Details of the PCI DSS v4.0 Regulatory Compliance built-in initiative

The following article details how the Azure Policy Regulatory Compliance built-in initiative definition maps to compliance domains and controls in PCI DSS v4.0. For more information about this compliance standard, see PCI DSS v4.0. To understand Ownership, see Azure Policy policy definition and Shared responsibility in the cloud.

The following mappings are to the PCI DSS v4.0 controls. Many of the controls are implemented with an Azure Policy initiative definition. To review the complete initiative definition, open Policy in the Azure portal and select the Definitions page. Then, find and select the PCI DSS v4 Regulatory Compliance built-in initiative definition.

Important

Each control below is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policy definitions themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time. To view the change history, see the GitHub Commit History.

Requirement 01: Install and Maintain Network Security Controls

Processes and mechanisms for installing and maintaining network security controls are defined and understood

ID: PCI DSS v4.0 1.1.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Review and update configuration management policies and procedures	CMA_C1175 - Review and update configuration management policies and procedures	Manual, Disabled	1.1.0
Review and update system and communications protection policies and procedures	CMA_C1616 - Review and update system and communications protection policies and procedures	Manual, Disabled	1.1.0

Network security controls (NSCs) are configured and maintained

ID: PCI DSS v4.0 1.2.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Configure actions for noncompliant devices	CMA_0062 - Configure actions for noncompliant devices	Manual, Disabled	1.1.0
Develop and maintain baseline configurations	CMA_0153 - Develop and maintain baseline configurations	Manual, Disabled	1.1.0
Enforce security configuration settings	CMA_0249 - Enforce security configuration settings	Manual, Disabled	1.1.0
Establish a configuration control board	CMA_0254 - Establish a configuration control board	Manual, Disabled	1.1.0
Establish and document a configuration management plan	CMA_0264 - Establish and document a configuration management plan	Manual, Disabled	1.1.0
Implement an automated configuration management tool	CMA_0311 - Implement an automated configuration management tool	Manual, Disabled	1.1.0

Network security controls (NSCs) are configured and maintained

ID: PCI DSS v4.0 1.2.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Conduct a security impact analysis	CMA_0057 - Conduct a security impact analysis	Manual, Disabled	1.1.0
Develop and maintain a vulnerability management standard	CMA_0152 - Develop and maintain a vulnerability management standard	Manual, Disabled	1.1.0
Establish a risk management strategy	CMA_0258 - Establish a risk management strategy	Manual, Disabled	1.1.0
Establish and document change control processes	CMA_0265 - Establish and document change control processes	Manual, Disabled	1.1.0
Establish configuration management requirements for developers	CMA_0270 - Establish configuration management requirements for developers	Manual, Disabled	1.1.0
Perform a privacy impact assessment	CMA_0387 - Perform a privacy impact assessment	Manual, Disabled	1.1.0
Perform a risk assessment	CMA_0388 - Perform a risk assessment	Manual, Disabled	1.1.0
Perform audit for configuration change control	CMA_0390 - Perform audit for configuration change control	Manual, Disabled	1.1.0

Network security controls (NSCs) are configured and maintained

ID: PCI DSS v4.0 1.2.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Check for privacy and security compliance before establishing internal connections	CMA_0053 - Check for privacy and security compliance before establishing internal connections	Manual, Disabled	1.1.0

Network security controls (NSCs) are configured and maintained

ID: PCI DSS v4.0 1.2.4 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Maintain records of processing of personal data	CMA_0353 - Maintain records of processing of personal data	Manual, Disabled	1.1.0

Network security controls (NSCs) are configured and maintained

ID: PCI DSS v4.0 1.2.5 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Identify external service providers	CMA_C1591 - Identify external service providers	Manual, Disabled	1.1.0
Require developer to identify SDLC ports, protocols, and services	CMA_C1578 - Require developer to identify SDLC ports, protocols, and services	Manual, Disabled	1.1.0

Network security controls (NSCs) are configured and maintained

ID: PCI DSS v4.0 1.2.8 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Enforce and audit access restrictions	CMA_C1203 - Enforce and audit access restrictions	Manual, Disabled	1.1.0
Establish and document change control processes	CMA_0265 - Establish and document change control processes	Manual, Disabled	1.1.0
Review changes for any unauthorized changes	CMA_C1204 - Review changes for any unauthorized changes	Manual, Disabled	1.1.0

Network access to and from the cardholder data environment is restricted

ID: PCI DSS v4.0 1.3.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
All network ports should be restricted on network security groups associated to your virtual machine	Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.	AuditIfNotExists, Disabled	3.0.0
Storage accounts should restrict network access	Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges	Audit, Deny, Disabled	1.1.1

Network access to and from the cardholder data environment is restricted

ID: PCI DSS v4.0 1.3.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Document and implement wireless access guidelines	CMA_0190 - Document and implement wireless access guidelines	Manual, Disabled	1.1.0
Protect wireless access	CMA_0411 - Protect wireless access	Manual, Disabled	1.1.0

Network connections between trusted and untrusted networks are controlled

ID: PCI DSS v4.0 1.4.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Control information flow	CMA_0079 - Control information flow	Manual, Disabled	1.1.0
Employ flow control mechanisms of encrypted information	CMA_0211 - Employ flow control mechanisms of encrypted information	Manual, Disabled	1.1.0
Implement managed interface for each external service	CMA_C1626 - Implement managed interface for each external service	Manual, Disabled	1.1.0
Implement system boundary protection	CMA_0328 - Implement system boundary protection	Manual, Disabled	1.1.0
Secure the interface to external systems	CMA_0491 - Secure the interface to external systems	Manual, Disabled	1.1.0

Network connections between trusted and untrusted networks are controlled

ID: PCI DSS v4.0 1.4.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
All network ports should be restricted on network security groups associated to your virtual machine	Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.	AuditIfNotExists, Disabled	3.0.0
Control information flow	CMA_0079 - Control information flow	Manual, Disabled	1.1.0
Employ flow control mechanisms of encrypted information	CMA_0211 - Employ flow control mechanisms of encrypted information	Manual, Disabled	1.1.0
Implement managed interface for each external service	CMA_C1626 - Implement managed interface for each external service	Manual, Disabled	1.1.0
Implement system boundary protection	CMA_0328 - Implement system boundary protection	Manual, Disabled	1.1.0
Secure the interface to external systems	CMA_0491 - Secure the interface to external systems	Manual, Disabled	1.1.0
Storage accounts should restrict network access	Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges	Audit, Deny, Disabled	1.1.1

Network connections between trusted and untrusted networks are controlled

ID: PCI DSS v4.0 1.4.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Control information flow	CMA_0079 - Control information flow	Manual, Disabled	1.1.0
Employ flow control mechanisms of encrypted information	CMA_0211 - Employ flow control mechanisms of encrypted information	Manual, Disabled	1.1.0

Network connections between trusted and untrusted networks are controlled

ID: PCI DSS v4.0 1.4.4 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Control information flow	CMA_0079 - Control information flow	Manual, Disabled	1.1.0
Employ flow control mechanisms of encrypted information	CMA_0211 - Employ flow control mechanisms of encrypted information	Manual, Disabled	1.1.0

Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated

ID: PCI DSS v4.0 1.5.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Authorize remote access	CMA_0024 - Authorize remote access	Manual, Disabled	1.1.0
Document mobility training	CMA_0191 - Document mobility training	Manual, Disabled	1.1.0
Document remote access guidelines	CMA_0196 - Document remote access guidelines	Manual, Disabled	1.1.0
Implement controls to secure alternate work sites	CMA_0315 - Implement controls to secure alternate work sites	Manual, Disabled	1.1.0
Provide privacy training	CMA_0415 - Provide privacy training	Manual, Disabled	1.1.0

Requirement 10: Log and Monitor All Access to System Components and Cardholder Data

Processes and mechanisms for logging and monitoring all access to system components and cardholder data are defined and documented

ID: PCI DSS v4.0 10.1.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Develop audit and accountability policies and procedures	CMA_0154 - Develop audit and accountability policies and procedures	Manual, Disabled	1.1.0
Develop information security policies and procedures	CMA_0158 - Develop information security policies and procedures	Manual, Disabled	1.1.0
Govern policies and procedures	CMA_0292 - Govern policies and procedures	Manual, Disabled	1.1.0
Update information security policies	CMA_0518 - Update information security policies	Manual, Disabled	1.1.0

Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events

ID: PCI DSS v4.0 10.2.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Audit privileged functions	CMA_0019 - Audit privileged functions	Manual, Disabled	1.1.0
Audit user account status	CMA_0020 - Audit user account status	Manual, Disabled	1.1.0
Determine auditable events	CMA_0137 - Determine auditable events	Manual, Disabled	1.1.0
Review audit data	CMA_0466 - Review audit data	Manual, Disabled	1.1.0

Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events

ID: PCI DSS v4.0 10.2.1.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Determine auditable events	CMA_0137 - Determine auditable events	Manual, Disabled	1.1.0

Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events

ID: PCI DSS v4.0 10.2.1.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Audit privileged functions	CMA_0019 - Audit privileged functions	Manual, Disabled	1.1.0
Conduct a full text analysis of logged privileged commands	CMA_0056 - Conduct a full text analysis of logged privileged commands	Manual, Disabled	1.1.0
Monitor account activity	CMA_0377 - Monitor account activity	Manual, Disabled	1.1.0
Monitor privileged role assignment	CMA_0378 - Monitor privileged role assignment	Manual, Disabled	1.1.0
Restrict access to privileged accounts	CMA_0446 - Restrict access to privileged accounts	Manual, Disabled	1.1.0
Revoke privileged roles as appropriate	CMA_0483 - Revoke privileged roles as appropriate	Manual, Disabled	1.1.0
Use privileged identity management	CMA_0533 - Use privileged identity management	Manual, Disabled	1.1.0

Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events

ID: PCI DSS v4.0 10.2.1.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Audit privileged functions	CMA_0019 - Audit privileged functions	Manual, Disabled	1.1.0
Conduct a full text analysis of logged privileged commands	CMA_0056 - Conduct a full text analysis of logged privileged commands	Manual, Disabled	1.1.0
Determine auditable events	CMA_0137 - Determine auditable events	Manual, Disabled	1.1.0
Monitor account activity	CMA_0377 - Monitor account activity	Manual, Disabled	1.1.0
Monitor privileged role assignment	CMA_0378 - Monitor privileged role assignment	Manual, Disabled	1.1.0
Restrict access to privileged accounts	CMA_0446 - Restrict access to privileged accounts	Manual, Disabled	1.1.0
Revoke privileged roles as appropriate	CMA_0483 - Revoke privileged roles as appropriate	Manual, Disabled	1.1.0
Use privileged identity management	CMA_0533 - Use privileged identity management	Manual, Disabled	1.1.0

Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events

ID: PCI DSS v4.0 10.2.1.4 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Determine auditable events	CMA_0137 - Determine auditable events	Manual, Disabled	1.1.0

Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events

ID: PCI DSS v4.0 10.2.1.5 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Audit privileged functions	CMA_0019 - Audit privileged functions	Manual, Disabled	1.1.0
Audit user account status	CMA_0020 - Audit user account status	Manual, Disabled	1.1.0
Automate account management	CMA_0026 - Automate account management	Manual, Disabled	1.1.0
Conduct a full text analysis of logged privileged commands	CMA_0056 - Conduct a full text analysis of logged privileged commands	Manual, Disabled	1.1.0
Determine auditable events	CMA_0137 - Determine auditable events	Manual, Disabled	1.1.0
Manage system and admin accounts	CMA_0368 - Manage system and admin accounts	Manual, Disabled	1.1.0
Monitor access across the organization	CMA_0376 - Monitor access across the organization	Manual, Disabled	1.1.0
Monitor account activity	CMA_0377 - Monitor account activity	Manual, Disabled	1.1.0
Monitor privileged role assignment	CMA_0378 - Monitor privileged role assignment	Manual, Disabled	1.1.0
Notify when account is not needed	CMA_0383 - Notify when account is not needed	Manual, Disabled	1.1.0
Restrict access to privileged accounts	CMA_0446 - Restrict access to privileged accounts	Manual, Disabled	1.1.0
Revoke privileged roles as appropriate	CMA_0483 - Revoke privileged roles as appropriate	Manual, Disabled	1.1.0
Use privileged identity management	CMA_0533 - Use privileged identity management	Manual, Disabled	1.1.0

Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events

ID: PCI DSS v4.0 10.2.1.6 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Audit privileged functions	CMA_0019 - Audit privileged functions	Manual, Disabled	1.1.0
Conduct a full text analysis of logged privileged commands	CMA_0056 - Conduct a full text analysis of logged privileged commands	Manual, Disabled	1.1.0
Determine auditable events	CMA_0137 - Determine auditable events	Manual, Disabled	1.1.0
Monitor account activity	CMA_0377 - Monitor account activity	Manual, Disabled	1.1.0
Monitor privileged role assignment	CMA_0378 - Monitor privileged role assignment	Manual, Disabled	1.1.0
Restrict access to privileged accounts	CMA_0446 - Restrict access to privileged accounts	Manual, Disabled	1.1.0
Revoke privileged roles as appropriate	CMA_0483 - Revoke privileged roles as appropriate	Manual, Disabled	1.1.0
Use privileged identity management	CMA_0533 - Use privileged identity management	Manual, Disabled	1.1.0

Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events

ID: PCI DSS v4.0 10.2.1.7 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Determine auditable events	CMA_0137 - Determine auditable events	Manual, Disabled	1.1.0

Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events

ID: PCI DSS v4.0 10.2.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Audit diagnostic setting for selected resource types	Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings.	AuditIfNotExists	2.0.1
Auditing on SQL server should be enabled	Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log.	AuditIfNotExists, Disabled	2.0.0
Determine auditable events	CMA_0137 - Determine auditable events	Manual, Disabled	1.1.0
Storage accounts should be migrated to new Azure Resource Manager resources	Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management	Audit, Deny, Disabled	1.0.0
Virtual machines should be migrated to new Azure Resource Manager resources	Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management	Audit, Deny, Disabled	1.0.0

Audit logs are protected from destruction and unauthorized modifications

ID: PCI DSS v4.0 10.3.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Enable dual or joint authorization	CMA_0226 - Enable dual or joint authorization	Manual, Disabled	1.1.0
Protect audit information	CMA_0401 - Protect audit information	Manual, Disabled	1.1.0

Audit logs are protected from destruction and unauthorized modifications

ID: PCI DSS v4.0 10.3.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Enable dual or joint authorization	CMA_0226 - Enable dual or joint authorization	Manual, Disabled	1.1.0
Protect audit information	CMA_0401 - Protect audit information	Manual, Disabled	1.1.0

Audit logs are protected from destruction and unauthorized modifications

ID: PCI DSS v4.0 10.3.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Audit diagnostic setting for selected resource types	Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings.	AuditIfNotExists	2.0.1
Auditing on SQL server should be enabled	Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log.	AuditIfNotExists, Disabled	2.0.0
Establish backup policies and procedures	CMA_0268 - Establish backup policies and procedures	Manual, Disabled	1.1.0
Storage accounts should be migrated to new Azure Resource Manager resources	Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management	Audit, Deny, Disabled	1.0.0
Virtual machines should be migrated to new Azure Resource Manager resources	Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management	Audit, Deny, Disabled	1.0.0

Audit logs are protected from destruction and unauthorized modifications

ID: PCI DSS v4.0 10.3.4 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Enable dual or joint authorization	CMA_0226 - Enable dual or joint authorization	Manual, Disabled	1.1.0
Protect audit information	CMA_0401 - Protect audit information	Manual, Disabled	1.1.0

Audit logs are reviewed to identify anomalies or suspicious activity

ID: PCI DSS v4.0 10.4.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Correlate audit records	CMA_0087 - Correlate audit records	Manual, Disabled	1.1.0
Establish requirements for audit review and reporting	CMA_0277 - Establish requirements for audit review and reporting	Manual, Disabled	1.1.0
Integrate audit review, analysis, and reporting	CMA_0339 - Integrate audit review, analysis, and reporting	Manual, Disabled	1.1.0
Integrate cloud app security with a siem	CMA_0340 - Integrate cloud app security with a siem	Manual, Disabled	1.1.0
Review account provisioning logs	CMA_0460 - Review account provisioning logs	Manual, Disabled	1.1.0
Review administrator assignments weekly	CMA_0461 - Review administrator assignments weekly	Manual, Disabled	1.1.0
Review audit data	CMA_0466 - Review audit data	Manual, Disabled	1.1.0
Review cloud identity report overview	CMA_0468 - Review cloud identity report overview	Manual, Disabled	1.1.0
Review controlled folder access events	CMA_0471 - Review controlled folder access events	Manual, Disabled	1.1.0
Review file and folder activity	CMA_0473 - Review file and folder activity	Manual, Disabled	1.1.0
Review role group changes weekly	CMA_0476 - Review role group changes weekly	Manual, Disabled	1.1.0

Audit logs are reviewed to identify anomalies or suspicious activity

ID: PCI DSS v4.0 10.4.1.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Correlate audit records	CMA_0087 - Correlate audit records	Manual, Disabled	1.1.0
Establish requirements for audit review and reporting	CMA_0277 - Establish requirements for audit review and reporting	Manual, Disabled	1.1.0
Integrate audit review, analysis, and reporting	CMA_0339 - Integrate audit review, analysis, and reporting	Manual, Disabled	1.1.0
Integrate cloud app security with a siem	CMA_0340 - Integrate cloud app security with a siem	Manual, Disabled	1.1.0
Review account provisioning logs	CMA_0460 - Review account provisioning logs	Manual, Disabled	1.1.0
Review administrator assignments weekly	CMA_0461 - Review administrator assignments weekly	Manual, Disabled	1.1.0
Review audit data	CMA_0466 - Review audit data	Manual, Disabled	1.1.0
Review cloud identity report overview	CMA_0468 - Review cloud identity report overview	Manual, Disabled	1.1.0
Review controlled folder access events	CMA_0471 - Review controlled folder access events	Manual, Disabled	1.1.0
Review file and folder activity	CMA_0473 - Review file and folder activity	Manual, Disabled	1.1.0
Review role group changes weekly	CMA_0476 - Review role group changes weekly	Manual, Disabled	1.1.0

Audit logs are reviewed to identify anomalies or suspicious activity

ID: PCI DSS v4.0 10.4.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Correlate audit records	CMA_0087 - Correlate audit records	Manual, Disabled	1.1.0
Establish requirements for audit review and reporting	CMA_0277 - Establish requirements for audit review and reporting	Manual, Disabled	1.1.0
Integrate audit review, analysis, and reporting	CMA_0339 - Integrate audit review, analysis, and reporting	Manual, Disabled	1.1.0
Integrate cloud app security with a siem	CMA_0340 - Integrate cloud app security with a siem	Manual, Disabled	1.1.0
Review account provisioning logs	CMA_0460 - Review account provisioning logs	Manual, Disabled	1.1.0
Review administrator assignments weekly	CMA_0461 - Review administrator assignments weekly	Manual, Disabled	1.1.0
Review audit data	CMA_0466 - Review audit data	Manual, Disabled	1.1.0
Review cloud identity report overview	CMA_0468 - Review cloud identity report overview	Manual, Disabled	1.1.0
Review controlled folder access events	CMA_0471 - Review controlled folder access events	Manual, Disabled	1.1.0
Review file and folder activity	CMA_0473 - Review file and folder activity	Manual, Disabled	1.1.0
Review role group changes weekly	CMA_0476 - Review role group changes weekly	Manual, Disabled	1.1.0

Audit logs are reviewed to identify anomalies or suspicious activity

ID: PCI DSS v4.0 10.4.2.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Correlate audit records	CMA_0087 - Correlate audit records	Manual, Disabled	1.1.0
Establish requirements for audit review and reporting	CMA_0277 - Establish requirements for audit review and reporting	Manual, Disabled	1.1.0
Integrate audit review, analysis, and reporting	CMA_0339 - Integrate audit review, analysis, and reporting	Manual, Disabled	1.1.0
Integrate cloud app security with a siem	CMA_0340 - Integrate cloud app security with a siem	Manual, Disabled	1.1.0
Review account provisioning logs	CMA_0460 - Review account provisioning logs	Manual, Disabled	1.1.0
Review administrator assignments weekly	CMA_0461 - Review administrator assignments weekly	Manual, Disabled	1.1.0
Review audit data	CMA_0466 - Review audit data	Manual, Disabled	1.1.0
Review cloud identity report overview	CMA_0468 - Review cloud identity report overview	Manual, Disabled	1.1.0
Review controlled folder access events	CMA_0471 - Review controlled folder access events	Manual, Disabled	1.1.0
Review file and folder activity	CMA_0473 - Review file and folder activity	Manual, Disabled	1.1.0
Review role group changes weekly	CMA_0476 - Review role group changes weekly	Manual, Disabled	1.1.0

Audit logs are reviewed to identify anomalies or suspicious activity

ID: PCI DSS v4.0 10.4.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Correlate audit records	CMA_0087 - Correlate audit records	Manual, Disabled	1.1.0
Establish requirements for audit review and reporting	CMA_0277 - Establish requirements for audit review and reporting	Manual, Disabled	1.1.0
Integrate audit review, analysis, and reporting	CMA_0339 - Integrate audit review, analysis, and reporting	Manual, Disabled	1.1.0
Integrate cloud app security with a siem	CMA_0340 - Integrate cloud app security with a siem	Manual, Disabled	1.1.0
Review account provisioning logs	CMA_0460 - Review account provisioning logs	Manual, Disabled	1.1.0
Review administrator assignments weekly	CMA_0461 - Review administrator assignments weekly	Manual, Disabled	1.1.0
Review audit data	CMA_0466 - Review audit data	Manual, Disabled	1.1.0
Review cloud identity report overview	CMA_0468 - Review cloud identity report overview	Manual, Disabled	1.1.0
Review controlled folder access events	CMA_0471 - Review controlled folder access events	Manual, Disabled	1.1.0
Review file and folder activity	CMA_0473 - Review file and folder activity	Manual, Disabled	1.1.0
Review role group changes weekly	CMA_0476 - Review role group changes weekly	Manual, Disabled	1.1.0

Audit log history is retained and available for analysis

ID: PCI DSS v4.0 10.5.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Adhere to retention periods defined	CMA_0004 - Adhere to retention periods defined	Manual, Disabled	1.1.0
Retain security policies and procedures	CMA_0454 - Retain security policies and procedures	Manual, Disabled	1.1.0
Retain terminated user data	CMA_0455 - Retain terminated user data	Manual, Disabled	1.1.0

Time-synchronization mechanisms support consistent time settings across all systems

ID: PCI DSS v4.0 10.6.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Use system clocks for audit records	CMA_0535 - Use system clocks for audit records	Manual, Disabled	1.1.0

Time-synchronization mechanisms support consistent time settings across all systems

ID: PCI DSS v4.0 10.6.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Use system clocks for audit records	CMA_0535 - Use system clocks for audit records	Manual, Disabled	1.1.0

Time-synchronization mechanisms support consistent time settings across all systems

ID: PCI DSS v4.0 10.6.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Audit privileged functions	CMA_0019 - Audit privileged functions	Manual, Disabled	1.1.0
Authorize access to security functions and information	CMA_0022 - Authorize access to security functions and information	Manual, Disabled	1.1.0
Authorize and manage access	CMA_0023 - Authorize and manage access	Manual, Disabled	1.1.0
Conduct a full text analysis of logged privileged commands	CMA_0056 - Conduct a full text analysis of logged privileged commands	Manual, Disabled	1.1.0
Enforce mandatory and discretionary access control policies	CMA_0246 - Enforce mandatory and discretionary access control policies	Manual, Disabled	1.1.0
Monitor account activity	CMA_0377 - Monitor account activity	Manual, Disabled	1.1.0
Monitor privileged role assignment	CMA_0378 - Monitor privileged role assignment	Manual, Disabled	1.1.0
Restrict access to privileged accounts	CMA_0446 - Restrict access to privileged accounts	Manual, Disabled	1.1.0
Revoke privileged roles as appropriate	CMA_0483 - Revoke privileged roles as appropriate	Manual, Disabled	1.1.0
Use privileged identity management	CMA_0533 - Use privileged identity management	Manual, Disabled	1.1.0

Failures of critical security control systems are detected, reported, and responded to promptly

ID: PCI DSS v4.0 10.7.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Create alternative actions for identified anomalies	CMA_C1711 - Create alternative actions for identified anomalies	Manual, Disabled	1.1.0
Govern and monitor audit processing activities	CMA_0289 - Govern and monitor audit processing activities	Manual, Disabled	1.1.0
Notify personnel of any failed security verification tests	CMA_C1710 - Notify personnel of any failed security verification tests	Manual, Disabled	1.1.0
Perform security function verification at a defined frequency	CMA_C1709 - Perform security function verification at a defined frequency	Manual, Disabled	1.1.0
Verify security functions	CMA_C1708 - Verify security functions	Manual, Disabled	1.1.0

Failures of critical security control systems are detected, reported, and responded to promptly

ID: PCI DSS v4.0 10.7.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Create alternative actions for identified anomalies	CMA_C1711 - Create alternative actions for identified anomalies	Manual, Disabled	1.1.0
Govern and monitor audit processing activities	CMA_0289 - Govern and monitor audit processing activities	Manual, Disabled	1.1.0
Notify personnel of any failed security verification tests	CMA_C1710 - Notify personnel of any failed security verification tests	Manual, Disabled	1.1.0
Perform security function verification at a defined frequency	CMA_C1709 - Perform security function verification at a defined frequency	Manual, Disabled	1.1.0
Verify security functions	CMA_C1708 - Verify security functions	Manual, Disabled	1.1.0

Failures of critical security control systems are detected, reported, and responded to promptly

ID: PCI DSS v4.0 10.7.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Create alternative actions for identified anomalies	CMA_C1711 - Create alternative actions for identified anomalies	Manual, Disabled	1.1.0
Notify personnel of any failed security verification tests	CMA_C1710 - Notify personnel of any failed security verification tests	Manual, Disabled	1.1.0
Perform security function verification at a defined frequency	CMA_C1709 - Perform security function verification at a defined frequency	Manual, Disabled	1.1.0
Verify security functions	CMA_C1708 - Verify security functions	Manual, Disabled	1.1.0

Requirement 11: Test Security of Systems and Networks Regularly

Processes and mechanisms for regularly testing security of systems and networks are defined and understood

ID: PCI DSS v4.0 11.1.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Review and update information integrity policies and procedures	CMA_C1667 - Review and update information integrity policies and procedures	Manual, Disabled	1.1.0
Review and update system and communications protection policies and procedures	CMA_C1616 - Review and update system and communications protection policies and procedures	Manual, Disabled	1.1.0
Review security assessment and authorization policies and procedures	CMA_C1143 - Review security assessment and authorization policies and procedures	Manual, Disabled	1.1.0

Wireless access points are identified and monitored, and unauthorized wireless access points are addressed

ID: PCI DSS v4.0 11.2.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Document and implement wireless access guidelines	CMA_0190 - Document and implement wireless access guidelines	Manual, Disabled	1.1.0
Protect wireless access	CMA_0411 - Protect wireless access	Manual, Disabled	1.1.0

External and internal vulnerabilities are regularly identified, prioritized, and addressed

ID: PCI DSS v4.0 11.3.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
A vulnerability assessment solution should be enabled on your virtual machines	Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.	AuditIfNotExists, Disabled	3.0.0
Monitor missing Endpoint Protection in Azure Security Center	Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations	AuditIfNotExists, Disabled	3.0.0
Perform vulnerability scans	CMA_0393 - Perform vulnerability scans	Manual, Disabled	1.1.0
Remediate information system flaws	CMA_0427 - Remediate information system flaws	Manual, Disabled	1.1.0
SQL databases should have vulnerability findings resolved	Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities.	AuditIfNotExists, Disabled	4.1.0
System updates should be installed on your machines	Missing security system updates on your servers will be monitored by Azure Security Center as recommendations	AuditIfNotExists, Disabled	4.0.0
Vulnerabilities in security configuration on your machines should be remediated	Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations	AuditIfNotExists, Disabled	3.1.0

External and internal vulnerabilities are regularly identified, prioritized, and addressed

ID: PCI DSS v4.0 11.3.1.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Perform vulnerability scans	CMA_0393 - Perform vulnerability scans	Manual, Disabled	1.1.0
Remediate information system flaws	CMA_0427 - Remediate information system flaws	Manual, Disabled	1.1.0

External and internal vulnerabilities are regularly identified, prioritized, and addressed

ID: PCI DSS v4.0 11.3.1.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Perform vulnerability scans	CMA_0393 - Perform vulnerability scans	Manual, Disabled	1.1.0
Remediate information system flaws	CMA_0427 - Remediate information system flaws	Manual, Disabled	1.1.0

External and internal vulnerabilities are regularly identified, prioritized, and addressed

ID: PCI DSS v4.0 11.3.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Perform vulnerability scans	CMA_0393 - Perform vulnerability scans	Manual, Disabled	1.1.0
Remediate information system flaws	CMA_0427 - Remediate information system flaws	Manual, Disabled	1.1.0

External and internal vulnerabilities are regularly identified, prioritized, and addressed

ID: PCI DSS v4.0 11.3.2.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Perform vulnerability scans	CMA_0393 - Perform vulnerability scans	Manual, Disabled	1.1.0
Remediate information system flaws	CMA_0427 - Remediate information system flaws	Manual, Disabled	1.1.0

External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected

ID: PCI DSS v4.0 11.4.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Employ independent team for penetration testing	CMA_C1171 - Employ independent team for penetration testing	Manual, Disabled	1.1.0

External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected

ID: PCI DSS v4.0 11.4.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Employ independent team for penetration testing	CMA_C1171 - Employ independent team for penetration testing	Manual, Disabled	1.1.0

Network intrusions and unexpected file changes are detected and responded to

ID: PCI DSS v4.0 11.5.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Alert personnel of information spillage	CMA_0007 - Alert personnel of information spillage	Manual, Disabled	1.1.0
Develop an incident response plan	CMA_0145 - Develop an incident response plan	Manual, Disabled	1.1.0
Perform a trend analysis on threats	CMA_0389 - Perform a trend analysis on threats	Manual, Disabled	1.1.0
Set automated notifications for new and trending cloud applications in your organization	CMA_0495 - Set automated notifications for new and trending cloud applications in your organization	Manual, Disabled	1.1.0

Network intrusions and unexpected file changes are detected and responded to

ID: PCI DSS v4.0 11.5.1.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Alert personnel of information spillage	CMA_0007 - Alert personnel of information spillage	Manual, Disabled	1.1.0
Develop an incident response plan	CMA_0145 - Develop an incident response plan	Manual, Disabled	1.1.0
Set automated notifications for new and trending cloud applications in your organization	CMA_0495 - Set automated notifications for new and trending cloud applications in your organization	Manual, Disabled	1.1.0

Network intrusions and unexpected file changes are detected and responded to

ID: PCI DSS v4.0 11.5.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Employ automatic shutdown/restart when violations are detected	CMA_C1715 - Employ automatic shutdown/restart when violations are detected	Manual, Disabled	1.1.0
Verify software, firmware and information integrity	CMA_0542 - Verify software, firmware and information integrity	Manual, Disabled	1.1.0
View and configure system diagnostic data	CMA_0544 - View and configure system diagnostic data	Manual, Disabled	1.1.0

Unauthorized changes on payment pages are detected and responded to

ID: PCI DSS v4.0 11.6.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Employ automatic shutdown/restart when violations are detected	CMA_C1715 - Employ automatic shutdown/restart when violations are detected	Manual, Disabled	1.1.0
Verify software, firmware and information integrity	CMA_0542 - Verify software, firmware and information integrity	Manual, Disabled	1.1.0
View and configure system diagnostic data	CMA_0544 - View and configure system diagnostic data	Manual, Disabled	1.1.0

Requirement 12: Support Information Security with Organizational Policies and Programs

A comprehensive information security policy that governs and provides direction for protection of the entity's information assets is known and current

ID: PCI DSS v4.0 12.1.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Establish an information security program	CMA_0263 - Establish an information security program	Manual, Disabled	1.1.0
Update information security policies	CMA_0518 - Update information security policies	Manual, Disabled	1.1.0

A comprehensive information security policy that governs and provides direction for protection of the entity's information assets is known and current

ID: PCI DSS v4.0 12.1.4 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Appoint a senior information security officer	CMA_C1733 - Appoint a senior information security officer	Manual, Disabled	1.1.0

Suspected and confirmed security incidents that could impact the CDE are responded to immediately

ID: PCI DSS v4.0 12.10.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Assess information security events	CMA_0013 - Assess information security events	Manual, Disabled	1.1.0
Develop an incident response plan	CMA_0145 - Develop an incident response plan	Manual, Disabled	1.1.0
Implement incident handling	CMA_0318 - Implement incident handling	Manual, Disabled	1.1.0
Maintain data breach records	CMA_0351 - Maintain data breach records	Manual, Disabled	1.1.0
Maintain incident response plan	CMA_0352 - Maintain incident response plan	Manual, Disabled	1.1.0
Protect incident response plan	CMA_0405 - Protect incident response plan	Manual, Disabled	1.1.0

Suspected and confirmed security incidents that could impact the CDE are responded to immediately

ID: PCI DSS v4.0 12.10.4 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Provide information spillage training	CMA_0413 - Provide information spillage training	Manual, Disabled	1.1.0

Suspected and confirmed security incidents that could impact the CDE are responded to immediately

ID: PCI DSS v4.0 12.10.4.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Provide information spillage training	CMA_0413 - Provide information spillage training	Manual, Disabled	1.1.0

Suspected and confirmed security incidents that could impact the CDE are responded to immediately

ID: PCI DSS v4.0 12.10.5 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Develop an incident response plan	CMA_0145 - Develop an incident response plan	Manual, Disabled	1.1.0
Enable network protection	CMA_0238 - Enable network protection	Manual, Disabled	1.1.0
Implement incident handling	CMA_0318 - Implement incident handling	Manual, Disabled	1.1.0

Suspected and confirmed security incidents that could impact the CDE are responded to immediately

ID: PCI DSS v4.0 12.10.6 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Assess information security events	CMA_0013 - Assess information security events	Manual, Disabled	1.1.0
Maintain incident response plan	CMA_0352 - Maintain incident response plan	Manual, Disabled	1.1.0

Suspected and confirmed security incidents that could impact the CDE are responded to immediately

ID: PCI DSS v4.0 12.10.7 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Develop an incident response plan	CMA_0145 - Develop an incident response plan	Manual, Disabled	1.1.0
Develop security safeguards	CMA_0161 - Develop security safeguards	Manual, Disabled	1.1.0
Enable network protection	CMA_0238 - Enable network protection	Manual, Disabled	1.1.0
Eradicate contaminated information	CMA_0253 - Eradicate contaminated information	Manual, Disabled	1.1.0
Execute actions in response to information spills	CMA_0281 - Execute actions in response to information spills	Manual, Disabled	1.1.0
Implement incident handling	CMA_0318 - Implement incident handling	Manual, Disabled	1.1.0
Perform a trend analysis on threats	CMA_0389 - Perform a trend analysis on threats	Manual, Disabled	1.1.0
View and investigate restricted users	CMA_0545 - View and investigate restricted users	Manual, Disabled	1.1.0

Acceptable use policies for end-user technologies are defined and implemented

ID: PCI DSS v4.0 12.2.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Develop acceptable use policies and procedures	CMA_0143 - Develop acceptable use policies and procedures	Manual, Disabled	1.1.0
Enforce rules of behavior and access agreements	CMA_0248 - Enforce rules of behavior and access agreements	Manual, Disabled	1.1.0
Require compliance with intellectual property rights	CMA_0432 - Require compliance with intellectual property rights	Manual, Disabled	1.1.0
Track software license usage	CMA_C1235 - Track software license usage	Manual, Disabled	1.1.0

Risks to the cardholder data environment are formally identified, evaluated, and managed

ID: PCI DSS v4.0 12.3.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Conduct Risk Assessment	CMA_C1543 - Conduct Risk Assessment	Manual, Disabled	1.1.0
Conduct risk assessment and distribute its results	CMA_C1544 - Conduct risk assessment and distribute its results	Manual, Disabled	1.1.0
Conduct risk assessment and document its results	CMA_C1542 - Conduct risk assessment and document its results	Manual, Disabled	1.1.0
Perform a risk assessment	CMA_0388 - Perform a risk assessment	Manual, Disabled	1.1.0

Risks to the cardholder data environment are formally identified, evaluated, and managed

ID: PCI DSS v4.0 12.3.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Conduct Risk Assessment	CMA_C1543 - Conduct Risk Assessment	Manual, Disabled	1.1.0
Conduct risk assessment and distribute its results	CMA_C1544 - Conduct risk assessment and distribute its results	Manual, Disabled	1.1.0
Conduct risk assessment and document its results	CMA_C1542 - Conduct risk assessment and document its results	Manual, Disabled	1.1.0
Perform a risk assessment	CMA_0388 - Perform a risk assessment	Manual, Disabled	1.1.0

Risks to the cardholder data environment are formally identified, evaluated, and managed

ID: PCI DSS v4.0 12.3.4 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Disseminate security alerts to personnel	CMA_C1705 - Disseminate security alerts to personnel	Manual, Disabled	1.1.0
Establish a threat intelligence program	CMA_0260 - Establish a threat intelligence program	Manual, Disabled	1.1.0
Remediate information system flaws	CMA_0427 - Remediate information system flaws	Manual, Disabled	1.1.0

PCI DSS compliance is managed

ID: PCI DSS v4.0 12.4.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Develop security assessment plan	CMA_C1144 - Develop security assessment plan	Manual, Disabled	1.1.0
Establish a privacy program	CMA_0257 - Establish a privacy program	Manual, Disabled	1.1.0
Establish an information security program	CMA_0263 - Establish an information security program	Manual, Disabled	1.1.0
Manage compliance activities	CMA_0358 - Manage compliance activities	Manual, Disabled	1.1.0
Update privacy plan, policies, and procedures	CMA_C1807 - Update privacy plan, policies, and procedures	Manual, Disabled	1.1.0

PCI DSS compliance is managed

ID: PCI DSS v4.0 12.4.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Assess Security Controls	CMA_C1145 - Assess Security Controls	Manual, Disabled	1.1.0
Configure detection whitelist	CMA_0068 - Configure detection whitelist	Manual, Disabled	1.1.0
Develop security assessment plan	CMA_C1144 - Develop security assessment plan	Manual, Disabled	1.1.0
Select additional testing for security control assessments	CMA_C1149 - Select additional testing for security control assessments	Manual, Disabled	1.1.0
Turn on sensors for endpoint security solution	CMA_0514 - Turn on sensors for endpoint security solution	Manual, Disabled	1.1.0
Undergo independent security review	CMA_0515 - Undergo independent security review	Manual, Disabled	1.1.0

PCI DSS compliance is managed

ID: PCI DSS v4.0 12.4.2.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Configure detection whitelist	CMA_0068 - Configure detection whitelist	Manual, Disabled	1.1.0
Deliver security assessment results	CMA_C1147 - Deliver security assessment results	Manual, Disabled	1.1.0
Develop POA&M	CMA_C1156 - Develop POA&M	Manual, Disabled	1.1.0
Produce Security Assessment report	CMA_C1146 - Produce Security Assessment report	Manual, Disabled	1.1.0
Turn on sensors for endpoint security solution	CMA_0514 - Turn on sensors for endpoint security solution	Manual, Disabled	1.1.0
Undergo independent security review	CMA_0515 - Undergo independent security review	Manual, Disabled	1.1.0
Update POA&M items	CMA_C1157 - Update POA&M items	Manual, Disabled	1.1.0

PCI DSS scope is documented and validated

ID: PCI DSS v4.0 12.5.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Maintain records of processing of personal data	CMA_0353 - Maintain records of processing of personal data	Manual, Disabled	1.1.0

PCI DSS scope is documented and validated

ID: PCI DSS v4.0 12.5.2.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Create a data inventory	CMA_0096 - Create a data inventory	Manual, Disabled	1.1.0
Maintain records of processing of personal data	CMA_0353 - Maintain records of processing of personal data	Manual, Disabled	1.1.0

PCI DSS scope is documented and validated

ID: PCI DSS v4.0 12.5.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Establish an information security program	CMA_0263 - Establish an information security program	Manual, Disabled	1.1.0
Update information security policies	CMA_0518 - Update information security policies	Manual, Disabled	1.1.0

Security awareness education is an ongoing activity

ID: PCI DSS v4.0 12.6.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Document security and privacy training activities	CMA_0198 - Document security and privacy training activities	Manual, Disabled	1.1.0
Establish information security workforce development and improvement program	CMA_C1752 - Establish information security workforce development and improvement program	Manual, Disabled	1.1.0

Security awareness education is an ongoing activity

ID: PCI DSS v4.0 12.6.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Provide updated security awareness training	CMA_C1090 - Provide updated security awareness training	Manual, Disabled	1.1.0

Security awareness education is an ongoing activity

ID: PCI DSS v4.0 12.6.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Document personnel acceptance of privacy requirements	CMA_0193 - Document personnel acceptance of privacy requirements	Manual, Disabled	1.1.0
Provide periodic role-based security training	CMA_C1095 - Provide periodic role-based security training	Manual, Disabled	1.1.0
Provide periodic security awareness training	CMA_C1091 - Provide periodic security awareness training	Manual, Disabled	1.1.0
Provide privacy training	CMA_0415 - Provide privacy training	Manual, Disabled	1.1.0
Provide role-based security training	CMA_C1094 - Provide role-based security training	Manual, Disabled	1.1.0
Provide security training before providing access	CMA_0418 - Provide security training before providing access	Manual, Disabled	1.1.0
Provide security training for new users	CMA_0419 - Provide security training for new users	Manual, Disabled	1.1.0
Provide updated security awareness training	CMA_C1090 - Provide updated security awareness training	Manual, Disabled	1.1.0

Security awareness education is an ongoing activity

ID: PCI DSS v4.0 12.6.3.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Implement a threat awareness program	CMA_C1758 - Implement a threat awareness program	Manual, Disabled	1.1.0
Implement an insider threat program	CMA_C1751 - Implement an insider threat program	Manual, Disabled	1.1.0
Provide security training for new users	CMA_0419 - Provide security training for new users	Manual, Disabled	1.1.0

Security awareness education is an ongoing activity

ID: PCI DSS v4.0 12.6.3.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Provide security training before providing access	CMA_0418 - Provide security training before providing access	Manual, Disabled	1.1.0
Provide security training for new users	CMA_0419 - Provide security training for new users	Manual, Disabled	1.1.0

Personnel are screened to reduce risks from insider threats

ID: PCI DSS v4.0 12.7.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Clear personnel with access to classified information	CMA_0054 - Clear personnel with access to classified information	Manual, Disabled	1.1.0
Implement personnel screening	CMA_0322 - Implement personnel screening	Manual, Disabled	1.1.0
Rescreen individuals at a defined frequency	CMA_C1512 - Rescreen individuals at a defined frequency	Manual, Disabled	1.1.0

Risk to information assets associated with third-party service provider (TPSP) relationships is managed

ID: PCI DSS v4.0 12.8.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Require external service providers to comply with security requirements	CMA_C1586 - Require external service providers to comply with security requirements	Manual, Disabled	1.1.0

Risk to information assets associated with third-party service provider (TPSP) relationships is managed

ID: PCI DSS v4.0 12.8.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Define the duties of processors	CMA_0127 - Define the duties of processors	Manual, Disabled	1.1.0
Determine supplier contract obligations	CMA_0140 - Determine supplier contract obligations	Manual, Disabled	1.1.0
Document acquisition contract acceptance criteria	CMA_0187 - Document acquisition contract acceptance criteria	Manual, Disabled	1.1.0
Document protection of personal data in acquisition contracts	CMA_0194 - Document protection of personal data in acquisition contracts	Manual, Disabled	1.1.0
Document protection of security information in acquisition contracts	CMA_0195 - Document protection of security information in acquisition contracts	Manual, Disabled	1.1.0
Document requirements for the use of shared data in contracts	CMA_0197 - Document requirements for the use of shared data in contracts	Manual, Disabled	1.1.0
Document security assurance requirements in acquisition contracts	CMA_0199 - Document security assurance requirements in acquisition contracts	Manual, Disabled	1.1.0
Document security documentation requirements in acquisition contract	CMA_0200 - Document security documentation requirements in acquisition contract	Manual, Disabled	1.1.0
Document security functional requirements in acquisition contracts	CMA_0201 - Document security functional requirements in acquisition contracts	Manual, Disabled	1.1.0
Document security strength requirements in acquisition contracts	CMA_0203 - Document security strength requirements in acquisition contracts	Manual, Disabled	1.1.0
Document the information system environment in acquisition contracts	CMA_0205 - Document the information system environment in acquisition contracts	Manual, Disabled	1.1.0
Document the protection of cardholder data in third party contracts	CMA_0207 - Document the protection of cardholder data in third party contracts	Manual, Disabled	1.1.0
Obtain design and implementation information for the security controls	CMA_C1576 - Obtain design and implementation information for the security controls	Manual, Disabled	1.1.1
Obtain functional properties of security controls	CMA_C1575 - Obtain functional properties of security controls	Manual, Disabled	1.1.0
Record disclosures of PII to third parties	CMA_0422 - Record disclosures of PII to third parties	Manual, Disabled	1.1.0

Risk to information assets associated with third-party service provider (TPSP) relationships is managed

ID: PCI DSS v4.0 12.8.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Assess risk in third party relationships	CMA_0014 - Assess risk in third party relationships	Manual, Disabled	1.1.0
Define requirements for supplying goods and services	CMA_0126 - Define requirements for supplying goods and services	Manual, Disabled	1.1.0
Determine supplier contract obligations	CMA_0140 - Determine supplier contract obligations	Manual, Disabled	1.1.0
Establish policies for supply chain risk management	CMA_0275 - Establish policies for supply chain risk management	Manual, Disabled	1.1.0
Require external service providers to comply with security requirements	CMA_C1586 - Require external service providers to comply with security requirements	Manual, Disabled	1.1.0

Risk to information assets associated with third-party service provider (TPSP) relationships is managed

ID: PCI DSS v4.0 12.8.4 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Assess risk in third party relationships	CMA_0014 - Assess risk in third party relationships	Manual, Disabled	1.1.0
Define requirements for supplying goods and services	CMA_0126 - Define requirements for supplying goods and services	Manual, Disabled	1.1.0
Determine supplier contract obligations	CMA_0140 - Determine supplier contract obligations	Manual, Disabled	1.1.0
Establish policies for supply chain risk management	CMA_0275 - Establish policies for supply chain risk management	Manual, Disabled	1.1.0
Obtain continuous monitoring plan for security controls	CMA_C1577 - Obtain continuous monitoring plan for security controls	Manual, Disabled	1.1.0
Require external service providers to comply with security requirements	CMA_C1586 - Require external service providers to comply with security requirements	Manual, Disabled	1.1.0
Review cloud service provider's compliance with policies and agreements	CMA_0469 - Review cloud service provider's compliance with policies and agreements	Manual, Disabled	1.1.0
Undergo independent security review	CMA_0515 - Undergo independent security review	Manual, Disabled	1.1.0

Risk to information assets associated with third-party service provider (TPSP) relationships is managed

ID: PCI DSS v4.0 12.8.5 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Determine supplier contract obligations	CMA_0140 - Determine supplier contract obligations	Manual, Disabled	1.1.0
Document acquisition contract acceptance criteria	CMA_0187 - Document acquisition contract acceptance criteria	Manual, Disabled	1.1.0
Document protection of personal data in acquisition contracts	CMA_0194 - Document protection of personal data in acquisition contracts	Manual, Disabled	1.1.0
Document protection of security information in acquisition contracts	CMA_0195 - Document protection of security information in acquisition contracts	Manual, Disabled	1.1.0
Document requirements for the use of shared data in contracts	CMA_0197 - Document requirements for the use of shared data in contracts	Manual, Disabled	1.1.0
Document security assurance requirements in acquisition contracts	CMA_0199 - Document security assurance requirements in acquisition contracts	Manual, Disabled	1.1.0
Document security documentation requirements in acquisition contract	CMA_0200 - Document security documentation requirements in acquisition contract	Manual, Disabled	1.1.0
Document security functional requirements in acquisition contracts	CMA_0201 - Document security functional requirements in acquisition contracts	Manual, Disabled	1.1.0
Document security strength requirements in acquisition contracts	CMA_0203 - Document security strength requirements in acquisition contracts	Manual, Disabled	1.1.0
Document the information system environment in acquisition contracts	CMA_0205 - Document the information system environment in acquisition contracts	Manual, Disabled	1.1.0
Document the protection of cardholder data in third party contracts	CMA_0207 - Document the protection of cardholder data in third party contracts	Manual, Disabled	1.1.0
Obtain design and implementation information for the security controls	CMA_C1576 - Obtain design and implementation information for the security controls	Manual, Disabled	1.1.1
Obtain functional properties of security controls	CMA_C1575 - Obtain functional properties of security controls	Manual, Disabled	1.1.0

Third-party service providers (TPSPs) support their customers' PCI DSS compliance

ID: PCI DSS v4.0 12.9.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Define the duties of processors	CMA_0127 - Define the duties of processors	Manual, Disabled	1.1.0
Record disclosures of PII to third parties	CMA_0422 - Record disclosures of PII to third parties	Manual, Disabled	1.1.0
Require external service providers to comply with security requirements	CMA_C1586 - Require external service providers to comply with security requirements	Manual, Disabled	1.1.0

Third-party service providers (TPSPs) support their customers' PCI DSS compliance

ID: PCI DSS v4.0 12.9.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Require external service providers to comply with security requirements	CMA_C1586 - Require external service providers to comply with security requirements	Manual, Disabled	1.1.0
Review cloud service provider's compliance with policies and agreements	CMA_0469 - Review cloud service provider's compliance with policies and agreements	Manual, Disabled	1.1.0
Undergo independent security review	CMA_0515 - Undergo independent security review	Manual, Disabled	1.1.0

Requirement 02: Apply Secure Configurations to All System Components

Processes and mechanisms for applying secure configurations to all system components are defined and understood

ID: PCI DSS v4.0 2.1.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Review and update configuration management policies and procedures	CMA_C1175 - Review and update configuration management policies and procedures	Manual, Disabled	1.1.0

System components are configured and managed securely

ID: PCI DSS v4.0 2.2.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Configure actions for noncompliant devices	CMA_0062 - Configure actions for noncompliant devices	Manual, Disabled	1.1.0
Develop and maintain baseline configurations	CMA_0153 - Develop and maintain baseline configurations	Manual, Disabled	1.1.0
Enforce security configuration settings	CMA_0249 - Enforce security configuration settings	Manual, Disabled	1.1.0
Establish a configuration control board	CMA_0254 - Establish a configuration control board	Manual, Disabled	1.1.0
Establish and document a configuration management plan	CMA_0264 - Establish and document a configuration management plan	Manual, Disabled	1.1.0
Implement an automated configuration management tool	CMA_0311 - Implement an automated configuration management tool	Manual, Disabled	1.1.0

System components are configured and managed securely

ID: PCI DSS v4.0 2.2.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Manage Authenticators	CMA_C1321 - Manage Authenticators	Manual, Disabled	1.1.0

System components are configured and managed securely

ID: PCI DSS v4.0 2.2.5 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Enforce security configuration settings	CMA_0249 - Enforce security configuration settings	Manual, Disabled	1.1.0
Remediate information system flaws	CMA_0427 - Remediate information system flaws	Manual, Disabled	1.1.0

System components are configured and managed securely

ID: PCI DSS v4.0 2.2.7 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Implement cryptographic mechanisms	CMA_C1419 - Implement cryptographic mechanisms	Manual, Disabled	1.1.0

Wireless environments are configured and managed securely

ID: PCI DSS v4.0 2.3.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Document and implement wireless access guidelines	CMA_0190 - Document and implement wireless access guidelines	Manual, Disabled	1.1.0
Identify and authenticate network devices	CMA_0296 - Identify and authenticate network devices	Manual, Disabled	1.1.0
Protect wireless access	CMA_0411 - Protect wireless access	Manual, Disabled	1.1.0

Wireless environments are configured and managed securely

ID: PCI DSS v4.0 2.3.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Document and implement wireless access guidelines	CMA_0190 - Document and implement wireless access guidelines	Manual, Disabled	1.1.0
Identify and authenticate network devices	CMA_0296 - Identify and authenticate network devices	Manual, Disabled	1.1.0
Protect wireless access	CMA_0411 - Protect wireless access	Manual, Disabled	1.1.0

Requirement 03: Protect Stored Account Data

Processes and mechanisms for protecting stored account data are defined and understood

ID: PCI DSS v4.0 3.1.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Establish a privacy program	CMA_0257 - Establish a privacy program	Manual, Disabled	1.1.0
Review and update system and communications protection policies and procedures	CMA_C1616 - Review and update system and communications protection policies and procedures	Manual, Disabled	1.1.0
Update privacy plan, policies, and procedures	CMA_C1807 - Update privacy plan, policies, and procedures	Manual, Disabled	1.1.0

Storage of account data is kept to a minimum

ID: PCI DSS v4.0 3.2.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Adhere to retention periods defined	CMA_0004 - Adhere to retention periods defined	Manual, Disabled	1.1.0
Control physical access	CMA_0081 - Control physical access	Manual, Disabled	1.1.0
Document the legal basis for processing personal information	CMA_0206 - Document the legal basis for processing personal information	Manual, Disabled	1.1.0
Manage the input, output, processing, and storage of data	CMA_0369 - Manage the input, output, processing, and storage of data	Manual, Disabled	1.1.0
Obtain consent prior to collection or processing of personal data	CMA_0385 - Obtain consent prior to collection or processing of personal data	Manual, Disabled	1.1.0
Perform disposition review	CMA_0391 - Perform disposition review	Manual, Disabled	1.1.0
Review label activity and analytics	CMA_0474 - Review label activity and analytics	Manual, Disabled	1.1.0
Verify personal data is deleted at the end of processing	CMA_0540 - Verify personal data is deleted at the end of processing	Manual, Disabled	1.1.0

Sensitive authentication data (SAD) is not stored after authorization

ID: PCI DSS v4.0 3.3.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Adhere to retention periods defined	CMA_0004 - Adhere to retention periods defined	Manual, Disabled	1.1.0
Document the legal basis for processing personal information	CMA_0206 - Document the legal basis for processing personal information	Manual, Disabled	1.1.0
Implement privacy notice delivery methods	CMA_0324 - Implement privacy notice delivery methods	Manual, Disabled	1.1.0
Obtain consent prior to collection or processing of personal data	CMA_0385 - Obtain consent prior to collection or processing of personal data	Manual, Disabled	1.1.0
Perform disposition review	CMA_0391 - Perform disposition review	Manual, Disabled	1.1.0
Provide privacy notice	CMA_0414 - Provide privacy notice	Manual, Disabled	1.1.0
Restrict communications	CMA_0449 - Restrict communications	Manual, Disabled	1.1.0
Verify personal data is deleted at the end of processing	CMA_0540 - Verify personal data is deleted at the end of processing	Manual, Disabled	1.1.0

Sensitive authentication data (SAD) is not stored after authorization

ID: PCI DSS v4.0 3.3.1.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Adhere to retention periods defined	CMA_0004 - Adhere to retention periods defined	Manual, Disabled	1.1.0
Document the legal basis for processing personal information	CMA_0206 - Document the legal basis for processing personal information	Manual, Disabled	1.1.0
Implement privacy notice delivery methods	CMA_0324 - Implement privacy notice delivery methods	Manual, Disabled	1.1.0
Obtain consent prior to collection or processing of personal data	CMA_0385 - Obtain consent prior to collection or processing of personal data	Manual, Disabled	1.1.0
Perform disposition review	CMA_0391 - Perform disposition review	Manual, Disabled	1.1.0
Provide privacy notice	CMA_0414 - Provide privacy notice	Manual, Disabled	1.1.0
Restrict communications	CMA_0449 - Restrict communications	Manual, Disabled	1.1.0
Verify personal data is deleted at the end of processing	CMA_0540 - Verify personal data is deleted at the end of processing	Manual, Disabled	1.1.0

Sensitive authentication data (SAD) is not stored after authorization

ID: PCI DSS v4.0 3.3.1.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Document the legal basis for processing personal information	CMA_0206 - Document the legal basis for processing personal information	Manual, Disabled	1.1.0
Implement privacy notice delivery methods	CMA_0324 - Implement privacy notice delivery methods	Manual, Disabled	1.1.0
Obtain consent prior to collection or processing of personal data	CMA_0385 - Obtain consent prior to collection or processing of personal data	Manual, Disabled	1.1.0
Provide privacy notice	CMA_0414 - Provide privacy notice	Manual, Disabled	1.1.0
Restrict communications	CMA_0449 - Restrict communications	Manual, Disabled	1.1.0

Sensitive authentication data (SAD) is not stored after authorization

ID: PCI DSS v4.0 3.3.1.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Adhere to retention periods defined	CMA_0004 - Adhere to retention periods defined	Manual, Disabled	1.1.0
Document the legal basis for processing personal information	CMA_0206 - Document the legal basis for processing personal information	Manual, Disabled	1.1.0
Implement privacy notice delivery methods	CMA_0324 - Implement privacy notice delivery methods	Manual, Disabled	1.1.0
Obtain consent prior to collection or processing of personal data	CMA_0385 - Obtain consent prior to collection or processing of personal data	Manual, Disabled	1.1.0
Perform disposition review	CMA_0391 - Perform disposition review	Manual, Disabled	1.1.0
Provide privacy notice	CMA_0414 - Provide privacy notice	Manual, Disabled	1.1.0
Restrict communications	CMA_0449 - Restrict communications	Manual, Disabled	1.1.0
Verify personal data is deleted at the end of processing	CMA_0540 - Verify personal data is deleted at the end of processing	Manual, Disabled	1.1.0

Sensitive authentication data (SAD) is not stored after authorization

ID: PCI DSS v4.0 3.3.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Authenticate to cryptographic module	CMA_0021 - Authenticate to cryptographic module	Manual, Disabled	1.1.0

Sensitive authentication data (SAD) is not stored after authorization

ID: PCI DSS v4.0 3.3.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Accounts with owner permissions on Azure resources should be MFA enabled	Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.	AuditIfNotExists, Disabled	1.0.0
Accounts with write permissions on Azure resources should be MFA enabled	Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.	AuditIfNotExists, Disabled	1.0.0
An Azure Active Directory administrator should be provisioned for SQL servers	Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services	AuditIfNotExists, Disabled	1.0.0
Audit usage of custom RBAC roles	Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling	Audit, Disabled	1.0.1
Authenticate to cryptographic module	CMA_0021 - Authenticate to cryptographic module	Manual, Disabled	1.1.0
Document the legal basis for processing personal information	CMA_0206 - Document the legal basis for processing personal information	Manual, Disabled	1.1.0
Guest accounts with owner permissions on Azure resources should be removed	External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access.	AuditIfNotExists, Disabled	1.0.0
Guest accounts with read permissions on Azure resources should be removed	External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access.	AuditIfNotExists, Disabled	1.0.0
Guest accounts with write permissions on Azure resources should be removed	External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access.	AuditIfNotExists, Disabled	1.0.0
Implement privacy notice delivery methods	CMA_0324 - Implement privacy notice delivery methods	Manual, Disabled	1.1.0
Obtain consent prior to collection or processing of personal data	CMA_0385 - Obtain consent prior to collection or processing of personal data	Manual, Disabled	1.1.0
Provide privacy notice	CMA_0414 - Provide privacy notice	Manual, Disabled	1.1.0
Restrict communications	CMA_0449 - Restrict communications	Manual, Disabled	1.1.0

Access to displays of full PAN and ability to copy cardholder data are restricted

ID: PCI DSS v4.0 3.4.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Implement privacy notice delivery methods	CMA_0324 - Implement privacy notice delivery methods	Manual, Disabled	1.1.0
Provide privacy notice	CMA_0414 - Provide privacy notice	Manual, Disabled	1.1.0
Restrict communications	CMA_0449 - Restrict communications	Manual, Disabled	1.1.0

Access to displays of full PAN and ability to copy cardholder data are restricted

ID: PCI DSS v4.0 3.4.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Implement privacy notice delivery methods	CMA_0324 - Implement privacy notice delivery methods	Manual, Disabled	1.1.0
Provide privacy notice	CMA_0414 - Provide privacy notice	Manual, Disabled	1.1.0
Restrict communications	CMA_0449 - Restrict communications	Manual, Disabled	1.1.0

Primary account number (PAN) is secured wherever it is stored

ID: PCI DSS v4.0 3.5.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
App Service apps should only be accessible over HTTPS	Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.	Audit, Disabled, Deny	4.0.0
Automation account variables should be encrypted	It is important to enable encryption of Automation account variable assets when storing sensitive data	Audit, Deny, Disabled	1.1.0
Establish a data leakage management procedure	CMA_0255 - Establish a data leakage management procedure	Manual, Disabled	1.1.0
Function apps should only be accessible over HTTPS	Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.	Audit, Disabled, Deny	5.0.0
Implement controls to secure all media	CMA_0314 - Implement controls to secure all media	Manual, Disabled	1.1.0
Only secure connections to your Azure Cache for Redis should be enabled	Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking	Audit, Deny, Disabled	1.0.0
Protect data in transit using encryption	CMA_0403 - Protect data in transit using encryption	Manual, Disabled	1.1.0
Protect special information	CMA_0409 - Protect special information	Manual, Disabled	1.1.0
Secure transfer to storage accounts should be enabled	Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking	Audit, Deny, Disabled	2.0.0
Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign	Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed	Audit, Deny, Disabled	1.1.0
Transparent Data Encryption on SQL databases should be enabled	Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements	AuditIfNotExists, Disabled	2.0.0
Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources	By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison	AuditIfNotExists, Disabled	2.0.3

Primary account number (PAN) is secured wherever it is stored

ID: PCI DSS v4.0 3.5.1.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Establish a data leakage management procedure	CMA_0255 - Establish a data leakage management procedure	Manual, Disabled	1.1.0
Implement controls to secure all media	CMA_0314 - Implement controls to secure all media	Manual, Disabled	1.1.0
Protect data in transit using encryption	CMA_0403 - Protect data in transit using encryption	Manual, Disabled	1.1.0
Protect special information	CMA_0409 - Protect special information	Manual, Disabled	1.1.0

Primary account number (PAN) is secured wherever it is stored

ID: PCI DSS v4.0 3.5.1.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Establish a data leakage management procedure	CMA_0255 - Establish a data leakage management procedure	Manual, Disabled	1.1.0
Implement controls to secure all media	CMA_0314 - Implement controls to secure all media	Manual, Disabled	1.1.0
Protect data in transit using encryption	CMA_0403 - Protect data in transit using encryption	Manual, Disabled	1.1.0
Protect special information	CMA_0409 - Protect special information	Manual, Disabled	1.1.0

Primary account number (PAN) is secured wherever it is stored

ID: PCI DSS v4.0 3.5.1.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Establish a data leakage management procedure	CMA_0255 - Establish a data leakage management procedure	Manual, Disabled	1.1.0
Implement controls to secure all media	CMA_0314 - Implement controls to secure all media	Manual, Disabled	1.1.0
Protect data in transit using encryption	CMA_0403 - Protect data in transit using encryption	Manual, Disabled	1.1.0
Protect special information	CMA_0409 - Protect special information	Manual, Disabled	1.1.0

Cryptographic keys used to protect stored account data are secured

ID: PCI DSS v4.0 3.6.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Define a physical key management process	CMA_0115 - Define a physical key management process	Manual, Disabled	1.1.0
Define cryptographic use	CMA_0120 - Define cryptographic use	Manual, Disabled	1.1.0
Define organizational requirements for cryptographic key management	CMA_0123 - Define organizational requirements for cryptographic key management	Manual, Disabled	1.1.0
Determine assertion requirements	CMA_0136 - Determine assertion requirements	Manual, Disabled	1.1.0
Issue public key certificates	CMA_0347 - Issue public key certificates	Manual, Disabled	1.1.0
Manage symmetric cryptographic keys	CMA_0367 - Manage symmetric cryptographic keys	Manual, Disabled	1.1.0
Restrict access to private keys	CMA_0445 - Restrict access to private keys	Manual, Disabled	1.1.0

Cryptographic keys used to protect stored account data are secured

ID: PCI DSS v4.0 3.6.1.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Define a physical key management process	CMA_0115 - Define a physical key management process	Manual, Disabled	1.1.0
Define cryptographic use	CMA_0120 - Define cryptographic use	Manual, Disabled	1.1.0
Define organizational requirements for cryptographic key management	CMA_0123 - Define organizational requirements for cryptographic key management	Manual, Disabled	1.1.0
Determine assertion requirements	CMA_0136 - Determine assertion requirements	Manual, Disabled	1.1.0
Issue public key certificates	CMA_0347 - Issue public key certificates	Manual, Disabled	1.1.0
Manage symmetric cryptographic keys	CMA_0367 - Manage symmetric cryptographic keys	Manual, Disabled	1.1.0
Restrict access to private keys	CMA_0445 - Restrict access to private keys	Manual, Disabled	1.1.0

Cryptographic keys used to protect stored account data are secured

ID: PCI DSS v4.0 3.6.1.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Define a physical key management process	CMA_0115 - Define a physical key management process	Manual, Disabled	1.1.0
Define cryptographic use	CMA_0120 - Define cryptographic use	Manual, Disabled	1.1.0
Define organizational requirements for cryptographic key management	CMA_0123 - Define organizational requirements for cryptographic key management	Manual, Disabled	1.1.0
Determine assertion requirements	CMA_0136 - Determine assertion requirements	Manual, Disabled	1.1.0
Issue public key certificates	CMA_0347 - Issue public key certificates	Manual, Disabled	1.1.0
Manage symmetric cryptographic keys	CMA_0367 - Manage symmetric cryptographic keys	Manual, Disabled	1.1.0
Produce, control and distribute symmetric cryptographic keys	CMA_C1645 - Produce, control and distribute symmetric cryptographic keys	Manual, Disabled	1.1.0
Restrict access to private keys	CMA_0445 - Restrict access to private keys	Manual, Disabled	1.1.0

Cryptographic keys used to protect stored account data are secured

ID: PCI DSS v4.0 3.6.1.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Define a physical key management process	CMA_0115 - Define a physical key management process	Manual, Disabled	1.1.0
Define cryptographic use	CMA_0120 - Define cryptographic use	Manual, Disabled	1.1.0
Define organizational requirements for cryptographic key management	CMA_0123 - Define organizational requirements for cryptographic key management	Manual, Disabled	1.1.0
Determine assertion requirements	CMA_0136 - Determine assertion requirements	Manual, Disabled	1.1.0
Issue public key certificates	CMA_0347 - Issue public key certificates	Manual, Disabled	1.1.0
Manage symmetric cryptographic keys	CMA_0367 - Manage symmetric cryptographic keys	Manual, Disabled	1.1.0
Restrict access to private keys	CMA_0445 - Restrict access to private keys	Manual, Disabled	1.1.0

Cryptographic keys used to protect stored account data are secured

ID: PCI DSS v4.0 3.6.1.4 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Define a physical key management process	CMA_0115 - Define a physical key management process	Manual, Disabled	1.1.0
Define cryptographic use	CMA_0120 - Define cryptographic use	Manual, Disabled	1.1.0
Define organizational requirements for cryptographic key management	CMA_0123 - Define organizational requirements for cryptographic key management	Manual, Disabled	1.1.0
Determine assertion requirements	CMA_0136 - Determine assertion requirements	Manual, Disabled	1.1.0
Issue public key certificates	CMA_0347 - Issue public key certificates	Manual, Disabled	1.1.0
Manage symmetric cryptographic keys	CMA_0367 - Manage symmetric cryptographic keys	Manual, Disabled	1.1.0
Restrict access to private keys	CMA_0445 - Restrict access to private keys	Manual, Disabled	1.1.0

Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented

ID: PCI DSS v4.0 3.7.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Define a physical key management process	CMA_0115 - Define a physical key management process	Manual, Disabled	1.1.0
Define cryptographic use	CMA_0120 - Define cryptographic use	Manual, Disabled	1.1.0
Define organizational requirements for cryptographic key management	CMA_0123 - Define organizational requirements for cryptographic key management	Manual, Disabled	1.1.0
Determine assertion requirements	CMA_0136 - Determine assertion requirements	Manual, Disabled	1.1.0
Issue public key certificates	CMA_0347 - Issue public key certificates	Manual, Disabled	1.1.0
Manage symmetric cryptographic keys	CMA_0367 - Manage symmetric cryptographic keys	Manual, Disabled	1.1.0
Restrict access to private keys	CMA_0445 - Restrict access to private keys	Manual, Disabled	1.1.0

Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented

ID: PCI DSS v4.0 3.7.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Define a physical key management process	CMA_0115 - Define a physical key management process	Manual, Disabled	1.1.0
Define cryptographic use	CMA_0120 - Define cryptographic use	Manual, Disabled	1.1.0
Define organizational requirements for cryptographic key management	CMA_0123 - Define organizational requirements for cryptographic key management	Manual, Disabled	1.1.0
Determine assertion requirements	CMA_0136 - Determine assertion requirements	Manual, Disabled	1.1.0
Issue public key certificates	CMA_0347 - Issue public key certificates	Manual, Disabled	1.1.0
Manage symmetric cryptographic keys	CMA_0367 - Manage symmetric cryptographic keys	Manual, Disabled	1.1.0
Produce, control and distribute symmetric cryptographic keys	CMA_C1645 - Produce, control and distribute symmetric cryptographic keys	Manual, Disabled	1.1.0
Restrict access to private keys	CMA_0445 - Restrict access to private keys	Manual, Disabled	1.1.0

Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented

ID: PCI DSS v4.0 3.7.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Define a physical key management process	CMA_0115 - Define a physical key management process	Manual, Disabled	1.1.0
Define cryptographic use	CMA_0120 - Define cryptographic use	Manual, Disabled	1.1.0
Define organizational requirements for cryptographic key management	CMA_0123 - Define organizational requirements for cryptographic key management	Manual, Disabled	1.1.0
Determine assertion requirements	CMA_0136 - Determine assertion requirements	Manual, Disabled	1.1.0
Issue public key certificates	CMA_0347 - Issue public key certificates	Manual, Disabled	1.1.0
Maintain availability of information	CMA_C1644 - Maintain availability of information	Manual, Disabled	1.1.0
Manage symmetric cryptographic keys	CMA_0367 - Manage symmetric cryptographic keys	Manual, Disabled	1.1.0
Produce, control and distribute symmetric cryptographic keys	CMA_C1645 - Produce, control and distribute symmetric cryptographic keys	Manual, Disabled	1.1.0
Restrict access to private keys	CMA_0445 - Restrict access to private keys	Manual, Disabled	1.1.0

Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented

ID: PCI DSS v4.0 3.7.4 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Define a physical key management process	CMA_0115 - Define a physical key management process	Manual, Disabled	1.1.0
Define cryptographic use	CMA_0120 - Define cryptographic use	Manual, Disabled	1.1.0
Define organizational requirements for cryptographic key management	CMA_0123 - Define organizational requirements for cryptographic key management	Manual, Disabled	1.1.0
Determine assertion requirements	CMA_0136 - Determine assertion requirements	Manual, Disabled	1.1.0
Issue public key certificates	CMA_0347 - Issue public key certificates	Manual, Disabled	1.1.0
Manage symmetric cryptographic keys	CMA_0367 - Manage symmetric cryptographic keys	Manual, Disabled	1.1.0
Restrict access to private keys	CMA_0445 - Restrict access to private keys	Manual, Disabled	1.1.0

Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented

ID: PCI DSS v4.0 3.7.5 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Define a physical key management process	CMA_0115 - Define a physical key management process	Manual, Disabled	1.1.0
Define cryptographic use	CMA_0120 - Define cryptographic use	Manual, Disabled	1.1.0
Define organizational requirements for cryptographic key management	CMA_0123 - Define organizational requirements for cryptographic key management	Manual, Disabled	1.1.0
Determine assertion requirements	CMA_0136 - Determine assertion requirements	Manual, Disabled	1.1.0
Issue public key certificates	CMA_0347 - Issue public key certificates	Manual, Disabled	1.1.0
Manage symmetric cryptographic keys	CMA_0367 - Manage symmetric cryptographic keys	Manual, Disabled	1.1.0
Restrict access to private keys	CMA_0445 - Restrict access to private keys	Manual, Disabled	1.1.0

Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented

ID: PCI DSS v4.0 3.7.6 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Define a physical key management process	CMA_0115 - Define a physical key management process	Manual, Disabled	1.1.0
Define cryptographic use	CMA_0120 - Define cryptographic use	Manual, Disabled	1.1.0
Define organizational requirements for cryptographic key management	CMA_0123 - Define organizational requirements for cryptographic key management	Manual, Disabled	1.1.0
Determine assertion requirements	CMA_0136 - Determine assertion requirements	Manual, Disabled	1.1.0
Issue public key certificates	CMA_0347 - Issue public key certificates	Manual, Disabled	1.1.0
Manage symmetric cryptographic keys	CMA_0367 - Manage symmetric cryptographic keys	Manual, Disabled	1.1.0
Restrict access to private keys	CMA_0445 - Restrict access to private keys	Manual, Disabled	1.1.0

Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented

ID: PCI DSS v4.0 3.7.7 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Define a physical key management process	CMA_0115 - Define a physical key management process	Manual, Disabled	1.1.0
Define cryptographic use	CMA_0120 - Define cryptographic use	Manual, Disabled	1.1.0
Define organizational requirements for cryptographic key management	CMA_0123 - Define organizational requirements for cryptographic key management	Manual, Disabled	1.1.0
Determine assertion requirements	CMA_0136 - Determine assertion requirements	Manual, Disabled	1.1.0
Issue public key certificates	CMA_0347 - Issue public key certificates	Manual, Disabled	1.1.0
Manage symmetric cryptographic keys	CMA_0367 - Manage symmetric cryptographic keys	Manual, Disabled	1.1.0
Restrict access to private keys	CMA_0445 - Restrict access to private keys	Manual, Disabled	1.1.0

Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented

ID: PCI DSS v4.0 3.7.8 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Define a physical key management process	CMA_0115 - Define a physical key management process	Manual, Disabled	1.1.0
Define cryptographic use	CMA_0120 - Define cryptographic use	Manual, Disabled	1.1.0
Define organizational requirements for cryptographic key management	CMA_0123 - Define organizational requirements for cryptographic key management	Manual, Disabled	1.1.0
Determine assertion requirements	CMA_0136 - Determine assertion requirements	Manual, Disabled	1.1.0
Issue public key certificates	CMA_0347 - Issue public key certificates	Manual, Disabled	1.1.0
Manage symmetric cryptographic keys	CMA_0367 - Manage symmetric cryptographic keys	Manual, Disabled	1.1.0
Restrict access to private keys	CMA_0445 - Restrict access to private keys	Manual, Disabled	1.1.0

Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented

ID: PCI DSS v4.0 3.7.9 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Define a physical key management process	CMA_0115 - Define a physical key management process	Manual, Disabled	1.1.0
Define cryptographic use	CMA_0120 - Define cryptographic use	Manual, Disabled	1.1.0
Define organizational requirements for cryptographic key management	CMA_0123 - Define organizational requirements for cryptographic key management	Manual, Disabled	1.1.0
Determine assertion requirements	CMA_0136 - Determine assertion requirements	Manual, Disabled	1.1.0
Issue public key certificates	CMA_0347 - Issue public key certificates	Manual, Disabled	1.1.0
Manage symmetric cryptographic keys	CMA_0367 - Manage symmetric cryptographic keys	Manual, Disabled	1.1.0
Restrict access to private keys	CMA_0445 - Restrict access to private keys	Manual, Disabled	1.1.0

Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks

Processes and mechanisms for protecting cardholder data with strong cryptography during transmission over open, public networks are defined and documented

ID: PCI DSS v4.0 4.1.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Review and update system and communications protection policies and procedures	CMA_C1616 - Review and update system and communications protection policies and procedures	Manual, Disabled	1.1.0

PAN is protected with strong cryptography during transmission

ID: PCI DSS v4.0 4.2.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Configure workstations to check for digital certificates	CMA_0073 - Configure workstations to check for digital certificates	Manual, Disabled	1.1.0
Define a physical key management process	CMA_0115 - Define a physical key management process	Manual, Disabled	1.1.0
Define cryptographic use	CMA_0120 - Define cryptographic use	Manual, Disabled	1.1.0
Define organizational requirements for cryptographic key management	CMA_0123 - Define organizational requirements for cryptographic key management	Manual, Disabled	1.1.0
Determine assertion requirements	CMA_0136 - Determine assertion requirements	Manual, Disabled	1.1.0
Issue public key certificates	CMA_0347 - Issue public key certificates	Manual, Disabled	1.1.0
Manage symmetric cryptographic keys	CMA_0367 - Manage symmetric cryptographic keys	Manual, Disabled	1.1.0
Produce, control and distribute asymmetric cryptographic keys	CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys	Manual, Disabled	1.1.0
Produce, control and distribute symmetric cryptographic keys	CMA_C1645 - Produce, control and distribute symmetric cryptographic keys	Manual, Disabled	1.1.0
Protect data in transit using encryption	CMA_0403 - Protect data in transit using encryption	Manual, Disabled	1.1.0
Protect passwords with encryption	CMA_0408 - Protect passwords with encryption	Manual, Disabled	1.1.0
Restrict access to private keys	CMA_0445 - Restrict access to private keys	Manual, Disabled	1.1.0

PAN is protected with strong cryptography during transmission

ID: PCI DSS v4.0 4.2.1.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Define a physical key management process	CMA_0115 - Define a physical key management process	Manual, Disabled	1.1.0
Define cryptographic use	CMA_0120 - Define cryptographic use	Manual, Disabled	1.1.0
Define organizational requirements for cryptographic key management	CMA_0123 - Define organizational requirements for cryptographic key management	Manual, Disabled	1.1.0
Determine assertion requirements	CMA_0136 - Determine assertion requirements	Manual, Disabled	1.1.0
Issue public key certificates	CMA_0347 - Issue public key certificates	Manual, Disabled	1.1.0
Maintain availability of information	CMA_C1644 - Maintain availability of information	Manual, Disabled	1.1.0
Manage symmetric cryptographic keys	CMA_0367 - Manage symmetric cryptographic keys	Manual, Disabled	1.1.0
Restrict access to private keys	CMA_0445 - Restrict access to private keys	Manual, Disabled	1.1.0

PAN is protected with strong cryptography during transmission

ID: PCI DSS v4.0 4.2.1.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Document and implement wireless access guidelines	CMA_0190 - Document and implement wireless access guidelines	Manual, Disabled	1.1.0
Identify and authenticate network devices	CMA_0296 - Identify and authenticate network devices	Manual, Disabled	1.1.0
Protect wireless access	CMA_0411 - Protect wireless access	Manual, Disabled	1.1.0

PAN is protected with strong cryptography during transmission

ID: PCI DSS v4.0 4.2.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Configure workstations to check for digital certificates	CMA_0073 - Configure workstations to check for digital certificates	Manual, Disabled	1.1.0
Protect data in transit using encryption	CMA_0403 - Protect data in transit using encryption	Manual, Disabled	1.1.0
Protect passwords with encryption	CMA_0408 - Protect passwords with encryption	Manual, Disabled	1.1.0

Requirement 05: Protect All Systems and Networks from Malicious Software

Processes and mechanisms for protecting all systems and networks from malicious software are defined and understood

ID: PCI DSS v4.0 5.1.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Review and update information integrity policies and procedures	CMA_C1667 - Review and update information integrity policies and procedures	Manual, Disabled	1.1.0

Malicious software (malware) is prevented, or detected and addressed

ID: PCI DSS v4.0 5.2.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
A vulnerability assessment solution should be enabled on your virtual machines	Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.	AuditIfNotExists, Disabled	3.0.0
Block untrusted and unsigned processes that run from USB	CMA_0050 - Block untrusted and unsigned processes that run from USB	Manual, Disabled	1.1.0
Manage gateways	CMA_0363 - Manage gateways	Manual, Disabled	1.1.0
Monitor missing Endpoint Protection in Azure Security Center	Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations	AuditIfNotExists, Disabled	3.0.0
Perform a trend analysis on threats	CMA_0389 - Perform a trend analysis on threats	Manual, Disabled	1.1.0
Perform vulnerability scans	CMA_0393 - Perform vulnerability scans	Manual, Disabled	1.1.0
Review malware detections report weekly	CMA_0475 - Review malware detections report weekly	Manual, Disabled	1.1.0
Review threat protection status weekly	CMA_0479 - Review threat protection status weekly	Manual, Disabled	1.1.0
SQL databases should have vulnerability findings resolved	Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities.	AuditIfNotExists, Disabled	4.1.0
System updates should be installed on your machines	Missing security system updates on your servers will be monitored by Azure Security Center as recommendations	AuditIfNotExists, Disabled	4.0.0
Update antivirus definitions	CMA_0517 - Update antivirus definitions	Manual, Disabled	1.1.0
Vulnerabilities in security configuration on your machines should be remediated	Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations	AuditIfNotExists, Disabled	3.1.0

Malicious software (malware) is prevented, or detected and addressed

ID: PCI DSS v4.0 5.2.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
A vulnerability assessment solution should be enabled on your virtual machines	Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.	AuditIfNotExists, Disabled	3.0.0
Block untrusted and unsigned processes that run from USB	CMA_0050 - Block untrusted and unsigned processes that run from USB	Manual, Disabled	1.1.0
Manage gateways	CMA_0363 - Manage gateways	Manual, Disabled	1.1.0
Monitor missing Endpoint Protection in Azure Security Center	Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations	AuditIfNotExists, Disabled	3.0.0
Perform a trend analysis on threats	CMA_0389 - Perform a trend analysis on threats	Manual, Disabled	1.1.0
Perform vulnerability scans	CMA_0393 - Perform vulnerability scans	Manual, Disabled	1.1.0
Review malware detections report weekly	CMA_0475 - Review malware detections report weekly	Manual, Disabled	1.1.0
Review threat protection status weekly	CMA_0479 - Review threat protection status weekly	Manual, Disabled	1.1.0
SQL databases should have vulnerability findings resolved	Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities.	AuditIfNotExists, Disabled	4.1.0
System updates should be installed on your machines	Missing security system updates on your servers will be monitored by Azure Security Center as recommendations	AuditIfNotExists, Disabled	4.0.0
Update antivirus definitions	CMA_0517 - Update antivirus definitions	Manual, Disabled	1.1.0
Vulnerabilities in security configuration on your machines should be remediated	Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations	AuditIfNotExists, Disabled	3.1.0

Malicious software (malware) is prevented, or detected and addressed

ID: PCI DSS v4.0 5.2.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
A vulnerability assessment solution should be enabled on your virtual machines	Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.	AuditIfNotExists, Disabled	3.0.0
Block untrusted and unsigned processes that run from USB	CMA_0050 - Block untrusted and unsigned processes that run from USB	Manual, Disabled	1.1.0
Manage gateways	CMA_0363 - Manage gateways	Manual, Disabled	1.1.0
Monitor missing Endpoint Protection in Azure Security Center	Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations	AuditIfNotExists, Disabled	3.0.0
Perform a trend analysis on threats	CMA_0389 - Perform a trend analysis on threats	Manual, Disabled	1.1.0
Perform vulnerability scans	CMA_0393 - Perform vulnerability scans	Manual, Disabled	1.1.0
Review malware detections report weekly	CMA_0475 - Review malware detections report weekly	Manual, Disabled	1.1.0
Review threat protection status weekly	CMA_0479 - Review threat protection status weekly	Manual, Disabled	1.1.0
SQL databases should have vulnerability findings resolved	Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities.	AuditIfNotExists, Disabled	4.1.0
System updates should be installed on your machines	Missing security system updates on your servers will be monitored by Azure Security Center as recommendations	AuditIfNotExists, Disabled	4.0.0
Update antivirus definitions	CMA_0517 - Update antivirus definitions	Manual, Disabled	1.1.0
Vulnerabilities in security configuration on your machines should be remediated	Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations	AuditIfNotExists, Disabled	3.1.0

Malicious software (malware) is prevented, or detected and addressed

ID: PCI DSS v4.0 5.2.3.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Conduct Risk Assessment	CMA_C1543 - Conduct Risk Assessment	Manual, Disabled	1.1.0
Conduct risk assessment and document its results	CMA_C1542 - Conduct risk assessment and document its results	Manual, Disabled	1.1.0
Perform a risk assessment	CMA_0388 - Perform a risk assessment	Manual, Disabled	1.1.0

Anti-malware mechanisms and processes are active, maintained, and monitored

ID: PCI DSS v4.0 5.3.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Block untrusted and unsigned processes that run from USB	CMA_0050 - Block untrusted and unsigned processes that run from USB	Manual, Disabled	1.1.0
Manage gateways	CMA_0363 - Manage gateways	Manual, Disabled	1.1.0
Perform a trend analysis on threats	CMA_0389 - Perform a trend analysis on threats	Manual, Disabled	1.1.0
Perform vulnerability scans	CMA_0393 - Perform vulnerability scans	Manual, Disabled	1.1.0
Review malware detections report weekly	CMA_0475 - Review malware detections report weekly	Manual, Disabled	1.1.0
Update antivirus definitions	CMA_0517 - Update antivirus definitions	Manual, Disabled	1.1.0

Anti-malware mechanisms and processes are active, maintained, and monitored

ID: PCI DSS v4.0 5.3.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Block untrusted and unsigned processes that run from USB	CMA_0050 - Block untrusted and unsigned processes that run from USB	Manual, Disabled	1.1.0
Manage gateways	CMA_0363 - Manage gateways	Manual, Disabled	1.1.0
Perform a trend analysis on threats	CMA_0389 - Perform a trend analysis on threats	Manual, Disabled	1.1.0
Perform vulnerability scans	CMA_0393 - Perform vulnerability scans	Manual, Disabled	1.1.0
Review malware detections report weekly	CMA_0475 - Review malware detections report weekly	Manual, Disabled	1.1.0
Review threat protection status weekly	CMA_0479 - Review threat protection status weekly	Manual, Disabled	1.1.0
Update antivirus definitions	CMA_0517 - Update antivirus definitions	Manual, Disabled	1.1.0

Anti-malware mechanisms and processes are active, maintained, and monitored

ID: PCI DSS v4.0 5.3.4 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Adhere to retention periods defined	CMA_0004 - Adhere to retention periods defined	Manual, Disabled	1.1.0
Determine auditable events	CMA_0137 - Determine auditable events	Manual, Disabled	1.1.0
Retain security policies and procedures	CMA_0454 - Retain security policies and procedures	Manual, Disabled	1.1.0
Retain terminated user data	CMA_0455 - Retain terminated user data	Manual, Disabled	1.1.0

Anti-malware mechanisms and processes are active, maintained, and monitored

ID: PCI DSS v4.0 5.3.5 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Conduct a security impact analysis	CMA_0057 - Conduct a security impact analysis	Manual, Disabled	1.1.0
Develop and maintain a vulnerability management standard	CMA_0152 - Develop and maintain a vulnerability management standard	Manual, Disabled	1.1.0
Establish a risk management strategy	CMA_0258 - Establish a risk management strategy	Manual, Disabled	1.1.0
Establish and document change control processes	CMA_0265 - Establish and document change control processes	Manual, Disabled	1.1.0
Establish configuration management requirements for developers	CMA_0270 - Establish configuration management requirements for developers	Manual, Disabled	1.1.0
Perform a privacy impact assessment	CMA_0387 - Perform a privacy impact assessment	Manual, Disabled	1.1.0
Perform a risk assessment	CMA_0388 - Perform a risk assessment	Manual, Disabled	1.1.0
Perform audit for configuration change control	CMA_0390 - Perform audit for configuration change control	Manual, Disabled	1.1.0

Anti-phishing mechanisms protect users against phishing attacks

ID: PCI DSS v4.0 5.4.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Block untrusted and unsigned processes that run from USB	CMA_0050 - Block untrusted and unsigned processes that run from USB	Manual, Disabled	1.1.0
Manage gateways	CMA_0363 - Manage gateways	Manual, Disabled	1.1.0
Perform a trend analysis on threats	CMA_0389 - Perform a trend analysis on threats	Manual, Disabled	1.1.0
Perform vulnerability scans	CMA_0393 - Perform vulnerability scans	Manual, Disabled	1.1.0
Review malware detections report weekly	CMA_0475 - Review malware detections report weekly	Manual, Disabled	1.1.0
Review threat protection status weekly	CMA_0479 - Review threat protection status weekly	Manual, Disabled	1.1.0
Update antivirus definitions	CMA_0517 - Update antivirus definitions	Manual, Disabled	1.1.0

Requirement 06: Develop and Maintain Secure Systems and Software

Processes and mechanisms for developing and maintaining secure systems and software are defined and understood

ID: PCI DSS v4.0 6.1.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Review and update configuration management policies and procedures	CMA_C1175 - Review and update configuration management policies and procedures	Manual, Disabled	1.1.0
Review and update system and services acquisition policies and procedures	CMA_C1560 - Review and update system and services acquisition policies and procedures	Manual, Disabled	1.1.0

Bespoke and custom software are developed securely

ID: PCI DSS v4.0 6.2.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Provide periodic role-based security training	CMA_C1095 - Provide periodic role-based security training	Manual, Disabled	1.1.0
Provide security training before providing access	CMA_0418 - Provide security training before providing access	Manual, Disabled	1.1.0

Bespoke and custom software are developed securely

ID: PCI DSS v4.0 6.2.3.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Separate duties of individuals	CMA_0492 - Separate duties of individuals	Manual, Disabled	1.1.0

Bespoke and custom software are developed securely

ID: PCI DSS v4.0 6.2.4 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
App Service apps should only be accessible over HTTPS	Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.	Audit, Disabled, Deny	4.0.0
Automation account variables should be encrypted	It is important to enable encryption of Automation account variable assets when storing sensitive data	Audit, Deny, Disabled	1.1.0
Function apps should only be accessible over HTTPS	Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.	Audit, Disabled, Deny	5.0.0
Only secure connections to your Azure Cache for Redis should be enabled	Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking	Audit, Deny, Disabled	1.0.0
Secure transfer to storage accounts should be enabled	Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking	Audit, Deny, Disabled	2.0.0
Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign	Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed	Audit, Deny, Disabled	1.1.0
Transparent Data Encryption on SQL databases should be enabled	Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements	AuditIfNotExists, Disabled	2.0.0
Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources	By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison	AuditIfNotExists, Disabled	2.0.3

Security vulnerabilities are identified and addressed

ID: PCI DSS v4.0 6.3.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Disseminate security alerts to personnel	CMA_C1705 - Disseminate security alerts to personnel	Manual, Disabled	1.1.0
Establish a threat intelligence program	CMA_0260 - Establish a threat intelligence program	Manual, Disabled	1.1.0
Implement security directives	CMA_C1706 - Implement security directives	Manual, Disabled	1.1.0
Remediate information system flaws	CMA_0427 - Remediate information system flaws	Manual, Disabled	1.1.0

Security vulnerabilities are identified and addressed

ID: PCI DSS v4.0 6.3.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Obtain Admin documentation	CMA_C1580 - Obtain Admin documentation	Manual, Disabled	1.1.0

Security vulnerabilities are identified and addressed

ID: PCI DSS v4.0 6.3.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
A vulnerability assessment solution should be enabled on your virtual machines	Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.	AuditIfNotExists, Disabled	3.0.0
Monitor missing Endpoint Protection in Azure Security Center	Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations	AuditIfNotExists, Disabled	3.0.0
SQL databases should have vulnerability findings resolved	Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities.	AuditIfNotExists, Disabled	4.1.0
System updates should be installed on your machines	Missing security system updates on your servers will be monitored by Azure Security Center as recommendations	AuditIfNotExists, Disabled	4.0.0
Vulnerabilities in security configuration on your machines should be remediated	Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations	AuditIfNotExists, Disabled	3.1.0

Public-facing web applications are protected against attacks

ID: PCI DSS v4.0 6.4.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
A vulnerability assessment solution should be enabled on your virtual machines	Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you.	AuditIfNotExists, Disabled	3.0.0
Monitor missing Endpoint Protection in Azure Security Center	Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations	AuditIfNotExists, Disabled	3.0.0
Perform vulnerability scans	CMA_0393 - Perform vulnerability scans	Manual, Disabled	1.1.0
Remediate information system flaws	CMA_0427 - Remediate information system flaws	Manual, Disabled	1.1.0
SQL databases should have vulnerability findings resolved	Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities.	AuditIfNotExists, Disabled	4.1.0
System updates should be installed on your machines	Missing security system updates on your servers will be monitored by Azure Security Center as recommendations	AuditIfNotExists, Disabled	4.0.0
Vulnerabilities in security configuration on your machines should be remediated	Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations	AuditIfNotExists, Disabled	3.1.0

Public-facing web applications are protected against attacks

ID: PCI DSS v4.0 6.4.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Verify software, firmware and information integrity	CMA_0542 - Verify software, firmware and information integrity	Manual, Disabled	1.1.0
View and configure system diagnostic data	CMA_0544 - View and configure system diagnostic data	Manual, Disabled	1.1.0

Changes to all system components are managed securely

ID: PCI DSS v4.0 6.5.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Conduct a security impact analysis	CMA_0057 - Conduct a security impact analysis	Manual, Disabled	1.1.0
Develop and maintain a vulnerability management standard	CMA_0152 - Develop and maintain a vulnerability management standard	Manual, Disabled	1.1.0
Establish a risk management strategy	CMA_0258 - Establish a risk management strategy	Manual, Disabled	1.1.0
Establish and document change control processes	CMA_0265 - Establish and document change control processes	Manual, Disabled	1.1.0
Establish configuration management requirements for developers	CMA_0270 - Establish configuration management requirements for developers	Manual, Disabled	1.1.0
Perform a privacy impact assessment	CMA_0387 - Perform a privacy impact assessment	Manual, Disabled	1.1.0
Perform a risk assessment	CMA_0388 - Perform a risk assessment	Manual, Disabled	1.1.0
Perform audit for configuration change control	CMA_0390 - Perform audit for configuration change control	Manual, Disabled	1.1.0

Changes to all system components are managed securely

ID: PCI DSS v4.0 6.5.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Require developers to manage change integrity	CMA_C1595 - Require developers to manage change integrity	Manual, Disabled	1.1.0

Changes to all system components are managed securely

ID: PCI DSS v4.0 6.5.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Conduct a security impact analysis	CMA_0057 - Conduct a security impact analysis	Manual, Disabled	1.1.0
Establish and document change control processes	CMA_0265 - Establish and document change control processes	Manual, Disabled	1.1.0
Establish configuration management requirements for developers	CMA_0270 - Establish configuration management requirements for developers	Manual, Disabled	1.1.0
Limit privileges to make changes in production environment	CMA_C1206 - Limit privileges to make changes in production environment	Manual, Disabled	1.1.0
Perform a privacy impact assessment	CMA_0387 - Perform a privacy impact assessment	Manual, Disabled	1.1.0
Perform audit for configuration change control	CMA_0390 - Perform audit for configuration change control	Manual, Disabled	1.1.0

Changes to all system components are managed securely

ID: PCI DSS v4.0 6.5.4 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Conduct a security impact analysis	CMA_0057 - Conduct a security impact analysis	Manual, Disabled	1.1.0
Establish and document change control processes	CMA_0265 - Establish and document change control processes	Manual, Disabled	1.1.0
Establish configuration management requirements for developers	CMA_0270 - Establish configuration management requirements for developers	Manual, Disabled	1.1.0
Limit privileges to make changes in production environment	CMA_C1206 - Limit privileges to make changes in production environment	Manual, Disabled	1.1.0
Perform a privacy impact assessment	CMA_0387 - Perform a privacy impact assessment	Manual, Disabled	1.1.0
Perform audit for configuration change control	CMA_0390 - Perform audit for configuration change control	Manual, Disabled	1.1.0

Changes to all system components are managed securely

ID: PCI DSS v4.0 6.5.5 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Incorporate security and data privacy practices in research processing	CMA_0331 - Incorporate security and data privacy practices in research processing	Manual, Disabled	1.1.0

Changes to all system components are managed securely

ID: PCI DSS v4.0 6.5.6 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Conduct a security impact analysis	CMA_0057 - Conduct a security impact analysis	Manual, Disabled	1.1.0
Establish and document change control processes	CMA_0265 - Establish and document change control processes	Manual, Disabled	1.1.0
Establish configuration management requirements for developers	CMA_0270 - Establish configuration management requirements for developers	Manual, Disabled	1.1.0
Perform a privacy impact assessment	CMA_0387 - Perform a privacy impact assessment	Manual, Disabled	1.1.0
Perform audit for configuration change control	CMA_0390 - Perform audit for configuration change control	Manual, Disabled	1.1.0

Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know

Processes and mechanisms for restricting access to system components and cardholder data by business need to know are defined and understood

ID: PCI DSS v4.0 7.1.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Develop access control policies and procedures	CMA_0144 - Develop access control policies and procedures	Manual, Disabled	1.1.0
Enforce mandatory and discretionary access control policies	CMA_0246 - Enforce mandatory and discretionary access control policies	Manual, Disabled	1.1.0
Govern policies and procedures	CMA_0292 - Govern policies and procedures	Manual, Disabled	1.1.0
Review access control policies and procedures	CMA_0457 - Review access control policies and procedures	Manual, Disabled	1.1.0

Processes and mechanisms for restricting access to system components and cardholder data by business need to know are defined and understood

ID: PCI DSS v4.0 7.1.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Develop access control policies and procedures	CMA_0144 - Develop access control policies and procedures	Manual, Disabled	1.1.0
Enforce mandatory and discretionary access control policies	CMA_0246 - Enforce mandatory and discretionary access control policies	Manual, Disabled	1.1.0
Govern policies and procedures	CMA_0292 - Govern policies and procedures	Manual, Disabled	1.1.0

Access to system components and data is appropriately defined and assigned

ID: PCI DSS v4.0 7.2.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
A maximum of 3 owners should be designated for your subscription	It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner.	AuditIfNotExists, Disabled	3.0.0
Authorize access to security functions and information	CMA_0022 - Authorize access to security functions and information	Manual, Disabled	1.1.0
Authorize and manage access	CMA_0023 - Authorize and manage access	Manual, Disabled	1.1.0
Design an access control model	CMA_0129 - Design an access control model	Manual, Disabled	1.1.0
Employ least privilege access	CMA_0212 - Employ least privilege access	Manual, Disabled	1.1.0
Enforce logical access	CMA_0245 - Enforce logical access	Manual, Disabled	1.1.0
Enforce mandatory and discretionary access control policies	CMA_0246 - Enforce mandatory and discretionary access control policies	Manual, Disabled	1.1.0
Require approval for account creation	CMA_0431 - Require approval for account creation	Manual, Disabled	1.1.0
Review user groups and applications with access to sensitive data	CMA_0481 - Review user groups and applications with access to sensitive data	Manual, Disabled	1.1.0
There should be more than one owner assigned to your subscription	It is recommended to designate more than one subscription owner in order to have administrator access redundancy.	AuditIfNotExists, Disabled	3.0.0

Access to system components and data is appropriately defined and assigned

ID: PCI DSS v4.0 7.2.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
A maximum of 3 owners should be designated for your subscription	It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner.	AuditIfNotExists, Disabled	3.0.0
Authorize access to security functions and information	CMA_0022 - Authorize access to security functions and information	Manual, Disabled	1.1.0
Authorize and manage access	CMA_0023 - Authorize and manage access	Manual, Disabled	1.1.0
Design an access control model	CMA_0129 - Design an access control model	Manual, Disabled	1.1.0
Employ least privilege access	CMA_0212 - Employ least privilege access	Manual, Disabled	1.1.0
Enforce mandatory and discretionary access control policies	CMA_0246 - Enforce mandatory and discretionary access control policies	Manual, Disabled	1.1.0
There should be more than one owner assigned to your subscription	It is recommended to designate more than one subscription owner in order to have administrator access redundancy.	AuditIfNotExists, Disabled	3.0.0

Access to system components and data is appropriately defined and assigned

ID: PCI DSS v4.0 7.2.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Authorize access to security functions and information	CMA_0022 - Authorize access to security functions and information	Manual, Disabled	1.1.0
Authorize and manage access	CMA_0023 - Authorize and manage access	Manual, Disabled	1.1.0
Design an access control model	CMA_0129 - Design an access control model	Manual, Disabled	1.1.0
Employ least privilege access	CMA_0212 - Employ least privilege access	Manual, Disabled	1.1.0
Enforce logical access	CMA_0245 - Enforce logical access	Manual, Disabled	1.1.0
Enforce mandatory and discretionary access control policies	CMA_0246 - Enforce mandatory and discretionary access control policies	Manual, Disabled	1.1.0
Require approval for account creation	CMA_0431 - Require approval for account creation	Manual, Disabled	1.1.0
Review user groups and applications with access to sensitive data	CMA_0481 - Review user groups and applications with access to sensitive data	Manual, Disabled	1.1.0

Access to system components and data is appropriately defined and assigned

ID: PCI DSS v4.0 7.2.4 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Audit user account status	CMA_0020 - Audit user account status	Manual, Disabled	1.1.0
Review account provisioning logs	CMA_0460 - Review account provisioning logs	Manual, Disabled	1.1.0
Review user accounts	CMA_0480 - Review user accounts	Manual, Disabled	1.1.0
Review user privileges	CMA_C1039 - Review user privileges	Manual, Disabled	1.1.0

Access to system components and data is appropriately defined and assigned

ID: PCI DSS v4.0 7.2.5 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Define information system account types	CMA_0121 - Define information system account types	Manual, Disabled	1.1.0

Access to system components and data is appropriately defined and assigned

ID: PCI DSS v4.0 7.2.5.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Monitor account activity	CMA_0377 - Monitor account activity	Manual, Disabled	1.1.0

Access to system components and data is appropriately defined and assigned

ID: PCI DSS v4.0 7.2.6 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Authorize access to security functions and information	CMA_0022 - Authorize access to security functions and information	Manual, Disabled	1.1.0
Authorize and manage access	CMA_0023 - Authorize and manage access	Manual, Disabled	1.1.0
Design an access control model	CMA_0129 - Design an access control model	Manual, Disabled	1.1.0
Employ least privilege access	CMA_0212 - Employ least privilege access	Manual, Disabled	1.1.0
Enforce logical access	CMA_0245 - Enforce logical access	Manual, Disabled	1.1.0
Enforce mandatory and discretionary access control policies	CMA_0246 - Enforce mandatory and discretionary access control policies	Manual, Disabled	1.1.0
Require approval for account creation	CMA_0431 - Require approval for account creation	Manual, Disabled	1.1.0
Review user groups and applications with access to sensitive data	CMA_0481 - Review user groups and applications with access to sensitive data	Manual, Disabled	1.1.0

Access to system components and data is managed via an access control system(s)

ID: PCI DSS v4.0 7.3.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Accounts with owner permissions on Azure resources should be MFA enabled	Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.	AuditIfNotExists, Disabled	1.0.0
Accounts with write permissions on Azure resources should be MFA enabled	Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.	AuditIfNotExists, Disabled	1.0.0
An Azure Active Directory administrator should be provisioned for SQL servers	Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services	AuditIfNotExists, Disabled	1.0.0
Audit usage of custom RBAC roles	Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling	Audit, Disabled	1.0.1
Authorize access to security functions and information	CMA_0022 - Authorize access to security functions and information	Manual, Disabled	1.1.0
Authorize and manage access	CMA_0023 - Authorize and manage access	Manual, Disabled	1.1.0
Automate account management	CMA_0026 - Automate account management	Manual, Disabled	1.1.0
Enforce logical access	CMA_0245 - Enforce logical access	Manual, Disabled	1.1.0
Enforce mandatory and discretionary access control policies	CMA_0246 - Enforce mandatory and discretionary access control policies	Manual, Disabled	1.1.0
Guest accounts with owner permissions on Azure resources should be removed	External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access.	AuditIfNotExists, Disabled	1.0.0
Guest accounts with read permissions on Azure resources should be removed	External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access.	AuditIfNotExists, Disabled	1.0.0
Guest accounts with write permissions on Azure resources should be removed	External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access.	AuditIfNotExists, Disabled	1.0.0
Manage system and admin accounts	CMA_0368 - Manage system and admin accounts	Manual, Disabled	1.1.0
Monitor access across the organization	CMA_0376 - Monitor access across the organization	Manual, Disabled	1.1.0
Notify when account is not needed	CMA_0383 - Notify when account is not needed	Manual, Disabled	1.1.0
Require approval for account creation	CMA_0431 - Require approval for account creation	Manual, Disabled	1.1.0
Review user groups and applications with access to sensitive data	CMA_0481 - Review user groups and applications with access to sensitive data	Manual, Disabled	1.1.0

Access to system components and data is managed via an access control system(s)

ID: PCI DSS v4.0 7.3.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Authorize access to security functions and information	CMA_0022 - Authorize access to security functions and information	Manual, Disabled	1.1.0
Authorize and manage access	CMA_0023 - Authorize and manage access	Manual, Disabled	1.1.0
Automate account management	CMA_0026 - Automate account management	Manual, Disabled	1.1.0
Enforce logical access	CMA_0245 - Enforce logical access	Manual, Disabled	1.1.0
Enforce mandatory and discretionary access control policies	CMA_0246 - Enforce mandatory and discretionary access control policies	Manual, Disabled	1.1.0
Manage system and admin accounts	CMA_0368 - Manage system and admin accounts	Manual, Disabled	1.1.0
Monitor access across the organization	CMA_0376 - Monitor access across the organization	Manual, Disabled	1.1.0
Notify when account is not needed	CMA_0383 - Notify when account is not needed	Manual, Disabled	1.1.0
Require approval for account creation	CMA_0431 - Require approval for account creation	Manual, Disabled	1.1.0
Review user groups and applications with access to sensitive data	CMA_0481 - Review user groups and applications with access to sensitive data	Manual, Disabled	1.1.0

Access to system components and data is managed via an access control system(s)

ID: PCI DSS v4.0 7.3.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Authorize access to security functions and information	CMA_0022 - Authorize access to security functions and information	Manual, Disabled	1.1.0
Authorize and manage access	CMA_0023 - Authorize and manage access	Manual, Disabled	1.1.0
Enforce logical access	CMA_0245 - Enforce logical access	Manual, Disabled	1.1.0
Enforce mandatory and discretionary access control policies	CMA_0246 - Enforce mandatory and discretionary access control policies	Manual, Disabled	1.1.0
Require approval for account creation	CMA_0431 - Require approval for account creation	Manual, Disabled	1.1.0
Review user groups and applications with access to sensitive data	CMA_0481 - Review user groups and applications with access to sensitive data	Manual, Disabled	1.1.0

Requirement 08: Identify Users and Authenticate Access to System Components

Processes and mechanisms for identifying users and authenticating access to system components are defined and understood

ID: PCI DSS v4.0 8.1.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Review and update identification and authentication policies and procedures	CMA_C1299 - Review and update identification and authentication policies and procedures	Manual, Disabled	1.1.0

User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle

ID: PCI DSS v4.0 8.2.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Assign system identifiers	CMA_0018 - Assign system identifiers	Manual, Disabled	1.1.0
Enforce user uniqueness	CMA_0250 - Enforce user uniqueness	Manual, Disabled	1.1.0
Support personal verification credentials issued by legal authorities	CMA_0507 - Support personal verification credentials issued by legal authorities	Manual, Disabled	1.1.0

User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle

ID: PCI DSS v4.0 8.2.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Define and enforce conditions for shared and group accounts	CMA_0117 - Define and enforce conditions for shared and group accounts	Manual, Disabled	1.1.0
Reissue authenticators for changed groups and accounts	CMA_0426 - Reissue authenticators for changed groups and accounts	Manual, Disabled	1.1.0
Require use of individual authenticators	CMA_C1305 - Require use of individual authenticators	Manual, Disabled	1.1.0
Terminate customer controlled account credentials	CMA_C1022 - Terminate customer controlled account credentials	Manual, Disabled	1.1.0

User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle

ID: PCI DSS v4.0 8.2.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Adopt biometric authentication mechanisms	CMA_0005 - Adopt biometric authentication mechanisms	Manual, Disabled	1.1.0
Identify and authenticate network devices	CMA_0296 - Identify and authenticate network devices	Manual, Disabled	1.1.0
Satisfy token quality requirements	CMA_0487 - Satisfy token quality requirements	Manual, Disabled	1.1.0

User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle

ID: PCI DSS v4.0 8.2.4 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Assign system identifiers	CMA_0018 - Assign system identifiers	Manual, Disabled	1.1.0
Blocked accounts with owner permissions on Azure resources should be removed	Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in.	AuditIfNotExists, Disabled	1.0.0
Blocked accounts with read and write permissions on Azure resources should be removed	Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in.	AuditIfNotExists, Disabled	1.0.0
Guest accounts with owner permissions on Azure resources should be removed	External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access.	AuditIfNotExists, Disabled	1.0.0
Guest accounts with read permissions on Azure resources should be removed	External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access.	AuditIfNotExists, Disabled	1.0.0
Guest accounts with write permissions on Azure resources should be removed	External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access.	AuditIfNotExists, Disabled	1.0.0
Require approval for account creation	CMA_0431 - Require approval for account creation	Manual, Disabled	1.1.0

User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle

ID: PCI DSS v4.0 8.2.5 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Blocked accounts with owner permissions on Azure resources should be removed	Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in.	AuditIfNotExists, Disabled	1.0.0
Blocked accounts with read and write permissions on Azure resources should be removed	Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in.	AuditIfNotExists, Disabled	1.0.0

User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle

ID: PCI DSS v4.0 8.2.6 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Disable authenticators upon termination	CMA_0169 - Disable authenticators upon termination	Manual, Disabled	1.1.0
Revoke privileged roles as appropriate	CMA_0483 - Revoke privileged roles as appropriate	Manual, Disabled	1.1.0

User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle

ID: PCI DSS v4.0 8.2.7 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Blocked accounts with owner permissions on Azure resources should be removed	Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in.	AuditIfNotExists, Disabled	1.0.0
Blocked accounts with read and write permissions on Azure resources should be removed	Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in.	AuditIfNotExists, Disabled	1.0.0
Guest accounts with owner permissions on Azure resources should be removed	External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access.	AuditIfNotExists, Disabled	1.0.0
Guest accounts with read permissions on Azure resources should be removed	External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access.	AuditIfNotExists, Disabled	1.0.0
Guest accounts with write permissions on Azure resources should be removed	External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access.	AuditIfNotExists, Disabled	1.0.0
Identify and authenticate non-organizational users	CMA_C1346 - Identify and authenticate non-organizational users	Manual, Disabled	1.1.0

User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle

ID: PCI DSS v4.0 8.2.8 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Define and enforce inactivity log policy	CMA_C1017 - Define and enforce inactivity log policy	Manual, Disabled	1.1.0
Terminate user session automatically	CMA_C1054 - Terminate user session automatically	Manual, Disabled	1.1.0

Strong authentication for users and administrators is established and managed

ID: PCI DSS v4.0 8.3.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Adopt biometric authentication mechanisms	CMA_0005 - Adopt biometric authentication mechanisms	Manual, Disabled	1.1.0
Establish authenticator types and processes	CMA_0267 - Establish authenticator types and processes	Manual, Disabled	1.1.0
Identify and authenticate network devices	CMA_0296 - Identify and authenticate network devices	Manual, Disabled	1.1.0
Satisfy token quality requirements	CMA_0487 - Satisfy token quality requirements	Manual, Disabled	1.1.0

Strong authentication for users and administrators is established and managed

ID: PCI DSS v4.0 8.3.10 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Manage authenticator lifetime and reuse	CMA_0355 - Manage authenticator lifetime and reuse	Manual, Disabled	1.1.0
Refresh authenticators	CMA_0425 - Refresh authenticators	Manual, Disabled	1.1.0

Strong authentication for users and administrators is established and managed

ID: PCI DSS v4.0 8.3.10.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Manage authenticator lifetime and reuse	CMA_0355 - Manage authenticator lifetime and reuse	Manual, Disabled	1.1.0
Refresh authenticators	CMA_0425 - Refresh authenticators	Manual, Disabled	1.1.0

Strong authentication for users and administrators is established and managed

ID: PCI DSS v4.0 8.3.11 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Adopt biometric authentication mechanisms	CMA_0005 - Adopt biometric authentication mechanisms	Manual, Disabled	1.1.0
Distribute authenticators	CMA_0184 - Distribute authenticators	Manual, Disabled	1.1.0
Establish authenticator types and processes	CMA_0267 - Establish authenticator types and processes	Manual, Disabled	1.1.0
Identify and authenticate network devices	CMA_0296 - Identify and authenticate network devices	Manual, Disabled	1.1.0
Satisfy token quality requirements	CMA_0487 - Satisfy token quality requirements	Manual, Disabled	1.1.0
Verify identity before distributing authenticators	CMA_0538 - Verify identity before distributing authenticators	Manual, Disabled	1.1.0

Strong authentication for users and administrators is established and managed

ID: PCI DSS v4.0 8.3.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Ensure authorized users protect provided authenticators	CMA_C1339 - Ensure authorized users protect provided authenticators	Manual, Disabled	1.1.0
Protect passwords with encryption	CMA_0408 - Protect passwords with encryption	Manual, Disabled	1.1.0

Strong authentication for users and administrators is established and managed

ID: PCI DSS v4.0 8.3.4 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Enforce a limit of consecutive failed login attempts	CMA_C1044 - Enforce a limit of consecutive failed login attempts	Manual, Disabled	1.1.0

Strong authentication for users and administrators is established and managed

ID: PCI DSS v4.0 8.3.5 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Establish authenticator types and processes	CMA_0267 - Establish authenticator types and processes	Manual, Disabled	1.1.0

Strong authentication for users and administrators is established and managed

ID: PCI DSS v4.0 8.3.6 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities	This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.	modify	4.1.0
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity	This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.	modify	4.1.0
Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords	Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that allow re-use of the passwords after the specified number of unique passwords. Default value for unique passwords is 24	AuditIfNotExists, Disabled	2.1.0
Audit Windows machines that do not have the maximum password age set to specified number of days	Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the maximum password age set to specified number of days. Default value for maximum password age is 70 days	AuditIfNotExists, Disabled	2.1.0
Audit Windows machines that do not restrict the minimum password length to specified number of characters	Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not restrict the minimum password length to specified number of characters. Default value for minimum password length is 14 characters	AuditIfNotExists, Disabled	2.1.0
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs	This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.	deployIfNotExists	1.2.0
Document security strength requirements in acquisition contracts	CMA_0203 - Document security strength requirements in acquisition contracts	Manual, Disabled	1.1.0
Establish a password policy	CMA_0256 - Establish a password policy	Manual, Disabled	1.1.0
Implement parameters for memorized secret verifiers	CMA_0321 - Implement parameters for memorized secret verifiers	Manual, Disabled	1.1.0

Strong authentication for users and administrators is established and managed

ID: PCI DSS v4.0 8.3.8 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Implement training for protecting authenticators	CMA_0329 - Implement training for protecting authenticators	Manual, Disabled	1.1.0

Strong authentication for users and administrators is established and managed

ID: PCI DSS v4.0 8.3.9 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Manage authenticator lifetime and reuse	CMA_0355 - Manage authenticator lifetime and reuse	Manual, Disabled	1.1.0
Refresh authenticators	CMA_0425 - Refresh authenticators	Manual, Disabled	1.1.0

Multi-factor authentication (MFA) is implemented to secure access into the CDE

ID: PCI DSS v4.0 8.4.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Accounts with owner permissions on Azure resources should be MFA enabled	Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.	AuditIfNotExists, Disabled	1.0.0
Accounts with write permissions on Azure resources should be MFA enabled	Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources.	AuditIfNotExists, Disabled	1.0.0
Adopt biometric authentication mechanisms	CMA_0005 - Adopt biometric authentication mechanisms	Manual, Disabled	1.1.0
An Azure Active Directory administrator should be provisioned for SQL servers	Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services	AuditIfNotExists, Disabled	1.0.0
Audit usage of custom RBAC roles	Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling	Audit, Disabled	1.0.1
Guest accounts with owner permissions on Azure resources should be removed	External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access.	AuditIfNotExists, Disabled	1.0.0
Guest accounts with read permissions on Azure resources should be removed	External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access.	AuditIfNotExists, Disabled	1.0.0
Guest accounts with write permissions on Azure resources should be removed	External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access.	AuditIfNotExists, Disabled	1.0.0

Multi-factor authentication (MFA) is implemented to secure access into the CDE

ID: PCI DSS v4.0 8.4.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Adopt biometric authentication mechanisms	CMA_0005 - Adopt biometric authentication mechanisms	Manual, Disabled	1.1.0
Authorize remote access	CMA_0024 - Authorize remote access	Manual, Disabled	1.1.0
Document mobility training	CMA_0191 - Document mobility training	Manual, Disabled	1.1.0
Document remote access guidelines	CMA_0196 - Document remote access guidelines	Manual, Disabled	1.1.0
Identify and authenticate network devices	CMA_0296 - Identify and authenticate network devices	Manual, Disabled	1.1.0
Implement controls to secure alternate work sites	CMA_0315 - Implement controls to secure alternate work sites	Manual, Disabled	1.1.0
Provide privacy training	CMA_0415 - Provide privacy training	Manual, Disabled	1.1.0
Satisfy token quality requirements	CMA_0487 - Satisfy token quality requirements	Manual, Disabled	1.1.0

Multi-factor authentication (MFA) is implemented to secure access into the CDE

ID: PCI DSS v4.0 8.4.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Adopt biometric authentication mechanisms	CMA_0005 - Adopt biometric authentication mechanisms	Manual, Disabled	1.1.0
Authorize remote access	CMA_0024 - Authorize remote access	Manual, Disabled	1.1.0
Document mobility training	CMA_0191 - Document mobility training	Manual, Disabled	1.1.0
Document remote access guidelines	CMA_0196 - Document remote access guidelines	Manual, Disabled	1.1.0
Identify and authenticate network devices	CMA_0296 - Identify and authenticate network devices	Manual, Disabled	1.1.0
Implement controls to secure alternate work sites	CMA_0315 - Implement controls to secure alternate work sites	Manual, Disabled	1.1.0
Provide privacy training	CMA_0415 - Provide privacy training	Manual, Disabled	1.1.0
Satisfy token quality requirements	CMA_0487 - Satisfy token quality requirements	Manual, Disabled	1.1.0

Multi-factor authentication (MFA) systems are configured to prevent misuse

ID: PCI DSS v4.0 8.5.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Adopt biometric authentication mechanisms	CMA_0005 - Adopt biometric authentication mechanisms	Manual, Disabled	1.1.0
Authorize remote access	CMA_0024 - Authorize remote access	Manual, Disabled	1.1.0
Document mobility training	CMA_0191 - Document mobility training	Manual, Disabled	1.1.0
Document remote access guidelines	CMA_0196 - Document remote access guidelines	Manual, Disabled	1.1.0
Identify and authenticate network devices	CMA_0296 - Identify and authenticate network devices	Manual, Disabled	1.1.0
Implement controls to secure alternate work sites	CMA_0315 - Implement controls to secure alternate work sites	Manual, Disabled	1.1.0
Provide privacy training	CMA_0415 - Provide privacy training	Manual, Disabled	1.1.0
Satisfy token quality requirements	CMA_0487 - Satisfy token quality requirements	Manual, Disabled	1.1.0

Use of application and system accounts and associated authentication factors is strictly managed

ID: PCI DSS v4.0 8.6.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Define information system account types	CMA_0121 - Define information system account types	Manual, Disabled	1.1.0
Require approval for account creation	CMA_0431 - Require approval for account creation	Manual, Disabled	1.1.0

Use of application and system accounts and associated authentication factors is strictly managed

ID: PCI DSS v4.0 8.6.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Implement training for protecting authenticators	CMA_0329 - Implement training for protecting authenticators	Manual, Disabled	1.1.0

Use of application and system accounts and associated authentication factors is strictly managed

ID: PCI DSS v4.0 8.6.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Document security strength requirements in acquisition contracts	CMA_0203 - Document security strength requirements in acquisition contracts	Manual, Disabled	1.1.0
Establish a password policy	CMA_0256 - Establish a password policy	Manual, Disabled	1.1.0
Implement parameters for memorized secret verifiers	CMA_0321 - Implement parameters for memorized secret verifiers	Manual, Disabled	1.1.0
Implement training for protecting authenticators	CMA_0329 - Implement training for protecting authenticators	Manual, Disabled	1.1.0
Manage authenticator lifetime and reuse	CMA_0355 - Manage authenticator lifetime and reuse	Manual, Disabled	1.1.0
Refresh authenticators	CMA_0425 - Refresh authenticators	Manual, Disabled	1.1.0

Requirement 09: Restrict Physical Access to Cardholder Data

Processes and mechanisms for restricting physical access to cardholder data are defined and understood

ID: PCI DSS v4.0 9.1.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Review and update media protection policies and procedures	CMA_C1427 - Review and update media protection policies and procedures	Manual, Disabled	1.1.0
Review and update physical and environmental policies and procedures	CMA_C1446 - Review and update physical and environmental policies and procedures	Manual, Disabled	1.1.0

Physical access controls manage entry into facilities and systems containing cardholder data

ID: PCI DSS v4.0 9.2.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Control physical access	CMA_0081 - Control physical access	Manual, Disabled	1.1.0

Physical access controls manage entry into facilities and systems containing cardholder data

ID: PCI DSS v4.0 9.2.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Control physical access	CMA_0081 - Control physical access	Manual, Disabled	1.1.0
Implement physical security for offices, working areas, and secure areas	CMA_0323 - Implement physical security for offices, working areas, and secure areas	Manual, Disabled	1.1.0

Physical access controls manage entry into facilities and systems containing cardholder data

ID: PCI DSS v4.0 9.2.4 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Control physical access	CMA_0081 - Control physical access	Manual, Disabled	1.1.0
Implement physical security for offices, working areas, and secure areas	CMA_0323 - Implement physical security for offices, working areas, and secure areas	Manual, Disabled	1.1.0

Physical access for personnel and visitors is authorized and managed

ID: PCI DSS v4.0 9.3.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Control physical access	CMA_0081 - Control physical access	Manual, Disabled	1.1.0

Physical access for personnel and visitors is authorized and managed

ID: PCI DSS v4.0 9.3.1.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Control physical access	CMA_0081 - Control physical access	Manual, Disabled	1.1.0

Physical access for personnel and visitors is authorized and managed

ID: PCI DSS v4.0 9.3.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Control physical access	CMA_0081 - Control physical access	Manual, Disabled	1.1.0
Implement physical security for offices, working areas, and secure areas	CMA_0323 - Implement physical security for offices, working areas, and secure areas	Manual, Disabled	1.1.0

Physical access for personnel and visitors is authorized and managed

ID: PCI DSS v4.0 9.3.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Control physical access	CMA_0081 - Control physical access	Manual, Disabled	1.1.0
Implement physical security for offices, working areas, and secure areas	CMA_0323 - Implement physical security for offices, working areas, and secure areas	Manual, Disabled	1.1.0

Physical access for personnel and visitors is authorized and managed

ID: PCI DSS v4.0 9.3.4 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Control physical access	CMA_0081 - Control physical access	Manual, Disabled	1.1.0
Implement physical security for offices, working areas, and secure areas	CMA_0323 - Implement physical security for offices, working areas, and secure areas	Manual, Disabled	1.1.0

Media with cardholder data is securely stored, accessed, distributed, and destroyed

ID: PCI DSS v4.0 9.4.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Implement controls to secure all media	CMA_0314 - Implement controls to secure all media	Manual, Disabled	1.1.0

Media with cardholder data is securely stored, accessed, distributed, and destroyed

ID: PCI DSS v4.0 9.4.1.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Implement controls to secure all media	CMA_0314 - Implement controls to secure all media	Manual, Disabled	1.1.0

Media with cardholder data is securely stored, accessed, distributed, and destroyed

ID: PCI DSS v4.0 9.4.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Implement controls to secure all media	CMA_0314 - Implement controls to secure all media	Manual, Disabled	1.1.0

Media with cardholder data is securely stored, accessed, distributed, and destroyed

ID: PCI DSS v4.0 9.4.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Implement controls to secure all media	CMA_0314 - Implement controls to secure all media	Manual, Disabled	1.1.0
Manage the transportation of assets	CMA_0370 - Manage the transportation of assets	Manual, Disabled	1.1.0

Media with cardholder data is securely stored, accessed, distributed, and destroyed

ID: PCI DSS v4.0 9.4.4 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Implement controls to secure all media	CMA_0314 - Implement controls to secure all media	Manual, Disabled	1.1.0
Manage the transportation of assets	CMA_0370 - Manage the transportation of assets	Manual, Disabled	1.1.0

Media with cardholder data is securely stored, accessed, distributed, and destroyed

ID: PCI DSS v4.0 9.4.5.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Create a data inventory	CMA_0096 - Create a data inventory	Manual, Disabled	1.1.0
Maintain records of processing of personal data	CMA_0353 - Maintain records of processing of personal data	Manual, Disabled	1.1.0

Media with cardholder data is securely stored, accessed, distributed, and destroyed

ID: PCI DSS v4.0 9.4.6 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Employ a media sanitization mechanism	CMA_0208 - Employ a media sanitization mechanism	Manual, Disabled	1.1.0
Implement controls to secure all media	CMA_0314 - Implement controls to secure all media	Manual, Disabled	1.1.0
Perform disposition review	CMA_0391 - Perform disposition review	Manual, Disabled	1.1.0
Verify personal data is deleted at the end of processing	CMA_0540 - Verify personal data is deleted at the end of processing	Manual, Disabled	1.1.0

Media with cardholder data is securely stored, accessed, distributed, and destroyed

ID: PCI DSS v4.0 9.4.7 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Employ a media sanitization mechanism	CMA_0208 - Employ a media sanitization mechanism	Manual, Disabled	1.1.0
Implement controls to secure all media	CMA_0314 - Implement controls to secure all media	Manual, Disabled	1.1.0
Perform disposition review	CMA_0391 - Perform disposition review	Manual, Disabled	1.1.0
Verify personal data is deleted at the end of processing	CMA_0540 - Verify personal data is deleted at the end of processing	Manual, Disabled	1.1.0

Point of interaction (POI) devices are protected from tampering and unauthorized substitution

ID: PCI DSS v4.0 9.5.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Control physical access	CMA_0081 - Control physical access	Manual, Disabled	1.1.0
Implement physical security for offices, working areas, and secure areas	CMA_0323 - Implement physical security for offices, working areas, and secure areas	Manual, Disabled	1.1.0
Manage the input, output, processing, and storage of data	CMA_0369 - Manage the input, output, processing, and storage of data	Manual, Disabled	1.1.0

Point of interaction (POI) devices are protected from tampering and unauthorized substitution

ID: PCI DSS v4.0 9.5.1.2 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Control physical access	CMA_0081 - Control physical access	Manual, Disabled	1.1.0
Implement physical security for offices, working areas, and secure areas	CMA_0323 - Implement physical security for offices, working areas, and secure areas	Manual, Disabled	1.1.0
Manage the input, output, processing, and storage of data	CMA_0369 - Manage the input, output, processing, and storage of data	Manual, Disabled	1.1.0

Point of interaction (POI) devices are protected from tampering and unauthorized substitution

ID: PCI DSS v4.0 9.5.1.2.1 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Control physical access	CMA_0081 - Control physical access	Manual, Disabled	1.1.0
Implement physical security for offices, working areas, and secure areas	CMA_0323 - Implement physical security for offices, working areas, and secure areas	Manual, Disabled	1.1.0
Manage the input, output, processing, and storage of data	CMA_0369 - Manage the input, output, processing, and storage of data	Manual, Disabled	1.1.0

Point of interaction (POI) devices are protected from tampering and unauthorized substitution

ID: PCI DSS v4.0 9.5.1.3 Ownership: Shared

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Provide security training before providing access	CMA_0418 - Provide security training before providing access	Manual, Disabled	1.1.0

Next steps

Additional articles about Azure Policy:

• Regulatory Compliance overview.
• See the initiative definition structure.
• Review other examples at Azure Policy samples.
• Review Understanding policy effects.
• Learn how to remediate non-compliant resources.