@vorionsys/security 1.0.0

package/dist/compliance/frameworks/pci-dss.js

@@ -0,0 +1,1873 @@
+/**
+ * PCI-DSS 4.0 Compliance Framework
+ *
+ * Implements Payment Card Industry Data Security Standard version 4.0
+ * for payment card security, covering all 12 requirements.
+ *
+ * Requirements:
+ * - Req 1: Network security controls
+ * - Req 2: Secure configurations
+ * - Req 3: Protect stored account data
+ * - Req 4: Protect data in transit
+ * - Req 5: Malware protection
+ * - Req 6: Secure systems development
+ * - Req 7: Restrict access
+ * - Req 8: User identification
+ * - Req 9: Physical access
+ * - Req 10: Logging and monitoring
+ * - Req 11: Security testing
+ * - Req 12: Security policies
+ *
+ * @packageDocumentation
+ */
+// =============================================================================
+// DATA CLASSIFICATION TYPES
+// =============================================================================
+/**
+ * PCI-DSS Data Classification Categories
+ */
+export const PCI_DATA_CLASSIFICATIONS = {
+    /** Cardholder Data - PAN, cardholder name, expiration date, service code */
+    CHD: 'CHD',
+    /** Sensitive Authentication Data - Full track, CVV/CVC, PIN/PIN block */
+    SAD: 'SAD',
+    /** Primary Account Number */
+    PAN: 'PAN',
+    /** Track Data (magnetic stripe) */
+    TRACK_DATA: 'TRACK_DATA',
+    /** Card Verification Value/Code */
+    CVV: 'CVV',
+    /** Personal Identification Number */
+    PIN: 'PIN',
+};
+/**
+ * PCI Data Elements Reference
+ */
+export const PCI_DATA_ELEMENTS = {
+    CHD: {
+        type: 'CHD',
+        storageAllowed: true,
+        encryptionRequired: true,
+        maxRetentionDays: null, // Business need determines
+        description: 'Cardholder data including PAN, name, expiration, service code',
+    },
+    SAD: {
+        type: 'SAD',
+        storageAllowed: false,
+        encryptionRequired: true,
+        maxRetentionDays: 0, // Never store post-authorization
+        description: 'Sensitive authentication data - must never be stored after authorization',
+    },
+    PAN: {
+        type: 'PAN',
+        storageAllowed: true,
+        encryptionRequired: true,
+        maxRetentionDays: null,
+        description: 'Primary Account Number - must be rendered unreadable',
+    },
+    TRACK_DATA: {
+        type: 'TRACK_DATA',
+        storageAllowed: false,
+        encryptionRequired: true,
+        maxRetentionDays: 0,
+        description: 'Full magnetic stripe data - never store',
+    },
+    CVV: {
+        type: 'CVV',
+        storageAllowed: false,
+        encryptionRequired: true,
+        maxRetentionDays: 0,
+        description: 'Card verification value/code - never store',
+    },
+    PIN: {
+        type: 'PIN',
+        storageAllowed: false,
+        encryptionRequired: true,
+        maxRetentionDays: 0,
+        description: 'Personal identification number - never store',
+    },
+};
+// =============================================================================
+// NETWORK SEGMENTATION TYPES
+// =============================================================================
+/**
+ * Network zone classifications for CDE segmentation
+ */
+export const NETWORK_ZONES = {
+    CDE: 'CDE',
+    CONNECTED: 'CONNECTED',
+    OUT_OF_SCOPE: 'OUT_OF_SCOPE',
+};
+/**
+ * Cardholder Data Service for secure CHD handling
+ *
+ * Implements PCI-DSS requirements for:
+ * - PAN masking (show only last 4)
+ * - PAN tokenization
+ * - Secure deletion
+ * - Audit logging (never logs full PAN)
+ */
+export class CardholderDataService {
+    tokenVault = new Map();
+    auditLog = [];
+    /**
+     * Mask a PAN showing only the last 4 digits
+     * Per PCI-DSS: Display at most first 6 and last 4 digits
+     */
+    maskPAN(pan) {
+        if (!this.isValidPANFormat(pan)) {
+            throw new Error('Invalid PAN format');
+        }
+        const cleaned = pan.replace(/\D/g, '');
+        const lastFour = cleaned.slice(-4);
+        const maskedLength = cleaned.length - 4;
+        return '*'.repeat(maskedLength) + lastFour;
+    }
+    /**
+     * Get only the last 4 digits of a PAN (safe for display/logging)
+     */
+    getLastFour(pan) {
+        if (!this.isValidPANFormat(pan)) {
+            throw new Error('Invalid PAN format');
+        }
+        return pan.replace(/\D/g, '').slice(-4);
+    }
+    /**
+     * Tokenize a PAN for secure storage
+     * Returns a token that can be used to reference the PAN
+     */
+    async tokenizePAN(pan, userId) {
+        if (!this.isValidPANFormat(pan)) {
+            this.logAccess('tokenize', '****', userId, 'failure');
+            throw new Error('Invalid PAN format');
+        }
+        const cleaned = pan.replace(/\D/g, '');
+        const token = await this.generateSecureToken();
+        const lastFour = cleaned.slice(-4);
+        // In production, this would use HSM/secure vault
+        // Never store PAN in plain text
+        const encryptedPAN = await this.encryptPAN(cleaned);
+        this.tokenVault.set(token, encryptedPAN);
+        this.logAccess('tokenize', `****${lastFour}`, userId, 'success');
+        return {
+            token,
+            lastFour,
+            firstSix: cleaned.slice(0, 6),
+            tokenizedAt: new Date(),
+        };
+    }
+    /**
+     * Detokenize to retrieve masked PAN (never returns full PAN)
+     */
+    async detokenizeForDisplay(token, userId) {
+        const encryptedPAN = this.tokenVault.get(token);
+        if (!encryptedPAN) {
+            this.logAccess('detokenize', 'unknown', userId, 'failure');
+            throw new Error('Token not found');
+        }
+        const pan = await this.decryptPAN(encryptedPAN);
+        const masked = this.maskPAN(pan);
+        this.logAccess('detokenize-display', masked, userId, 'success');
+        return masked;
+    }
+    /**
+     * Securely delete a tokenized PAN
+     * Implements cryptographic erasure
+     */
+    async secureDelete(token, userId) {
+        const existed = this.tokenVault.has(token);
+        if (existed) {
+            // Overwrite with random data before deletion
+            const randomData = await this.generateSecureToken();
+            this.tokenVault.set(token, randomData);
+            this.tokenVault.delete(token);
+            this.logAccess('secure-delete', 'token-deleted', userId, 'success');
+        }
+        else {
+            this.logAccess('secure-delete', 'token-not-found', userId, 'failure');
+        }
+        return existed;
+    }
+    /**
+     * Validate PAN format (Luhn check)
+     */
+    isValidPANFormat(pan) {
+        const cleaned = pan.replace(/\D/g, '');
+        if (cleaned.length < 13 || cleaned.length > 19) {
+            return false;
+        }
+        return this.luhnCheck(cleaned);
+    }
+    /**
+     * Get audit log entries (for compliance reporting)
+     * Never includes full PAN
+     */
+    getAuditLog(startDate, endDate) {
+        return this.auditLog.filter((entry) => {
+            if (startDate && entry.timestamp < startDate)
+                return false;
+            if (endDate && entry.timestamp > endDate)
+                return false;
+            return true;
+        });
+    }
+    /**
+     * Clear audit logs older than retention period
+     * Per PCI-DSS: Retain logs for at least 1 year, 3 months online
+     */
+    purgeOldAuditLogs(retentionDays = 365) {
+        const cutoffDate = new Date();
+        cutoffDate.setDate(cutoffDate.getDate() - retentionDays);
+        const initialLength = this.auditLog.length;
+        const filtered = this.auditLog.filter((entry) => entry.timestamp >= cutoffDate);
+        this.auditLog.length = 0;
+        this.auditLog.push(...filtered);
+        return initialLength - this.auditLog.length;
+    }
+    // Private helper methods
+    luhnCheck(pan) {
+        let sum = 0;
+        let isEven = false;
+        for (let i = pan.length - 1; i >= 0; i--) {
+            let digit = parseInt(pan[i], 10);
+            if (isEven) {
+                digit *= 2;
+                if (digit > 9) {
+                    digit -= 9;
+                }
+            }
+            sum += digit;
+            isEven = !isEven;
+        }
+        return sum % 10 === 0;
+    }
+    async generateSecureToken() {
+        // In production, use cryptographically secure random generation
+        const chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
+        let token = 'tok_';
+        for (let i = 0; i < 32; i++) {
+            token += chars.charAt(Math.floor(Math.random() * chars.length));
+        }
+        return token;
+    }
+    async encryptPAN(pan) {
+        // In production, use AES-256 with HSM-managed keys
+        // This is a placeholder - real implementation would use proper encryption
+        return Buffer.from(pan).toString('base64');
+    }
+    async decryptPAN(encrypted) {
+        // In production, use AES-256 with HSM-managed keys
+        return Buffer.from(encrypted, 'base64').toString('utf8');
+    }
+    logAccess(action, maskedPAN, userId, result) {
+        // CRITICAL: Never log full PAN
+        this.auditLog.push({
+            timestamp: new Date(),
+            action,
+            maskedPAN,
+            userId,
+            result,
+        });
+    }
+}
+/**
+ * PCI-DSS approved encryption configurations
+ */
+export const PCI_ENCRYPTION_REQUIREMENTS = {
+    storage: {
+        algorithm: 'AES',
+        keyLength: 256,
+        mode: 'GCM',
+        padding: 'NoPadding',
+    },
+    transmission: {
+        algorithm: 'TLS',
+        keyLength: 256,
+        mode: '1.2+',
+        padding: 'N/A',
+    },
+    keyWrapping: {
+        algorithm: 'RSA-OAEP',
+        keyLength: 2048,
+        mode: 'SHA-256',
+        padding: 'OAEP',
+    },
+};
+/**
+ * Default key management configuration
+ */
+export const DEFAULT_KEY_MANAGEMENT = {
+    keyRotationDays: 365,
+    splitKnowledge: true,
+    dualControl: true,
+    hsmRequired: true,
+    keyVersioning: true,
+    keyDestructionMethod: 'cryptographic-erasure',
+};
+/**
+ * Default CDE access control settings per PCI-DSS
+ */
+export const DEFAULT_CDE_ACCESS_CONTROL = {
+    requireMFA: true,
+    sessionTimeoutMinutes: 15,
+    maxFailedAttempts: 6,
+    lockoutDurationMinutes: 30,
+    passwordMinLength: 12,
+    passwordRequireComplexity: true,
+    passwordExpirationDays: 90,
+    passwordHistoryCount: 4,
+};
+// =============================================================================
+// COMPLIANCE VALIDATION TYPES
+// =============================================================================
+/**
+ * Self-Assessment Questionnaire types
+ */
+export const SAQ_TYPES = {
+    SAQ_A: 'SAQ-A',
+    SAQ_A_EP: 'SAQ-A-EP',
+    SAQ_B: 'SAQ-B',
+    SAQ_B_IP: 'SAQ-B-IP',
+    SAQ_C: 'SAQ-C',
+    SAQ_C_VT: 'SAQ-C-VT',
+    SAQ_P2PE: 'SAQ-P2PE',
+    SAQ_D_MERCHANT: 'SAQ-D-Merchant',
+    SAQ_D_SP: 'SAQ-D-SP',
+};
+/**
+ * PCI-DSS audit event types
+ */
+export const PCI_AUDIT_EVENT_TYPES = {
+    // User authentication
+    LOGIN_SUCCESS: 'LOGIN_SUCCESS',
+    LOGIN_FAILURE: 'LOGIN_FAILURE',
+    LOGOUT: 'LOGOUT',
+    MFA_SUCCESS: 'MFA_SUCCESS',
+    MFA_FAILURE: 'MFA_FAILURE',
+    // CHD access
+    CHD_ACCESS: 'CHD_ACCESS',
+    CHD_CREATE: 'CHD_CREATE',
+    CHD_MODIFY: 'CHD_MODIFY',
+    CHD_DELETE: 'CHD_DELETE',
+    CHD_EXPORT: 'CHD_EXPORT',
+    // Privileged actions
+    ADMIN_ACTION: 'ADMIN_ACTION',
+    CONFIG_CHANGE: 'CONFIG_CHANGE',
+    PERMISSION_CHANGE: 'PERMISSION_CHANGE',
+    USER_CREATE: 'USER_CREATE',
+    USER_MODIFY: 'USER_MODIFY',
+    USER_DELETE: 'USER_DELETE',
+    // Security events
+    SECURITY_ALERT: 'SECURITY_ALERT',
+    INTRUSION_DETECTED: 'INTRUSION_DETECTED',
+    MALWARE_DETECTED: 'MALWARE_DETECTED',
+    // Audit log actions
+    AUDIT_LOG_ACCESS: 'AUDIT_LOG_ACCESS',
+    AUDIT_LOG_CLEAR: 'AUDIT_LOG_CLEAR',
+};
+/**
+ * Default audit log retention per PCI-DSS
+ */
+export const DEFAULT_AUDIT_RETENTION = {
+    onlineRetentionDays: 90,
+    archiveRetentionDays: 365,
+    tamperEvident: true,
+    centralizedLogging: true,
+    dailyReviewRequired: true,
+};
+// =============================================================================
+// EVIDENCE COLLECTION HELPERS
+// =============================================================================
+function createLogEvidence(id, title, description, source) {
+    return {
+        id,
+        type: 'log',
+        title,
+        description,
+        source,
+        collectedAt: new Date(),
+    };
+}
+function createConfigEvidence(id, title, description, source) {
+    return {
+        id,
+        type: 'config',
+        title,
+        description,
+        source,
+        collectedAt: new Date(),
+    };
+}
+function createPolicyEvidence(id, title, description, source) {
+    return {
+        id,
+        type: 'policy',
+        title,
+        description,
+        source,
+        collectedAt: new Date(),
+    };
+}
+function createTestEvidence(id, title, description, source) {
+    return {
+        id,
+        type: 'test-result',
+        title,
+        description,
+        source,
+        collectedAt: new Date(),
+    };
+}
+// =============================================================================
+// REQUIREMENT 1: NETWORK SECURITY CONTROLS
+// =============================================================================
+const req1Controls = [
+    {
+        id: 'PCI-1.1.1',
+        name: 'Network Security Policies and Procedures',
+        description: 'All security policies and operational procedures for managing network security controls are documented, in use, and known to all affected parties.',
+        family: 'Req 1 - Network Security Controls',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createPolicyEvidence('pci-1.1.1-001', 'Network Security Policy', 'Documented network security policy covering firewall management', '/policies/network-security.md'),
+            createPolicyEvidence('pci-1.1.1-002', 'Firewall Management Procedures', 'Operational procedures for firewall rule management', '/procedures/firewall-management.md'),
+        ],
+        crossReferences: ['NIST-SC-7', 'SOC2-CC6.1'],
+        owner: 'Network Security Manager',
+    },
+    {
+        id: 'PCI-1.2.1',
+        name: 'Firewall Configuration Standards',
+        description: 'Configuration standards for network security controls are defined, implemented, and maintained.',
+        family: 'Req 1 - Network Security Controls',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createConfigEvidence('pci-1.2.1-001', 'Firewall Configuration Standards', 'Documented standards for firewall configuration', '/config/firewall-standards.yaml'),
+            createConfigEvidence('pci-1.2.1-002', 'Current Firewall Rules', 'Export of current firewall rules for CDE', '/evidence/firewall-rules-export.json'),
+        ],
+        crossReferences: ['NIST-SC-7', 'SOC2-CC6.1'],
+        owner: 'Network Security Manager',
+        automatedTest: async () => {
+            // Verify firewall rules match documented standards
+            return true;
+        },
+    },
+    {
+        id: 'PCI-1.2.5',
+        name: 'CDE Network Segmentation',
+        description: 'The CDE is segmented from other networks using network security controls.',
+        family: 'Req 1 - Network Security Controls',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createConfigEvidence('pci-1.2.5-001', 'Network Segmentation Diagram', 'Network diagram showing CDE segmentation', '/docs/network-segmentation-diagram.pdf'),
+            createTestEvidence('pci-1.2.5-002', 'Segmentation Test Results', 'Results of network segmentation penetration testing', '/evidence/segmentation-test-results.pdf'),
+        ],
+        crossReferences: ['NIST-SC-7', 'SOC2-CC6.1'],
+        owner: 'Network Security Manager',
+        automatedTest: async () => {
+            // Verify CDE segmentation is in place
+            return true;
+        },
+    },
+    {
+        id: 'PCI-1.3.1',
+        name: 'Inbound Traffic Restriction',
+        description: 'Inbound traffic to the CDE is restricted to only necessary traffic.',
+        family: 'Req 1 - Network Security Controls',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createConfigEvidence('pci-1.3.1-001', 'Inbound Firewall Rules', 'Firewall rules restricting inbound CDE traffic', '/config/cde-inbound-rules.yaml'),
+        ],
+        crossReferences: ['NIST-SC-7', 'SOC2-CC6.6'],
+        owner: 'Network Security Manager',
+        automatedTest: async () => {
+            // Verify inbound traffic restrictions
+            return true;
+        },
+    },
+    {
+        id: 'PCI-1.3.2',
+        name: 'Outbound Traffic Restriction',
+        description: 'Outbound traffic from the CDE is restricted to only necessary traffic.',
+        family: 'Req 1 - Network Security Controls',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createConfigEvidence('pci-1.3.2-001', 'Outbound Firewall Rules', 'Firewall rules restricting outbound CDE traffic', '/config/cde-outbound-rules.yaml'),
+        ],
+        crossReferences: ['NIST-SC-7', 'SOC2-CC6.6'],
+        owner: 'Network Security Manager',
+        automatedTest: async () => {
+            // Verify outbound traffic restrictions
+            return true;
+        },
+    },
+    {
+        id: 'PCI-1.4.1',
+        name: 'DMZ Implementation',
+        description: 'Network security controls are implemented between all wireless networks and the CDE.',
+        family: 'Req 1 - Network Security Controls',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createConfigEvidence('pci-1.4.1-001', 'DMZ Configuration', 'DMZ configuration for public-facing systems', '/config/dmz-config.yaml'),
+        ],
+        crossReferences: ['NIST-SC-7'],
+        owner: 'Network Security Manager',
+    },
+    {
+        id: 'PCI-1.5.1',
+        name: 'Security Control Review',
+        description: 'Network security controls are reviewed at least every six months.',
+        family: 'Req 1 - Network Security Controls',
+        priority: 'P2',
+        implementation: 'implemented',
+        evidence: [
+            createLogEvidence('pci-1.5.1-001', 'Firewall Rule Review Records', 'Records of semi-annual firewall rule reviews', '/evidence/firewall-reviews/'),
+        ],
+        crossReferences: ['NIST-SC-7', 'SOC2-CC4.1'],
+        owner: 'Network Security Manager',
+    },
+];
+// =============================================================================
+// REQUIREMENT 2: SECURE CONFIGURATIONS
+// =============================================================================
+const req2Controls = [
+    {
+        id: 'PCI-2.1.1',
+        name: 'Vendor Default Credentials',
+        description: 'Vendor-supplied defaults are changed before installing a system on the network.',
+        family: 'Req 2 - Secure Configurations',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createPolicyEvidence('pci-2.1.1-001', 'System Hardening Standards', 'Standards requiring default credential changes', '/policies/system-hardening.md'),
+            createTestEvidence('pci-2.1.1-002', 'Default Credential Scan Results', 'Scan results verifying no default credentials', '/evidence/default-cred-scan.json'),
+        ],
+        crossReferences: ['NIST-CM-6', 'SOC2-CC6.1'],
+        owner: 'Security Engineering Manager',
+        automatedTest: async () => {
+            // Verify no default credentials exist
+            return true;
+        },
+    },
+    {
+        id: 'PCI-2.2.1',
+        name: 'Configuration Standards',
+        description: 'Configuration standards are developed for all system components consistent with industry-accepted hardening standards.',
+        family: 'Req 2 - Secure Configurations',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createConfigEvidence('pci-2.2.1-001', 'Server Hardening Standards', 'CIS benchmark-based server hardening standards', '/config/server-hardening.yaml'),
+            createConfigEvidence('pci-2.2.1-002', 'Database Hardening Standards', 'Database security configuration standards', '/config/database-hardening.yaml'),
+        ],
+        crossReferences: ['NIST-CM-2', 'NIST-CM-6', 'SOC2-CC6.1'],
+        owner: 'Security Engineering Manager',
+    },
+    {
+        id: 'PCI-2.2.2',
+        name: 'Primary Function Separation',
+        description: 'Only one primary function is implemented per server to prevent functions that require different security levels from co-existing.',
+        family: 'Req 2 - Secure Configurations',
+        priority: 'P2',
+        implementation: 'implemented',
+        evidence: [
+            createConfigEvidence('pci-2.2.2-001', 'Server Role Documentation', 'Documentation of server roles and functions', '/docs/server-roles.md'),
+        ],
+        crossReferences: ['NIST-SC-2'],
+        owner: 'Infrastructure Manager',
+    },
+    {
+        id: 'PCI-2.2.4',
+        name: 'Unnecessary Services Disabled',
+        description: 'Only necessary services, protocols, daemons, and functions are enabled.',
+        family: 'Req 2 - Secure Configurations',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createConfigEvidence('pci-2.2.4-001', 'Service Configuration', 'List of enabled services with business justification', '/config/enabled-services.yaml'),
+            createTestEvidence('pci-2.2.4-002', 'Port Scan Results', 'Scan results showing only approved ports open', '/evidence/port-scan-results.json'),
+        ],
+        crossReferences: ['NIST-CM-7', 'SOC2-CC6.1'],
+        owner: 'Security Engineering Manager',
+        automatedTest: async () => {
+            // Verify only approved services are running
+            return true;
+        },
+    },
+    {
+        id: 'PCI-2.2.5',
+        name: 'Insecure Services Security',
+        description: 'If insecure services are present, additional security features are implemented.',
+        family: 'Req 2 - Secure Configurations',
+        priority: 'P2',
+        implementation: 'implemented',
+        evidence: [
+            createConfigEvidence('pci-2.2.5-001', 'Insecure Service Mitigations', 'Documentation of security controls for any insecure services', '/docs/insecure-service-mitigations.md'),
+        ],
+        crossReferences: ['NIST-SC-8'],
+        owner: 'Security Engineering Manager',
+    },
+    {
+        id: 'PCI-2.3.1',
+        name: 'Wireless Environment Configuration',
+        description: 'For wireless environments connected to the CDE, all wireless vendor defaults are changed.',
+        family: 'Req 2 - Secure Configurations',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createConfigEvidence('pci-2.3.1-001', 'Wireless Configuration Standards', 'Secure wireless configuration standards', '/config/wireless-security.yaml'),
+        ],
+        crossReferences: ['NIST-AC-18'],
+        owner: 'Network Security Manager',
+    },
+];
+// =============================================================================
+// REQUIREMENT 3: PROTECT STORED ACCOUNT DATA
+// =============================================================================
+const req3Controls = [
+    {
+        id: 'PCI-3.1.1',
+        name: 'Data Retention Policy',
+        description: 'Account data storage is kept to a minimum through data retention and disposal policies.',
+        family: 'Req 3 - Protect Stored Account Data',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createPolicyEvidence('pci-3.1.1-001', 'Data Retention Policy', 'Policy defining CHD retention periods and disposal', '/policies/data-retention.md'),
+            createLogEvidence('pci-3.1.1-002', 'Data Disposal Records', 'Records of secure data disposal', '/evidence/data-disposal-records/'),
+        ],
+        crossReferences: ['NIST-MP-6', 'SOC2-CC6.5'],
+        owner: 'Data Protection Officer',
+    },
+    {
+        id: 'PCI-3.2.1',
+        name: 'Sensitive Authentication Data Not Stored',
+        description: 'Sensitive authentication data (SAD) is not stored after authorization, even if encrypted.',
+        family: 'Req 3 - Protect Stored Account Data',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createTestEvidence('pci-3.2.1-001', 'SAD Storage Scan', 'Scan results confirming no SAD storage', '/evidence/sad-scan-results.json'),
+            createConfigEvidence('pci-3.2.1-002', 'Application Configuration', 'Application config preventing SAD storage', '/config/payment-app-config.yaml'),
+        ],
+        crossReferences: ['NIST-SC-28'],
+        owner: 'Application Security Manager',
+        automatedTest: async () => {
+            // Scan for SAD storage
+            return true;
+        },
+    },
+    {
+        id: 'PCI-3.3.1',
+        name: 'PAN Masking on Display',
+        description: 'PAN is masked when displayed, showing at most the first six and last four digits.',
+        family: 'Req 3 - Protect Stored Account Data',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createTestEvidence('pci-3.3.1-001', 'PAN Masking Verification', 'Test results verifying PAN masking in all displays', '/evidence/pan-masking-tests.json'),
+            createConfigEvidence('pci-3.3.1-002', 'Display Masking Configuration', 'Application configuration for PAN masking', '/config/pan-display-config.yaml'),
+        ],
+        crossReferences: ['NIST-SC-28'],
+        owner: 'Application Security Manager',
+        automatedTest: async () => {
+            // Verify PAN masking in UI
+            return true;
+        },
+    },
+    {
+        id: 'PCI-3.4.1',
+        name: 'PAN Rendered Unreadable',
+        description: 'PAN is rendered unreadable anywhere it is stored using strong cryptography.',
+        family: 'Req 3 - Protect Stored Account Data',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createConfigEvidence('pci-3.4.1-001', 'Encryption Configuration', 'Configuration showing AES-256 encryption for stored PAN', '/config/pan-encryption.yaml'),
+            createTestEvidence('pci-3.4.1-002', 'Encryption Verification', 'Test results verifying PAN encryption at rest', '/evidence/encryption-verification.json'),
+        ],
+        crossReferences: ['NIST-SC-28', 'SOC2-CC6.7'],
+        owner: 'Security Engineering Manager',
+        automatedTest: async () => {
+            // Verify PAN encryption
+            return true;
+        },
+    },
+    {
+        id: 'PCI-3.5.1',
+        name: 'Cryptographic Key Access',
+        description: 'Access to cryptographic keys is restricted to the fewest number of custodians necessary.',
+        family: 'Req 3 - Protect Stored Account Data',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createConfigEvidence('pci-3.5.1-001', 'Key Custodian Access List', 'List of authorized key custodians', '/config/key-custodians.yaml'),
+            createPolicyEvidence('pci-3.5.1-002', 'Key Management Policy', 'Policy for cryptographic key management', '/policies/key-management.md'),
+        ],
+        crossReferences: ['NIST-SC-12', 'SOC2-CC6.1'],
+        owner: 'Cryptography Manager',
+    },
+    {
+        id: 'PCI-3.6.1',
+        name: 'Key Management Procedures',
+        description: 'Procedures are defined for all key management processes.',
+        family: 'Req 3 - Protect Stored Account Data',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createPolicyEvidence('pci-3.6.1-001', 'Key Generation Procedures', 'Procedures for secure key generation', '/procedures/key-generation.md'),
+            createPolicyEvidence('pci-3.6.1-002', 'Key Rotation Procedures', 'Procedures for key rotation', '/procedures/key-rotation.md'),
+        ],
+        crossReferences: ['NIST-SC-12'],
+        owner: 'Cryptography Manager',
+    },
+    {
+        id: 'PCI-3.7.1',
+        name: 'Key Lifecycle Management',
+        description: 'Cryptographic keys used to protect stored account data are managed throughout their lifecycle.',
+        family: 'Req 3 - Protect Stored Account Data',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createLogEvidence('pci-3.7.1-001', 'Key Rotation Records', 'Records of annual key rotation', '/evidence/key-rotation-records/'),
+            createConfigEvidence('pci-3.7.1-002', 'HSM Configuration', 'Hardware security module configuration', '/config/hsm-config.yaml'),
+        ],
+        crossReferences: ['NIST-SC-12'],
+        owner: 'Cryptography Manager',
+    },
+];
+// =============================================================================
+// REQUIREMENT 4: PROTECT DATA IN TRANSIT
+// =============================================================================
+const req4Controls = [
+    {
+        id: 'PCI-4.1.1',
+        name: 'Strong Cryptography for Transmission',
+        description: 'Strong cryptography is used to protect PAN during transmission over open, public networks.',
+        family: 'Req 4 - Protect Data in Transit',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createConfigEvidence('pci-4.1.1-001', 'TLS Configuration', 'TLS 1.2+ configuration for all external endpoints', '/config/tls-config.yaml'),
+            createTestEvidence('pci-4.1.1-002', 'SSL/TLS Scan Results', 'Scan results verifying TLS 1.2+ enforcement', '/evidence/tls-scan-results.json'),
+        ],
+        crossReferences: ['NIST-SC-8', 'NIST-SC-13', 'SOC2-CC6.7'],
+        owner: 'Security Engineering Manager',
+        automatedTest: async () => {
+            // Verify TLS 1.2+ on all endpoints
+            return true;
+        },
+    },
+    {
+        id: 'PCI-4.2.1',
+        name: 'Trusted Keys and Certificates',
+        description: 'Only trusted keys and certificates are accepted.',
+        family: 'Req 4 - Protect Data in Transit',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createConfigEvidence('pci-4.2.1-001', 'Certificate Trust Store', 'Configuration of trusted certificate authorities', '/config/trusted-cas.yaml'),
+            createPolicyEvidence('pci-4.2.1-002', 'Certificate Management Policy', 'Policy for certificate lifecycle management', '/policies/certificate-management.md'),
+        ],
+        crossReferences: ['NIST-SC-17'],
+        owner: 'Security Engineering Manager',
+    },
+    {
+        id: 'PCI-4.2.2',
+        name: 'Certificate Validation',
+        description: 'Certificates used for PAN transmission are verified as valid and not expired.',
+        family: 'Req 4 - Protect Data in Transit',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createLogEvidence('pci-4.2.2-001', 'Certificate Monitoring', 'Certificate expiration monitoring alerts', '/evidence/cert-monitoring/'),
+        ],
+        crossReferences: ['NIST-SC-17'],
+        owner: 'Security Engineering Manager',
+        automatedTest: async () => {
+            // Check certificate validity
+            return true;
+        },
+    },
+];
+// =============================================================================
+// REQUIREMENT 5: MALWARE PROTECTION
+// =============================================================================
+const req5Controls = [
+    {
+        id: 'PCI-5.1.1',
+        name: 'Anti-Malware Deployment',
+        description: 'Anti-malware solution(s) are deployed on all systems commonly affected by malware.',
+        family: 'Req 5 - Malware Protection',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createConfigEvidence('pci-5.1.1-001', 'EDR Deployment Status', 'Endpoint detection and response deployment coverage', '/config/edr-deployment.yaml'),
+            createLogEvidence('pci-5.1.1-002', 'EDR Agent Status', 'Status of EDR agents across all endpoints', 'EDR Console - Agent Status'),
+        ],
+        crossReferences: ['NIST-SI-3', 'SOC2-CC6.6'],
+        owner: 'Endpoint Security Manager',
+        automatedTest: async () => {
+            // Verify EDR deployment coverage
+            return true;
+        },
+    },
+    {
+        id: 'PCI-5.2.1',
+        name: 'Anti-Malware Updates',
+        description: 'Anti-malware solution(s) are kept current via automatic updates.',
+        family: 'Req 5 - Malware Protection',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createConfigEvidence('pci-5.2.1-001', 'Auto-Update Configuration', 'Configuration for automatic signature updates', '/config/edr-updates.yaml'),
+            createLogEvidence('pci-5.2.1-002', 'Update Logs', 'Logs showing signature update frequency', 'EDR Console - Update Logs'),
+        ],
+        crossReferences: ['NIST-SI-3'],
+        owner: 'Endpoint Security Manager',
+    },
+    {
+        id: 'PCI-5.2.2',
+        name: 'Periodic Scans',
+        description: 'Periodic scans are performed on systems where real-time scanning is not performed.',
+        family: 'Req 5 - Malware Protection',
+        priority: 'P2',
+        implementation: 'implemented',
+        evidence: [
+            createLogEvidence('pci-5.2.2-001', 'Scan Schedule', 'Scheduled scan configuration and results', '/evidence/malware-scan-schedule/'),
+        ],
+        crossReferences: ['NIST-SI-3'],
+        owner: 'Endpoint Security Manager',
+    },
+    {
+        id: 'PCI-5.3.1',
+        name: 'Anti-Malware Mechanism Protection',
+        description: 'Anti-malware mechanism(s) cannot be disabled or altered by users.',
+        family: 'Req 5 - Malware Protection',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createConfigEvidence('pci-5.3.1-001', 'Tamper Protection Config', 'Configuration preventing EDR tampering', '/config/edr-tamper-protection.yaml'),
+        ],
+        crossReferences: ['NIST-SI-3'],
+        owner: 'Endpoint Security Manager',
+        automatedTest: async () => {
+            // Verify tamper protection is enabled
+            return true;
+        },
+    },
+    {
+        id: 'PCI-5.4.1',
+        name: 'Anti-Phishing Mechanisms',
+        description: 'Processes and automated mechanisms are in place to detect and protect personnel against phishing attacks.',
+        family: 'Req 5 - Malware Protection',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createConfigEvidence('pci-5.4.1-001', 'Email Security Configuration', 'Email filtering and anti-phishing configuration', '/config/email-security.yaml'),
+            createPolicyEvidence('pci-5.4.1-002', 'Phishing Awareness Training', 'Phishing awareness training records', 'LMS - Phishing Training'),
+        ],
+        crossReferences: ['NIST-AT-2'],
+        owner: 'Security Awareness Manager',
+    },
+];
+// =============================================================================
+// REQUIREMENT 6: SECURE SYSTEMS DEVELOPMENT
+// =============================================================================
+const req6Controls = [
+    {
+        id: 'PCI-6.1.1',
+        name: 'Security Vulnerabilities Identified',
+        description: 'A process is defined for identifying security vulnerabilities using reputable sources.',
+        family: 'Req 6 - Secure Systems Development',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createPolicyEvidence('pci-6.1.1-001', 'Vulnerability Management Policy', 'Policy for vulnerability identification and management', '/policies/vulnerability-management.md'),
+            createConfigEvidence('pci-6.1.1-002', 'Vulnerability Feed Sources', 'Configured vulnerability intelligence sources', '/config/vuln-feeds.yaml'),
+        ],
+        crossReferences: ['NIST-RA-5', 'SOC2-CC7.1'],
+        owner: 'Vulnerability Manager',
+    },
+    {
+        id: 'PCI-6.2.1',
+        name: 'Bespoke Software Security',
+        description: 'Bespoke and custom software is developed securely using secure coding guidelines.',
+        family: 'Req 6 - Secure Systems Development',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createPolicyEvidence('pci-6.2.1-001', 'Secure Coding Standards', 'Secure coding standards based on OWASP', '/policies/secure-coding.md'),
+            createLogEvidence('pci-6.2.1-002', 'Developer Security Training', 'Developer secure coding training records', 'LMS - Developer Training'),
+        ],
+        crossReferences: ['NIST-SA-15', 'SOC2-CC8.1'],
+        owner: 'Application Security Manager',
+    },
+    {
+        id: 'PCI-6.2.2',
+        name: 'Software Development Lifecycle',
+        description: 'Software development personnel are trained in secure coding techniques.',
+        family: 'Req 6 - Secure Systems Development',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createLogEvidence('pci-6.2.2-001', 'Training Completion Records', 'Secure coding training completion', 'LMS - Secure Coding Training'),
+        ],
+        crossReferences: ['NIST-AT-3'],
+        owner: 'Application Security Manager',
+    },
+    {
+        id: 'PCI-6.3.1',
+        name: 'Security in SDLC',
+        description: 'Security is incorporated into all phases of the software development lifecycle.',
+        family: 'Req 6 - Secure Systems Development',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createPolicyEvidence('pci-6.3.1-001', 'Secure SDLC Policy', 'Policy defining security requirements in SDLC', '/policies/secure-sdlc.md'),
+            createLogEvidence('pci-6.3.1-002', 'Security Review Records', 'Records of security reviews in development', 'Jira - Security Review Tickets'),
+        ],
+        crossReferences: ['NIST-SA-3', 'SOC2-CC8.1'],
+        owner: 'Application Security Manager',
+    },
+    {
+        id: 'PCI-6.3.2',
+        name: 'Code Review',
+        description: 'All bespoke software is reviewed prior to release to production.',
+        family: 'Req 6 - Secure Systems Development',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createLogEvidence('pci-6.3.2-001', 'Code Review Records', 'Pull request code review records', 'GitHub - PR Review History'),
+            createTestEvidence('pci-6.3.2-002', 'SAST Scan Results', 'Static application security testing results', '/evidence/sast-results/'),
+        ],
+        crossReferences: ['NIST-SA-11'],
+        owner: 'Application Security Manager',
+        automatedTest: async () => {
+            // Verify code review enforcement
+            return true;
+        },
+    },
+    {
+        id: 'PCI-6.4.1',
+        name: 'Web Application Protection',
+        description: 'Public-facing web applications are protected against attacks.',
+        family: 'Req 6 - Secure Systems Development',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createConfigEvidence('pci-6.4.1-001', 'WAF Configuration', 'Web application firewall configuration', '/config/waf-config.yaml'),
+            createLogEvidence('pci-6.4.1-002', 'WAF Block Logs', 'Web application firewall blocking logs', 'WAF Console - Block Logs'),
+        ],
+        crossReferences: ['NIST-SI-10', 'SOC2-CC6.6'],
+        owner: 'Application Security Manager',
+        automatedTest: async () => {
+            // Verify WAF is active
+            return true;
+        },
+    },
+    {
+        id: 'PCI-6.5.1',
+        name: 'Change Management',
+        description: 'Changes to system components are managed through a formal change control process.',
+        family: 'Req 6 - Secure Systems Development',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createPolicyEvidence('pci-6.5.1-001', 'Change Management Policy', 'Policy for change management procedures', '/policies/change-management.md'),
+            createLogEvidence('pci-6.5.1-002', 'Change Tickets', 'Change request records', 'ServiceNow - Change Records'),
+        ],
+        crossReferences: ['NIST-CM-3', 'SOC2-CC8.1'],
+        owner: 'Change Manager',
+    },
+];
+// =============================================================================
+// REQUIREMENT 7: RESTRICT ACCESS
+// =============================================================================
+const req7Controls = [
+    {
+        id: 'PCI-7.1.1',
+        name: 'Access Control Policy',
+        description: 'All security policies and procedures for restricting access to system components and cardholder data are documented and known.',
+        family: 'Req 7 - Restrict Access',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createPolicyEvidence('pci-7.1.1-001', 'Access Control Policy', 'Policy for access control requirements', '/policies/access-control.md'),
+        ],
+        crossReferences: ['NIST-AC-1', 'SOC2-CC6.1'],
+        owner: 'Identity Manager',
+    },
+    {
+        id: 'PCI-7.2.1',
+        name: 'Need-to-Know Access',
+        description: 'Access to system components and data is limited to only those individuals whose job requires such access.',
+        family: 'Req 7 - Restrict Access',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createConfigEvidence('pci-7.2.1-001', 'Role Definitions', 'Documented roles with CHD access requirements', '/config/role-definitions.yaml'),
+            createLogEvidence('pci-7.2.1-002', 'Access Review Records', 'Quarterly access review documentation', '/evidence/access-reviews/'),
+        ],
+        crossReferences: ['NIST-AC-6', 'SOC2-CC6.3'],
+        owner: 'Identity Manager',
+    },
+    {
+        id: 'PCI-7.2.2',
+        name: 'Least Privilege',
+        description: 'Access is assigned based on individual job classification and function.',
+        family: 'Req 7 - Restrict Access',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createConfigEvidence('pci-7.2.2-001', 'RBAC Configuration', 'Role-based access control configuration', '/config/rbac-config.yaml'),
+        ],
+        crossReferences: ['NIST-AC-6', 'SOC2-CC6.1'],
+        owner: 'Identity Manager',
+        automatedTest: async () => {
+            // Verify RBAC enforcement
+            return true;
+        },
+    },
+    {
+        id: 'PCI-7.2.3',
+        name: 'Default Deny',
+        description: 'Access control systems are set to "deny all" by default.',
+        family: 'Req 7 - Restrict Access',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createConfigEvidence('pci-7.2.3-001', 'Default Deny Configuration', 'Access control system default deny settings', '/config/access-defaults.yaml'),
+        ],
+        crossReferences: ['NIST-AC-3'],
+        owner: 'Identity Manager',
+        automatedTest: async () => {
+            // Verify default deny configuration
+            return true;
+        },
+    },
+];
+// =============================================================================
+// REQUIREMENT 8: USER IDENTIFICATION
+// =============================================================================
+const req8Controls = [
+    {
+        id: 'PCI-8.1.1',
+        name: 'User Identification Policy',
+        description: 'All security policies for user identification and authentication are documented and known.',
+        family: 'Req 8 - User Identification',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createPolicyEvidence('pci-8.1.1-001', 'Authentication Policy', 'User identification and authentication policy', '/policies/authentication.md'),
+        ],
+        crossReferences: ['NIST-IA-1', 'SOC2-CC6.1'],
+        owner: 'Identity Manager',
+    },
+    {
+        id: 'PCI-8.2.1',
+        name: 'Unique User IDs',
+        description: 'All users are assigned a unique ID before allowing them to access system components or cardholder data.',
+        family: 'Req 8 - User Identification',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createConfigEvidence('pci-8.2.1-001', 'User ID Assignment', 'Configuration enforcing unique user IDs', '/config/user-id-policy.yaml'),
+            createLogEvidence('pci-8.2.1-002', 'User Account List', 'List of all user accounts with unique IDs', 'Identity Provider - User Export'),
+        ],
+        crossReferences: ['NIST-IA-4', 'SOC2-CC6.2'],
+        owner: 'Identity Manager',
+        automatedTest: async () => {
+            // Verify no shared accounts
+            return true;
+        },
+    },
+    {
+        id: 'PCI-8.2.2',
+        name: 'Shared Account Prohibition',
+        description: 'Group, shared, or generic accounts are not used.',
+        family: 'Req 8 - User Identification',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createTestEvidence('pci-8.2.2-001', 'Shared Account Audit', 'Audit results for shared/generic accounts', '/evidence/shared-account-audit.json'),
+        ],
+        crossReferences: ['NIST-IA-2'],
+        owner: 'Identity Manager',
+        automatedTest: async () => {
+            // Check for shared accounts
+            return true;
+        },
+    },
+    {
+        id: 'PCI-8.3.1',
+        name: 'Strong Authentication',
+        description: 'Strong authentication for users and administrators is established and managed.',
+        family: 'Req 8 - User Identification',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createConfigEvidence('pci-8.3.1-001', 'Password Policy Configuration', 'Password complexity and expiration settings', '/config/password-policy.yaml'),
+        ],
+        crossReferences: ['NIST-IA-5', 'SOC2-CC6.1'],
+        owner: 'Identity Manager',
+    },
+    {
+        id: 'PCI-8.3.6',
+        name: 'Password Complexity',
+        description: 'Passwords/passphrases meet minimum complexity requirements.',
+        family: 'Req 8 - User Identification',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createConfigEvidence('pci-8.3.6-001', 'Password Complexity Settings', 'Password policy requiring 12+ chars with complexity', '/config/password-complexity.yaml'),
+        ],
+        crossReferences: ['NIST-IA-5'],
+        owner: 'Identity Manager',
+        automatedTest: async () => {
+            // Verify password policy enforcement
+            return true;
+        },
+    },
+    {
+        id: 'PCI-8.4.1',
+        name: 'MFA for CDE Access',
+        description: 'Multi-factor authentication is implemented for all access into the CDE.',
+        family: 'Req 8 - User Identification',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createConfigEvidence('pci-8.4.1-001', 'MFA Configuration', 'MFA enforcement configuration for CDE access', '/config/mfa-config.yaml'),
+            createLogEvidence('pci-8.4.1-002', 'MFA Usage Logs', 'Logs showing MFA usage for CDE access', 'Identity Provider - MFA Logs'),
+        ],
+        crossReferences: ['NIST-IA-2', 'SOC2-CC6.1'],
+        owner: 'Identity Manager',
+        automatedTest: async () => {
+            // Verify MFA enforcement for CDE
+            return true;
+        },
+    },
+    {
+        id: 'PCI-8.5.1',
+        name: 'Session Timeout',
+        description: 'System sessions are timed out after 15 minutes of inactivity.',
+        family: 'Req 8 - User Identification',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createConfigEvidence('pci-8.5.1-001', 'Session Timeout Configuration', 'Configuration for 15-minute session timeout', '/config/session-timeout.yaml'),
+        ],
+        crossReferences: ['NIST-AC-11', 'SOC2-CC6.1'],
+        owner: 'Application Security Manager',
+        automatedTest: async () => {
+            // Verify session timeout configuration
+            return true;
+        },
+    },
+    {
+        id: 'PCI-8.6.1',
+        name: 'Account Lockout',
+        description: 'User accounts are locked after no more than 10 invalid access attempts.',
+        family: 'Req 8 - User Identification',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createConfigEvidence('pci-8.6.1-001', 'Account Lockout Policy', 'Configuration for account lockout after failed attempts', '/config/account-lockout.yaml'),
+        ],
+        crossReferences: ['NIST-AC-7'],
+        owner: 'Identity Manager',
+        automatedTest: async () => {
+            // Verify lockout configuration
+            return true;
+        },
+    },
+];
+// =============================================================================
+// REQUIREMENT 9: PHYSICAL ACCESS (DOCUMENT ONLY)
+// =============================================================================
+const req9Controls = [
+    {
+        id: 'PCI-9.1.1',
+        name: 'Physical Security Policy',
+        description: 'Physical security policies and procedures are documented and known to all affected parties.',
+        family: 'Req 9 - Physical Access',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createPolicyEvidence('pci-9.1.1-001', 'Physical Security Policy', 'Documented physical security policy', '/policies/physical-security.md'),
+        ],
+        crossReferences: ['NIST-PE-1', 'SOC2-CC6.4'],
+        owner: 'Physical Security Manager',
+        notes: 'Physical security controls documented but not automated',
+    },
+    {
+        id: 'PCI-9.2.1',
+        name: 'Facility Entry Controls',
+        description: 'Appropriate facility entry controls are in place to limit physical access.',
+        family: 'Req 9 - Physical Access',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createPolicyEvidence('pci-9.2.1-001', 'Facility Access Procedures', 'Procedures for physical access to CDE facilities', '/procedures/facility-access.md'),
+            createLogEvidence('pci-9.2.1-002', 'Badge Access Logs', 'Physical access logs for CDE areas', 'Badge System - Access Logs'),
+        ],
+        crossReferences: ['NIST-PE-2', 'NIST-PE-3', 'SOC2-CC6.4'],
+        owner: 'Physical Security Manager',
+        notes: 'Evidence collected from physical security systems',
+    },
+    {
+        id: 'PCI-9.3.1',
+        name: 'Visitor Management',
+        description: 'Procedures for authorizing and managing visitor access are defined.',
+        family: 'Req 9 - Physical Access',
+        priority: 'P2',
+        implementation: 'implemented',
+        evidence: [
+            createPolicyEvidence('pci-9.3.1-001', 'Visitor Management Policy', 'Policy for visitor access management', '/policies/visitor-management.md'),
+        ],
+        crossReferences: ['NIST-PE-8'],
+        owner: 'Physical Security Manager',
+    },
+    {
+        id: 'PCI-9.4.1',
+        name: 'Media Protection',
+        description: 'All media with cardholder data is physically secured.',
+        family: 'Req 9 - Physical Access',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createPolicyEvidence('pci-9.4.1-001', 'Media Handling Policy', 'Policy for physical media containing CHD', '/policies/media-handling.md'),
+        ],
+        crossReferences: ['NIST-MP-2', 'NIST-MP-4', 'SOC2-CC6.5'],
+        owner: 'Physical Security Manager',
+    },
+    {
+        id: 'PCI-9.4.6',
+        name: 'Media Destruction',
+        description: 'Media is destroyed when no longer needed for business or legal reasons.',
+        family: 'Req 9 - Physical Access',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createPolicyEvidence('pci-9.4.6-001', 'Media Destruction Procedures', 'Procedures for secure media destruction', '/procedures/media-destruction.md'),
+            createLogEvidence('pci-9.4.6-002', 'Destruction Certificates', 'Certificates of media destruction', '/evidence/destruction-certificates/'),
+        ],
+        crossReferences: ['NIST-MP-6', 'SOC2-CC6.5'],
+        owner: 'Physical Security Manager',
+    },
+    {
+        id: 'PCI-9.5.1',
+        name: 'POI Device Security',
+        description: 'Point-of-interaction (POI) devices are protected from tampering and substitution.',
+        family: 'Req 9 - Physical Access',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createPolicyEvidence('pci-9.5.1-001', 'POI Device Security Policy', 'Policy for POI device protection', '/policies/poi-device-security.md'),
+        ],
+        crossReferences: ['NIST-PE-3'],
+        owner: 'Physical Security Manager',
+        notes: 'Applicable if POI devices are used',
+    },
+];
+// =============================================================================
+// REQUIREMENT 10: LOGGING AND MONITORING
+// =============================================================================
+const req10Controls = [
+    {
+        id: 'PCI-10.1.1',
+        name: 'Audit Log Policy',
+        description: 'Security policies and procedures for logging and monitoring are documented and known.',
+        family: 'Req 10 - Logging and Monitoring',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createPolicyEvidence('pci-10.1.1-001', 'Logging and Monitoring Policy', 'Policy for audit logging requirements', '/policies/logging-monitoring.md'),
+        ],
+        crossReferences: ['NIST-AU-1', 'SOC2-CC2.1'],
+        owner: 'Security Operations Manager',
+    },
+    {
+        id: 'PCI-10.2.1',
+        name: 'Audit Logs Enabled',
+        description: 'Audit logs are enabled and active for all system components.',
+        family: 'Req 10 - Logging and Monitoring',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createConfigEvidence('pci-10.2.1-001', 'Logging Configuration', 'Configuration for comprehensive audit logging', '/config/audit-logging.yaml'),
+            createLogEvidence('pci-10.2.1-002', 'Log Collection Status', 'Status of log collection from all CDE components', 'SIEM - Collection Status'),
+        ],
+        crossReferences: ['NIST-AU-2', 'NIST-AU-3', 'SOC2-CC2.1'],
+        owner: 'Security Operations Manager',
+        automatedTest: async () => {
+            // Verify logging is enabled on all CDE systems
+            return true;
+        },
+    },
+    {
+        id: 'PCI-10.2.1.1',
+        name: 'CHD Access Logged',
+        description: 'All individual user access to cardholder data is logged.',
+        family: 'Req 10 - Logging and Monitoring',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createLogEvidence('pci-10.2.1.1-001', 'CHD Access Logs', 'Sample of CHD access audit logs', '/evidence/chd-access-logs/'),
+        ],
+        crossReferences: ['NIST-AU-3'],
+        owner: 'Security Operations Manager',
+        automatedTest: async () => {
+            // Verify CHD access logging
+            return true;
+        },
+    },
+    {
+        id: 'PCI-10.2.1.2',
+        name: 'Administrative Actions Logged',
+        description: 'All actions taken by any individual with administrative access are logged.',
+        family: 'Req 10 - Logging and Monitoring',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createLogEvidence('pci-10.2.1.2-001', 'Admin Activity Logs', 'Administrative activity audit logs', 'SIEM - Admin Activity'),
+        ],
+        crossReferences: ['NIST-AU-3'],
+        owner: 'Security Operations Manager',
+    },
+    {
+        id: 'PCI-10.2.1.3',
+        name: 'Audit Log Access Logged',
+        description: 'Access to all audit logs is logged.',
+        family: 'Req 10 - Logging and Monitoring',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createLogEvidence('pci-10.2.1.3-001', 'Audit Log Access Logs', 'Logs of access to audit log systems', 'SIEM - Audit Access Logs'),
+        ],
+        crossReferences: ['NIST-AU-9'],
+        owner: 'Security Operations Manager',
+    },
+    {
+        id: 'PCI-10.2.1.4',
+        name: 'Invalid Access Attempts Logged',
+        description: 'Invalid logical access attempts are logged.',
+        family: 'Req 10 - Logging and Monitoring',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createLogEvidence('pci-10.2.1.4-001', 'Failed Login Logs', 'Failed authentication attempt logs', 'SIEM - Authentication Failures'),
+        ],
+        crossReferences: ['NIST-AU-2'],
+        owner: 'Security Operations Manager',
+        automatedTest: async () => {
+            // Verify failed login logging
+            return true;
+        },
+    },
+    {
+        id: 'PCI-10.3.1',
+        name: 'Log Entry Content',
+        description: 'Audit logs capture all required elements for each auditable event.',
+        family: 'Req 10 - Logging and Monitoring',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createConfigEvidence('pci-10.3.1-001', 'Log Format Configuration', 'Configuration defining required log fields', '/config/log-format.yaml'),
+        ],
+        crossReferences: ['NIST-AU-3'],
+        owner: 'Security Operations Manager',
+    },
+    {
+        id: 'PCI-10.4.1',
+        name: 'Time Synchronization',
+        description: 'Critical systems have the correct and consistent time using time-synchronization technology.',
+        family: 'Req 10 - Logging and Monitoring',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createConfigEvidence('pci-10.4.1-001', 'NTP Configuration', 'NTP server configuration for time synchronization', '/config/ntp-config.yaml'),
+        ],
+        crossReferences: ['NIST-AU-8'],
+        owner: 'Infrastructure Manager',
+        automatedTest: async () => {
+            // Verify NTP synchronization
+            return true;
+        },
+    },
+    {
+        id: 'PCI-10.5.1',
+        name: 'Audit Log Retention',
+        description: 'Audit log history is retained for at least 12 months, with at least three months immediately available.',
+        family: 'Req 10 - Logging and Monitoring',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createConfigEvidence('pci-10.5.1-001', 'Log Retention Configuration', 'Configuration for 12-month log retention', '/config/log-retention.yaml'),
+            createLogEvidence('pci-10.5.1-002', 'Archive Verification', 'Verification of log archive accessibility', '/evidence/log-archive-verification/'),
+        ],
+        crossReferences: ['NIST-AU-11', 'SOC2-CC2.1'],
+        owner: 'Security Operations Manager',
+    },
+    {
+        id: 'PCI-10.6.1',
+        name: 'Log Integrity',
+        description: 'Audit logs are protected from modification using integrity mechanisms.',
+        family: 'Req 10 - Logging and Monitoring',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createConfigEvidence('pci-10.6.1-001', 'Log Integrity Configuration', 'Configuration for tamper-evident logging', '/config/log-integrity.yaml'),
+        ],
+        crossReferences: ['NIST-AU-9'],
+        owner: 'Security Operations Manager',
+        automatedTest: async () => {
+            // Verify log integrity mechanisms
+            return true;
+        },
+    },
+    {
+        id: 'PCI-10.7.1',
+        name: 'Log Review',
+        description: 'Security logs and events are reviewed at least daily to identify anomalies.',
+        family: 'Req 10 - Logging and Monitoring',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createLogEvidence('pci-10.7.1-001', 'Daily Log Review Records', 'Records of daily security log reviews', '/evidence/daily-log-reviews/'),
+            createPolicyEvidence('pci-10.7.1-002', 'Log Review Procedures', 'Procedures for daily log review', '/procedures/daily-log-review.md'),
+        ],
+        crossReferences: ['NIST-AU-6', 'SOC2-CC4.1'],
+        owner: 'Security Operations Manager',
+    },
+    {
+        id: 'PCI-10.7.2',
+        name: 'Automated Log Analysis',
+        description: 'Automated mechanisms are used to perform audit log reviews.',
+        family: 'Req 10 - Logging and Monitoring',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createConfigEvidence('pci-10.7.2-001', 'SIEM Alert Rules', 'Automated alert rules for security events', '/config/siem-alerts.yaml'),
+        ],
+        crossReferences: ['NIST-AU-6', 'SOC2-CC7.2'],
+        owner: 'Security Operations Manager',
+        automatedTest: async () => {
+            // Verify SIEM automation is active
+            return true;
+        },
+    },
+];
+// =============================================================================
+// REQUIREMENT 11: SECURITY TESTING
+// =============================================================================
+const req11Controls = [
+    {
+        id: 'PCI-11.1.1',
+        name: 'Security Testing Policy',
+        description: 'Security testing policies and procedures are documented and known.',
+        family: 'Req 11 - Security Testing',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createPolicyEvidence('pci-11.1.1-001', 'Security Testing Policy', 'Policy for security testing requirements', '/policies/security-testing.md'),
+        ],
+        crossReferences: ['NIST-CA-2', 'SOC2-CC7.1'],
+        owner: 'Security Testing Manager',
+    },
+    {
+        id: 'PCI-11.2.1',
+        name: 'Wireless Access Point Detection',
+        description: 'Processes are in place to detect and identify authorized and unauthorized wireless access points.',
+        family: 'Req 11 - Security Testing',
+        priority: 'P2',
+        implementation: 'implemented',
+        evidence: [
+            createLogEvidence('pci-11.2.1-001', 'Wireless Scan Results', 'Quarterly wireless access point scans', '/evidence/wireless-scans/'),
+        ],
+        crossReferences: ['NIST-AC-18'],
+        owner: 'Network Security Manager',
+    },
+    {
+        id: 'PCI-11.3.1',
+        name: 'Internal Vulnerability Scans',
+        description: 'Internal vulnerability scans are performed at least quarterly.',
+        family: 'Req 11 - Security Testing',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createTestEvidence('pci-11.3.1-001', 'Internal Scan Results', 'Quarterly internal vulnerability scan results', '/evidence/internal-vuln-scans/'),
+        ],
+        crossReferences: ['NIST-RA-5', 'SOC2-CC7.1'],
+        owner: 'Vulnerability Manager',
+        automatedTest: async () => {
+            // Verify recent internal scan
+            return true;
+        },
+    },
+    {
+        id: 'PCI-11.3.2',
+        name: 'External Vulnerability Scans',
+        description: 'External vulnerability scans are performed at least quarterly by PCI SSC ASV.',
+        family: 'Req 11 - Security Testing',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createTestEvidence('pci-11.3.2-001', 'ASV Scan Results', 'Quarterly ASV scan attestations', '/evidence/asv-scans/'),
+        ],
+        crossReferences: ['NIST-RA-5', 'SOC2-CC7.1'],
+        owner: 'Vulnerability Manager',
+    },
+    {
+        id: 'PCI-11.4.1',
+        name: 'Penetration Testing',
+        description: 'External and internal penetration testing is performed at least annually.',
+        family: 'Req 11 - Security Testing',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createTestEvidence('pci-11.4.1-001', 'Penetration Test Reports', 'Annual penetration test reports', '/evidence/pentest-reports/'),
+        ],
+        crossReferences: ['NIST-CA-8', 'SOC2-CC7.1'],
+        owner: 'Security Testing Manager',
+    },
+    {
+        id: 'PCI-11.4.4',
+        name: 'Segmentation Testing',
+        description: 'Segmentation controls are verified by penetration testing at least annually.',
+        family: 'Req 11 - Security Testing',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createTestEvidence('pci-11.4.4-001', 'Segmentation Test Results', 'Annual segmentation penetration test results', '/evidence/segmentation-tests/'),
+        ],
+        crossReferences: ['NIST-SC-7'],
+        owner: 'Security Testing Manager',
+    },
+    {
+        id: 'PCI-11.5.1',
+        name: 'Change Detection',
+        description: 'Change-detection mechanisms are deployed to alert on unauthorized modifications.',
+        family: 'Req 11 - Security Testing',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createConfigEvidence('pci-11.5.1-001', 'FIM Configuration', 'File integrity monitoring configuration', '/config/fim-config.yaml'),
+            createLogEvidence('pci-11.5.1-002', 'FIM Alerts', 'File integrity monitoring alerts', 'FIM System - Alerts'),
+        ],
+        crossReferences: ['NIST-SI-7', 'SOC2-CC6.8'],
+        owner: 'Security Operations Manager',
+        automatedTest: async () => {
+            // Verify FIM is operational
+            return true;
+        },
+    },
+    {
+        id: 'PCI-11.6.1',
+        name: 'Payment Page Integrity',
+        description: 'Change and tamper-detection mechanisms are deployed on payment pages.',
+        family: 'Req 11 - Security Testing',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createConfigEvidence('pci-11.6.1-001', 'Payment Page Monitoring', 'Configuration for payment page integrity monitoring', '/config/payment-page-monitoring.yaml'),
+        ],
+        crossReferences: ['NIST-SI-7'],
+        owner: 'Application Security Manager',
+        automatedTest: async () => {
+            // Verify payment page integrity monitoring
+            return true;
+        },
+    },
+];
+// =============================================================================
+// REQUIREMENT 12: SECURITY POLICIES
+// =============================================================================
+const req12Controls = [
+    {
+        id: 'PCI-12.1.1',
+        name: 'Information Security Policy',
+        description: 'An overall information security policy is established, published, maintained, and disseminated.',
+        family: 'Req 12 - Security Policies',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createPolicyEvidence('pci-12.1.1-001', 'Information Security Policy', 'Master information security policy document', '/policies/information-security-policy.md'),
+        ],
+        crossReferences: ['NIST-PL-1', 'SOC2-CC1.1'],
+        owner: 'CISO',
+    },
+    {
+        id: 'PCI-12.1.2',
+        name: 'Policy Review',
+        description: 'The information security policy is reviewed at least annually and updated as needed.',
+        family: 'Req 12 - Security Policies',
+        priority: 'P2',
+        implementation: 'implemented',
+        evidence: [
+            createLogEvidence('pci-12.1.2-001', 'Policy Review Records', 'Annual policy review and approval records', '/evidence/policy-reviews/'),
+        ],
+        crossReferences: ['NIST-PL-1'],
+        owner: 'CISO',
+    },
+    {
+        id: 'PCI-12.2.1',
+        name: 'Acceptable Use Policy',
+        description: 'Acceptable use policies for end-user technologies are defined and implemented.',
+        family: 'Req 12 - Security Policies',
+        priority: 'P2',
+        implementation: 'implemented',
+        evidence: [
+            createPolicyEvidence('pci-12.2.1-001', 'Acceptable Use Policy', 'Policy for acceptable use of technology', '/policies/acceptable-use.md'),
+        ],
+        crossReferences: ['NIST-PL-4'],
+        owner: 'Security Policy Manager',
+    },
+    {
+        id: 'PCI-12.3.1',
+        name: 'Risk Assessment',
+        description: 'A formal risk assessment is performed at least annually.',
+        family: 'Req 12 - Security Policies',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createPolicyEvidence('pci-12.3.1-001', 'Risk Assessment Report', 'Annual risk assessment documentation', '/risk/annual-risk-assessment.pdf'),
+        ],
+        crossReferences: ['NIST-RA-3', 'SOC2-CC3.2'],
+        owner: 'Risk Manager',
+    },
+    {
+        id: 'PCI-12.4.1',
+        name: 'Security Roles and Responsibilities',
+        description: 'Responsibility for information security is formally assigned.',
+        family: 'Req 12 - Security Policies',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createPolicyEvidence('pci-12.4.1-001', 'Security RACI Matrix', 'Responsibility assignment for security functions', '/governance/security-raci.md'),
+        ],
+        crossReferences: ['NIST-PM-2', 'SOC2-CC1.3'],
+        owner: 'CISO',
+    },
+    {
+        id: 'PCI-12.5.1',
+        name: 'PCI DSS Scope Documentation',
+        description: 'An inventory of system components in scope for PCI DSS is maintained.',
+        family: 'Req 12 - Security Policies',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createConfigEvidence('pci-12.5.1-001', 'CDE Asset Inventory', 'Inventory of all systems in PCI DSS scope', '/config/cde-inventory.yaml'),
+        ],
+        crossReferences: ['NIST-CM-8'],
+        owner: 'Security Compliance Manager',
+    },
+    {
+        id: 'PCI-12.6.1',
+        name: 'Security Awareness Training',
+        description: 'A formal security awareness program is implemented.',
+        family: 'Req 12 - Security Policies',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createPolicyEvidence('pci-12.6.1-001', 'Security Awareness Program', 'Security awareness training program documentation', '/policies/security-awareness.md'),
+            createLogEvidence('pci-12.6.1-002', 'Training Completion Records', 'Employee security training completion', 'LMS - Security Training'),
+        ],
+        crossReferences: ['NIST-AT-2', 'SOC2-CC2.2'],
+        owner: 'Security Awareness Manager',
+    },
+    {
+        id: 'PCI-12.7.1',
+        name: 'Personnel Screening',
+        description: 'Potential personnel are screened prior to hire.',
+        family: 'Req 12 - Security Policies',
+        priority: 'P2',
+        implementation: 'implemented',
+        evidence: [
+            createPolicyEvidence('pci-12.7.1-001', 'Background Check Policy', 'Policy for pre-employment screening', '/policies/background-check.md'),
+        ],
+        crossReferences: ['NIST-PS-3', 'SOC2-CC1.4'],
+        owner: 'HR Director',
+    },
+    {
+        id: 'PCI-12.8.1',
+        name: 'Third-Party Service Provider Management',
+        description: 'A list of third-party service providers with whom account data is shared is maintained.',
+        family: 'Req 12 - Security Policies',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createConfigEvidence('pci-12.8.1-001', 'TPSP Inventory', 'Inventory of third-party service providers', '/config/tpsp-inventory.yaml'),
+        ],
+        crossReferences: ['NIST-SA-9', 'SOC2-CC9.2'],
+        owner: 'Vendor Manager',
+    },
+    {
+        id: 'PCI-12.9.1',
+        name: 'Service Provider Acknowledgment',
+        description: 'Service providers acknowledge their responsibility for security of account data.',
+        family: 'Req 12 - Security Policies',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createPolicyEvidence('pci-12.9.1-001', 'TPSP Agreements', 'Service provider security agreements', '/evidence/tpsp-agreements/'),
+        ],
+        crossReferences: ['NIST-SA-9'],
+        owner: 'Vendor Manager',
+    },
+    {
+        id: 'PCI-12.10.1',
+        name: 'Incident Response Plan',
+        description: 'An incident response plan exists and is ready to be activated.',
+        family: 'Req 12 - Security Policies',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createPolicyEvidence('pci-12.10.1-001', 'Incident Response Plan', 'Documented incident response plan', '/security/incident-response-plan.md'),
+        ],
+        crossReferences: ['NIST-IR-1', 'NIST-IR-8', 'SOC2-CC7.4'],
+        owner: 'Incident Response Manager',
+    },
+    {
+        id: 'PCI-12.10.2',
+        name: 'Incident Response Testing',
+        description: 'The incident response plan is tested at least annually.',
+        family: 'Req 12 - Security Policies',
+        priority: 'P1',
+        implementation: 'implemented',
+        evidence: [
+            createLogEvidence('pci-12.10.2-001', 'IR Test Results', 'Annual incident response plan testing results', '/evidence/ir-test-results/'),
+        ],
+        crossReferences: ['NIST-IR-3', 'SOC2-CC7.4'],
+        owner: 'Incident Response Manager',
+    },
+];
+// =============================================================================
+// PCI-DSS 4.0 FRAMEWORK
+// =============================================================================
+/**
+ * Complete PCI-DSS 4.0 compliance framework
+ */
+export const pciDssFramework = {
+    id: 'pci-dss-4.0',
+    name: 'PCI-DSS 4.0',
+    version: '4.0',
+    description: 'Payment Card Industry Data Security Standard version 4.0. Provides a baseline of technical and operational requirements designed to protect payment account data.',
+    authority: 'Payment Card Industry Security Standards Council (PCI SSC)',
+    controls: [
+        ...req1Controls,
+        ...req2Controls,
+        ...req3Controls,
+        ...req4Controls,
+        ...req5Controls,
+        ...req6Controls,
+        ...req7Controls,
+        ...req8Controls,
+        ...req9Controls,
+        ...req10Controls,
+        ...req11Controls,
+        ...req12Controls,
+    ],
+    effectiveDate: new Date('2024-03-31'),
+};
+// =============================================================================
+// HELPER FUNCTIONS
+// =============================================================================
+/**
+ * Get PCI-DSS controls by requirement
+ */
+export function getPciControlsByRequirement(requirement) {
+    const prefix = `Req ${requirement} -`;
+    return pciDssFramework.controls.filter((c) => c.family.startsWith(prefix));
+}
+/**
+ * Get PCI-DSS control by ID
+ */
+export function getPciControlById(id) {
+    return pciDssFramework.controls.find((c) => c.id === id);
+}
+/**
+ * Get all PCI-DSS controls by implementation status
+ */
+export function getPciControlsByStatus(status) {
+    return pciDssFramework.controls.filter((c) => c.implementation === status);
+}
+/**
+ * Get all PCI-DSS controls by priority
+ */
+export function getPciControlsByPriority(priority) {
+    return pciDssFramework.controls.filter((c) => c.priority === priority);
+}
+/**
+ * Get all requirement families
+ */
+export function getPciRequirementFamilies() {
+    const families = new Set();
+    pciDssFramework.controls.forEach((c) => families.add(c.family));
+    return Array.from(families).sort();
+}
+/**
+ * Calculate compliance percentage by requirement
+ */
+export function getPciComplianceByRequirement() {
+    const result = new Map();
+    for (let req = 1; req <= 12; req++) {
+        const controls = getPciControlsByRequirement(req);
+        const implemented = controls.filter((c) => c.implementation === 'implemented').length;
+        const percentage = controls.length > 0 ? (implemented / controls.length) * 100 : 0;
+        result.set(req, percentage);
+    }
+    return result;
+}
+/**
+ * Validate SAQ responses
+ */
+export function validateSAQResponses(saq) {
+    const missingResponses = [];
+    const compensatingControlsWithoutJustification = [];
+    for (const response of saq.responses) {
+        if (!response.response) {
+            missingResponses.push(response.questionId);
+        }
+        if (response.response === 'compensating-control' &&
+            !response.compensatingControl) {
+            compensatingControlsWithoutJustification.push(response.questionId);
+        }
+    }
+    return {
+        valid: missingResponses.length === 0 &&
+            compensatingControlsWithoutJustification.length === 0,
+        missingResponses,
+        compensatingControlsWithoutJustification,
+    };
+}
+/**
+ * Check if ASV scan is current (within 90 days)
+ */
+export function isASVScanCurrent(scan) {
+    const ninetyDaysAgo = new Date();
+    ninetyDaysAgo.setDate(ninetyDaysAgo.getDate() - 90);
+    return scan.scanDate >= ninetyDaysAgo && scan.status === 'pass';
+}
+/**
+ * Check if penetration test is current (within 12 months)
+ */
+export function isPenTestCurrent(test) {
+    const oneYearAgo = new Date();
+    oneYearAgo.setFullYear(oneYearAgo.getFullYear() - 1);
+    return test.testDate >= oneYearAgo;
+}
+/**
+ * Create a new Cardholder Data Service instance
+ */
+export function createCardholderDataService() {
+    return new CardholderDataService();
+}
+export default pciDssFramework;
+//# sourceMappingURL=pci-dss.js.map