Controls & Evidence
PCI DSS v4.0.1 readiness evaluates your controls across multiple domains. For each domain, reviewers look for evidence that controls are designed properly and operating effectively. Below are the core control domains with minimum requirements and example evidence artifacts.
What reviewers look for: Reviewers don't just check that policies exist. They verify that controls are operating as described, that evidence is produced on schedule, and that gaps are tracked and remediated. The evidence examples below show what "operating effectiveness" looks like in practice.
Firewalls, network segmentation, and traffic restrictions protecting the cardholder data environment.
Requirements
- Network security controls (firewalls/NSCs) installed between the CDE and all untrusted networks
- NSC configurations documented, reviewed, and approved at least every six months
- Inbound and outbound traffic restricted to only that which is necessary for cardholder data processing
- Network segmentation validated through penetration testing at least annually and after significant changes
Evidence Examples
| Artifact | Owner | Frequency |
|---|---|---|
| NSC rule sets with documented business justification for each permitted connection | Network admin | Semi-annually |
| Current network diagrams showing all CDE connections and segmentation boundaries | Security team | Annually and on change |
| Penetration test reports validating segmentation effectiveness | QSA | Annually and after significant network changes |
Hardening standards, default credential removal, and function isolation for all system components.
Requirements
- Vendor-supplied defaults changed before deploying any system component onto the network
- Hardening standards developed and applied to all system components in the CDE
- Primary functions isolated — one primary function per server where feasible
- System inventory maintained with configuration standards mapped to each component
Evidence Examples
| Artifact | Owner | Frequency |
|---|---|---|
| Hardening standards documents aligned to CIS benchmarks or equivalent | IT admin | Annually and on change |
| Configuration audit reports showing compliance with hardening standards | Security team | Quarterly |
| System component inventory with configuration baseline references | IT admin | Annually and on change |
Minimization, masking, encryption, and key management for stored cardholder data and sensitive authentication data.
Requirements
- Stored account data minimized — only data necessary for business needs is retained
- PAN rendered unreadable anywhere it is stored using truncation, hashing, tokenization, or strong encryption
- Sensitive authentication data (SAD) not stored after authorization, even if encrypted
- Cryptographic key management procedures documented and implemented for all encryption of stored data
Evidence Examples
| Artifact | Owner | Frequency |
|---|---|---|
| Data retention and disposal policy with defined retention periods | Compliance | Annually |
| PAN discovery scan results showing no unprotected PAN in storage | Security team | Quarterly |
| Encryption key management records including key custodian assignments and rotation schedules | Security team | Annually and on key events |
| Data flow diagrams documenting all locations where account data is stored | Compliance | Annually and on change |
TLS configuration, certificate management, and encryption of cardholder data during transmission over open and public networks.
Requirements
- Strong cryptography used during transmission of cardholder data over open and public networks
- Only trusted keys and certificates accepted — expired or self-signed certificates rejected
- PAN protected if transmitted via end-user messaging technologies (email, instant messaging, SMS, chat)
Evidence Examples
| Artifact | Owner | Frequency |
|---|---|---|
| TLS configuration records showing minimum protocol versions and cipher suites | IT admin | Semi-annually |
| Certificate inventory with expiration dates and renewal tracking | Security team | Quarterly |
| Messaging security policies prohibiting unencrypted PAN in end-user communications | Compliance | Annually |
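The transmission requirements can be checked mechanically against the TLS configuration and certificate inventory records listed above. The code below is an added example, not from the page: it builds a client context that enforces a TLS 1.2 floor with chain and hostname validation, and it evaluates a constructed inventory of endpoint records (protocol floor, enabled cipher suites, certificate expiry, self-signed flag) against thresholds that are assumptions for this example, such as a 30-day renewal window and a substring list of weak cipher families. Host names and dates in the inventory are constructed.

```python
import ssl
from datetime import date, timedelta

# Thresholds assumed for this example (not figures from the page).
PROTOCOL_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
MIN_PROTOCOL = "TLSv1.2"
RENEWAL_WINDOW = timedelta(days=30)
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXPORT", "MD5", "ADH", "AECDH")
REVIEW_DATE = date(2024, 1, 15)           # fixed so the walkthrough is reproducible


def hardened_client_context() -> ssl.SSLContext:
    """Client context enforcing the transmission requirements: TLS 1.2 floor,
    chain validation against trusted CAs (CERT_REQUIRED) and hostname checking."""
    ctx = ssl.create_default_context()    # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def evaluate_record(rec: dict, today: date) -> list:
    """Return the list of deviations for one endpoint record."""
    findings = []
    if PROTOCOL_RANK[rec["min_protocol"]] < PROTOCOL_RANK[MIN_PROTOCOL]:
        findings.append(f"protocol floor {rec['min_protocol']} is below {MIN_PROTOCOL}")
    for suite in rec["ciphers"]:
        if any(marker in suite.upper() for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher suite enabled: {suite}")
    not_after = date.fromisoformat(rec["not_after"])
    if not_after < today:
        findings.append(f"certificate expired on {not_after}")
    elif not_after - today <= RENEWAL_WINDOW:
        findings.append(f"certificate expires within {RENEWAL_WINDOW.days} days ({not_after})")
    if rec["self_signed"]:
        findings.append("self-signed certificate; must be issued by a trusted CA")
    return findings


def evaluate_inventory(inventory: list, today: date) -> dict:
    return {rec["host"]: evaluate_record(rec, today) for rec in inventory}


# Constructed inventory: one compliant endpoint, one legacy gateway, one batch host.
TLS_INVENTORY = [
    {"host": "api.example.test", "min_protocol": "TLSv1.2",
     "ciphers": ["TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES128-GCM-SHA256"],
     "not_after": "2099-01-01", "self_signed": False},
    {"host": "legacy-gw.example.test", "min_protocol": "TLSv1",
     "ciphers": ["ECDHE-RSA-AES128-SHA", "DES-CBC3-SHA", "RC4-SHA"],
     "not_after": "2020-06-30", "self_signed": False},
    {"host": "batch.example.test", "min_protocol": "TLSv1.2",
     "ciphers": ["ECDHE-RSA-AES256-GCM-SHA384"],
     "not_after": "2024-01-25", "self_signed": True},
]


def run_review() -> dict:
    return evaluate_inventory(TLS_INVENTORY, REVIEW_DATE)


if __name__ == "__main__":
    for host, findings in run_review().items():
        print(host, "OK" if not findings else findings)
```

The inventory records here are hand-written; in practice they would be exported from the load balancer or certificate management system, and the report produced by `run_review` is the semi-annual evidence artifact together with the tickets raised for each finding.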
Anti-malware deployment, scanning, real-time protection, and anti-phishing mechanisms across all CDE systems.
Requirements
- Anti-malware solutions deployed on all systems commonly affected by malicious software
- Periodic scans and active or real-time protection enabled and not disabled by users
- Anti-malware mechanisms kept current with automatic updates and actively running
- Anti-phishing mechanisms deployed to detect and protect against phishing attacks
Evidence Examples
| Artifact | Owner | Frequency |
|---|---|---|
| Anti-malware deployment reports showing coverage of all in-scope endpoints | IT admin | Quarterly |
| Malware scan logs and detection event summaries | Security team | Monthly |
| Anti-malware signature and engine update verification records | IT admin | Monthly |
Patch management, secure coding practices, WAF deployment, and change control for all custom and third-party software.
Requirements
- Security patches for all software components applied within defined risk-based timeframes
- Custom software developed securely following industry standards (OWASP Top 10, SANS CWE Top 25)
- Public-facing web applications protected by WAF or regular vulnerability assessments
- Change control processes enforced for all changes to system components in the CDE
Evidence Examples
| Artifact | Owner | Frequency |
|---|---|---|
| Patch management records showing installation dates relative to release dates | IT admin | Monthly |
| Secure coding training completion records for development staff | Security team | Annually |
| WAF configuration and rule set documentation | Security team | Semi-annually |
| Change control logs with security impact assessment and approval records | IT admin | Per change |
Role-based access control, least privilege enforcement, and deny-all-by-default configuration for CDE access.
Requirements
- Access to system components and cardholder data limited to only those individuals whose job requires such access
- Access control system configured to deny all access by default and grant only explicitly authorized permissions
- Roles and access privileges documented with business justification for each role
Evidence Examples
| Artifact | Owner | Frequency |
|---|---|---|
| Access control matrices mapping roles to permitted resources and data types | Compliance | Semi-annually |
| Role definitions with documented business justification for CDE access | Security team | Annually |
| Periodic access review records confirming continued need-to-know | Compliance | Semi-annually |
Unique user IDs, multi-factor authentication, password policies, and service account management for CDE access.
Requirements
- Unique identification assigned to each person with computer access to the CDE
- Multi-factor authentication (MFA) required for all access into the CDE and for all remote network access
- Strong authentication management including password complexity, expiration, and lockout controls
- Shared, group, or generic accounts prohibited except where documented business necessity exists with enhanced monitoring
- Service and system accounts managed with restricted privileges, documented owners, and periodic review
Evidence Examples
| Artifact | Owner | Frequency |
|---|---|---|
| User ID policy requiring unique identification and prohibiting shared accounts | Security team | Annually |
| MFA enrollment records and enforcement configuration for CDE access | IT admin | Quarterly |
| Password policy configuration showing complexity, rotation, and lockout settings | IT admin | Semi-annually |
| Service account inventory with owners, privilege levels, and review dates | Security team | Semi-annually |
Facility security, visitor management, media handling, and physical controls protecting CDE infrastructure.
Requirements
- Physical access controls restrict entry to the CDE to authorized personnel only
- Visitors identified, authorized, escorted, and logged in areas containing CDE systems
- All media containing cardholder data physically secured and access restricted
- Strict control of internal and external distribution of media containing cardholder data
- Electronic media containing cardholder data rendered unrecoverable when no longer needed
Evidence Examples
| Artifact | Owner | Frequency |
|---|---|---|
| Physical access logs showing badge-in/badge-out records for CDE areas | Security team | Daily review |
| Visitor logs with identification, escort, and authorization records | Security team | Daily review |
| Media destruction records with method, date, and witness documentation | IT admin | Per event |
| Facility security assessment documenting physical access control mechanisms | Security team | Annually |
Audit trail implementation, event correlation, time synchronization, log review, and retention for all CDE activity.
Requirements
- Audit trails established for all access to system components and cardholder data, linking actions to individual users
- Automated audit trail mechanisms implemented for reconstructing security-relevant events
- Time synchronization using NTP across all critical systems to ensure accurate log correlation
- Audit logs reviewed at least daily, with automated mechanisms to detect anomalies and alert on suspicious activity
- Audit trail history retained for at least 12 months, with at least three months immediately available for analysis
Evidence Examples
| Artifact | Owner | Frequency |
|---|---|---|
| Log configurations showing captured event types and fields per system component | IT admin | Semi-annually |
| SIEM dashboards and alert rule definitions for security event detection | Security team | Quarterly |
| Daily log review records documenting reviewer, findings, and actions taken | Security team | Daily |
| Log retention policy and storage capacity verification | IT admin | Annually |
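To make the daily log review and retention requirements concrete, here is an added example (not code from the page or any SIEM product) that runs three review rules over a constructed JSON-lines audit export: records that cannot be tied to an individual user, authentication-failure bursts, and use of generic accounts, plus a check of the 12-month / 3-month retention rule. The failure threshold, window, shared-account list and the day-based approximation of "months" are assumptions chosen for the example; the log lines, user names and addresses are constructed.

```python
import json
from collections import defaultdict
from datetime import date, datetime, timedelta

# Fields every audit record must carry so an action can be tied to a person
# (user id, event type, timestamp, result, origin, affected resource).
REQUIRED_FIELDS = ("ts", "user", "event", "result", "src", "target")
# Review thresholds assumed for this example, not figures from the page.
FAILURE_THRESHOLD = 5
FAILURE_WINDOW = timedelta(minutes=10)
SHARED_ACCOUNTS = {"root", "admin"}          # generic IDs needing person attribution
RETENTION_TOTAL = timedelta(days=365)        # approximates "at least 12 months"
RETENTION_ONLINE = timedelta(days=90)        # approximates "three months immediately available"

# Constructed sample: one JSON record per line, as a SIEM export might look.
SAMPLE_LOG = """\
{"ts":"2024-01-15T08:00:01Z","user":"alice","event":"login","result":"success","src":"10.1.2.3","target":"db01"}
{"ts":"2024-01-15T08:01:00Z","user":"bob","event":"login","result":"failure","src":"10.9.9.9","target":"db01"}
{"ts":"2024-01-15T08:02:00Z","user":"bob","event":"login","result":"failure","src":"10.9.9.9","target":"db01"}
{"ts":"2024-01-15T08:03:00Z","user":"bob","event":"login","result":"failure","src":"10.9.9.9","target":"db01"}
{"ts":"2024-01-15T08:04:00Z","user":"bob","event":"login","result":"failure","src":"10.9.9.9","target":"db01"}
{"ts":"2024-01-15T08:05:00Z","user":"bob","event":"login","result":"failure","src":"10.9.9.9","target":"db01"}
{"ts":"2024-01-15T09:00:00Z","user":"root","event":"query","result":"success","src":"10.1.2.4","target":"db01"}
{"ts":"2024-01-15T09:05:00Z","event":"query","result":"success","src":"10.1.2.5","target":"db01"}
"""


def parse_events(text: str):
    """Return (well-formed events, findings for records that cannot be attributed)."""
    events, findings = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        rec = json.loads(line)
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            findings.append({"rule": "unattributable_event", "line": lineno, "missing": missing})
            continue
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events, findings


def review(events: list) -> list:
    """Daily review rules: auth-failure bursts and generic/shared account use."""
    findings = []
    failures = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["user"] in SHARED_ACCOUNTS:
            findings.append({"rule": "shared_account_use", "user": ev["user"],
                             "ts": ev["ts"].isoformat()})
        if ev["event"] == "login" and ev["result"] == "failure":
            window = failures[ev["user"]]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > FAILURE_WINDOW:
                window.pop(0)                 # drop failures outside the sliding window
            if len(window) == FAILURE_THRESHOLD:   # fire once as the threshold is crossed
                findings.append({"rule": "auth_failure_burst", "user": ev["user"],
                                 "src": ev["src"], "count": len(window)})
    return findings


def retention_status(oldest_archived: str, oldest_online: str, today: str) -> dict:
    """Check the 12-month history / 3-month immediately-available requirement (ISO dates)."""
    a, o, t = (date.fromisoformat(s) for s in (oldest_archived, oldest_online, today))
    return {"history_12_months": t - a >= RETENTION_TOTAL,
            "online_3_months": t - o >= RETENTION_ONLINE}


def run_daily_review(text: str = SAMPLE_LOG) -> list:
    events, findings = parse_events(text)
    return findings + review(events)


if __name__ == "__main__":
    for f in run_daily_review():
        print(f)
```

The list returned by `run_daily_review`, together with the reviewer's disposition of each item, is the kind of content the "daily log review records" artifact should hold; the unattributable record is itself a finding because an event with no user field cannot satisfy the linking requirement.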
Vulnerability scanning, penetration testing, intrusion detection, and file integrity monitoring for CDE systems.
Requirements
- Internal and external vulnerability scans performed at least quarterly and after significant changes, with external scans conducted by an Approved Scanning Vendor (ASV)
- Penetration testing performed at least annually and after significant infrastructure or application changes
- Intrusion-detection and/or intrusion-prevention systems (IDS/IPS) deployed to monitor all traffic in the CDE
- Change-detection mechanisms (file integrity monitoring) deployed on critical system files, configuration files, and content files
Evidence Examples
| Artifact | Owner | Frequency |
|---|---|---|
| ASV scan reports showing passing external vulnerability scan results | QSA | Quarterly |
| Penetration test reports covering network-layer and application-layer testing | Security team | Annually and after significant changes |
| IDS/IPS configuration documentation and alert review records | Security team | Semi-annually |
| File integrity monitoring alert logs and weekly comparison results | IT admin | Weekly |
Enterprise security policy, risk assessment, awareness training, incident response, and service provider management.
Requirements
- Information security policy established, published, maintained, reviewed annually, and acknowledged by all personnel
- Acceptable use policies defined for critical technologies including remote access, wireless, removable media, and email
- Formal risk assessment process conducted at least annually and upon significant environmental changes
- Security awareness program implemented with training upon hire and at least annually thereafter
- Incident response plan established, tested at least annually, and ready for immediate activation
Evidence Examples
| Artifact | Owner | Frequency |
|---|---|---|
| Information security policy document with version control and annual review date | Compliance | Annually |
| Employee policy acknowledgment records confirming receipt and understanding | Compliance | Annually and upon hire |
| Risk assessment report documenting identified threats, vulnerabilities, and risk ratings | Security team | Annually |
| Security awareness training completion records and incident response plan test results | Security team | Annually |
Evidence Naming Conventions
Organized, traceable evidence is critical for a smooth review. Adopting a consistent convention makes evidence retrieval faster and reduces friction.
Recommended format:
ControlID_System_ArtifactType_YYYY-MM-DD_Period_Owner_v#
Key principles for evidence management:
- Centralized repository with access control and version history
- Consistent naming across all control domains and artifact types
- Defined cadence for each evidence type: event-driven, monthly, quarterly, or annual
- Immutable exports where possible to demonstrate evidence integrity
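A naming convention only pays off if it is enforced and then used to answer "what is missing?". The following is an added example, not from the page, of a parser for the recommended `ControlID_System_ArtifactType_YYYY-MM-DD_Period_Owner_v#` format plus two checks built on it: which periods of a given cadence have no artifact for a control in a year, and which file is the latest version of each artifact. It assumes details the page does not fix: fields contain no underscore (the separator), an optional file extension may follow the version, and period tokens are `Q1`..`Q4` for quarterly, `M01`..`M12` for monthly, `FY` for annual and `EVT` for event-driven evidence. The control IDs, systems and owners in the sample names are constructed.

```python
import re
from datetime import date

# Field grammar assumed for this example: fields never contain "_", which is the separator.
NAME_RE = re.compile(
    r"^(?P<control>[A-Za-z0-9.-]+)_"
    r"(?P<system>[A-Za-z0-9.-]+)_"
    r"(?P<artifact>[A-Za-z0-9.-]+)_"
    r"(?P<date>\d{4}-\d{2}-\d{2})_"
    r"(?P<period>[A-Za-z0-9.-]+)_"
    r"(?P<owner>[A-Za-z0-9.-]+)_"
    r"v(?P<version>\d+)"
    r"(?:\.(?P<ext>[A-Za-z0-9]+))?$"
)

# Period tokens assumed for this example (the page only names the cadences).
EXPECTED_PERIODS = {
    "quarterly": ["Q1", "Q2", "Q3", "Q4"],
    "monthly": [f"M{m:02d}" for m in range(1, 13)],
    "annual": ["FY"],
}


def parse_evidence_name(name: str) -> dict:
    """Split a file name into its fields; raise ValueError if it breaks the convention."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"does not follow ControlID_System_ArtifactType_YYYY-MM-DD_Period_Owner_v#: {name}")
    fields = m.groupdict()
    fields["date"] = date.fromisoformat(fields["date"])   # rejects impossible dates like 2024-13-01
    fields["version"] = int(fields["version"])
    return fields


def coverage_gaps(names: list, control: str, cadence: str, year: int) -> list:
    """Periods of the cadence for which the control has no artifact in the given year."""
    seen = set()
    for name in names:
        f = parse_evidence_name(name)
        if f["control"] == control and f["date"].year == year:
            seen.add(f["period"])
    return [p for p in EXPECTED_PERIODS[cadence] if p not in seen]


def latest_versions(names: list) -> dict:
    """Map each (control, system, artifact, date, period, owner) to its highest-version file,
    i.e. the copy that should be presented to a reviewer."""
    latest = {}
    for name in names:
        f = parse_evidence_name(name)
        key = (f["control"], f["system"], f["artifact"], f["date"].isoformat(), f["period"], f["owner"])
        if key not in latest or f["version"] > parse_evidence_name(latest[key])["version"]:
            latest[key] = name
    return latest


# Constructed sample repository listing (control IDs and owners are made up).
SAMPLE_NAMES = [
    "NSC-01_core-fw_ruleset-review_2024-01-15_Q1_netadmin_v1.pdf",
    "NSC-01_core-fw_ruleset-review_2024-01-15_Q1_netadmin_v2.pdf",
    "NSC-01_core-fw_ruleset-review_2024-04-12_Q2_netadmin_v1.pdf",
    "NSC-01_core-fw_ruleset-review_2024-10-03_Q4_netadmin_v1.pdf",
    "LOG-03_siem_daily-review_2024-01-15_EVT_secteam_v1.csv",
]

if __name__ == "__main__":
    print("missing quarters:", coverage_gaps(SAMPLE_NAMES, "NSC-01", "quarterly", 2024))
    for key, name in latest_versions(SAMPLE_NAMES).items():
        print(key[0], key[4], "->", name)
```

Running `coverage_gaps` over the repository listing before a review turns the "defined cadence for each evidence type" principle into a concrete gap list, and `latest_versions` keeps superseded drafts from being handed over by mistake while the version history itself stays in the repository.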
AI and data companies: Standard controls are the baseline. See the AI-specific advisory modules for additional controls addressing data governance, prompt logging, RAG security, and model vendor risk.