bmad-plus 0.7.4 → 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (294) hide show
  1. package/CHANGELOG.md +450 -407
  2. package/LICENSE +21 -0
  3. package/README.md +555 -446
  4. package/osint-agent-package/README.md +88 -88
  5. package/osint-agent-package/SETUP_KEYS.md +108 -108
  6. package/osint-agent-package/agents/osint-investigator.md +80 -80
  7. package/osint-agent-package/install.ps1 +87 -87
  8. package/osint-agent-package/install.sh +76 -76
  9. package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
  10. package/osint-agent-package/skills/bmad-osint-investigate/osint/SKILL.md +452 -452
  11. package/osint-agent-package/skills/bmad-osint-investigate/osint/assets/dossier-template.md +116 -116
  12. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/content-extraction.md +100 -100
  13. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
  14. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/platforms.md +130 -130
  15. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/psychoprofile.md +69 -69
  16. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/tools.md +281 -281
  17. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
  18. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -260
  19. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
  20. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
  21. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
  22. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
  23. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/mcp-client.py +136 -136
  24. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
  25. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
  26. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
  27. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
  28. package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
  29. package/package.json +62 -57
  30. package/readme-international/README.de.md +576 -426
  31. package/readme-international/README.es.md +578 -518
  32. package/readme-international/README.fr.md +576 -516
  33. package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
  34. package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
  35. package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
  36. package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
  37. package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
  38. package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
  39. package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
  40. package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
  41. package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
  42. package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
  43. package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
  44. package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
  45. package/src/bmad-plus/agents/pack-animated/animated-website-agent.md +325 -325
  46. package/src/bmad-plus/agents/pack-animated/templates/animated-website-workflow.md +55 -55
  47. package/src/bmad-plus/agents/pack-backup/backup-agent.md +71 -71
  48. package/src/bmad-plus/agents/pack-backup/templates/backup-workflow.md +51 -51
  49. package/src/bmad-plus/agents/pack-seo/SKILL.md +171 -171
  50. package/src/bmad-plus/agents/pack-seo/checklist.md +140 -140
  51. package/src/bmad-plus/agents/pack-seo/pagespeed-playbook.md +320 -320
  52. package/src/bmad-plus/agents/pack-seo/ref/audit-schema.json +187 -187
  53. package/src/bmad-plus/agents/pack-seo/ref/cwv-thresholds.md +87 -87
  54. package/src/bmad-plus/agents/pack-seo/ref/eeat-criteria.md +123 -123
  55. package/src/bmad-plus/agents/pack-seo/ref/geo-signals.md +167 -167
  56. package/src/bmad-plus/agents/pack-seo/ref/hreflang-rules.md +153 -153
  57. package/src/bmad-plus/agents/pack-seo/ref/quality-gates.md +133 -133
  58. package/src/bmad-plus/agents/pack-seo/ref/schema-catalog.md +91 -91
  59. package/src/bmad-plus/agents/pack-seo/ref/schema-templates.json +356 -356
  60. package/src/bmad-plus/agents/pack-seo/seo-chief.md +294 -294
  61. package/src/bmad-plus/agents/pack-seo/seo-judge.md +241 -241
  62. package/src/bmad-plus/agents/pack-seo/seo-scout.md +171 -171
  63. package/src/bmad-plus/agents/pack-seo/templates/seo-audit-workflow.md +241 -241
  64. package/src/bmad-plus/data/role-triggers.yaml +209 -209
  65. package/src/bmad-plus/module-help.csv +10 -10
  66. package/src/bmad-plus/module.yaml +283 -280
  67. package/src/bmad-plus/packs/pack-animated/animated-website-agent.md +325 -0
  68. package/src/bmad-plus/packs/pack-animated/templates/animated-website-workflow.md +55 -0
  69. package/src/bmad-plus/packs/pack-backup/backup-agent.md +71 -0
  70. package/src/bmad-plus/packs/pack-backup/templates/backup-workflow.md +51 -0
  71. package/src/bmad-plus/packs/pack-dev-studio/README.md +162 -162
  72. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/analyst-agent.md +73 -73
  73. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/document-project.md +61 -61
  74. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/domain-research.md +95 -95
  75. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/market-research.md +95 -95
  76. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/prfaq.md +134 -134
  77. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/product-brief.md +80 -80
  78. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/tech-writer-agent.md +73 -73
  79. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/technical-research.md +95 -95
  80. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/architect-agent.md +73 -73
  81. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-architecture.md +73 -73
  82. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-epics-stories.md +92 -92
  83. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/generate-project-context.md +80 -80
  84. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/implementation-readiness.md +90 -90
  85. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01-init.md +153 -153
  86. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01b-continue.md +173 -173
  87. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-02-context.md +224 -224
  88. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-03-starter.md +329 -329
  89. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-04-decisions.md +318 -318
  90. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-05-patterns.md +359 -359
  91. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-06-structure.md +379 -379
  92. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-07-validation.md +361 -361
  93. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-08-complete.md +81 -81
  94. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/checkpoint-preview.md +67 -67
  95. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-01-gather-context.md +85 -85
  96. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-02-review.md +35 -35
  97. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-03-triage.md +49 -49
  98. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-04-present.md +131 -131
  99. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review.md +89 -89
  100. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/correct-course.md +300 -300
  101. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/create-story.md +428 -428
  102. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-agent.md +73 -73
  103. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story-checklist.md +80 -80
  104. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story.md +484 -484
  105. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/investigate.md +193 -193
  106. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/qa-e2e-tests.md +175 -175
  107. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/quick-dev.md +110 -110
  108. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/retrospective.md +1511 -1511
  109. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-planning.md +298 -298
  110. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-status.md +296 -296
  111. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-prd.md +29 -29
  112. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-ux-design.md +74 -74
  113. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/edit-prd.md +29 -29
  114. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/pm-agent.md +73 -73
  115. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/prd.md +89 -89
  116. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/ux-designer-agent.md +73 -73
  117. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/validate-prd.md +29 -29
  118. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/advanced-elicitation.md +141 -141
  119. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/adversarial-review.md +37 -37
  120. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/bmad-help.md +75 -75
  121. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/brainstorming.md +6 -6
  122. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/customize.md +110 -110
  123. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/distillator.md +176 -176
  124. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/edge-case-hunter.md +67 -67
  125. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-prose.md +86 -86
  126. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-structure.md +179 -179
  127. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/index-docs.md +66 -66
  128. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/party-mode.md +127 -127
  129. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/shard-doc.md +105 -105
  130. package/src/bmad-plus/packs/pack-dev-studio/dev-studio-orchestrator.md +120 -120
  131. package/src/bmad-plus/packs/pack-dev-studio/shared/architecture-decision-template.md +12 -12
  132. package/src/bmad-plus/packs/pack-dev-studio/shared/bwml-spec.md +328 -328
  133. package/src/bmad-plus/packs/pack-dev-studio/shared/module-help.csv +32 -32
  134. package/src/bmad-plus/packs/pack-dev-studio/upstream-sync.yaml +81 -81
  135. package/src/bmad-plus/packs/pack-memory/README.md +106 -106
  136. package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
  137. package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
  138. package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
  139. package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
  140. package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
  141. package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
  142. package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
  143. package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
  144. package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
  145. package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
  146. package/src/bmad-plus/packs/pack-seo/SKILL.md +171 -0
  147. package/src/bmad-plus/packs/pack-seo/checklist.md +140 -0
  148. package/src/bmad-plus/packs/pack-seo/pagespeed-playbook.md +320 -0
  149. package/src/bmad-plus/packs/pack-seo/ref/audit-schema.json +187 -0
  150. package/src/bmad-plus/packs/pack-seo/ref/cwv-thresholds.md +87 -0
  151. package/src/bmad-plus/packs/pack-seo/ref/eeat-criteria.md +123 -0
  152. package/src/bmad-plus/packs/pack-seo/ref/geo-signals.md +167 -0
  153. package/src/bmad-plus/packs/pack-seo/ref/hreflang-rules.md +153 -0
  154. package/src/bmad-plus/packs/pack-seo/ref/quality-gates.md +133 -0
  155. package/src/bmad-plus/packs/pack-seo/ref/schema-catalog.md +91 -0
  156. package/src/bmad-plus/packs/pack-seo/ref/schema-templates.json +356 -0
  157. package/src/bmad-plus/packs/pack-seo/seo-chief.md +294 -0
  158. package/src/bmad-plus/packs/pack-seo/seo-judge.md +241 -0
  159. package/src/bmad-plus/packs/pack-seo/seo-scout.md +171 -0
  160. package/src/bmad-plus/packs/pack-seo/templates/seo-audit-workflow.md +241 -0
  161. package/src/bmad-plus/packs/pack-shield/README.md +110 -110
  162. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +262 -262
  163. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +179 -179
  164. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +201 -201
  165. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +97 -97
  166. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +251 -251
  167. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +133 -133
  168. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +221 -221
  169. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +150 -150
  170. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +167 -167
  171. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +83 -83
  172. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +250 -250
  173. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +218 -218
  174. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
  175. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
  176. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
  177. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
  178. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
  179. package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +127 -127
  180. package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +272 -272
  181. package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +202 -202
  182. package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +367 -367
  183. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +510 -510
  184. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +247 -247
  185. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +173 -173
  186. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +239 -239
  187. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +266 -266
  188. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +164 -164
  189. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
  190. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
  191. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
  192. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
  193. package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
  194. package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
  195. package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
  196. package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
  197. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
  198. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
  199. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
  200. package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
  201. package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
  202. package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
  203. package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
  204. package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
  205. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
  206. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
  207. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
  208. package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
  209. package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
  210. package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
  211. package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
  212. package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
  213. package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
  214. package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
  215. package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
  216. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
  217. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
  218. package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
  219. package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
  220. package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
  221. package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
  222. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
  223. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
  224. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
  225. package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
  226. package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
  227. package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
  228. package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
  229. package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
  230. package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
  231. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
  232. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
  233. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
  234. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
  235. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
  236. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
  237. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
  238. package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
  239. package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
  240. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
  241. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
  242. package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
  243. package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
  244. package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
  245. package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
  246. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
  247. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
  248. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
  249. package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
  250. package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
  251. package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
  252. package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
  253. package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
  254. package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
  255. package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
  256. package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
  257. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
  258. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
  259. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
  260. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
  261. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
  262. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
  263. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
  264. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
  265. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
  266. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
  267. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
  268. package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
  269. package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
  270. package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
  271. package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
  272. package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
  273. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
  274. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
  275. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
  276. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
  277. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
  278. package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
  279. package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
  280. package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
  281. package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
  282. package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
  283. package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
  284. package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
  285. package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
  286. package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
  287. package/tools/cli/commands/autoconfig.js +498 -489
  288. package/tools/cli/commands/doctor.js +222 -175
  289. package/tools/cli/commands/install.js +739 -739
  290. package/tools/cli/commands/memory.js +194 -194
  291. package/tools/cli/commands/scan.js +360 -350
  292. package/tools/cli/commands/uninstall.js +96 -96
  293. package/tools/cli/commands/update.js +174 -174
  294. package/tools/cli/i18n.js +763 -763
@@ -1,366 +1,366 @@
1
- # PCI DSS v4.0.1 — All 12 Requirements
2
-
3
- Source: PCI DSS v4.0.1 (PCI Security Standards Council, June 2024)
4
- https://www.pcisecuritystandards.org/document_library/
5
-
6
- ---
7
-
8
- ## GOAL 1: Build and Maintain a Secure Network and Systems
9
-
10
- ### Requirement 1 — Install and Maintain Network Security Controls
11
-
12
- Network security controls (NSCs) — firewalls, routers, cloud security groups — prevent unauthorised network access to and from the CDE.
13
-
14
- | Sub-Req | Description | Evidence for QSA |
15
- |---------|-------------|-----------------|
16
- | 1.1 | NSC policies and procedures are defined, implemented, and maintained | Policy docs, network diagrams, change records |
17
- | 1.2 | NSC configurations restrict traffic to only what is necessary | Firewall/router ruleset review, deny-all default |
18
- | 1.2.1 | Configuration standards for NSCs are defined | Documented baseline standards |
19
- | 1.2.2 | NSC configuration changes are managed via change control | Change tickets, approval records |
20
- | 1.2.3 | Network diagrams are current and accurate | Dated network diagram showing CDE boundaries |
21
- | 1.2.4 | Data-flow diagrams for all account data flows are current | Data flow diagrams (DFDs) |
22
- | 1.2.5 | All allowed services/ports are documented with business justification | Firewall rule documentation |
23
- | 1.2.6 | Security features for each service are documented and implemented | Config baselines per service |
24
- | 1.2.7 | NSC configurations are reviewed at least every 6 months | Review records with dates and approvers |
25
- | 1.3 | Inbound and outbound network traffic is restricted to only that necessary | Egress filtering, deny-all-else rules |
26
- | 1.3.1 | Inbound traffic to CDE restricted to authorised sources and services | Firewall rules reviewed |
27
- | 1.3.2 | Outbound traffic from CDE restricted to authorised destinations | Egress rules documented |
28
- | 1.3.3 | NSCs installed between wireless networks and CDE | Wireless-to-CDE firewall rules |
29
- | 1.4 | Network connections between trusted and untrusted networks controlled | DMZ architecture, traffic inspection |
30
- | 1.4.1 | NSCs between trusted/untrusted networks inspect and filter traffic | Stateful inspection, IDS/IPS |
31
- | 1.4.2 | Inbound traffic from untrusted networks: no direct routes to CDE | No direct routing; proxy/DMZ required |
32
- | 1.4.3 | Anti-spoofing measures to detect and block forged source IP addresses | Anti-spoofing ACLs, RFC 3704 filtering |
33
- | 1.4.4 | Unauthorised traffic (cardholder data) blocked from entering untrusted networks | DLP rules or network controls |
34
- | 1.4.5 | Internal IP addresses not disclosed to unauthorised parties | NAT, private RFC 1918 space |
35
- | 1.5 | Risks from device connectivity to untrusted networks are managed | Endpoint security controls |
36
- | 1.5.1 | Security controls for devices connecting to both untrusted and trusted networks | MDM/endpoint policy, split tunnelling controls |
37
-
38
- **Common gaps**: Stale firewall rules never reviewed; no egress filtering; flat network (no CDE isolation); wireless networks not separated from CDE.
39
-
40
- ---
41
-
42
- ### Requirement 2 — Apply Secure Configurations to All System Components
43
-
44
- Default credentials and unnecessary services must be eliminated before deployment.
45
-
46
- | Sub-Req | Description | Evidence for QSA |
47
- |---------|-------------|-----------------|
48
- | 2.1 | Processes for managing vendor defaults and other security parameters | Hardening policy, config standards |
49
- | 2.2 | System configuration standards are developed and implemented | CIS Benchmark or equivalent; per platform standard |
50
- | 2.2.1 | System configuration standards address all known security vulnerabilities | Vuln scan results mapped to standards |
51
- | 2.2.2 | Vendor default accounts managed before deploying systems | Default creds disabled/renamed; evidence of removal |
52
- | 2.2.3 | Primary functions needing different security levels are on separate components | Server isolation, role separation |
53
- | 2.2.4 | Only necessary functions, ports, protocols, and services are enabled | Port scan results; services audit |
54
- | 2.2.5 | If insecure protocols are used, business justification and additional controls documented | Protocol exception log |
55
- | 2.2.6 | System security parameters are configured to prevent misuse | Config hardening evidence |
56
- | 2.2.7 | All non-console administrative access is encrypted | SSH, HTTPS, TLS for all admin access |
57
- | 2.3 | Wireless environments are configured and managed securely | Wi-Fi config review, WPA3 or WPA2-Enterprise |
58
- | 2.3.1 | Default wireless vendor defaults changed at installation | AP config records |
59
- | 2.3.2 | Wireless encryption keys changed when anyone with key knowledge leaves | Key rotation procedure and evidence |
60
-
61
- **Common gaps**: Vendor default passwords left unchanged; unnecessary services (Telnet, FTP) still enabled; no documented hardening standards.
62
-
63
- ---
64
-
65
- ## GOAL 2: Protect Account Data
66
-
67
- ### Requirement 3 — Protect Stored Account Data
68
-
69
- Minimise storage of account data; never store SAD post-authorisation; protect PAN wherever stored.
70
-
71
- | Sub-Req | Description | Evidence for QSA |
72
- |---------|-------------|-----------------|
73
- | 3.1 | Processes for protecting stored account data are defined and implemented | Data retention policy |
74
- | 3.2 | Account data storage minimised | Data retention schedules; deletion procedures |
75
- | 3.2.1 | SAD not retained after authorisation | Scan results proving no SAD in storage; code review |
76
- | 3.3 | SAD is not retained after authorisation | Confirmed by system scans and application review |
77
- | 3.3.1 | SAD not stored (full magnetic stripe, CAV2/CVV2/CVC2/CID, PIN/PIN block) | Application code review; database scans |
78
- | 3.3.2 | SAD stored prior to authorisation is encrypted | Encryption evidence for pre-auth data |
79
- | 3.3.3 | Encryption keys for pre-auth SAD are managed securely | Key management docs |
80
- | 3.4 | PAN is protected wherever it is stored | Encryption, masking, or tokenisation evidence |
81
- | 3.4.1 | PAN is unreadable anywhere it is stored | AES-256 encryption; tokenisation proof; masking |
82
- | 3.4.2 | Copies of PAN only on authorised removable media | Media inventory and controls |
83
- | 3.5 | PAN is secured with strong cryptography | Encryption algorithm and key management review |
84
- | 3.5.1 | Primary account numbers protected with strong cryptography | AES-256 or equivalent; no DES/RC4 |
85
- | 3.6 | Cryptographic keys used for PAN encryption are secured | Key management policy and procedures |
86
- | 3.6.1 | Key management procedures and processes for cryptographic keys | Key custodian assignments; split knowledge |
87
- | 3.7 | Key management procedures and processes are implemented | Key rotation, key-encrypting keys, key retirement |
88
- | 3.7.1 | Key management policies cover the full key lifecycle | Generated, distributed, stored, retired |
89
- | 3.7.2 | Key storage is secure | HSM, encrypted key store |
90
- | 3.7.3 | Key access restricted to fewest custodians necessary | Dual control; split knowledge |
91
- | 3.7.4 | Key retirement/replacement policy documented and followed | Rotation records |
92
- | 3.7.5 | Key compromises managed per documented procedure | Incident response for key compromise |
93
- | 3.7.6 | Manual keys use split knowledge and dual control | Evidence of two-person key operations |
94
- | 3.7.7 | Informal key substitution prevented | Formal key management only |
95
- | 3.7.8 | Key custodians acknowledge their responsibilities | Signed custodian agreements |
96
- | 3.7.9 | Where key management services are used, they meet Req 3.6–3.7 | CSP KMS compliance evidence |
97
-
98
- **Common gaps**: CVV stored in database; PAN in log files; no key rotation; encryption with weak algorithms (MD5, SHA-1 for integrity); keys stored alongside encrypted data.
99
-
100
- ---
101
-
102
- ### Requirement 4 — Protect Cardholder Data with Strong Cryptography During Transmission
103
-
104
- PAN transmitted over open, public networks must be encrypted using strong cryptography.
105
-
106
- | Sub-Req | Description | Evidence for QSA |
107
- |---------|-------------|-----------------|
108
- | 4.1 | Processes for protecting PAN in transit are defined and implemented | Cryptography policy |
109
- | 4.2 | PAN protected during transmission over open, public networks | TLS 1.2+ config; certificate review |
110
- | 4.2.1 | Strong cryptography used to safeguard PAN in transit | TLS 1.2 or 1.3; no SSL, TLS 1.0, 1.1 |
111
- | 4.2.1.1 | Certificate inventory maintained | Certificate management tool or inventory |
112
- | 4.2.1.2 | Wireless networks transmitting PAN use strong cryptography | Wi-Fi encryption: WPA2-Enterprise or WPA3 |
113
- | 4.2.2 | PAN not sent by unprotected end-user messaging (email, chat) | DLP policy; email encryption controls |
114
-
115
- **Common gaps**: Legacy TLS 1.0/1.1 still enabled; expired SSL certificates; PAN sent via plain email; no certificate inventory.
116
-
117
- ---
118
-
119
- ## GOAL 3: Maintain a Vulnerability Management Program
120
-
121
- ### Requirement 5 — Protect All Systems and Networks from Malicious Software
122
-
123
- Anti-malware controls protect against viruses, ransomware, spyware, and other threats.
124
-
125
- | Sub-Req | Description | Evidence for QSA |
126
- |---------|-------------|-----------------|
127
- | 5.1 | Processes for malware protection are defined | Anti-malware policy |
128
- | 5.2 | Anti-malware solution(s) deployed on all applicable components | AV deployment inventory; management console |
129
- | 5.2.1 | Anti-malware solution deployed on all components subject to malware | Coverage report; exceptions documented |
130
- | 5.2.2 | Anti-malware solution detects all known types of malware | Vendor capability matrix |
131
- | 5.2.3 | Systems not commonly affected by malware are evaluated periodically | Periodic risk analysis; documented exceptions |
132
- | 5.3 | Anti-malware solution maintained and monitored | Definition update logs; scan results |
133
- | 5.3.1 | Anti-malware solution kept current | Auto-update policy; current definition proof |
134
- | 5.3.2 | Anti-malware performs periodic scans and active/real-time scanning | Scan schedule; real-time protection enabled |
135
- | 5.3.3 | Anti-malware solution for removable media | USB scanning policy; endpoint config |
136
- | 5.3.4 | Anti-malware solution logs maintained and monitored | Log retention; SIEM integration |
137
- | 5.3.5 | Anti-malware mechanisms cannot be disabled by users | Admin-only uninstall; tamper protection enabled |
138
- | 5.4 | Anti-phishing mechanisms protect users (**NEW in v4.0**) | Anti-phishing filter; email gateway config |
139
- | 5.4.1 | Automated technical solution detects and protects against phishing | Email security gateway; URL filtering; DMARC/DKIM/SPF |
140
-
141
- **Common gaps**: AV not covering Linux/Unix systems; definitions not auto-updated; users can disable AV; no phishing protections (new v4.0 requirement).
142
-
143
- ---
144
-
145
- ### Requirement 6 — Develop and Maintain Secure Systems and Software
146
-
147
- Vulnerabilities must be identified and addressed through patching and secure development practices.
148
-
149
- | Sub-Req | Description | Evidence for QSA |
150
- |---------|-------------|-----------------|
151
- | 6.1 | Security vulnerability identification and management processes defined | Vuln management policy |
152
- | 6.2 | Bespoke and custom software is developed securely | SDLC policy; code review process |
153
- | 6.2.1 | Bespoke software developed based on secure coding guidelines | Coding standards; training records |
154
- | 6.2.2 | Software development personnel trained on secure coding techniques | Annual training records |
155
- | 6.2.3 | Code review performed before production release | Code review records; SAST scan results |
156
- | 6.2.4 | Software engineering techniques to prevent common vulnerabilities | OWASP Top 10 addressed; DAST results |
157
- | 6.3 | Security vulnerabilities identified and addressed | Patch management policy |
158
- | 6.3.1 | Security vulnerabilities managed using ranking | CVSS or internal risk ranking; patch SLAs |
159
- | 6.3.2 | Inventory of bespoke and custom software maintained | Software inventory/SBOM |
160
- | 6.3.3 | All system components protected from known vulnerabilities | Patch management; current patch evidence |
161
- | 6.4 | Public-facing web applications protected from attacks | WAF or application review |
162
- | 6.4.1 | Public-facing web apps protected against web-based attacks | WAF in blocking mode; annual app testing |
163
- | 6.4.2 | Automated technical solution deployed for public-facing web apps | WAF config; active monitoring |
164
- | 6.4.3 | All payment page scripts managed and authorised (**NEW v4.0**) | Script inventory; integrity controls |
165
- | 6.5 | Changes to system components managed securely | Change management policy |
166
- | 6.5.1 | Changes to system components via formal change control | Change tickets; approval evidence |
167
- | 6.5.2 | Post-change security verification | Test results; UAT sign-off |
168
- | 6.5.3 | Pre-production environments are separate from production | Environment separation proof |
169
- | 6.5.4 | Roles and functions are separated between production and pre-production | Access control evidence |
170
- | 6.5.5 | Live PANs not used in pre-production/testing | Anonymised test data confirmation |
171
- | 6.5.6 | Test data/accounts removed before production | Pre-prod cleanup checklist |
172
-
173
- **Common gaps**: No SDLC/secure coding policy; live PANs in test environments; WAF in detection-only mode; payment page scripts not inventoried (v4.0 new).
174
-
175
- ---
176
-
177
- ## GOAL 4: Implement Strong Access Control Measures
178
-
179
- ### Requirement 7 — Restrict Access to System Components and Cardholder Data by Business Need to Know
180
-
181
- | Sub-Req | Description | Evidence for QSA |
182
- |---------|-------------|-----------------|
183
- | 7.1 | Access control processes and procedures defined | Access control policy |
184
- | 7.2 | Access to system components and cardholder data is restricted | Role-based access matrix; IAM configuration |
185
- | 7.2.1 | All users have access based on least privilege and need-to-know | Access review results |
186
- | 7.2.2 | Access assigned based on job classification and function | Role definitions; access request records |
187
- | 7.2.3 | Privilege access approved by authorised personnel | Approval workflow records |
188
- | 7.2.4 | User accounts and access privileges reviewed at least every 6 months | Access review logs with dates |
189
- | 7.2.5 | Application/system accounts managed by policy | Service account inventory; access controls |
190
- | 7.2.6 | Query access to CHD repositories restricted to defined applications | DB access controls; application-level auth |
191
- | 7.3 | Access to system components and data is managed | IAM system; access control enforcement |
192
- | 7.3.1 | Access control system in place to restrict access to CDE | IAM/PAM tool deployment evidence |
193
- | 7.3.2 | Access control system configured to enforce least privilege | ACL review; deny-by-default configuration |
194
- | 7.3.3 | Access control system is kept current | Review and update cycle evidence |
195
-
196
- **Common gaps**: Shared accounts; no access recertification; over-privileged service accounts; no need-to-know principle enforced for database access.
197
-
198
- ---
199
-
200
- ### Requirement 8 — Identify Users and Authenticate Access to System Components
201
-
202
- Every user must have a unique ID; strong authentication required for CDE access.
203
-
204
- | Sub-Req | Description | Evidence for QSA |
205
- |---------|-------------|-----------------|
206
- | 8.1 | User identification and authentication processes defined | Authentication policy |
207
- | 8.2 | User IDs and authentication credentials managed | IAM system; unique account verification |
208
- | 8.2.1 | All users have a unique ID | Account audit; no shared accounts |
209
- | 8.2.2 | Group, shared, or generic accounts managed only in exceptional circumstances | Exceptions with justification documented |
210
- | 8.2.3 | Additional authentication for accounts used by third parties/vendors | MFA for vendor access |
211
- | 8.2.4 | User accounts added/modified/deleted only through formal process | Identity lifecycle management records |
212
- | 8.2.5 | Access for terminated users is immediately revoked | Offboarding checklist; IAM de-provisioning evidence |
213
- | 8.2.6 | Inactive accounts disabled within 90 days | Account review; automated disable policy |
214
- | 8.2.7 | Accounts used for system/application functions managed appropriately | Service account policy compliance |
215
- | 8.2.8 | Sessions inactive more than 15 minutes require re-authentication | Session timeout config |
216
- | 8.3 | Strong authentication established and managed | MFA configuration evidence |
217
- | 8.3.1 | All user access into CDE uses MFA (**Extended in v4.0**) | MFA deployment proof for ALL CDE access |
218
- | 8.3.2 | MFA for all access into the CDE from outside | Remote access MFA (VPN, RDP, etc.) |
219
- | 8.3.4 | Invalid authentication attempts limited | Account lockout policy (max 10 attempts) |
220
- | 8.3.5 | Passwords/passphrases set to meet minimum requirements | Password policy config: min 12 chars, complexity |
221
- | 8.3.6 | Passwords changed every 90 days (or with compensating control/risk analysis) | Password policy; expiry settings |
222
- | 8.3.7 | Individuals not allowed to submit new password same as any of last 4 | Password history settings |
223
- | 8.3.8 | Authentication policies communicated to users | Training records; policy acknowledgements |
224
- | 8.3.9 | Passwords for users not using MFA changed at least every 90 days | Password expiry config |
225
- | 8.3.10 | Guidance for changing passwords provided to users at specified intervals | Comms records |
226
- | 8.4 | MFA implemented for all access into the CDE | MFA for all privileged and standard user access |
227
- | 8.4.1 | MFA for all non-console admin access to CDE | Admin MFA config |
228
- | 8.4.2 | MFA for all access into the CDE (**Key new v4.0 change**) | MFA required for everyone accessing CDE |
229
- | 8.5 | MFA systems configured to prevent misuse | Anti-MFA-bypass controls |
230
- | 8.6 | Use of application/system accounts managed | Automated or manual interactive use controls |
231
-
232
- **Common gaps**: Shared admin accounts; weak passwords (< 12 chars); no MFA for all CDE access (key v4.0 gap); accounts not disabled within 90 days of inactivity; no session timeout.
233
-
234
- ---
235
-
236
- ### Requirement 9 — Restrict Physical Access to Cardholder Data
237
-
238
- Physical controls prevent unauthorised access to systems, media, and facilities in the CDE.
239
-
240
- | Sub-Req | Description | Evidence for QSA |
241
- |---------|-------------|-----------------|
242
- | 9.1 | Processes for restricting physical access defined | Physical security policy |
243
- | 9.2 | Physical access controls for appropriate facility entry | Badge access logs; visitor records |
244
- | 9.2.1 | Individual physical access controls to sensitive areas | Badge reader logs; CCTV |
245
- | 9.2.2 | Visitor management procedure implemented | Visitor log; escort policy |
246
- | 9.2.3 | Physical access to wireless access points, gateways, and handheld devices controlled | Device location inventory; lock-down evidence |
247
- | 9.2.4 | Physical access to CDE systems via publicly accessible network jacks controlled | Port lock-out; network access control |
248
- | 9.3 | Physical access for personnel and visitors authorised and managed | Access management records |
249
- | 9.3.1 | Physical access controls for personnel with physical access | Access list; revocation process |
250
- | 9.3.2 | Physical access for visitors authorised and revoked | Visitor badge records |
251
- | 9.4 | Media with cardholder data is securely stored, accessed, distributed, and destroyed | Media inventory; destruction records |
252
- | 9.4.1 | Physical media containing CHD secured | Locked storage; media inventory |
253
- | 9.4.2 | Physical media containing CHD classified | Classification labels on media |
254
- | 9.4.3 | Physical media distributed externally via tracked courier or secure methods | Courier receipts; chain of custody |
255
- | 9.4.4 | Management approval for all media moved outside facility | Approval records |
256
- | 9.4.5 | External media inventory controlled and audited | Media audit logs |
257
- | 9.4.6 | Hard-copy materials with CHD destroyed cross-cut or confetti-shred | Destruction vendor certificates |
258
- | 9.4.7 | Electronic media destroyed or rendered unrecoverable when no longer needed | Secure wipe / degauss / physical destroy records |
259
- | 9.5 | Point-of-interaction (POI) devices protected from tampering and skimming | POI device inspection programme |
260
- | 9.5.1 | POI device surface inspected to detect tampering or substitution | Inspection schedule; checklist records |
261
-
262
- **Common gaps**: No visitor log; POI devices not regularly inspected; media not tracked or destroyed per policy; physical access not revoked for terminated staff.
263
-
264
- ---
265
-
266
- ## GOAL 5: Regularly Monitor and Test Networks
267
-
268
- ### Requirement 10 — Log and Monitor All Access to System Components and Cardholder Data
269
-
270
- | Sub-Req | Description | Evidence for QSA |
271
- |---------|-------------|-----------------|
272
- | 10.1 | Audit log processes defined | Log management policy |
273
- | 10.2 | Audit logs implemented to support detection of anomalies | SIEM or log management platform |
274
- | 10.2.1 | Audit logs capture all individual user access to CHD | Log samples showing user activity |
275
- | 10.2.2 | Audit logs capture all actions by root or admin | Privileged access logs |
276
- | 10.2.3 | Audit logs capture all access to audit logs | Audit-of-audit trail |
277
- | 10.2.4 | Audit logs capture invalid logical access attempts | Failed login logs |
278
- | 10.2.5 | Audit logs capture use of identification and authentication mechanisms | Auth logs; MFA event logs |
279
- | 10.2.6 | Audit logs capture initialisation, stopping, or pausing of logs | Log service event logs |
280
- | 10.2.7 | Audit logs capture creation/deletion of system-level objects | System event logs |
281
- | 10.3 | Audit logs are protected from destruction and modification | Log integrity controls; write-once storage |
282
- | 10.3.1 | Log files protected to prevent modifications | Immutable log storage; SIEM ingestion |
283
- | 10.3.2 | Audit log files protected from unauthorised access | Access controls on log infrastructure |
284
- | 10.3.3 | Audit logs are promptly backed up to a central log server | Syslog/SIEM centralisation evidence |
285
- | 10.3.4 | File integrity monitoring or change detection on audit logs | FIM solution monitoring log files |
286
- | 10.4 | Audit logs reviewed to identify anomalies or suspicious activity | Log review process |
287
- | 10.4.1 | Automated log review mechanisms used (**NEW in v4.0**) | SIEM alert rules; automated review evidence |
288
- | 10.4.2 | Logs for all system components reviewed daily | Review schedules; SIEM alert evidence |
289
- | 10.4.3 | Exceptions and anomalies addressed promptly | Ticket records tied to log alerts |
290
- | 10.5 | Audit log history retained for at least 12 months with last 3 months immediately available | Retention policy; log storage capacity |
291
- | 10.6 | Time synchronisation technology in use | NTP configuration; stratum 1/2 sync |
292
- | 10.7 | Failures of critical security controls detected and addressed (**NEW in v4.0**) | Monitoring for AV, FW, IDS failures |
293
- | 10.7.2 | Failures detected and responded to promptly | Alert/ticketing evidence |
294
-
295
- **Common gaps**: Logs not centralised to SIEM; retention under 12 months; no automated review (v4.0 new); time not synchronised across all CDE components; critical security control failures not monitored.
296
-
297
- ---
298
-
299
- ### Requirement 11 — Test Security of Systems and Networks Regularly
300
-
301
- | Sub-Req | Description | Evidence for QSA |
302
- |---------|-------------|-----------------|
303
- | 11.1 | Security testing processes defined | Testing policy |
304
- | 11.2 | Wireless access points managed | Wireless AP inventory; rogue AP detection |
305
- | 11.2.1 | Authorised and unauthorised wireless access points managed | Quarterly wireless scans; rogue detection alerts |
306
- | 11.2.2 | Wireless scan inventory reconciled quarterly | Scan results vs inventory |
307
- | 11.3 | External and internal vulnerabilities assessed | Vulnerability scanning programme |
308
- | 11.3.1 | Internal vulnerability scans run at least every 3 months | Scan reports showing quarterly cadence |
309
- | 11.3.2 | External vulnerability scans run at least every 3 months by an ASV | ASV scan reports; passing results |
310
- | 11.3.3 | All exploitable vulnerabilities remediated and re-scanned | Remediation evidence; re-scan passing results |
311
- | 11.4 | External and internal penetration testing is performed | Penetration test reports |
312
- | 11.4.1 | Penetration testing methodology defined | Pen test scope document |
313
- | 11.4.2 | Internal penetration testing at least annually and after changes | Annual pen test report |
314
- | 11.4.3 | External penetration testing at least annually and after changes | External pen test report |
315
- | 11.4.4 | Exploitable vulnerabilities from pen testing remediated and re-tested | Remediation tracking; re-test confirmation |
316
- | 11.4.5 | Network segmentation verified by penetration testing at least every 6 months | Segmentation pen test report |
317
- | 11.5 | Network intrusion detection/prevention techniques used | IDS/IPS deployment evidence |
318
- | 11.5.1 | Intrusion detection/prevention used to detect and/or prevent intrusions | IDS/IPS alert logs; tuning records |
319
- | 11.5.2 | Change detection mechanism deployed on CDE | FIM solution alerts; change records |
320
- | 11.6 | Unauthorised changes on payment pages detected and responded to (**NEW v4.0**) | Script integrity monitoring |
321
- | 11.6.1 | Change and tamper detection mechanism for payment pages deployed | HTTP header monitoring; script hash verification |
322
-
323
- **Common gaps**: ASV scans failing (not "clean"); penetration testing not truly internal + external; segmentation not tested; no FIM; payment page integrity not monitored (v4.0 new).
324
-
325
- ---
326
-
327
- ## GOAL 6: Maintain an Information Security Policy
328
-
329
- ### Requirement 12 — Support Information Security with Organizational Policies and Programs
330
-
331
- | Sub-Req | Description | Evidence for QSA |
332
- |---------|-------------|-----------------|
333
- | 12.1 | Comprehensive information security policy defined, published, and maintained | Security policy doc; annual review |
334
- | 12.2 | Targeted risk analysis process defined for flexible requirements | TRA template; completed TRAs |
335
- | 12.3 | Risks to CHD and cardholder data environment managed | Risk management programme |
336
- | 12.3.1 | Targeted risk analysis for each PCI DSS requirement with customised approach | TRA documentation per requirement |
337
- | 12.3.2 | TRA performed for flexible-frequency requirements | Documented TRAs for each flexible req |
338
- | 12.3.3 | Cryptographic cipher suites and protocols reviewed and documented at least once every 12 months | Crypto inventory; annual review records |
339
- | 12.3.4 | Hardware and software technologies reviewed at least once every 12 months | Tech lifecycle review records |
340
- | 12.4 | PCI DSS compliance managed throughout the year | Compliance programme; quarterly review |
341
- | 12.4.2 | Reviews confirming personnel follow security policies performed at least quarterly | Quarterly compliance review records |
342
- | 12.5 | PCI DSS scope documented and validated | Scope documentation; annual review |
343
- | 12.5.1 | Inventory of system components in scope for PCI DSS maintained | CDE system inventory |
344
- | 12.5.2 | PCI DSS scope verified at least every 12 months and after major changes | Annual scope review; post-change assessment |
345
- | 12.6 | Security awareness education implemented | Security awareness programme; training records |
346
- | 12.6.1 | Security awareness programme in place | Programme documentation |
347
- | 12.6.2 | Security awareness programme reviewed at least every 12 months | Review records |
348
- | 12.6.3 | Personnel acknowledge at least annually they have read and understood security policy | Signed acknowledgements |
349
- | 12.7 | Personnel are screened before granting access to CDE | Background check policy; records |
350
- | 12.8 | Third-party service providers (TPSPs) with CHD access are managed | TPSP inventory; compliance monitoring |
351
- | 12.8.1 | List of all TPSPs maintained | TPSP register |
352
- | 12.8.2 | Written agreements with TPSPs acknowledging PCI DSS responsibility | Signed agreements |
353
- | 12.8.3 | Established process for engaging TPSPs | TPSP due diligence process |
354
- | 12.8.4 | TPSP PCI DSS compliance status monitored at least annually | Annual TPSP compliance confirmation; AOC |
355
- | 12.8.5 | Information about which PCI DSS requirements managed by each TPSP | Responsibility matrix |
356
- | 12.9 | TPSPs support customers' PCI DSS compliance | TPSP acknowledgement of responsibility |
357
- | 12.10 | Suspected and confirmed security incidents responded to immediately | Incident response plan; test records |
358
- | 12.10.1 | Incident response plan created and ready | Documented IR plan |
359
- | 12.10.2 | IR plan reviewed and tested at least annually | Annual tabletop or drill evidence |
360
- | 12.10.3 | Specific personnel designated for 24/7 incident response | On-call roster; contact list |
361
- | 12.10.4 | IR personnel trained appropriately | Annual training records |
362
- | 12.10.5 | Alerts from security monitoring systems included in IR plan | IR plan references monitoring alerts |
363
- | 12.10.6 | IR plan updated when new threats or lessons learned | Version history; update records |
364
- | 12.10.7 | Incident response procedures for discovery of stored PAN in unexpected location | PAN discovery procedure |
365
-
366
- **Common gaps**: Security policy not reviewed annually; no TPSP register or compliance monitoring; incident response plan never tested; personnel not acknowledging policy; no TRA process.
1
+ # PCI DSS v4.0.1 — All 12 Requirements
2
+
3
+ Source: PCI DSS v4.0.1 (PCI Security Standards Council, June 2024)
4
+ https://www.pcisecuritystandards.org/document_library/
5
+
6
+ ---
7
+
8
+ ## GOAL 1: Build and Maintain a Secure Network and Systems
9
+
10
+ ### Requirement 1 — Install and Maintain Network Security Controls
11
+
12
+ Network security controls (NSCs) — firewalls, routers, cloud security groups — prevent unauthorised network access to and from the CDE.
13
+
14
+ | Sub-Req | Description | Evidence for QSA |
15
+ |---------|-------------|-----------------|
16
+ | 1.1 | NSC policies and procedures are defined, implemented, and maintained | Policy docs, network diagrams, change records |
17
+ | 1.2 | NSC configurations restrict traffic to only what is necessary | Firewall/router ruleset review, deny-all default |
18
+ | 1.2.1 | Configuration standards for NSCs are defined | Documented baseline standards |
19
+ | 1.2.2 | NSC configuration changes are managed via change control | Change tickets, approval records |
20
+ | 1.2.3 | Network diagrams are current and accurate | Dated network diagram showing CDE boundaries |
21
+ | 1.2.4 | Data-flow diagrams for all account data flows are current | Data flow diagrams (DFDs) |
22
+ | 1.2.5 | All allowed services/ports are documented with business justification | Firewall rule documentation |
23
+ | 1.2.6 | Security features for each service are documented and implemented | Config baselines per service |
24
+ | 1.2.7 | NSC configurations are reviewed at least every 6 months | Review records with dates and approvers |
25
+ | 1.3 | Inbound and outbound network traffic is restricted to only that necessary | Egress filtering, deny-all-else rules |
26
+ | 1.3.1 | Inbound traffic to CDE restricted to authorised sources and services | Firewall rules reviewed |
27
+ | 1.3.2 | Outbound traffic from CDE restricted to authorised destinations | Egress rules documented |
28
+ | 1.3.3 | NSCs installed between wireless networks and CDE | Wireless-to-CDE firewall rules |
29
+ | 1.4 | Network connections between trusted and untrusted networks controlled | DMZ architecture, traffic inspection |
30
+ | 1.4.1 | NSCs between trusted/untrusted networks inspect and filter traffic | Stateful inspection, IDS/IPS |
31
+ | 1.4.2 | Inbound traffic from untrusted networks: no direct routes to CDE | No direct routing; proxy/DMZ required |
32
+ | 1.4.3 | Anti-spoofing measures to detect and block forged source IP addresses | Anti-spoofing ACLs, RFC 3704 filtering |
33
+ | 1.4.4 | Unauthorised traffic (cardholder data) blocked from entering untrusted networks | DLP rules or network controls |
34
+ | 1.4.5 | Internal IP addresses not disclosed to unauthorised parties | NAT, private RFC 1918 space |
35
+ | 1.5 | Risks from device connectivity to untrusted networks are managed | Endpoint security controls |
36
+ | 1.5.1 | Security controls for devices connecting to both untrusted and trusted networks | MDM/endpoint policy, split tunnelling controls |
37
+
38
+ **Common gaps**: Stale firewall rules never reviewed; no egress filtering; flat network (no CDE isolation); wireless networks not separated from CDE.
39
+
40
+ ---
41
+
42
+ ### Requirement 2 — Apply Secure Configurations to All System Components
43
+
44
+ Default credentials and unnecessary services must be eliminated before deployment.
45
+
46
+ | Sub-Req | Description | Evidence for QSA |
47
+ |---------|-------------|-----------------|
48
+ | 2.1 | Processes for managing vendor defaults and other security parameters | Hardening policy, config standards |
49
+ | 2.2 | System configuration standards are developed and implemented | CIS Benchmark or equivalent; per platform standard |
50
+ | 2.2.1 | System configuration standards address all known security vulnerabilities | Vuln scan results mapped to standards |
51
+ | 2.2.2 | Vendor default accounts managed before deploying systems | Default creds disabled/renamed; evidence of removal |
52
+ | 2.2.3 | Primary functions needing different security levels are on separate components | Server isolation, role separation |
53
+ | 2.2.4 | Only necessary functions, ports, protocols, and services are enabled | Port scan results; services audit |
54
+ | 2.2.5 | If insecure protocols are used, business justification and additional controls documented | Protocol exception log |
55
+ | 2.2.6 | System security parameters are configured to prevent misuse | Config hardening evidence |
56
+ | 2.2.7 | All non-console administrative access is encrypted | SSH, HTTPS, TLS for all admin access |
57
+ | 2.3 | Wireless environments are configured and managed securely | Wi-Fi config review, WPA3 or WPA2-Enterprise |
58
+ | 2.3.1 | Default wireless vendor defaults changed at installation | AP config records |
59
+ | 2.3.2 | Wireless encryption keys changed when anyone with key knowledge leaves | Key rotation procedure and evidence |
60
+
61
+ **Common gaps**: Vendor default passwords left unchanged; unnecessary services (Telnet, FTP) still enabled; no documented hardening standards.
62
+
63
+ ---
64
+
65
+ ## GOAL 2: Protect Account Data
66
+
67
+ ### Requirement 3 — Protect Stored Account Data
68
+
69
+ Minimise storage of account data; never store SAD post-authorisation; protect PAN wherever stored.
70
+
71
+ | Sub-Req | Description | Evidence for QSA |
72
+ |---------|-------------|-----------------|
73
+ | 3.1 | Processes for protecting stored account data are defined and implemented | Data retention policy |
74
+ | 3.2 | Account data storage minimised | Data retention schedules; deletion procedures |
75
+ | 3.2.1 | SAD not retained after authorisation | Scan results proving no SAD in storage; code review |
76
+ | 3.3 | SAD is not retained after authorisation | Confirmed by system scans and application review |
77
+ | 3.3.1 | SAD not stored (full magnetic stripe, CAV2/CVV2/CVC2/CID, PIN/PIN block) | Application code review; database scans |
78
+ | 3.3.2 | SAD stored prior to authorisation is encrypted | Encryption evidence for pre-auth data |
79
+ | 3.3.3 | Encryption keys for pre-auth SAD are managed securely | Key management docs |
80
+ | 3.4 | PAN is protected wherever it is stored | Encryption, masking, or tokenisation evidence |
81
+ | 3.4.1 | PAN is unreadable anywhere it is stored | AES-256 encryption; tokenisation proof; masking |
82
+ | 3.4.2 | Copies of PAN only on authorised removable media | Media inventory and controls |
83
+ | 3.5 | PAN is secured with strong cryptography | Encryption algorithm and key management review |
84
+ | 3.5.1 | Primary account numbers protected with strong cryptography | AES-256 or equivalent; no DES/RC4 |
85
+ | 3.6 | Cryptographic keys used for PAN encryption are secured | Key management policy and procedures |
86
+ | 3.6.1 | Key management procedures and processes for cryptographic keys | Key custodian assignments; split knowledge |
87
+ | 3.7 | Key management procedures and processes are implemented | Key rotation, key-encrypting keys, key retirement |
88
+ | 3.7.1 | Key management policies cover the full key lifecycle | Generated, distributed, stored, retired |
89
+ | 3.7.2 | Key storage is secure | HSM, encrypted key store |
90
+ | 3.7.3 | Key access restricted to fewest custodians necessary | Dual control; split knowledge |
91
+ | 3.7.4 | Key retirement/replacement policy documented and followed | Rotation records |
92
+ | 3.7.5 | Key compromises managed per documented procedure | Incident response for key compromise |
93
+ | 3.7.6 | Manual keys use split knowledge and dual control | Evidence of two-person key operations |
94
+ | 3.7.7 | Informal key substitution prevented | Formal key management only |
95
+ | 3.7.8 | Key custodians acknowledge their responsibilities | Signed custodian agreements |
96
+ | 3.7.9 | Where key management services are used, they meet Req 3.6–3.7 | CSP KMS compliance evidence |
97
+
98
+ **Common gaps**: CVV stored in database; PAN in log files; no key rotation; encryption with weak algorithms (MD5, SHA-1 for integrity); keys stored alongside encrypted data.
99
+
100
+ ---
101
+
102
+ ### Requirement 4 — Protect Cardholder Data with Strong Cryptography During Transmission
103
+
104
+ PAN transmitted over open, public networks must be encrypted using strong cryptography.
105
+
106
+ | Sub-Req | Description | Evidence for QSA |
107
+ |---------|-------------|-----------------|
108
+ | 4.1 | Processes for protecting PAN in transit are defined and implemented | Cryptography policy |
109
+ | 4.2 | PAN protected during transmission over open, public networks | TLS 1.2+ config; certificate review |
110
+ | 4.2.1 | Strong cryptography used to safeguard PAN in transit | TLS 1.2 or 1.3; no SSL, TLS 1.0, 1.1 |
111
+ | 4.2.1.1 | Certificate inventory maintained | Certificate management tool or inventory |
112
+ | 4.2.1.2 | Wireless networks transmitting PAN use strong cryptography | Wi-Fi encryption: WPA2-Enterprise or WPA3 |
113
+ | 4.2.2 | PAN not sent by unprotected end-user messaging (email, chat) | DLP policy; email encryption controls |
114
+
115
+ **Common gaps**: Legacy TLS 1.0/1.1 still enabled; expired SSL certificates; PAN sent via plain email; no certificate inventory.
116
+
117
+ ---
118
+
119
+ ## GOAL 3: Maintain a Vulnerability Management Program
120
+
121
+ ### Requirement 5 — Protect All Systems and Networks from Malicious Software
122
+
123
+ Anti-malware controls protect against viruses, ransomware, spyware, and other threats.
124
+
125
+ | Sub-Req | Description | Evidence for QSA |
126
+ |---------|-------------|-----------------|
127
+ | 5.1 | Processes for malware protection are defined | Anti-malware policy |
128
+ | 5.2 | Anti-malware solution(s) deployed on all applicable components | AV deployment inventory; management console |
129
+ | 5.2.1 | Anti-malware solution deployed on all components subject to malware | Coverage report; exceptions documented |
130
+ | 5.2.2 | Anti-malware solution detects all known types of malware | Vendor capability matrix |
131
+ | 5.2.3 | Systems not commonly affected by malware are evaluated periodically | Periodic risk analysis; documented exceptions |
132
+ | 5.3 | Anti-malware solution maintained and monitored | Definition update logs; scan results |
133
+ | 5.3.1 | Anti-malware solution kept current | Auto-update policy; current definition proof |
134
+ | 5.3.2 | Anti-malware performs periodic scans and active/real-time scanning | Scan schedule; real-time protection enabled |
135
+ | 5.3.3 | Anti-malware solution for removable media | USB scanning policy; endpoint config |
136
+ | 5.3.4 | Anti-malware solution logs maintained and monitored | Log retention; SIEM integration |
137
+ | 5.3.5 | Anti-malware mechanisms cannot be disabled by users | Admin-only uninstall; tamper protection enabled |
138
+ | 5.4 | Anti-phishing mechanisms protect users (**NEW in v4.0**) | Anti-phishing filter; email gateway config |
139
+ | 5.4.1 | Automated technical solution detects and protects against phishing | Email security gateway; URL filtering; DMARC/DKIM/SPF |
140
+
141
+ **Common gaps**: AV not covering Linux/Unix systems; definitions not auto-updated; users can disable AV; no phishing protections (new v4.0 requirement).
142
+
143
+ ---
144
+
145
+ ### Requirement 6 — Develop and Maintain Secure Systems and Software
146
+
147
+ Vulnerabilities must be identified and addressed through patching and secure development practices.
148
+
149
+ | Sub-Req | Description | Evidence for QSA |
150
+ |---------|-------------|-----------------|
151
+ | 6.1 | Security vulnerability identification and management processes defined | Vuln management policy |
152
+ | 6.2 | Bespoke and custom software is developed securely | SDLC policy; code review process |
153
+ | 6.2.1 | Bespoke software developed based on secure coding guidelines | Coding standards; training records |
154
+ | 6.2.2 | Software development personnel trained on secure coding techniques | Annual training records |
155
+ | 6.2.3 | Code review performed before production release | Code review records; SAST scan results |
156
+ | 6.2.4 | Software engineering techniques to prevent common vulnerabilities | OWASP Top 10 addressed; DAST results |
157
+ | 6.3 | Security vulnerabilities identified and addressed | Patch management policy |
158
+ | 6.3.1 | Security vulnerabilities managed using ranking | CVSS or internal risk ranking; patch SLAs |
159
+ | 6.3.2 | Inventory of bespoke and custom software maintained | Software inventory/SBOM |
160
+ | 6.3.3 | All system components protected from known vulnerabilities | Patch management; current patch evidence |
161
+ | 6.4 | Public-facing web applications protected from attacks | WAF or application review |
162
+ | 6.4.1 | Public-facing web apps protected against web-based attacks | WAF in blocking mode; annual app testing |
163
+ | 6.4.2 | Automated technical solution deployed for public-facing web apps | WAF config; active monitoring |
164
+ | 6.4.3 | All payment page scripts managed and authorised (**NEW v4.0**) | Script inventory; integrity controls |
165
+ | 6.5 | Changes to system components managed securely | Change management policy |
166
+ | 6.5.1 | Changes to system components via formal change control | Change tickets; approval evidence |
167
+ | 6.5.2 | Post-change security verification | Test results; UAT sign-off |
168
+ | 6.5.3 | Pre-production environments are separate from production | Environment separation proof |
169
+ | 6.5.4 | Roles and functions are separated between production and pre-production | Access control evidence |
170
+ | 6.5.5 | Live PANs not used in pre-production/testing | Anonymised test data confirmation |
171
+ | 6.5.6 | Test data/accounts removed before production | Pre-prod cleanup checklist |
172
+
173
+ **Common gaps**: No SDLC/secure coding policy; live PANs in test environments; WAF in detection-only mode; payment page scripts not inventoried (v4.0 new).
174
+
175
+ ---
176
+
177
+ ## GOAL 4: Implement Strong Access Control Measures
178
+
179
+ ### Requirement 7 — Restrict Access to System Components and Cardholder Data by Business Need to Know
180
+
181
+ | Sub-Req | Description | Evidence for QSA |
182
+ |---------|-------------|-----------------|
183
+ | 7.1 | Access control processes and procedures defined | Access control policy |
184
+ | 7.2 | Access to system components and cardholder data is restricted | Role-based access matrix; IAM configuration |
185
+ | 7.2.1 | All users have access based on least privilege and need-to-know | Access review results |
186
+ | 7.2.2 | Access assigned based on job classification and function | Role definitions; access request records |
187
+ | 7.2.3 | Privilege access approved by authorised personnel | Approval workflow records |
188
+ | 7.2.4 | User accounts and access privileges reviewed at least every 6 months | Access review logs with dates |
189
+ | 7.2.5 | Application/system accounts managed by policy | Service account inventory; access controls |
190
+ | 7.2.6 | Query access to CHD repositories restricted to defined applications | DB access controls; application-level auth |
191
+ | 7.3 | Access to system components and data is managed | IAM system; access control enforcement |
192
+ | 7.3.1 | Access control system in place to restrict access to CDE | IAM/PAM tool deployment evidence |
193
+ | 7.3.2 | Access control system configured to enforce least privilege | ACL review; deny-by-default configuration |
194
+ | 7.3.3 | Access control system is kept current | Review and update cycle evidence |
195
+
196
+ **Common gaps**: Shared accounts; no access recertification; over-privileged service accounts; no need-to-know principle enforced for database access.
197
+
198
+ ---
199
+
200
+ ### Requirement 8 — Identify Users and Authenticate Access to System Components
201
+
202
+ Every user must have a unique ID; strong authentication required for CDE access.
203
+
204
+ | Sub-Req | Description | Evidence for QSA |
205
+ |---------|-------------|-----------------|
206
+ | 8.1 | User identification and authentication processes defined | Authentication policy |
207
+ | 8.2 | User IDs and authentication credentials managed | IAM system; unique account verification |
208
+ | 8.2.1 | All users have a unique ID | Account audit; no shared accounts |
209
+ | 8.2.2 | Group, shared, or generic accounts managed only in exceptional circumstances | Exceptions with justification documented |
210
+ | 8.2.3 | Additional authentication for accounts used by third parties/vendors | MFA for vendor access |
211
+ | 8.2.4 | User accounts added/modified/deleted only through formal process | Identity lifecycle management records |
212
+ | 8.2.5 | Access for terminated users is immediately revoked | Offboarding checklist; IAM de-provisioning evidence |
213
+ | 8.2.6 | Inactive accounts disabled within 90 days | Account review; automated disable policy |
214
+ | 8.2.7 | Accounts used for system/application functions managed appropriately | Service account policy compliance |
215
+ | 8.2.8 | Sessions inactive more than 15 minutes require re-authentication | Session timeout config |
216
+ | 8.3 | Strong authentication established and managed | MFA configuration evidence |
217
+ | 8.3.1 | All user access into CDE uses MFA (**Extended in v4.0**) | MFA deployment proof for ALL CDE access |
218
+ | 8.3.2 | MFA for all access into the CDE from outside | Remote access MFA (VPN, RDP, etc.) |
219
+ | 8.3.4 | Invalid authentication attempts limited | Account lockout policy (max 10 attempts) |
220
+ | 8.3.5 | Passwords/passphrases set to meet minimum requirements | Password policy config: min 12 chars, complexity |
221
+ | 8.3.6 | Passwords changed every 90 days (or with compensating control/risk analysis) | Password policy; expiry settings |
222
+ | 8.3.7 | Individuals not allowed to submit new password same as any of last 4 | Password history settings |
223
+ | 8.3.8 | Authentication policies communicated to users | Training records; policy acknowledgements |
224
+ | 8.3.9 | Passwords for users not using MFA changed at least every 90 days | Password expiry config |
225
+ | 8.3.10 | Guidance for changing passwords provided to users at specified intervals | Comms records |
226
+ | 8.4 | MFA implemented for all access into the CDE | MFA for all privileged and standard user access |
227
+ | 8.4.1 | MFA for all non-console admin access to CDE | Admin MFA config |
228
+ | 8.4.2 | MFA for all access into the CDE (**Key new v4.0 change**) | MFA required for everyone accessing CDE |
229
+ | 8.5 | MFA systems configured to prevent misuse | Anti-MFA-bypass controls |
230
+ | 8.6 | Use of application/system accounts managed | Automated or manual interactive use controls |
231
+
232
+ **Common gaps**: Shared admin accounts; weak passwords (< 12 chars); no MFA for all CDE access (key v4.0 gap); accounts not disabled within 90 days of inactivity; no session timeout.
233
+
234
+ ---
235
+
236
+ ### Requirement 9 — Restrict Physical Access to Cardholder Data
237
+
238
+ Physical controls prevent unauthorised access to systems, media, and facilities in the CDE.
239
+
240
+ | Sub-Req | Description | Evidence for QSA |
241
+ |---------|-------------|-----------------|
242
+ | 9.1 | Processes for restricting physical access defined | Physical security policy |
243
+ | 9.2 | Physical access controls for appropriate facility entry | Badge access logs; visitor records |
244
+ | 9.2.1 | Individual physical access controls to sensitive areas | Badge reader logs; CCTV |
245
+ | 9.2.2 | Visitor management procedure implemented | Visitor log; escort policy |
246
+ | 9.2.3 | Physical access to wireless access points, gateways, and handheld devices controlled | Device location inventory; lock-down evidence |
247
+ | 9.2.4 | Physical access to CDE systems via publicly accessible network jacks controlled | Port lock-out; network access control |
248
+ | 9.3 | Physical access for personnel and visitors authorised and managed | Access management records |
249
+ | 9.3.1 | Physical access controls for personnel with physical access | Access list; revocation process |
250
+ | 9.3.2 | Physical access for visitors authorised and revoked | Visitor badge records |
251
+ | 9.4 | Media with cardholder data is securely stored, accessed, distributed, and destroyed | Media inventory; destruction records |
252
+ | 9.4.1 | Physical media containing CHD secured | Locked storage; media inventory |
253
+ | 9.4.2 | Physical media containing CHD classified | Classification labels on media |
254
+ | 9.4.3 | Physical media distributed externally via tracked courier or secure methods | Courier receipts; chain of custody |
255
+ | 9.4.4 | Management approval for all media moved outside facility | Approval records |
256
+ | 9.4.5 | External media inventory controlled and audited | Media audit logs |
257
+ | 9.4.6 | Hard-copy materials with CHD destroyed cross-cut or confetti-shred | Destruction vendor certificates |
258
+ | 9.4.7 | Electronic media destroyed or rendered unrecoverable when no longer needed | Secure wipe / degauss / physical destroy records |
259
+ | 9.5 | Point-of-interaction (POI) devices protected from tampering and skimming | POI device inspection programme |
260
+ | 9.5.1 | POI device surface inspected to detect tampering or substitution | Inspection schedule; checklist records |
261
+
262
+ **Common gaps**: No visitor log; POI devices not regularly inspected; media not tracked or destroyed per policy; physical access not revoked for terminated staff.
263
+
264
+ ---
265
+
266
+ ## GOAL 5: Regularly Monitor and Test Networks
267
+
268
+ ### Requirement 10 — Log and Monitor All Access to System Components and Cardholder Data
269
+
270
+ | Sub-Req | Description | Evidence for QSA |
271
+ |---------|-------------|-----------------|
272
+ | 10.1 | Audit log processes defined | Log management policy |
273
+ | 10.2 | Audit logs implemented to support detection of anomalies | SIEM or log management platform |
274
+ | 10.2.1 | Audit logs capture all individual user access to CHD | Log samples showing user activity |
275
+ | 10.2.2 | Audit logs capture all actions by root or admin | Privileged access logs |
276
+ | 10.2.3 | Audit logs capture all access to audit logs | Audit-of-audit trail |
277
+ | 10.2.4 | Audit logs capture invalid logical access attempts | Failed login logs |
278
+ | 10.2.5 | Audit logs capture use of identification and authentication mechanisms | Auth logs; MFA event logs |
279
+ | 10.2.6 | Audit logs capture initialisation, stopping, or pausing of logs | Log service event logs |
280
+ | 10.2.7 | Audit logs capture creation/deletion of system-level objects | System event logs |
281
+ | 10.3 | Audit logs are protected from destruction and modification | Log integrity controls; write-once storage |
282
+ | 10.3.1 | Log files protected to prevent modifications | Immutable log storage; SIEM ingestion |
283
+ | 10.3.2 | Audit log files protected from unauthorised access | Access controls on log infrastructure |
284
+ | 10.3.3 | Audit logs are promptly backed up to a central log server | Syslog/SIEM centralisation evidence |
285
+ | 10.3.4 | File integrity monitoring or change detection on audit logs | FIM solution monitoring log files |
286
+ | 10.4 | Audit logs reviewed to identify anomalies or suspicious activity | Log review process |
287
+ | 10.4.1 | Automated log review mechanisms used (**NEW in v4.0**) | SIEM alert rules; automated review evidence |
288
+ | 10.4.2 | Logs for all system components reviewed daily | Review schedules; SIEM alert evidence |
289
+ | 10.4.3 | Exceptions and anomalies addressed promptly | Ticket records tied to log alerts |
290
+ | 10.5 | Audit log history retained for at least 12 months with last 3 months immediately available | Retention policy; log storage capacity |
291
+ | 10.6 | Time synchronisation technology in use | NTP configuration; stratum 1/2 sync |
292
+ | 10.7 | Failures of critical security controls detected and addressed (**NEW in v4.0**) | Monitoring for AV, FW, IDS failures |
293
+ | 10.7.2 | Failures detected and responded to promptly | Alert/ticketing evidence |
294
+
295
+ **Common gaps**: Logs not centralised to SIEM; retention under 12 months; no automated review (v4.0 new); time not synchronised across all CDE components; critical security control failures not monitored.
296
+
297
+ ---
298
+
299
+ ### Requirement 11 — Test Security of Systems and Networks Regularly
300
+
301
+ | Sub-Req | Description | Evidence for QSA |
302
+ |---------|-------------|-----------------|
303
+ | 11.1 | Security testing processes defined | Testing policy |
304
+ | 11.2 | Wireless access points managed | Wireless AP inventory; rogue AP detection |
305
+ | 11.2.1 | Authorised and unauthorised wireless access points managed | Quarterly wireless scans; rogue detection alerts |
306
+ | 11.2.2 | Wireless scan inventory reconciled quarterly | Scan results vs inventory |
307
+ | 11.3 | External and internal vulnerabilities assessed | Vulnerability scanning programme |
308
+ | 11.3.1 | Internal vulnerability scans run at least every 3 months | Scan reports showing quarterly cadence |
309
+ | 11.3.2 | External vulnerability scans run at least every 3 months by an ASV | ASV scan reports; passing results |
310
+ | 11.3.3 | All exploitable vulnerabilities remediated and re-scanned | Remediation evidence; re-scan passing results |
311
+ | 11.4 | External and internal penetration testing is performed | Penetration test reports |
312
+ | 11.4.1 | Penetration testing methodology defined | Pen test scope document |
313
+ | 11.4.2 | Internal penetration testing at least annually and after changes | Annual pen test report |
314
+ | 11.4.3 | External penetration testing at least annually and after changes | External pen test report |
315
+ | 11.4.4 | Exploitable vulnerabilities from pen testing remediated and re-tested | Remediation tracking; re-test confirmation |
316
+ | 11.4.5 | Network segmentation verified by penetration testing at least every 6 months | Segmentation pen test report |
317
+ | 11.5 | Network intrusion detection/prevention techniques used | IDS/IPS deployment evidence |
318
+ | 11.5.1 | Intrusion detection/prevention used to detect and/or prevent intrusions | IDS/IPS alert logs; tuning records |
319
+ | 11.5.2 | Change detection mechanism deployed on CDE | FIM solution alerts; change records |
320
+ | 11.6 | Unauthorised changes on payment pages detected and responded to (**NEW v4.0**) | Script integrity monitoring |
321
+ | 11.6.1 | Change and tamper detection mechanism for payment pages deployed | HTTP header monitoring; script hash verification |
322
+
323
+ **Common gaps**: ASV scans failing (not "clean"); penetration testing not truly internal + external; segmentation not tested; no FIM; payment page integrity not monitored (v4.0 new).
324
+
325
+ ---
326
+
327
+ ## GOAL 6: Maintain an Information Security Policy
328
+
329
+ ### Requirement 12 — Support Information Security with Organizational Policies and Programs
330
+
331
+ | Sub-Req | Description | Evidence for QSA |
332
+ |---------|-------------|-----------------|
333
+ | 12.1 | Comprehensive information security policy defined, published, and maintained | Security policy doc; annual review |
334
+ | 12.2 | Targeted risk analysis process defined for flexible requirements | TRA template; completed TRAs |
335
+ | 12.3 | Risks to CHD and cardholder data environment managed | Risk management programme |
336
+ | 12.3.1 | Targeted risk analysis for each PCI DSS requirement with customised approach | TRA documentation per requirement |
337
+ | 12.3.2 | TRA performed for flexible-frequency requirements | Documented TRAs for each flexible req |
338
+ | 12.3.3 | Cryptographic cipher suites and protocols reviewed and documented at least once every 12 months | Crypto inventory; annual review records |
339
+ | 12.3.4 | Hardware and software technologies reviewed at least once every 12 months | Tech lifecycle review records |
340
+ | 12.4 | PCI DSS compliance managed throughout the year | Compliance programme; quarterly review |
341
+ | 12.4.2 | Reviews confirming personnel follow security policies performed at least quarterly | Quarterly compliance review records |
342
+ | 12.5 | PCI DSS scope documented and validated | Scope documentation; annual review |
343
+ | 12.5.1 | Inventory of system components in scope for PCI DSS maintained | CDE system inventory |
344
+ | 12.5.2 | PCI DSS scope verified at least every 12 months and after major changes | Annual scope review; post-change assessment |
345
+ | 12.6 | Security awareness education implemented | Security awareness programme; training records |
346
+ | 12.6.1 | Security awareness programme in place | Programme documentation |
347
+ | 12.6.2 | Security awareness programme reviewed at least every 12 months | Review records |
348
+ | 12.6.3 | Personnel acknowledge at least annually they have read and understood security policy | Signed acknowledgements |
349
+ | 12.7 | Personnel are screened before granting access to CDE | Background check policy; records |
350
+ | 12.8 | Third-party service providers (TPSPs) with CHD access are managed | TPSP inventory; compliance monitoring |
351
+ | 12.8.1 | List of all TPSPs maintained | TPSP register |
352
+ | 12.8.2 | Written agreements with TPSPs acknowledging PCI DSS responsibility | Signed agreements |
353
+ | 12.8.3 | Established process for engaging TPSPs | TPSP due diligence process |
354
+ | 12.8.4 | TPSP PCI DSS compliance status monitored at least annually | Annual TPSP compliance confirmation; AOC |
355
+ | 12.8.5 | Information about which PCI DSS requirements managed by each TPSP | Responsibility matrix |
356
+ | 12.9 | TPSPs support customers' PCI DSS compliance | TPSP acknowledgement of responsibility |
357
+ | 12.10 | Suspected and confirmed security incidents responded to immediately | Incident response plan; test records |
358
+ | 12.10.1 | Incident response plan created and ready | Documented IR plan |
359
+ | 12.10.2 | IR plan reviewed and tested at least annually | Annual tabletop or drill evidence |
360
+ | 12.10.3 | Specific personnel designated for 24/7 incident response | On-call roster; contact list |
361
+ | 12.10.4 | IR personnel trained appropriately | Annual training records |
362
+ | 12.10.5 | Alerts from security monitoring systems included in IR plan | IR plan references monitoring alerts |
363
+ | 12.10.6 | IR plan updated when new threats or lessons learned | Version history; update records |
364
+ | 12.10.7 | Incident response procedures for discovery of stored PAN in unexpected location | PAN discovery procedure |
365
+
366
+ **Common gaps**: Security policy not reviewed annually; no TPSP register or compliance monitoring; incident response plan never tested; personnel not acknowledging policy; no TRA process.