Security Advisory, Information Security Department
1 Nov 2020
ISO20000-1 mapping to PCI 【Continuous Study】
(Remarks) This presentation has no affiliation with any company I've been connected with in the past or present, and no copyright infringements have occurred.
Updated by JS on Sep. 26, 2020
PCI DSS version 3.2.1 Relevant Requirements
4
4.1
The organization shall determine external and internal issues that are relevant to its
purpose and that affect its ability to achieve the intended outcome(s) of its SMS.
6.1 Establish a process to identify security vulnerabilities, using reputable outside sources
for security vulnerability information, and assign a risk ranking (for example, as “high,”
“medium,” or “low”) to newly discovered security vulnerabilities.
10.6.2 Review logs of all other system components periodically based on the organization’s
policies and risk management strategy, as determined by the organization’s annual risk
assessment.
12.2 Implement a risk assessment process, that:
•Is performed at least annually and upon significant changes to the environment (for
example, acquisition, merger, relocation, etc.),
•Identifies critical assets, threats, and vulnerabilities, and
•Results in a formal, documented analysis of risk.
Examples of risk assessment methodologies include but are not limited to OCTAVE, ISO
27005 and NIST SP 800-30.
4.2
The organization shall determine:
a) the interested parties that are relevant to the SMS and services;
b) the relevant requirements of these interested parties.
4.3
The organization shall determine the boundaries and applicability of the SMS to
establish its scope. (※1. DOCUMENT※)
When determining the scope, the organization shall consider
12.8 Maintain and implement policies and procedures to manage service providers with
whom cardholder data is shared, or that could affect the security of cardholder data, as
follows:
a) the external and internal issues referred to in 4.1 (Understanding the organization and
its context)
-
b) the requirements referred to in 4.2 (Understanding the needs and expectations of
interested parties)
-
c) the services delivered by the organization
12.4.1 Overall accountability for maintaining PCI DSS compliance
4.4
Mapping ISO20000 (Service Management System) to PCI DSS v3.2.1
ISO20000-1:2018 clauses, adjusted to PCI DSS
Context of the organization
Understanding the organization and its context
12.9 Additional testing procedure for service provider assessments only: Review service
provider’s policies and procedures and observe templates used for written agreement to
confirm the service provider acknowledges in writing to customers that the service provider
will maintain all applicable PCI DSS requirements to the extent the service provider
possesses or otherwise stores, processes, or transmits cardholder data on behalf of the
customer, or to the extent that they could impact the security of the customer’s cardholder
data environment.
Determining the scope of the SM system
SM System (including each SM process)
Understanding the needs and expectations of interested parties
The organization shall establish, implement, maintain and continually improve an SMS,
including the processes needed and their interactions, in accordance with the
-
5
5.1
Top management shall demonstrate leadership and commitment with respect to the -
a) ensuring that the SM policy and SM objectives are established and are compatible with
the strategic direction of the organization; 【General management practice in ITIL 4】
12.4.1 Additional requirement for service providers only: Executive management shall
establish responsibility for the protection of cardholder data and a PCI DSS compliance
program to include:
•Overall accountability for maintaining PCI DSS compliance
•Defining a charter for a PCI DSS compliance program and communication to executive
management
A3.1.1 Executive management shall establish responsibility for the protection of cardholder
data and a PCI DSS compliance program to include:
・ Overall accountability for maintaining PCI DSS compliance
・ Defining a charter for a PCI DSS compliance program
・ Providing updates to executive management and board of directors on PCI DSS
compliance initiatives and issues, including remediation activities, at least annually
b) ensuring that the SM Plan is created (※2. DOCUMENT※), implemented and
maintained in order to support the SM policy and the achievement of the SM objectives
and service requirements;
-
c) ensuring that appropriate levels of authority are assigned for making decisions related to
the SMS and the services;
d) ensuring that what constitutes value for the organization and its customers is
determined;
e) ensuring there is control of other parties involved in the service lifecycle;
f) ensuring the integration of the SMS requirements into the organization's business
processes;
g) ensuring that the resources needed for the SMS and the services are available;
h) communicating the importance of effective service management, achieving the service
management objectives, delivering value and conforming to the SMS requirements;
i) ensuring that the SMS achieves its intended outcomes;
j) directing and supporting persons to contribute to the effectiveness of the SMS and the
services;
k) promoting continual improvement of the SMS and the services;
l) supporting other relevant management roles to demonstrate their leadership as it
applies to their areas of responsibility.
5.2
Leadership
12.4.a Verify that Infosecurity policy and procedures clearly define Infosecurity
responsibilities for all personnel.
12.5.1 Verify that responsibility for establishing, documenting and distributing security
policies and procedures is formally assigned.
Policy
Leadership and commitment
5.2.1 Establishing the SM policy
Top management shall establish an SM policy that
a) is appropriate to the purpose of the organization
b) provides a framework for setting SM objectives
2.2 Develop configuration standards for all system components. Assure that these
standards address all known security vulnerabilities and are consistent with industry-
accepted system hardening standards.
Sources of industry-accepted system hardening standards may include, but are not limited
to:
•Center for Internet Security (CIS)
•International organization for Standardization (ISO)
•SysAdmin Audit Network Security (SANS) Institute
•National Institute of Standards Technology (NIST)
6.5 Address common coding vulnerabilities in software-development processes as follows:
•Train developers at least annually in up-to-date secure coding techniques, including how to
avoid common coding vulnerabilities.
•Develop applications based on secure coding guidelines.
Note: The vulnerabilities listed at 6.5.1 through 6.5.10 were current with industry best
practices when this version of PCI DSS was published. However, as industry best practices
for vulnerability management are updated (for example, the OWASP Guide, SANS CWE
Top 25, CERT Secure Coding, etc.), the current best practices must be used for these
c) includes a commitment to satisfy applicable requirements
d) includes a commitment to Continual Improvement of the SMS and the services.
5.2.2 Communicating the SM policy -
The SM policy shall -
12.4.1 Additional requirement for service providers only: Executive management shall
establish responsibility for the protection of cardholder data and a PCI DSS compliance
program to include:
•Overall accountability for maintaining PCI DSS compliance
•Defining a charter for a PCI DSS compliance program and communication to executive
management
a) be available as documented information (※3. DOCUMENT※)
1.5 Ensure that security policies and operational procedures for managing firewalls are
documented
2.5 Ensure that security policies and operational procedures for managing vendor defaults
and other security parameters are documented
3.7 Ensure that security policies and operational procedures for protecting stored
cardholder data are documented
4.3 Ensure that security policies and operational procedures for encrypting transmissions of
cardholder data are documented
5.4 Ensure that security policies and operational procedures for protecting systems against
malware are documented
6.7 Ensure that security policies and operational procedures for developing and maintaining
secure systems and applications are documented
7.3 Ensure that security policies and operational procedures for restricting access to
cardholder data are documented
8.8 Ensure that security policies and operational procedures for identification and
authentication are documented
9.10 Ensure that security policies and operational procedures for restricting physical access
b) be communicated within the organization
c) be available to interested parties, as appropriate.
5.3
12.1 Examine the information security policy and verify that the policy is published and
disseminated to all relevant personnel (including vendors and business partners)
12.6.2 Require personnel to acknowledge at least annually that they have read and
understood the security policy and procedures.
Organizational roles, responsibilities, and authorities (※4. DOCUMENT※) 【ITIL2011: N/A】【ITIL4: Organizational Change Management practice; General management practice】
Top management shall ensure that the responsibilities and authorities for roles relevant
to the SMS and the service are assigned and communicated within the organization.
Top management shall assign the responsibility and authority for:
1.1.6 Documentation of business justification and approval for use of all services, protocols,
and ports allowed, including documentation of security features implemented for those
protocols considered to be insecure.
6.4.5.a Examine documented change-control procedures and verify procedures are defined
for:
•Documentation of impact.
•Documented change approval by authorized parties.
7.1.a Examine written policy for access control, and verify that the policy incorporates 7.1.1
through 7.1.4 as follows:
•Defining access needs and privilege assignments for each role.
•Restriction of access to privileged user IDs to least privileges necessary to perform job
responsibilities.
•Assignment of access based on individual personnel’s job classification and function.
•Documented approval (electronically or in writing) by authorized parties for all access,
including listing of specific privileges approved.
8.1.2 For a sample of privileged user IDs and general user IDs, examine associated
authorizations and observe system settings to verify each user ID and privileged user ID
has been implemented with only the privileges specified on the documented approval.
12.3.1 Verify that the usage policies include processes for explicit approval from authorized
parties to use the technologies.
12.4.1 Defining a charter for a PCI DSS compliance program and communication to
executive management
12.5 Examine information security policies and procedures to verify:
•The formal assignment of information security to a Chief Security Officer or other security-
knowledgeable member of management.
•The following information security responsibilities are specifically and formally assigned:
12.5.1 Verify that responsibility for establishing, documenting and distributing security
policies and procedures is formally assigned.
12.5.2 Verify that responsibility for monitoring and analyzing security alerts and distributing
information to appropriate information security and business unit management personnel is
formally assigned.
12.5.3 Verify that responsibility for establishing, documenting, and distributing security
incident response and escalation procedures is formally assigned.
12.5.4 Verify that responsibility for administering (adding, deleting, and modifying) user
a) ensuring that the SMS conforms to the requirements of this doc
b) reporting on the performance of the SMS and the services to top management.
12.5 Examine information security policies and procedures to verify:
•The formal assignment of information security to a Chief Security Officer or other security-
knowledgeable member of management.
•The following information security responsibilities are specifically and formally assigned:
6
6.1 Actions to address risks and opportunities
Planning
6.1.1 When planning for the SMS, the organization shall consider the issues referred to in
4.1 and the requirements referred to in 4.2 and determine the risks and opportunities
that need to be addressed to
-
a) give assurance that the SMS can achieve its intended outcomes -
b) prevent, or reduce, undesired effects -
c) achieve Continual Improvement of the SMS and the services. -
6.1.2 The organization shall determine and document (※5. DOCUMENT※) -
a) risks related to
1) the organization
2) not meeting the service requirements
3) the involvement of other parties in the service lifecycle;
b) the impact on customers of risks and opportunities for the SMS and the services
c) risk acceptance "Criteria"
d) approach to be taken for the management of risks.
6.1.3 The organization shall plan -
a) actions to address these risks and opportunities and their priorities; -
b) how to -
1) integrate and implement the actions into its SMS processes; -
2) evaluate the effectiveness of these actions -
6.2 SM objectives and planning to achieve them -
6.2.1 Establish SM objectives (※6. DOCUMENT※) -
The organization shall establish SM objectives at relevant functions and levels. The SM
objectives shall
-
a) be consistent with the SM Policy -
b) be measurable -
6.1 Establish a process to identify security vulnerabilities, using reputable outside sources
for security vulnerability information, and assign a risk ranking (for example, as “high”,
“medium”, or “low”) to newly discovered security vulnerabilities.
10.6.2 Review logs of all other system components periodically based on the organization’s
policies and risk management strategy, as determined by the organization’s annual risk
assessment.
10.8.1 Additional requirement for service providers only: Respond to failures of any critical
security controls in a timely manner. Processes for responding to failures in security
controls must include:
•Performing a risk assessment to determine whether further actions are required as a result
of the security failure
12.2 Implement a risk assessment process, that:
•Is performed at least annually and upon significant changes to the environment (for
example, acquisition, merger, relocation, etc.),
•Identifies critical assets, threats, and vulnerabilities, and
•Results in a formal, documented analysis of risk.
Examples of risk assessment methodologies include but are not limited to OCTAVE, ISO
27005 and NIST SP 800-30.
A2.2 Review the documented Risk Mitigation and Migration Plan to verify it includes:
•Description of usage, including what data is being transmitted, types and number of
c) take into account applicable requirements
2.2 Develop configuration standards for all system components. Assure that these
standards address all known security vulnerabilities and are consistent with industry-
accepted system hardening standards.
Sources of industry-accepted system hardening standards may include, but are not limited
to:
•Center for Internet Security (CIS)
•International organization for Standardization (ISO)
•SysAdmin Audit Network Security (SANS) Institute
•National Institute of Standards Technology (NIST)
6.5 Address common coding vulnerabilities in software-development processes as follows:
•Train developers at least annually in up-to-date secure coding techniques, including how to
avoid common coding vulnerabilities.
•Develop applications based on secure coding guidelines.
Note: The vulnerabilities listed at 6.5.1 through 6.5.10 were current with industry best
practices when this version of PCI DSS was published. However, as industry best practices
for vulnerability management are updated (for example, the OWASP Guide, SANS CWE
Top 25, CERT Secure Coding, etc.), the current best practices must be used for these
requirements.
d) be monitored -
e) be communicated -
f) be updated as appropriate
6.4.6 For a sample of significant changes, examine change records, interview personnel,
and observe the affected systems/networks to verify that applicable PCI DSS requirements
were implemented and documentation updated as part of the change.
11.3.4.1 & A.3.2.1 Validation of PCI DSS scope should be performed as frequently as
possible to ensure PCI DSS scope remains up to date and aligned with changing business
objectives.
12.1.1 Verify that the information security policy is reviewed at least annually and updated
as needed to reflect changes to business objectives or the risk environment.
12.2 Implement a risk assessment process, that:
•Is performed at least annually and upon significant changes to the environment (for
example, acquisition, merger, relocation, etc.)
6.2.2
When planning how to achieve the SM objectives, management shall determine:
a) what will be done
b) what resources will be required
c) who will be responsible
d) when it will be completed
e) how the results will be evaluated
Plan to achieve objectives (※7. DOCUMENT※)
12.5 Assign to an individual or team the following information security management
responsibilities:
12.6.2 Require personnel to acknowledge at least annually that they have read and
understood the security policy and procedures.
12.8.2 Observe written agreements and confirm they include an acknowledgement by
service providers that they are responsible for the security of cardholder data the service
providers possess or otherwise store, process or transmit on behalf of the customer, or to
the extent that
they could impact the security of the customer’s cardholder data environment.
12.9 Additional requirement for service providers only: Service providers acknowledge in
writing to customers that they are responsible for the security of cardholder data the service
provider possesses or otherwise stores, processes, or transmits on behalf of the customer,
6.3 Plan the SMS -
The organization shall create (※8. DOCUMENT※), implement and maintain an SM
plan. Planning shall take into consideration the SM policy, SM objectives, risks and
opportunities, service requirements and requirements specified in this document.
-
a) list of services; -
b) known limitations that can impact the SMS and the services. -
c) obligations such as relevant policies, standards, legal, regulatory and contractual
requirements, and how these obligations apply to the SMS and the services
12.8.2 Observe written agreements and confirm they include an acknowledgement by
service providers that they are responsible for the security of cardholder data the service
providers possess or otherwise store, process or transmit on behalf of the customer, or to
the extent that
they could impact the security of the customer’s cardholder data environment.
12.8.3 Ensure there is an established process for engaging service providers including
proper due diligence prior to engagement.
12.9 Additional requirement for service providers only: Service providers acknowledge in
writing to customers that they are responsible for the security of cardholder data the service
provider possesses or otherwise stores, processes, or transmits on behalf of the customer,
or to the extent that they could impact the security of the customer’s cardholder data
environment.
12.10.1.a Verify that the incident response plan includes:
Analysis of legal requirements for reporting compromises (for example, California Bill
d) authorities and responsibilities for the SMS and the services
12.4.a Verify that Infosecurity policy and procedures clearly define Infosecurity
responsibilities for all personnel.
12.5.1 Verify that responsibility for establishing, documenting and distributing security
policies and procedures is formally assigned.
e) human, technical, information and financial resources necessary to operate the SMS
and the services
N/A
f) approach to be taken for working with other parties involved in the service lifecycle
12.8.2 Observe written agreements and confirm they include an acknowledgement by
service providers that they are responsible for the security of cardholder data the service
providers possess or otherwise store, process or transmit on behalf of the customer, or to
the extent that
they could impact the security of the customer’s cardholder data environment.
12.9 Additional requirement for service providers only: Service providers acknowledge in
writing to customers that they are responsible for the security of cardholder data the service
provider possesses or otherwise stores, processes, or transmits on behalf of the customer,
g) technology used to support the SMS -
h) how the effectiveness of the SMS and the services will be measured, audited, reported
and improved.
6.1 Establish a process to identify security vulnerabilities, using reputable outside sources
for security vulnerability information, and assign a risk ranking (for example, as “high,”
“medium,” or “low”) to newly discovered security vulnerabilities.
11.2.3.b Review scan reports and verify that the scan process includes rescans until:
For external scans, no vulnerabilities exist that are scored 4.0 or higher by the CVSS.
For internal scans, all “high risk” vulnerabilities
Other planning activities shall maintain alignment with the SM plan. -
7
7.1
The organization shall determine and provide the human, technical, information and
financial resources needed for the establishment, implementation, maintenance and
continual improvement of the SMS and the operation of the services to meet the
service requirements and achieve the SM objectives.
12.5 Examine information security policies and procedures to verify:
The formal assignment of information security to a Chief Security Officer or other
security-knowledgeable member of management.
The following information security responsibilities are specifically and formally assigned:
7.2
The organization shall -
a) determine the necessary competence of persons doing work under its control that
affects the performance and effectiveness of the SMS and the services
b) ensure that these persons are competent on the basis of appropriate education,
training, or experience
c) where applicable, take actions to acquire the necessary competence, and evaluate the
effectiveness of the actions taken
12.6.1.b Verify that personnel attend security awareness training upon hire and at least
annually.
d) retain appropriate documented information as evidence of competence (※10. DOCUMENT※)
12.6.2 Verify that the security awareness program requires personnel to acknowledge, in
writing or electronically, at least annually that they have read and understand the
information security policy.
Note: applicable actions can include, for example, the provision of training to, the mentoring
of, or the re-assignment of currently employed persons; or the hiring or contracting of
competent persons.
-
7.3
ES1.1# List all other assessors involved in the assessment. If there were none, mark as Not
Applicable. (add rows as needed)
Assessor name:
Assessor PCI credentials: (QSA, PA-QSA, etc.)
2.2.4.a Interview system administrators and/or security managers to verify that they have
knowledge of common security parameter settings for system components.
6.3.2.b Code changes are reviewed by individuals who are knowledgeable in code-review
techniques and secure coding practices.
11.2.1 Scans must be performed by qualified personnel.
11.2.2 Perform quarterly external vulnerability scans, via an Approved Scanning Vendor
(ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC).
11.3.1.b Verify that the test was performed by a qualified internal resource or qualified
external third party, and if applicable, organizational independence of the tester exists (not
required to be a QSA or ASV).
12.6 Implement a formal security awareness program to make all personnel aware of the
cardholder data security policy and procedures.
12.6.2 Require personnel to acknowledge at least annually that they have read and
understood the security policy and procedures.
Resources(※9. DOCUMENT※)
Competence 【ITIL2011: N/A】【ITIL4: Workforce & Talent Management practice; General management practice】
Awareness(※11.DOCUMENT※)
Support of the SMS
Persons doing work under the organization's control shall be aware of -
a) the SM policy -
b) the SM objectives -
c) the services relevant to their work -
d) their contribution to the effectiveness of the SMS, including the benefits of improved
performance
-
e) the implications of not conforming with the SMS requirements.
12.9 Additional requirement for service providers only: Service providers acknowledge in
writing to customers that they are responsible for the security of cardholder data the service
provider possesses or otherwise stores, processes, or transmits on behalf of the customer,
or to the extent that they could impact the security of the customer’s cardholder data
environment.
12.10.1.a Verify that the incident response plan includes:
Analysis of legal requirements for reporting compromises (for example, California Bill
1386,
which requires notification of affected consumers in the event of an actual or suspected
7.4
The organization shall determine the internal and external communications
relevant to the SMS and the services (※12. DOCUMENT※) including
a) on what it will communicate
b) when to communicate
c) with whom to communicate
d) how to communicate
e) who will be responsible for the communication.
7.5
7.5.1
The organization's SMS shall include
a) documented information required by this document
b) documented information determined by the organization as being necessary for the
effectiveness of the SMS.
Note: the extent of documented information for an SMS can differ from one organization to another depending on
the size of the organization and its type of activities, processes, products and services, and
resources
the complexity of processes and their interactions
the competence of persons
7.5.2 Creating and updating -
General
Documented Information (※DOCUMENT※)
Communications
-
12.10.1.a Verify that the incident response plan includes:
・Roles, responsibilities, and communication strategies in the event of a compromise
including notification of the payment brands, at a minimum.
Provide the name of the assessor who attests that the incident response plan was verified
to include:
•Roles and responsibilities.
•Communication strategies.
•Requirement for notification of the payment brands.
•Specific incident response procedures.
•Business recovery and continuity procedures.
•Data back-up processes.
•Analysis of legal requirements for reporting compromises.
•Coverage for all critical system components.
•Responses for all critical system components.
•Reference or inclusion of incident response procedures from the payment brands.
When creating and updating documented information the organization shall ensure -
a) identification and description (e.g. a title, date, author, or reference number) (※13. DOCUMENT※)
ES#4.9 documentation reviewed
b) format (e.g. language, software version, graphics or diagrams) and media (e.g. hardcopy
or paper, electronic)
-
c) review and approval for suitability and adequacy. -
7.5.3 Control of documented information -
7.5.3.1 Documented information required by the SMS and by this document shall be controlled to ensure -
a) it is available and suitable for use, where and when it is needed
1.5 Ensure that security policies and operational procedures for managing firewalls are
documented, in use, and known to all affected parties.
2.5 Ensure that security policies and operational procedures for managing vendor defaults
and other security parameters are documented, in use, and known to all affected parties.
3.7 Ensure that security policies and operational procedures for protecting stored
cardholder data are documented, in use, and known to all affected parties.
4.3 Ensure that security policies and operational procedures for encrypting transmissions of
cardholder data are documented, in use, and known to all affected parties.
5.4 Ensure that security policies and operational procedures for protecting systems against
malware are documented, in use, and known to all affected parties.
6.7 Ensure that security policies and operational procedures for developing and maintaining
secure systems and applications are documented, in use, and known to all affected parties.
7.3 Ensure that security policies and operational procedures for restricting access to
cardholder data are documented, in use, and known to all affected parties.
8.8 Ensure that security policies and operational procedures for identification and
authentication are documented, in use, and known to all affected parties.
b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of -
7.5.3.2 For the control of documented info, the organization shall address the following
activities, as applicable
-
a) distribution, access, retrieval and use
b) storage and preservation, including preservation of readability
c) control of changes (e.g. version control)
1.1.3 Current diagram that shows all cardholder data flows across systems and networks.
6.4.6 Upon completion of a significant change, all relevant PCI DSS requirements must be
implemented on all new or changed systems and networks, and documentation updated as
applicable.
d) retention and disposition -
documented info of external origin determined by the organization to be necessary for
the planning and operation of the SMS shall be identified, as appropriate, and
-
Note: access can imply a decision regarding the permission to view the documented information
only, or the permission and authority to view and change the documented info.
-
7.5.4 SMS documented information (※DOCUMENT※) -
the documented information for the SMS shall include -
a) scope of the SMS in 4.3 (Determining the scope of the SM system); -
9.10 Ensure that security policies and operational procedures for restricting physical access
b) policy and objectives for service management
c) SM Plan
d) change management policy, information security policy and service continuity plans
e) processes of the organization's SMS
f) service requirements
g) service catalogues
h) service level agreements(SLA)
i) contracts with external suppliers
j) agreements with internal suppliers or customers acting as a supplier
k) procedures that are required by this doc -
12.9 Additional requirement for service providers only: Service providers acknowledge in
writing to customers that they are responsible for the security of cardholder data the service
provider possesses or otherwise stores, processes, or transmits on behalf of the customer,
or to the extent that they could impact the security of the customer’s cardholder data
environment.
1.1.1 A formal process for approving and testing all network connections and changes to
the firewall and router configurations.
1.5 Ensure that security policies and operational procedures for managing firewalls are
documented, in use, and known to all affected parties.
2.5 Ensure that security policies and operational procedures for managing vendor defaults
and other security parameters are documented, in use, and known to all affected parties.
3.7 Ensure that security policies and operational procedures for protecting stored
cardholder data are documented, in use, and known to all affected parties.
4.3 Ensure that security policies and operational procedures for encrypting transmissions of
cardholder data are documented, in use, and known to all affected parties.
5.4 Ensure that security policies and operational procedures for protecting systems against
malware are documented, in use, and known to all affected parties.
6.4.5.a Examine documented change control procedures and verify procedures are defined
for:
Documentation of impact
Documented change approval by authorized parties
Functionality testing to verify that the change does not adversely impact the security of
the system
Back-out procedures
6.4.5.3 Functionality testing to verify that the change does not adversely impact the security
of the system.
6.7 Ensure that security policies and operational procedures for developing and maintaining
secure systems and applications are documented, in use, and known to all affected parties.
7.3 Ensure that security policies and operational procedures for restricting access to
cardholder data are documented, in use, and known to all affected parties.
8.8 Ensure that security policies and operational procedures for identification and
authentication are documented, in use, and known to all affected parties.
l) records required to demonstrate evidence (※14.DOCUMENT※) of conformity to the
requirements of this doc and the organization's SMS.
1.1.1.a Examine documented procedures to verify there is a formal process for testing and
approval of all:
Network connections and
Changes to firewall and router configurations
3.1.c For a sample of system components that store cardholder data:
Examine files and system records to verify that the data stored does not exceed the
requirements defined in the data retention policy
Observe the deletion mechanism to verify data is deleted securely.
6.4.5.a Examine documented change control procedures and verify procedures are defined
for:
Documentation of impact
Documented change approval by authorized parties
7.1 Examine written policy for access control, and verify that the policy incorporates 7.1.1
through 7.1.4 as follows:
Defining access needs and privilege assignments for each role
Restriction of access to privileged user IDs to least privileges necessary to perform job
responsibilities
Assignment of access based on individual personnel’s job classification and function
Documented approval (electronically or in writing) by authorized parties for all access,
including listing of specific privileges approved.
8.1.2 For a sample of privileged user IDs and general user IDs, examine associated
authorizations and observe system settings to verify each user ID and privileged user ID
has been implemented with only the privileges specified on the documented approval.
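The 7.1 and 8.1.2 testing procedures above reduce to one mechanical comparison: for every user ID, the privileges actually configured on the system versus the specific privileges listed on the documented approval. The following is an added example (not from the slide deck or from PCI SSC) of that reconciliation; the roles, approval records and "system settings" are constructed sample data, and the privilege names are assumptions.

```python
"""Reconcile implemented privileges against documented approvals.

Added example for PCI DSS 3.2.1 testing procedures 7.1 and 8.1.2; it is not
part of the original slide deck. The roles, approval records and "system
settings" below are constructed sample data, not exports from a real system.
"""
from dataclasses import dataclass

# 7.1.1: access needs and privilege assignments defined for each role (assumed roles).
ROLE_PRIVILEGES = {
    "dba": {"db:read", "db:write", "db:schema"},
    "app_support": {"db:read", "logs:read"},
    "sec_analyst": {"logs:read", "siem:search"},
}


@dataclass(frozen=True)
class Approval:
    """7.1.4: documented approval by an authorized party listing the specific privileges."""
    user_id: str
    role: str
    approved_by: str
    extra_privileges: frozenset = frozenset()

    def approved_privileges(self) -> set:
        """Role privileges (7.1.3) plus any individually approved extras."""
        return set(ROLE_PRIVILEGES[self.role]) | set(self.extra_privileges)


@dataclass(frozen=True)
class Deviation:
    user_id: str
    kind: str  # "no_approval", "excess" (more than approved) or "missing" (less)
    privileges: frozenset


def reconcile(approvals, implemented):
    """8.1.2: check each user ID carries only the privileges on its documented approval.

    `implemented` maps user_id -> set of privileges actually configured on the
    system. "excess" and "no_approval" are compliance findings; "missing" is
    informational but still a mismatch between record and system.
    """
    by_user = {a.user_id: a for a in approvals}
    deviations = []
    for user_id, granted in sorted(implemented.items()):
        approval = by_user.get(user_id)
        if approval is None:
            deviations.append(Deviation(user_id, "no_approval", frozenset(granted)))
            continue
        approved = approval.approved_privileges()
        excess = set(granted) - approved
        missing = approved - set(granted)
        if excess:
            deviations.append(Deviation(user_id, "excess", frozenset(excess)))
        if missing:
            deviations.append(Deviation(user_id, "missing", frozenset(missing)))
    return deviations


def compliance_findings(deviations):
    """Only the deviations that fail 8.1.2 (privileges beyond the documented approval)."""
    return [d for d in deviations if d.kind in ("excess", "no_approval")]


# Constructed sample data.
APPROVALS = [
    Approval("alice", "dba", "it-manager"),
    Approval("bob", "app_support", "it-manager", frozenset({"siem:search"})),
    Approval("carol", "sec_analyst", "ciso"),
]
IMPLEMENTED = {
    "alice": {"db:read", "db:write", "db:schema", "os:root"},  # os:root never approved
    "bob": {"db:read", "logs:read", "siem:search"},            # matches approval
    "carol": {"logs:read"},                                    # siem:search not yet granted
    "dave": {"db:read"},                                       # no approval record at all
}

if __name__ == "__main__":
    for d in reconcile(APPROVALS, IMPLEMENTED):
        print(f"{d.user_id:6} {d.kind:12} {sorted(d.privileges)}")
```

The two findings an assessor cares about are "excess" (alice holds os:root with no approval for it) and "no_approval" (dave exists on the system with no record at all); a "missing" privilege is a record-keeping mismatch rather than a 7.1 failure, but it still means the approval does not describe the system. Run the same comparison separately against the sample of privileged IDs and the sample of general IDs, as 8.1.2 asks.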
12.3.1 Verify that the usage policies include processes for explicit approval from authorized
parties to use the technologies.
7.6
The organization shall determine (※15. DOCUMENT※) and maintain the
knowledge necessary to support the operation of the SMS and the services.
The knowledge is specific to the organization, its SMS, services and interested parties.
Knowledge is used and shared to support the achievement of the intended outcome and
the operation of the SMS and the services.
2.2.4.a Interview system administrators and/or security managers to verify that they have
knowledge of common security parameter settings for system components.
6.3.2.a Examine written software-development procedures and interview responsible
personnel to verify that all custom application code changes must be reviewed (using either
manual or automated processes) as follows:
Code changes are reviewed by individuals other than the originating code author, and by
individuals who are knowledgeable in code-review techniques and secure coding practices.
8
8.1
the organization shall plan, implement and control the processes needed to meet
requirements, and to implement the actions determined in 6.1(Actions to address Risks
and Opportunities) by
-
a) establishing performance "Criteria" for the processes based on requirements; -
Knowledge 【ITIL2011: Knowledge Management process】 【ITIL4: Knowledge Management : General management practice】
Operation planning and control
Operation
b) implementing control of the processes in accordance with performance "Criteria"
10.6.2 Review logs of all other system components periodically based on the organization’s
policies and risk management strategy, as determined by the organization’s annual risk
assessment.
10.8.1 Additional requirement for service providers only: Respond to failures of any critical
security controls in a timely manner. Processes for responding to failures in security
controls must include:
•Performing a risk assessment to determine whether further actions are required as a result
of the security failure
12.2 Implement a risk assessment process, that:
•Is performed at least annually and upon significant changes to the environment (for
example, acquisition, merger, relocation, etc.),
•Identifies critical assets, threats, and vulnerabilities, and
•Results in a formal, documented analysis of risk.
Examples of risk assessment methodologies include but are not limited to OCTAVE, ISO
27005 and NIST SP 800-30.
A2.2 Review the documented Risk Mitigation and Migration Plan to verify it includes:
•Description of usage, including what data is being transmitted, types and number of
systems that use and/or support SSL/early TLS, type of environment;
c) keeping documented info to the extent necessary to have confidence that the
processes have been carried out as planned (※16.DOCUMENT※)
-
The organization shall control planned changes to the SMS and review the
consequences of unintended changes, taking action to mitigate any adverse effects, as
necessary.
6.4.5.a Examine documented change-control procedures and verify procedures are defined
for:
•Documentation of impact.
•Documented change approval by authorized parties.
•Functionality testing to verify that the change does not adversely impact the security of the
system.
•Back-out procedures.
The organization shall ensure that outsourced processes are controlled.
12.8 Maintain and implement policies and procedures to manage service providers with
whom cardholder data is shared, or that could affect the security of cardholder data, as
follows:
12.8.1 Maintain a list of service providers including a description of the service provided.
12.8.4 Maintain a program to monitor service providers’ PCI DSS compliance status at least
annually.
8.2
8.2.1 Service delivery -
The organization shall operate the SMS ensuring co-ordination of the activities and the
resources. The organization shall perform the activities required to deliver services.
-
8.2.2 Plan and services -
Service portfolio 【ITIL2011: Service Portfolio Management Process】【ITIL4: Portfolio Management Practice: General management practice】
The service requirements for existing services, new services and changes to
services shall be determined and documented.(※17. DOCUMENT※)
The organization shall determine the criticality of services based on the needs of the
organization, customers, users and other interested parties. The organization shall
determine and manage dependencies and duplication between services.
The organization shall propose changes where needed to align the services with the
SM Policy, SM objectives and service requirements, taking into consideration known
limitations and risks.
The organization shall prioritize requests for change and proposals for new or changed
services to align with business needs and SM objectives, taking into consideration
N/A
8.2.3 Control of parties involved in the service lifecycle
8.2.3.1 The organization shall retain accountability for the requirements specified in this doc
and the delivery of the services regardless of which party is involved in performing
activities to support the service lifecycle.
The organization shall determine and apply "Criteria" for the evaluation and selection of
other parties involved in the service lifecycle. Other parties can be an external supplier,
an internal supplier or a customer acting as a supplier.
Other parties shall not provide or operate all services, service components or
processes within the scope of the SMS.
The organization shall determine and document (※18. DOCUMENT※)
a) services that are provided or operated by other parties
b) service components that are provided or operated by other parties
c) processes, or parts of processes, in the organization's SMS that are operated by
other parties.
The organization shall integrate services, service components and processes in the
SMS that are provided or operated by the organization or other parties to meet the
service lifecycle including the planning, design, transition, delivery and improvement of
services.
8.2.3.2 The organization shall define and apply relevant controls for other parties from the
following
-
a) measurement and evaluation of process performance
6.1 Establish a process to identify security vulnerabilities, using reputable outside sources
for security vulnerability information, and assign a risk ranking (for example, as “high,”
“medium,” or “low”) to newly discovered security vulnerabilities.
11.2.3.b Review scan reports and verify that the scan process includes rescans until:
For external scans, no vulnerabilities exist that are scored 4.0 or higher by the CVSS.
For internal scans, all “high risk” vulnerabilities
b) measurement and evaluation of the effectiveness of services and service components
in meeting the service requirements.
-
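The 11.2.3.b test quoted above (and repeated later in this mapping under 8.5.2) is a pass/fail gate with two different rules: external scans are judged on the CVSS score alone, internal scans on the organization's own 6.1 risk ranking. The block below is an added example (not from the slide deck or from PCI SSC) of that gate applied to scan results; the finding records are constructed, and the CVSS-to-rank thresholds are an assumption standing in for whatever ranking policy the organization adopted under 6.1.

```python
"""Gate a vulnerability-scan cycle against PCI DSS 3.2.1 11.2.3.b.

Added example, not part of the original slide deck. The finding records and
the CVSS-to-rank mapping are constructed assumptions; a real deployment would
encode its own 6.1 risk-ranking policy in risk_rank().
"""
from dataclasses import dataclass

EXTERNAL_CVSS_LIMIT = 4.0  # 11.2.3.b: external scans must have nothing scored 4.0 or higher


@dataclass(frozen=True)
class Finding:
    host: str
    plugin_id: str
    title: str
    cvss: float  # CVSS base score as reported by the scanner


def risk_rank(cvss: float) -> str:
    """Assign the organization's 6.1 risk ranking to a finding.

    The thresholds are an assumption for this example: 6.1 only requires
    that a ranking such as high/medium/low is assigned to new vulnerabilities.
    """
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def external_scan_blockers(findings):
    """Findings that keep an external scan from passing (CVSS rule)."""
    return [f for f in findings if f.cvss >= EXTERNAL_CVSS_LIMIT]


def internal_scan_blockers(findings):
    """Findings that keep an internal scan from passing ('high risk' per 6.1)."""
    return [f for f in findings if risk_rank(f.cvss) == "high"]


def rescan_required(findings, scan_type: str) -> bool:
    """True when 11.2.3.b requires another rescan cycle for this scan."""
    if scan_type == "external":
        return bool(external_scan_blockers(findings))
    if scan_type == "internal":
        return bool(internal_scan_blockers(findings))
    raise ValueError(f"unknown scan type: {scan_type}")


# Constructed sample scan output (not real scanner data).
EXTERNAL_FINDINGS = [
    Finding("203.0.113.10", "10863", "TLS 1.0 supported", 6.5),
    Finding("203.0.113.10", "42873", "Server banner disclosure", 2.6),
]
INTERNAL_FINDINGS = [
    Finding("10.20.0.5", "12345", "Missing OS patch", 9.8),
    Finding("10.20.0.7", "67890", "Weak SSH MAC", 4.3),
]
INTERNAL_AFTER_PATCH = [Finding("10.20.0.7", "67890", "Weak SSH MAC", 4.3)]

if __name__ == "__main__":
    for label, fs, kind in [
        ("external", EXTERNAL_FINDINGS, "external"),
        ("internal", INTERNAL_FINDINGS, "internal"),
        ("internal after patching", INTERNAL_AFTER_PATCH, "internal"),
    ]:
        print(f"{label}: rescan required = {rescan_required(fs, kind)}")
```

The asymmetry is the point worth noticing: the CVSS 4.3 finding passes the internal gate under this ranking but would fail the external one, so a single "fix everything above 4.0" rule is stricter than 11.2.3 requires internally and exactly what it requires externally. The CVSS rule is the only external criterion the page states; the ASV Program Guide adds further automatic-failure conditions that this example does not model.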
8.2.4
12.8.1 Verify that a list of service providers is maintained and includes a description of the
service provided.
on what it will communicate
The organization shall create (※19.DOCUMENT※) and maintain one or more
service catalogues. The service catalogue shall include information for the
organization, customers, users and other interested parties to describe the services,
their intended outcomes and dependencies between the services.
The organization shall provide access to appropriate parts of the service catalogue to its
customers, users and other interested parties.
12.8.1 Verify that a list of service providers is maintained and includes a description of the
service provided.
8.2.5
The organization shall ensure that assets used to deliver services are managed to
meet the service requirements and the obligations in 6.3 c (Plan the SMS obligations).
8.2.6 Configuration management
【ITIL2011: Service Asset Management & Configuration Management process 】
【ITIL4: Configuration Management practice: Service management practice】
The types of CI shall be defined. Services shall be classified as CIs.
Configuration information shall be recorded (※21.DOCUMENT※) to a level of
detail appropriate to the criticality and type of services. Access to configuration
information shall be controlled. The configuration information recorded for each CI shall
include
a) unique identification
b) type of CI
c) description of the CI -
d) relationship with other CIs -
e) status -
CIs shall be controlled. Changes to CIs shall be traceable and auditable to maintain the
integrity of the configuration information. The configuration information shall be updated
following the deployment of changes to CIs.
At planned intervals, the organization shall verify the accuracy of the configuration
information. Where deficiencies are found, the organization shall take necessary
actions.
Configuration information shall be made available for other SM activities as
-
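Clause 8.2.6 above lists what every CI record shall carry (a to e), requires changes to CIs to remain traceable, and requires the accuracy of the configuration information to be verified at planned intervals; PCI DSS 2.4 maps onto it as the in-scope system-component inventory. The following is an added example (not from the slide deck, ISO or PCI SSC) of the two checks a practitioner would automate: record integrity, and reconciliation of the recorded live in-scope components against an asset-discovery result. The CI records, the discovered component list, the `pci_scope` tag and the set of discoverable CI types are constructed assumptions.

```python
"""Check configuration information for completeness and accuracy.

Added example for ISO/IEC 20000-1 clause 8.2.6 (CI records and their periodic
accuracy check) and the PCI DSS 3.2.1 requirement 2.4 inventory it maps to;
it is not part of the original slide deck. The CI records, the discovered
component list and the `pci_scope` tag are constructed assumptions.
"""
from dataclasses import dataclass

# 8.2.6 a) to e): the attributes every CI record shall include.
REQUIRED_FIELDS = ("ci_id", "ci_type", "description", "relationships", "status")
# Assumption: only these CI types are expected to appear in a network discovery.
DISCOVERABLE_TYPES = {"server", "database"}


@dataclass
class CI:
    ci_id: str                 # a) unique identification
    ci_type: str               # b) type of CI
    description: str           # c) description
    relationships: list        # d) ci_ids of related CIs
    status: str                # e) status, e.g. "live" or "retired"
    pci_scope: bool = False    # assumed tag marking the 2.4 in-scope inventory


def validate_records(cis):
    """Integrity problems that make the configuration information untrustworthy."""
    problems = []
    known = set()
    for ci in cis:
        if ci.ci_id in known:
            problems.append(f"duplicate ci_id {ci.ci_id}")
        known.add(ci.ci_id)
        for name in REQUIRED_FIELDS:
            if getattr(ci, name) in ("", None):
                problems.append(f"{ci.ci_id}: missing {name}")
    for ci in cis:  # second pass: relationships may point forward in the list
        for rel in ci.relationships:
            if rel not in known:
                problems.append(f"{ci.ci_id}: relationship to unknown CI {rel}")
    return problems


def reconcile_inventory(cis, discovered):
    """Planned-interval accuracy check: recorded live in-scope CIs vs. what was discovered.

    `discovered` is the set of ci_ids an asset-discovery scan reported
    (constructed here; a real tool would key on hostname or serial number).
    Returns (untracked, stale): components found on the network without a
    live in-scope record, and live in-scope records nothing was found for.
    """
    live_in_scope = {
        ci.ci_id for ci in cis
        if ci.pci_scope and ci.status == "live" and ci.ci_type in DISCOVERABLE_TYPES
    }
    untracked = sorted(discovered - live_in_scope)
    stale = sorted(live_in_scope - discovered)
    return untracked, stale


# Constructed sample CMDB extract and discovery result.
SAMPLE_CIS = [
    CI("svc-payments", "service", "Card payment service", ["web-01", "db-01"], "live", True),
    CI("web-01", "server", "Payment web front end", ["db-01"], "live", True),
    CI("db-01", "database", "Cardholder data store", [], "live", True),
    CI("db-02", "database", "Reporting replica", ["db-01"], "live", True),
    CI("web-legacy", "server", "Decommissioned front end", [], "retired", True),
    CI("app-02", "server", "", ["lb-99"], "live", False),
]
DISCOVERED = {"web-01", "db-01", "web-legacy", "web-03"}

if __name__ == "__main__":
    print("record problems:", validate_records(SAMPLE_CIS))
    untracked, stale = reconcile_inventory(SAMPLE_CIS, DISCOVERED)
    print("untracked:", untracked, "stale:", stale)
```

Two of the sample results are the cases that matter for scope: web-legacy is recorded as retired yet still answers on the network, so either the record or the decommissioning is wrong, and web-03 has no record at all and so is outside the 2.4 inventory until someone decides whether it is in scope. Each such discrepancy is the "necessary action" 8.2.6 asks for, and closing it is itself a change to a CI that has to stay traceable.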
8.3
8.3.1 General
The organization may use suppliers to
a) provide or operate services.
b) provide or operate service components
12.8.2 Observe written agreements and confirm they include an acknowledgement by
service providers that they are responsible for the security of cardholder data the service
providers possess or otherwise store, process or transmit on behalf of the customer, or to
the extent that they could impact the security of the customer’s cardholder data
environment.
12.8.1 Verify that a list of service providers is maintained and includes a description of the
service provided.
12.8.3 Ensure there is an established process for engaging service providers including
proper due diligence prior to engagement.
12.9 Additional requirement for service providers only: Service providers acknowledge in
writing to customers that they are responsible for the security of cardholder data the service
provider possesses or otherwise stores, processes, or transmits on behalf of the customer,
or to the extent that they could impact the security of the customer’s cardholder data
environment.
Relationship and agreement
Asset management (※20.DOCUMENT※)
【ITIL2011: Service Asset Management & Configuration Management process】 【ITIL4: IT Asset Management; Service management practice】
2.4 Maintain an inventory of system components that are in scope for PCI DSS.
9.9.1 Maintain an up-to-date list of devices. The list should include the following:
Make, model of device
Location of device (for example, the address of the site or facility where the device is
located)
Device serial number or other method of unique identification.
12.3 Develop usage policies for critical technologies and define proper use of these
technologies.
12.3.3 A list of all such devices and personnel with access
c) operate processes, or parts of processes, that are in the organization's SMS.
Figure 2 illustrates the usage, agreements and relationships between business
relationship management, service level management and supplier management.
8.3.2
The customers, users and other interested parties of the services shall be
identified and documented. (※22.DOCUMENT※) The organization shall have one
or more designated individuals responsible for managing customer relationships and
maintaining customer satisfaction.
The organization shall establish arrangements for communicating with its customers
and other interested parties. The communication shall promote understanding of the
evolving business environment in which the services operate and shall enable the
organization to respond to new or changed service requirements.
At planned intervals, the organization shall review the performance trends and the
outcomes of the services.
At planned intervals, the organization shall measure satisfaction with the service based
on a representative sample of customers. The results shall be analysed, reviewed to
identify opportunities for improvement and reported.
Service complaints shall be recorded, managed to closure and reported. Where a
service complaint is not resolved through the normal channels, a method of escalation
shall be provided.
12.8.1 Verify that a list of service providers is maintained and includes a description of the
service provided.
8.3.3
The organization and the customer shall agree the services to be delivered.
For each service delivered, the organization shall establish one or more SLAs based
on the documented service requirements(※23.DOCUMENT※). The SLAs shall
include service level targets, workload limits and exceptions.
At planned intervals, the organization shall monitor, review and report (※24.DOCUMENT※) on
12.8.2 Observe written agreements and confirm they include an acknowledgement by
service providers that they are responsible for the security of cardholder data the service
providers possess or otherwise store, process or transmit on behalf of the customer, or to
the extent that they could impact the security of the customer’s cardholder data environment.
12.9 Additional requirement for service providers only: Service providers acknowledge in
writing to customers that they are responsible for the security of cardholder data the service
provider possesses or otherwise stores, processes, or transmits on behalf of the customer,
or to the extent that they could impact the security of the customer’s cardholder data
environment.
12.10.3 Designate specific personnel to be available on a 24/7 basis to respond to alerts.
a) performance against service level targets N/A
b) actual and periodic changes in workload compared to workload limits in the N/A
8.3.4
8.3.4.1 Management of external suppliers -
The organization shall have one or more designated individuals responsible for
managing the relationship, contracts and performance of external suppliers.
For each external supplier, the organization shall agree a documented contract. The
contract shall include or contain a reference to
-
12.10.1.a Verify that the incident response plan includes:
Analysis of legal requirements for reporting compromises (for example, California Bill 1386,
Supplier management 【Supplier management process】【ITIL4: Supplier management practice; General management practice】
SLM 【ITIL2011: SLM process】 【ITIL4: SLM practice; Service management practice】
Business relationship management
【ITIL2011: Business relationship management process】 【ITIL4: Relationship Management; General management practice】 【ITIL4: Business Analysis Practice; Service
management practice】
a) scope of the services, service components, processes or parts of processes to be
provided or operated by the external supplier
12.8.1 Verify that a list of service providers is maintained and includes a description of the
service provided.
b) requirements to be met by the external supplier
c) service level targets or other contractual obligations
d) authorities and responsibilities of the organization and the external supplier.
The organization shall assess the alignment of service level targets or other
contractual obligations for the external supplier against SLAs with customers, and
manage identified risks.
The organization shall define and manage the interfaces with the external supplier.
At planned intervals, the organization shall monitor the performance of the external
supplier. Where service level targets or other contractual obligations are not met, the
organization shall ensure that opportunities for improvement are identified.
At planned intervals, the organization shall review the contract against current service
requirements. Changes identified for the contract shall be assessed for the impact of
the change on the SMS and the services before the change is approved.
Disputes between the organization and the external supplier shall be recorded and
8.3.4.2 Management of internal suppliers and customers acting as a supplier
For each internal supplier or customer acting as a supplier, the organization shall
develop, agree and maintain a documented agreement(※25.DOCUMENT※) to
define the service level targets, other commitments, activities and interfaces
between the parties.
At planned intervals, the organization shall monitor the performance of the internal
supplier or the customer acting as a supplier. Where service level targets or other
8.4
8.4.1 Budgeting and accounting for services
The organization shall budget and account for services or groups of services in
accordance with its financial management policies and processes.
Costs shall be budgeted to enable effective financial control and decision-making for
services.
At planned intervals, the organization shall monitor and report (※26.DOCUMENT※) on actual costs against the budget, review the financial
8.4.2
At planned intervals, the organization shall
a) determine current demand and forecast future demand for services
b) monitor and report (※27.DOCUMENT※) on demand and consumption of
services.
8.4.3
The capacity requirements for human, technical, information and financial resources
shall be determined(※28.DOCUMENT※), documented and maintained taking
into consideration the service and performance requirements.
The organization shall plan capacity to include
Capacity management 【ITIL2011: Capacity Management Process】 【ITIL4: Capacity management practice; Service management practice】
Demand management 【ITIL2011: Demand Management Process】【ITIL4: N/A】
12.4.a Verify that Infosecurity policy and procedures clearly define Infosecurity
responsibilities for all personnel.
12.5 Assign to an individual or team the following information security management
responsibilities:
12.5.1 Verify that responsibility for establishing, documenting and distributing security
policies and procedures is formally assigned.
12.8.2 Observe written agreements and confirm they include an acknowledgement by
service providers that they are responsible for the security of cardholder data the service
providers possess or otherwise store, process or transmit on behalf of the customer, or to
the extent that they could impact the security of the customer’s cardholder data environment.
12.8.3 Ensure there is an established process for engaging service providers including
proper due diligence prior to engagement.
12.9 Additional requirement for service providers only: Service providers acknowledge in
writing to customers that they are responsible for the security of cardholder data the service
provider possesses or otherwise stores, processes, or transmits on behalf of the customer,
or to the extent that they could impact the security of the customer’s cardholder data
environment.
12.10.3 Designate specific personnel to be available on a 24/7 basis to respond to alerts.
Supply and demand 【ITIL2011: Demand Management Process】【ITIL4: N/A】
9.1.1 Use either video cameras or access control mechanisms (or both) to monitor
individual physical access to sensitive areas. Review collected data and correlate with other
entries. Store for at least three months, unless otherwise restricted by law.
10.7 Retain audit trail history for at least one year, with a minimum of three months
immediately available for analysis (for example, online, archived, or restorable from
backup).
12.1.1 Verify that the information security policy is reviewed at least annually and updated
as needed to reflect changes to business objectives or the risk environment.
11.3.4.1 & A.3.2.1 Validation of PCI DSS scope should be performed as frequently as
possible to ensure PCI DSS scope remains up to date and aligned with changing business
objectives.
N/A
a) current and forecast capacity based on demand for services
b) expected impact on capacity of agreed service level targets, requirements for service
c) timescales and thresholds for changes to service capacity. -
The organization shall provide sufficient capacity to meet agreed capacity and
performance requirements. The organization shall monitor capacity usage, analyse
capacity and performance data and identify opportunities to improve performance.
-
8.5
8.5.1
8.5.1.1 change management policy
A change management policy shall be established and documented (※29.DOCUMENT※) to define
a) service components and other items that are under the control of change management
b) categories of change, including emergency change, and how they are to be managed
c) "Criteria" to determine changes with the potential to have a major impact on customers
or services.
8.5.1.2 Change management initiation
Requests for change, including proposals to add, remove or transfer services
(RFC), shall be recorded (※30.DOCUMENT※) and classified.
The organization shall use service design and transition in 8.5.2 (Service design and
transition) for:
a) new services with the potential to have a major impact on customers or other services
as determined by the change management policy
b) changes to services with the potential to have a major impact on customers or other
services as determined by the change management policy
c) categories of change that are to be managed by service design and transition
according to the change management policy
d) removal of a service
e) transfer of an existing service from a customer or other party to the organization.
Assessing, approving, scheduling and reviewing of new or changed services in the
scope of 8.5.2 shall be managed through the change management activities in 8.5.1.3.
Requests for change not being managed through 8.5.2 shall be managed through the
change management activities in 8.5.1.3 (Change management activities).
8.5.1.3 Change management activities
Change management 【ITIL2011: Change Management Process】 【ITIL4: Change Control practice; Service management practice】
6.4.5.a Examine documented change control procedures and verify procedures are defined
for:
Documentation of impact
Documented change approval by authorized parties
Functionality testing to verify that the change does not adversely impact the security of
the system
Back-out procedures
6.4.5.3 Functionality testing to verify that the change does not adversely impact the security
of the system.
6.7 Ensure that security policies and operational procedures for developing and maintaining
secure systems and applications are documented, in use, and known to all affected parties.
1.1.1 A formal process for approving and testing all network connections and changes to
the firewall and router configurations.
6.3.2.a Examine written software development procedures and interview responsible
personnel to verify that all custom application code changes must be reviewed (using either
manual or automated processes) as follows:
12.11 Additional requirement for service providers only: Perform reviews at least quarterly
to confirm personnel are following security policies and operational procedures. Reviews
must cover the following processes:
•Change management processes
A2.2 Review the documented Risk Mitigation and Migration Plan to verify it includes:
•Description of change control processes that are implemented to ensure SSL/early TLS is
not implemented into new environments
Service design, build and transition 【ITIL2011: Design Coordination Process】 【ITIL4: Service Design practice; Service management practice】
The organization and interested parties shall make decisions on the approval and
priority of requests for change. Decision-making shall take into consideration the risks,
business benefits, feasibility and financial impact. Decision making shall also consider
potential impacts of the change on
a) existing services
b) customers, users and other interested parties
c) policies and plans required by this doc
d) capacity, service availability, service continuity and information security
e) other requests for change, releases and plans for deployment.
Approved changes shall be prepared, verified and, where possible, tested. Proposed
deployment dates and other deployment details for approved changes shall be
communicated to interested parties.
The activities to reverse or remedy an unsuccessful change shall be planned and,
where possible, tested. Unsuccessful changes shall be investigated and agreed
actions taken.
The organization shall review changes for effectiveness and take actions agreed with
interested parties.
At planned intervals, request for change records (RFC) (※31.DOCUMENT※)
shall be analysed to detect trends. The results and conclusions drawn from
analysis shall be recorded (※32.DOCUMENT※) and reviewed to identify
8.5.2
8.5.2.1 Plan new or changed services -
Planning shall use the service requirements for the new or changed services
determined in 8.2.2 (Plan and services) and shall include or contain a reference to
-
a) authorities and responsibilities for design, build and transition activities
b) activities to be performed by the organization or other parties with their timescales
c) human, technical, information and financial resources N/A
d) dependencies on other services
12.8.1 Verify that a list of service providers is maintained and includes a description of the
service provided.
e) testing needed for the new or changed services
1.1.1 A formal process for approving and testing all network connections and changes to
the firewall and router configurations.
6.4.5.a Examine documented change control procedures and verify procedures are defined
for:
Functionality testing to verify that the change does not adversely impact the security of
the system
6.4.5.3 Functionality testing to verify that the change does not adversely impact the security
of the system.
f) service acceptance "Criteria" N/A
Service design and transition 【ITIL2011: Design Coordination process】 【ITIL4: Service Design practice; Service management practice】
12.4.a Verify that Infosecurity policy and procedures clearly define Infosecurity
responsibilities for all personnel.
12.5.1 Verify that responsibility for establishing, documenting and distributing security
policies and procedures is formally assigned.
g) intended outcomes from delivering the new or changed services, expressed in
measurable terms.
6.1 Establish a process to identify security vulnerabilities, using reputable outside sources
for security vulnerability information, and assign a risk ranking (for example, as “high,”
“medium,” or “low”) to newly discovered security vulnerabilities.
11.2.3.b Review scan reports and verify that the scan process includes rescans until:
For external scans, no vulnerabilities exist that are scored 4.0 or higher by the CVSS.
For internal scans, all “high risk” vulnerabilities
h) impact on the SMS, other services, planned changes, customers, users and other
interested parties.
6.4.5.1 Verify that documentation of impact is included in the change control documentation
for each sampled change.
A3.1.2.a Examine information security policies and procedures to verify that processes are
specifically defined for the following:
Business-impact analysis to determine potential PCI DSS impacts for strategic business
decisions
For services that are to be removed, the planning shall additionally include the dates
for the removal of the services and the activities for archiving, disposal or transfer of
data, documented information and service components.
For services that are to be transferred, the planning shall additionally include the date
for the transfer of the services and the activities for the transfer of data, documented
information (※33.DOCUMENT※), knowledge and service components.
The CIs affected by new or changed services shall be managed through configuration
management.
-
8.5.2.2
The new or changed service shall be designed and documented (※34.DOCUMENT※) to meet
the service requirements determined in 8.2.2 (Plan and
services). The design shall include relevant items from the following
-
a) authorities and responsibilities of the parties involved in the delivery of the new or
changed services
12.4.a Verify that Infosecurity policy and procedures clearly define Infosecurity
responsibilities for all personnel.
12.5.1 Verify that responsibility for establishing, documenting and distributing security
policies and procedures is formally assigned.
b) requirements for changes to human, technical, information and financial resources N/A
Design 【ITIL2011: Transition Planning & Support process】 【ITIL4: Transition Planning & Support ; General management practice】
c) requirements for appropriate education, training and experience
2.2.4.a Interview system administrators and/or security managers to verify that they have
knowledge of common security parameter settings for system components.
6.3.2.b Code changes are reviewed by individuals who are knowledgeable in code-review
techniques and secure coding practices.
11.2.1 Scans must be performed by qualified personnel.
11.2.2 Perform quarterly external vulnerability scans, via an Approved Scanning Vendor
(ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC).
11.3.1.b Verify that the test was performed by a qualified internal resource or qualified
external third party, and if applicable, organizational independence of the tester exists (not
required to be a QSA or ASV).
12.6 Implement a formal security awareness program to make all personnel aware of the
cardholder data security policy and procedures.
12.6.2 Require personnel to acknowledge at least annually that they have read and
understood the security policy and procedures.
d) new or changed SLAs, contracts and other documented agreements (※35.DOCUMENT※)
that support the services
12.8.2 Observe written agreements and confirm they include an acknowledgement by
service providers that they are responsible for the security of cardholder data the service
providers possess or otherwise store, process or transmit on behalf of the customer, or to
the extent that
they could impact the security of the customer’s cardholder data environment.
12.9 Additional requirement for service providers only: Service providers acknowledge in
writing to customers that they are responsible for the security of cardholder data the service
provider possesses or otherwise stores, processes, or transmits on behalf of the customer,
or to the extent that they could impact the security of the customer’s cardholder data
environment.
12.10.3 Designate specific personnel to be available on a 24/7 basis to respond to alerts.
e) changes to the SMS including new or changed policies, plans, processes, procedures,
measures and knowledge
6.1 Establish a process to identify security vulnerabilities, using reputable outside sources
for security vulnerability information, and assign a risk ranking (for example, as “high,”
“medium,” or “low”) to newly discovered security vulnerabilities.
11.2.3.b Review scan reports and verify that the scan process includes rescans until:
For external scans, no vulnerabilities exist that are scored 4.0 or higher by the CVSS.
For internal scans, all “high risk” vulnerabilities
f) impact on other services
6.1 Establish a process to identify security vulnerabilities, using reputable outside sources
for security vulnerability information, and assign a risk ranking (for example, as “high,”
“medium,” or “low”) to newly discovered security vulnerabilities.
Note: Risk rankings should be based on industry best practices as well as consideration of
potential impact.
6.4.5.1 Verify that documentation of impact is included in the change control documentation
for each sampled change.
A3.1.2.a Examine information security policies and procedures to verify that processes are
specifically defined for the following:
Business-impact analysis to determine potential PCI DSS impacts for strategic business
decisions
g) updates to the service catalogue.
12.8 Maintain and implement policies and procedures to manage service providers with
whom cardholder data is shared, or that could affect the security of cardholder data, as
follows:
8.5.2.3
The new or changed services shall be built and tested to verify that they meet the
service requirements, conform to the documented design (※36.DOCUMENT※)
and meet the agreed service acceptance "Criteria". If the service acceptance
"Criteria" are not met, the organization and interested parties shall make a decision on
necessary actions and deployment.
"Release and deployment management" shall be used to deploy approved new or
changed services into the live environment.
Following the completion of the transition activities, the organization shall report to
interested parties on the achievements against the intended outcomes.
1.1.1 A formal process for approving and testing all network connections and changes to
the firewall and router configurations.
8.5.3
The organization shall define the types of release, including emergency release, their
frequency and how they are to be managed.
The organization shall plan the deployment of new or changed services and service
components into the live environment. Planning shall be co-ordinated with change
management and include references to the related requests for change, known errors or
problems which are being closed through the release. Planning shall include the dates
for deployment of each release, deliverables and methods of deployment.
The release shall be verified against documented acceptance "Criteria" (※37.DOCUMENT※)
and approved before deployment. If the acceptance "Criteria" are
not met, the organization and interested parties shall make a decision on necessary
actions and deployment.
Before deployment of a release into the live environment, a baseline of the affected
CIs shall be taken.
The release shall be deployed into the live environment so that the integrity of the
services and service components is maintained.
The success or failure of releases shall be monitored and analysed. Measurements
shall include incidents related to a release in the period following deployment of a
release. The results and conclusions drawn from the analysis shall be recorded
(※38.DOCUMENT※) and reviewed to identify opportunities for improvement.
Information about the success or failure of releases and future release dates shall be
made available for other SM activities as appropriate.
1.1.1 A formal process for approving and testing all network connections and changes to
the firewall and router configurations.
6.4.5.a Examine documented change control procedures and verify procedures are defined
for:
Documentation of impact
Documented change approval by authorized parties
Functionality testing to verify that the change does not adversely impact the security of
the system
Back-out procedures
6.4.5.3 Functionality testing to verify that the change does not adversely impact the security
of the system.
8.6
8.6.1
Incidents shall be -
Build and transition 【ITIL2011: Transition Planning & Support process】 【ITIL4: Transition Planning & Support ; General management practice】
Release and deployment management 【ITIL2011: Release and deployment process】【ITIL4: Release practice; Service management practice】 【ITIL4: Deployment Management】
Incident management 【ITIL2011: Incident Management process】【ITIL4: Service management process】
Resolution and fulfilment
a) recorded and classified (※39.DOCUMENT※)
b) prioritized taking into consideration impact and urgency
c) escalated if needed
d) resolved
e) closed
Records of incidents shall be updated with actions taken
The organization shall determine "Criteria" to identify a major incident. Major incidents
shall be classified and managed according to a documented procedure. Top
management shall be kept informed of major incidents. The organization shall assign
responsibility for managing each major incident. After the incident has been resolved,
the major incident shall be reported and reviewed to identify opportunities for
improvement.
8.6.2
Service requests shall be -
a) recorded and classified (※40.DOCUMENT※)
b) prioritized taking into consideration impact and urgency
c) fulfilled
d) closed
Records of service requests shall be updated with actions taken.
Instructions for the fulfilment of service requests shall be made available to persons
involved in service request fulfilment.
8.6.3
The organization shall analyse data trends on incidents to identify problems. The
organization shall undertake root cause analysis and determine potential actions to
prevent the occurrence or recurrence of incidents.
-
Problems shall be -
Service request management 【ITIL2011: Service request management process】【ITIL4: Service request management Practice; Service management practice】
6.1 Establish a process to identify security vulnerabilities, using reputable outside sources
for security vulnerability information, and assign a risk ranking (for example, as “high,”
“medium,” or “low”) to newly discovered security vulnerabilities.
6.2.b For a sample of system components and related software, compare the list of security
patches installed on each system to the most recent vendor security-patch list, to
verify the following:
That applicable critical vendor-supplied security patches are installed within one month of
release.
All applicable vendor-supplied security patches are installed within an appropriate time
frame (for example, within three months).
6.1 Establish a process to identify security vulnerabilities, using reputable outside sources
for security vulnerability information, and assign a risk ranking (for example, as “high,”
“medium,” or “low”) to newly discovered security vulnerabilities.
6.2.b For a sample of system components and related software, compare the list of security
patches installed on each system to the most recent vendor security-patch list, to
verify the following:
That applicable critical vendor-supplied security patches are installed within one month of
release.
All applicable vendor-supplied security patches are installed within an appropriate time
frame (for example, within three months).
10.6.1.b Observe processes and interview personnel to verify that the following are
reviewed at least daily:
10.8.b Examine detection and alerting processes and interview personnel to verify that
processes are implemented for all critical security controls, and that failure of a critical
security control results
in the generation of an alert.
11.1.2 Implement incident response procedures in the event unauthorized wireless access
points are detected.
11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent
intrusions into the network. Monitor all traffic at the perimeter of the cardholder data
environment as well as at critical points in the cardholder data environment, and alert
personnel to suspected compromises.
12.5.3 Verify that responsibility for establishing, documenting, and distributing security
incident response and escalation procedures is formally assigned
12.10 Implement an incident response plan. Be prepared to respond immediately to a
system breach.
12.10.3 Designate specific personnel to be available on a 24/7 basis to respond to alerts.
Problem management 【ITIL2011: Problem management process】【ITIL4: Problem management practice; Service management practice】
a) recorded and classified (※41.DOCUMENT※)
b) prioritized
c) escalated if needed
d) resolved if possible
e) closed
Records of problems shall be updated with actions taken. Changes needed for
problem resolution shall be managed according to the change management policy.
1.1.1 A formal process for approving and testing all network connections and changes to
the firewall and router configurations.
6.4.5.a Examine documented change control procedures and verify procedures are defined
for:
Documentation of impact
Documented change approval by authorized parties
Functionality testing to verify that the change does not adversely impact the security of
the system
Back-out procedures
6.4.5.3 Functionality testing to verify that the change does not adversely impact the security
of the system.
Where the root cause has been identified, but the problem has not been permanently
resolved, the organization shall determine actions to reduce or eliminate the impact of
the problem on the services. Known errors shall be recorded. Up-to-date information on
known errors and problem resolutions shall be made available for other SM activities as
appropriate.
N/A
At planned intervals, the effectiveness of problem resolution shall be monitored,
reviewed and reported.
N/A
6.1 Establish a process to identify security vulnerabilities, using reputable outside sources
for security vulnerability information, and assign a risk ranking (for example, as “high,”
“medium,” or “low”) to newly discovered security vulnerabilities.
6.2.b For a sample of system components and related software, compare the list of security
patches installed on each system to the most recent vendor security-patch list, to verify the
following:
That applicable critical vendor-supplied security patches are installed within one month of
release.
All applicable vendor-supplied security patches are installed within an appropriate time
frame (for example, within three months).
10.6.1.b Observe processes and interview personnel to verify that the following are
reviewed at least daily:
10.8.b Examine detection and alerting processes and interview personnel to verify that
processes are implemented for all critical security controls, and that failure of a critical
security control results
in the generation of an alert.
11.1.2 Implement incident response procedures in the event unauthorized wireless access
points are detected.
11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent
intrusions into the network. Monitor all traffic at the perimeter of the cardholder data
environment as well as at critical points in the cardholder data environment, and alert
personnel to suspected compromises.
12.5.3 Verify that responsibility for establishing, documenting, and distributing security
incident response and escalation procedures is formally assigned
12.10 Implement an incident response plan. Be prepared to respond immediately to a
system breach.
8.7
8.7.1
At planned intervals, the risks to service availability shall be assessed and
documented. (※42.DOCUMENT※) The organization shall determine the service
availability requirements and targets. The agreed requirements shall take into
consideration relevant business requirements, service requirements, SLAs and risks.
N/A
Service availability requirements and targets shall be documented and
maintained. (※43.DOCUMENT※)
N/A
Service availability shall be monitored, the results recorded and compared with the
targets. Unplanned non-availability shall be monitored, the results recorded
(※42.DOCUMENT※) and compared with the targets. Unplanned non-availability shall be
investigated and necessary actions taken.
N/A
Note Risks identified in 6.1 (Actions to address Risks and Opportunities) can provide input to
the risks for service availability, service continuity and information security.
N/A
8.7.2
At planned intervals, the risks to service continuity shall be assessed and
documented. (※44.DOCUMENT※) The organization shall determine the service
continuity requirements. The agreed requirements shall take into consideration relevant
business requirements, service requirements, SLAs and risks.
-
8.7.3
8.7.3.1 Information security policy -
Service availability management 【ITIL2011: Availability Management Process】 【ITIL4: Availability Management Practice; Service management practices】
Service continuity management 【ITIL2011: N/A】 【ITIL4: Service Continuity Management Practice; General management practices】
Information security management 【ITIL2011: Information Security Management Process】 【ITIL4: Information Security Management Practice; General management practices】
Service assurance
Management with appropriate authority shall approve an information security policy
relevant to the organization. The information security policy shall be documented
(※45.DOCUMENT※) and take into consideration the service requirements and the
obligations in 6.3 c (Plan the SMS - regulatory).
1.1.1.a Examine documented procedures to verify there is a formal process for testing and
approval of all:
•Network connections, and
•Changes to firewall and router configurations.
3.1.a Examine the data-retention and disposal policies, procedures and processes to verify
they include the following for all cardholder data (CHD) storage:
3.5 Examine key-management policies and procedures to verify processes are specified to
protect keys used for encryption of cardholder data against disclosure and misuse and
include at least the following:
4.2.a If end-user messaging technologies are used to send cardholder data, observe
processes for sending PAN and examine a sample of outbound transmissions as they
occur to verify that PAN is rendered unreadable or secured with strong cryptography
whenever it is sent via end-user messaging technologies.
5.3.c Describe how processes were observed to verify that anti-virus software cannot be
disabled or altered by users, unless specifically authorized by management on a case-by-
case basis for a limited time period.
6.1 Establish a process to identify security vulnerabilities, using reputable outside sources
for security vulnerability information, and assign a risk ranking (for example, as “high,”
“medium,” or “low”) to newly discovered security vulnerabilities.
6.3 Develop internal and external software applications (including web-based administrative
access to applications) securely, as follows:
•In accordance with PCI DSS (for example, secure authentication and logging).
•Based on industry standards and/or best practices.
•Incorporate information security throughout the software development life cycle.
6.4 Examine policies and procedures to verify the following are defined:
•Development/test environments are separate from production environments with access
control in place to enforce separation.
6.4.2 Observe processes and interview personnel assigned to development/test
environments and personnel assigned to production environments to verify that separation
of duties is in place between development/test environments and the production
environment.
6.4.3.a Observe testing processes and interview personnel to verify procedures are in place
to ensure production data (live PANs) are not used for testing or development.
8.1.a Review procedures and confirm they define processes for each of the items below at
The information security policy shall be made available as appropriate. The
organization shall communicate the importance of conforming to the information
security policy and its applicability to the SMS and the services to appropriate persons
within
-
a) the organization
A3.1.3 PCI DSS compliance roles and responsibilities must be specifically defined and
formally assigned to one or more personnel, including at least the following:
Managing PCI DSS business-as-usual activities
Managing annual PCI DSS assessments
Managing continuous validation of PCI DSS requirements (for example: daily, weekly,
quarterly, etc. as applicable per requirement)
Managing business-impact analysis to determine potential PCI DSS impacts for strategic
business decisions
b) customers and users
12.9 Additional testing procedure for service provider assessments only: Review service
provider’s policies and procedures and observe templates used for written agreements to
confirm the service provider acknowledges in writing to customers that the service provider
will maintain all applicable PCI DSS requirements to the extent the service provider
possesses or otherwise stores, processes, or transmits cardholder data on behalf of the
customer, or to the extent that they could impact the
security of the customer’s cardholder data environment.
c) external suppliers, internal suppliers and other interested parties.
12.1 Examine the information security policy and verify that the policy is published and
disseminated to all relevant personnel (including vendors and business partners).
8.7.3.2 Information security controls -
At planned intervals, the information security risks to the SMS and the services
shall be assessed and documented. (※46.DOCUMENT※) Information security
controls shall be determined, implemented and operated to support the information
security policy and address identified information security risks. Decisions about
information security controls shall be documented. (※47.DOCUMENT※)
12.2.b Review risk-assessment documentation to verify that the risk-assessment process is
performed at least annually and upon significant changes to the environment.
A3.3.3 Perform reviews at least quarterly to verify BAU activities are being followed.
Reviews must be performed by personnel assigned to the PCI DSS compliance program
(as identified in A3.1.3), and include the following:
Confirmation that all BAU (Business As Usual) activities (e.g., A3.2.2, A3.2.6, and A3.3.1)
are being performed
Confirmation that personnel are following security policies and operational procedures
(for example, daily log reviews, firewall rule-set reviews, configuration standards for new
systems,
etc.)
Documenting how the reviews were completed, including how all BAU activities were
verified as being in place.
Collection of documented evidence as required for the annual PCI DSS assessment
Review and sign-off of results by personnel assigned responsibility for the PCI DSS
compliance program (as identified in A3.1.3)
Retention of records and documentation for at least 12 months, covering all BAU
activities
The organization shall agree and implement information security controls to address
information security risks related to external organizations.
12.2 Implement a risk-assessment process that:
Is performed at least annually and upon significant changes to the environment (for
example, acquisition, merger, relocation, etc.),
Identifies critical assets, threats, and vulnerabilities, and
Results in a formal, documented analysis of risk.
The organization shall monitor and review the effectiveness of information security
controls and take necessary actions.
8.7.3.3 Information security incidents -
Information security incidents shall be -
a) recorded (※47.DOCUMENT※) and classified
b) prioritized taking into consideration the information security risk
c) escalated if needed
d) resolved
e) closed
The organization shall analyse the information security incidents by type, volume and
impact on the SMS, services and interested parties. Information security incidents shall be
reported and reviewed to identify opportunities for improvement.
Note The ISO27000 series specifies requirements and provides guidance to support the
implementation and operation of an information security management system.
ISO27013 provides guidance on the integration of ISO27001 and ISO20000-1 (this
document).
-
9
9.1
The organization shall determine -
a) what needs to be monitored and measured for the SMS and the services
Performance evaluation
Monitoring, Measurement, Analysis and Evaluation (※48.DOCUMENT※)
【ITIL2011: Event Management process】【ITIL4: Monitoring and event management practice: Service management practice】
1.1.7.a Verify that firewall and router configuration standards require review of firewall and
router rule sets at least every six months.
10.6.1.b Observe processes and interview personnel to verify that the following are
reviewed at least daily:
10.8.b Examine detection and alerting processes and interview personnel to verify that
processes are implemented for all critical security controls, and that failure of a critical
security control results in the generation of an alert.
11.1.2 Implement incident response procedures in the event unauthorized wireless access
points are detected.
6.1 Establish a process to identify security vulnerabilities, using reputable outside sources
for security vulnerability information, and assign a risk ranking (for example, as “high,”
“medium,” or “low”) to newly discovered security vulnerabilities.
6.2.b For a sample of system components and related software, compare the list of security
patches installed on each system to the most recent vendor security-patch list, to verify the
following:
That applicable critical vendor-supplied security patches are installed within one month of
release.
All applicable vendor-supplied security patches are installed within an appropriate time
frame (for example, within three months).
A3.3.1.1 Respond to failures of any critical security controls in a timely manner.
Processes for responding to failures in security controls must include:
Restoring security functions
Identifying and documenting the duration (date and time start to end) of the security
failure
Identifying and documenting cause(s) of failure, including root cause, and documenting
remediation required to address root cause
Identifying and addressing any security issues that arose during the failure
Performing a risk assessment to determine whether further actions are required as a
result of the security failure
Implementing controls to prevent cause of failure from reoccurring
Resuming monitoring of security controls
b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to
ensure valid results
c) when the monitoring and measuring shall be performed
d) when the results from monitoring and measurement shall be analysed and evaluated.
The organization shall retain appropriate documented info (※49.DOCUMENT※) as
evidence of the results
10.7.a Procedures for retaining audit logs for at least one year, with a minimum of three
months immediately available online.
The organization shall evaluate the SMS performance against the SM objectives and
evaluate the effectiveness of the SMS. The organization shall evaluate the effectiveness
of the services against the service requirements.
-
9.2 Internal Audit (※50. DOCUMENT※)
9.2.1 The organization shall conduct internal audits at planned intervals to provide info on
whether the SMS
a) conforms to
1) the organization's own requirements for its SMS
2) the requirements of this doc
b) is effectively implemented and maintained.
9.2.2 The organization shall
a) plan, establish, implement and maintain an audit programme(s) including the
frequency, methods, responsibilities, planning requirements and reporting, which shall
take into consideration
1) the importance of the processes concerned
2) changes affecting the organization
3) the results of previous audits
b) define the audit "Criteria" and scope for each audit
6.1 Establish a process to identify security vulnerabilities, using reputable outside sources
for security vulnerability information, and assign a risk ranking (for example, as “high,”
“medium,” or “low”) to newly discovered security vulnerabilities.
10.6.1 Review the following at least daily:
All security events
Logs of all system components that store, process, or transmit CHD and/or SAD
Logs of all critical system components
Logs of all servers and system components that perform security functions (for example,
firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication
servers, e-commerce redirection servers, etc.).
10.4 Examine configuration standards and processes to verify that time-synchronization
technology is implemented and kept current per PCI DSS Requirements 6.1 and 6.2.
10.6.2 Review logs of all other system components periodically based on the organization’s
policies and risk management strategy, as determined by the organization’s annual risk
assessment.
11.2.3.b Review scan reports and verify that the scan process includes rescans until:
For external scans, no vulnerabilities exist that are scored 4.0 or higher by the CVSS.
For internal scans, all “high risk” vulnerabilities
12.2 Implement a risk assessment process, that:
•Is performed at least annually and upon significant changes to the environment (for
example, acquisition, merger, relocation, etc.),
•Identifies critical assets, threats, and vulnerabilities, and
•Results in a formal, documented analysis of risk.
(N/A - Internal audit is not mandated for PCI DSS version 3.2.1)
c) select auditors and conduct audits to ensure objectivity and the impartiality of the audit
process
d) ensure that the results of the audits are reported to relevant management
e) retain documented info (※51.DOCUMENT※)as evidence of the implementation of
the audit programme(s) and the audit results
9.3
Top management shall review the organization's SMS and the services, at planned
intervals, to ensure their continuing suitability, adequacy and effectiveness.
The management review shall include consideration of
a) the status of actions from previous management reviews
b) changes in external and internal issues that are relevant to the SMS N/A
c) Info on the SMS performance and effectiveness of the SMS, including trends in -
1) NC and corrective actions
6.3.2 Review custom code prior to release to production or customers in order to identify
any potential coding vulnerability (using either manual or automated processes) to include
at least the following:
•Code changes are reviewed by individuals other than the originating code author, and by
individuals knowledgeable about code review techniques and secure coding practices.
•Code reviews ensure code is developed according to secure coding guidelines.
•Appropriate corrections are implemented prior to release.
•Code review results are reviewed and approved by management prior to release.
2) monitoring and measurement evaluation results
3) audit results
d) Opportunities for Continual Improvement (OFI) 【ITIL2011:N/A】 【ITIL4: Service
Continuity management practice; Service management practice 】
-
-
5.1.2 For systems considered to be not commonly affected by malicious software, perform
periodic evaluations to identify and evaluate evolving malware threats in order to confirm
whether such systems continue to not require anti-virus software.
6.1 Establish a process to identify security vulnerabilities, using reputable outside sources
for security vulnerability information, and assign a risk ranking (for example, as “high,”
“medium,” or “low”) to newly discovered security vulnerabilities.
10.6.1 Review the following at least daily:
•All security events
•Logs of all system components that store, process, or transmit CHD and/or SAD
•Logs of all critical system components
•Logs of all servers and system components that perform security functions (for example,
firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication
servers, e-commerce redirection servers, etc.).
11.2.3.b Review scan reports and verify that the scan process includes rescans until:
For external scans, no vulnerabilities exist that are scored 4.0 or higher by the CVSS.
For internal scans, all “high risk” vulnerabilities
Management Review (※DOCUMENT※)
e) feedback from customers and other interested parties
12.1.1 Verify that the information security policy is reviewed at least annually and updated
as needed to reflect changes to business objectives or the risk environment.
11.3.4.1 & A.3.2.1 Validation of PCI DSS scope should be performed as frequently as
possible to ensure PCI DSS scope remains up to date and aligned with changing business
objectives.
f) adherence to and suitability of the SM policy and other policies required by this doc -
g) achievement of SM objectives -
h) performance of the services -
i) performance of other parties involved in the delivery of the services -
j) current and forecast human, technical, information and financial resource levels, and
human and technical resource capabilities. 【ITIL2011: Financial Service
Management process】 【ITIL4: Service Financial Management; General management practices】
12.10.6 Develop a process to modify and evolve the incident response plan according to
lessons learned and to incorporate industry developments.
k) results of risk assessment and the effectiveness of actions taken to address risks and
opportunities 【ITIL2011: N/A】【ITIL4: Risk Management: General management
practices】
A3.1.1 Executive management shall establish responsibility for the protection of cardholder
data and a PCI DSS compliance program to
include:
・ Providing updates to executive management and board of directors on PCI DSS
compliance initiatives and issues, including remediation activities, at least annually
l) current and forecast human, technical, information and financial resource levels, and
human and technical resource capabilities
N/A
The outputs of the management review shall include decisions related to continual
improvement opportunities and any need for changes to the SMS and the services.
N/A
The organization shall retain documented information(※52.DOCUMENT※) as
evidence of the results of management reviews.
N/A
9.4 Service reporting N/A
The organization shall determine reporting requirements and their purpose. N/A
Reports on the performance and effectiveness of the SMS and the services shall be
produced using information from the SMS activities and delivery of the services. Service
reporting shall include trends.
N/A
The organization shall make decisions and take actions based on the findings in
service reports. The agreed actions shall be communicated to interested parties.
N/A
Note The reports that are required are specified in the relevant clauses of this document.
Additional reports can also be produced.
N/A
10
10.1
10.1.1 When a NC occurs, the organization shall
a) react to the NC, and as applicable
1) take action to control and correct it
Improvement
6.3.2 Review custom code prior to release to production or customers in order to identify
any potential coding vulnerability (using either manual or automated processes) to include
at least the following:
NC and Corrective Action (※53.DOCUMENT※)【ITIL2011: N/A】 【ITIL4: Continual improvement practice; General management practices】
2) deal with the consequences
12.4.1 Additional requirement for service providers only: Executive management shall
establish responsibility for the protection of cardholder data and a PCI DSS compliance
program to include:
•Overall accountability for maintaining PCI DSS compliance
•Defining a charter for a PCI DSS compliance program and communication to executive
management
A3.1.1 Executive management shall establish responsibility for the protection of cardholder
data and a PCI DSS compliance program to
include:
・ Overall accountability for maintaining PCI DSS compliance
・ Defining a charter for a PCI DSS compliance program
・ Providing updates to executive management and board of directors on PCI DSS
compliance initiatives and issues, including remediation activities, at least annually
b) evaluate the need for action to eliminate the causes of the NC, in order that it does not
recur or occur elsewhere, by
1) reviewing the NC
2) determining the causes of the NC
3) determining if similar NC exist, or can potentially occur
c) implement any action needed
d) review the effectiveness of any corrective action taken
e) make changes to the SMS, if necessary
12.1.1 Verify that the information security policy is reviewed at least annually and updated
as needed to reflect changes to business objectives or the risk environment.
11.3.4.1 & A.3.2.1 Validation of PCI DSS scope should be performed as frequently as
possible to ensure PCI DSS scope remains up to date and aligned with changing business
objectives.
10.1.2 The organization shall retain documented information as evidence (※54.DOCUMENT※) of:
a) the nature of the NC and any subsequent actions taken
CAP of the PCI DSS on-site assessment
b) the results of any corrective action
CAR of the PCI DSS on-site assessment
10.2 Continual improvement
The organization shall continually improve the suitability, adequacy and effectiveness
of the SMS and the services.
The organization shall determine evaluation "Criteria" to be applied to the opportunities
for improvement when making decisions on their approval. Evaluation "Criteria" shall
include alignment of the improvement with SM objectives.
10.8.1.a Examine documented policies and procedures and interview personnel to verify
processes are defined and implemented to respond to a security control failure, and
include:
•Identifying and documenting cause(s) of failure, including root cause, and documenting
remediation required to address root cause
•Performing a risk assessment to determine whether further actions are required as a
result of the security failure
•Implementing controls to prevent cause of failure from reoccurring
A3.1.3 PCI DSS compliance roles and responsibilities must be specifically defined and
formally assigned to one or more personnel, including at least the following:
•Managing PCI DSS business-as-usual activities
•Managing annual PCI DSS assessments
•Managing continuous validation of PCI DSS requirements (for example: daily, weekly,
quarterly, etc. as applicable per requirement)
•Managing business-impact analysis to determine potential PCI DSS impacts for strategic
business decisions