Details of the PCI DSS v4.0 Regulatory Compliance built-in initiative
Article 02/10/2025
The following article details how the Azure Policy Regulatory Compliance built-in initiative definition maps to compliance domains and controls in PCI DSS v4.0. For more information about this compliance standard, see PCI DSS v4.0. To understand Ownership, review the policy type and Shared responsibility in the cloud.

The following mappings are to the PCI DSS v4.0 controls. Many of the controls are implemented with an Azure Policy initiative definition. To review the complete initiative definition, open Policy in the Azure portal and select the Definitions page. Then, find and select the PCI DSS v4 Regulatory Compliance built-in initiative definition.

Important: Each control below is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policy definitions themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time. To view the change history, see the GitHub Commit History.
Requirement 01: Install and Maintain Network Security Controls
Processes and mechanisms for installing and maintaining network security controls are defined and understood
ID: PCI DSS v4.0 1.1.1 (Ownership: Shared)

Network security controls (NSCs) are configured and maintained
ID: PCI DSS v4.0 1.2.1 (Ownership: Shared)
ID: PCI DSS v4.0 1.2.2 (Ownership: Shared)
ID: PCI DSS v4.0 1.2.3 (Ownership: Shared)
ID: PCI DSS v4.0 1.2.4 (Ownership: Shared)
ID: PCI DSS v4.0 1.2.5 (Ownership: Shared)
ID: PCI DSS v4.0 1.2.8 (Ownership: Shared)

Network access to and from the cardholder data environment is restricted
ID: PCI DSS v4.0 1.3.2 (Ownership: Shared)

Policies mapped to 1.3.2:

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | AuditIfNotExists, Disabled | 3.0.0 |
| Storage accounts should restrict network access | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. | Audit, Deny, Disabled | 1.1.1 |

Network access to and from the cardholder data environment is restricted
ID: PCI DSS v4.0 1.3.3 (Ownership: Shared)

Network connections between trusted and untrusted networks are controlled
ID: PCI DSS v4.0 1.4.1 (Ownership: Shared)
ID: PCI DSS v4.0 1.4.2 (Ownership: Shared)
ID: PCI DSS v4.0 1.4.3 (Ownership: Shared)
ID: PCI DSS v4.0 1.4.4 (Ownership: Shared)

Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated
ID: PCI DSS v4.0 1.5.1 (Ownership: Shared)
Requirement 10: Log and Monitor All Access to System Components and Cardholder Data
Processes and mechanisms for logging and monitoring all access to system components and cardholder data are defined and documented
ID: PCI DSS v4.0 10.1.1 (Ownership: Shared)

Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events
ID: PCI DSS v4.0 10.2.1 (Ownership: Shared)
ID: PCI DSS v4.0 10.2.1.1 (Ownership: Shared)
ID: PCI DSS v4.0 10.2.1.2 (Ownership: Shared)
ID: PCI DSS v4.0 10.2.1.3 (Ownership: Shared)
ID: PCI DSS v4.0 10.2.1.4 (Ownership: Shared)
ID: PCI DSS v4.0 10.2.1.5 (Ownership: Shared)

Policies mapped to 10.2.1.5:

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
| Audit user account status | CMA_0020 - Audit user account status | Manual, Disabled | 1.1.0 |
| Automate account management | CMA_0026 - Automate account management | Manual, Disabled | 1.1.0 |
| Conduct a full text analysis of logged privileged commands | CMA_0056 - Conduct a full text analysis of logged privileged commands | Manual, Disabled | 1.1.0 |
| Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
| Manage system and admin accounts | CMA_0368 - Manage system and admin accounts | Manual, Disabled | 1.1.0 |
| Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
| Monitor account activity | CMA_0377 - Monitor account activity | Manual, Disabled | 1.1.0 |
| Monitor privileged role assignment | CMA_0378 - Monitor privileged role assignment | Manual, Disabled | 1.1.0 |
| Notify when account is not needed | CMA_0383 - Notify when account is not needed | Manual, Disabled | 1.1.0 |
| Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
| Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |
| Use privileged identity management | CMA_0533 - Use privileged identity management | Manual, Disabled | 1.1.0 |

Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events
ID: PCI DSS v4.0 10.2.1.6 (Ownership: Shared)
ID: PCI DSS v4.0 10.2.1.7 (Ownership: Shared)
ID: PCI DSS v4.0 10.2.2 (Ownership: Shared)

Policies mapped to 10.2.2:

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Audit diagnostic setting for selected resource types | Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings. | AuditIfNotExists | 2.0.1 |
| Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 2.0.0 |
| Determine auditable events | CMA_0137 - Determine auditable events | Manual, Disabled | 1.1.0 |
| Storage accounts should be migrated to new Azure Resource Manager resources | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. | Audit, Deny, Disabled | 1.0.0 |
| Virtual machines should be migrated to new Azure Resource Manager resources | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. | Audit, Deny, Disabled | 1.0.0 |

Audit logs are protected from destruction and unauthorized modifications
ID: PCI DSS v4.0 10.3.1 (Ownership: Shared)
ID: PCI DSS v4.0 10.3.2 (Ownership: Shared)
ID: PCI DSS v4.0 10.3.3 (Ownership: Shared)

Policies mapped to 10.3.3:

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Audit diagnostic setting for selected resource types | Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings. | AuditIfNotExists | 2.0.1 |
| Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 2.0.0 |
| Establish backup policies and procedures | CMA_0268 - Establish backup policies and procedures | Manual, Disabled | 1.1.0 |
| Storage accounts should be migrated to new Azure Resource Manager resources | Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. | Audit, Deny, Disabled | 1.0.0 |
| Virtual machines should be migrated to new Azure Resource Manager resources | Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management. | Audit, Deny, Disabled | 1.0.0 |

Audit logs are protected from destruction and unauthorized modifications
ID: PCI DSS v4.0 10.3.4 (Ownership: Shared)

Audit logs are reviewed to identify anomalies or suspicious activity
ID: PCI DSS v4.0 10.4.1 (Ownership: Shared)
ID: PCI DSS v4.0 10.4.1.1 (Ownership: Shared)
ID: PCI DSS v4.0 10.4.2 (Ownership: Shared)
ID: PCI DSS v4.0 10.4.2.1 (Ownership: Shared)
ID: PCI DSS v4.0 10.4.3 (Ownership: Shared)

Policies mapped to each of 10.4.1, 10.4.1.1, 10.4.2, 10.4.2.1, and 10.4.3:

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Correlate audit records | CMA_0087 - Correlate audit records | Manual, Disabled | 1.1.0 |
| Establish requirements for audit review and reporting | CMA_0277 - Establish requirements for audit review and reporting | Manual, Disabled | 1.1.0 |
| Integrate audit review, analysis, and reporting | CMA_0339 - Integrate audit review, analysis, and reporting | Manual, Disabled | 1.1.0 |
| Integrate cloud app security with a siem | CMA_0340 - Integrate cloud app security with a siem | Manual, Disabled | 1.1.0 |
| Review account provisioning logs | CMA_0460 - Review account provisioning logs | Manual, Disabled | 1.1.0 |
| Review administrator assignments weekly | CMA_0461 - Review administrator assignments weekly | Manual, Disabled | 1.1.0 |
| Review audit data | CMA_0466 - Review audit data | Manual, Disabled | 1.1.0 |
| Review cloud identity report overview | CMA_0468 - Review cloud identity report overview | Manual, Disabled | 1.1.0 |
| Review controlled folder access events | CMA_0471 - Review controlled folder access events | Manual, Disabled | 1.1.0 |
| Review file and folder activity | CMA_0473 - Review file and folder activity | Manual, Disabled | 1.1.0 |
| Review role group changes weekly | CMA_0476 - Review role group changes weekly | Manual, Disabled | 1.1.0 |

Audit log history is retained and available for analysis
ID: PCI DSS v4.0 10.5.1 (Ownership: Shared)

Time-synchronization mechanisms support consistent time settings across all systems
ID: PCI DSS v4.0 10.6.1 (Ownership: Shared)
ID: PCI DSS v4.0 10.6.2 (Ownership: Shared)
ID: PCI DSS v4.0 10.6.3 (Ownership: Shared)

Policies mapped to 10.6.3:

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Audit privileged functions | CMA_0019 - Audit privileged functions | Manual, Disabled | 1.1.0 |
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Conduct a full text analysis of logged privileged commands | CMA_0056 - Conduct a full text analysis of logged privileged commands | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Monitor account activity | CMA_0377 - Monitor account activity | Manual, Disabled | 1.1.0 |
| Monitor privileged role assignment | CMA_0378 - Monitor privileged role assignment | Manual, Disabled | 1.1.0 |
| Restrict access to privileged accounts | CMA_0446 - Restrict access to privileged accounts | Manual, Disabled | 1.1.0 |
| Revoke privileged roles as appropriate | CMA_0483 - Revoke privileged roles as appropriate | Manual, Disabled | 1.1.0 |
| Use privileged identity management | CMA_0533 - Use privileged identity management | Manual, Disabled | 1.1.0 |

Failures of critical security control systems are detected, reported, and responded to promptly
ID: PCI DSS v4.0 10.7.1 (Ownership: Shared)
ID: PCI DSS v4.0 10.7.2 (Ownership: Shared)
ID: PCI DSS v4.0 10.7.3 (Ownership: Shared)
Requirement 11: Test Security of Systems and Networks Regularly
Processes and mechanisms for regularly testing security of systems and networks are defined and understood
ID: PCI DSS v4.0 11.1.1 (Ownership: Shared)

Wireless access points are identified and monitored, and unauthorized wireless access points are addressed
ID: PCI DSS v4.0 11.2.2 (Ownership: Shared)

External and internal vulnerabilities are regularly identified, prioritized, and addressed
ID: PCI DSS v4.0 11.3.1 (Ownership: Shared)
ID: PCI DSS v4.0 11.3.1.1 (Ownership: Shared)
ID: PCI DSS v4.0 11.3.1.3 (Ownership: Shared)
ID: PCI DSS v4.0 11.3.2 (Ownership: Shared)
ID: PCI DSS v4.0 11.3.2.1 (Ownership: Shared)

ID: PCI DSS v4.0 11.4.1 (Ownership: Shared)
ID: PCI DSS v4.0 11.4.3 (Ownership: Shared)

Network intrusions and unexpected file changes are detected and responded to
ID: PCI DSS v4.0 11.5.1 (Ownership: Shared)
ID: PCI DSS v4.0 11.5.1.1 (Ownership: Shared)
ID: PCI DSS v4.0 11.5.2 (Ownership: Shared)

Unauthorized changes on payment pages are detected and responded to
ID: PCI DSS v4.0 11.6.1 (Ownership: Shared)
Requirement 12: Support Information Security with Organizational Policies and Programs

ID: PCI DSS v4.0 12.1.2 (Ownership: Shared)
ID: PCI DSS v4.0 12.1.4 (Ownership: Shared)
ID: PCI DSS v4.0 12.10.2 (Ownership: Shared)
ID: PCI DSS v4.0 12.10.4 (Ownership: Shared)
ID: PCI DSS v4.0 12.10.4.1 (Ownership: Shared)
ID: PCI DSS v4.0 12.10.5 (Ownership: Shared)
ID: PCI DSS v4.0 12.10.6 (Ownership: Shared)
ID: PCI DSS v4.0 12.10.7 (Ownership: Shared)

Acceptable use policies for end-user technologies are defined and implemented
ID: PCI DSS v4.0 12.2.1 (Ownership: Shared)

ID: PCI DSS v4.0 12.3.1 (Ownership: Shared)
ID: PCI DSS v4.0 12.3.2 (Ownership: Shared)
ID: PCI DSS v4.0 12.3.4 (Ownership: Shared)

PCI DSS compliance is managed
ID: PCI DSS v4.0 12.4.1 (Ownership: Shared)
ID: PCI DSS v4.0 12.4.2 (Ownership: Shared)
ID: PCI DSS v4.0 12.4.2.1 (Ownership: Shared)

PCI DSS scope is documented and validated
ID: PCI DSS v4.0 12.5.2 (Ownership: Shared)
ID: PCI DSS v4.0 12.5.2.1 (Ownership: Shared)
ID: PCI DSS v4.0 12.5.3 (Ownership: Shared)

Security awareness education is an ongoing activity
ID: PCI DSS v4.0 12.6.1 (Ownership: Shared)
ID: PCI DSS v4.0 12.6.2 (Ownership: Shared)
ID: PCI DSS v4.0 12.6.3 (Ownership: Shared)
ID: PCI DSS v4.0 12.6.3.1 (Ownership: Shared)
ID: PCI DSS v4.0 12.6.3.2 (Ownership: Shared)

Personnel are screened to reduce risks from insider threats
ID: PCI DSS v4.0 12.7.1 (Ownership: Shared)

ID: PCI DSS v4.0 12.8.1 (Ownership: Shared)
ID: PCI DSS v4.0 12.8.2 (Ownership: Shared)

Policies mapped to 12.8.2:

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Define the duties of processors | CMA_0127 - Define the duties of processors | Manual, Disabled | 1.1.0 |
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
| Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
| Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
| Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
| Obtain design and implementation information for the security controls | CMA_C1576 - Obtain design and implementation information for the security controls | Manual, Disabled | 1.1.1 |
| Obtain functional properties of security controls | CMA_C1575 - Obtain functional properties of security controls | Manual, Disabled | 1.1.0 |
| Record disclosures of PII to third parties | CMA_0422 - Record disclosures of PII to third parties | Manual, Disabled | 1.1.0 |

ID: PCI DSS v4.0 12.8.3 (Ownership: Shared)
ID: PCI DSS v4.0 12.8.4 (Ownership: Shared)
ID: PCI DSS v4.0 12.8.5 (Ownership: Shared)

Policies mapped to 12.8.5:

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Determine supplier contract obligations | CMA_0140 - Determine supplier contract obligations | Manual, Disabled | 1.1.0 |
| Document acquisition contract acceptance criteria | CMA_0187 - Document acquisition contract acceptance criteria | Manual, Disabled | 1.1.0 |
| Document protection of personal data in acquisition contracts | CMA_0194 - Document protection of personal data in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document protection of security information in acquisition contracts | CMA_0195 - Document protection of security information in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document requirements for the use of shared data in contracts | CMA_0197 - Document requirements for the use of shared data in contracts | Manual, Disabled | 1.1.0 |
| Document security assurance requirements in acquisition contracts | CMA_0199 - Document security assurance requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security documentation requirements in acquisition contract | CMA_0200 - Document security documentation requirements in acquisition contract | Manual, Disabled | 1.1.0 |
| Document security functional requirements in acquisition contracts | CMA_0201 - Document security functional requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the information system environment in acquisition contracts | CMA_0205 - Document the information system environment in acquisition contracts | Manual, Disabled | 1.1.0 |
| Document the protection of cardholder data in third party contracts | CMA_0207 - Document the protection of cardholder data in third party contracts | Manual, Disabled | 1.1.0 |
| Obtain design and implementation information for the security controls | CMA_C1576 - Obtain design and implementation information for the security controls | Manual, Disabled | 1.1.1 |
| Obtain functional properties of security controls | CMA_C1575 - Obtain functional properties of security controls | Manual, Disabled | 1.1.0 |

Third-party service providers (TPSPs) support their customers' PCI DSS compliance
ID: PCI DSS v4.0 12.9.1 (Ownership: Shared)
ID: PCI DSS v4.0 12.9.2 (Ownership: Shared)
Requirement 02: Apply Secure Configurations to All System Components
Processes and mechanisms for applying secure configurations to all system components are defined and understood
ID: PCI DSS v4.0 2.1.1 (Ownership: Shared)

ID: PCI DSS v4.0 2.2.1 (Ownership: Shared)
ID: PCI DSS v4.0 2.2.2 (Ownership: Shared)

Policies mapped to 2.2.2:

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
| --- | --- | --- | --- |
| Manage Authenticators | CMA_C1321 - Manage Authenticators | Manual, Disabled | 1.1.0 |

ID: PCI DSS v4.0 2.2.5 (Ownership: Shared)
ID: PCI DSS v4.0 2.2.7 (Ownership: Shared)
ID: PCI DSS v4.0 2.3.1 (Ownership: Shared)
ID: PCI DSS v4.0 2.3.2 (Ownership: Shared)
Requirement 03: Protect Stored Account Data
Processes and mechanisms for protecting stored account data are defined and understood
ID : PCI DSS v4.0 3.1.1
Ownership : Shared
Expand table
Storage of account data is kept to a minimum
ID : PCI DSS v4.0 3.2.1
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Adhere to retention periods defined | CMA_0004 - Adhere to retention periods defined | Manual, Disabled | 1.1.0 |
| Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
| Document the legal basis for processing personal information | CMA_0206 - Document the legal basis for processing personal information | Manual, Disabled | 1.1.0 |
| Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0 |
| Obtain consent prior to collection or processing of personal data | CMA_0385 - Obtain consent prior to collection or processing of personal data | Manual, Disabled | 1.1.0 |
| Perform disposition review | CMA_0391 - Perform disposition review | Manual, Disabled | 1.1.0 |
| Review label activity and analytics | CMA_0474 - Review label activity and analytics | Manual, Disabled | 1.1.0 |
| Verify personal data is deleted at the end of processing | CMA_0540 - Verify personal data is deleted at the end of processing | Manual, Disabled | 1.1.0 |
Sensitive authentication data (SAD) is not stored after authorization
ID : PCI DSS v4.0 3.3.1
Ownership : Shared
Sensitive authentication data (SAD) is not stored after authorization
ID : PCI DSS v4.0 3.3.1.1
Ownership : Shared
Sensitive authentication data (SAD) is not stored after authorization
ID : PCI DSS v4.0 3.3.1.2
Ownership : Shared
Sensitive authentication data (SAD) is not stored after authorization
ID : PCI DSS v4.0 3.3.1.3
Ownership : Shared
Sensitive authentication data (SAD) is not stored after authorization
ID : PCI DSS v4.0 3.3.2
Ownership : Shared
Sensitive authentication data (SAD) is not stored after authorization
ID : PCI DSS v4.0 3.3.3
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | AuditIfNotExists, Disabled | 1.0.0 |
| Audit usage of custom RBAC roles | Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | Audit, Disabled | 1.0.1 |
| Authenticate to cryptographic module | CMA_0021 - Authenticate to cryptographic module | Manual, Disabled | 1.1.0 |
| Document the legal basis for processing personal information | CMA_0206 - Document the legal basis for processing personal information | Manual, Disabled | 1.1.0 |
| Guest accounts with owner permissions on Azure resources should be removed | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
| Guest accounts with read permissions on Azure resources should be removed | External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
| Guest accounts with write permissions on Azure resources should be removed | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
| Implement privacy notice delivery methods | CMA_0324 - Implement privacy notice delivery methods | Manual, Disabled | 1.1.0 |
| Obtain consent prior to collection or processing of personal data | CMA_0385 - Obtain consent prior to collection or processing of personal data | Manual, Disabled | 1.1.0 |
| Provide privacy notice | CMA_0414 - Provide privacy notice | Manual, Disabled | 1.1.0 |
| Restrict communications | CMA_0449 - Restrict communications | Manual, Disabled | 1.1.0 |
Access to displays of full PAN and ability to copy cardholder data are restricted
ID : PCI DSS v4.0 3.4.1
Ownership : Shared
Access to displays of full PAN and ability to copy cardholder data are restricted
ID : PCI DSS v4.0 3.4.2
Ownership : Shared
Primary account number (PAN) is secured wherever it is stored
ID : PCI DSS v4.0 3.5.1
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| App Service apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 4.0.0 |
| Automation account variables should be encrypted | It is important to enable encryption of Automation account variable assets when storing sensitive data | Audit, Deny, Disabled | 1.1.0 |
| Establish a data leakage management procedure | CMA_0255 - Establish a data leakage management procedure | Manual, Disabled | 1.1.0 |
| Function apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 5.0.0 |
| Implement controls to secure all media | CMA_0314 - Implement controls to secure all media | Manual, Disabled | 1.1.0 |
| Only secure connections to your Azure Cache for Redis should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 1.0.0 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
| Protect special information | CMA_0409 - Protect special information | Manual, Disabled | 1.1.0 |
| Secure transfer to storage accounts should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 2.0.0 |
| Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign | Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed | Audit, Deny, Disabled | 1.1.0 |
| Transparent Data Encryption on SQL databases should be enabled | Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements | AuditIfNotExists, Disabled | 2.0.0 |
Primary account number (PAN) is secured wherever it is stored
ID : PCI DSS v4.0 3.5.1.1
Ownership : Shared
Primary account number (PAN) is secured wherever it is stored
ID : PCI DSS v4.0 3.5.1.2
Ownership : Shared
Primary account number (PAN) is secured wherever it is stored
ID : PCI DSS v4.0 3.5.1.3
Ownership : Shared
Cryptographic keys used to protect stored account data are secured
ID : PCI DSS v4.0 3.6.1
Ownership : Shared
Cryptographic keys used to protect stored account data are secured
ID : PCI DSS v4.0 3.6.1.1
Ownership : Shared
Cryptographic keys used to protect stored account data are secured
ID : PCI DSS v4.0 3.6.1.2
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Define a physical key management process | CMA_0115 - Define a physical key management process | Manual, Disabled | 1.1.0 |
| Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
| Define organizational requirements for cryptographic key management | CMA_0123 - Define organizational requirements for cryptographic key management | Manual, Disabled | 1.1.0 |
| Determine assertion requirements | CMA_0136 - Determine assertion requirements | Manual, Disabled | 1.1.0 |
| Issue public key certificates | CMA_0347 - Issue public key certificates | Manual, Disabled | 1.1.0 |
| Manage symmetric cryptographic keys | CMA_0367 - Manage symmetric cryptographic keys | Manual, Disabled | 1.1.0 |
| Produce, control and distribute symmetric cryptographic keys | CMA_C1645 - Produce, control and distribute symmetric cryptographic keys | Manual, Disabled | 1.1.0 |
| Restrict access to private keys | CMA_0445 - Restrict access to private keys | Manual, Disabled | 1.1.0 |
Cryptographic keys used to protect stored account data are secured
ID : PCI DSS v4.0 3.6.1.3
Ownership : Shared
Cryptographic keys used to protect stored account data are secured
ID : PCI DSS v4.0 3.6.1.4
Ownership : Shared
Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented
ID : PCI DSS v4.0 3.7.1
Ownership : Shared
Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented
ID : PCI DSS v4.0 3.7.2
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Define a physical key management process | CMA_0115 - Define a physical key management process | Manual, Disabled | 1.1.0 |
| Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
| Define organizational requirements for cryptographic key management | CMA_0123 - Define organizational requirements for cryptographic key management | Manual, Disabled | 1.1.0 |
| Determine assertion requirements | CMA_0136 - Determine assertion requirements | Manual, Disabled | 1.1.0 |
| Issue public key certificates | CMA_0347 - Issue public key certificates | Manual, Disabled | 1.1.0 |
| Manage symmetric cryptographic keys | CMA_0367 - Manage symmetric cryptographic keys | Manual, Disabled | 1.1.0 |
| Produce, control and distribute symmetric cryptographic keys | CMA_C1645 - Produce, control and distribute symmetric cryptographic keys | Manual, Disabled | 1.1.0 |
| Restrict access to private keys | CMA_0445 - Restrict access to private keys | Manual, Disabled | 1.1.0 |
Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented
ID : PCI DSS v4.0 3.7.3
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Define a physical key management process | CMA_0115 - Define a physical key management process | Manual, Disabled | 1.1.0 |
| Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
| Define organizational requirements for cryptographic key management | CMA_0123 - Define organizational requirements for cryptographic key management | Manual, Disabled | 1.1.0 |
| Determine assertion requirements | CMA_0136 - Determine assertion requirements | Manual, Disabled | 1.1.0 |
| Issue public key certificates | CMA_0347 - Issue public key certificates | Manual, Disabled | 1.1.0 |
| Maintain availability of information | CMA_C1644 - Maintain availability of information | Manual, Disabled | 1.1.0 |
| Manage symmetric cryptographic keys | CMA_0367 - Manage symmetric cryptographic keys | Manual, Disabled | 1.1.0 |
| Produce, control and distribute symmetric cryptographic keys | CMA_C1645 - Produce, control and distribute symmetric cryptographic keys | Manual, Disabled | 1.1.0 |
| Restrict access to private keys | CMA_0445 - Restrict access to private keys | Manual, Disabled | 1.1.0 |
Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented
ID : PCI DSS v4.0 3.7.4
Ownership : Shared
Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented
ID : PCI DSS v4.0 3.7.5
Ownership : Shared
Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented
ID : PCI DSS v4.0 3.7.6
Ownership : Shared
Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented
ID : PCI DSS v4.0 3.7.7
Ownership : Shared
Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented
ID : PCI DSS v4.0 3.7.8
Ownership : Shared
Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented
ID : PCI DSS v4.0 3.7.9
Ownership : Shared
Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks
Processes and mechanisms for protecting cardholder data with strong cryptography during transmission over open, public networks are defined and documented
ID : PCI DSS v4.0 4.1.1
Ownership : Shared
PAN is protected with strong cryptography during transmission
ID : PCI DSS v4.0 4.2.1
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Configure workstations to check for digital certificates | CMA_0073 - Configure workstations to check for digital certificates | Manual, Disabled | 1.1.0 |
| Define a physical key management process | CMA_0115 - Define a physical key management process | Manual, Disabled | 1.1.0 |
| Define cryptographic use | CMA_0120 - Define cryptographic use | Manual, Disabled | 1.1.0 |
| Define organizational requirements for cryptographic key management | CMA_0123 - Define organizational requirements for cryptographic key management | Manual, Disabled | 1.1.0 |
| Determine assertion requirements | CMA_0136 - Determine assertion requirements | Manual, Disabled | 1.1.0 |
| Issue public key certificates | CMA_0347 - Issue public key certificates | Manual, Disabled | 1.1.0 |
| Manage symmetric cryptographic keys | CMA_0367 - Manage symmetric cryptographic keys | Manual, Disabled | 1.1.0 |
| Produce, control and distribute asymmetric cryptographic keys | CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys | Manual, Disabled | 1.1.0 |
| Produce, control and distribute symmetric cryptographic keys | CMA_C1645 - Produce, control and distribute symmetric cryptographic keys | Manual, Disabled | 1.1.0 |
| Protect data in transit using encryption | CMA_0403 - Protect data in transit using encryption | Manual, Disabled | 1.1.0 |
| Protect passwords with encryption | CMA_0408 - Protect passwords with encryption | Manual, Disabled | 1.1.0 |
| Restrict access to private keys | CMA_0445 - Restrict access to private keys | Manual, Disabled | 1.1.0 |
PAN is protected with strong cryptography during transmission
ID : PCI DSS v4.0 4.2.1.1
Ownership : Shared
PAN is protected with strong cryptography during transmission
ID : PCI DSS v4.0 4.2.1.2
Ownership : Shared
PAN is protected with strong cryptography during transmission
ID : PCI DSS v4.0 4.2.2
Ownership : Shared
Requirement 05: Protect All Systems and Networks from Malicious Software
Processes and mechanisms for protecting all systems and networks from malicious software are defined and understood
ID : PCI DSS v4.0 5.1.1
Ownership : Shared
Malicious software (malware) is prevented, or detected and addressed
ID : PCI DSS v4.0 5.2.1
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| A vulnerability assessment solution should be enabled on your virtual machines | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | AuditIfNotExists, Disabled | 3.0.0 |
| Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
| Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
| Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
| SQL databases should have vulnerability findings resolved | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | AuditIfNotExists, Disabled | 4.1.0 |
| Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
| Vulnerabilities in security configuration on your machines should be remediated | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.1.0 |
Malicious software (malware) is prevented, or detected and addressed
ID : PCI DSS v4.0 5.2.2
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| A vulnerability assessment solution should be enabled on your virtual machines | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | AuditIfNotExists, Disabled | 3.0.0 |
| Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
| Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
| Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
| SQL databases should have vulnerability findings resolved | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | AuditIfNotExists, Disabled | 4.1.0 |
| Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
| Vulnerabilities in security configuration on your machines should be remediated | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.1.0 |
Malicious software (malware) is prevented, or detected and addressed
ID : PCI DSS v4.0 5.2.3
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| A vulnerability assessment solution should be enabled on your virtual machines | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | AuditIfNotExists, Disabled | 3.0.0 |
| Block untrusted and unsigned processes that run from USB | CMA_0050 - Block untrusted and unsigned processes that run from USB | Manual, Disabled | 1.1.0 |
| Manage gateways | CMA_0363 - Manage gateways | Manual, Disabled | 1.1.0 |
| Perform a trend analysis on threats | CMA_0389 - Perform a trend analysis on threats | Manual, Disabled | 1.1.0 |
| Perform vulnerability scans | CMA_0393 - Perform vulnerability scans | Manual, Disabled | 1.1.0 |
| Review malware detections report weekly | CMA_0475 - Review malware detections report weekly | Manual, Disabled | 1.1.0 |
| Review threat protection status weekly | CMA_0479 - Review threat protection status weekly | Manual, Disabled | 1.1.0 |
| SQL databases should have vulnerability findings resolved | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | AuditIfNotExists, Disabled | 4.1.0 |
| Update antivirus definitions | CMA_0517 - Update antivirus definitions | Manual, Disabled | 1.1.0 |
| Vulnerabilities in security configuration on your machines should be remediated | Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.1.0 |
Malicious software (malware) is prevented, or detected and addressed
ID : PCI DSS v4.0 5.2.3.1
Ownership : Shared
Anti-malware mechanisms and processes are active, maintained, and monitored
ID : PCI DSS v4.0 5.3.1
Ownership : Shared
Anti-malware mechanisms and processes are active, maintained, and monitored
ID : PCI DSS v4.0 5.3.3
Ownership : Shared
Anti-malware mechanisms and processes are active, maintained, and monitored
ID : PCI DSS v4.0 5.3.4
Ownership : Shared
Anti-malware mechanisms and processes are active, maintained, and monitored
ID : PCI DSS v4.0 5.3.5
Ownership : Shared
Anti-phishing mechanisms protect users against phishing attacks
ID : PCI DSS v4.0 5.4.1
Ownership : Shared
Requirement 06: Develop and Maintain Secure Systems and Software
Processes and mechanisms for developing and maintaining secure systems and software are defined and understood
ID : PCI DSS v4.0 6.1.1
Ownership : Shared
Bespoke and custom software are developed securely
ID : PCI DSS v4.0 6.2.2
Ownership : Shared
Bespoke and custom software are developed securely
ID : PCI DSS v4.0 6.2.3.1
Ownership : Shared
Bespoke and custom software are developed securely
ID : PCI DSS v4.0 6.2.4
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| App Service apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 4.0.0 |
| Automation account variables should be encrypted | It is important to enable encryption of Automation account variable assets when storing sensitive data | Audit, Deny, Disabled | 1.1.0 |
| Function apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 5.0.0 |
| Only secure connections to your Azure Cache for Redis should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 1.0.0 |
| Secure transfer to storage accounts should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 2.0.0 |
| Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign | Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed | Audit, Deny, Disabled | 1.1.0 |
| Transparent Data Encryption on SQL databases should be enabled | Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements | AuditIfNotExists, Disabled | 2.0.0 |
Security vulnerabilities are identified and addressed
ID : PCI DSS v4.0 6.3.1
Ownership : Shared
Security vulnerabilities are identified and addressed
ID : PCI DSS v4.0 6.3.2
Ownership : Shared
Security vulnerabilities are identified and addressed
ID : PCI DSS v4.0 6.3.3
Ownership : Shared
Public-facing web applications are protected against attacks
ID : PCI DSS v4.0 6.4.1
Ownership : Shared
Public-facing web applications are protected against attacks
ID : PCI DSS v4.0 6.4.3
Ownership : Shared
Changes to all system components are managed securely
ID : PCI DSS v4.0 6.5.1
Ownership : Shared
Changes to all system components are managed securely
ID : PCI DSS v4.0 6.5.2
Ownership : Shared
Changes to all system components are managed securely
ID : PCI DSS v4.0 6.5.3
Ownership : Shared
Changes to all system components are managed securely
ID : PCI DSS v4.0 6.5.4
Ownership : Shared
Changes to all system components are managed securely
ID : PCI DSS v4.0 6.5.5
Ownership : Shared
Changes to all system components are managed securely
ID : PCI DSS v4.0 6.5.6
Ownership : Shared
Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know
Processes and mechanisms for restricting access to system components and cardholder data by business need to know are defined and understood
ID : PCI DSS v4.0 7.1.1
Ownership : Shared
Processes and mechanisms for restricting access to system components and cardholder data by business need to know are defined and understood
ID : PCI DSS v4.0 7.1.2
Ownership : Shared
Access to system components and data is appropriately defined and assigned
ID : PCI DSS v4.0 7.2.1
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| A maximum of 3 owners should be designated for your subscription | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | AuditIfNotExists, Disabled | 3.0.0 |
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Design an access control model | CMA_0129 - Design an access control model | Manual, Disabled | 1.1.0 |
| Employ least privilege access | CMA_0212 - Employ least privilege access | Manual, Disabled | 1.1.0 |
| Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
| There should be more than one owner assigned to your subscription | It is recommended to designate more than one subscription owner in order to have administrator access redundancy. | AuditIfNotExists, Disabled | 3.0.0 |
Access to system components and data is appropriately defined and assigned
ID : PCI DSS v4.0 7.2.2
Ownership : Shared
Access to system components and data is appropriately defined and assigned
ID : PCI DSS v4.0 7.2.3
Ownership : Shared
Access to system components and data is appropriately defined and assigned
ID : PCI DSS v4.0 7.2.4
Ownership : Shared
Access to system components and data is appropriately defined and assigned
ID : PCI DSS v4.0 7.2.5
Ownership : Shared
Access to system components and data is appropriately defined and assigned
ID : PCI DSS v4.0 7.2.5.1
Ownership : Shared
Access to system components and data is appropriately defined and assigned
ID : PCI DSS v4.0 7.2.6
Ownership : Shared
Access to system components and data is managed via an access control system(s)
ID : PCI DSS v4.0 7.3.1
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | AuditIfNotExists, Disabled | 1.0.0 |
| Audit usage of custom RBAC roles | Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling | Audit, Disabled | 1.0.1 |
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Automate account management | CMA_0026 - Automate account management | Manual, Disabled | 1.1.0 |
| Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Guest accounts with owner permissions on Azure resources should be removed | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
| Guest accounts with read permissions on Azure resources should be removed | External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
| Guest accounts with write permissions on Azure resources should be removed | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
| Manage system and admin accounts | CMA_0368 - Manage system and admin accounts | Manual, Disabled | 1.1.0 |
| Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
| Notify when account is not needed | CMA_0383 - Notify when account is not needed | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
Access to system components and data is managed via an access control system(s)
ID : PCI DSS v4.0 7.3.2
Ownership : Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Authorize access to security functions and information | CMA_0022 - Authorize access to security functions and information | Manual, Disabled | 1.1.0 |
| Authorize and manage access | CMA_0023 - Authorize and manage access | Manual, Disabled | 1.1.0 |
| Automate account management | CMA_0026 - Automate account management | Manual, Disabled | 1.1.0 |
| Enforce logical access | CMA_0245 - Enforce logical access | Manual, Disabled | 1.1.0 |
| Enforce mandatory and discretionary access control policies | CMA_0246 - Enforce mandatory and discretionary access control policies | Manual, Disabled | 1.1.0 |
| Manage system and admin accounts | CMA_0368 - Manage system and admin accounts | Manual, Disabled | 1.1.0 |
| Monitor access across the organization | CMA_0376 - Monitor access across the organization | Manual, Disabled | 1.1.0 |
| Notify when account is not needed | CMA_0383 - Notify when account is not needed | Manual, Disabled | 1.1.0 |
| Require approval for account creation | CMA_0431 - Require approval for account creation | Manual, Disabled | 1.1.0 |
| Review user groups and applications with access to sensitive data | CMA_0481 - Review user groups and applications with access to sensitive data | Manual, Disabled | 1.1.0 |
Access to system components and data is managed via an access control system(s)
ID : PCI DSS v4.0 7.3.3
Ownership : Shared
Requirement 08: Identify Users and Authenticate Access to System Components
Processes and mechanisms for identifying users and authenticating access to system components are defined and understood
ID : PCI DSS v4.0 8.1.1
Ownership : Shared
ID : PCI DSS v4.0 8.2.1
Ownership : Shared
ID : PCI DSS v4.0 8.2.2
Ownership : Shared
ID : PCI DSS v4.0 8.2.3
Ownership : Shared
ID : PCI DSS v4.0 8.2.4
Ownership : Shared
Expand table
ID : PCI DSS v4.0 8.2.5
Ownership : Shared
Expand table
ID : PCI DSS v4.0 8.2.6
Ownership : Shared
Expand table
ID : PCI DSS v4.0 8.2.7
Ownership : Shared
Expand table
ID : PCI DSS v4.0 8.2.8
Ownership : Shared
Expand table
Strong authentication for users and administrators is established and managed
ID : PCI DSS v4.0 8.3.1
Ownership : Shared
Expand table
Strong authentication for users and administrators is established and managed
ID : PCI DSS v4.0 8.3.10
Ownership : Shared
Expand table
Strong authentication for users and administrators is established and managed
ID : PCI DSS v4.0 8.3.10.1
Ownership : Shared
Expand table
Strong authentication for users and administrators is established and managed
ID : PCI DSS v4.0 8.3.11
Ownership : Shared
Expand table
Strong authentication for users and administrators is established and managed
ID : PCI DSS v4.0 8.3.2
Ownership : Shared
Expand table
Strong authentication for users and administrators is established and managed
ID : PCI DSS v4.0 8.3.4
Ownership : Shared
Expand table
Strong authentication for users and administrators is established and managed
ID : PCI DSS v4.0 8.3.5
Ownership : Shared
Expand table
Strong authentication for users and administrators is established and managed
ID : PCI DSS v4.0 8.3.6
Ownership : Shared
Expand table
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
| Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 |
| Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Windows machines are non-compliant if they allow re-use of passwords after the specified number of unique passwords. The default value for unique passwords is 24. | AuditIfNotExists, Disabled | 2.1.0 |
| Audit Windows machines that do not have the maximum password age set to specified number of days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Windows machines are non-compliant if the maximum password age is not set to the specified number of days. The default value for maximum password age is 70 days. | AuditIfNotExists, Disabled | 2.1.0 |
| Audit Windows machines that do not restrict the minimum password length to specified number of characters | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Windows machines are non-compliant if the minimum password length is not restricted to the specified number of characters. The default value for minimum password length is 14 characters. | AuditIfNotExists, Disabled | 2.1.0 |
| Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.2.0 |
| Document security strength requirements in acquisition contracts | CMA_0203 - Document security strength requirements in acquisition contracts | Manual, Disabled | 1.1.0 |
| Establish a password policy | CMA_0256 - Establish a password policy | Manual, Disabled | 1.1.0 |
| Implement parameters for memorized secret verifiers | CMA_0321 - Implement parameters for memorized secret verifiers | Manual, Disabled | 1.1.0 |

Strong authentication for users and administrators is established and managed
ID: PCI DSS v4.0 8.3.8
Ownership: Shared

Strong authentication for users and administrators is established and managed
ID: PCI DSS v4.0 8.3.9
Ownership: Shared

Multi-factor authentication (MFA) is implemented to secure access into the CDE
ID: PCI DSS v4.0 8.4.1
Ownership: Shared

Multi-factor authentication (MFA) is implemented to secure access into the CDE
ID: PCI DSS v4.0 8.4.2
Ownership: Shared

Multi-factor authentication (MFA) is implemented to secure access into the CDE
ID: PCI DSS v4.0 8.4.3
Ownership: Shared

ID: PCI DSS v4.0 8.5.1
Ownership: Shared

Use of application and system accounts and associated authentication factors is strictly managed
ID: PCI DSS v4.0 8.6.1
Ownership: Shared

Use of application and system accounts and associated authentication factors is strictly managed
ID: PCI DSS v4.0 8.6.2
Ownership: Shared

Use of application and system accounts and associated authentication factors is strictly managed
ID: PCI DSS v4.0 8.6.3
Ownership: Shared

Requirement 09: Restrict Physical Access to Cardholder Data

Processes and mechanisms for restricting physical access to cardholder data are defined and understood
ID: PCI DSS v4.0 9.1.1
Ownership: Shared

Physical access controls manage entry into facilities and systems containing cardholder data
ID: PCI DSS v4.0 9.2.2
Ownership: Shared

Physical access controls manage entry into facilities and systems containing cardholder data
ID: PCI DSS v4.0 9.2.3
Ownership: Shared

Physical access controls manage entry into facilities and systems containing cardholder data
ID: PCI DSS v4.0 9.2.4
Ownership: Shared

Physical access for personnel and visitors is authorized and managed
ID: PCI DSS v4.0 9.3.1
Ownership: Shared

Physical access for personnel and visitors is authorized and managed
ID: PCI DSS v4.0 9.3.1.1
Ownership: Shared

Physical access for personnel and visitors is authorized and managed
ID: PCI DSS v4.0 9.3.2
Ownership: Shared

Physical access for personnel and visitors is authorized and managed
ID: PCI DSS v4.0 9.3.3
Ownership: Shared

Physical access for personnel and visitors is authorized and managed
ID: PCI DSS v4.0 9.3.4
Ownership: Shared

ID: PCI DSS v4.0 9.4.1
Ownership: Shared

ID: PCI DSS v4.0 9.4.1.1
Ownership: Shared

ID: PCI DSS v4.0 9.4.2
Ownership: Shared

ID: PCI DSS v4.0 9.4.3
Ownership: Shared

ID: PCI DSS v4.0 9.4.4
Ownership: Shared

ID: PCI DSS v4.0 9.4.5.1
Ownership: Shared

ID: PCI DSS v4.0 9.4.6
Ownership: Shared

ID: PCI DSS v4.0 9.4.7
Ownership: Shared

Point of interaction (POI) devices are protected from tampering and unauthorized substitution
ID: PCI DSS v4.0 9.5.1
Ownership: Shared
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
| Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0 |

Point of interaction (POI) devices are protected from tampering and unauthorized substitution
ID: PCI DSS v4.0 9.5.1.2
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
| Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0 |

Point of interaction (POI) devices are protected from tampering and unauthorized substitution
ID: PCI DSS v4.0 9.5.1.2.1
Ownership: Shared

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Control physical access | CMA_0081 - Control physical access | Manual, Disabled | 1.1.0 |
| Implement physical security for offices, working areas, and secure areas | CMA_0323 - Implement physical security for offices, working areas, and secure areas | Manual, Disabled | 1.1.0 |
| Manage the input, output, processing, and storage of data | CMA_0369 - Manage the input, output, processing, and storage of data | Manual, Disabled | 1.1.0 |

Point of interaction (POI) devices are protected from tampering and unauthorized substitution
ID: PCI DSS v4.0 9.5.1.3
Ownership: Shared

Additional articles about Azure Policy: