in the consumer's browser are managed", "description": "All payment page scripts that are loaded and executed in the consumer's browser are\nmanaged as follows:\n- A method is implemented to confirm that each script is authorized.\n- A method is implemented to assure the integrity of each script.\n- An inventory of all scripts is maintained with written justification as to why each is\nnecessary.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "6.4", "levels": ["base"], "notes": "", "title": "Public-facing web applications are protected against attacks.", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["6.4.1", "6.4.2", "6.4.3"]}, {"id": "6.5.1", "levels": ["base"], "notes": "", "title": "Changes to all system components in the production environment are made according to established procedures.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "6.5.2", "levels": ["base"], "notes": "", "title": "Upon completion of a significant change, all applicable PCI DSS requirements are confirmed to be in place on all new or changed systems and networks, and documentation is updated as applicable.", "description": "All system components are verified after a significant change to be compliant with the\napplicable PCI DSS requirements.These significant changes should also be captured and\nreflected in the entity's annual PCI DSS scope confirmation activity per Requirement\n12.5.2.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "6.5.3", "levels": ["base"], "notes": "", "title": "Pre-production environments are separated from production environments and the separation is enforced with access controls.", "description": "Pre-production environments cannot introduce risks and vulnerabilities into production\nenvironments.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "6.5.4", "levels": ["base"], "notes": "", "title": "Roles and functions are separated between production and pre-production environments to provide accountability such that only reviewed and approved changes are deployed.", "description": "Job roles and accountability that differentiate between pre-production and production\nactivities are defined and managed to minimize the risk of unauthorized, unintentional,\nor inappropriate actions. In environments with limited personnel where individuals perform\nmultiple roles or functions, this same goal can be achieved with additional procedural\ncontrols that provide accountability. For example, a developer may also be an administrator\nthat uses an administrator-level account with elevated privileges in the development\nenvironment and, for their developer role, they use a separate account with user-level\naccess to the production environment.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "6.5.5", "levels": ["base"], "notes": "", "title": "Live PANs are not used in pre-production environments, except where those environments are included in the CDE and protected in accordance with all applicable PCI DSS requirements.", "description": "Live PANs cannot be present in pre-production environments outside the CDE.s", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "6.5.6", "levels": ["base"], "notes": "", "title": "Test data and test accounts are removed from system components before the system goes into production.", "description": "Test data and test accounts cannot exist in production environments.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "6.5", "levels": ["base"], "notes": "", "title": "Changes to all system components are managed securely.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["6.5.1", "6.5.2", "6.5.3", "6.5.4", "6.5.5", "6.5.6"]}, {"id": "7.1.1", "levels": ["base"], "notes": "Examine documentation and interview personnel to verify that security policies and\noperational procedures identified in Requirement 7 are managed in accordance with all\nelements specified in this requirement.", "title": "All security policies and operational procedures that are identified in Requirement 7 are Documented, Kept up to date, In use and Known to all affected parties.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "7.1.2", "levels": ["base"], "notes": "Examine documentation and interview personnel to verify that day-to-day responsibilities\nfor performing all the activities in Requirement 7 are documented, assigned and understood\nby the assigned personnel.", "title": "Roles and responsibilities for performing activities in Requirement 7 are documented, assigned, and understood.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "7.1", "levels": ["base"], "notes": "", "title": "Processes and mechanisms for restricting access to system components and cardholder data by business need to know are defined and understood.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["7.1.1", "7.1.2"]}, {"id": "7.2.1", "levels": ["base"], "notes": "The OpenShift Container Platform comes with the Kubernetes RBAC\nfeature enabled by default. This feature ensures that only if a\nuser or a system account has the appropriate permission, it's able\nto operate on specific system objects. By reviewing the existing\nRole and ClusterRole objects, one is able to see the resources\nthat are accessible for a certain role, as well as the \"verbs\" or\noperations that the role can execute on that resource.", "title": "An access control model is defined and includes granting access", "description": "An access control model is defined and includes granting access as follows:\n- Appropriate access depending on the entity's business and access needs.\n- Access to system components and data resources that is based on users' job\nclassification and functions.\n- The least privileges required (for example, user, administrator) to perform a job\nfunction.", "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "7.2.2", "levels": ["base"], "notes": "Only the payment entity can assess whether the access privileges granted to users are\nappropriate.", "title": "Access is assigned to users, including privileged users, based on job classification and function, and least privileges necessary to perform job responsibilities.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "7.2.3", "levels": ["base"], "notes": "Only the payment entity can assess whether the access privileges granted to users are\nappropriate and documented.", "title": "Required privileges are approved by authorized personnel.", "description": "Access privileges cannot be granted to users without appropriate, documented\nauthorization.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "7.2.4", "levels": ["base"], "notes": "Only the payment entity can assess whether the access privileges granted to users are\nappropriate and documented.", "title": "All user accounts and related access privileges, including third-party/vendor accounts, are reviewed", "description": "All user accounts and related access privileges, including third-party/vendor accounts,\nare reviewed as follows:\n- At least once every six months.\n- To ensure user accounts and access remain appropriate based on job function.\n- Any inappropriate access is addressed.\n- Management acknowledges that access remains appropriate.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "7.2.5.1", "levels": ["base"], "notes": "The check for assignment of least privileges and requirement of use requires human\nand manual analysis.", "title": "All access by application and system accounts and related access privileges are reviewed.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "7.2.5", "levels": ["base"], "notes": "General access are restricted by 2.2.6 and 8.2 section.", "title": "All application and system accounts and related access privileges are assigned and managed.", "description": "All application and system accounts and related access privileges are assigned and managed\nas follows:\n- Based on the least privileges necessary for the operability of the system or application.\n- Access is limited to the systems, applications, or processes that specifically require\ntheir use.", "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["7.2.5.1"]}, {"id": "7.2.6", "levels": ["base"], "notes": "The payment entity is responsible implementing and managing access to card holder data.", "title": "All user access to query repositories of stored cardholder data is restricted", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "7.2", "levels": ["base"], "notes": "", "title": "Access to system components and data is appropriately defined and assigned.", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["7.2.1", "7.2.2", "7.2.3", "7.2.4", "7.2.5.1", "7.2.5", "7.2.6"]}, {"id": "7.3.1", "levels": ["base"], "notes": "The OpenShift Container Platform has RBAC enabled by default. With this\nfeature, any requests to the API is denied unless an explicit\nRole or ClusterRule is bound to the entity making the request.\n\nAll objects in Kubernetes/OpenShift are bound to RBAC permissions.", "title": "An access control system(s) is in place that restricts access based on a user's need to know and covers all system components.", "description": "Access rights and privileges are managed via mechanisms intended for that purpose.", "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "7.3.2", "levels": ["base"], "notes": "The OpenShift Container Platform has RBAC enabled by default,\nand it is enforced at all times.\nThere is no permissive mode for Openshift RBAC.", "title": "The access control system(s) is configured to enforce permissions assigned to individuals, applications, and systems based on job classification and function.", "description": "Individual account access rights and privileges to systems, applications, and data are\nonly inherited from group membership.", "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "7.3.3", "levels": ["base"], "notes": "The OpenShift Container Platform has RBAC enabled by default. With this\nfeature, any requests to the API is denied unless an explicit\nRole or ClusterRule is bound to the entity making the request.", "title": "The access control system(s) is set to \"deny all\" by default.", "description": "Access rights and privileges are prohibited unless expressly permitted.", "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "7.3", "levels": ["base"], "notes": "", "title": "Access to system components and data is managed via an access control system(s).", "description": null, "rationale": null, "automated": "no", "status": "planned", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["7.3.1", "7.3.2", "7.3.3"]}, {"id": "8.1.1", "levels": ["base"], "notes": "", "title": "All security policies and operational procedures that are identified in Requirement 8 are Documented, Kept up to date, In use and Known to all affected parties.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "8.1.2", "levels": ["base"], "notes": "", "title": "Roles and responsibilities for performing activities in Requirement 8 are documented, assigned, and understood.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "8.1", "levels": ["base"], "notes": "", "title": "Processes and mechanisms for identifying users and authenticating access to system components are defined and understood.", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["8.1.1", "8.1.2"]}, {"id": "8.2.1", "levels": ["base"], "notes": "Openshift should be configured to work with an external third-party identity provider.\nThrough the chosen identity provider, unique identifiers can be setup for each user.\nSee more at https://docs.openshift.com/container-platform/latest/authentication/understanding-identity-provider.html\n\nHowever, the payment entity's processes and responsible personal still need to be examined\nto check whether each user is uniquely associated with an individual.", "title": "All users are assigned a unique ID before access to system components or cardholder data is allowed.", "description": "All actions by all users are attributable to an individual. This requirement is not\nintended to apply to user accounts within point-of-sale terminals that have access to only\none card number at a time to facilitate a single transaction (such as IDs used by cashiers\non point-of-sale terminals).", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["no_direct_root_logins", "account_unique_id", "account_unique_name", "accounts_no_uid_except_zero", "accounts_root_gid_zero", "group_unique_id", "group_unique_name", "audit_rules_immutable_login_uids"], "rules": [], "controls": []}, {"id": "8.2.2", "levels": ["base"], "notes": "Access tokens that are issued by OpenShift upon authentication should only be used by the\nperson for whom it was issued.", "title": "Group, shared, or generic accounts, or other shared authentication credentials are only used when necessary on an exception basis, and are managed.", "description": "- Account use is prevented unless needed for an exceptional circumstance.\n- Use is limited to the time needed for the exceptional circumstance.\n- Business justification for use is documented.\n- Use is explicitly approved by management.\n- Individual user identity is confirmed before access to an account is granted.\n- Every action taken is attributable to an individual user.", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["no_direct_root_logins"], "rules": [], "controls": []}, {"id": "8.2.3", "levels": ["base"], "notes": "The payment entity itself is also required to not use group, shared, or generic IDs,\npasswords, or other authentication methods. Access tokens that are issued by\nOpenShift upon authentication should only be used by the person\nfor whom it was issued.", "title": "Additional requirement for service providers only: Service providers with remote access to customer premises use unique authentication factors for each customer premises.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "8.2.4", "levels": ["base"], "notes": "Only the payment entity can assess whether the access privileges granted to users are\nappropriate and documented, and properly reflected in the configured identity provider.", "title": "Addition, deletion, and modification of user IDs, authentication factors, and other identifier objects are managed", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "8.2.5", "levels": ["base"], "notes": "Revocation of access for terminated users are performed by the third-party\nidentity provider. Additionally, OpenShift nor the identity provider cannot by itself\ndetermine the users associated with an individual.", "title": "Access for terminated users is immediately revoked.", "description": "The accounts of terminated users cannot be used.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "8.2.6", "levels": ["base"], "notes": "Removal or disabling of inactive user accounts within 90 days are handled with the\nidentity provider.\nAll user IDs, including those handled by third parties to access, support, or maintain\nsystem components via remote access, are handled externally to OpenShift.", "title": "Inactive user accounts are removed or disabled within 90 days of inactivity.", "description": "Inactive user accounts cannot be used.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "8.2.7", "levels": ["base"], "notes": "Similar to how accounts for employees are managed, accounts for third parties are also\nmanaged by the configured identity provider, and under responsibility of the payment\nentity.", "title": "Accounts used by third parties to access, support, or maintain system components via remote access are managed.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "8.2.8", "levels": ["base"], "notes": "Session timeouts can be enabled with OpenShift to limit the amount of\ntime that a session can be active. However, the payment entity also needs to control the\nuser's and administrator's idle session timeouts on their payment applications as well.", "title": "If a user session has been idle for more than 15 minutes, the user is required to re-authenticate to re-activate the terminal or session.", "description": "A user session cannot be used except by the authorized user. This requirement is not\nintended to apply to user accounts on point-of-sale terminals that have access to only one\ncard number at a time to facilitate a single transaction (such as IDs used by cashiers on\npoint-of-sale terminals). This requirement is not meant to prevent legitimate activities\nfrom being performed while the console/PC is unattended.", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["var_oauth_inactivity_timeout=15m0s"], "controls": []}, {"id": "8.2", "levels": ["base"], "notes": "For this control to be satisfiable an identity provider must be used and the kubeadmin user\nneeds to be removed.", "title": "User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["var_oauth_inactivity_timeout=15m0s"], "controls": ["8.2.1", "8.2.2", "8.2.3", "8.2.4", "8.2.5", "8.2.6", "8.2.7", "8.2.8"]}, {"id": "8.3.1", "levels": ["base"], "notes": "The type of authenticators to be used (for example, password or passphrase,\ntoken device or smart card, or biometrics) are managed externally\nto OpenShift by the identity provider", "title": "All user access to system components for users and administrators is authenticated.", "description": "All user access to system components for users and administrators is authenticated via at\nleast one of the following authentication factors:\n- Something you know, such as a password or passphrase.\n- Something you have, such as a token device or smart card.\n- Something you are, such as a biometric element.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "8.3.2", "levels": ["base"], "notes": "The protection of the authentication credentials such as rendering the passwords and\npassphrases unreadable during transmission and the storage of credentials on system\ncomponents is the responsibility of the third-party identity provider.\n\nIf LDAP is used as the identity provider, we do not allow it to run with the\n'insecure' flag on.", "title": "Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components.", "description": "Cleartext authentication factors cannot be obtained, derived, or reused from the\ninterception of communications or from stored data.", "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "8.3.3", "levels": ["base"], "notes": "Modification of authentication credentials is handled by the third-party identity provider.\nAll access to modify parameters for authentication tokens or for generating keys  within\nOpenShift is managed with RBAC and requires prior authentication before the user is\nauthorized to act.", "title": "User identity is verified before modifying any authentication factor.", "description": "Unauthorized individuals cannot gain system access by impersonating the identity of an\nauthorized user.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "8.3.4", "levels": ["base"], "notes": "Account lockout for failed attempts are managed by the identity provider as all\nauthentication attempts that occur prior to granting access from OpenShift.\nEstablishing a threshold for limiting repeated failed attempts are configured with\nthe chosen identity provider.\n\nIn this control we do not allow usage of htpasswd as the identity provider, as it\ndoesn't provide user lockout feature.", "title": "Invalid authentication attempts are limited.", "description": "- Locking out the user ID after not more than 10 attempts.\n- Setting the lockout duration to a minimum of 30 minutes or until the user's identity is\nconfirmed.", "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "8.3.5", "levels": ["base"], "notes": "Parameters for authenticators such as password length, maximum password\nage, minimum password age, password history, and requirements to change\nthe password on first use are handled by the third-party identity provider.", "title": "If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they are set and reset for each user.", "description": "- Set to a unique value for first-time use and upon reset.\n- Forced to be changed immediately after the first use.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "8.3.6", "levels": ["base"], "notes": "Parameters for authenticators such as password length, maximum password\nage, minimum password age, password history, and requirements to change\nthe password on first use are handled by the third-party identity provider.", "title": "If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the minimum level of complexity.", "description": "- A minimum length of 12 characters (or IF the system does not support 12 characters, a\nminimum length of eight characters).\n- Contain both numeric and alphabetic characters.\nA guessed password/passphrase cannot be verified by either an online or offline brute\nforce attack.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "8.3.7", "levels": ["base"], "notes": "Parameters for authenticators such as password length, maximum password\nage, minimum password age, password history, and requirements to change\nthe password on first use are handled by the third-party identity provider.", "title": "Individuals are not allowed to submit a new password/passphrase that is the same as any of the last four passwords/passphrases used.", "description": "A previously used password cannot be used to gain access to an account for at least 12\nmonths.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "8.3.8", "levels": ["base"], "notes": "", "title": "Authentication policies and procedures are documented and communicated to all users.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "8.3.9", "levels": ["base"], "notes": "Parameters for authenticators such as password length, maximum password\nage, minimum password age, password history, and requirements to change\nthe password on first use are handled by the third-party identity provider.", "title": "If passwords/passphrases are used as the only authentication factor for user access (i.e., in any single-factor authentication implementation) they should have a limited lifetime.", "description": "If passwords/passphrases are used as the only authentication factor for user access (i.e.,\nin any single-factor authentication implementation) then either:\n- Passwords/passphrases are changed at least once every 90 days,\nOR\n- The security posture of accounts is dynamically analyzed, and real-time access to\nresources is automatically determined accordingly.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "8.3.10.1", "levels": ["base"], "notes": "Parameters for authenticators such as password length, maximum password\nage, minimum password age, password history, and requirements to change\nthe password on first use are handled by the third-party identity provider.", "title": "Additional requirement for service providers only: If passwords/passphrases are used as the only authentication factor for customer user access (i.e., in any single-factor authentication implementation) they should have a limited lifetime.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "8.3.10", "levels": ["base"], "notes": "", "title": "Additional requirement for service providers only: If passwords/passphrases are used as the only authentication factor for customer user access to cardholder data (i.e., in any single-factor authentication implementation) then guidance is provided to customer users.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["8.3.10.1"]}, {"id": "8.3.11", "levels": ["base"], "notes": "The type of authenticators to be used (for example, password or passphrase,\ntoken device or smart card, or biometrics) are managed externally\nto OpenShift by the identity provider", "title": "Where authentication factors such as physical or logical security tokens, smart cards, or certificates are used, factors are not shared among multiple users and the usage is controlled.'", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "8.3", "levels": ["base"], "notes": "For this control to be satisfiable an identity provider must be used and the kubeadmin user\nneeds to be removed.", "title": "Strong authentication for users and administrators is established and managed.", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["8.3.1", "8.3.2", "8.3.3", "8.3.4", "8.3.5", "8.3.6", "8.3.7", "8.3.8", "8.3.9", "8.3.10.1", "8.3.10", "8.3.11"]}, {"id": "8.4.1", "levels": ["base"], "notes": "", "title": "MFA is implemented for all non-console access into the CDE for personnel with administrative access.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "8.4.2", "levels": ["base"], "notes": "", "title": "MFA is implemented for all access into the CDE.", "description": "Access into the CDE cannot be obtained by the use of a single authentication factor.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "8.4.3", "levels": ["base"], "notes": "", "title": "MFA is implemented for all remote network access originating from outside the entity's network that could access or impact the CDE.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "8.4", "levels": ["base"], "notes": "Multi-factor authenticators are managed externally to OpenShift by the identity provider", "title": "Multi-factor authentication (MFA) is implemented to secure access into the CDE.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["8.4.1", "8.4.2", "8.4.3"]}, {"id": "8.5.1", "levels": ["base"], "notes": "", "title": "MFA systems are properly implemented.", "description": "- The MFA system is not susceptible to replay attacks.\n- MFA systems cannot be bypassed by any users, including administrative users unless\nspecifically documented, and authorized by management on an exception basis, for a limited\ntime period.\n- At least two different types of authentication factors are used.\n- Success of all authentication factors is required before access is granted.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "8.5", "levels": ["base"], "notes": "Multi-factor authenticators are managed externally to OpenShift by the identity provider", "title": "Multi-factor authentication (MFA) systems are configured to prevent misuse.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["8.5.1"]}, {"id": "8.6.1", "levels": ["base"], "notes": "All user IDs, including those handled by third parties to access, support, or maintain\nsystem components via remote access, are handled externally to OpenShift.", "title": "If accounts used by systems or applications can be used for interactive login, they are managed.", "description": "- Interactive use is prevented unless needed for an exceptional circumstance.\n- Interactive use is limited to the time needed for the exceptional circumstance.\n- Business justification for interactive use is documented.\n- Interactive use is explicitly approved by management.\n- Individual user identity is confirmed before access to account is granted.\n- Every action taken is attributable to an individual user.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["securetty_root_login_console_only"], "rules": [], "controls": []}, {"id": "8.6.2", "levels": ["base"], "notes": "OpenShift can be integrated with a Vault to manage secrets.", "title": "Passwords/passphrases for any application and system accounts that can be used for interactive login are not hard coded in scripts, configuration/property files, or bespoke and custom source code.", "description": "Passwords/passphrases used by application and system accounts cannot be used by\nunauthorized personnel.", "rationale": null, "automated": "no", "status": "supported", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "8.6.3", "levels": ["base"], "notes": "Parameters for authenticators such as password length, maximum password\nage, minimum password age, password history, and requirements to change\nthe password on first use are handled by the third-party identity provider.", "title": "Passwords/passphrases for any application and system accounts are protected against misuse.", "description": "- Passwords/passphrases are changed periodically (at the frequency defined in the entity's\ntargeted risk analysis, which is performed according to all elements specified in\nRequirement 12.3.1) and upon suspicion or confirmation of compromise.\n- Passwords/passphrases are constructed with sufficient complexity appropriate for how\nfrequently the entity changes the passwords/passphrases.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "8.6", "levels": ["base"], "notes": "", "title": "Use of application and system accounts and associated authentication factors is strictly managed.", "description": null, "rationale": null, "automated": "no", "status": "supported", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["8.6.1", "8.6.2", "8.6.3"]}, {"id": "9.1.1", "levels": ["base"], "notes": "", "title": "All security policies and operational procedures that are identified in Requirement 9 are Documented, Kept up to date, In use and Known to all affected parties.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "9.1.2", "levels": ["base"], "notes": "", "title": "Roles and responsibilities for performing activities in Requirement 9 are documented, assigned, and understood.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "9.1", "levels": ["base"], "notes": "", "title": "Processes and mechanisms for restricting physical access to cardholder data are defined and understood.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["9.1.1", "9.1.2"]}, {"id": "9.2.1.1", "levels": ["base"], "notes": "", "title": "Individual physical access to sensitive areas within the CDE is monitored with either video cameras or physical access control mechanisms (or both).", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "9.2.1", "levels": ["base"], "notes": "", "title": "Appropriate facility entry controls are in place to restrict physical access to systems in the CDE.", "description": "System components in the CDE cannot be physically accessed by unauthorized personnel.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["9.2.1.1"]}, {"id": "9.2.2", "levels": ["base"], "notes": "", "title": "Physical and/or logical controls are implemented to restrict use of publicly accessible network jacks within the facility.", "description": "Unauthorized devices cannot connect to the entity's network from public areas within the\nfacility.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "9.2.3", "levels": ["base"], "notes": "", "title": "Physical access to wireless access points, gateways, networking/communications hardware, and telecommunication lines within the facility is restricted", "description": "Physical networking equipment cannot be accessed by unauthorized personnel.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "9.2.4", "levels": ["base"], "notes": "", "title": "Access to consoles in sensitive areas is restricted via locking when not in use.", "description": "Physical consoles within sensitive areas cannot be used by unauthorized personnel.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "9.2", "levels": ["base"], "notes": "", "title": "Physical access controls manage entry into facilities and systems containing cardholder data.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["9.2.1.1", "9.2.1", "9.2.2", "9.2.3", "9.2.4"]}, {"id": "9.3.1.1", "levels": ["base"], "notes": "", "title": "Physical access to sensitive areas within the CDE for personnel is controlled", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "9.3.1", "levels": ["base"], "notes": "", "title": "Procedures are implemented for authorizing and managing physical access of personnel to the CDE.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["9.3.1.1"]}, {"id": "9.3.2", "levels": ["base"], "notes": "", "title": "Procedures are implemented for authorizing and managing visitor access to the CDE.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "9.3.3", "levels": ["base"], "notes": "", "title": "Visitor badges or identification are surrendered or deactivated before visitors leave the facility or at the date of expiration.", "description": "Visitor identification or badges cannot be reused after expiration.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "9.3.4", "levels": ["base"], "notes": "", "title": "A visitor log is used to maintain a physical record of visitor activity within the facility and within sensitive areas.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "9.3", "levels": ["base"], "notes": "", "title": "Physical access for personnel and visitors is authorized and managed.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["9.3.1.1", "9.3.1", "9.3.2", "9.3.3", "9.3.4"]}, {"id": "9.4.1.1", "levels": ["base"], "notes": "", "title": "Offline media backups with cardholder data are stored in a secure location.", "description": "Offline backups cannot be accessed by unauthorized personnel.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "9.4.1.2", "levels": ["base"], "notes": "", "title": "The security of the offline media backup location(s) with cardholder data is reviewed at least once every 12 months.", "description": "The security controls protecting offline backups are verified periodically by\ninspection.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "9.4.1", "levels": ["base"], "notes": "Openshift uses the Kubernetes persistent volume (PV) framework, which allows separation\nbetween storage provisioners and consumers.\nThe payment entity needs to ensure that they are using persistent storages for which\nthey have control over its location and physical access.", "title": "All media with cardholder data is physically secured.", "description": "Media with cardholder data cannot be accessed by unauthorized personnel.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["9.4.1.1", "9.4.1.2"]}, {"id": "9.4.2", "levels": ["base"], "notes": "", "title": "All media with cardholder data is classified in accordance with the sensitivity of the data.", "description": "Media are classified and protected appropriately.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "9.4.3", "levels": ["base"], "notes": "", "title": "Media with cardholder data sent outside the facility is secured.", "description": "Media is secured and tracked when transported outside the facility.\n- Media sent outside the facility is logged.\n- Media is sent by secured courier or other delivery method that can be accurately\ntracked.\n- Offsite tracking logs include details about media location.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "9.4.4", "levels": ["base"], "notes": "", "title": "Management approves all media with cardholder data that is moved outside the facility (including when media is distributed to individuals).", "description": "Media cannot leave a facility without the approval of accountable personnel. Individuals\napproving media movements should have the appropriate level of management authority to\ngrant this approval. However, it is not specifically required that such individuals have\n\"manager\" as part of their title.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "9.4.5.1", "levels": ["base"], "notes": "", "title": "Inventories of electronic media with cardholder data are conducted at least once every 12 months.", "description": "Media inventories are verified periodically.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "9.4.5", "levels": ["base"], "notes": "", "title": "Inventory logs of all electronic media with cardholder data are maintained.", "description": "Accurate inventories of stored electronic media are maintained.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["9.4.5.1"]}, {"id": "9.4.6", "levels": ["base"], "notes": "", "title": "Hard-copy materials with cardholder data are destroyed when no longer needed for business or legal reasons.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "9.4.7", "levels": ["base"], "notes": "", "title": "Electronic media with cardholder data is destroyed when no longer needed for business or legal reasons.", "description": "- The electronic media is destroyed.\n- The cardholder data is rendered unrecoverable so that it cannot be reconstructed.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "9.4", "levels": ["base"], "notes": "", "title": "Media with cardholder data is securely stored, accessed, distributed, and destroyed.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["9.4.1.1", "9.4.1.2", "9.4.1", "9.4.2", "9.4.3", "9.4.4", "9.4.5.1", "9.4.5", "9.4.6", "9.4.7"]}, {"id": "9.5.1.1", "levels": ["base"], "notes": "", "title": "An up-to-date list of POI devices is maintained.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "9.5.1.2.1", "levels": ["base"], "notes": "", "title": "The frequency of periodic POI device inspections and the type of inspections performed is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.", "description": "POI devices are inspected at a frequency that addresses the entity's risk.\nThis requirement is a best practice until 31 March 2025, after which it will be\nrequired and must be fully considered during a PCI DSS assessment.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "9.5.1.2", "levels": ["base"], "notes": "", "title": "POI device surfaces are periodically inspected to detect tampering and unauthorized substitution.", "description": "Point of Interaction Devices cannot be tampered with, substituted without authorization,\nor have skimming attachments installed without timely detection.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["9.5.1.2.1"]}, {"id": "9.5.1.3", "levels": ["base"], "notes": "", "title": "Training is provided for personnel in POI environments to be aware of attempted tampering or replacement of POI devices.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "9.5.1", "levels": ["base"], "notes": "", "title": "POI devices that capture payment card data via direct physical interaction with the payment card form factor are protected from tampering and unauthorized substitution.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["9.5.1.1", "9.5.1.2.1", "9.5.1.2", "9.5.1.3"]}, {"id": "9.5", "levels": ["base"], "notes": "", "title": "Point-of-interaction (POI) devices are protected from tampering and unauthorized substitution.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["9.5.1.1", "9.5.1.2.1", "9.5.1.2", "9.5.1.3", "9.5.1"]}, {"id": "10.1.1", "levels": ["base"], "notes": "", "title": "All security policies and operational procedures that are identified in Requirement 10 are Documented, Kept up to date, In use and Known to all affected parties.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "10.1.2", "levels": ["base"], "notes": "", "title": "Roles and responsibilities for performing activities in Requirement 10 are documented, assigned, and understood.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "10.1", "levels": ["base"], "notes": "", "title": "Processes and mechanisms for logging and monitoring all access to system components and cardholder data are defined and documented.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["10.1.1", "10.1.2"]}, {"id": "10.2.1.1", "levels": ["base"], "notes": "All user and/or service account accesses to OpenShift components are logged. However, the payment entity still is responsible for logging events for access to applications within workloads hosted in containers in OpenShift.", "title": "Audit logs capture all individual user access to cardholder data.", "description": "Records of all individual user access to cardholder data are captured.", "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "10.2.1.2", "levels": ["base"], "notes": "All actions taken by individual with root or administrative privileges to OpenShift and Red Hat CoreOS are logged. However, the payment entity still is responsible for logging events for access to applications within workloads hosted in containers in OpenShift.", "title": "Audit logs capture all actions taken by any individual with administrative access, including any interactive use of application or system accounts.", "description": "Records of all actions performed by individuals with elevated privileges are captured.", "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "10.2.1.3", "levels": ["base"], "notes": "Access to audit trails relative to OpenShift are made available at the OS level with administrator accounts. Red Hat CoreOS can be configured to log access to the journal or log file. For better protection of audit trails, including improved access controls, it is recommended to direct logs to an external log server or Security Information Event Management (SIEM) solution.", "title": "Audit logs capture all access to audit logs.", "description": "Records of all access to audit logs are captured.", "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "10.2.1.4", "levels": ["base"], "notes": "Unauthorized attempts to access system components or run unauthorized commands against\nOpenShift are logged.", "title": "Audit logs capture all invalid logical access attempts.", "description": "Records of all invalid access attempts are captured.", "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "10.2.1.5", "levels": ["base"], "notes": "", "title": "Audit logs capture all changes to identification and authentication credentials.", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "10.2.1.6", "levels": ["base"], "notes": "Stopping the mechanisms for log creation in OpenShift requires stopping the OpenShift\nControl Plane itself, which would have the effect of preventing any further access for\nany users to the API, CLI, or Web UI.\nAuditing within OpenShift cannot be reconfigured or stopped without reconfiguring\nOpenShift.\nAny attempt to reconfigure OpenShift will be logged.", "title": "Audit logs capture the initialization of new audit logs, and starting, stopping, or pausing of the existing audit logs.", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "10.2.1.7", "levels": ["base"], "notes": "Creation and deletion of system levels objects is logged by OpenShift and by Red Hat CoreOS.", "title": "Audit logs capture all creation and deletion of system-level objects.", "description": "Records of alterations that indicate a system has been modified from its intended\nfunctionality are captured.", "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "10.2.1", "levels": ["base"], "notes": "", "title": "Audit logs are enabled and active for all system components and cardholder data.", "description": "Records of all activities affecting system components and cardholder data are captured.", "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7"]}, {"id": "10.2.2", "levels": ["base"], "notes": "The logs generated by OpenShift and Red Hat CoreOS include all the data required.", "title": "Audit logs record sufficient details for each auditable event.", "description": "- User identification.\n- Type of event.\n- Date and time.\n- Success and failure indication.\n- Origination of event.\n- Identity or name of affected data, system component, resource, or service (for example,\n  name and protocol).", "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["var_openshift_audit_profile=WriteRequestBodies"], "controls": []}, {"id": "10.2", "levels": ["base"], "notes": "", "title": "Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.", "description": null, "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": ["var_openshift_audit_profile=WriteRequestBodies"], "controls": ["10.2.1.1", "10.2.1.2", "10.2.1.3", "10.2.1.4", "10.2.1.5", "10.2.1.6", "10.2.1.7", "10.2.1", "10.2.2"]}, {"id": "10.3.1", "levels": ["base"], "notes": "Access to audit logs is limited to the cluster-admin role. Ensure that only those\nuser with a job-related need have the cluster-admin role.", "title": "Read access to audit logs files is limited to those with a job-related need.", "description": "Stored activity records cannot be accessed by unauthorized personnel.", "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "10.3.2", "levels": ["base"], "notes": "Limited access to the audit trails on OpenShift hosts provides minimal protection from unauthorized modification. Use of an external log collector or SIEM solution may provide improved protections against unauthorized modifications by adding additional features such as file integrity monitoring, digital signing, or Write Once, Read Many (WORM) storage.", "title": "Audit log files are protected to prevent modifications by individuals.", "description": "Stored activity records cannot be modified by personnel.", "rationale": null, "automated": "no", "status": "planned", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "10.3.3", "levels": ["base"], "notes": "Although the technologies in general allow to send logs to a centralized server, some\nparameters for this configuration are specific to each site policy and therefore the\nrequirement demands manual assessment.", "title": "Audit log files, including those for external-facing technologies, are promptly backed up to a secure, central, internal log server(s) or other media that is difficult to modify.", "description": "Stored activity records are secured and preserved in a central location to prevent\nunauthorized modification.", "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "10.3.4", "levels": ["base"], "notes": "", "title": "File integrity monitoring or change-detection mechanisms is used on audit logs to ensure that existing log data cannot be changed without generating alerts.", "description": "Stored activity records cannot be modified without an alert being generated.", "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "10.3", "levels": ["base"], "notes": "", "title": "Audit logs are protected from destruction and unauthorized modifications.", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["10.3.1", "10.3.2", "10.3.3", "10.3.4"]}, {"id": "10.4.1.1", "levels": ["base"], "notes": "", "title": "Automated mechanisms are used to perform audit log reviews.", "description": "Potentially suspicious or anomalous activities are identified via a repeatable and\nconsistent mechanism. This requirement is a best practice until 31 March 2025, after\nwhich it will be required and must be fully considered during a PCI DSS assessment.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "10.4.1", "levels": ["base"], "notes": "", "title": "The audit logs are reviewed at least once daily.", "description": "- All security events.\n- Logs of all system components that store, process, or transmit CHD and/or SAD.\n- Logs of all critical system components.\n- Logs of all servers and system components that perform security functions (for example,\n  network security controls, intrusion-detection systems/intrusion-prevention systems\n  (IDS/IPS), authentication servers).", "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["10.4.1.1"]}, {"id": "10.4.2.1", "levels": ["base"], "notes": "", "title": "The frequency of periodic log reviews for all other system components (not defined in Requirement 10.4.1) is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1", "description": "Log reviews for lower-risk system components are performed at a frequency that addresses\nthe entity's risk. This requirement is a best practice until 31 March 2025, after which\nit will be required and must be fully considered during a PCI DSS assessment.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "10.4.2", "levels": ["base"], "notes": "", "title": "Logs of all other system components (those not specified in Requirement 10.4.1) are reviewed periodically.", "description": "Potentially suspicious or anomalous activities for other system components (not included\nin 10.4.1) are reviewed in accordance with the entity's identified risk. This requirement\nis applicable to all other in-scope system components not included in Requirement 10.4.1.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["10.4.2.1"]}, {"id": "10.4.3", "levels": ["base"], "notes": "", "title": "Exceptions and anomalies identified during the review process are addressed.", "description": "Suspicious or anomalous activities are addressed.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "10.4", "levels": ["base"], "notes": "", "title": "Audit logs are reviewed to identify anomalies or suspicious activity.", "description": null, "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["10.4.1.1", "10.4.1", "10.4.2.1", "10.4.2", "10.4.3"]}, {"id": "10.5.1", "levels": ["base"], "notes": "Log retention in OpenShift is not time based, the default configuration rotates 10 log\nfiles of 100 MB each, allowing up to 1GB of retention.\n\nTo implement time based audit log retention configure log forwarding to a third party\nstorage, for example Elasticsearch or LokiStack.", "title": "Retain audit log history for at least 12 months, with at least the most recent three months immediately available for analysis.", "description": "Historical records of activity are available immediately to support incident response and\nare retained for at least 12 months.", "rationale": null, "automated": "no", "status": "supported", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "10.5", "levels": ["base"], "notes": "", "title": "Audit log history is retained and available for analysis.", "description": null, "rationale": null, "automated": "no", "status": "supported", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["10.5.1"]}, {"id": "10.6.1", "levels": ["base"], "notes": "By default OpenShift uses a public Network Time Protocol (NTP) server.\nHowever, additional configuration is needed to use a local enterprise NTP server,\nor in disconnected environments.", "title": "System clocks and time are synchronized using time-synchronization technology.", "description": "Common time is established across all systems. Keeping time-synchronization technology\ncurrent includes managing vulnerabilities and patching the technology according to PCI DSS\nRequirements 6.3.1 and 6.3.3.", "rationale": null, "automated": "no", "status": "inherently met", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "10.6.2", "levels": ["base"], "notes": "OpenShift is configured to use a public ntppool.org which is good and reliable, but\nultimately is not enterprise grade.\nThe notion of central time server implies that an exclusive NTP server is deployed to\nserve the cluster.\n\nNTP configuration is done at the node level, except when using Precision Time Protocol\n(PTP), for which PTP Operator can be used. PTP can only be used on bare metal deployments.\nhttps://docs.openshift.com/container-platform/latest/networking/ptp/about-ptp.html", "title": "Systems are configured to the correct and consistent time.", "description": "- One or more designated time servers are in use.\n- Only the designated central time server(s) receives time from external sources.\n- Time received from external sources is based on International Atomic Time or Coordinated\n  Universal Time (UTC).\n- The designated time server(s) accept time updates only from specific industry-accepted\n  external sources.\n- Where there is more than one designated time server, the time servers peer with one\n  another to keep accurate time.\n- Internal systems receive time information only from designated central time server(s).", "rationale": null, "automated": "no", "status": "planned", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["service_chronyd_enabled", "var_multiple_time_servers=generic", "chronyd_specify_remote_server"], "rules": [], "controls": []}, {"id": "10.6.3", "levels": ["base"], "notes": "As NTP is configured directly on the node the audit should also be configured there.", "title": "Time synchronization settings and data are protected.", "description": "- Access to time data is restricted to only personnel with a business need.\n- Any changes to time settings on critical systems are logged, monitored, and reviewed.", "rationale": null, "automated": "no", "status": "planned", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": ["audit_rules_time_watch_localtime", "audit_rules_time_settimeofday", "audit_rules_time_clock_settime", "audit_rules_time_stime", "audit_rules_time_adjtimex", "chronyd_run_as_chrony_user"], "rules": [], "controls": []}, {"id": "10.6", "levels": ["base"], "notes": "", "title": "Time-synchronization mechanisms support consistent time settings across all systems.", "description": null, "rationale": null, "automated": "no", "status": "planned", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["10.6.1", "10.6.2", "10.6.3"]}, {"id": "10.7.1", "levels": ["base"], "notes": "", "title": "Additional requirement for service providers only: Failures of critical security control systems are detected, alerted, and addressed promptly.", "description": "It includes but is not limited to failure of the following critical security control\nsystems:\n- Network security controls.\n- IDS/IPS.\n- FIM.\n- Anti-malware solutions.\n- Physical access controls.\n- Logical access controls.\n- Audit logging mechanisms.\n- Segmentation controls (if used).", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "10.7.2", "levels": ["base"], "notes": "", "title": "Failures of critical security control systems are detected, alerted, and addressed promptly.", "description": "It includes but is not limited to failure of the following critical security control\nsystems:\n- Network security controls.\n- IDS/IPS.\n- Change-detection mechanisms.\n- Anti-malware solutions.\n- Physical access controls.\n- Logical access controls.\n- Audit logging mechanisms.\n- Segmentation controls (if used).\n- Audit log review mechanisms.\n- Automated security testing tools (if used).", "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "10.7.3", "levels": ["base"], "notes": "", "title": "Failures of any critical security controls systems are responded to restore security functions, ensure documentation, address security issues and prevent other failures.", "description": "It includes but is not limited to:\n- Restoring security functions.\n- Identifying and documenting the duration (date and time from start to end) of the\n  security failure.\n- Identifying and documenting the cause(s) of failure and documenting required\n  remediation.\n- Identifying and addressing any security issues that arose during the failure.\n- Determining whether further actions are required as a result of the security failure.\n- Implementing controls to prevent the cause of failure from reoccurring.\n- Resuming monitoring of security controls.", "rationale": null, "automated": "no", "status": "manual", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "10.7", "levels": ["base"], "notes": "", "title": "Failures of critical security control systems are detected, reported, and responded to promptly.", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["10.7.1", "10.7.2", "10.7.3"]}, {"id": "11.1.1", "levels": ["base"], "notes": "Examine documentation and interview personnel to verify that security policies and\noperational procedures identified in Requirement 11 are managed in accordance with all\nelements specified in this requirement.", "title": "All security policies and operational procedures that are identified in Requirement 11 are Documented, Kept up to date, In use and Known to all affected parties.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "11.1.2", "levels": ["base"], "notes": "Examine documentation and interview personnel to verify that day-to-day responsibilities\nfor performing all the activities in Requirement 11 are documented, assigned and\nunderstood by the assigned personnel.", "title": "Roles and responsibilities for performing activities in Requirement 11 are documented, assigned, and understood.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "11.1", "levels": ["base"], "notes": "", "title": "Processes and mechanisms for regularly testing security of systems and networks are defined and understood.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["11.1.1", "11.1.2"]}, {"id": "11.2.1", "levels": ["base"], "notes": "", "title": "Authorized and unauthorized wireless access points are managed.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "11.2.2", "levels": ["base"], "notes": "", "title": "An inventory of authorized wireless access points is maintained, including a documented business justification.", "description": "Unauthorized wireless access points are not mistaken for authorized wireless access\npoints.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "11.2", "levels": ["base"], "notes": "OpenShift doesn't manage wireless environments nor their security configurations.", "title": "Wireless access points are identified and monitored, and unauthorized wireless access points are addressed.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["11.2.1", "11.2.2"]}, {"id": "11.3.1.1", "levels": ["base"], "notes": "", "title": "All other applicable vulnerabilities (those not ranked as high-risk or critical per the entity's vulnerability risk rankings defined at Requirement 6.3.1) are managed", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "11.3.1.2", "levels": ["base"], "notes": "", "title": "Internal vulnerability scans are performed via authenticated scanning.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "11.3.1.3", "levels": ["base"], "notes": "", "title": "Internal vulnerability scans are performed after any significant change.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "11.3.1", "levels": ["base"], "notes": "", "title": "Internal vulnerability scans are performed.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["11.3.1.1", "11.3.1.2", "11.3.1.3"]}, {"id": "11.3.2.1", "levels": ["base"], "notes": "", "title": "External vulnerability scans are performed after any significant change.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "11.3.2", "levels": ["base"], "notes": "The scans are to be performed by a PCI SCC Approved Scanning Vendor", "title": "External vulnerability scans are performed.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["11.3.2.1"]}, {"id": "11.3", "levels": ["base"], "notes": "This control is about the payment entity keeping keeping processes and personnel to conduct\nvulnerability scans.", "title": "External and internal vulnerabilities are regularly identified, prioritized, and addressed.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["11.3.1.1", "11.3.1.2", "11.3.1.3", "11.3.1", "11.3.2.1", "11.3.2"]}, {"id": "11.4.1", "levels": ["base"], "notes": "", "title": "A penetration testing methodology is defined, documented, and implemented by the entity.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "11.4.2", "levels": ["base"], "notes": "", "title": "Internal penetration testing is performed.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "11.4.3", "levels": ["base"], "notes": "", "title": "External penetration testing is performed.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "11.4.4", "levels": ["base"], "notes": "", "title": "Exploitable vulnerabilities and security weaknesses found during penetration testing are corrected", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "11.4.5", "levels": ["base"], "notes": "", "title": "If segmentation is used to isolate the CDE from other networks, penetration tests are performed on segmentation controls.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "11.4.6", "levels": ["base"], "notes": "", "title": "Additional requirement for service providers only: If segmentation is used to isolate the CDE from other networks, penetration tests are performed on segmentation controls.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "11.4.7", "levels": ["base"], "notes": "", "title": "Additional requirement for multi-tenant service providers only: Multi-tenant service providers support their customers for external penetration testing per Requirement 11.4.3 and 11.4.4.", "description": "Multi-tenant service providers support their customers' need for technical testing either\nby providing access or evidence that comparable technical testing has been undertaken.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "11.4", "levels": ["base"], "notes": "", "title": "External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["11.4.1", "11.4.2", "11.4.3", "11.4.4", "11.4.5", "11.4.6", "11.4.7"]}, {"id": "11.5.1.1", "levels": ["base"], "notes": "The policy is not explicit about any specific solution. The solution might vary\ndepending on site policies.", "title": "Additional requirement for service providers only: Intrusion-detection and/or intrusion-prevention techniques detect, alert on/prevent, and address covert malware communication channels.", "description": "Mechanisms are in place to detect and alert/prevent covert communications with\ncommand-and-control systems. Alerts generated by these mechanisms are responded to by\npersonnel, or by automated means that ensure that such communications are blocked. This\nrequirement applies only when the entity being assessed is a service provider. This\nrequirement is a best practice until 31 March 2025, after which it will be required and\nmust be fully considered during a PCI DSS assessment.", "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "11.5.1", "levels": ["base"], "notes": "", "title": "Intrusion-detection and/or intrusion-prevention techniques are used to detect and/or prevent intrusions into the network.", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["11.5.1.1"]}, {"id": "11.5", "levels": ["base"], "notes": "", "title": "Network intrusions and unexpected file changes are detected and responded to.", "description": null, "rationale": null, "automated": "yes", "status": "automated", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["11.5.1.1", "11.5.1"]}, {"id": "11.5.2", "levels": ["base"], "notes": "Once configured the File Integrity Operator (FIO) can detect unexpected changes in the node\nfilesystem.", "title": "A change-detection mechanism (for example, file integrity monitoring tools) is deployed.", "description": null, "rationale": null, "automated": "no", "status": "partial", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "11.6.1", "levels": ["base"], "notes": "", "title": "A change- and tamper-detection mechanism is deployed.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "11.6", "levels": ["base"], "notes": "OpenShift does not directly handle payment pages.", "title": "Unauthorized changes on payment pages are detected and responded to.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["11.6.1"]}, {"id": "12.1.1", "levels": ["base"], "notes": "", "title": "An overall information security policy is established, published, maintained and disseminated to all relevant personnel, as well as to relevant vendors and business partners.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "12.1.2", "levels": ["base"], "notes": "", "title": "The information security policy is updated and reviewed at least once every 12 months.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "12.1.3", "levels": ["base"], "notes": "", "title": "The security policy clearly defines information security roles and responsibilities for all personnel, and all personnel are aware of and acknowledge their information security responsibilities.", "description": "Personnel understand their role in protecting the entity's cardholder data.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "12.1.4", "levels": ["base"], "notes": "", "title": "Responsibility for information security is formally assigned to a Chief Information Security Officer or other information security knowledgeable member of executive management.", "description": "A designated member of executive management is responsible for information security.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "12.1", "levels": ["base"], "notes": "", "title": "A comprehensive information security policy that governs and provides direction for protection of the entity's information assets is known and current.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["12.1.1", "12.1.2", "12.1.3", "12.1.4"]}, {"id": "12.2.1", "levels": ["base"], "notes": "", "title": "Acceptable use policies for end-user technologies are documented and implemented.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "12.2", "levels": ["base"], "notes": "", "title": "Acceptable use policies for end-user technologies are defined and implemented.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["12.2.1"]}, {"id": "12.3.1", "levels": ["base"], "notes": "", "title": "Each PCI DSS requirement that provides flexibility for how frequently it is performed (for example, requirements to be performed periodically) is supported by a targeted risk analysis that is documented.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "12.3.2", "levels": ["base"], "notes": "", "title": "A targeted risk analysis is performed for each PCI DSS requirement that the entity meets with the customized approach", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "12.3.3", "levels": ["base"], "notes": "Related to requirement 2.2.7.", "title": "Cryptographic cipher suites and protocols in use are documented and reviewed at least once every 12 months.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "12.3.4", "levels": ["base"], "notes": "The technical requirement related to this is 6.3.3.", "title": "Hardware and software technologies in use are reviewed at least once every 12 months.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "12.3", "levels": ["base"], "notes": "", "title": "Risks to the cardholder data environment are formally identified, evaluated, and managed.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["12.3.1", "12.3.2", "12.3.3", "12.3.4"]}, {"id": "12.4.1", "levels": ["base"], "notes": "", "title": "Additional requirement for service providers only: Responsibility is established by executive management for the protection of cardholder data and a PCI DSS compliance program.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "12.4.2.1", "levels": ["base"], "notes": "", "title": "Additional requirement for service providers only: Reviews conducted in accordance with Requirement 12.4.2 are documented.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "12.4.2", "levels": ["base"], "notes": "", "title": "Additional requirement for service providers only: Reviews are performed at least once every three months to confirm that personnel are performing their tasks in accordance with all security policies and operational procedures.", "description": "Reviews are performed by personnel other than those responsible for performing the given\ntask.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["12.4.2.1"]}, {"id": "12.4", "levels": ["base"], "notes": "", "title": "PCI DSS compliance is managed.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["12.4.1", "12.4.2.1", "12.4.2"]}, {"id": "12.5.1", "levels": ["base"], "notes": "", "title": "An inventory of system components that are in scope for PCI DSS, including a description of function/use, is maintained and kept current.", "description": "All system components in scope for PCI DSS are identified and known.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "12.5.2.1", "levels": ["base"], "notes": "", "title": "Additional requirement for service providers only: PCI DSS scope is documented and confirmed by the entity at least once every six months and upon significant change to the in-scope environment. At a minimum, the scoping validation includes all the elements specified in Requirement 12.5.2.", "description": "The accuracy of PCI DSS scope is verified to be continuously accurate by comprehensive\nanalysis and appropriate technical measures. This requirement applies only when the\nentity being assessed is a service provider. This requirement is a best practice until\n31 March 2025, after which it will be required and must be fully considered during a\nPCI DSS assessment.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "12.5.2", "levels": ["base"], "notes": "", "title": "PCI DSS scope is documented and confirmed by the entity at least once every 12 months and upon significant change to the in-scope environment.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["12.5.2.1"]}, {"id": "12.5.3", "levels": ["base"], "notes": "", "title": "Additional requirement for service providers only: Significant changes to organizational structure result in a documented (internal) review of the impact to PCI DSS scope and applicability of controls, with results communicated to executive management.", "description": "PCI DSS scope is confirmed after significant organizational change. This requirement\napplies only when the entity being assessed is a service provider. This requirement is a\nbest practice until 31 March 2025, after which it will be required and must be fully\nconsidered during a PCI DSS assessment.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "12.5", "levels": ["base"], "notes": "", "title": "PCI DSS scope is documented and validated.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["12.5.1", "12.5.2.1", "12.5.2", "12.5.3"]}, {"id": "12.6.1", "levels": ["base"], "notes": "", "title": "A formal security awareness program is implemented to make all personnel aware of the entity's information security policy and procedures, and their role in protecting the cardholder data.", "description": "Personnel are knowledgeable about the threat landscape, their responsibility for the\noperation of relevant security controls, and are able to access assistance and guidance\nwhen required.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "12.6.2", "levels": ["base"], "notes": "", "title": "The security awareness program is updated and reviewed at least once every 12 months.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "12.6.3.1", "levels": ["base"], "notes": "", "title": "Security awareness training includes awareness of threats and vulnerabilities that could impact the security of the CDE.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "12.6.3.2", "levels": ["base"], "notes": "", "title": "Security awareness training includes awareness about the acceptable use of end-user technologies in accordance with Requirement 12.2.1.", "description": "Personnel are knowledgeable about their responsibility for the security and operation of\nend-user technologies and are able to access assistance and guidance when required. This\nrequirement is a best practice until 31 March 2025, after which it will be required and\nmust be fully considered during a PCI DSS assessment.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "12.6.3", "levels": ["base"], "notes": "", "title": "Personnel receive security awareness training upon hire and at least once every 12 months via multiple methods of communication.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["12.6.3.1", "12.6.3.2"]}, {"id": "12.6", "levels": ["base"], "notes": "", "title": "Security awareness education is an ongoing activity.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["12.6.1", "12.6.2", "12.6.3.1", "12.6.3.2", "12.6.3"]}, {"id": "12.7.1", "levels": ["base"], "notes": "", "title": "Potential personnel who will have access to the CDE are screened, within the constraints of local laws, prior to hire to minimize the risk of attacks from internal sources.", "description": "The risk related to allowing new members of staff access to the CDE is understood and\nmanaged. For those potential personnel to be hired for positions such as store cashiers,\nwho only have access to one card number at a time when facilitating a transaction, this\nrequirement is a recommendation only.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "12.7", "levels": ["base"], "notes": "", "title": "Personnel are screened to reduce risks from insider threats.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["12.7.1"]}, {"id": "12.8.1", "levels": ["base"], "notes": "", "title": "A list of all third-party service providers (TPSPs) with which account data is shared or that could affect the security of account data is maintained, including a description for each of the services provided.", "description": "Records are maintained of TPSPs and the services provided. The use of a PCI DSS compliant\nTPSP does not make an entity PCI DSS compliant, nor does it remove the entit's\nresponsibility for its own PCI DSS compliance.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "12.8.2", "levels": ["base"], "notes": "", "title": "Written agreements with TPSPs are maintained", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "12.8.3", "levels": ["base"], "notes": "", "title": "An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement.", "description": "The capability, intent, and resources of a prospective TPSP to adequately protect account\ndata are assessed before the TPSP is engaged.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "12.8.4", "levels": ["base"], "notes": "", "title": "A program is implemented to monitor TPSPs' PCI DSS compliance status at least once every 12 months.", "description": "The PCI DSS compliance status of TPSPs is verified periodically. Where an entity has an\nagreement with a TPSP for meeting PCI DSS requirements on behalf of the entity (for\nexample, via a firewall service), the entity must work with the TPSP to make sure the\napplicable PCI DSS requirements are met. If the TPSP does not meet those applicable\nPCI DSS requirements, then those requirements are also \"not in place\" for the entity.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "12.8.5", "levels": ["base"], "notes": "", "title": "Information is maintained about which PCI DSS requirements are managed by each TPSP, which are managed by the entity, and any that are shared between the TPSP and the entity.", "description": "Records detailing the PCI DSS requirements and related system components for which each\nTPSP is solely or jointly responsible, are maintained and reviewed periodically.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "12.8", "levels": ["base"], "notes": "", "title": "Risk to information assets associated with third-party service provider (TPSP) relationships is managed.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["12.8.1", "12.8.2", "12.8.3", "12.8.4", "12.8.5"]}, {"id": "12.9.1", "levels": ["base"], "notes": "", "title": "Additional requirement for service providers only: TPSPs acknowledge in writing to\ncustomers that they are responsible for the security of account data the TPSP possesses or\notherwise stores, processes, or transmits on behalf of the customer, or to the extent that\nthey could impact the security of the customer's CDE.", "description": "TPSPs formally acknowledge their security responsibilities to their customers. This\nrequirement applies only when the entity being assessed is a service provider. The exact\nwording of an acknowledgment will depend on the agreement between the two parties, the\ndetails of the service being provided, and the responsibilities assigned to each party.\nThe acknowledgment does not have to include the exact wording provided in this\nrequirement.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "12.9.2", "levels": ["base"], "notes": "", "title": "Additional requirement for service providers only: TPSPs support their customers' requests\nfor information to meet Requirements 12.8.4 and 12.8.5.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "12.9", "levels": ["base"], "notes": "", "title": "Third-party service providers (TPSPs) support their customers' PCI DSS compliance.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["12.9.1", "12.9.2"]}, {"id": "12.10.1", "levels": ["base"], "notes": "", "title": "An incident response plan exists and is ready to be activated in the event of a suspected or confirmed security incident.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "12.10.2", "levels": ["base"], "notes": "", "title": "At least once every 12 months, the security incident response plan is reviewed, updated, and tested.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "12.10.3", "levels": ["base"], "notes": "", "title": "Specific personnel are designated to be available on a 24/7 basis to respond to suspected or confirmed security incidents.", "description": "Incidents are responded to immediately where appropriate.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "12.10.4.1", "levels": ["base"], "notes": "", "title": "The frequency of periodic training for incident response personnel is defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.", "description": "Incident response personnel are trained at a frequency that addresses the entity's risk.\nThis requirement is a best practice until 31 March 2025, after which it will be required\nand must be fully considered during a PCI DSS assessment.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "12.10.4", "levels": ["base"], "notes": "", "title": "Personnel responsible for responding to suspected and confirmed security incidents are appropriately and periodically trained on their incident response responsibilities.", "description": "Personnel are knowledgeable about their role and responsibilities in incident response and\nare able to access assistance and guidance when required.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["12.10.4.1"]}, {"id": "12.10.5", "levels": ["base"], "notes": "", "title": "The security incident response plan includes monitoring and responding to alerts from security monitoring systems.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "12.10.6", "levels": ["base"], "notes": "", "title": "The security incident response plan is modified and evolved according to lessons learned and to incorporate industry developments.", "description": "The effectiveness and accuracy of the incident response plan is reviewed and updated after\neach invocation.", "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "12.10.7", "levels": ["base"], "notes": "", "title": "Incident response procedures are in place, to be initiated upon the detection of stored PAN anywhere it is not expected.", "description": null, "rationale": null, "automated": "no", "status": "not applicable", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "12.10", "levels": ["base"], "notes": "", "title": "Suspected and confirmed security incidents that could impact the CDE are responded to immediately.", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["12.10.1", "12.10.2", "12.10.3", "12.10.4.1", "12.10.4", "12.10.5", "12.10.6", "12.10.7"]}, {"id": "A1.1.1", "levels": ["base"], "notes": "", "title": "Logical separation is implemented.", "description": "- The provider cannot access its customers' environments without authorization.\n- Customers cannot access the provider's environment without authorization.", "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "A1.1.2", "levels": ["base"], "notes": "", "title": "Controls are implemented such that each customer only has permission to access its own cardholder data and CDE.", "description": "Customers cannot access other customers' environments.", "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "A1.1.3", "levels": ["base"], "notes": "", "title": "Controls are implemented such that each customer can only access resources allocated to them.", "description": "Customers cannot impact resources allocated to other customers.", "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "A1.1.4", "levels": ["base"], "notes": "", "title": "The effectiveness of logical separation controls used to separate customer environments is confirmed at least once every six months via penetration testing.", "description": "Segmentation of customer environments from other environments is periodically validated to\nbe effective. The testing of adequate separation between customers in a multi-tenant\nservice provider environment is in addition to the penetration tests specified in\nRequirement 11.4.6. This requirement is a best practice until 31 March 2025, after which\nit will be required and must be fully considered during a PCI DSS assessment.", "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "A1.1", "levels": ["base"], "notes": "", "title": "Multi-tenant service providers protect and separate all customer environments and data.", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["A1.1.1", "A1.1.2", "A1.1.3", "A1.1.4"]}, {"id": "A1.2.1", "levels": ["base"], "notes": "", "title": "Audit log capability is enabled for each customer's environment that is consistent with PCI DSS Requirement 10.", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "A1.2.2", "levels": ["base"], "notes": "", "title": "Processes or mechanisms are implemented to support and/or facilitate prompt forensic investigations in the event of a suspected or confirmed security incident for any customer.", "description": "Forensic investigation is readily available to all customers in the event of a suspected\nor confirmed security incident.", "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "A1.2.3", "levels": ["base"], "notes": "", "title": "Processes or mechanisms are implemented for reporting and addressing suspected or confirmed security incidents and vulnerabilities.", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "A1.2", "levels": ["base"], "notes": "", "title": "Multi-tenant service providers facilitate logging and incident response for all customers.", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["A1.2.1", "A1.2.2", "A1.2.3"]}, {"id": "A2.1.1", "levels": ["base"], "notes": "Related to requirements 2.2.7 and 3.5.1.1.\nService level settings for web servers such as Apache and NGINX should also be checked.", "title": "Where POS POI terminals at the merchant or payment acceptance location use SSL and/or early TLS, the entity confirms the devices are not susceptible to any known exploits for those protocols.", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "A2.1.2", "levels": ["base"], "notes": "", "title": "Additional requirement for service providers only: All service providers with existing connection points to POS POI terminals that use SSL and/or early TLS as defined in A2.1 have a formal Risk Mitigation and Migration Plan in place.", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "A2.1.3", "levels": ["base"], "notes": "", "title": "Additional requirement for service providers only: All service providers provide a secure service offering.", "description": "This requirement is not eligible for the customized approach. This requirement applies\nonly when the entity being assessed is a service provider.", "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "A2.1", "levels": ["base"], "notes": "", "title": "POI terminals using SSL and/or early TLS are confirmed as not susceptible to known SSL/TLS exploits.", "description": "Appendix A2: Additional PCI DSS Requirements for Entities Using SSL/Early TLS for\nCard-Present POS POI Terminal Connections.", "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["A2.1.1", "A2.1.2", "A2.1.3"]}, {"id": "A3.1.1", "levels": ["base"], "notes": "PCI DSS Reference: Requirement 12", "title": "Responsibility is established by executive management for the protection of account data and a PCI DSS compliance program.", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "A3.1.2", "levels": ["base"], "notes": "PCI DSS Reference: Requirements 1-12", "title": "A formal PCI DSS compliance program is in place.", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "A3.1.3", "levels": ["base"], "notes": "PCI DSS Reference: Requirement 12", "title": "PCI DSS compliance roles and responsibilities are specifically defined and formally assigned to one or more personnel.", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "A3.1.4", "levels": ["base"], "notes": "PCI DSS Reference: Requirement 12", "title": "Up-to-date PCI DSS and/or information security training is provided at least once every 12 months to personnel with PCI DSS compliance responsibilities (as identified in A3.1.3).", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "A3.1", "levels": ["base"], "notes": "", "title": "A PCI DSS compliance program is implemented.", "description": "Appendix A3: Designated Entities Supplemental Validation (DESV)", "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["A3.1.1", "A3.1.2", "A3.1.3", "A3.1.4"]}, {"id": "A3.2.1", "levels": ["base"], "notes": "PCI DSS Reference: Scope of PCI DSS Requirements, Requirement 12.", "title": "PCI DSS scope is documented and confirmed for accuracy at least once every three months and upon significant changes to the in-scope environment.", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "A3.2.2.1", "levels": ["base"], "notes": "PCI DSS Reference: Scope of PCI DSS Requirements; Requirements 1-12", "title": "Upon completion of a change, all relevant PCI DSS requirements are confirmed to be implemented on all new or changed systems and networks, and documentation is updated as applicable.", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "A3.2.2", "levels": ["base"], "notes": "PCI DSS Reference: Scope of PCI DSS Requirements; Requirements 1-12", "title": "PCI DSS scope impact for all changes to systems or networks is determined, including additions of new systems and new network connections.", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["A3.2.2.1"]}, {"id": "A3.2.3", "levels": ["base"], "notes": "PCI DSS Reference: Requirement 12", "title": "Changes to organizational structure result in a formal (internal) review of the impact to PCI DSS scope and applicability of controls.", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "A3.2.4", "levels": ["base"], "notes": "PCI DSS Reference: Requirement 11", "title": "If segmentation is used, PCI DSS scope is confirmed.", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "A3.2.5.1", "levels": ["base"], "notes": "PCI DSS Reference: Scope of PCI DSS Requirements.", "title": "Data discovery methods are confirmed.", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "A3.2.5.2", "levels": ["base"], "notes": "", "title": "Response procedures are implemented to be initiated upon the detection of cleartext PAN outside the CDE.", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "A3.2.5", "levels": ["base"], "notes": "PCI DSS Reference: Scope of PCI DSS Requirements.", "title": "A data-discovery methodology is implemented.", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["A3.2.5.1", "A3.2.5.2"]}, {"id": "A3.2.6.1", "levels": ["base"], "notes": "PCI DSS Reference: Requirement 12", "title": "Response procedures are implemented to be initiated upon the detection of attempts to remove cleartext PAN from the CDE via an unauthorized channel, method, or process.", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "A3.2.6", "levels": ["base"], "notes": "PCI DSS Reference: Scope of PCI DSS Requirements, Requirement 12", "title": "Mechanisms are implemented for detecting and preventing cleartext PAN from leaving the CDE via an unauthorized channel, method, or process.", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["A3.2.6.1"]}, {"id": "A3.2", "levels": ["base"], "notes": "", "title": "PCI DSS scope is documented and validated.", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["A3.2.1", "A3.2.2.1", "A3.2.2", "A3.2.3", "A3.2.4", "A3.2.5.1", "A3.2.5.2", "A3.2.5", "A3.2.6.1", "A3.2.6"]}, {"id": "A3.3.1.2", "levels": ["base"], "notes": "PCI DSS Reference: Requirements 1-12\nIf you noticed, this requirement should be A3.3.1.1 instead of A3.3.1.2 but it was kept\nthis way to be aligned to the policy.", "title": "Failures of any critical security control systems are responded to promptly.", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "A3.3.1", "levels": ["base"], "notes": "PCI DSS Reference: Requirement 12", "title": "Failures of critical security control systems are detected, alerted, and addressed promptly.", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["A3.3.1.2"]}, {"id": "A3.3.2", "levels": ["base"], "notes": "PCI DSS Reference: Requirements 2, 6, 12.", "title": "Hardware and software technologies are reviewed at least once every 12 months to confirm whether they continue to meet the organization's PCI DSS requirements.", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "A3.3.3", "levels": ["base"], "notes": "PCI DSS Reference: Requirements 1-12.", "title": "Reviews are performed at least once every three months to verify BAU activities are being followed.", "description": "Reviews are performed by personnel assigned to the PCI DSS compliance program (as\nidentified in A3.1.3).", "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "A3.3", "levels": ["base"], "notes": "", "title": "PCI DSS is incorporated into business-as-usual (BAU) activities.", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["A3.3.1.2", "A3.3.1", "A3.3.2", "A3.3.3"]}, {"id": "A3.4.1", "levels": ["base"], "notes": "PCI DSS Reference: Requirement 7.", "title": "User accounts and access privileges to in-scope system components are reviewed at least once every six months to ensure user accounts and access privileges remain appropriate based on job function, and that all access is authorized.", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "A3.4", "levels": ["base"], "notes": "", "title": "Logical access to the cardholder data environment is controlled and managed.", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["A3.4.1"]}, {"id": "A3.5.1", "levels": ["base"], "notes": "PCI DSS Reference: Requirement 10, 12.", "title": "A methodology is implemented for the prompt identification of attack patterns and undesirable behavior across systems.", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": []}, {"id": "A3.5", "levels": ["base"], "notes": "", "title": "Suspicious events are identified and responded to.", "description": null, "rationale": null, "automated": "no", "status": "pending", "mitigation": null, "artifact_description": null, "status_justification": null, "fixtext": null, "check": null, "tickets": null, "original_title": null, "related_rules": [], "rules": [], "controls": ["A3.5.1"]}], "levels": [{"id": "base", "inherits_from": null}]}