
Payment Card Industry Data Security Standard v4.0.1

Global security standard for organisations that store, process, or transmit cardholder data. Defines 12 requirements across 6 control objectives for protecting payment card data.

AC Access Control

Control | Name | PCI DSS v4.0.1 References
AC-01 | Access Control Policies and Procedures | 12.1, 7.1
AC-02 | Account Management | 2.2.1, 2.2.2, 7.2, 8.2, 8.6
AC-03 | Access Enforcement | 1.2.8, 3.4, 7.2, 7.3
AC-04 | Information Flow Enforcement | 1.2, 1.3
AC-05 | Separation Of Duties | 7.2
AC-06 | Least Privilege | 3.4, 7.1, 7.2, 8.6
AC-17 | Remote Access | 2.2.7
AC-18 | Wireless Access Restrictions | 11.2
AC-19 | Access Control For Portable And Mobile Devices | 1.5
AC-20 | Use Of External Information Systems | 1.5, 12.2
AC-25 | Reference Monitor | 7.3

AT Awareness and Training

Control | Name | PCI DSS v4.0.1 References
AT-01 | Security Awareness And Training Policy And Procedures | 12.1, 12.6
AT-02 | Security Awareness | 12.6, 5.4
AT-03 | Security Training | 12.6, 6.2.1
AT-04 | Security Training Records | 12.6

AU Audit and Accountability

Control | Name | PCI DSS v4.0.1 References
AU-01 | Audit And Accountability Policy And Procedures | 10.1, 12.1
AU-02 | Auditable Events | 10.2
AU-03 | Content Of Audit Records | 10.2
AU-05 | Response To Audit Processing Failures | 10.7
AU-06 | Audit Monitoring, Analysis, And Reporting | 10.4, 11.5
AU-08 | Time Stamps | 10.6
AU-09 | Protection Of Audit Information | 10.3
AU-11 | Audit Record Retention | 10.5
AU-12 | Audit Record Generation | 10.2

CA Security Assessment and Authorization

Control | Name | PCI DSS v4.0.1 References
CA-01 | Certification, Accreditation, And Security Assessment Policies And Procedures | 11.1, 12.1
CA-02 | Security Assessments | 12.4, 12.5
CA-07 | Continuous Monitoring | 12.4
CA-08 | Penetration Testing | 11.4
CA-09 | Internal System Connections | 1.2, 1.3, 11.3

CM Configuration Management

Control | Name | PCI DSS v4.0.1 References
CM-01 | Configuration Management Policy And Procedures | 1.1, 12.1, 2.1
CM-02 | Baseline Configuration | 1.2, 1.2.1, 2.1, 2.2
CM-03 | Configuration Change Control | 1.2.8, 11.6, 6.5
CM-04 | Monitoring Configuration Changes | 6.5
CM-05 | Access Restrictions For Change | 6.5
CM-06 | Configuration Settings | 1.2, 1.2.1, 1.2.8, 2.1, 2.2, 2.2.1, 2.2.2
CM-07 | Least Functionality | 1.2.5, 2.2, 2.2.5
CM-08 | Information System Component Inventory | 11.2, 12.5
CM-12 | Information Location | 12.5, 3.1, 3.2, 3.5
CM-13 | Data Action Mapping | 3.3, 4.1, 4.2
CM-14 | Signed Components | 11.5, 11.6, 6.2

CP Contingency Planning

Control | Name | PCI DSS v4.0.1 References
CP-01 | Contingency Planning Policy And Procedures | 12.1

IA Identification and Authentication

Control | Name | PCI DSS v4.0.1 References
IA-01 | Identification And Authentication Policy And Procedures | 12.1, 8.1
IA-02 | User Identification And Authentication | 8.1, 8.3, 8.4, 8.5
IA-04 | Identifier Management | 8.2
IA-05 | Authenticator Management | 2.2.1, 2.2.2, 8.2, 8.3, 8.3.6, 8.3.9, 8.6

IR Incident Response

Control | Name | PCI DSS v4.0.1 References
IR-01 | Incident Response Policy And Procedures | 12.1, 12.10
IR-02 | Incident Response Training | 12.10
IR-03 | Incident Response Testing And Exercises | 12.10
IR-04 | Incident Handling | 10.7, 11.5, 12.10
IR-05 | Incident Monitoring | 12.10
IR-06 | Incident Reporting | 10.7, 12.10
IR-07 | Incident Response Assistance | 12.10
IR-08 | Incident Response Plan | 12.10
IR-09 | Information Spillage Response | 12.10

MA Maintenance

Control | Name | PCI DSS v4.0.1 References
MA-01 | System Maintenance Policy And Procedures | 12.1

MP Media Protection

Control | Name | PCI DSS v4.0.1 References
MP-01 | Media Protection Policy And Procedures | 12.1, 3.1
MP-02 | Media Access | 9.4
MP-03 | Media Labeling | 9.4
MP-04 | Media Storage | 9.4
MP-05 | Media Transport | 9.4
MP-06 | Media Sanitization And Disposal | 9.4
MP-07 | Media Use | 9.4

PE Physical and Environmental Protection

Control | Name | PCI DSS v4.0.1 References
PE-01 | Physical And Environmental Protection Policy And Procedures | 12.1, 9.1
PE-02 | Physical Access Authorizations | 9.2, 9.3
PE-03 | Physical Access Control | 9.2, 9.3, 9.5
PE-06 | Monitoring Physical Access | 9.2
PE-07 | Visitor Control | 9.2, 9.3
PE-08 | Access Records | 9.2, 9.3

PL Planning

Control | Name | PCI DSS v4.0.1 References
PL-01 | Security Planning Policy And Procedures | 1.1, 10.1, 11.1, 12.1, 3.1, 4.1, 5.1, 7.1, 8.1, 9.1
PL-02 | System Security Plan | 12.5
PL-04 | Rules Of Behavior | 12.2
PL-09 | Central Management | 12.1
PL-10 | Baseline Selection | 2.1, 2.2
PL-11 | Baseline Tailoring | 2.1, 2.2

PM Program Management

Control | Name | PCI DSS v4.0.1 References
PM-01 | Information Security Program Plan | 12.1
PM-06 | Measures of Performance | 12.4
PM-09 | Risk Management Strategy | 12.3
PM-25 | Minimization of Personally Identifiable Information Used in Testing, Training, and Research | 3.2

PS Personnel Security

Control | Name | PCI DSS v4.0.1 References
PS-01 | Personnel Security Policy And Procedures | 12.1
PS-03 | Personnel Screening | 12.7
PS-07 | Third-Party Personnel Security | 12.7

RA Risk Assessment

Control | Name | PCI DSS v4.0.1 References
RA-01 | Risk Assessment Policy And Procedures | 12.1
RA-02 | Security Categorization | 12.3
RA-03 | Risk Assessment | 12.3
RA-05 | Vulnerability Scanning | 11.3, 6.3
RA-07 | Risk Response | 12.3

SA System and Services Acquisition

Control | Name | PCI DSS v4.0.1 References
SA-01 | System And Services Acquisition Policy And Procedures | 12.1, 6.1
SA-03 | Life Cycle Support | 6.1, 6.2
SA-04 | Acquisitions | 12.8
SA-08 | Security Engineering Principles | 6.2
SA-09 | External Information System Services | 12.8, 12.9
SA-10 | Developer Configuration Management | 6.2, 6.5
SA-11 | Developer Security Testing | 6.2, 6.2.3, 6.4
SA-15 | Development Process, Standards, and Tools | 6.1, 6.2
SA-16 | Developer-Provided Training | 6.2.1
SA-17 | Developer Security and Privacy Architecture and Design | 6.2

SC System and Communications Protection

Control | Name | PCI DSS v4.0.1 References
SC-01 | System And Communications Protection Policy And Procedures | 12.1
SC-07 | Boundary Protection | 1.1, 1.2, 1.2.1, 1.2.5, 1.3, 1.4, 1.5, 5.4, 6.4
SC-08 | Transmission Integrity | 2.2.7, 4.1, 4.2
SC-12 | Cryptographic Key Establishment And Management | 3.5, 3.6, 3.7
SC-13 | Use Of Cryptography | 2.2.7, 3.5, 4.1, 4.2
SC-24 | Fail in Known State | 10.7
SC-26 | Decoys | 11.1, 11.4
SC-28 | Protection of Information at Rest | 3.1, 3.3, 3.5
SC-34 | Non-modifiable Executable Programs | 5.2
SC-35 | External Malicious Code Identification | 11.5, 5.3
SC-37 | Out-of-band Channels | 8.3, 8.4
SC-44 | Detonation Chambers | 5.2
SC-45 | System Time Synchronization | 10.6

SI System and Information Integrity

Control | Name | PCI DSS v4.0.1 References
SI-01 | System And Information Integrity Policy And Procedures | 12.1, 5.1
SI-02 | Flaw Remediation | 11.3, 6.3, 6.3.3
SI-03 | Malicious Code Protection | 5.1, 5.2, 5.3, 6.4
SI-04 | Information System Monitoring Tools And Techniques | 10.4, 10.7, 11.2, 11.5, 11.6
SI-05 | Security Alerts And Advisories | 6.3
SI-07 | Software And Information Integrity | 11.5, 11.6
SI-08 | Spam Protection | 5.4
SI-12 | Information Output Handling And Retention | 3.2, 3.3
SI-16 | Memory Protection | 5.2, 6.2
SI-19 | De-identification | 3.4

SR Supply Chain Risk Management

Control | Name | PCI DSS v4.0.1 References
SR-01 | Policy and Procedures | 12.8, 12.9
SR-03 | Supply Chain Controls and Processes | 12.8
SR-06 | Supplier Assessments and Reviews | 12.8
SR-09 | Tamper Resistance and Detection | 9.5
SR-10 | Inspection of Systems or Components | 9.5
SR-11 | Component Authenticity | 9.5