OC Security Audit provides PCI DSS compliance audit and technical security assessment services for businesses that accept, process, store, or transmit payment card data. This service focuses on the security controls behind PCI DSS readiness, including firewalls, network segmentation, POS environments, e-commerce payment flows, servers, access controls, vulnerability management, logging, vendor access, and incident response readiness.
This page supports our broader PCI DSS compliance audit readiness service by focusing specifically on technical validation of the payment environment.
A PCI DSS technical security assessment reviews the systems, networks, applications, users, vendors, and security controls that support payment card processing. The goal is to determine whether the technical environment is properly segmented, hardened, monitored, patched, encrypted, and protected from unauthorized access.
This assessment is not just a documentation review. It evaluates practical security controls that protect cardholder data and payment systems, including firewall rules, POS networks, e-commerce payment pages, administrative access, server configurations, logging, vulnerability exposure, and vendor remote access.
OC Security Audit, with 25+ years of experience under the management of Ali Hassani, has worked on dozens of networks for businesses in the Southern California, Irvine, and Los Angeles areas. With certifications such as CISSP, CCISO, MCSE, MCSA Security, MCITP, CCNA, CCNP, and more, we are professionals who help make your network and data more secure and your business better prepared for compliance expectations.
- You accept credit card payments through POS systems, payment terminals, restaurants, retail stores, hospitality locations, or multiple branch offices.
- You operate an e-commerce website, online payment portal, hosted payment page, payment plugin, or payment gateway integration.
- You have multiple locations connected through VPN, SD-WAN, MPLS, site-to-site tunnels, cloud environments, vendors, or remote access.
- You need to validate firewall rules, segmentation, access control, logging, monitoring, vulnerability management, and payment system security.
- You are preparing for SAQ, AOC, ROC, payment processor review, vendor review, cyber insurance review, or formal PCI assessment activity.
- You want to reduce PCI DSS scope through segmentation, hosted payment pages, tokenization, vendor responsibility, and removal of unnecessary cardholder data storage.
A formal PCI DSS validation (a Self-Assessment Questionnaire with an Attestation of Compliance, or a Report on Compliance produced by a Qualified Security Assessor) determines whether an organization meets the standard's requirements. A PCI DSS technical security assessment helps identify weaknesses before that formal process by reviewing the actual systems, configurations, access controls, logs, vulnerabilities, and payment data flows that support PCI DSS readiness.
OC Security Audit helps businesses use the security assessment as a practical preparation step. The findings can support remediation planning, evidence collection, SAQ preparation, technical validation, and audit readiness. For a complete readiness engagement, visit our PCI DSS compliance audit readiness services.
POS environments can increase PCI DSS scope when payment terminals, local networks, vendor support tools, back-office systems, wireless networks, or remote access paths are not properly isolated. OC Security Audit reviews POS network design, segmentation, terminal inventory, firewall rules, vendor access, device inspection procedures, and payment traffic flows.
For businesses that accept payments online, OC Security Audit reviews the checkout flow, payment gateway integration, hosted payment page configuration, web application security, third-party scripts, administrator access, TLS settings, logging, vulnerability exposure, and payment plugin security.
A strong PCI DSS review does not stop at identifying risks. OC Security Audit also helps organize technical observations into useful evidence categories so IT, security, compliance, and leadership teams can understand what needs to be fixed and what proof should be prepared.
PCI DSS readiness depends heavily on whether payment systems are properly separated from non-payment systems. OC Security Audit reviews firewall rules, network diagrams, router ACLs, VLAN design, VPN access, wireless separation, data center connectivity, cloud security groups, and traffic flows into and out of the cardholder data environment.
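As an added illustration of the segmentation review described above (this is example code written for this page, not OC Security Audit's tooling or any client's policy), the following Python script evaluates a zone-based firewall rulebase with first-match semantics against the flows the segmentation design says should be allowed or blocked, and separately flags allow rules touching the CDE that use wildcards or have no change ticket. The rule format, zone names (`pos`, `corp`, `guest`, `vendor-vpn`, `internet`), addresses and the sample rulebase are all constructed assumptions; a real review would load the vendor's rule export into the same `Rule` shape.

```python
"""Segmentation rulebase check for a PCI DSS CDE boundary (added example,
constructed rulebase and zone names; not a real client policy)."""
from dataclasses import dataclass
import ipaddress

ANY = "any"
CDE_ZONES = {"pos", "cde-servers"}   # assumed zone names for the sample policy


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    src: str                 # CIDR, host address, or "any"
    dst_zone: str
    dst: str
    services: frozenset      # {"tcp/443", ...} or {"any"}
    action: str              # "allow" or "deny"
    ticket: str = ""         # change record; empty means no documented justification


def _addr_match(pattern: str, ip: str) -> bool:
    if pattern == ANY:
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


def evaluate(rules, src_zone, src_ip, dst_zone, dst_ip, service):
    """First-match evaluation. Returns (action, rule name). An unmatched flow is
    denied, which is the deny-by-default posture expected at the CDE edge."""
    for r in rules:
        if (r.src_zone in (ANY, src_zone) and r.dst_zone in (ANY, dst_zone)
                and _addr_match(r.src, src_ip) and _addr_match(r.dst, dst_ip)
                and (ANY in r.services or service in r.services)):
            return r.action, r.name
    return "deny", "<implicit-deny>"


def check_expected_flows(rules, flows):
    """flows: (src_zone, src_ip, dst_zone, dst_ip, service, expected_action).
    Returns the flows whose evaluated action contradicts the segmentation design."""
    violations = []
    for src_zone, src_ip, dst_zone, dst_ip, service, expected in flows:
        action, rule = evaluate(rules, src_zone, src_ip, dst_zone, dst_ip, service)
        if action != expected:
            violations.append({"flow": f"{src_zone}:{src_ip} -> {dst_zone}:{dst_ip} {service}",
                               "expected": expected, "actual": action, "rule": rule})
    return violations


def overly_permissive(rules):
    """Allow rules touching a CDE zone that use wildcards or lack a change ticket;
    these are the rules an assessor asks about first. Returns {rule name: reasons}."""
    findings = {}
    for r in rules:
        if r.action != "allow":
            continue
        touches_cde = bool({r.src_zone, r.dst_zone} & CDE_ZONES) or ANY in (r.src_zone, r.dst_zone)
        if not touches_cde:
            continue
        reasons = []
        if r.src == ANY:
            reasons.append("wildcard source address")
        if r.dst == ANY:
            reasons.append("wildcard destination address")
        if ANY in r.services:
            reasons.append("any service")
        if not r.ticket:
            reasons.append("no change ticket")
        if reasons:
            findings[r.name] = reasons
    return findings


# Constructed sample rulebase. Gateway and internet hosts use RFC 5737
# documentation addresses; nothing here describes a real environment.
RULES = [
    Rule("pos-to-gateway", "pos", "10.20.0.0/24", "internet", "203.0.113.10",
         frozenset({"tcp/443"}), "allow", ticket="CHG-101"),
    Rule("vendor-vpn-support", "vendor-vpn", ANY, "pos", "10.20.0.0/24",
         frozenset({"tcp/5900"}), "allow"),                      # no ticket on record
    Rule("corp-mgmt-any", "corp", "10.10.0.0/16", "pos", ANY,
         frozenset({ANY}), "allow", ticket="CHG-088"),           # any service into POS
    Rule("cleanup-deny", ANY, ANY, ANY, ANY, frozenset({ANY}), "deny"),
]

# What the segmentation design says should happen (constructed test flows).
EXPECTED_FLOWS = [
    ("pos", "10.20.0.5", "internet", "203.0.113.10", "tcp/443", "allow"),
    ("pos", "10.20.0.5", "internet", "198.51.100.9", "tcp/80", "deny"),
    ("guest", "192.168.50.7", "pos", "10.20.0.5", "tcp/22", "deny"),
    ("corp", "10.10.3.4", "pos", "10.20.0.5", "tcp/3389", "deny"),
]

if __name__ == "__main__":
    for v in check_expected_flows(RULES, EXPECTED_FLOWS):
        print("SEGMENTATION VIOLATION:", v)
    for name, reasons in overly_permissive(RULES).items():
        print(f"RULE REVIEW {name}: {', '.join(reasons)}")
```

Run against the sample policy, the script reports one violation (corporate workstations can reach POS hosts on RDP through `corp-mgmt-any`) and two rules needing cleanup or justification. A rulebase check like this is a desk review, not a substitute for the segmentation penetration test PCI DSS requires; it tells you where to aim that test.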
| Review Area | What We Evaluate | Business Value | Typical Risk |
|---|---|---|---|
| Firewall and Segmentation | Firewall rulebase, inbound and outbound traffic, CDE boundaries, POS isolation, remote access, and vendor paths. | Reduces PCI DSS scope and limits unauthorized access to payment systems. | Critical |
| Servers and Databases | Hardening, patching, encryption, stored data, backup exposure, administrative access, and configuration drift. | Improves protection for systems that store, process, or support payment data. | High |
| Identity and MFA | Microsoft Entra ID, MFA, Conditional Access, privileged accounts, service accounts, and access reviews. | Strengthens access control and reduces account compromise risk. | Critical |
| Logging and Monitoring | SIEM readiness, audit logs, authentication logs, firewall logs, alerting, retention, and incident response workflows. | Improves detection, investigation, and PCI DSS evidence readiness. | High |
| Vulnerability Management | Internal scans, external scans, patch status, remediation tracking, exceptions, and exposure validation. | Reduces exploitable weaknesses before payment processor or assessor review. | High |
The final deliverables are designed to help executives, CISOs, IT administrators, network administrators, system administrators, security engineers, and compliance teams understand what was reviewed, what risks were found, and what actions should be prioritized.
- Detailed findings for firewall rules, segmentation, POS systems, e-commerce systems, servers, access controls, logging, vulnerabilities, and vendor access.
- Prioritized remediation actions based on likelihood, impact, PCI DSS relevance, technical exposure, business importance, and implementation complexity.
- Evidence preparation checklist to support the broader PCI DSS readiness process, including screenshots, policies, logs, reports, diagrams, and approvals.
The goal is to make technical PCI DSS risks understandable and actionable. OC Security Audit organizes findings in a way that supports remediation ownership, management review, evidence preparation, and ongoing payment security improvement.
What is a PCI DSS technical security assessment?
A PCI DSS technical security assessment reviews the systems, networks, applications, users, vendors, and security controls that protect payment card data. It helps identify technical weaknesses before a formal PCI DSS review or broader readiness process.
Is this the same as PCI DSS readiness consulting?
No. PCI DSS readiness consulting is broader and may include scope review, documentation support, gap analysis, remediation planning, and evidence preparation. This page focuses specifically on technical security assessment activities such as firewall review, segmentation, POS security, e-commerce payment security, access control, vulnerability management, and logging.
Can you review POS environments?
Yes. OC Security Audit can review POS network isolation, payment terminal inventory, firewall rules, vendor access, terminal inspection procedures, and payment-related network traffic.
Can you review e-commerce payment flows?
Yes. OC Security Audit can review checkout flows, payment gateway integrations, hosted payment pages, web application security, payment page scripts, plugins, TLS settings, and administrative access.
Can the assessment help reduce PCI DSS scope?
Yes. A technical security assessment can identify opportunities to reduce PCI DSS scope through segmentation, hosted payment pages, tokenization, outsourced payment processing, restricted access, and removal of unnecessary cardholder data storage.
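Removing unnecessary cardholder data storage starts with finding it, and PAN routinely leaks into places nobody intended: application logs, CSV exports, reports on file shares. As an added example (written for this page, not OC Security Audit's scanner), the following Python script finds candidate card numbers in text, validates them with the Luhn check so order numbers and timestamps are not reported as hits, and returns only a masked form so the scan output does not itself become a new store of cardholder data. The sample log lines and the publicly known test card numbers in them are constructed for the example; the regular expression and mask format are assumptions you would tune to your own data.

```python
"""PAN discovery and masking for logs, exports and file shares (added example
with constructed sample lines; not a client's data or the page's own tooling)."""
import re

# Candidate run of 13-19 digits, optionally separated by single spaces or
# dashes, not glued to other digits. Assumed pattern for this example.
CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod-10) check: every real PAN passes it, most order numbers do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six (BIN) and last four; PCI DSS allows at most BIN + last four on display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _normalize(match_text: str) -> str:
    return re.sub(r"[ -]", "", match_text)


def find_pans(text: str) -> list:
    """Return the Luhn-valid PANs (digits only) found in a string."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = _normalize(m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_lines(lines) -> list:
    """(line number, masked PAN) per hit. Only masked values are returned, so
    the scan report does not itself become a place cardholder data is stored."""
    return [(n, mask(pan)) for n, line in enumerate(lines, 1) for pan in find_pans(line)]


def redact(line: str) -> str:
    """Replace each valid PAN in a line with its masked form (for log scrubbing)."""
    def _sub(m):
        digits = _normalize(m.group())
        return mask(digits) if 13 <= len(digits) <= 19 and luhn_ok(digits) else m.group()
    return CANDIDATE.sub(_sub, line)


# Constructed sample lines using publicly known test card numbers; not real logs.
SAMPLE_LOG = [
    "2024-05-01T10:02:11Z pos-07 sale approved card=4111111111111111 amt=42.10",
    "2024-05-01T10:02:12Z gw-api POST /charge token=tok_9f31e2c1a7b3 status=200",
    '2024-05-01T10:05:40Z export.csv row 18: "5500 0000 0000 0004",Smith,ok',
    "2024-05-01T10:07:03Z app ERROR order=1234567890123456789 failed",
    "2024-05-01T10:09:55Z pos-07 ref=378282246310005 (amex)",
]

if __name__ == "__main__":
    for line_no, masked in scan_lines(SAMPLE_LOG):
        print(f"line {line_no}: PAN found -> {masked}")
```

On the sample lines the scan reports lines 1, 3 and 5 and ignores the tokenized gateway call and the 19-digit order number that fails Luhn. A Luhn pass is evidence, not proof: some identifiers pass by chance, so confirm hits against the source before filing a finding, and treat the files you confirm as in scope until the data is purged.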
What deliverables are included?
Typical deliverables may include a technical findings report, risk-ranked remediation roadmap, firewall and segmentation observations, POS and e-commerce security findings, access control review notes, vulnerability summary, logging readiness summary, and evidence preparation checklist.
If your organization needs a deeper review of POS systems, e-commerce payment flows, firewalls, segmentation, servers, access controls, logging, vulnerabilities, or vendor access, OC Security Audit can help identify technical gaps and create a practical remediation roadmap.
The technical control matrix below accompanies the PCI DSS compliance audit and technical security assessment service. It lists practical controls for POS environments, e-commerce payment flows, firewalls, segmentation, servers, identity, MFA, logging, vulnerability management, vendor access, governance, and evidence preparation, with the evidence or test method used to assess each one.
| ID | Category | Technical Control / Assessment | Description | Risk Score | Impact | Occurrence | Priority | Evidence / Test Method | Owner | Frequency | Status |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 001 | Network Security & Segmentation | Maintain firewall/security-group standards | Confirm that a written standard governs firewall and cloud security-group rules for the payment environment, that it is followed in practice, and that rule ownership and periodic review are tracked. | 20 | Critical | High | High | Rules, diagrams, approvals, segmentation test notes | Network / Security | Semiannual | Review |
| 002 | Network Security & Segmentation | Review inbound CDE traffic | Verify that every inbound connection into the CDE is limited to documented, business-justified sources and services, with no direct public access to systems that store or process cardholder data. | 20 | Critical | High | High | Rules, diagrams, approvals, segmentation test notes | Network / Security | After Change | Review |
| 003 | Network Security & Segmentation | Review outbound CDE traffic | Verify that outbound traffic from the CDE is restricted to approved destinations (payment gateway, patching, logging) so a compromised POS host cannot freely reach the internet. | 16 | High | Medium | High | Rules, diagrams, approvals, segmentation test notes | Network / Security | Quarterly | Review |
| 004 | Network Security & Segmentation | Validate deny-by-default rules | Confirm that each CDE boundary ends in an explicit deny-all rule and that broad permits (vendor "any/any" rules, temporary troubleshooting rules) do not precede it. | 16 | High | Medium | High | Rules, diagrams, approvals, segmentation test notes | Network / Security | Annual | Review |
| 005 | Network Security & Segmentation | Document CDE network diagrams | Confirm that current network and data-flow diagrams show all CDE systems, connections, and segmentation points, and that they match the deployed configuration. | 25 | Critical | High | Critical | Rules, diagrams, approvals, segmentation test notes | Network / Security | Monthly | Review |
| 006 | Network Security & Segmentation | Map POS VLAN boundaries | Identify the VLANs carrying POS and terminal traffic and confirm that routing to corporate, guest, and back-office segments is blocked or tightly filtered. | 20 | Critical | High | High | Rules, diagrams, approvals, segmentation test notes | Network / Security | Semiannual | Review |
| 007 | Network Security & Segmentation | Map e-commerce payment paths | Trace cardholder data through the web tier, application tier, and payment gateway integration, including any redirect or iframe to a hosted payment page. | 20 | Critical | High | High | Rules, diagrams, approvals, segmentation test notes | Network / Security | After Change | Review |
| 008 | Network Security & Segmentation | Review site-to-site VPN rules | Review the access lists applied to site-to-site tunnels between branches, data centers, and cloud environments so that only required CDE traffic crosses them. | 16 | High | Medium | High | Rules, diagrams, approvals, segmentation test notes | Network / Security | Quarterly | Review |
| 009 | Network Security & Segmentation | Review remote admin pathways | Confirm that administrative access to CDE systems is reachable only through approved jump hosts or VPN with MFA, never directly from the internet or from general-user networks. | 16 | High | Medium | High | Rules, diagrams, approvals, segmentation test notes | Network / Security | Annual | Review |
| 010 | Network Security & Segmentation | Review vendor remote access paths | Inventory vendor and POS support remote access (remote support agents, VNC, VPN accounts) and confirm that each path requires MFA, is enabled only while in use, and is logged. | 25 | Critical | High | Critical | Rules, diagrams, approvals, segmentation test notes | Network / Security | Monthly | Review |
| 011 | Network Security & Segmentation | Separate guest wireless from CDE | Confirm that guest Wi-Fi is isolated from POS and CDE networks by firewall or VLAN controls, with no shared SSIDs, DHCP scopes, or routing paths. | 20 | Critical | High | High | Rules, diagrams, approvals, segmentation test notes | Network / Security | Semiannual | Review |
| 012 | Network Security & Segmentation | Separate corporate LAN from POS | Confirm that office workstations, printers, and back-office servers cannot initiate connections to POS systems except through explicitly approved management paths. | 20 | Critical | High | High | Rules, diagrams, approvals, segmentation test notes | Network / Security | After Change | Review |
| 013 | Network Security & Segmentation | Restrict east-west traffic | Confirm that CDE hosts cannot communicate with each other on unnecessary ports, limiting lateral movement if one terminal or server is compromised. | 16 | High | Medium | High | Rules, diagrams, approvals, segmentation test notes | Network / Security | Quarterly | Review |
| 014 | Network Security & Segmentation | Review DMZ architecture | Confirm that internet-facing payment components sit in a DMZ, that no account data is stored in the DMZ, and that DMZ-to-internal traffic is restricted to required flows. | 16 | High | Medium | High | Rules, diagrams, approvals, segmentation test notes | Network / Security | Annual | Review |
| 015 | Network Security & Segmentation | Test segmentation controls | Run penetration-style tests from out-of-scope networks toward the CDE to prove isolation; PCI DSS requires this at least annually and after segmentation changes (every six months for service providers). | 25 | Critical | High | Critical | Rules, diagrams, approvals, segmentation test notes | Network / Security | Monthly | Review |
| 016 | Network Security & Segmentation | Review cloud firewall policies | Review cloud security groups, network ACLs, and WAF policies protecting CDE workloads for overly broad sources (0.0.0.0/0), unused rules, and missing egress filtering. | 20 | Critical | High | High | Rules, diagrams, approvals, segmentation test notes | Network / Security | Semiannual | Review |
| 017 | Network Security & Segmentation | Review router ACLs | Review router and layer-3 switch ACLs that enforce segmentation between CDE and non-CDE segments, and confirm that they agree with the firewall policy and diagrams. | 20 | Critical | High | High | Rules, diagrams, approvals, segmentation test notes | Network / Security | After Change | Review |
| 018 | Network Security & Segmentation | Review NAT and port-forwarding | Confirm that no NAT or port-forwarding rule exposes POS, back-office, or database systems directly to the internet. | 16 | High | Medium | High | Rules, diagrams, approvals, segmentation test notes | Network / Security | Quarterly | Review |
| 019 | Network Security & Segmentation | Review legacy firewall rules | Identify rules with no hits, no owner, or no business justification and confirm that they are removed or documented as approved exceptions. | 16 | High | Medium | High | Rules, diagrams, approvals, segmentation test notes | Network / Security | Annual | Review |
| 020 | Network Security & Segmentation | Validate firewall change records | Sample recent rule changes and confirm that each has a ticket, approval, business justification, and post-change review as the firewall standard requires. | 25 | Critical | High | Critical | Rules, diagrams, approvals, segmentation test notes | Network / Security | Monthly | Review |
| 021 | Secure Configuration & Asset Inventory | Maintain PCI asset inventory | Confirm that an inventory lists every in-scope system (POS terminals, servers, network devices, cloud workloads) with owner, location, function, and CDE role, and that it is kept current. | 16 | High | Medium | High | Inventory, baseline, config export, exception record | Systems / IT Ops | Semiannual | Review |
| 022 | Secure Configuration & Asset Inventory | Classify CDE system roles | Confirm that each asset is classified as CDE, connected-to or security-impacting, or out of scope, so the right controls and evidence apply to it. | 16 | High | Medium | High | Inventory, baseline, config export, exception record | Systems / IT Ops | After Change | Review |
| 023 | Secure Configuration & Asset Inventory | Remove vendor default passwords | Confirm that default credentials and SNMP community strings on POS devices, network equipment, databases, and appliances are changed before deployment. | 12 | Medium | Medium | Medium | Inventory, baseline, config export, exception record | Systems / IT Ops | Quarterly | Review |
| 024 | Secure Configuration & Asset Inventory | Disable unnecessary services | Confirm that only required services, protocols, and daemons run on CDE systems and that insecure ones (Telnet, FTP, SMBv1) are disabled or formally justified. | 12 | Medium | Medium | Medium | Inventory, baseline, config export, exception record | Systems / IT Ops | Annual | Review |
| 025 | Secure Configuration & Asset Inventory | Apply CIS-style baselines | Confirm that a documented hardening baseline (CIS Benchmarks or equivalent) is applied to each platform type and that deviations are recorded. | 20 | High | High | High | Inventory, baseline, config export, exception record | Systems / IT Ops | Monthly | Review |
| 026 | Secure Configuration & Asset Inventory | Review Windows hardening | Check Windows CDE hosts for restricted local administrators, SMB signing, PowerShell and audit logging, removed unneeded features, and alignment to the baseline. | 16 | High | Medium | High | Inventory, baseline, config export, exception record | Systems / IT Ops | Semiannual | Review |
| 027 | Secure Configuration & Asset Inventory | Review Linux hardening | Check Linux CDE hosts for SSH configuration, sudo restrictions, package minimization, file permissions, and alignment to the baseline. | 16 | High | Medium | High | Inventory, baseline, config export, exception record | Systems / IT Ops | After Change | Review |
| 028 | Secure Configuration & Asset Inventory | Review network device hardening | Check firewalls, switches, and routers for encrypted management only (SSH/HTTPS), central authentication, disabled unused interfaces, and current firmware. | 12 | Medium | Medium | Medium | Inventory, baseline, config export, exception record | Systems / IT Ops | Quarterly | Review |
| 029 | Secure Configuration & Asset Inventory | Review cloud workload hardening | Check cloud instances and containers for hardened images, no public management ports, protected instance metadata, and least-privilege IAM roles. | 12 | Medium | Medium | Medium | Inventory, baseline, config export, exception record | Systems / IT Ops | Annual | Review |
| 030 | Secure Configuration & Asset Inventory | Review database configuration | Check databases that store or support account data for disabled default accounts, encrypted connections, minimal privileges, and audit logging. | 20 | High | High | High | Inventory, baseline, config export, exception record | Systems / IT Ops | Monthly | Review |
| 031 | Secure Configuration & Asset Inventory | Review POS terminal config | Check payment terminals and POS workstations for vendor-supported firmware, disabled unused ports, locked-down local accounts, and point-to-point encryption settings where used. | 16 | High | Medium | High | Inventory, baseline, config export, exception record | Systems / IT Ops | Semiannual | Review |
| 032 | Secure Configuration & Asset Inventory | Review admin workstation config | Confirm that workstations used to administer the CDE are hardened, patched, restricted from general browsing and email, and protected by MFA. | 16 | High | Medium | High | Inventory, baseline, config export, exception record | Systems / IT Ops | After Change | Review |
| 033 | Secure Configuration & Asset Inventory | Review configuration drift | Compare current configurations against the approved baseline and earlier exports to detect unauthorized or undocumented changes. | 12 | Medium | Medium | Medium | Inventory, baseline, config export, exception record | Systems / IT Ops | Quarterly | Review |
| 034 | Secure Configuration & Asset Inventory | Document approved exceptions | Confirm that every deviation from the baseline has a documented risk acceptance, compensating control, and expiry date. | 12 | Medium | Medium | Medium | Inventory, baseline, config export, exception record | Systems / IT Ops | Annual | Review |
| 035 | Secure Configuration & Asset Inventory | Track unsupported systems | Identify end-of-life operating systems, POS software, and firmware in scope and confirm that a remediation or compensating-control plan exists for each. | 20 | High | High | High | Inventory, baseline, config export, exception record | Systems / IT Ops | Monthly | Review |
| 036 | Secure Configuration & Asset Inventory | Review device ownership | Confirm that each in-scope asset has a named owner accountable for its patching, configuration, and evidence. | 16 | High | Medium | High | Inventory, baseline, config export, exception record | Systems / IT Ops | Semiannual | Review |
| 037 | Secure Configuration & Asset Inventory | Review time synchronization | Confirm that all CDE systems synchronize to approved NTP sources so that logs from different systems can be correlated during an investigation. | 16 | High | Medium | High | Inventory, baseline, config export, exception record | Systems / IT Ops | After Change | Review |
| 038 | Secure Configuration & Asset Inventory | Review secure build process | Confirm that new systems are built from hardened images or build scripts and reviewed before they join the CDE. | 12 | Medium | Medium | Medium | Inventory, baseline, config export, exception record | Systems / IT Ops | Quarterly | Review |
| 039 | Secure Configuration & Asset Inventory | Review backup configuration | Confirm that backups of CDE systems are encrypted, access-restricted, and stored where they do not silently extend PCI DSS scope. | 12 | Medium | Medium | Medium | Inventory, baseline, config export, exception record | Systems / IT Ops | Annual | Review |
| 040 | Secure Configuration & Asset Inventory | Review baseline evidence | Confirm that baseline documents, configuration exports, and scan results are retained as evidence that hardening is applied and maintained. | 20 | High | High | High | Inventory, baseline, config export, exception record | Systems / IT Ops | Monthly | Review |
| 041 | Account Data Protection | Identify stored PAN locations | Use data-discovery scans and interviews to locate every database, file, log, report, and backup that holds PAN, including locations outside the intended CDE. | 20 | Critical | High | High | Data scan, DB/file review, retention and encryption evidence | Data Owner / Security | Semiannual | Review |
| 042 | Account Data Protection | Validate data retention rules | Confirm that a retention policy defines how long account data is kept and why, and that data beyond the retention period is securely deleted at least quarterly. | 20 | Critical | High | High | Data scan, DB/file review, retention and encryption evidence | Data Owner / Security | After Change | Review |
| 043 | Account Data Protection | Remove unnecessary card data | Confirm that PAN is not stored where a token, truncated value, or authorization reference would suffice, and that legacy stores have been purged. | 16 | High | Medium | High | Data scan, DB/file review, retention and encryption evidence | Data Owner / Security | Quarterly | Review |
| 044 | Account Data Protection | Mask displayed PAN | Confirm that applications, receipts, and reports show at most the BIN and last four digits unless a role has a documented business need to see the full PAN. | 16 | High | Medium | High | Data scan, DB/file review, retention and encryption evidence | Data Owner / Security | Annual | Review |
| 045 | Account Data Protection | Restrict PAN viewing roles | Confirm that full-PAN access is limited to named roles with a business need, enforced by application permissions, and reviewed periodically. | 25 | Critical | High | Critical | Data scan, DB/file review, retention and encryption evidence | Data Owner / Security | Monthly | Review |
| 046 | Account Data Protection | Encrypt stored PAN | Confirm that stored PAN is rendered unreadable (strong cryptography, truncation, tokenization, or keyed hashing) and that disk-level encryption is not the only protection. | 20 | Critical | High | High | Data scan, DB/file review, retention and encryption evidence | Data Owner / Security | Semiannual | Review |
| 047 | Account Data Protection | Validate tokenization use | Confirm that tokens replace PAN in internal systems, that tokens cannot be reversed outside the token vault or provider, and that the vault itself is treated as in scope. | 20 | Critical | High | High | Data scan, DB/file review, retention and encryption evidence | Data Owner / Security | After Change | Review |
| 048 | Account Data Protection | Review hashing/truncation use | Confirm that hashed PAN uses a keyed cryptographic hash and that hashed and truncated versions of the same PAN are not stored where they could be correlated to rebuild it. | 16 | High | Medium | High | Data scan, DB/file review, retention and encryption evidence | Data Owner / Security | Quarterly | Review |
| 049 | Account Data Protection | Prohibit SAD storage | Confirm that full track data, card verification codes, and PINs or PIN blocks are never retained after authorization, including in logs, crash dumps, and database fields. | 16 | High | Medium | High | Data scan, DB/file review, retention and encryption evidence | Data Owner / Security | Annual | Review |
| 050 | Account Data Protection | Scan logs for PAN | Scan application, web server, POS, and gateway logs for card-number patterns (confirmed with a Luhn check) to find PAN leaking into plaintext log files. | 25 | Critical | High | Critical | Data scan, DB/file review, retention and encryption evidence | Data Owner / Security | Monthly | Review |
| 051 | Account Data Protection | Scan reports for PAN | Scan generated reports, spreadsheets, and exports for unmasked PAN and confirm that reporting tools apply masking by default. | 20 | Critical | High | High | Data scan, DB/file review, retention and encryption evidence | Data Owner / Security | Semiannual | Review |
| 052 | Account Data Protection | Review database exports | Confirm that database dumps, ETL outputs, and developer copies contain no unmasked PAN or SAD, or are protected and retained as CDE data if they must. | 20 | Critical | High | High | Data scan, DB/file review, retention and encryption evidence | Data Owner / Security | After Change | Review |
| 053 | Account Data Protection | Review backups for CHD | Confirm that backups containing cardholder data are encrypted, inventoried, access-restricted, and covered by the retention and disposal process. | 16 | High | Medium | High | Data scan, DB/file review, retention and encryption evidence | Data Owner / Security | Quarterly | Review |
| 054 | Account Data Protection | Review file shares for CHD | Scan file shares, collaboration sites, and user home directories for stored card data and confirm that findings are removed or secured. | 16 | High | Medium | High | Data scan, DB/file review, retention and encryption evidence | Data Owner / Security | Annual | Review |
| 055 | Account Data Protection | Review data disposal process | Confirm that data past retention is securely deleted and media sanitized on a defined schedule, with records kept as evidence. | 25 | Critical | High | Critical | Data scan, DB/file review, retention and encryption evidence | Data Owner / Security | Monthly | Review |
| 056 | Account Data Protection | Review encryption keys | Inventory the keys protecting stored account data, confirm algorithm and key strength, and confirm that key-management procedures are documented. | 20 | Critical | High | High | Data scan, DB/file review, retention and encryption evidence | Data Owner / Security | Semiannual | Review |
| 057 | Account Data Protection | Restrict key access | Confirm that key custodians are formally assigned, that keys are held in an HSM or encrypted under a key-encrypting key, and that access is limited to the fewest people necessary. | 20 | Critical | High | High | Data scan, DB/file review, retention and encryption evidence | Data Owner / Security | After Change | Review |
| 058 | Account Data Protection | Review key rotation | Confirm that keys are changed at the end of their cryptoperiod or when compromise is suspected, and that retired keys are archived or destroyed. | 16 | High | Medium | High | Data scan, DB/file review, retention and encryption evidence | Data Owner / Security | Quarterly | Review |
| 059 | Account Data Protection | Document data flows | Confirm that data-flow diagrams show every point where account data is captured, transmitted, processed, and stored. | 16 | High | Medium | High | Data scan, DB/file review, retention and encryption evidence | Data Owner / Security | Annual | Review |
| 060 | Account Data Protection | Validate CHD minimization | Confirm that every storage, transmission, and processing point for cardholder data that the business does not require has been removed. | 25 | Critical | High | Critical | Data scan, DB/file review, retention and encryption evidence | Data Owner / Security | Monthly | Review |
| 061 | Transmission & Encryption | Validate TLS for payment pages | Confirm that checkout and payment pages are served only over TLS 1.2 or later with valid, trusted certificates. | 16 | High | Medium | High | TLS scan, cert list, gateway and DLP settings | Network / AppSec | Semiannual | Review |
| 062 | Transmission & Encryption | Review certificate inventory | Confirm that an inventory of certificates used in the payment environment exists, with owner, issuer, and expiry for each. | 16 | High | Medium | High | TLS scan, cert list, gateway and DLP settings | Network / AppSec | After Change | Review |
| 063 | Transmission & Encryption | Remove weak protocols | Confirm that SSL, TLS 1.0, and TLS 1.1 are disabled on payment-facing services, POS terminals, and gateway connections. | 12 | Medium | Medium | Medium | TLS scan, cert list, gateway and DLP settings | Network / AppSec | Quarterly | Review |
| 064 | Transmission & Encryption | Review cipher suites | Confirm that only strong cipher suites are enabled (no RC4, 3DES, NULL, or export ciphers) and that the configuration is consistent across servers and load balancers. | 12 | Medium | Medium | Medium | TLS scan, cert list, gateway and DLP settings | Network / AppSec | Annual | Review |
| 065 | Transmission & Encryption | Validate gateway encryption | Confirm that traffic between POS or e-commerce systems and the payment gateway or processor is encrypted with strong cryptography along the full path. | 20 | High | High | High | TLS scan, cert list, gateway and DLP settings | Network / AppSec | Monthly | Review |
| 066 | Transmission & Encryption | Review API transport security | Confirm that payment APIs require TLS, validate server certificates, and authenticate clients rather than trusting network position. | 16 | High | Medium | High | TLS scan, cert list, gateway and DLP settings | Network / AppSec | Semiannual | Review |
| 067 | Transmission & Encryption | Review VPN encryption | Confirm that site-to-site and remote-access VPNs use strong algorithms (for example AES-256, SHA-2, and modern DH groups) and that legacy proposals are disabled. | 16 | High | Medium | High | TLS scan, cert list, gateway and DLP settings | Network / AppSec | After Change | Review |
| 068 | Transmission & Encryption | Review wireless encryption | Confirm that any wireless network in or connected to the CDE uses WPA2 or WPA3 with strong authentication, and that WEP and WPA/TKIP are removed. | 12 | Medium | Medium | Medium | TLS scan, cert list, gateway and DLP settings | Network / AppSec | Quarterly | Review |
| 069 | Transmission & Encryption | Prohibit PAN by email | Confirm that policy and technical controls prevent unencrypted PAN from being sent by email, chat, or SMS. | 12 | Medium | Medium | Medium | TLS scan, cert list, gateway and DLP settings | Network / AppSec | Annual | Review |
| 070 | Transmission & Encryption | Review DLP mail rules | Review mail DLP policies for card-number detection (pattern plus Luhn check), block or encrypt actions, and alerting on attempts. | 20 | High | High | High | TLS scan, cert list, gateway and DLP settings | Network / AppSec | Monthly | Review |
| 071 | Transmission & Encryption | Review secure file transfer | Confirm that file transfers containing account data use SFTP, FTPS, or an encrypted file-transfer service rather than FTP or plain email attachments. | 16 | High | Medium | High | TLS scan, cert list, gateway and DLP settings | Network / AppSec | Semiannual | Review |
| 072 | Transmission & Encryption | Review payment redirects | Confirm that redirects or iframes to hosted payment pages are implemented so the merchant page cannot be modified to capture card data before it reaches the provider. | 16 | High | Medium | High | TLS scan, cert list, gateway and DLP settings | Network / AppSec | After Change | Review |
| 073 | Transmission & Encryption | Review webhook security | Confirm that payment webhooks are verified (signature or shared secret), delivered over TLS, and restricted so forged callbacks cannot alter order or payment status. | 12 | Medium | Medium | Medium | TLS scan, cert list, gateway and DLP settings | Network / AppSec | Quarterly | Review |
| 074 | Transmission & Encryption | Review certificate renewal | Confirm that certificate renewal is tracked and automated where possible so expired certificates do not break or weaken payment paths. | 12 | Medium | Medium | Medium | TLS scan, cert list, gateway and DLP settings | Network / AppSec | Annual | Review |
| 075 | Transmission & Encryption | Review HSTS settings | Confirm that HSTS is enabled on payment-facing domains with an appropriate max-age so browsers refuse plaintext connections. | 20 | High | High | High | TLS scan, cert list, gateway and DLP settings | Network / AppSec | Monthly | Review |
| 076 | Transmission & Encryption | Review DNS exposure | Review DNS records for forgotten payment subdomains, dangling CNAMEs, and test hosts that could be taken over or used for phishing. | 16 | High | Medium | High | TLS scan, cert list, gateway and DLP settings | Network / AppSec | Semiannual | Review |
| 077 | Transmission & Encryption | Review external payment endpoints | Confirm that every internet-facing payment endpoint is inventoried, scanned, and covered by the segmentation and TLS reviews. | 16 | High | Medium | High | TLS scan, cert list, gateway and DLP settings | Network / AppSec | After Change | Review |
| 078 | Transmission & Encryption | Review mobile payment paths | Trace how mobile apps and mobile POS devices send account data to the gateway and confirm that transport encryption and certificate validation are enforced. | 12 | Medium | Medium | Medium | TLS scan, cert list, gateway and DLP settings | Network / AppSec | Quarterly | Review |
| 079 | Transmission & Encryption | Review third-party connection security | Confirm that connections to processors, loyalty, fraud, and logistics partners are encrypted, authenticated, and limited to the data each partner needs. | 12 | Medium | Medium | Medium | TLS scan, cert list, gateway and DLP settings | Network / AppSec | Annual | Review |
| 080 | Transmission & Encryption | Document encrypted flows | Assess whether document encrypted flows is implemented, documented, monitored, and aligned to the payment environment. | 20 | High | High | High | TLS scan, cert list, gateway and DLP settings | Network / AppSec | Monthly | Review |
| 081 | Endpoint, Malware & Patch Management | Validate EDR coverage | Verify that every in-scope workstation, server, and POS system appears in the EDR or anti-malware console with an active agent; reconcile the console against the asset inventory and investigate any gap. | 16 | High | Medium | High | EDR report, patch report, remediation tickets | IT Ops / SecOps | Semiannual | Review |
| 082 | Endpoint, Malware & Patch Management | Review anti-malware policies | Verify that anti-malware policy enforces real-time scanning, periodic full scans, and automatic updates, that users cannot disable or alter protection, and that the policy applies to all in-scope systems. | 16 | High | Medium | High | EDR report, patch report, remediation tickets | IT Ops / SecOps | After Change | Review |
| 083 | Endpoint, Malware & Patch Management | Review malware alert handling | Verify that malware detections generate alerts, that alerts are triaged and documented under the incident response process, and that repeat detections on the same host are investigated rather than only cleaned. | 12 | Medium | Medium | Medium | EDR report, patch report, remediation tickets | IT Ops / SecOps | Quarterly | Review |
| 084 | Endpoint, Malware & Patch Management | Review endpoint isolation capability | Verify that the EDR platform can isolate a compromised host from the network, that staff know how to invoke it, and that isolating a POS or payment server has been tested without breaking payment operations. | 12 | Medium | Medium | Medium | EDR report, patch report, remediation tickets | IT Ops / SecOps | Annual | Review |
| 085 | Endpoint, Malware & Patch Management | Control removable media | Verify that USB storage and other removable media are blocked or restricted on POS systems and CDE servers, that exceptions are documented and approved, and that any media connected to in-scope systems is scanned. | 20 | High | High | High | EDR report, patch report, remediation tickets | IT Ops / SecOps | Monthly | Review |
| 086 | Endpoint, Malware & Patch Management | Review POS endpoint protection | Verify that POS terminals and back-office POS servers run supported anti-malware or EDR for their platform, that application allow-listing is used where the vendor supports it, and that protection cannot be disabled at the register. | 16 | High | Medium | High | EDR report, patch report, remediation tickets | IT Ops / SecOps | Semiannual | Review |
| 087 | Endpoint, Malware & Patch Management | Review server AV exclusions | Verify that anti-malware exclusions on servers are documented, justified (for example, database or payment-application paths required by the vendor), approved, and not so broad that they exclude entire drives or user-writable directories. | 16 | High | Medium | High | EDR report, patch report, remediation tickets | IT Ops / SecOps | After Change | Review |
| 088 | Endpoint, Malware & Patch Management | Review signature update status | Verify that anti-malware signatures and EDR engines are current on all in-scope systems, that the console reports update age, and that systems failing to update are identified and fixed. | 12 | Medium | Medium | Medium | EDR report, patch report, remediation tickets | IT Ops / SecOps | Quarterly | Review |
| 089 | Endpoint, Malware & Patch Management | Review patch policy | Verify that the patch management policy defines risk ranking of patches, installation time frames, responsibilities, and exception handling, and that it covers operating systems, applications, firmware, and network devices. | 12 | Medium | Medium | Medium | EDR report, patch report, remediation tickets | IT Ops / SecOps | Annual | Review |
| 090 | Endpoint, Malware & Patch Management | Track critical patches | Verify that critical security patches for in-scope systems are identified and installed within the policy time frame (PCI DSS requires critical patches within one month of release) and that evidence of installation is retained. | 20 | High | High | High | EDR report, patch report, remediation tickets | IT Ops / SecOps | Monthly | Review |
| 091 | Endpoint, Malware & Patch Management | Track high-risk patches | Verify that high-risk patches not rated critical are still tracked to remediation within the policy time frame and that their ranking follows the vulnerability management process. | 16 | High | Medium | High | EDR report, patch report, remediation tickets | IT Ops / SecOps | Semiannual | Review |
| 092 | Endpoint, Malware & Patch Management | Review emergency patching | Verify that an emergency patching procedure exists for actively exploited vulnerabilities, that it includes abbreviated change approval and a rollback plan, and that it has actually been exercised. | 16 | High | Medium | High | EDR report, patch report, remediation tickets | IT Ops / SecOps | After Change | Review |
| 093 | Endpoint, Malware & Patch Management | Review patch exceptions | Verify that any system not patched on schedule has a documented exception with a business reason, compensating controls, an owner, and an expiry date, and that exceptions are reviewed rather than renewed indefinitely. | 12 | Medium | Medium | Medium | EDR report, patch report, remediation tickets | IT Ops / SecOps | Quarterly | Review |
| 094 | Endpoint, Malware & Patch Management | Review vulnerability-to-patch workflow | Verify that vulnerability scan findings flow into remediation tickets, that tickets are assigned and tracked to closure, and that a rescan confirms each fix. | 12 | Medium | Medium | Medium | EDR report, patch report, remediation tickets | IT Ops / SecOps | Annual | Review |
| 095 | Endpoint, Malware & Patch Management | Validate workstation updates | Verify from the patch report that in-scope workstations are current on operating system and application patches, and sample a set of workstations to confirm the report against the actual system. | 20 | High | High | High | EDR report, patch report, remediation tickets | IT Ops / SecOps | Monthly | Review |
| 096 | Endpoint, Malware & Patch Management | Validate server updates | Verify from the patch report that CDE and connected servers are current, sample systems to confirm, and check that reboots required to complete patching have occurred. | 16 | High | Medium | High | EDR report, patch report, remediation tickets | IT Ops / SecOps | Semiannual | Review |
| 097 | Endpoint, Malware & Patch Management | Validate network device updates | Verify that firewalls, switches, routers, and wireless controllers in or adjacent to the CDE run supported firmware at a current security release and that vendor advisories are tracked. | 16 | High | Medium | High | EDR report, patch report, remediation tickets | IT Ops / SecOps | After Change | Review |
| 098 | Endpoint, Malware & Patch Management | Validate application updates | Verify that payment applications, POS software, web platforms, plugins, and supporting components (web servers, runtimes, libraries) are at supported and patched versions. | 12 | Medium | Medium | Medium | EDR report, patch report, remediation tickets | IT Ops / SecOps | Quarterly | Review |
| 099 | Endpoint, Malware & Patch Management | Review unsupported software | Verify that no in-scope system runs an operating system, application, or POS software past vendor end-of-support, or that any remaining instance has a documented migration plan and compensating controls. | 12 | Medium | Medium | Medium | EDR report, patch report, remediation tickets | IT Ops / SecOps | Annual | Review |
| 100 | Endpoint, Malware & Patch Management | Review remediation SLAs | Verify that remediation time frames by severity are defined, measured against actual ticket data, and reported, and that overdue items are escalated. | 20 | High | High | High | EDR report, patch report, remediation tickets | IT Ops / SecOps | Monthly | Review |
| 101 | Secure Software & E-Commerce | Review secure SDLC policy | Verify that software that handles or can affect payments is developed under a documented secure SDLC covering security requirements, coding standards, testing, and developer training, and that the policy is followed in practice. | 16 | High | Medium | High | Code review, WAF, SAST/DAST, payment flow evidence | AppSec / DevOps | Semiannual | Review |
| 102 | Secure Software & E-Commerce | Review code review process | Verify that changes to payment-related code are reviewed by someone other than the author before release, that reviews look for common vulnerability classes (injection, authentication and session flaws, insecure data handling), and that findings are corrected before deployment. | 16 | High | Medium | High | Code review, WAF, SAST/DAST, payment flow evidence | AppSec / DevOps | After Change | Review |
| 103 | Secure Software & E-Commerce | Review SAST coverage | Verify that static analysis runs on the repositories that hold payment and checkout code, that results are triaged, and that high-severity findings are fixed before release. | 12 | Medium | Medium | Medium | Code review, WAF, SAST/DAST, payment flow evidence | AppSec / DevOps | Quarterly | Review |
| 104 | Secure Software & E-Commerce | Review DAST coverage | Verify that dynamic scanning covers the production-equivalent checkout, account, and admin paths, that authenticated scanning is configured where needed, and that findings are tracked to closure. | 12 | Medium | Medium | Medium | Code review, WAF, SAST/DAST, payment flow evidence | AppSec / DevOps | Annual | Review |
| 105 | Secure Software & E-Commerce | Review payment page scripts | Verify that every script loaded on or executed within payment pages is authorized, that its integrity is protected (for example, Subresource Integrity or a tamper-detection mechanism), and that unexpected changes to page content or script sources raise an alert. | 20 | High | High | High | Code review, WAF, SAST/DAST, payment flow evidence | AppSec / DevOps | Monthly | Review |
| 106 | Secure Software & E-Commerce | Inventory third-party scripts | Verify that an inventory of first-party and third-party scripts on payment pages exists, records the business justification for each, and is reconciled against what the live page actually loads. | 16 | High | Medium | High | Code review, WAF, SAST/DAST, payment flow evidence | AppSec / DevOps | Semiannual | Review |
| 107 | Secure Software & E-Commerce | Review CSP controls | Verify that a Content Security Policy on checkout pages restricts script, frame, and connection sources to the approved list, that it is enforced rather than report-only, and that violation reports are reviewed. | 16 | High | Medium | High | Code review, WAF, SAST/DAST, payment flow evidence | AppSec / DevOps | After Change | Review |
| 108 | Secure Software & E-Commerce | Review WAF rules | Verify that a web application firewall or equivalent protects public payment applications, that rules are current and in blocking mode, that exceptions are documented, and that blocked attacks against the checkout flow are reviewed. | 12 | Medium | Medium | Medium | Code review, WAF, SAST/DAST, payment flow evidence | AppSec / DevOps | Quarterly | Review |
| 109 | Secure Software & E-Commerce | Review checkout flow | Walk the checkout flow end to end and verify where card data is entered, which systems receive it, that it is not logged or cached, and that the flow matches the data-flow diagram and the documented integration method. | 12 | Medium | Medium | Medium | Code review, WAF, SAST/DAST, payment flow evidence | AppSec / DevOps | Annual | Review |
| 110 | Secure Software & E-Commerce | Review hosted payment page setup | Verify that a hosted payment page or iframe integration is configured so that card data is entered only into the provider's page, that the merchant site cannot read or alter the payment form, and that the integration matches what the SAQ or ROC claims. | 20 | High | High | High | Code review, WAF, SAST/DAST, payment flow evidence | AppSec / DevOps | Monthly | Review |
| 111 | Secure Software & E-Commerce | Review payment plugin security | Verify that e-commerce payment plugins are obtained from the provider, kept at a supported version, configured with least privilege, and that plugin settings and API credentials are protected. | 16 | High | Medium | High | Code review, WAF, SAST/DAST, payment flow evidence | AppSec / DevOps | Semiannual | Review |
| 112 | Secure Software & E-Commerce | Review API authentication | Verify that payment APIs authenticate every call with strong credentials or tokens, enforce authorization per resource, rate-limit and log failures, and do not accept anonymous or shared keys. | 16 | High | Medium | High | Code review, WAF, SAST/DAST, payment flow evidence | AppSec / DevOps | After Change | Review |
| 113 | Secure Software & E-Commerce | Review application secrets | Verify that gateway API keys, database passwords, and signing secrets are kept in a secrets manager or protected configuration rather than in source code or repositories, that they are rotated, and that access to them is logged. | 12 | Medium | Medium | Medium | Code review, WAF, SAST/DAST, payment flow evidence | AppSec / DevOps | Quarterly | Review |
| 114 | Secure Software & E-Commerce | Review change approvals | Verify that changes to payment systems and applications are documented, assessed for security impact, approved by someone other than the implementer, and tested before release. | 12 | Medium | Medium | Medium | Code review, WAF, SAST/DAST, payment flow evidence | AppSec / DevOps | Annual | Review |
| 115 | Secure Software & E-Commerce | Review production deployment controls | Verify that only authorized deployment processes can push to production, that developers hold no standing production access, that pipeline credentials are protected, and that deployments are logged. | 20 | High | High | High | Code review, WAF, SAST/DAST, payment flow evidence | AppSec / DevOps | Monthly | Review |
| 116 | Secure Software & E-Commerce | Review test data handling | Verify that live PAN is never used in development or test environments, that test card numbers come from the processor, and that test data and test accounts are removed before a system goes to production. | 16 | High | Medium | High | Code review, WAF, SAST/DAST, payment flow evidence | AppSec / DevOps | Semiannual | Review |
| 117 | Secure Software & E-Commerce | Review admin portal access | Verify that application and e-commerce admin portals require MFA, are restricted by network location or allow-list where possible, use unique accounts, and log administrative actions. | 16 | High | Medium | High | Code review, WAF, SAST/DAST, payment flow evidence | AppSec / DevOps | After Change | Review |
| 118 | Secure Software & E-Commerce | Review web vulnerability findings | Verify that findings from scans, penetration tests, and bug reports against the web payment applications are tracked, fixed within the remediation time frame, and retested. | 12 | Medium | Medium | Medium | Code review, WAF, SAST/DAST, payment flow evidence | AppSec / DevOps | Quarterly | Review |
| 119 | Secure Software & E-Commerce | Review file upload controls | Verify that any file upload feature validates type and size, stores files outside the web root or in a separate service, scans uploads for malware, and cannot be used to place executable content on the payment server. | 12 | Medium | Medium | Medium | Code review, WAF, SAST/DAST, payment flow evidence | AppSec / DevOps | Annual | Review |
| 120 | Secure Software & E-Commerce | Review error handling | Verify that application errors return generic messages to users, that stack traces, queries, and card data never appear in error pages or logs, and that detailed errors are written only to protected logs. | 20 | High | High | High | Code review, WAF, SAST/DAST, payment flow evidence | AppSec / DevOps | Monthly | Review |
| 121 | Access Control & IAM | Maintain RBAC matrix | Verify that a role-based access matrix defines which roles may access CDE systems and data and at what privilege level, that it is kept current, and that actual account assignments match it. | 16 | High | Medium | High | Access export, RBAC matrix, approvals, review signoff | IAM / Security | Semiannual | Review |
| 122 | Access Control & IAM | Review user access to CDE | Pull the list of accounts with access to CDE systems and data, verify each against the RBAC matrix and a business need, and confirm that the review is performed and signed off at least every six months. | 16 | High | Medium | High | Access export, RBAC matrix, approvals, review signoff | IAM / Security | After Change | Review |
| 123 | Access Control & IAM | Review admin groups | Verify that membership of domain, local, database, and application administrator groups is limited to named individuals with a documented need and that no generic or unexplained accounts are present. | 12 | Medium | Medium | Medium | Access export, RBAC matrix, approvals, review signoff | IAM / Security | Quarterly | Review |
| 124 | Access Control & IAM | Review database access | Verify that direct access to databases holding cardholder data is limited to administrators, that applications use their own least-privilege accounts, and that users query data through the application rather than directly. | 12 | Medium | Medium | Medium | Access export, RBAC matrix, approvals, review signoff | IAM / Security | Annual | Review |
| 125 | Access Control & IAM | Review POS admin access | Verify that administrative or manager-level access on POS systems is limited and uses individual credentials, and that default or vendor-supplied accounts have been changed or disabled. | 20 | High | High | High | Access export, RBAC matrix, approvals, review signoff | IAM / Security | Monthly | Review |
| 126 | Access Control & IAM | Review firewall admin access | Verify that firewall and network device administration is limited to named staff, requires MFA, is reachable only from a management network, and that configuration changes are logged. | 16 | High | Medium | High | Access export, RBAC matrix, approvals, review signoff | IAM / Security | Semiannual | Review |
| 127 | Access Control & IAM | Review cloud admin access | Verify that cloud console and API access with administrative scope is limited, uses MFA, avoids long-lived root or owner credentials, and that role assignments are reviewed. | 16 | High | Medium | High | Access export, RBAC matrix, approvals, review signoff | IAM / Security | After Change | Review |
| 128 | Access Control & IAM | Review M365/Entra roles | Verify that privileged Entra ID roles such as Global Administrator are held by a small number of named accounts, that activation is time-bound where privileged identity management is in use, and that role membership is reviewed. | 12 | Medium | Medium | Medium | Access export, RBAC matrix, approvals, review signoff | IAM / Security | Quarterly | Review |
| 129 | Access Control & IAM | Review service accounts | Verify that service accounts are inventoried with an owner and purpose, are not used for interactive logon, hold only the rights the service needs, and that unused ones are disabled. | 12 | Medium | Medium | Medium | Access export, RBAC matrix, approvals, review signoff | IAM / Security | Annual | Review |
| 130 | Access Control & IAM | Review shared accounts | Verify that shared, group, or generic accounts are not used for access to the CDE, or that any remaining exception is documented, approved, restricted, and attributable to the individual using it. | 20 | High | High | High | Access export, RBAC matrix, approvals, review signoff | IAM / Security | Monthly | Review |
| 131 | Access Control & IAM | Review dormant accounts | Verify, using last-logon data from the access export, that accounts inactive for 90 days or more are disabled or removed. | 16 | High | Medium | High | Access export, RBAC matrix, approvals, review signoff | IAM / Security | Semiannual | Review |
| 132 | Access Control & IAM | Review terminated users | Compare recent terminations from HR against directory and application accounts and verify that access was revoked immediately on departure. | 16 | High | Medium | High | Access export, RBAC matrix, approvals, review signoff | IAM / Security | After Change | Review |
| 133 | Access Control & IAM | Approve privileged access | Verify that privileged access is granted only through a documented request with manager and system-owner approval, and that approval records match the privileged accounts that exist. | 12 | Medium | Medium | Medium | Access export, RBAC matrix, approvals, review signoff | IAM / Security | Quarterly | Review |
| 134 | Access Control & IAM | Review PAM controls | Verify that a privileged access management tool or equivalent process vaults, checks out, records, and rotates privileged credentials, and that use of privileged passwords outside it is prevented. | 12 | Medium | Medium | Medium | Access export, RBAC matrix, approvals, review signoff | IAM / Security | Annual | Review |
| 135 | Access Control & IAM | Restrict need-to-know access | Verify that access to cardholder data and CDE systems is limited to the minimum privileges each role requires and that access not justified by job function has been removed. | 20 | High | High | High | Access export, RBAC matrix, approvals, review signoff | IAM / Security | Monthly | Review |
| 136 | Access Control & IAM | Review break-glass accounts | Verify that emergency accounts are inventoried, stored securely, excluded from routine use, monitored for any logon, and that their credentials are rotated after each use. | 16 | High | Medium | High | Access export, RBAC matrix, approvals, review signoff | IAM / Security | Semiannual | Review |
| 137 | Access Control & IAM | Review access request workflow | Verify that access requests, approvals, provisioning, and changes are recorded in a ticketing or IAM workflow so that every account and entitlement can be traced to an approval. | 16 | High | Medium | High | Access export, RBAC matrix, approvals, review signoff | IAM / Security | After Change | Review |
| 138 | Access Control & IAM | Review access recertification | Verify that periodic access reviews are performed by system and data owners, that removals identified in the review are actually executed, and that sign-off evidence is retained. | 12 | Medium | Medium | Medium | Access export, RBAC matrix, approvals, review signoff | IAM / Security | Quarterly | Review |
| 139 | Access Control & IAM | Review contractor access | Verify that contractor accounts are time-limited, sponsored by an employee, restricted to the systems the engagement needs, and disabled when the engagement ends. | 12 | Medium | Medium | Medium | Access export, RBAC matrix, approvals, review signoff | IAM / Security | Annual | Review |
| 140 | Access Control & IAM | Review vendor identities | Verify that vendor and support accounts are individual rather than shared, enabled only when needed, monitored while active, and disabled when not in use. | 20 | High | High | High | Access export, RBAC matrix, approvals, review signoff | IAM / Security | Monthly | Review |
| 141 | Authentication & MFA | Require unique user IDs | Verify that every user, administrator, and vendor is assigned a unique ID before being granted access and that no credentials are shared between individuals. | 20 | Critical | High | High | IAM settings, MFA policy, logs, conditional access evidence | IAM / Security | Semiannual | Review |
| 142 | Authentication & MFA | Enforce MFA for admins | Verify that all administrative access to CDE systems, network devices, cloud consoles, and payment applications requires MFA, confirmed from configuration and logon logs rather than policy alone. | 20 | Critical | High | High | IAM settings, MFA policy, logs, conditional access evidence | IAM / Security | After Change | Review |
| 143 | Authentication & MFA | Enforce MFA for remote access | Verify that every remote network connection into the environment (VPN, remote desktop gateways, vendor support tools) requires MFA and that no bypass group or legacy path remains. | 16 | High | Medium | High | IAM settings, MFA policy, logs, conditional access evidence | IAM / Security | Quarterly | Review |
| 144 | Authentication & MFA | Enforce MFA for CDE access | Verify that MFA is required for all access into the CDE, not only for administrators and remote users, as PCI DSS v4.0 requires, and that the MFA implementation cannot be bypassed or replayed. | 16 | High | Medium | High | IAM settings, MFA policy, logs, conditional access evidence | IAM / Security | Annual | Review |
| 145 | Authentication & MFA | Review password policy | Verify that password settings meet at least the PCI DSS v4.0 minimums (12-character length with complexity, history to prevent reuse, forced change on first use) and are enforced technically on every in-scope system, not only in the directory. | 25 | Critical | High | Critical | IAM settings, MFA policy, logs, conditional access evidence | IAM / Security | Monthly | Review |
| 146 | Authentication & MFA | Review account lockout | Verify that accounts lock after no more than 10 failed attempts and remain locked for at least 30 minutes or until an administrator releases them, on every in-scope system including POS and applications. | 20 | Critical | High | High | IAM settings, MFA policy, logs, conditional access evidence | IAM / Security | Semiannual | Review |
| 147 | Authentication & MFA | Review session timeout | Verify that sessions on CDE systems and applications require re-authentication after 15 minutes of inactivity and that the setting is enforced on POS, servers, remote access, and web admin portals. | 20 | Critical | High | High | IAM settings, MFA policy, logs, conditional access evidence | IAM / Security | After Change | Review |
| 148 | Authentication & MFA | Review SSO configuration | Verify that single sign-on integrations use current protocols (SAML or OIDC), validate signatures and audience, enforce MFA at the identity provider, and that applications do not accept local logon as a bypass. | 16 | High | Medium | High | IAM settings, MFA policy, logs, conditional access evidence | IAM / Security | Quarterly | Review |
| 149 | Authentication & MFA | Review conditional access | Verify that conditional access policies require MFA, block legacy authentication, and restrict access from unmanaged devices or unexpected locations, and that no exclusion group is broad enough to undo the policy. | 16 | High | Medium | High | IAM settings, MFA policy, logs, conditional access evidence | IAM / Security | Annual | Review |
| 150 | Authentication & MFA | Review phishing-resistant options | Verify whether phishing-resistant authenticators (FIDO2 security keys, passkeys, certificate-based authentication) are available and used for administrators and other high-risk roles, and record where weaker methods such as SMS remain. | 25 | Critical | High | Critical | IAM settings, MFA policy, logs, conditional access evidence | IAM / Security | Monthly | Review |
| 151 | Authentication & MFA | Review VPN authentication | Verify that VPN access uses individual accounts with MFA, that a shared pre-shared key or certificate is never the only factor, and that accounts of departed users can no longer connect. | 20 | Critical | High | High | IAM settings, MFA policy, logs, conditional access evidence | IAM / Security | Semiannual | Review |
| 152 | Authentication & MFA | Review service account secrets | Verify that service account passwords and keys are long, unique, stored in a vault, not embedded in scripts or configuration files, and rotated on a schedule or after exposure. | 20 | Critical | High | High | IAM settings, MFA policy, logs, conditional access evidence | IAM / Security | After Change | Review |
| 153 | Authentication & MFA | Rotate privileged passwords | Verify that privileged and local administrator passwords are rotated on schedule and after staff departure, with rotation evidenced by vault or directory records. | 16 | High | Medium | High | IAM settings, MFA policy, logs, conditional access evidence | IAM / Security | Quarterly | Review |
| 154 | Authentication & MFA | Review password vault use | Verify that a password manager or vault is used for shared and privileged credentials, that access to the vault is itself protected by MFA, and that vault access is logged and reviewed. | 16 | High | Medium | High | IAM settings, MFA policy, logs, conditional access evidence | IAM / Security | Annual | Review |
| 155 | Authentication & MFA | Review API keys | Verify that gateway and application API keys are inventoried, scoped to the minimum permissions, not exposed in client-side code or repositories, rotated, and revoked when no longer needed. | 25 | Critical | High | Critical | IAM settings, MFA policy, logs, conditional access evidence | IAM / Security | Monthly | Review |
| 156 | Authentication & MFA | Review token expiration | Verify that session tokens, refresh tokens, and API tokens have bounded lifetimes, are invalidated on logout and password change, and are never valid indefinitely. | 20 | Critical | High | High | IAM settings, MFA policy, logs, conditional access evidence | IAM / Security | Semiannual | Review |
| 157 | Authentication & MFA | Review failed login alerts | Verify that repeated failed logons, lockouts, and a successful logon following a burst of failures are alerted on and reviewed, especially for administrator, VPN, and payment application accounts. | 20 | Critical | High | High | IAM settings, MFA policy, logs, conditional access evidence | IAM / Security | After Change | Review |
| 158 | Authentication & MFA | Review inactive account disablement | Verify that a process disables accounts inactive for 90 days, that it covers applications and POS as well as the directory, and check a sample of last-logon dates against the policy. | 16 | High | Medium | High | IAM settings, MFA policy, logs, conditional access evidence | IAM / Security | Quarterly | Review |
| 159 | Authentication & MFA | Review password reset process | Verify that password resets require identity verification, that temporary passwords are unique and must be changed on first use, and that help-desk staff cannot be talked into resetting privileged accounts without verification. | 16 | High | Medium | High | IAM settings, MFA policy, logs, conditional access evidence | IAM / Security | Annual | Review |
| 160 | Authentication & MFA | Review authentication logs | Verify that authentication events (success, failure, lockout, MFA result, privilege use) are logged on all in-scope systems, forwarded centrally, and reviewed. | 25 | Critical | High | Critical | IAM settings, MFA policy, logs, conditional access evidence | IAM / Security | Monthly | Review |
| 161 | Physical, POS & Media Security | Maintain payment terminal inventory | Verify that an inventory of all card-reading devices records make, model, serial number, and location, and that it is reconciled against the devices actually deployed. | 16 | High | Medium | High | POS inventory, inspection logs, access and media records | Operations / Facilities | Semiannual | Review |
| 162 | Physical, POS & Media Security | Inspect POS devices | Verify that terminals are periodically inspected for tampering or substitution (skimmers, added cables, altered seals, mismatched serial numbers) and that each inspection is recorded. | 16 | High | Medium | High | POS inventory, inspection logs, access and media records | Operations / Facilities | After Change | Review |
| 163 | Physical, POS & Media Security | Train staff on tampering | Verify that staff who handle terminals are trained to recognize tampering, to verify the identity of anyone claiming to service a device, and to report suspicious devices or behaviour. | 12 | Medium | Medium | Medium | POS inventory, inspection logs, access and media records | Operations / Facilities | Quarterly | Review |
| 164 | Physical, POS & Media Security | Review POS replacement process | Verify that replacement or repair of a terminal follows a documented process, that incoming devices are checked against the order and serial number, and that the inventory is updated. | 12 | Medium | Medium | Medium | POS inventory, inspection logs, access and media records | Operations / Facilities | Annual | Review |
| 165 | Physical, POS & Media Security | Review device serial numbers | Verify that serial numbers on deployed terminals match the inventory and that any mismatch is treated as a possible substitution and escalated. | 20 | High | High | High | POS inventory, inspection logs, access and media records | Operations / Facilities | Monthly | Review |
| 166 | Physical, POS & Media Security | Review camera coverage | Verify that cameras cover card-present checkout areas and entry points to rooms holding CDE systems, that recordings are protected and retained for at least three months, and that they are available for incident review. | 16 | High | Medium | High | POS inventory, inspection logs, access and media records | Operations / Facilities | Semiannual | Review |
| 167 | Physical, POS & Media Security | Review server room access | Verify that physical access to rooms holding CDE servers is restricted to authorized staff, that access is logged, and that the authorized list is reviewed. | 16 | High | Medium | High | POS inventory, inspection logs, access and media records | Operations / Facilities | After Change | Review |
| 168 | Physical, POS & Media Security | Review network closet access | Verify that network closets and wiring cabinets carrying CDE traffic are locked, that access is limited and recorded, and that publicly accessible network jacks are disabled or controlled. | 12 | Medium | Medium | Medium | POS inventory, inspection logs, access and media records | Operations / Facilities | Quarterly | Review |
| 169 | Physical, POS & Media Security | Review visitor logs | Verify that visitors to sensitive areas are identified, escorted, given a distinguishable badge, and recorded in a log retained for at least three months. | 12 | Medium | Medium | Medium | POS inventory, inspection logs, access and media records | Operations / Facilities | Annual | Review |
| 170 | Physical, POS & Media Security | Review badge access logs | Verify that badge or electronic access logs for sensitive areas are retained, reviewed for unexpected access, and reconciled against the authorized-person list. | 20 | High | High | High | POS inventory, inspection logs, access and media records | Operations / Facilities | Monthly | Review |
| 171 | Physical, POS & Media Security | Secure printed PAN | Verify that receipts, reports, or forms showing full PAN are minimized, kept in locked containers, restricted to staff with a need, and destroyed when no longer required. | 16 | High | Medium | High | POS inventory, inspection logs, access and media records | Operations / Facilities | Semiannual | Review |
| 172 | Physical, POS & Media Security | Secure removable media | Verify that media containing cardholder data is classified and stored securely, and that any movement of it outside the facility is approved and tracked. | 16 | High | Medium | High | POS inventory, inspection logs, access and media records | Operations / Facilities | After Change | Review |
| 173 | Physical, POS & Media Security | Review media destruction | Verify that media containing cardholder data is destroyed when no longer needed (shredding or incineration for paper; secure wipe or physical destruction for electronic media) and that destruction is recorded. | 12 | Medium | Medium | Medium | POS inventory, inspection logs, access and media records | Operations / Facilities | Quarterly | Review |
| 174 | Physical, POS & Media Security | Track backup media | Verify that backup media containing cardholder data is inventoried, stored in a secure on-site or off-site location, that the inventory is reviewed at least annually, and that transport is tracked. | 12 | Medium | Medium | Medium | POS inventory, inspection logs, access and media records | Operations / Facilities | Annual | Review |
| 175 | Physical, POS & Media Security | Review shipping of devices | Verify that terminals shipped to or from sites go by a tracked method, that receipt is confirmed against serial numbers, and that devices are not left unattended on arrival. | 20 | High | High | High | POS inventory, inspection logs, access and media records | Operations / Facilities | Monthly | Review |
| 176 | Physical, POS & Media Security | Review branch physical controls | Verify that each branch or store applies the same physical controls as the main site: locked network equipment, controlled terminal storage, inspection schedules, and local staff awareness. | 16 | High | Medium | High | POS inventory, inspection logs, access and media records | Operations / Facilities | Semiannual | Review |
| 177 | Physical, POS & Media Security | Review kiosk security | Verify that self-service kiosks accepting payments have tamper-resistant enclosures, restricted physical ports, and a protected operating system, and that they are included in the device inventory and inspection schedule. | 16 | High | Medium | High | POS inventory, inspection logs, access and media records | Operations / Facilities | After Change | Review |
| 178 | Physical, POS & Media Security | Review cash wrap access | Verify that checkout counters and cash-wrap areas keep terminal cabling and ports out of customer reach, and that spare terminals are stored securely rather than left on the counter. | 12 | Medium | Medium | Medium | POS inventory, inspection logs, access and media records | Operations / Facilities | Quarterly | Review |
| 179 | Physical, POS & Media Security | Review POS support process | Verify that on-site or remote support of POS devices is performed only by verified, scheduled technicians, that staff confirm the visit with the vendor before granting access, and that support activity is logged. | 12 | Medium | Medium | Medium | POS inventory, inspection logs, access and media records | Operations / Facilities | Annual | Review |
| 180 | Physical, POS & Media Security | Review incident escalation for tampering | Verify that suspected tampering or substitution of a device triggers immediate removal of the device from service, notification to the acquirer or processor, and activation of the incident response process. | 20 | High | High | High | POS inventory, inspection logs, access and media records | Operations / Facilities | Monthly | Review |
| 181 | Logging, Monitoring & Incident Response | Centralize CDE logs | Assess whether the "Centralize CDE logs" control is implemented, documented, monitored, and aligned to the payment environment. | 20 | High | High | High | SIEM logs, alert tickets, IR plan, tabletop records | SecOps / CISO | Semiannual | Review |
| 182 | Logging, Monitoring & Incident Response | Log admin activity | Assess whether the "Log admin activity" control is implemented, documented, monitored, and aligned to the payment environment. | 20 | High | High | High | SIEM logs, alert tickets, IR plan, tabletop records | SecOps / CISO | After Change | Review |
| 183 | Logging, Monitoring & Incident Response | Log authentication events | Assess whether the "Log authentication events" control is implemented, documented, monitored, and aligned to the payment environment. | 16 | High | Medium | High | SIEM logs, alert tickets, IR plan, tabletop records | SecOps / CISO | Quarterly | Review |
| 184 | Logging, Monitoring & Incident Response | Log firewall events | Assess whether the "Log firewall events" control is implemented, documented, monitored, and aligned to the payment environment. | 16 | High | Medium | High | SIEM logs, alert tickets, IR plan, tabletop records | SecOps / CISO | Annual | Review |
| 185 | Logging, Monitoring & Incident Response | Log database access | Assess whether the "Log database access" control is implemented, documented, monitored, and aligned to the payment environment. | 25 | High | High | Critical | SIEM logs, alert tickets, IR plan, tabletop records | SecOps / CISO | Monthly | Review |
| 186 | Logging, Monitoring & Incident Response | Log payment application events | Assess whether the "Log payment application events" control is implemented, documented, monitored, and aligned to the payment environment. | 20 | High | High | High | SIEM logs, alert tickets, IR plan, tabletop records | SecOps / CISO | Semiannual | Review |
| 187 | Logging, Monitoring & Incident Response | Protect logs from changes | Assess whether the "Protect logs from changes" control is implemented, documented, monitored, and aligned to the payment environment. | 20 | High | High | High | SIEM logs, alert tickets, IR plan, tabletop records | SecOps / CISO | After Change | Review |
| 188 | Logging, Monitoring & Incident Response | Review log retention | Assess whether the "Review log retention" control is implemented, documented, monitored, and aligned to the payment environment. | 16 | High | Medium | High | SIEM logs, alert tickets, IR plan, tabletop records | SecOps / CISO | Quarterly | Review |
| 189 | Logging, Monitoring & Incident Response | Review SIEM alert rules | Assess whether the "Review SIEM alert rules" control is implemented, documented, monitored, and aligned to the payment environment. | 16 | High | Medium | High | SIEM logs, alert tickets, IR plan, tabletop records | SecOps / CISO | Annual | Review |
| 190 | Logging, Monitoring & Incident Response | Review daily alert process | Assess whether the "Review daily alert process" control is implemented, documented, monitored, and aligned to the payment environment. | 25 | High | High | Critical | SIEM logs, alert tickets, IR plan, tabletop records | SecOps / CISO | Monthly | Review |
| 191 | Logging, Monitoring & Incident Response | Review failed login monitoring | Assess whether the "Review failed login monitoring" control is implemented, documented, monitored, and aligned to the payment environment. | 20 | High | High | High | SIEM logs, alert tickets, IR plan, tabletop records | SecOps / CISO | Semiannual | Review |
| 192 | Logging, Monitoring & Incident Response | Review privileged changes | Assess whether the "Review privileged changes" control is implemented, documented, monitored, and aligned to the payment environment. | 20 | High | High | High | SIEM logs, alert tickets, IR plan, tabletop records | SecOps / CISO | After Change | Review |
| 193 | Logging, Monitoring & Incident Response | Review file integrity monitoring | Assess whether the "Review file integrity monitoring" control is implemented, documented, monitored, and aligned to the payment environment. | 16 | High | Medium | High | SIEM logs, alert tickets, IR plan, tabletop records | SecOps / CISO | Quarterly | Review |
| 194 | Logging, Monitoring & Incident Response | Review incident response plan | Assess whether the "Review incident response plan" control is implemented, documented, monitored, and aligned to the payment environment. | 16 | High | Medium | High | SIEM logs, alert tickets, IR plan, tabletop records | SecOps / CISO | Annual | Review |
| 195 | Logging, Monitoring & Incident Response | Test IR tabletop | Assess whether the "Test IR tabletop" control is implemented, documented, monitored, and aligned to the payment environment. | 25 | High | High | Critical | SIEM logs, alert tickets, IR plan, tabletop records | SecOps / CISO | Monthly | Review |
| 196 | Logging, Monitoring & Incident Response | Review breach contacts | Assess whether the "Review breach contacts" control is implemented, documented, monitored, and aligned to the payment environment. | 20 | High | High | High | SIEM logs, alert tickets, IR plan, tabletop records | SecOps / CISO | Semiannual | Review |
| 197 | Logging, Monitoring & Incident Response | Review forensic readiness | Assess whether the "Review forensic readiness" control is implemented, documented, monitored, and aligned to the payment environment. | 20 | High | High | High | SIEM logs, alert tickets, IR plan, tabletop records | SecOps / CISO | After Change | Review |
| 198 | Logging, Monitoring & Incident Response | Review time-source alignment | Assess whether the "Review time-source alignment" control is implemented, documented, monitored, and aligned to the payment environment. | 16 | High | Medium | High | SIEM logs, alert tickets, IR plan, tabletop records | SecOps / CISO | Quarterly | Review |
| 199 | Logging, Monitoring & Incident Response | Review alert escalation | Assess whether the "Review alert escalation" control is implemented, documented, monitored, and aligned to the payment environment. | 16 | High | Medium | High | SIEM logs, alert tickets, IR plan, tabletop records | SecOps / CISO | Annual | Review |
| 200 | Logging, Monitoring & Incident Response | Review lessons learned | Assess whether the "Review lessons learned" control is implemented, documented, monitored, and aligned to the payment environment. | 25 | High | High | Critical | SIEM logs, alert tickets, IR plan, tabletop records | SecOps / CISO | Monthly | Review |
| 201 | Testing, Scanning & Vulnerability Assessment | Run internal vulnerability scans | Assess whether the "Run internal vulnerability scans" control is implemented, documented, monitored, and aligned to the payment environment. | 20 | High | High | High | Scan report, pentest notes, retest evidence | Security / Risk | Semiannual | Review |
| 202 | Testing, Scanning & Vulnerability Assessment | Run external vulnerability scans | Assess whether the "Run external vulnerability scans" control is implemented, documented, monitored, and aligned to the payment environment. | 20 | High | High | High | Scan report, pentest notes, retest evidence | Security / Risk | After Change | Review |
| 203 | Testing, Scanning & Vulnerability Assessment | Track scan remediation | Assess whether the "Track scan remediation" control is implemented, documented, monitored, and aligned to the payment environment. | 16 | High | Medium | High | Scan report, pentest notes, retest evidence | Security / Risk | Quarterly | Review |
| 204 | Testing, Scanning & Vulnerability Assessment | Perform segmentation testing | Assess whether the "Perform segmentation testing" control is implemented, documented, monitored, and aligned to the payment environment. | 16 | High | Medium | High | Scan report, pentest notes, retest evidence | Security / Risk | Annual | Review |
| 205 | Testing, Scanning & Vulnerability Assessment | Perform penetration testing | Assess whether the "Perform penetration testing" control is implemented, documented, monitored, and aligned to the payment environment. | 25 | High | High | Critical | Scan report, pentest notes, retest evidence | Security / Risk | Monthly | Review |
| 206 | Testing, Scanning & Vulnerability Assessment | Retest critical findings | Assess whether the "Retest critical findings" control is implemented, documented, monitored, and aligned to the payment environment. | 20 | High | High | High | Scan report, pentest notes, retest evidence | Security / Risk | Semiannual | Review |
| 207 | Testing, Scanning & Vulnerability Assessment | Review ASV results if applicable | Assess whether the "Review ASV results if applicable" control is implemented, documented, monitored, and aligned to the payment environment. | 20 | High | High | High | Scan report, pentest notes, retest evidence | Security / Risk | After Change | Review |
| 208 | Testing, Scanning & Vulnerability Assessment | Review wireless scanning | Assess whether the "Review wireless scanning" control is implemented, documented, monitored, and aligned to the payment environment. | 16 | High | Medium | High | Scan report, pentest notes, retest evidence | Security / Risk | Quarterly | Review |
| 209 | Testing, Scanning & Vulnerability Assessment | Review rogue device detection | Assess whether the "Review rogue device detection" control is implemented, documented, monitored, and aligned to the payment environment. | 16 | High | Medium | High | Scan report, pentest notes, retest evidence | Security / Risk | Annual | Review |
| 210 | Testing, Scanning & Vulnerability Assessment | Review cloud exposure scans | Assess whether the "Review cloud exposure scans" control is implemented, documented, monitored, and aligned to the payment environment. | 25 | High | High | Critical | Scan report, pentest notes, retest evidence | Security / Risk | Monthly | Review |
| 211 | Testing, Scanning & Vulnerability Assessment | Review web app testing | Assess whether the "Review web app testing" control is implemented, documented, monitored, and aligned to the payment environment. | 20 | High | High | High | Scan report, pentest notes, retest evidence | Security / Risk | Semiannual | Review |
| 212 | Testing, Scanning & Vulnerability Assessment | Review API testing | Assess whether the "Review API testing" control is implemented, documented, monitored, and aligned to the payment environment. | 20 | High | High | High | Scan report, pentest notes, retest evidence | Security / Risk | After Change | Review |
| 213 | Testing, Scanning & Vulnerability Assessment | Review credentialed scans | Assess whether the "Review credentialed scans" control is implemented, documented, monitored, and aligned to the payment environment. | 16 | High | Medium | High | Scan report, pentest notes, retest evidence | Security / Risk | Quarterly | Review |
| 214 | Testing, Scanning & Vulnerability Assessment | Review scan authentication | Assess whether the "Review scan authentication" control is implemented, documented, monitored, and aligned to the payment environment. | 16 | High | Medium | High | Scan report, pentest notes, retest evidence | Security / Risk | Annual | Review |
| 215 | Testing, Scanning & Vulnerability Assessment | Review vulnerability exceptions | Assess whether the "Review vulnerability exceptions" control is implemented, documented, monitored, and aligned to the payment environment. | 25 | High | High | Critical | Scan report, pentest notes, retest evidence | Security / Risk | Monthly | Review |
| 216 | Testing, Scanning & Vulnerability Assessment | Review risk acceptance | Assess whether the "Review risk acceptance" control is implemented, documented, monitored, and aligned to the payment environment. | 20 | High | High | High | Scan report, pentest notes, retest evidence | Security / Risk | Semiannual | Review |
| 217 | Testing, Scanning & Vulnerability Assessment | Review exploitability context | Assess whether the "Review exploitability context" control is implemented, documented, monitored, and aligned to the payment environment. | 20 | High | High | High | Scan report, pentest notes, retest evidence | Security / Risk | After Change | Review |
| 218 | Testing, Scanning & Vulnerability Assessment | Validate remediation evidence | Assess whether the "Validate remediation evidence" control is implemented, documented, monitored, and aligned to the payment environment. | 16 | High | Medium | High | Scan report, pentest notes, retest evidence | Security / Risk | Quarterly | Review |
| 219 | Testing, Scanning & Vulnerability Assessment | Review recurring test schedule | Assess whether the "Review recurring test schedule" control is implemented, documented, monitored, and aligned to the payment environment. | 16 | High | Medium | High | Scan report, pentest notes, retest evidence | Security / Risk | Annual | Review |
| 220 | Testing, Scanning & Vulnerability Assessment | Review change-triggered testing | Assess whether the "Review change-triggered testing" control is implemented, documented, monitored, and aligned to the payment environment. | 25 | High | High | Critical | Scan report, pentest notes, retest evidence | Security / Risk | Monthly | Review |
| 221 | Governance, Vendor Risk & Evidence | Maintain PCI security policy | Assess whether the "Maintain PCI security policy" control is implemented, documented, monitored, and aligned to the payment environment. | 16 | High | Medium | High | Policy, risk register, vendor docs, evidence index | Compliance / CISO | Semiannual | Review |
| 222 | Governance, Vendor Risk & Evidence | Assign PCI responsibilities | Assess whether the "Assign PCI responsibilities" control is implemented, documented, monitored, and aligned to the payment environment. | 16 | High | Medium | High | Policy, risk register, vendor docs, evidence index | Compliance / CISO | After Change | Review |
| 223 | Governance, Vendor Risk & Evidence | Maintain RACI matrix | Assess whether the "Maintain RACI matrix" control is implemented, documented, monitored, and aligned to the payment environment. | 12 | Medium | Medium | Medium | Policy, risk register, vendor docs, evidence index | Compliance / CISO | Quarterly | Review |
| 224 | Governance, Vendor Risk & Evidence | Perform targeted risk analysis | Assess whether the "Perform targeted risk analysis" control is implemented, documented, monitored, and aligned to the payment environment. | 12 | Medium | Medium | Medium | Policy, risk register, vendor docs, evidence index | Compliance / CISO | Annual | Review |
| 225 | Governance, Vendor Risk & Evidence | Maintain risk register | Assess whether the "Maintain risk register" control is implemented, documented, monitored, and aligned to the payment environment. | 20 | High | High | High | Policy, risk register, vendor docs, evidence index | Compliance / CISO | Monthly | Review |
| 226 | Governance, Vendor Risk & Evidence | Review vendor inventory | Assess whether the "Review vendor inventory" control is implemented, documented, monitored, and aligned to the payment environment. | 16 | High | Medium | High | Policy, risk register, vendor docs, evidence index | Compliance / CISO | Semiannual | Review |
| 227 | Governance, Vendor Risk & Evidence | Collect vendor AOCs | Assess whether the "Collect vendor AOCs" control is implemented, documented, monitored, and aligned to the payment environment. | 16 | High | Medium | High | Policy, risk register, vendor docs, evidence index | Compliance / CISO | After Change | Review |
| 228 | Governance, Vendor Risk & Evidence | Review service responsibility matrix | Assess whether the "Review service responsibility matrix" control is implemented, documented, monitored, and aligned to the payment environment. | 12 | Medium | Medium | Medium | Policy, risk register, vendor docs, evidence index | Compliance / CISO | Quarterly | Review |
| 229 | Governance, Vendor Risk & Evidence | Review contracts for security | Assess whether the "Review contracts for security" control is implemented, documented, monitored, and aligned to the payment environment. | 12 | Medium | Medium | Medium | Policy, risk register, vendor docs, evidence index | Compliance / CISO | Annual | Review |
| 230 | Governance, Vendor Risk & Evidence | Review security awareness training | Assess whether the "Review security awareness training" control is implemented, documented, monitored, and aligned to the payment environment. | 20 | High | High | High | Policy, risk register, vendor docs, evidence index | Compliance / CISO | Monthly | Review |
| 231 | Governance, Vendor Risk & Evidence | Review role-based training | Assess whether the "Review role-based training" control is implemented, documented, monitored, and aligned to the payment environment. | 16 | High | Medium | High | Policy, risk register, vendor docs, evidence index | Compliance / CISO | Semiannual | Review |
| 232 | Governance, Vendor Risk & Evidence | Review policy acknowledgments | Assess whether the "Review policy acknowledgments" control is implemented, documented, monitored, and aligned to the payment environment. | 16 | High | Medium | High | Policy, risk register, vendor docs, evidence index | Compliance / CISO | After Change | Review |
| 233 | Governance, Vendor Risk & Evidence | Maintain evidence index | Assess whether the "Maintain evidence index" control is implemented, documented, monitored, and aligned to the payment environment. | 12 | Medium | Medium | Medium | Policy, risk register, vendor docs, evidence index | Compliance / CISO | Quarterly | Review |
| 234 | Governance, Vendor Risk & Evidence | Review SAQ support evidence | Assess whether the "Review SAQ support evidence" control is implemented, documented, monitored, and aligned to the payment environment. | 12 | Medium | Medium | Medium | Policy, risk register, vendor docs, evidence index | Compliance / CISO | Annual | Review |
| 235 | Governance, Vendor Risk & Evidence | Review remediation roadmap | Assess whether the "Review remediation roadmap" control is implemented, documented, monitored, and aligned to the payment environment. | 20 | High | High | High | Policy, risk register, vendor docs, evidence index | Compliance / CISO | Monthly | Review |
| 236 | Governance, Vendor Risk & Evidence | Review management approvals | Assess whether the "Review management approvals" control is implemented, documented, monitored, and aligned to the payment environment. | 16 | High | Medium | High | Policy, risk register, vendor docs, evidence index | Compliance / CISO | Semiannual | Review |
| 237 | Governance, Vendor Risk & Evidence | Review metrics dashboard | Assess whether the "Review metrics dashboard" control is implemented, documented, monitored, and aligned to the payment environment. | 16 | High | Medium | High | Policy, risk register, vendor docs, evidence index | Compliance / CISO | After Change | Review |
| 238 | Governance, Vendor Risk & Evidence | Review audit trail of changes | Assess whether the "Review audit trail of changes" control is implemented, documented, monitored, and aligned to the payment environment. | 12 | Medium | Medium | Medium | Policy, risk register, vendor docs, evidence index | Compliance / CISO | Quarterly | Review |
| 239 | Governance, Vendor Risk & Evidence | Review compliance calendar | Assess whether the "Review compliance calendar" control is implemented, documented, monitored, and aligned to the payment environment. | 12 | Medium | Medium | Medium | Policy, risk register, vendor docs, evidence index | Compliance / CISO | Annual | Review |
| 240 | Governance, Vendor Risk & Evidence | Review executive reporting | Assess whether the "Review executive reporting" control is implemented, documented, monitored, and aligned to the payment environment. | 20 | High | High | High | Policy, risk register, vendor docs, evidence index | Compliance / CISO | Monthly | Review |
This is a hypothetical sample report showing how OC Security Audit could summarize technical PCI DSS assessment results for a company with complex payment operations. The report is based on the technical control areas used on this page, including POS security, e-commerce payment security, firewall and segmentation review, access control, MFA, logging, vulnerability management, vendor access, governance, and evidence preparation.
This sample supports the PCI DSS technical security assessment page and is intentionally focused on technical validation. For the broader PCI DSS readiness process, visit the main PCI DSS compliance audit readiness service.
IT Perfection has a broad payment environment with 25 connected locations, 34 point-of-sale payment locations, two public payment websites, three redundant data centers, and 50 PCI-related servers. The sample assessment found that the organization has several mature security practices, but payment scope, segmentation, stored cardholder data validation, MFA consistency, vendor access, and evidence quality require focused remediation.
The table below summarizes sample results from the PCI DSS technical control matrix for IT Perfection. Scores are presented for demonstration purposes and reflect the type of risk-based reporting that can help executives, CISOs, IT administrators, network administrators, security engineers, and compliance teams prioritize remediation.
| Technical Category | Risk Score | Readiness Estimate | Priority | Recommended Focus |
|---|---|---|---|---|
| Network Security & Segmentation | 240 | 62% | High | Firewall rule cleanup, POS VLAN isolation, segmentation validation, vendor access restriction. |
| Secure Configuration & Asset Inventory | 220 | 76% | Medium | Asset inventory reconciliation, baseline hardening, configuration drift review. |
| Account Data Protection | 250 | 58% | Critical | Stored PAN discovery, backup review, data retention cleanup, encryption verification. |
| Transmission & Encryption | 200 | 81% | Medium | TLS/certificate validation, secure payment redirects, encrypted API review. |
| Endpoint, Malware & Patch Management | 210 | 73% | High | EDR coverage validation, patch remediation, unsupported software review. |
| Secure Software & E-Commerce | 230 | 64% | High | Payment page script inventory, WAF review, web application testing, plugin security. |
| Access Control & IAM | 240 | 69% | High | RBAC cleanup, privileged access review, service account governance. |
| Authentication & MFA | 250 | 61% | Critical | MFA enforcement, conditional access tuning, remote access authentication review. |
| Physical, POS & Media Security | 180 | 78% | Medium | POS inspection logs, terminal inventory, media handling evidence. |
| Logging, Monitoring & Incident Response | 240 | 67% | High | SIEM coverage, log retention, alert escalation, tabletop testing. |
| Testing, Scanning & Vulnerability Assessment | 230 | 63% | High | Authenticated scans, segmentation tests, retesting evidence, vulnerability SLAs. |
| Governance, Vendor Risk & Evidence | 190 | 72% | Medium | Vendor AOCs, responsibility matrix, evidence index, executive reporting. |
The sample risk register uses technical assessment findings rather than general PCI DSS readiness language. Each finding is connected to systems, configurations, access paths, logs, evidence, or technical controls that support payment security.
| Finding ID | Sample Finding | Category | Severity | Risk Score | Likelihood | Impact | Owner | Target |
|---|---|---|---|---|---|---|---|---|
| IPF-PCI-001 | POS segmentation is inconsistent across 11 of 34 payment locations. | Network Security & Segmentation | Critical | 25 | High | Critical | Network Security | 30 Days |
| IPF-PCI-002 | Stored cardholder data locations require validation across database exports, file shares, and backups. | Account Data Protection | Critical | 25 | High | Critical | Data Owner / Security | 30 Days |
| IPF-PCI-003 | MFA is not consistently enforced for all remote administrative access pathways into payment-supporting systems. | Authentication & MFA | Critical | 25 | High | Critical | IAM / Security | 30 Days |
| IPF-PCI-004 | Legacy firewall rules lack business justification and owner approval. | Network Security & Segmentation | High | 20 | High | High | Network Security | 45 Days |
| IPF-PCI-005 | Two e-commerce checkout flows require additional third-party script inventory and CSP review. | Secure Software & E-Commerce | High | 20 | Medium | High | AppSec / Web Team | 45 Days |
| IPF-PCI-006 | Centralized logging is incomplete for several payment application and database events. | Logging, Monitoring & Incident Response | High | 20 | Medium | High | SecOps | 45 Days |
| IPF-PCI-007 | Vulnerability remediation SLAs are documented but not consistently measured with retest evidence. | Testing, Scanning & Vulnerability Assessment | High | 20 | Medium | High | Security / IT Ops | 60 Days |
| IPF-PCI-008 | Vendor security responsibility evidence is incomplete for POS support and payment gateway providers. | Governance, Vendor Risk & Evidence | Medium | 16 | Medium | High | Vendor Risk | 60 Days |
| IPF-PCI-009 | POS terminal inspection procedures exist but are not consistently documented at all locations. | Physical, POS & Media Security | Medium | 12 | Medium | Medium | Operations | 60 Days |
| IPF-PCI-010 | Configuration baseline exceptions need clearer owner approval and expiration dates. | Secure Configuration & Asset Inventory | Medium | 12 | Medium | Medium | Systems / IT Ops | 90 Days |
Each section below represents an example of how OC Security Audit may organize technical assessment observations after reviewing firewall rules, POS systems, payment websites, server configurations, identity controls, logs, vulnerability records, and supporting evidence.
IT Perfection’s assessment results for network security & segmentation were reviewed against the technical control matrix used on this PCI DSS technical security assessment page. The sample score reflects implementation consistency, evidence quality, monitoring maturity, and remediation urgency across payment-supporting systems.
IT Perfection’s assessment results for secure configuration & asset inventory were reviewed against the technical control matrix used on this PCI DSS technical security assessment page. The sample score reflects implementation consistency, evidence quality, monitoring maturity, and remediation urgency across payment-supporting systems.
IT Perfection’s assessment results for account data protection were reviewed against the technical control matrix used on this PCI DSS technical security assessment page. The sample score reflects implementation consistency, evidence quality, monitoring maturity, and remediation urgency across payment-supporting systems.
IT Perfection’s assessment results for transmission & encryption were reviewed against the technical control matrix used on this PCI DSS technical security assessment page. The sample score reflects implementation consistency, evidence quality, monitoring maturity, and remediation urgency across payment-supporting systems.
IT Perfection’s assessment results for endpoint, malware & patch management were reviewed against the technical control matrix used on this PCI DSS technical security assessment page. The sample score reflects implementation consistency, evidence quality, monitoring maturity, and remediation urgency across payment-supporting systems.
IT Perfection’s assessment results for secure software & e-commerce were reviewed against the technical control matrix used on this PCI DSS technical security assessment page. The sample score reflects implementation consistency, evidence quality, monitoring maturity, and remediation urgency across payment-supporting systems.
IT Perfection’s assessment results for access control & IAM were reviewed against the technical control matrix used on this PCI DSS technical security assessment page. The sample score reflects implementation consistency, evidence quality, monitoring maturity, and remediation urgency across payment-supporting systems.
IT Perfection’s assessment results for authentication & MFA were reviewed against the technical control matrix used on this PCI DSS technical security assessment page. The sample score reflects implementation consistency, evidence quality, monitoring maturity, and remediation urgency across payment-supporting systems.
IT Perfection’s assessment results for physical, POS & media security were reviewed against the technical control matrix used on this PCI DSS technical security assessment page. The sample score reflects implementation consistency, evidence quality, monitoring maturity, and remediation urgency across payment-supporting systems.
IT Perfection’s assessment results for logging, monitoring & incident response were reviewed against the technical control matrix used on this PCI DSS technical security assessment page. The sample score reflects implementation consistency, evidence quality, monitoring maturity, and remediation urgency across payment-supporting systems.
IT Perfection’s assessment results for testing, scanning & vulnerability assessment were reviewed against the technical control matrix used on this PCI DSS technical security assessment page. The sample score reflects implementation consistency, evidence quality, monitoring maturity, and remediation urgency across payment-supporting systems.
IT Perfection’s assessment results for governance, vendor risk & evidence were reviewed against the technical control matrix used on this PCI DSS technical security assessment page. The sample score reflects implementation consistency, evidence quality, monitoring maturity, and remediation urgency across payment-supporting systems.
Validate PCI scope, tighten POS segmentation, enforce MFA on remote administrative access, restrict high-risk firewall pathways, and start stored cardholder data discovery.
Complete access reviews, clean legacy firewall rules, update vendor access controls, centralize missing logs, refresh payment website security controls, and document exceptions.
Retest segmentation, validate vulnerability remediation, update diagrams, finalize evidence index, verify ownership records, and prepare technical evidence for broader PCI DSS readiness activity.
A final technical handoff package for a company like IT Perfection may include the executive summary, technical control scorecard, risk register, firewall and segmentation notes, POS security observations, e-commerce payment security review, identity and MFA review, logging and monitoring summary, vulnerability remediation tracker, vendor evidence tracker, and a 30/60/90-day remediation roadmap.