Rediger

Del via


Details of the PCI DSS v4.0 Regulatory Compliance built-in initiative

The following article details how the Azure Policy Regulatory Compliance built-in initiative definition maps to compliance domains and controls in PCI DSS v4.0. For more information about this compliance standard, see PCI DSS v4.0. To understand Ownership, review the policy type and Shared responsibility in the cloud.

The following mappings are to the PCI DSS v4.0 controls. Many of the controls are implemented with an Azure Policy initiative definition. To review the complete initiative definition, open Policy in the Azure portal and select the Definitions page. Then, find and select the PCI DSS v4 Regulatory Compliance built-in initiative definition.

Important

Each control below is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policy definitions themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time. To view the change history, see the GitHub Commit History.

Requirement 01: Install and Maintain Network Security Controls

Processes and mechanisms for installing and maintaining network security controls are defined and understood

ID: PCI DSS v4.0 1.1.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Review and update configuration management policies and procedures CMA_C1175 - Review and update configuration management policies and procedures Manual, Disabled 1.1.0
Review and update system and communications protection policies and procedures CMA_C1616 - Review and update system and communications protection policies and procedures Manual, Disabled 1.1.0

Network security controls (NSCs) are configured and maintained

ID: PCI DSS v4.0 1.2.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure actions for noncompliant devices CMA_0062 - Configure actions for noncompliant devices Manual, Disabled 1.1.0
Develop and maintain baseline configurations CMA_0153 - Develop and maintain baseline configurations Manual, Disabled 1.1.0
Enforce security configuration settings CMA_0249 - Enforce security configuration settings Manual, Disabled 1.1.0
Establish a configuration control board CMA_0254 - Establish a configuration control board Manual, Disabled 1.1.0
Establish and document a configuration management plan CMA_0264 - Establish and document a configuration management plan Manual, Disabled 1.1.0
Implement an automated configuration management tool CMA_0311 - Implement an automated configuration management tool Manual, Disabled 1.1.0

Network security controls (NSCs) are configured and maintained

ID: PCI DSS v4.0 1.2.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct a security impact analysis CMA_0057 - Conduct a security impact analysis Manual, Disabled 1.1.0
Develop and maintain a vulnerability management standard CMA_0152 - Develop and maintain a vulnerability management standard Manual, Disabled 1.1.0
Establish a risk management strategy CMA_0258 - Establish a risk management strategy Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Perform a privacy impact assessment CMA_0387 - Perform a privacy impact assessment Manual, Disabled 1.1.0
Perform a risk assessment CMA_0388 - Perform a risk assessment Manual, Disabled 1.1.0
Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Manual, Disabled 1.1.0

Network security controls (NSCs) are configured and maintained

ID: PCI DSS v4.0 1.2.3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Check for privacy and security compliance before establishing internal connections CMA_0053 - Check for privacy and security compliance before establishing internal connections Manual, Disabled 1.1.0

Network security controls (NSCs) are configured and maintained

ID: PCI DSS v4.0 1.2.4 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Maintain records of processing of personal data CMA_0353 - Maintain records of processing of personal data Manual, Disabled 1.1.0

Network security controls (NSCs) are configured and maintained

ID: PCI DSS v4.0 1.2.5 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Identify external service providers CMA_C1591 - Identify external service providers Manual, Disabled 1.1.0
Require developer to identify SDLC ports, protocols, and services CMA_C1578 - Require developer to identify SDLC ports, protocols, and services Manual, Disabled 1.1.0

Network security controls (NSCs) are configured and maintained

ID: PCI DSS v4.0 1.2.8 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Enforce and audit access restrictions CMA_C1203 - Enforce and audit access restrictions Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Review changes for any unauthorized changes CMA_C1204 - Review changes for any unauthorized changes Manual, Disabled 1.1.0

Network access to and from the cardholder data environment is restricted

ID: PCI DSS v4.0 1.3.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
All network ports should be restricted on network security groups associated to your virtual machine Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. AuditIfNotExists, Disabled 3.0.0
Storage accounts should restrict network access Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges Audit, Deny, Disabled 1.1.1

Network access to and from the cardholder data environment is restricted

ID: PCI DSS v4.0 1.3.3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Document and implement wireless access guidelines CMA_0190 - Document and implement wireless access guidelines Manual, Disabled 1.1.0
Protect wireless access CMA_0411 - Protect wireless access Manual, Disabled 1.1.0

Network connections between trusted and untrusted networks are controlled

ID: PCI DSS v4.0 1.4.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control information flow CMA_0079 - Control information flow Manual, Disabled 1.1.0
Employ flow control mechanisms of encrypted information CMA_0211 - Employ flow control mechanisms of encrypted information Manual, Disabled 1.1.0
Implement managed interface for each external service CMA_C1626 - Implement managed interface for each external service Manual, Disabled 1.1.0
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Secure the interface to external systems CMA_0491 - Secure the interface to external systems Manual, Disabled 1.1.0

Network connections between trusted and untrusted networks are controlled

ID: PCI DSS v4.0 1.4.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
All network ports should be restricted on network security groups associated to your virtual machine Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. AuditIfNotExists, Disabled 3.0.0
Control information flow CMA_0079 - Control information flow Manual, Disabled 1.1.0
Employ flow control mechanisms of encrypted information CMA_0211 - Employ flow control mechanisms of encrypted information Manual, Disabled 1.1.0
Implement managed interface for each external service CMA_C1626 - Implement managed interface for each external service Manual, Disabled 1.1.0
Implement system boundary protection CMA_0328 - Implement system boundary protection Manual, Disabled 1.1.0
Secure the interface to external systems CMA_0491 - Secure the interface to external systems Manual, Disabled 1.1.0
Storage accounts should restrict network access Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges Audit, Deny, Disabled 1.1.1

Network connections between trusted and untrusted networks are controlled

ID: PCI DSS v4.0 1.4.3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control information flow CMA_0079 - Control information flow Manual, Disabled 1.1.0
Employ flow control mechanisms of encrypted information CMA_0211 - Employ flow control mechanisms of encrypted information Manual, Disabled 1.1.0

Network connections between trusted and untrusted networks are controlled

ID: PCI DSS v4.0 1.4.4 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control information flow CMA_0079 - Control information flow Manual, Disabled 1.1.0
Employ flow control mechanisms of encrypted information CMA_0211 - Employ flow control mechanisms of encrypted information Manual, Disabled 1.1.0

Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated

ID: PCI DSS v4.0 1.5.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize remote access CMA_0024 - Authorize remote access Manual, Disabled 1.1.0
Document mobility training CMA_0191 - Document mobility training Manual, Disabled 1.1.0
Document remote access guidelines CMA_0196 - Document remote access guidelines Manual, Disabled 1.1.0
Implement controls to secure alternate work sites CMA_0315 - Implement controls to secure alternate work sites Manual, Disabled 1.1.0
Provide privacy training CMA_0415 - Provide privacy training Manual, Disabled 1.1.0

Requirement 10: Log and Monitor All Access to System Components and Cardholder Data

Processes and mechanisms for logging and monitoring all access to system components and cardholder data are defined and documented

ID: PCI DSS v4.0 10.1.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop audit and accountability policies and procedures CMA_0154 - Develop audit and accountability policies and procedures Manual, Disabled 1.1.0
Develop information security policies and procedures CMA_0158 - Develop information security policies and procedures Manual, Disabled 1.1.0
Govern policies and procedures CMA_0292 - Govern policies and procedures Manual, Disabled 1.1.0
Update information security policies CMA_0518 - Update information security policies Manual, Disabled 1.1.0

Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events

ID: PCI DSS v4.0 10.2.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit privileged functions CMA_0019 - Audit privileged functions Manual, Disabled 1.1.0
Audit user account status CMA_0020 - Audit user account status Manual, Disabled 1.1.0
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0
Review audit data CMA_0466 - Review audit data Manual, Disabled 1.1.0

Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events

ID: PCI DSS v4.0 10.2.1.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0

Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events

ID: PCI DSS v4.0 10.2.1.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit privileged functions CMA_0019 - Audit privileged functions Manual, Disabled 1.1.0
Conduct a full text analysis of logged privileged commands CMA_0056 - Conduct a full text analysis of logged privileged commands Manual, Disabled 1.1.0
Monitor account activity CMA_0377 - Monitor account activity Manual, Disabled 1.1.0
Monitor privileged role assignment CMA_0378 - Monitor privileged role assignment Manual, Disabled 1.1.0
Restrict access to privileged accounts CMA_0446 - Restrict access to privileged accounts Manual, Disabled 1.1.0
Revoke privileged roles as appropriate CMA_0483 - Revoke privileged roles as appropriate Manual, Disabled 1.1.0
Use privileged identity management CMA_0533 - Use privileged identity management Manual, Disabled 1.1.0

Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events

ID: PCI DSS v4.0 10.2.1.3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit privileged functions CMA_0019 - Audit privileged functions Manual, Disabled 1.1.0
Conduct a full text analysis of logged privileged commands CMA_0056 - Conduct a full text analysis of logged privileged commands Manual, Disabled 1.1.0
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0
Monitor account activity CMA_0377 - Monitor account activity Manual, Disabled 1.1.0
Monitor privileged role assignment CMA_0378 - Monitor privileged role assignment Manual, Disabled 1.1.0
Restrict access to privileged accounts CMA_0446 - Restrict access to privileged accounts Manual, Disabled 1.1.0
Revoke privileged roles as appropriate CMA_0483 - Revoke privileged roles as appropriate Manual, Disabled 1.1.0
Use privileged identity management CMA_0533 - Use privileged identity management Manual, Disabled 1.1.0

Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events

ID: PCI DSS v4.0 10.2.1.4 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0

Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events

ID: PCI DSS v4.0 10.2.1.5 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit privileged functions CMA_0019 - Audit privileged functions Manual, Disabled 1.1.0
Audit user account status CMA_0020 - Audit user account status Manual, Disabled 1.1.0
Automate account management CMA_0026 - Automate account management Manual, Disabled 1.1.0
Conduct a full text analysis of logged privileged commands CMA_0056 - Conduct a full text analysis of logged privileged commands Manual, Disabled 1.1.0
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0
Manage system and admin accounts CMA_0368 - Manage system and admin accounts Manual, Disabled 1.1.0
Monitor access across the organization CMA_0376 - Monitor access across the organization Manual, Disabled 1.1.0
Monitor account activity CMA_0377 - Monitor account activity Manual, Disabled 1.1.0
Monitor privileged role assignment CMA_0378 - Monitor privileged role assignment Manual, Disabled 1.1.0
Notify when account is not needed CMA_0383 - Notify when account is not needed Manual, Disabled 1.1.0
Restrict access to privileged accounts CMA_0446 - Restrict access to privileged accounts Manual, Disabled 1.1.0
Revoke privileged roles as appropriate CMA_0483 - Revoke privileged roles as appropriate Manual, Disabled 1.1.0
Use privileged identity management CMA_0533 - Use privileged identity management Manual, Disabled 1.1.0

Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events

ID: PCI DSS v4.0 10.2.1.6 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit privileged functions CMA_0019 - Audit privileged functions Manual, Disabled 1.1.0
Conduct a full text analysis of logged privileged commands CMA_0056 - Conduct a full text analysis of logged privileged commands Manual, Disabled 1.1.0
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0
Monitor account activity CMA_0377 - Monitor account activity Manual, Disabled 1.1.0
Monitor privileged role assignment CMA_0378 - Monitor privileged role assignment Manual, Disabled 1.1.0
Restrict access to privileged accounts CMA_0446 - Restrict access to privileged accounts Manual, Disabled 1.1.0
Revoke privileged roles as appropriate CMA_0483 - Revoke privileged roles as appropriate Manual, Disabled 1.1.0
Use privileged identity management CMA_0533 - Use privileged identity management Manual, Disabled 1.1.0

Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events

ID: PCI DSS v4.0 10.2.1.7 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0

Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events

ID: PCI DSS v4.0 10.2.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit diagnostic setting for selected resource types Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings. AuditIfNotExists 2.0.1
Auditing on SQL server should be enabled Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. AuditIfNotExists, Disabled 2.0.0
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0
Storage accounts should be migrated to new Azure Resource Manager resources Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management Audit, Deny, Disabled 1.0.0
Virtual machines should be migrated to new Azure Resource Manager resources Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management Audit, Deny, Disabled 1.0.0

Audit logs are protected from destruction and unauthorized modifications

ID: PCI DSS v4.0 10.3.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Enable dual or joint authorization CMA_0226 - Enable dual or joint authorization Manual, Disabled 1.1.0
Protect audit information CMA_0401 - Protect audit information Manual, Disabled 1.1.0

Audit logs are protected from destruction and unauthorized modifications

ID: PCI DSS v4.0 10.3.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Enable dual or joint authorization CMA_0226 - Enable dual or joint authorization Manual, Disabled 1.1.0
Protect audit information CMA_0401 - Protect audit information Manual, Disabled 1.1.0

Audit logs are protected from destruction and unauthorized modifications

ID: PCI DSS v4.0 10.3.3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit diagnostic setting for selected resource types Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings. AuditIfNotExists 2.0.1
Auditing on SQL server should be enabled Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. AuditIfNotExists, Disabled 2.0.0
Establish backup policies and procedures CMA_0268 - Establish backup policies and procedures Manual, Disabled 1.1.0
Storage accounts should be migrated to new Azure Resource Manager resources Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management Audit, Deny, Disabled 1.0.0
Virtual machines should be migrated to new Azure Resource Manager resources Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management Audit, Deny, Disabled 1.0.0

Audit logs are protected from destruction and unauthorized modifications

ID: PCI DSS v4.0 10.3.4 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Enable dual or joint authorization CMA_0226 - Enable dual or joint authorization Manual, Disabled 1.1.0
Protect audit information CMA_0401 - Protect audit information Manual, Disabled 1.1.0

Audit logs are reviewed to identify anomalies or suspicious activity

ID: PCI DSS v4.0 10.4.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Correlate audit records CMA_0087 - Correlate audit records Manual, Disabled 1.1.0
Establish requirements for audit review and reporting CMA_0277 - Establish requirements for audit review and reporting Manual, Disabled 1.1.0
Integrate audit review, analysis, and reporting CMA_0339 - Integrate audit review, analysis, and reporting Manual, Disabled 1.1.0
Integrate cloud app security with a siem CMA_0340 - Integrate cloud app security with a siem Manual, Disabled 1.1.0
Review account provisioning logs CMA_0460 - Review account provisioning logs Manual, Disabled 1.1.0
Review administrator assignments weekly CMA_0461 - Review administrator assignments weekly Manual, Disabled 1.1.0
Review audit data CMA_0466 - Review audit data Manual, Disabled 1.1.0
Review cloud identity report overview CMA_0468 - Review cloud identity report overview Manual, Disabled 1.1.0
Review controlled folder access events CMA_0471 - Review controlled folder access events Manual, Disabled 1.1.0
Review file and folder activity CMA_0473 - Review file and folder activity Manual, Disabled 1.1.0
Review role group changes weekly CMA_0476 - Review role group changes weekly Manual, Disabled 1.1.0

Audit logs are reviewed to identify anomalies or suspicious activity

ID: PCI DSS v4.0 10.4.1.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Correlate audit records CMA_0087 - Correlate audit records Manual, Disabled 1.1.0
Establish requirements for audit review and reporting CMA_0277 - Establish requirements for audit review and reporting Manual, Disabled 1.1.0
Integrate audit review, analysis, and reporting CMA_0339 - Integrate audit review, analysis, and reporting Manual, Disabled 1.1.0
Integrate cloud app security with a siem CMA_0340 - Integrate cloud app security with a siem Manual, Disabled 1.1.0
Review account provisioning logs CMA_0460 - Review account provisioning logs Manual, Disabled 1.1.0
Review administrator assignments weekly CMA_0461 - Review administrator assignments weekly Manual, Disabled 1.1.0
Review audit data CMA_0466 - Review audit data Manual, Disabled 1.1.0
Review cloud identity report overview CMA_0468 - Review cloud identity report overview Manual, Disabled 1.1.0
Review controlled folder access events CMA_0471 - Review controlled folder access events Manual, Disabled 1.1.0
Review file and folder activity CMA_0473 - Review file and folder activity Manual, Disabled 1.1.0
Review role group changes weekly CMA_0476 - Review role group changes weekly Manual, Disabled 1.1.0

Audit logs are reviewed to identify anomalies or suspicious activity

ID: PCI DSS v4.0 10.4.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Correlate audit records CMA_0087 - Correlate audit records Manual, Disabled 1.1.0
Establish requirements for audit review and reporting CMA_0277 - Establish requirements for audit review and reporting Manual, Disabled 1.1.0
Integrate audit review, analysis, and reporting CMA_0339 - Integrate audit review, analysis, and reporting Manual, Disabled 1.1.0
Integrate cloud app security with a siem CMA_0340 - Integrate cloud app security with a siem Manual, Disabled 1.1.0
Review account provisioning logs CMA_0460 - Review account provisioning logs Manual, Disabled 1.1.0
Review administrator assignments weekly CMA_0461 - Review administrator assignments weekly Manual, Disabled 1.1.0
Review audit data CMA_0466 - Review audit data Manual, Disabled 1.1.0
Review cloud identity report overview CMA_0468 - Review cloud identity report overview Manual, Disabled 1.1.0
Review controlled folder access events CMA_0471 - Review controlled folder access events Manual, Disabled 1.1.0
Review file and folder activity CMA_0473 - Review file and folder activity Manual, Disabled 1.1.0
Review role group changes weekly CMA_0476 - Review role group changes weekly Manual, Disabled 1.1.0

Audit logs are reviewed to identify anomalies or suspicious activity

ID: PCI DSS v4.0 10.4.2.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Correlate audit records CMA_0087 - Correlate audit records Manual, Disabled 1.1.0
Establish requirements for audit review and reporting CMA_0277 - Establish requirements for audit review and reporting Manual, Disabled 1.1.0
Integrate audit review, analysis, and reporting CMA_0339 - Integrate audit review, analysis, and reporting Manual, Disabled 1.1.0
Integrate cloud app security with a siem CMA_0340 - Integrate cloud app security with a siem Manual, Disabled 1.1.0
Review account provisioning logs CMA_0460 - Review account provisioning logs Manual, Disabled 1.1.0
Review administrator assignments weekly CMA_0461 - Review administrator assignments weekly Manual, Disabled 1.1.0
Review audit data CMA_0466 - Review audit data Manual, Disabled 1.1.0
Review cloud identity report overview CMA_0468 - Review cloud identity report overview Manual, Disabled 1.1.0
Review controlled folder access events CMA_0471 - Review controlled folder access events Manual, Disabled 1.1.0
Review file and folder activity CMA_0473 - Review file and folder activity Manual, Disabled 1.1.0
Review role group changes weekly CMA_0476 - Review role group changes weekly Manual, Disabled 1.1.0

Audit logs are reviewed to identify anomalies or suspicious activity

ID: PCI DSS v4.0 10.4.3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Correlate audit records CMA_0087 - Correlate audit records Manual, Disabled 1.1.0
Establish requirements for audit review and reporting CMA_0277 - Establish requirements for audit review and reporting Manual, Disabled 1.1.0
Integrate audit review, analysis, and reporting CMA_0339 - Integrate audit review, analysis, and reporting Manual, Disabled 1.1.0
Integrate cloud app security with a siem CMA_0340 - Integrate cloud app security with a siem Manual, Disabled 1.1.0
Review account provisioning logs CMA_0460 - Review account provisioning logs Manual, Disabled 1.1.0
Review administrator assignments weekly CMA_0461 - Review administrator assignments weekly Manual, Disabled 1.1.0
Review audit data CMA_0466 - Review audit data Manual, Disabled 1.1.0
Review cloud identity report overview CMA_0468 - Review cloud identity report overview Manual, Disabled 1.1.0
Review controlled folder access events CMA_0471 - Review controlled folder access events Manual, Disabled 1.1.0
Review file and folder activity CMA_0473 - Review file and folder activity Manual, Disabled 1.1.0
Review role group changes weekly CMA_0476 - Review role group changes weekly Manual, Disabled 1.1.0

Audit log history is retained and available for analysis

ID: PCI DSS v4.0 10.5.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adhere to retention periods defined CMA_0004 - Adhere to retention periods defined Manual, Disabled 1.1.0
Retain security policies and procedures CMA_0454 - Retain security policies and procedures Manual, Disabled 1.1.0
Retain terminated user data CMA_0455 - Retain terminated user data Manual, Disabled 1.1.0

Time-synchronization mechanisms support consistent time settings across all systems

ID: PCI DSS v4.0 10.6.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Use system clocks for audit records CMA_0535 - Use system clocks for audit records Manual, Disabled 1.1.0

Time-synchronization mechanisms support consistent time settings across all systems

ID: PCI DSS v4.0 10.6.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Use system clocks for audit records CMA_0535 - Use system clocks for audit records Manual, Disabled 1.1.0

Time-synchronization mechanisms support consistent time settings across all systems

ID: PCI DSS v4.0 10.6.3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit privileged functions CMA_0019 - Audit privileged functions Manual, Disabled 1.1.0
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Conduct a full text analysis of logged privileged commands CMA_0056 - Conduct a full text analysis of logged privileged commands Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Monitor account activity CMA_0377 - Monitor account activity Manual, Disabled 1.1.0
Monitor privileged role assignment CMA_0378 - Monitor privileged role assignment Manual, Disabled 1.1.0
Restrict access to privileged accounts CMA_0446 - Restrict access to privileged accounts Manual, Disabled 1.1.0
Revoke privileged roles as appropriate CMA_0483 - Revoke privileged roles as appropriate Manual, Disabled 1.1.0
Use privileged identity management CMA_0533 - Use privileged identity management Manual, Disabled 1.1.0

Failures of critical security control systems are detected, reported, and responded to promptly

ID: PCI DSS v4.0 10.7.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Create alternative actions for identified anomalies CMA_C1711 - Create alternative actions for identified anomalies Manual, Disabled 1.1.0
Govern and monitor audit processing activities CMA_0289 - Govern and monitor audit processing activities Manual, Disabled 1.1.0
Notify personnel of any failed security verification tests CMA_C1710 - Notify personnel of any failed security verification tests Manual, Disabled 1.1.0
Perform security function verification at a defined frequency CMA_C1709 - Perform security function verification at a defined frequency Manual, Disabled 1.1.0
Verify security functions CMA_C1708 - Verify security functions Manual, Disabled 1.1.0

Failures of critical security control systems are detected, reported, and responded to promptly

ID: PCI DSS v4.0 10.7.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Create alternative actions for identified anomalies CMA_C1711 - Create alternative actions for identified anomalies Manual, Disabled 1.1.0
Govern and monitor audit processing activities CMA_0289 - Govern and monitor audit processing activities Manual, Disabled 1.1.0
Notify personnel of any failed security verification tests CMA_C1710 - Notify personnel of any failed security verification tests Manual, Disabled 1.1.0
Perform security function verification at a defined frequency CMA_C1709 - Perform security function verification at a defined frequency Manual, Disabled 1.1.0
Verify security functions CMA_C1708 - Verify security functions Manual, Disabled 1.1.0

Failures of critical security control systems are detected, reported, and responded to promptly

ID: PCI DSS v4.0 10.7.3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Create alternative actions for identified anomalies CMA_C1711 - Create alternative actions for identified anomalies Manual, Disabled 1.1.0
Notify personnel of any failed security verification tests CMA_C1710 - Notify personnel of any failed security verification tests Manual, Disabled 1.1.0
Perform security function verification at a defined frequency CMA_C1709 - Perform security function verification at a defined frequency Manual, Disabled 1.1.0
Verify security functions CMA_C1708 - Verify security functions Manual, Disabled 1.1.0

Requirement 11: Test Security of Systems and Networks Regularly

Processes and mechanisms for regularly testing security of systems and networks are defined and understood

ID: PCI DSS v4.0 11.1.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Review and update information integrity policies and procedures CMA_C1667 - Review and update information integrity policies and procedures Manual, Disabled 1.1.0
Review and update system and communications protection policies and procedures CMA_C1616 - Review and update system and communications protection policies and procedures Manual, Disabled 1.1.0
Review security assessment and authorization policies and procedures CMA_C1143 - Review security assessment and authorization policies and procedures Manual, Disabled 1.1.0

Wireless access points are identified and monitored, and unauthorized wireless access points are addressed

ID: PCI DSS v4.0 11.2.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Document and implement wireless access guidelines CMA_0190 - Document and implement wireless access guidelines Manual, Disabled 1.1.0
Protect wireless access CMA_0411 - Protect wireless access Manual, Disabled 1.1.0

External and internal vulnerabilities are regularly identified, prioritized, and addressed

ID: PCI DSS v4.0 11.3.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
A vulnerability assessment solution should be enabled on your virtual machines Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. AuditIfNotExists, Disabled 3.0.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
SQL databases should have vulnerability findings resolved Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. AuditIfNotExists, Disabled 4.1.0
Vulnerabilities in security configuration on your machines should be remediated Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 3.1.0

External and internal vulnerabilities are regularly identified, prioritized, and addressed

ID: PCI DSS v4.0 11.3.1.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0

External and internal vulnerabilities are regularly identified, prioritized, and addressed

ID: PCI DSS v4.0 11.3.1.3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0

External and internal vulnerabilities are regularly identified, prioritized, and addressed

ID: PCI DSS v4.0 11.3.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0

External and internal vulnerabilities are regularly identified, prioritized, and addressed

ID: PCI DSS v4.0 11.3.2.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0

External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected

ID: PCI DSS v4.0 11.4.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Employ independent team for penetration testing CMA_C1171 - Employ independent team for penetration testing Manual, Disabled 1.1.0

External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected

ID: PCI DSS v4.0 11.4.3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Employ independent team for penetration testing CMA_C1171 - Employ independent team for penetration testing Manual, Disabled 1.1.0

Network intrusions and unexpected file changes are detected and responded to

ID: PCI DSS v4.0 11.5.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Alert personnel of information spillage CMA_0007 - Alert personnel of information spillage Manual, Disabled 1.1.0
Develop an incident response plan CMA_0145 - Develop an incident response plan Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Set automated notifications for new and trending cloud applications in your organization CMA_0495 - Set automated notifications for new and trending cloud applications in your organization Manual, Disabled 1.1.0
Set file integrity rules in your organization CMA_M1000 - Set file integrity rules in your organization Manual, Disabled 1.0.0

Network intrusions and unexpected file changes are detected and responded to

ID: PCI DSS v4.0 11.5.1.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Alert personnel of information spillage CMA_0007 - Alert personnel of information spillage Manual, Disabled 1.1.0
Develop an incident response plan CMA_0145 - Develop an incident response plan Manual, Disabled 1.1.0
Set automated notifications for new and trending cloud applications in your organization CMA_0495 - Set automated notifications for new and trending cloud applications in your organization Manual, Disabled 1.1.0

Network intrusions and unexpected file changes are detected and responded to

ID: PCI DSS v4.0 11.5.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Employ automatic shutdown/restart when violations are detected CMA_C1715 - Employ automatic shutdown/restart when violations are detected Manual, Disabled 1.1.0
Set file integrity rules in your organization CMA_M1000 - Set file integrity rules in your organization Manual, Disabled 1.0.0
Verify software, firmware and information integrity CMA_0542 - Verify software, firmware and information integrity Manual, Disabled 1.1.0
View and configure system diagnostic data CMA_0544 - View and configure system diagnostic data Manual, Disabled 1.1.0

Unauthorized changes on payment pages are detected and responded to

ID: PCI DSS v4.0 11.6.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Employ automatic shutdown/restart when violations are detected CMA_C1715 - Employ automatic shutdown/restart when violations are detected Manual, Disabled 1.1.0
Verify software, firmware and information integrity CMA_0542 - Verify software, firmware and information integrity Manual, Disabled 1.1.0
View and configure system diagnostic data CMA_0544 - View and configure system diagnostic data Manual, Disabled 1.1.0

Requirement 12: Support Information Security with Organizational Policies and Programs

A comprehensive information security policy that governs and provides direction for protection of the entity's information assets is known and current

ID: PCI DSS v4.0 12.1.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Establish an information security program CMA_0263 - Establish an information security program Manual, Disabled 1.1.0
Update information security policies CMA_0518 - Update information security policies Manual, Disabled 1.1.0

A comprehensive information security policy that governs and provides direction for protection of the entity's information assets is known and current

ID: PCI DSS v4.0 12.1.4 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Appoint a senior information security officer CMA_C1733 - Appoint a senior information security officer Manual, Disabled 1.1.0

Suspected and confirmed security incidents that could impact the CDE are responded to immediately

ID: PCI DSS v4.0 12.10.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assess information security events CMA_0013 - Assess information security events Manual, Disabled 1.1.0
Develop an incident response plan CMA_0145 - Develop an incident response plan Manual, Disabled 1.1.0
Implement incident handling CMA_0318 - Implement incident handling Manual, Disabled 1.1.0
Maintain data breach records CMA_0351 - Maintain data breach records Manual, Disabled 1.1.0
Maintain incident response plan CMA_0352 - Maintain incident response plan Manual, Disabled 1.1.0
Protect incident response plan CMA_0405 - Protect incident response plan Manual, Disabled 1.1.0

Suspected and confirmed security incidents that could impact the CDE are responded to immediately

ID: PCI DSS v4.0 12.10.4 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Provide information spillage training CMA_0413 - Provide information spillage training Manual, Disabled 1.1.0

Suspected and confirmed security incidents that could impact the CDE are responded to immediately

ID: PCI DSS v4.0 12.10.4.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Provide information spillage training CMA_0413 - Provide information spillage training Manual, Disabled 1.1.0

Suspected and confirmed security incidents that could impact the CDE are responded to immediately

ID: PCI DSS v4.0 12.10.5 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop an incident response plan CMA_0145 - Develop an incident response plan Manual, Disabled 1.1.0
Enable network protection CMA_0238 - Enable network protection Manual, Disabled 1.1.0
Implement incident handling CMA_0318 - Implement incident handling Manual, Disabled 1.1.0

Suspected and confirmed security incidents that could impact the CDE are responded to immediately

ID: PCI DSS v4.0 12.10.6 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assess information security events CMA_0013 - Assess information security events Manual, Disabled 1.1.0
Maintain incident response plan CMA_0352 - Maintain incident response plan Manual, Disabled 1.1.0

Suspected and confirmed security incidents that could impact the CDE are responded to immediately

ID: PCI DSS v4.0 12.10.7 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop an incident response plan CMA_0145 - Develop an incident response plan Manual, Disabled 1.1.0
Develop security safeguards CMA_0161 - Develop security safeguards Manual, Disabled 1.1.0
Enable network protection CMA_0238 - Enable network protection Manual, Disabled 1.1.0
Eradicate contaminated information CMA_0253 - Eradicate contaminated information Manual, Disabled 1.1.0
Execute actions in response to information spills CMA_0281 - Execute actions in response to information spills Manual, Disabled 1.1.0
Implement incident handling CMA_0318 - Implement incident handling Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
View and investigate restricted users CMA_0545 - View and investigate restricted users Manual, Disabled 1.1.0

Acceptable use policies for end-user technologies are defined and implemented

ID: PCI DSS v4.0 12.2.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop acceptable use policies and procedures CMA_0143 - Develop acceptable use policies and procedures Manual, Disabled 1.1.0
Enforce rules of behavior and access agreements CMA_0248 - Enforce rules of behavior and access agreements Manual, Disabled 1.1.0
Require compliance with intellectual property rights CMA_0432 - Require compliance with intellectual property rights Manual, Disabled 1.1.0
Track software license usage CMA_C1235 - Track software license usage Manual, Disabled 1.1.0

Risks to the cardholder data environment are formally identified, evaluated, and managed

ID: PCI DSS v4.0 12.3.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct Risk Assessment CMA_C1543 - Conduct Risk Assessment Manual, Disabled 1.1.0
Conduct risk assessment and distribute its results CMA_C1544 - Conduct risk assessment and distribute its results Manual, Disabled 1.1.0
Conduct risk assessment and document its results CMA_C1542 - Conduct risk assessment and document its results Manual, Disabled 1.1.0
Perform a risk assessment CMA_0388 - Perform a risk assessment Manual, Disabled 1.1.0

Risks to the cardholder data environment are formally identified, evaluated, and managed

ID: PCI DSS v4.0 12.3.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct Risk Assessment CMA_C1543 - Conduct Risk Assessment Manual, Disabled 1.1.0
Conduct risk assessment and distribute its results CMA_C1544 - Conduct risk assessment and distribute its results Manual, Disabled 1.1.0
Conduct risk assessment and document its results CMA_C1542 - Conduct risk assessment and document its results Manual, Disabled 1.1.0
Perform a risk assessment CMA_0388 - Perform a risk assessment Manual, Disabled 1.1.0

Risks to the cardholder data environment are formally identified, evaluated, and managed

ID: PCI DSS v4.0 12.3.4 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Disseminate security alerts to personnel CMA_C1705 - Disseminate security alerts to personnel Manual, Disabled 1.1.0
Establish a threat intelligence program CMA_0260 - Establish a threat intelligence program Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0

PCI DSS compliance is managed

ID: PCI DSS v4.0 12.4.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop security assessment plan CMA_C1144 - Develop security assessment plan Manual, Disabled 1.1.0
Establish a privacy program CMA_0257 - Establish a privacy program Manual, Disabled 1.1.0
Establish an information security program CMA_0263 - Establish an information security program Manual, Disabled 1.1.0
Manage compliance activities CMA_0358 - Manage compliance activities Manual, Disabled 1.1.0
Update privacy plan, policies, and procedures CMA_C1807 - Update privacy plan, policies, and procedures Manual, Disabled 1.1.0

PCI DSS compliance is managed

ID: PCI DSS v4.0 12.4.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assess Security Controls CMA_C1145 - Assess Security Controls Manual, Disabled 1.1.0
Configure detection whitelist CMA_0068 - Configure detection whitelist Manual, Disabled 1.1.0
Develop security assessment plan CMA_C1144 - Develop security assessment plan Manual, Disabled 1.1.0
Select additional testing for security control assessments CMA_C1149 - Select additional testing for security control assessments Manual, Disabled 1.1.0
Turn on sensors for endpoint security solution CMA_0514 - Turn on sensors for endpoint security solution Manual, Disabled 1.1.0
Undergo independent security review CMA_0515 - Undergo independent security review Manual, Disabled 1.1.0

PCI DSS compliance is managed

ID: PCI DSS v4.0 12.4.2.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure detection whitelist CMA_0068 - Configure detection whitelist Manual, Disabled 1.1.0
Deliver security assessment results CMA_C1147 - Deliver security assessment results Manual, Disabled 1.1.0
Develop POA&M CMA_C1156 - Develop POA&M Manual, Disabled 1.1.0
Produce Security Assessment report CMA_C1146 - Produce Security Assessment report Manual, Disabled 1.1.0
Turn on sensors for endpoint security solution CMA_0514 - Turn on sensors for endpoint security solution Manual, Disabled 1.1.0
Undergo independent security review CMA_0515 - Undergo independent security review Manual, Disabled 1.1.0
Update POA&M items CMA_C1157 - Update POA&M items Manual, Disabled 1.1.0

PCI DSS scope is documented and validated

ID: PCI DSS v4.0 12.5.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Maintain records of processing of personal data CMA_0353 - Maintain records of processing of personal data Manual, Disabled 1.1.0

PCI DSS scope is documented and validated

ID: PCI DSS v4.0 12.5.2.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Create a data inventory CMA_0096 - Create a data inventory Manual, Disabled 1.1.0
Maintain records of processing of personal data CMA_0353 - Maintain records of processing of personal data Manual, Disabled 1.1.0

PCI DSS scope is documented and validated

ID: PCI DSS v4.0 12.5.3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Establish an information security program CMA_0263 - Establish an information security program Manual, Disabled 1.1.0
Update information security policies CMA_0518 - Update information security policies Manual, Disabled 1.1.0

Security awareness education is an ongoing activity

ID: PCI DSS v4.0 12.6.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Document security and privacy training activities CMA_0198 - Document security and privacy training activities Manual, Disabled 1.1.0
Establish information security workforce development and improvement program CMA_C1752 - Establish information security workforce development and improvement program Manual, Disabled 1.1.0

Security awareness education is an ongoing activity

ID: PCI DSS v4.0 12.6.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Provide updated security awareness training CMA_C1090 - Provide updated security awareness training Manual, Disabled 1.1.0

Security awareness education is an ongoing activity

ID: PCI DSS v4.0 12.6.3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Document personnel acceptance of privacy requirements CMA_0193 - Document personnel acceptance of privacy requirements Manual, Disabled 1.1.0
Provide periodic role-based security training CMA_C1095 - Provide periodic role-based security training Manual, Disabled 1.1.0
Provide periodic security awareness training CMA_C1091 - Provide periodic security awareness training Manual, Disabled 1.1.0
Provide privacy training CMA_0415 - Provide privacy training Manual, Disabled 1.1.0
Provide role-based security training CMA_C1094 - Provide role-based security training Manual, Disabled 1.1.0
Provide security training before providing access CMA_0418 - Provide security training before providing access Manual, Disabled 1.1.0
Provide security training for new users CMA_0419 - Provide security training for new users Manual, Disabled 1.1.0
Provide updated security awareness training CMA_C1090 - Provide updated security awareness training Manual, Disabled 1.1.0

Security awareness education is an ongoing activity

ID: PCI DSS v4.0 12.6.3.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Implement a threat awareness program CMA_C1758 - Implement a threat awareness program Manual, Disabled 1.1.0
Implement an insider threat program CMA_C1751 - Implement an insider threat program Manual, Disabled 1.1.0
Provide security training for new users CMA_0419 - Provide security training for new users Manual, Disabled 1.1.0

Security awareness education is an ongoing activity

ID: PCI DSS v4.0 12.6.3.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Provide security training before providing access CMA_0418 - Provide security training before providing access Manual, Disabled 1.1.0
Provide security training for new users CMA_0419 - Provide security training for new users Manual, Disabled 1.1.0

Personnel are screened to reduce risks from insider threats

ID: PCI DSS v4.0 12.7.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Clear personnel with access to classified information CMA_0054 - Clear personnel with access to classified information Manual, Disabled 1.1.0
Implement personnel screening CMA_0322 - Implement personnel screening Manual, Disabled 1.1.0
Rescreen individuals at a defined frequency CMA_C1512 - Rescreen individuals at a defined frequency Manual, Disabled 1.1.0

Risk to information assets associated with third-party service provider (TPSP) relationships is managed

ID: PCI DSS v4.0 12.8.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Require external service providers to comply with security requirements CMA_C1586 - Require external service providers to comply with security requirements Manual, Disabled 1.1.0

Risk to information assets associated with third-party service provider (TPSP) relationships is managed

ID: PCI DSS v4.0 12.8.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define the duties of processors CMA_0127 - Define the duties of processors Manual, Disabled 1.1.0
Determine supplier contract obligations CMA_0140 - Determine supplier contract obligations Manual, Disabled 1.1.0
Document acquisition contract acceptance criteria CMA_0187 - Document acquisition contract acceptance criteria Manual, Disabled 1.1.0
Document protection of personal data in acquisition contracts CMA_0194 - Document protection of personal data in acquisition contracts Manual, Disabled 1.1.0
Document protection of security information in acquisition contracts CMA_0195 - Document protection of security information in acquisition contracts Manual, Disabled 1.1.0
Document requirements for the use of shared data in contracts CMA_0197 - Document requirements for the use of shared data in contracts Manual, Disabled 1.1.0
Document security assurance requirements in acquisition contracts CMA_0199 - Document security assurance requirements in acquisition contracts Manual, Disabled 1.1.0
Document security documentation requirements in acquisition contract CMA_0200 - Document security documentation requirements in acquisition contract Manual, Disabled 1.1.0
Document security functional requirements in acquisition contracts CMA_0201 - Document security functional requirements in acquisition contracts Manual, Disabled 1.1.0
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Manual, Disabled 1.1.0
Document the protection of cardholder data in third party contracts CMA_0207 - Document the protection of cardholder data in third party contracts Manual, Disabled 1.1.0
Obtain design and implementation information for the security controls CMA_C1576 - Obtain design and implementation information for the security controls Manual, Disabled 1.1.1
Obtain functional properties of security controls CMA_C1575 - Obtain functional properties of security controls Manual, Disabled 1.1.0
Record disclosures of PII to third parties CMA_0422 - Record disclosures of PII to third parties Manual, Disabled 1.1.0

Risk to information assets associated with third-party service provider (TPSP) relationships is managed

ID: PCI DSS v4.0 12.8.3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assess risk in third party relationships CMA_0014 - Assess risk in third party relationships Manual, Disabled 1.1.0
Define requirements for supplying goods and services CMA_0126 - Define requirements for supplying goods and services Manual, Disabled 1.1.0
Determine supplier contract obligations CMA_0140 - Determine supplier contract obligations Manual, Disabled 1.1.0
Establish policies for supply chain risk management CMA_0275 - Establish policies for supply chain risk management Manual, Disabled 1.1.0
Require external service providers to comply with security requirements CMA_C1586 - Require external service providers to comply with security requirements Manual, Disabled 1.1.0

Risk to information assets associated with third-party service provider (TPSP) relationships is managed

ID: PCI DSS v4.0 12.8.4 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assess risk in third party relationships CMA_0014 - Assess risk in third party relationships Manual, Disabled 1.1.0
Define requirements for supplying goods and services CMA_0126 - Define requirements for supplying goods and services Manual, Disabled 1.1.0
Determine supplier contract obligations CMA_0140 - Determine supplier contract obligations Manual, Disabled 1.1.0
Establish policies for supply chain risk management CMA_0275 - Establish policies for supply chain risk management Manual, Disabled 1.1.0
Obtain continuous monitoring plan for security controls CMA_C1577 - Obtain continuous monitoring plan for security controls Manual, Disabled 1.1.0
Require external service providers to comply with security requirements CMA_C1586 - Require external service providers to comply with security requirements Manual, Disabled 1.1.0
Review cloud service provider's compliance with policies and agreements CMA_0469 - Review cloud service provider's compliance with policies and agreements Manual, Disabled 1.1.0
Undergo independent security review CMA_0515 - Undergo independent security review Manual, Disabled 1.1.0

Risk to information assets associated with third-party service provider (TPSP) relationships is managed

ID: PCI DSS v4.0 12.8.5 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Determine supplier contract obligations CMA_0140 - Determine supplier contract obligations Manual, Disabled 1.1.0
Document acquisition contract acceptance criteria CMA_0187 - Document acquisition contract acceptance criteria Manual, Disabled 1.1.0
Document protection of personal data in acquisition contracts CMA_0194 - Document protection of personal data in acquisition contracts Manual, Disabled 1.1.0
Document protection of security information in acquisition contracts CMA_0195 - Document protection of security information in acquisition contracts Manual, Disabled 1.1.0
Document requirements for the use of shared data in contracts CMA_0197 - Document requirements for the use of shared data in contracts Manual, Disabled 1.1.0
Document security assurance requirements in acquisition contracts CMA_0199 - Document security assurance requirements in acquisition contracts Manual, Disabled 1.1.0
Document security documentation requirements in acquisition contract CMA_0200 - Document security documentation requirements in acquisition contract Manual, Disabled 1.1.0
Document security functional requirements in acquisition contracts CMA_0201 - Document security functional requirements in acquisition contracts Manual, Disabled 1.1.0
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Document the information system environment in acquisition contracts CMA_0205 - Document the information system environment in acquisition contracts Manual, Disabled 1.1.0
Document the protection of cardholder data in third party contracts CMA_0207 - Document the protection of cardholder data in third party contracts Manual, Disabled 1.1.0
Obtain design and implementation information for the security controls CMA_C1576 - Obtain design and implementation information for the security controls Manual, Disabled 1.1.1
Obtain functional properties of security controls CMA_C1575 - Obtain functional properties of security controls Manual, Disabled 1.1.0

Third-party service providers (TPSPs) support their customers' PCI DSS compliance

ID: PCI DSS v4.0 12.9.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define the duties of processors CMA_0127 - Define the duties of processors Manual, Disabled 1.1.0
Record disclosures of PII to third parties CMA_0422 - Record disclosures of PII to third parties Manual, Disabled 1.1.0
Require external service providers to comply with security requirements CMA_C1586 - Require external service providers to comply with security requirements Manual, Disabled 1.1.0

Third-party service providers (TPSPs) support their customers' PCI DSS compliance

ID: PCI DSS v4.0 12.9.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Require external service providers to comply with security requirements CMA_C1586 - Require external service providers to comply with security requirements Manual, Disabled 1.1.0
Review cloud service provider's compliance with policies and agreements CMA_0469 - Review cloud service provider's compliance with policies and agreements Manual, Disabled 1.1.0
Undergo independent security review CMA_0515 - Undergo independent security review Manual, Disabled 1.1.0

Requirement 02: Apply Secure Configurations to All System Components

Processes and mechanisms for applying secure configurations to all system components are defined and understood

ID: PCI DSS v4.0 2.1.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Review and update configuration management policies and procedures CMA_C1175 - Review and update configuration management policies and procedures Manual, Disabled 1.1.0

System components are configured and managed securely

ID: PCI DSS v4.0 2.2.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure actions for noncompliant devices CMA_0062 - Configure actions for noncompliant devices Manual, Disabled 1.1.0
Develop and maintain baseline configurations CMA_0153 - Develop and maintain baseline configurations Manual, Disabled 1.1.0
Enforce security configuration settings CMA_0249 - Enforce security configuration settings Manual, Disabled 1.1.0
Establish a configuration control board CMA_0254 - Establish a configuration control board Manual, Disabled 1.1.0
Establish and document a configuration management plan CMA_0264 - Establish and document a configuration management plan Manual, Disabled 1.1.0
Implement an automated configuration management tool CMA_0311 - Implement an automated configuration management tool Manual, Disabled 1.1.0

System components are configured and managed securely

ID: PCI DSS v4.0 2.2.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Manage Authenticators CMA_C1321 - Manage Authenticators Manual, Disabled 1.1.0

System components are configured and managed securely

ID: PCI DSS v4.0 2.2.5 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Enforce security configuration settings CMA_0249 - Enforce security configuration settings Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0

System components are configured and managed securely

ID: PCI DSS v4.0 2.2.7 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Implement cryptographic mechanisms CMA_C1419 - Implement cryptographic mechanisms Manual, Disabled 1.1.0

Wireless environments are configured and managed securely

ID: PCI DSS v4.0 2.3.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Document and implement wireless access guidelines CMA_0190 - Document and implement wireless access guidelines Manual, Disabled 1.1.0
Identify and authenticate network devices CMA_0296 - Identify and authenticate network devices Manual, Disabled 1.1.0
Protect wireless access CMA_0411 - Protect wireless access Manual, Disabled 1.1.0

Wireless environments are configured and managed securely

ID: PCI DSS v4.0 2.3.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Document and implement wireless access guidelines CMA_0190 - Document and implement wireless access guidelines Manual, Disabled 1.1.0
Identify and authenticate network devices CMA_0296 - Identify and authenticate network devices Manual, Disabled 1.1.0
Protect wireless access CMA_0411 - Protect wireless access Manual, Disabled 1.1.0

Requirement 03: Protect Stored Account Data

Processes and mechanisms for protecting stored account data are defined and understood

ID: PCI DSS v4.0 3.1.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Establish a privacy program CMA_0257 - Establish a privacy program Manual, Disabled 1.1.0
Review and update system and communications protection policies and procedures CMA_C1616 - Review and update system and communications protection policies and procedures Manual, Disabled 1.1.0
Update privacy plan, policies, and procedures CMA_C1807 - Update privacy plan, policies, and procedures Manual, Disabled 1.1.0

Storage of account data is kept to a minimum

ID: PCI DSS v4.0 3.2.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adhere to retention periods defined CMA_0004 - Adhere to retention periods defined Manual, Disabled 1.1.0
Control physical access CMA_0081 - Control physical access Manual, Disabled 1.1.0
Document the legal basis for processing personal information CMA_0206 - Document the legal basis for processing personal information Manual, Disabled 1.1.0
Manage the input, output, processing, and storage of data CMA_0369 - Manage the input, output, processing, and storage of data Manual, Disabled 1.1.0
Obtain consent prior to collection or processing of personal data CMA_0385 - Obtain consent prior to collection or processing of personal data Manual, Disabled 1.1.0
Perform disposition review CMA_0391 - Perform disposition review Manual, Disabled 1.1.0
Review label activity and analytics CMA_0474 - Review label activity and analytics Manual, Disabled 1.1.0
Verify personal data is deleted at the end of processing CMA_0540 - Verify personal data is deleted at the end of processing Manual, Disabled 1.1.0

Sensitive authentication data (SAD) is not stored after authorization

ID: PCI DSS v4.0 3.3.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adhere to retention periods defined CMA_0004 - Adhere to retention periods defined Manual, Disabled 1.1.0
Document the legal basis for processing personal information CMA_0206 - Document the legal basis for processing personal information Manual, Disabled 1.1.0
Implement privacy notice delivery methods CMA_0324 - Implement privacy notice delivery methods Manual, Disabled 1.1.0
Obtain consent prior to collection or processing of personal data CMA_0385 - Obtain consent prior to collection or processing of personal data Manual, Disabled 1.1.0
Perform disposition review CMA_0391 - Perform disposition review Manual, Disabled 1.1.0
Provide privacy notice CMA_0414 - Provide privacy notice Manual, Disabled 1.1.0
Restrict communications CMA_0449 - Restrict communications Manual, Disabled 1.1.0
Verify personal data is deleted at the end of processing CMA_0540 - Verify personal data is deleted at the end of processing Manual, Disabled 1.1.0

Sensitive authentication data (SAD) is not stored after authorization

ID: PCI DSS v4.0 3.3.1.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adhere to retention periods defined CMA_0004 - Adhere to retention periods defined Manual, Disabled 1.1.0
Document the legal basis for processing personal information CMA_0206 - Document the legal basis for processing personal information Manual, Disabled 1.1.0
Implement privacy notice delivery methods CMA_0324 - Implement privacy notice delivery methods Manual, Disabled 1.1.0
Obtain consent prior to collection or processing of personal data CMA_0385 - Obtain consent prior to collection or processing of personal data Manual, Disabled 1.1.0
Perform disposition review CMA_0391 - Perform disposition review Manual, Disabled 1.1.0
Provide privacy notice CMA_0414 - Provide privacy notice Manual, Disabled 1.1.0
Restrict communications CMA_0449 - Restrict communications Manual, Disabled 1.1.0
Verify personal data is deleted at the end of processing CMA_0540 - Verify personal data is deleted at the end of processing Manual, Disabled 1.1.0

Sensitive authentication data (SAD) is not stored after authorization

ID: PCI DSS v4.0 3.3.1.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Document the legal basis for processing personal information CMA_0206 - Document the legal basis for processing personal information Manual, Disabled 1.1.0
Implement privacy notice delivery methods CMA_0324 - Implement privacy notice delivery methods Manual, Disabled 1.1.0
Obtain consent prior to collection or processing of personal data CMA_0385 - Obtain consent prior to collection or processing of personal data Manual, Disabled 1.1.0
Provide privacy notice CMA_0414 - Provide privacy notice Manual, Disabled 1.1.0
Restrict communications CMA_0449 - Restrict communications Manual, Disabled 1.1.0

Sensitive authentication data (SAD) is not stored after authorization

ID: PCI DSS v4.0 3.3.1.3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adhere to retention periods defined CMA_0004 - Adhere to retention periods defined Manual, Disabled 1.1.0
Document the legal basis for processing personal information CMA_0206 - Document the legal basis for processing personal information Manual, Disabled 1.1.0
Implement privacy notice delivery methods CMA_0324 - Implement privacy notice delivery methods Manual, Disabled 1.1.0
Obtain consent prior to collection or processing of personal data CMA_0385 - Obtain consent prior to collection or processing of personal data Manual, Disabled 1.1.0
Perform disposition review CMA_0391 - Perform disposition review Manual, Disabled 1.1.0
Provide privacy notice CMA_0414 - Provide privacy notice Manual, Disabled 1.1.0
Restrict communications CMA_0449 - Restrict communications Manual, Disabled 1.1.0
Verify personal data is deleted at the end of processing CMA_0540 - Verify personal data is deleted at the end of processing Manual, Disabled 1.1.0

Sensitive authentication data (SAD) is not stored after authorization

ID: PCI DSS v4.0 3.3.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authenticate to cryptographic module CMA_0021 - Authenticate to cryptographic module Manual, Disabled 1.1.0

Sensitive authentication data (SAD) is not stored after authorization

ID: PCI DSS v4.0 3.3.3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Accounts with owner permissions on Azure resources should be MFA enabled Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0
Accounts with write permissions on Azure resources should be MFA enabled Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0
An Azure Active Directory administrator should be provisioned for SQL servers Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services AuditIfNotExists, Disabled 1.0.0
Audit usage of custom RBAC roles Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling Audit, Disabled 1.0.1
Authenticate to cryptographic module CMA_0021 - Authenticate to cryptographic module Manual, Disabled 1.1.0
Document the legal basis for processing personal information CMA_0206 - Document the legal basis for processing personal information Manual, Disabled 1.1.0
Guest accounts with owner permissions on Azure resources should be removed External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 1.0.0
Guest accounts with read permissions on Azure resources should be removed External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 1.0.0
Guest accounts with write permissions on Azure resources should be removed External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 1.0.0
Implement privacy notice delivery methods CMA_0324 - Implement privacy notice delivery methods Manual, Disabled 1.1.0
Obtain consent prior to collection or processing of personal data CMA_0385 - Obtain consent prior to collection or processing of personal data Manual, Disabled 1.1.0
Provide privacy notice CMA_0414 - Provide privacy notice Manual, Disabled 1.1.0
Restrict communications CMA_0449 - Restrict communications Manual, Disabled 1.1.0

Access to displays of full PAN and ability to copy cardholder data are restricted

ID: PCI DSS v4.0 3.4.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Implement privacy notice delivery methods CMA_0324 - Implement privacy notice delivery methods Manual, Disabled 1.1.0
Provide privacy notice CMA_0414 - Provide privacy notice Manual, Disabled 1.1.0
Restrict communications CMA_0449 - Restrict communications Manual, Disabled 1.1.0

Access to displays of full PAN and ability to copy cardholder data are restricted

ID: PCI DSS v4.0 3.4.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Implement privacy notice delivery methods CMA_0324 - Implement privacy notice delivery methods Manual, Disabled 1.1.0
Provide privacy notice CMA_0414 - Provide privacy notice Manual, Disabled 1.1.0
Restrict communications CMA_0449 - Restrict communications Manual, Disabled 1.1.0

Primary account number (PAN) is secured wherever it is stored

ID: PCI DSS v4.0 3.5.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
App Service apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled, Deny 4.0.0
Automation account variables should be encrypted It is important to enable encryption of Automation account variable assets when storing sensitive data Audit, Deny, Disabled 1.1.0
Establish a data leakage management procedure CMA_0255 - Establish a data leakage management procedure Manual, Disabled 1.1.0
Function apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled, Deny 5.0.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Only secure connections to your Azure Cache for Redis should be enabled Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit, Deny, Disabled 1.0.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Protect special information CMA_0409 - Protect special information Manual, Disabled 1.1.0
Secure transfer to storage accounts should be enabled Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit, Deny, Disabled 2.0.0
Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed Audit, Deny, Disabled 1.1.0
Transparent Data Encryption on SQL databases should be enabled Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements AuditIfNotExists, Disabled 2.0.0

Primary account number (PAN) is secured wherever it is stored

ID: PCI DSS v4.0 3.5.1.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Establish a data leakage management procedure CMA_0255 - Establish a data leakage management procedure Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Protect special information CMA_0409 - Protect special information Manual, Disabled 1.1.0

Primary account number (PAN) is secured wherever it is stored

ID: PCI DSS v4.0 3.5.1.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Establish a data leakage management procedure CMA_0255 - Establish a data leakage management procedure Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Protect special information CMA_0409 - Protect special information Manual, Disabled 1.1.0

Primary account number (PAN) is secured wherever it is stored

ID: PCI DSS v4.0 3.5.1.3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Establish a data leakage management procedure CMA_0255 - Establish a data leakage management procedure Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Protect special information CMA_0409 - Protect special information Manual, Disabled 1.1.0

Cryptographic keys used to protect stored account data are secured

ID: PCI DSS v4.0 3.6.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define a physical key management process CMA_0115 - Define a physical key management process Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Define organizational requirements for cryptographic key management CMA_0123 - Define organizational requirements for cryptographic key management Manual, Disabled 1.1.0
Determine assertion requirements CMA_0136 - Determine assertion requirements Manual, Disabled 1.1.0
Issue public key certificates CMA_0347 - Issue public key certificates Manual, Disabled 1.1.0
Manage symmetric cryptographic keys CMA_0367 - Manage symmetric cryptographic keys Manual, Disabled 1.1.0
Restrict access to private keys CMA_0445 - Restrict access to private keys Manual, Disabled 1.1.0

Cryptographic keys used to protect stored account data are secured

ID: PCI DSS v4.0 3.6.1.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define a physical key management process CMA_0115 - Define a physical key management process Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Define organizational requirements for cryptographic key management CMA_0123 - Define organizational requirements for cryptographic key management Manual, Disabled 1.1.0
Determine assertion requirements CMA_0136 - Determine assertion requirements Manual, Disabled 1.1.0
Issue public key certificates CMA_0347 - Issue public key certificates Manual, Disabled 1.1.0
Manage symmetric cryptographic keys CMA_0367 - Manage symmetric cryptographic keys Manual, Disabled 1.1.0
Restrict access to private keys CMA_0445 - Restrict access to private keys Manual, Disabled 1.1.0

Cryptographic keys used to protect stored account data are secured

ID: PCI DSS v4.0 3.6.1.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define a physical key management process CMA_0115 - Define a physical key management process Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Define organizational requirements for cryptographic key management CMA_0123 - Define organizational requirements for cryptographic key management Manual, Disabled 1.1.0
Determine assertion requirements CMA_0136 - Determine assertion requirements Manual, Disabled 1.1.0
Issue public key certificates CMA_0347 - Issue public key certificates Manual, Disabled 1.1.0
Manage symmetric cryptographic keys CMA_0367 - Manage symmetric cryptographic keys Manual, Disabled 1.1.0
Produce, control and distribute symmetric cryptographic keys CMA_C1645 - Produce, control and distribute symmetric cryptographic keys Manual, Disabled 1.1.0
Restrict access to private keys CMA_0445 - Restrict access to private keys Manual, Disabled 1.1.0

Cryptographic keys used to protect stored account data are secured

ID: PCI DSS v4.0 3.6.1.3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define a physical key management process CMA_0115 - Define a physical key management process Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Define organizational requirements for cryptographic key management CMA_0123 - Define organizational requirements for cryptographic key management Manual, Disabled 1.1.0
Determine assertion requirements CMA_0136 - Determine assertion requirements Manual, Disabled 1.1.0
Issue public key certificates CMA_0347 - Issue public key certificates Manual, Disabled 1.1.0
Manage symmetric cryptographic keys CMA_0367 - Manage symmetric cryptographic keys Manual, Disabled 1.1.0
Restrict access to private keys CMA_0445 - Restrict access to private keys Manual, Disabled 1.1.0

Cryptographic keys used to protect stored account data are secured

ID: PCI DSS v4.0 3.6.1.4 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define a physical key management process CMA_0115 - Define a physical key management process Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Define organizational requirements for cryptographic key management CMA_0123 - Define organizational requirements for cryptographic key management Manual, Disabled 1.1.0
Determine assertion requirements CMA_0136 - Determine assertion requirements Manual, Disabled 1.1.0
Issue public key certificates CMA_0347 - Issue public key certificates Manual, Disabled 1.1.0
Manage symmetric cryptographic keys CMA_0367 - Manage symmetric cryptographic keys Manual, Disabled 1.1.0
Restrict access to private keys CMA_0445 - Restrict access to private keys Manual, Disabled 1.1.0

Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented

ID: PCI DSS v4.0 3.7.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define a physical key management process CMA_0115 - Define a physical key management process Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Define organizational requirements for cryptographic key management CMA_0123 - Define organizational requirements for cryptographic key management Manual, Disabled 1.1.0
Determine assertion requirements CMA_0136 - Determine assertion requirements Manual, Disabled 1.1.0
Issue public key certificates CMA_0347 - Issue public key certificates Manual, Disabled 1.1.0
Manage symmetric cryptographic keys CMA_0367 - Manage symmetric cryptographic keys Manual, Disabled 1.1.0
Restrict access to private keys CMA_0445 - Restrict access to private keys Manual, Disabled 1.1.0

Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented

ID: PCI DSS v4.0 3.7.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define a physical key management process CMA_0115 - Define a physical key management process Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Define organizational requirements for cryptographic key management CMA_0123 - Define organizational requirements for cryptographic key management Manual, Disabled 1.1.0
Determine assertion requirements CMA_0136 - Determine assertion requirements Manual, Disabled 1.1.0
Issue public key certificates CMA_0347 - Issue public key certificates Manual, Disabled 1.1.0
Manage symmetric cryptographic keys CMA_0367 - Manage symmetric cryptographic keys Manual, Disabled 1.1.0
Produce, control and distribute symmetric cryptographic keys CMA_C1645 - Produce, control and distribute symmetric cryptographic keys Manual, Disabled 1.1.0
Restrict access to private keys CMA_0445 - Restrict access to private keys Manual, Disabled 1.1.0

Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented

ID: PCI DSS v4.0 3.7.3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define a physical key management process CMA_0115 - Define a physical key management process Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Define organizational requirements for cryptographic key management CMA_0123 - Define organizational requirements for cryptographic key management Manual, Disabled 1.1.0
Determine assertion requirements CMA_0136 - Determine assertion requirements Manual, Disabled 1.1.0
Issue public key certificates CMA_0347 - Issue public key certificates Manual, Disabled 1.1.0
Maintain availability of information CMA_C1644 - Maintain availability of information Manual, Disabled 1.1.0
Manage symmetric cryptographic keys CMA_0367 - Manage symmetric cryptographic keys Manual, Disabled 1.1.0
Produce, control and distribute symmetric cryptographic keys CMA_C1645 - Produce, control and distribute symmetric cryptographic keys Manual, Disabled 1.1.0
Restrict access to private keys CMA_0445 - Restrict access to private keys Manual, Disabled 1.1.0

Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented

ID: PCI DSS v4.0 3.7.4 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define a physical key management process CMA_0115 - Define a physical key management process Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Define organizational requirements for cryptographic key management CMA_0123 - Define organizational requirements for cryptographic key management Manual, Disabled 1.1.0
Determine assertion requirements CMA_0136 - Determine assertion requirements Manual, Disabled 1.1.0
Issue public key certificates CMA_0347 - Issue public key certificates Manual, Disabled 1.1.0
Manage symmetric cryptographic keys CMA_0367 - Manage symmetric cryptographic keys Manual, Disabled 1.1.0
Restrict access to private keys CMA_0445 - Restrict access to private keys Manual, Disabled 1.1.0

Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented

ID: PCI DSS v4.0 3.7.5 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define a physical key management process CMA_0115 - Define a physical key management process Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Define organizational requirements for cryptographic key management CMA_0123 - Define organizational requirements for cryptographic key management Manual, Disabled 1.1.0
Determine assertion requirements CMA_0136 - Determine assertion requirements Manual, Disabled 1.1.0
Issue public key certificates CMA_0347 - Issue public key certificates Manual, Disabled 1.1.0
Manage symmetric cryptographic keys CMA_0367 - Manage symmetric cryptographic keys Manual, Disabled 1.1.0
Restrict access to private keys CMA_0445 - Restrict access to private keys Manual, Disabled 1.1.0

Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented

ID: PCI DSS v4.0 3.7.6 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define a physical key management process CMA_0115 - Define a physical key management process Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Define organizational requirements for cryptographic key management CMA_0123 - Define organizational requirements for cryptographic key management Manual, Disabled 1.1.0
Determine assertion requirements CMA_0136 - Determine assertion requirements Manual, Disabled 1.1.0
Issue public key certificates CMA_0347 - Issue public key certificates Manual, Disabled 1.1.0
Manage symmetric cryptographic keys CMA_0367 - Manage symmetric cryptographic keys Manual, Disabled 1.1.0
Restrict access to private keys CMA_0445 - Restrict access to private keys Manual, Disabled 1.1.0

Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented

ID: PCI DSS v4.0 3.7.7 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define a physical key management process CMA_0115 - Define a physical key management process Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Define organizational requirements for cryptographic key management CMA_0123 - Define organizational requirements for cryptographic key management Manual, Disabled 1.1.0
Determine assertion requirements CMA_0136 - Determine assertion requirements Manual, Disabled 1.1.0
Issue public key certificates CMA_0347 - Issue public key certificates Manual, Disabled 1.1.0
Manage symmetric cryptographic keys CMA_0367 - Manage symmetric cryptographic keys Manual, Disabled 1.1.0
Restrict access to private keys CMA_0445 - Restrict access to private keys Manual, Disabled 1.1.0

Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented

ID: PCI DSS v4.0 3.7.8 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define a physical key management process CMA_0115 - Define a physical key management process Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Define organizational requirements for cryptographic key management CMA_0123 - Define organizational requirements for cryptographic key management Manual, Disabled 1.1.0
Determine assertion requirements CMA_0136 - Determine assertion requirements Manual, Disabled 1.1.0
Issue public key certificates CMA_0347 - Issue public key certificates Manual, Disabled 1.1.0
Manage symmetric cryptographic keys CMA_0367 - Manage symmetric cryptographic keys Manual, Disabled 1.1.0
Restrict access to private keys CMA_0445 - Restrict access to private keys Manual, Disabled 1.1.0

Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented

ID: PCI DSS v4.0 3.7.9 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define a physical key management process CMA_0115 - Define a physical key management process Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Define organizational requirements for cryptographic key management CMA_0123 - Define organizational requirements for cryptographic key management Manual, Disabled 1.1.0
Determine assertion requirements CMA_0136 - Determine assertion requirements Manual, Disabled 1.1.0
Issue public key certificates CMA_0347 - Issue public key certificates Manual, Disabled 1.1.0
Manage symmetric cryptographic keys CMA_0367 - Manage symmetric cryptographic keys Manual, Disabled 1.1.0
Restrict access to private keys CMA_0445 - Restrict access to private keys Manual, Disabled 1.1.0

Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks

Processes and mechanisms for protecting cardholder data with strong cryptography during transmission over open, public networks are defined and documented

ID: PCI DSS v4.0 4.1.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Review and update system and communications protection policies and procedures CMA_C1616 - Review and update system and communications protection policies and procedures Manual, Disabled 1.1.0

PAN is protected with strong cryptography during transmission

ID: PCI DSS v4.0 4.2.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Define a physical key management process CMA_0115 - Define a physical key management process Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Define organizational requirements for cryptographic key management CMA_0123 - Define organizational requirements for cryptographic key management Manual, Disabled 1.1.0
Determine assertion requirements CMA_0136 - Determine assertion requirements Manual, Disabled 1.1.0
Issue public key certificates CMA_0347 - Issue public key certificates Manual, Disabled 1.1.0
Manage symmetric cryptographic keys CMA_0367 - Manage symmetric cryptographic keys Manual, Disabled 1.1.0
Produce, control and distribute asymmetric cryptographic keys CMA_C1646 - Produce, control and distribute asymmetric cryptographic keys Manual, Disabled 1.1.0
Produce, control and distribute symmetric cryptographic keys CMA_C1645 - Produce, control and distribute symmetric cryptographic keys Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0
Restrict access to private keys CMA_0445 - Restrict access to private keys Manual, Disabled 1.1.0

PAN is protected with strong cryptography during transmission

ID: PCI DSS v4.0 4.2.1.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define a physical key management process CMA_0115 - Define a physical key management process Manual, Disabled 1.1.0
Define cryptographic use CMA_0120 - Define cryptographic use Manual, Disabled 1.1.0
Define organizational requirements for cryptographic key management CMA_0123 - Define organizational requirements for cryptographic key management Manual, Disabled 1.1.0
Determine assertion requirements CMA_0136 - Determine assertion requirements Manual, Disabled 1.1.0
Issue public key certificates CMA_0347 - Issue public key certificates Manual, Disabled 1.1.0
Maintain availability of information CMA_C1644 - Maintain availability of information Manual, Disabled 1.1.0
Manage symmetric cryptographic keys CMA_0367 - Manage symmetric cryptographic keys Manual, Disabled 1.1.0
Restrict access to private keys CMA_0445 - Restrict access to private keys Manual, Disabled 1.1.0

PAN is protected with strong cryptography during transmission

ID: PCI DSS v4.0 4.2.1.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Document and implement wireless access guidelines CMA_0190 - Document and implement wireless access guidelines Manual, Disabled 1.1.0
Identify and authenticate network devices CMA_0296 - Identify and authenticate network devices Manual, Disabled 1.1.0
Protect wireless access CMA_0411 - Protect wireless access Manual, Disabled 1.1.0

PAN is protected with strong cryptography during transmission

ID: PCI DSS v4.0 4.2.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Configure workstations to check for digital certificates CMA_0073 - Configure workstations to check for digital certificates Manual, Disabled 1.1.0
Protect data in transit using encryption CMA_0403 - Protect data in transit using encryption Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0

Requirement 05: Protect All Systems and Networks from Malicious Software

Processes and mechanisms for protecting all systems and networks from malicious software are defined and understood

ID: PCI DSS v4.0 5.1.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Review and update information integrity policies and procedures CMA_C1667 - Review and update information integrity policies and procedures Manual, Disabled 1.1.0

Malicious software (malware) is prevented, or detected and addressed

ID: PCI DSS v4.0 5.2.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
A vulnerability assessment solution should be enabled on your virtual machines Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. AuditIfNotExists, Disabled 3.0.0
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Review threat protection status weekly CMA_0479 - Review threat protection status weekly Manual, Disabled 1.1.0
SQL databases should have vulnerability findings resolved Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. AuditIfNotExists, Disabled 4.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0
Vulnerabilities in security configuration on your machines should be remediated Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 3.1.0

Malicious software (malware) is prevented, or detected and addressed

ID: PCI DSS v4.0 5.2.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
A vulnerability assessment solution should be enabled on your virtual machines Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. AuditIfNotExists, Disabled 3.0.0
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Review threat protection status weekly CMA_0479 - Review threat protection status weekly Manual, Disabled 1.1.0
SQL databases should have vulnerability findings resolved Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. AuditIfNotExists, Disabled 4.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0
Vulnerabilities in security configuration on your machines should be remediated Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 3.1.0

Malicious software (malware) is prevented, or detected and addressed

ID: PCI DSS v4.0 5.2.3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
A vulnerability assessment solution should be enabled on your virtual machines Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. AuditIfNotExists, Disabled 3.0.0
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Review threat protection status weekly CMA_0479 - Review threat protection status weekly Manual, Disabled 1.1.0
SQL databases should have vulnerability findings resolved Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. AuditIfNotExists, Disabled 4.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0
Vulnerabilities in security configuration on your machines should be remediated Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 3.1.0

Malicious software (malware) is prevented, or detected and addressed

ID: PCI DSS v4.0 5.2.3.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct Risk Assessment CMA_C1543 - Conduct Risk Assessment Manual, Disabled 1.1.0
Conduct risk assessment and document its results CMA_C1542 - Conduct risk assessment and document its results Manual, Disabled 1.1.0
Perform a risk assessment CMA_0388 - Perform a risk assessment Manual, Disabled 1.1.0

Anti-malware mechanisms and processes are active, maintained, and monitored

ID: PCI DSS v4.0 5.3.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0

Anti-malware mechanisms and processes are active, maintained, and monitored

ID: PCI DSS v4.0 5.3.3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Review threat protection status weekly CMA_0479 - Review threat protection status weekly Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0

Anti-malware mechanisms and processes are active, maintained, and monitored

ID: PCI DSS v4.0 5.3.4 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adhere to retention periods defined CMA_0004 - Adhere to retention periods defined Manual, Disabled 1.1.0
Determine auditable events CMA_0137 - Determine auditable events Manual, Disabled 1.1.0
Retain security policies and procedures CMA_0454 - Retain security policies and procedures Manual, Disabled 1.1.0
Retain terminated user data CMA_0455 - Retain terminated user data Manual, Disabled 1.1.0

Anti-malware mechanisms and processes are active, maintained, and monitored

ID: PCI DSS v4.0 5.3.5 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct a security impact analysis CMA_0057 - Conduct a security impact analysis Manual, Disabled 1.1.0
Develop and maintain a vulnerability management standard CMA_0152 - Develop and maintain a vulnerability management standard Manual, Disabled 1.1.0
Establish a risk management strategy CMA_0258 - Establish a risk management strategy Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Perform a privacy impact assessment CMA_0387 - Perform a privacy impact assessment Manual, Disabled 1.1.0
Perform a risk assessment CMA_0388 - Perform a risk assessment Manual, Disabled 1.1.0
Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Manual, Disabled 1.1.0

Anti-phishing mechanisms protect users against phishing attacks

ID: PCI DSS v4.0 5.4.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Block untrusted and unsigned processes that run from USB CMA_0050 - Block untrusted and unsigned processes that run from USB Manual, Disabled 1.1.0
Manage gateways CMA_0363 - Manage gateways Manual, Disabled 1.1.0
Perform a trend analysis on threats CMA_0389 - Perform a trend analysis on threats Manual, Disabled 1.1.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Review malware detections report weekly CMA_0475 - Review malware detections report weekly Manual, Disabled 1.1.0
Review threat protection status weekly CMA_0479 - Review threat protection status weekly Manual, Disabled 1.1.0
Update antivirus definitions CMA_0517 - Update antivirus definitions Manual, Disabled 1.1.0

Requirement 06: Develop and Maintain Secure Systems and Software

Processes and mechanisms for developing and maintaining secure systems and software are defined and understood

ID: PCI DSS v4.0 6.1.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Review and update configuration management policies and procedures CMA_C1175 - Review and update configuration management policies and procedures Manual, Disabled 1.1.0
Review and update system and services acquisition policies and procedures CMA_C1560 - Review and update system and services acquisition policies and procedures Manual, Disabled 1.1.0

Bespoke and custom software are developed securely

ID: PCI DSS v4.0 6.2.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Provide periodic role-based security training CMA_C1095 - Provide periodic role-based security training Manual, Disabled 1.1.0
Provide security training before providing access CMA_0418 - Provide security training before providing access Manual, Disabled 1.1.0

Bespoke and custom software are developed securely

ID: PCI DSS v4.0 6.2.3.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Separate duties of individuals CMA_0492 - Separate duties of individuals Manual, Disabled 1.1.0

Bespoke and custom software are developed securely

ID: PCI DSS v4.0 6.2.4 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
App Service apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled, Deny 4.0.0
Automation account variables should be encrypted It is important to enable encryption of Automation account variable assets when storing sensitive data Audit, Deny, Disabled 1.1.0
Function apps should only be accessible over HTTPS Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Audit, Disabled, Deny 5.0.0
Only secure connections to your Azure Cache for Redis should be enabled Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit, Deny, Disabled 1.0.0
Secure transfer to storage accounts should be enabled Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking Audit, Deny, Disabled 2.0.0
Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed Audit, Deny, Disabled 1.1.0
Transparent Data Encryption on SQL databases should be enabled Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements AuditIfNotExists, Disabled 2.0.0

Security vulnerabilities are identified and addressed

ID: PCI DSS v4.0 6.3.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Disseminate security alerts to personnel CMA_C1705 - Disseminate security alerts to personnel Manual, Disabled 1.1.0
Establish a threat intelligence program CMA_0260 - Establish a threat intelligence program Manual, Disabled 1.1.0
Implement security directives CMA_C1706 - Implement security directives Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0

Security vulnerabilities are identified and addressed

ID: PCI DSS v4.0 6.3.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Obtain Admin documentation CMA_C1580 - Obtain Admin documentation Manual, Disabled 1.1.0

Security vulnerabilities are identified and addressed

ID: PCI DSS v4.0 6.3.3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
A vulnerability assessment solution should be enabled on your virtual machines Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. AuditIfNotExists, Disabled 3.0.0
SQL databases should have vulnerability findings resolved Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. AuditIfNotExists, Disabled 4.1.0
Vulnerabilities in security configuration on your machines should be remediated Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 3.1.0

Public-facing web applications are protected against attacks

ID: PCI DSS v4.0 6.4.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
A vulnerability assessment solution should be enabled on your virtual machines Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. AuditIfNotExists, Disabled 3.0.0
Perform vulnerability scans CMA_0393 - Perform vulnerability scans Manual, Disabled 1.1.0
Remediate information system flaws CMA_0427 - Remediate information system flaws Manual, Disabled 1.1.0
SQL databases should have vulnerability findings resolved Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. AuditIfNotExists, Disabled 4.1.0
Vulnerabilities in security configuration on your machines should be remediated Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations AuditIfNotExists, Disabled 3.1.0

Public-facing web applications are protected against attacks

ID: PCI DSS v4.0 6.4.3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Verify software, firmware and information integrity CMA_0542 - Verify software, firmware and information integrity Manual, Disabled 1.1.0
View and configure system diagnostic data CMA_0544 - View and configure system diagnostic data Manual, Disabled 1.1.0

Changes to all system components are managed securely

ID: PCI DSS v4.0 6.5.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct a security impact analysis CMA_0057 - Conduct a security impact analysis Manual, Disabled 1.1.0
Develop and maintain a vulnerability management standard CMA_0152 - Develop and maintain a vulnerability management standard Manual, Disabled 1.1.0
Establish a risk management strategy CMA_0258 - Establish a risk management strategy Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Perform a privacy impact assessment CMA_0387 - Perform a privacy impact assessment Manual, Disabled 1.1.0
Perform a risk assessment CMA_0388 - Perform a risk assessment Manual, Disabled 1.1.0
Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Manual, Disabled 1.1.0

Changes to all system components are managed securely

ID: PCI DSS v4.0 6.5.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Require developers to manage change integrity CMA_C1595 - Require developers to manage change integrity Manual, Disabled 1.1.0

Changes to all system components are managed securely

ID: PCI DSS v4.0 6.5.3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct a security impact analysis CMA_0057 - Conduct a security impact analysis Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Limit privileges to make changes in production environment CMA_C1206 - Limit privileges to make changes in production environment Manual, Disabled 1.1.0
Perform a privacy impact assessment CMA_0387 - Perform a privacy impact assessment Manual, Disabled 1.1.0
Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Manual, Disabled 1.1.0

Changes to all system components are managed securely

ID: PCI DSS v4.0 6.5.4 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct a security impact analysis CMA_0057 - Conduct a security impact analysis Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Limit privileges to make changes in production environment CMA_C1206 - Limit privileges to make changes in production environment Manual, Disabled 1.1.0
Perform a privacy impact assessment CMA_0387 - Perform a privacy impact assessment Manual, Disabled 1.1.0
Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Manual, Disabled 1.1.0

Changes to all system components are managed securely

ID: PCI DSS v4.0 6.5.5 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Incorporate security and data privacy practices in research processing CMA_0331 - Incorporate security and data privacy practices in research processing Manual, Disabled 1.1.0

Changes to all system components are managed securely

ID: PCI DSS v4.0 6.5.6 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Conduct a security impact analysis CMA_0057 - Conduct a security impact analysis Manual, Disabled 1.1.0
Establish and document change control processes CMA_0265 - Establish and document change control processes Manual, Disabled 1.1.0
Establish configuration management requirements for developers CMA_0270 - Establish configuration management requirements for developers Manual, Disabled 1.1.0
Perform a privacy impact assessment CMA_0387 - Perform a privacy impact assessment Manual, Disabled 1.1.0
Perform audit for configuration change control CMA_0390 - Perform audit for configuration change control Manual, Disabled 1.1.0

Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know

Processes and mechanisms for restricting access to system components and cardholder data by business need to know are defined and understood

ID: PCI DSS v4.0 7.1.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop access control policies and procedures CMA_0144 - Develop access control policies and procedures Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Govern policies and procedures CMA_0292 - Govern policies and procedures Manual, Disabled 1.1.0
Review access control policies and procedures CMA_0457 - Review access control policies and procedures Manual, Disabled 1.1.0

Processes and mechanisms for restricting access to system components and cardholder data by business need to know are defined and understood

ID: PCI DSS v4.0 7.1.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Develop access control policies and procedures CMA_0144 - Develop access control policies and procedures Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Govern policies and procedures CMA_0292 - Govern policies and procedures Manual, Disabled 1.1.0

Access to system components and data is appropriately defined and assigned

ID: PCI DSS v4.0 7.2.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
A maximum of 3 owners should be designated for your subscription It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. AuditIfNotExists, Disabled 3.0.0
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Design an access control model CMA_0129 - Design an access control model Manual, Disabled 1.1.0
Employ least privilege access CMA_0212 - Employ least privilege access Manual, Disabled 1.1.0
Enforce logical access CMA_0245 - Enforce logical access Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0
Review user groups and applications with access to sensitive data CMA_0481 - Review user groups and applications with access to sensitive data Manual, Disabled 1.1.0
There should be more than one owner assigned to your subscription It is recommended to designate more than one subscription owner in order to have administrator access redundancy. AuditIfNotExists, Disabled 3.0.0

Access to system components and data is appropriately defined and assigned

ID: PCI DSS v4.0 7.2.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
A maximum of 3 owners should be designated for your subscription It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. AuditIfNotExists, Disabled 3.0.0
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Design an access control model CMA_0129 - Design an access control model Manual, Disabled 1.1.0
Employ least privilege access CMA_0212 - Employ least privilege access Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
There should be more than one owner assigned to your subscription It is recommended to designate more than one subscription owner in order to have administrator access redundancy. AuditIfNotExists, Disabled 3.0.0

Access to system components and data is appropriately defined and assigned

ID: PCI DSS v4.0 7.2.3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Design an access control model CMA_0129 - Design an access control model Manual, Disabled 1.1.0
Employ least privilege access CMA_0212 - Employ least privilege access Manual, Disabled 1.1.0
Enforce logical access CMA_0245 - Enforce logical access Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0
Review user groups and applications with access to sensitive data CMA_0481 - Review user groups and applications with access to sensitive data Manual, Disabled 1.1.0

Access to system components and data is appropriately defined and assigned

ID: PCI DSS v4.0 7.2.4 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Audit user account status CMA_0020 - Audit user account status Manual, Disabled 1.1.0
Review account provisioning logs CMA_0460 - Review account provisioning logs Manual, Disabled 1.1.0
Review user accounts CMA_0480 - Review user accounts Manual, Disabled 1.1.0
Review user privileges CMA_C1039 - Review user privileges Manual, Disabled 1.1.0

Access to system components and data is appropriately defined and assigned

ID: PCI DSS v4.0 7.2.5 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define information system account types CMA_0121 - Define information system account types Manual, Disabled 1.1.0

Access to system components and data is appropriately defined and assigned

ID: PCI DSS v4.0 7.2.5.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Monitor account activity CMA_0377 - Monitor account activity Manual, Disabled 1.1.0

Access to system components and data is appropriately defined and assigned

ID: PCI DSS v4.0 7.2.6 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Design an access control model CMA_0129 - Design an access control model Manual, Disabled 1.1.0
Employ least privilege access CMA_0212 - Employ least privilege access Manual, Disabled 1.1.0
Enforce logical access CMA_0245 - Enforce logical access Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0
Review user groups and applications with access to sensitive data CMA_0481 - Review user groups and applications with access to sensitive data Manual, Disabled 1.1.0

Access to system components and data is managed via an access control system(s)

ID: PCI DSS v4.0 7.3.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Accounts with owner permissions on Azure resources should be MFA enabled Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0
Accounts with write permissions on Azure resources should be MFA enabled Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0
An Azure Active Directory administrator should be provisioned for SQL servers Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services AuditIfNotExists, Disabled 1.0.0
Audit usage of custom RBAC roles Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling Audit, Disabled 1.0.1
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Automate account management CMA_0026 - Automate account management Manual, Disabled 1.1.0
Enforce logical access CMA_0245 - Enforce logical access Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Guest accounts with owner permissions on Azure resources should be removed External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 1.0.0
Guest accounts with read permissions on Azure resources should be removed External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 1.0.0
Guest accounts with write permissions on Azure resources should be removed External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 1.0.0
Manage system and admin accounts CMA_0368 - Manage system and admin accounts Manual, Disabled 1.1.0
Monitor access across the organization CMA_0376 - Monitor access across the organization Manual, Disabled 1.1.0
Notify when account is not needed CMA_0383 - Notify when account is not needed Manual, Disabled 1.1.0
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0
Review user groups and applications with access to sensitive data CMA_0481 - Review user groups and applications with access to sensitive data Manual, Disabled 1.1.0

Access to system components and data is managed via an access control system(s)

ID: PCI DSS v4.0 7.3.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Automate account management CMA_0026 - Automate account management Manual, Disabled 1.1.0
Enforce logical access CMA_0245 - Enforce logical access Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Manage system and admin accounts CMA_0368 - Manage system and admin accounts Manual, Disabled 1.1.0
Monitor access across the organization CMA_0376 - Monitor access across the organization Manual, Disabled 1.1.0
Notify when account is not needed CMA_0383 - Notify when account is not needed Manual, Disabled 1.1.0
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0
Review user groups and applications with access to sensitive data CMA_0481 - Review user groups and applications with access to sensitive data Manual, Disabled 1.1.0

Access to system components and data is managed via an access control system(s)

ID: PCI DSS v4.0 7.3.3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Authorize access to security functions and information CMA_0022 - Authorize access to security functions and information Manual, Disabled 1.1.0
Authorize and manage access CMA_0023 - Authorize and manage access Manual, Disabled 1.1.0
Enforce logical access CMA_0245 - Enforce logical access Manual, Disabled 1.1.0
Enforce mandatory and discretionary access control policies CMA_0246 - Enforce mandatory and discretionary access control policies Manual, Disabled 1.1.0
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0
Review user groups and applications with access to sensitive data CMA_0481 - Review user groups and applications with access to sensitive data Manual, Disabled 1.1.0

Requirement 08: Identify Users and Authenticate Access to System Components

Processes and mechanisms for identifying users and authenticating access to system components are defined and understood

ID: PCI DSS v4.0 8.1.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Review and update identification and authentication policies and procedures CMA_C1299 - Review and update identification and authentication policies and procedures Manual, Disabled 1.1.0

ID: PCI DSS v4.0 8.2.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assign system identifiers CMA_0018 - Assign system identifiers Manual, Disabled 1.1.0
Enforce user uniqueness CMA_0250 - Enforce user uniqueness Manual, Disabled 1.1.0
Support personal verification credentials issued by legal authorities CMA_0507 - Support personal verification credentials issued by legal authorities Manual, Disabled 1.1.0

ID: PCI DSS v4.0 8.2.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define and enforce conditions for shared and group accounts CMA_0117 - Define and enforce conditions for shared and group accounts Manual, Disabled 1.1.0
Reissue authenticators for changed groups and accounts CMA_0426 - Reissue authenticators for changed groups and accounts Manual, Disabled 1.1.0
Require use of individual authenticators CMA_C1305 - Require use of individual authenticators Manual, Disabled 1.1.0
Terminate customer controlled account credentials CMA_C1022 - Terminate customer controlled account credentials Manual, Disabled 1.1.0

ID: PCI DSS v4.0 8.2.3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Manual, Disabled 1.1.0
Identify and authenticate network devices CMA_0296 - Identify and authenticate network devices Manual, Disabled 1.1.0
Satisfy token quality requirements CMA_0487 - Satisfy token quality requirements Manual, Disabled 1.1.0

ID: PCI DSS v4.0 8.2.4 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Assign system identifiers CMA_0018 - Assign system identifiers Manual, Disabled 1.1.0
Blocked accounts with owner permissions on Azure resources should be removed Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. AuditIfNotExists, Disabled 1.0.0
Blocked accounts with read and write permissions on Azure resources should be removed Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. AuditIfNotExists, Disabled 1.0.0
Guest accounts with owner permissions on Azure resources should be removed External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 1.0.0
Guest accounts with read permissions on Azure resources should be removed External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 1.0.0
Guest accounts with write permissions on Azure resources should be removed External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 1.0.0
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0

ID: PCI DSS v4.0 8.2.5 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Blocked accounts with owner permissions on Azure resources should be removed Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. AuditIfNotExists, Disabled 1.0.0
Blocked accounts with read and write permissions on Azure resources should be removed Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. AuditIfNotExists, Disabled 1.0.0

ID: PCI DSS v4.0 8.2.6 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Disable authenticators upon termination CMA_0169 - Disable authenticators upon termination Manual, Disabled 1.1.0
Revoke privileged roles as appropriate CMA_0483 - Revoke privileged roles as appropriate Manual, Disabled 1.1.0

ID: PCI DSS v4.0 8.2.7 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Blocked accounts with owner permissions on Azure resources should be removed Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. AuditIfNotExists, Disabled 1.0.0
Blocked accounts with read and write permissions on Azure resources should be removed Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. AuditIfNotExists, Disabled 1.0.0
Guest accounts with owner permissions on Azure resources should be removed External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 1.0.0
Guest accounts with read permissions on Azure resources should be removed External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 1.0.0
Guest accounts with write permissions on Azure resources should be removed External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 1.0.0
Identify and authenticate non-organizational users CMA_C1346 - Identify and authenticate non-organizational users Manual, Disabled 1.1.0

ID: PCI DSS v4.0 8.2.8 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define and enforce inactivity log policy CMA_C1017 - Define and enforce inactivity log policy Manual, Disabled 1.1.0
Terminate user session automatically CMA_C1054 - Terminate user session automatically Manual, Disabled 1.1.0

Strong authentication for users and administrators is established and managed

ID: PCI DSS v4.0 8.3.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Manual, Disabled 1.1.0
Establish authenticator types and processes CMA_0267 - Establish authenticator types and processes Manual, Disabled 1.1.0
Identify and authenticate network devices CMA_0296 - Identify and authenticate network devices Manual, Disabled 1.1.0
Satisfy token quality requirements CMA_0487 - Satisfy token quality requirements Manual, Disabled 1.1.0

Strong authentication for users and administrators is established and managed

ID: PCI DSS v4.0 8.3.10 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Manage authenticator lifetime and reuse CMA_0355 - Manage authenticator lifetime and reuse Manual, Disabled 1.1.0
Refresh authenticators CMA_0425 - Refresh authenticators Manual, Disabled 1.1.0

Strong authentication for users and administrators is established and managed

ID: PCI DSS v4.0 8.3.10.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Manage authenticator lifetime and reuse CMA_0355 - Manage authenticator lifetime and reuse Manual, Disabled 1.1.0
Refresh authenticators CMA_0425 - Refresh authenticators Manual, Disabled 1.1.0

Strong authentication for users and administrators is established and managed

ID: PCI DSS v4.0 8.3.11 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Manual, Disabled 1.1.0
Distribute authenticators CMA_0184 - Distribute authenticators Manual, Disabled 1.1.0
Establish authenticator types and processes CMA_0267 - Establish authenticator types and processes Manual, Disabled 1.1.0
Identify and authenticate network devices CMA_0296 - Identify and authenticate network devices Manual, Disabled 1.1.0
Satisfy token quality requirements CMA_0487 - Satisfy token quality requirements Manual, Disabled 1.1.0
Verify identity before distributing authenticators CMA_0538 - Verify identity before distributing authenticators Manual, Disabled 1.1.0

Strong authentication for users and administrators is established and managed

ID: PCI DSS v4.0 8.3.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Ensure authorized users protect provided authenticators CMA_C1339 - Ensure authorized users protect provided authenticators Manual, Disabled 1.1.0
Protect passwords with encryption CMA_0408 - Protect passwords with encryption Manual, Disabled 1.1.0

Strong authentication for users and administrators is established and managed

ID: PCI DSS v4.0 8.3.4 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Enforce a limit of consecutive failed login attempts CMA_C1044 - Enforce a limit of consecutive failed login attempts Manual, Disabled 1.1.0

Strong authentication for users and administrators is established and managed

ID: PCI DSS v4.0 8.3.5 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Establish authenticator types and processes CMA_0267 - Establish authenticator types and processes Manual, Disabled 1.1.0

Strong authentication for users and administrators is established and managed

ID: PCI DSS v4.0 8.3.6 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 4.1.0
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. modify 4.1.0
Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that allow re-use of the passwords after the specified number of unique passwords. Default value for unique passwords is 24 AuditIfNotExists, Disabled 2.1.0
Audit Windows machines that do not have the maximum password age set to specified number of days Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not have the maximum password age set to specified number of days. Default value for maximum password age is 70 days AuditIfNotExists, Disabled 2.1.0
Audit Windows machines that do not restrict the minimum password length to specified number of characters Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if Windows machines that do not restrict the minimum password length to specified number of characters. Default value for minimum password length is 14 characters AuditIfNotExists, Disabled 2.1.0
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. deployIfNotExists 1.2.0
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Establish a password policy CMA_0256 - Establish a password policy Manual, Disabled 1.1.0
Implement parameters for memorized secret verifiers CMA_0321 - Implement parameters for memorized secret verifiers Manual, Disabled 1.1.0

Strong authentication for users and administrators is established and managed

ID: PCI DSS v4.0 8.3.8 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Implement training for protecting authenticators CMA_0329 - Implement training for protecting authenticators Manual, Disabled 1.1.0

Strong authentication for users and administrators is established and managed

ID: PCI DSS v4.0 8.3.9 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Manage authenticator lifetime and reuse CMA_0355 - Manage authenticator lifetime and reuse Manual, Disabled 1.1.0
Refresh authenticators CMA_0425 - Refresh authenticators Manual, Disabled 1.1.0

Multi-factor authentication (MFA) is implemented to secure access into the CDE

ID: PCI DSS v4.0 8.4.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Accounts with owner permissions on Azure resources should be MFA enabled Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0
Accounts with write permissions on Azure resources should be MFA enabled Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 1.0.0
Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Manual, Disabled 1.1.0
An Azure Active Directory administrator should be provisioned for SQL servers Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services AuditIfNotExists, Disabled 1.0.0
Audit usage of custom RBAC roles Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling Audit, Disabled 1.0.1
Guest accounts with owner permissions on Azure resources should be removed External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 1.0.0
Guest accounts with read permissions on Azure resources should be removed External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 1.0.0
Guest accounts with write permissions on Azure resources should be removed External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 1.0.0

Multi-factor authentication (MFA) is implemented to secure access into the CDE

ID: PCI DSS v4.0 8.4.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Manual, Disabled 1.1.0
Authorize remote access CMA_0024 - Authorize remote access Manual, Disabled 1.1.0
Document mobility training CMA_0191 - Document mobility training Manual, Disabled 1.1.0
Document remote access guidelines CMA_0196 - Document remote access guidelines Manual, Disabled 1.1.0
Identify and authenticate network devices CMA_0296 - Identify and authenticate network devices Manual, Disabled 1.1.0
Implement controls to secure alternate work sites CMA_0315 - Implement controls to secure alternate work sites Manual, Disabled 1.1.0
Provide privacy training CMA_0415 - Provide privacy training Manual, Disabled 1.1.0
Satisfy token quality requirements CMA_0487 - Satisfy token quality requirements Manual, Disabled 1.1.0

Multi-factor authentication (MFA) is implemented to secure access into the CDE

ID: PCI DSS v4.0 8.4.3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Manual, Disabled 1.1.0
Authorize remote access CMA_0024 - Authorize remote access Manual, Disabled 1.1.0
Document mobility training CMA_0191 - Document mobility training Manual, Disabled 1.1.0
Document remote access guidelines CMA_0196 - Document remote access guidelines Manual, Disabled 1.1.0
Identify and authenticate network devices CMA_0296 - Identify and authenticate network devices Manual, Disabled 1.1.0
Implement controls to secure alternate work sites CMA_0315 - Implement controls to secure alternate work sites Manual, Disabled 1.1.0
Provide privacy training CMA_0415 - Provide privacy training Manual, Disabled 1.1.0
Satisfy token quality requirements CMA_0487 - Satisfy token quality requirements Manual, Disabled 1.1.0

Multi-factor authentication (MFA) systems are configured to prevent misuse

ID: PCI DSS v4.0 8.5.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Adopt biometric authentication mechanisms CMA_0005 - Adopt biometric authentication mechanisms Manual, Disabled 1.1.0
Authorize remote access CMA_0024 - Authorize remote access Manual, Disabled 1.1.0
Document mobility training CMA_0191 - Document mobility training Manual, Disabled 1.1.0
Document remote access guidelines CMA_0196 - Document remote access guidelines Manual, Disabled 1.1.0
Identify and authenticate network devices CMA_0296 - Identify and authenticate network devices Manual, Disabled 1.1.0
Implement controls to secure alternate work sites CMA_0315 - Implement controls to secure alternate work sites Manual, Disabled 1.1.0
Provide privacy training CMA_0415 - Provide privacy training Manual, Disabled 1.1.0
Satisfy token quality requirements CMA_0487 - Satisfy token quality requirements Manual, Disabled 1.1.0

Use of application and system accounts and associated authentication factors is strictly managed

ID: PCI DSS v4.0 8.6.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Define information system account types CMA_0121 - Define information system account types Manual, Disabled 1.1.0
Require approval for account creation CMA_0431 - Require approval for account creation Manual, Disabled 1.1.0

Use of application and system accounts and associated authentication factors is strictly managed

ID: PCI DSS v4.0 8.6.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Implement training for protecting authenticators CMA_0329 - Implement training for protecting authenticators Manual, Disabled 1.1.0

Use of application and system accounts and associated authentication factors is strictly managed

ID: PCI DSS v4.0 8.6.3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Document security strength requirements in acquisition contracts CMA_0203 - Document security strength requirements in acquisition contracts Manual, Disabled 1.1.0
Establish a password policy CMA_0256 - Establish a password policy Manual, Disabled 1.1.0
Implement parameters for memorized secret verifiers CMA_0321 - Implement parameters for memorized secret verifiers Manual, Disabled 1.1.0
Implement training for protecting authenticators CMA_0329 - Implement training for protecting authenticators Manual, Disabled 1.1.0
Manage authenticator lifetime and reuse CMA_0355 - Manage authenticator lifetime and reuse Manual, Disabled 1.1.0
Refresh authenticators CMA_0425 - Refresh authenticators Manual, Disabled 1.1.0

Requirement 09: Restrict Physical Access to Cardholder Data

Processes and mechanisms for restricting physical access to cardholder data are defined and understood

ID: PCI DSS v4.0 9.1.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Review and update media protection policies and procedures CMA_C1427 - Review and update media protection policies and procedures Manual, Disabled 1.1.0
Review and update physical and environmental policies and procedures CMA_C1446 - Review and update physical and environmental policies and procedures Manual, Disabled 1.1.0

Physical access controls manage entry into facilities and systems containing cardholder data

ID: PCI DSS v4.0 9.2.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control physical access CMA_0081 - Control physical access Manual, Disabled 1.1.0

Physical access controls manage entry into facilities and systems containing cardholder data

ID: PCI DSS v4.0 9.2.3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control physical access CMA_0081 - Control physical access Manual, Disabled 1.1.0
Implement physical security for offices, working areas, and secure areas CMA_0323 - Implement physical security for offices, working areas, and secure areas Manual, Disabled 1.1.0

Physical access controls manage entry into facilities and systems containing cardholder data

ID: PCI DSS v4.0 9.2.4 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control physical access CMA_0081 - Control physical access Manual, Disabled 1.1.0
Implement physical security for offices, working areas, and secure areas CMA_0323 - Implement physical security for offices, working areas, and secure areas Manual, Disabled 1.1.0

Physical access for personnel and visitors is authorized and managed

ID: PCI DSS v4.0 9.3.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control physical access CMA_0081 - Control physical access Manual, Disabled 1.1.0

Physical access for personnel and visitors is authorized and managed

ID: PCI DSS v4.0 9.3.1.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control physical access CMA_0081 - Control physical access Manual, Disabled 1.1.0

Physical access for personnel and visitors is authorized and managed

ID: PCI DSS v4.0 9.3.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control physical access CMA_0081 - Control physical access Manual, Disabled 1.1.0
Implement physical security for offices, working areas, and secure areas CMA_0323 - Implement physical security for offices, working areas, and secure areas Manual, Disabled 1.1.0

Physical access for personnel and visitors is authorized and managed

ID: PCI DSS v4.0 9.3.3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control physical access CMA_0081 - Control physical access Manual, Disabled 1.1.0
Implement physical security for offices, working areas, and secure areas CMA_0323 - Implement physical security for offices, working areas, and secure areas Manual, Disabled 1.1.0

Physical access for personnel and visitors is authorized and managed

ID: PCI DSS v4.0 9.3.4 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control physical access CMA_0081 - Control physical access Manual, Disabled 1.1.0
Implement physical security for offices, working areas, and secure areas CMA_0323 - Implement physical security for offices, working areas, and secure areas Manual, Disabled 1.1.0

Media with cardholder data is securely stored, accessed, distributed, and destroyed

ID: PCI DSS v4.0 9.4.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0

Media with cardholder data is securely stored, accessed, distributed, and destroyed

ID: PCI DSS v4.0 9.4.1.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0

Media with cardholder data is securely stored, accessed, distributed, and destroyed

ID: PCI DSS v4.0 9.4.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0

Media with cardholder data is securely stored, accessed, distributed, and destroyed

ID: PCI DSS v4.0 9.4.3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Manage the transportation of assets CMA_0370 - Manage the transportation of assets Manual, Disabled 1.1.0

Media with cardholder data is securely stored, accessed, distributed, and destroyed

ID: PCI DSS v4.0 9.4.4 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Manage the transportation of assets CMA_0370 - Manage the transportation of assets Manual, Disabled 1.1.0

Media with cardholder data is securely stored, accessed, distributed, and destroyed

ID: PCI DSS v4.0 9.4.5.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Create a data inventory CMA_0096 - Create a data inventory Manual, Disabled 1.1.0
Maintain records of processing of personal data CMA_0353 - Maintain records of processing of personal data Manual, Disabled 1.1.0

Media with cardholder data is securely stored, accessed, distributed, and destroyed

ID: PCI DSS v4.0 9.4.6 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Employ a media sanitization mechanism CMA_0208 - Employ a media sanitization mechanism Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Perform disposition review CMA_0391 - Perform disposition review Manual, Disabled 1.1.0
Verify personal data is deleted at the end of processing CMA_0540 - Verify personal data is deleted at the end of processing Manual, Disabled 1.1.0

Media with cardholder data is securely stored, accessed, distributed, and destroyed

ID: PCI DSS v4.0 9.4.7 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Employ a media sanitization mechanism CMA_0208 - Employ a media sanitization mechanism Manual, Disabled 1.1.0
Implement controls to secure all media CMA_0314 - Implement controls to secure all media Manual, Disabled 1.1.0
Perform disposition review CMA_0391 - Perform disposition review Manual, Disabled 1.1.0
Verify personal data is deleted at the end of processing CMA_0540 - Verify personal data is deleted at the end of processing Manual, Disabled 1.1.0

Point of interaction (POI) devices are protected from tampering and unauthorized substitution

ID: PCI DSS v4.0 9.5.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control physical access CMA_0081 - Control physical access Manual, Disabled 1.1.0
Implement physical security for offices, working areas, and secure areas CMA_0323 - Implement physical security for offices, working areas, and secure areas Manual, Disabled 1.1.0
Manage the input, output, processing, and storage of data CMA_0369 - Manage the input, output, processing, and storage of data Manual, Disabled 1.1.0

Point of interaction (POI) devices are protected from tampering and unauthorized substitution

ID: PCI DSS v4.0 9.5.1.2 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control physical access CMA_0081 - Control physical access Manual, Disabled 1.1.0
Implement physical security for offices, working areas, and secure areas CMA_0323 - Implement physical security for offices, working areas, and secure areas Manual, Disabled 1.1.0
Manage the input, output, processing, and storage of data CMA_0369 - Manage the input, output, processing, and storage of data Manual, Disabled 1.1.0

Point of interaction (POI) devices are protected from tampering and unauthorized substitution

ID: PCI DSS v4.0 9.5.1.2.1 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Control physical access CMA_0081 - Control physical access Manual, Disabled 1.1.0
Implement physical security for offices, working areas, and secure areas CMA_0323 - Implement physical security for offices, working areas, and secure areas Manual, Disabled 1.1.0
Manage the input, output, processing, and storage of data CMA_0369 - Manage the input, output, processing, and storage of data Manual, Disabled 1.1.0

Point of interaction (POI) devices are protected from tampering and unauthorized substitution

ID: PCI DSS v4.0 9.5.1.3 Ownership: Shared

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
Provide security training before providing access CMA_0418 - Provide security training before providing access Manual, Disabled 1.1.0

Next steps

Additional articles about Azure Policy: