[{"data":1,"prerenderedAt":13697},["ShallowReactive",2],{"\u002Fframeworks\u002Fpci":3,"framework-hub-topics-pci":541,"related-glossary-pci":4056,"related-frameworks-pci":10608},{"id":4,"title":5,"advantages":6,"body":28,"checklist":461,"cta":470,"description":447,"extension":473,"faq":474,"hero":492,"lastUpdated":508,"meta":509,"name":44,"navigation":510,"path":511,"resources":512,"seo":525,"slug":528,"stats":529,"stem":539,"__hash__":540},"frameworks\u002F5.frameworks\u002Fpci.md","Pci",[7,14,21],{"title":8,"description":9,"bullets":10},"Cardholder data mapped","Visualize systems, networks, and data flows tied to each DSS requirement.",[11,12,13],"Track segmentation documentation and approvals","Connect SIEM and log tools for retention evidence","Link vulnerability scans and pen tests to controls",{"title":15,"description":16,"bullets":17},"Task orchestration for engineering","Send prioritized remediation tasks to Jira or Linear with context.",[18,19,20],"Auto-created tickets with required evidence","SLA tracking ensures high-risk remediations close on time","Change management logs sync back automatically",{"title":22,"description":23,"bullets":24},"QSA-ready collaboration","Centralize requests, walkthroughs, and findings with secure file sharing.",[25,26,27],"QSA comments resolve next to each control","Expiring links for sensitive diagrams","Exportable ROC narrative drafts",{"type":29,"value":30,"toc":446},"minimark",[31,36,46,49,52,56,64,156,159,163,170,174,187,191,199,254,267,271,282,285,288,292,309,313,316,354,362,366,369,373,386,390,393,443],[32,33,35],"h2",{"id":34},"what-is-pci-dss","What is PCI DSS?",[37,38,39,40,45],"p",{},"The Payment Card Industry Data Security Standard -- universally known as ",[41,42,44],"a",{"href":43},"\u002Fglossary\u002Fpci-dss","PCI DSS"," -- is the global baseline for protecting payment card data. 
Any organization that stores, processes, or transmits cardholder data is expected to meet PCI DSS, from a mom-and-pop e-commerce store to a Fortune 500 retailer and every payment processor in between. PCI DSS exists because card data is one of the most monetizable targets on the internet, and a single breach can expose millions of account numbers, trigger steep fines, and end businesses. PCI DSS translates decades of hard-won lessons into a prescriptive framework that security, engineering, and finance teams can operationalize.",[37,47,48],{},"PCI DSS is maintained by the Payment Card Industry Security Standards Council (PCI SSC), an independent standards body founded in 2006 by the five major payment brands: Visa, Mastercard, American Express, Discover, and JCB. The PCI SSC writes and publishes the standard, accredits assessors and scanning vendors, and runs supporting programs such as PA-DSS (now replaced by the PCI Secure Software Standard) and P2PE. While the PCI SSC owns the standard itself, it does not enforce PCI DSS. Enforcement is delegated to the card brands, which in turn push obligations down through acquiring banks and payment processors to merchants and service providers. In practice, your acquirer is the entity that tells you which PCI DSS validation path you owe and what happens if you fail it.",[37,50,51],{},"PCI DSS emerged from a patchwork of brand-specific programs in the early 2000s, including Visa's Cardholder Information Security Program (CISP) and Mastercard's Site Data Protection (SDP). PCI DSS v1.0 launched in December 2004. PCI DSS v2.0 arrived in 2010, v3.0 in 2013, v3.1 in 2015, v3.2 in 2016, v3.2.1 in 2018, and the long-anticipated PCI DSS v4.0 in March 2022, followed by v4.0.1 clarifications in June 2024. Organizations have until March 31, 2025 to fully meet the new \"future-dated\" PCI DSS v4.0 requirements. 
Each revision tightens controls in response to emerging threats, adding requirements such as phishing-resistant authentication, defenses against e-commerce script tampering, automated log review, and customized approaches for mature security programs.",[32,53,55],{"id":54},"the-12-pci-dss-requirements","The 12 PCI DSS requirements",[37,57,58,59,63],{},"PCI DSS organizes technical and operational controls across twelve core requirements grouped into six objectives. The full set of PCI DSS requirements is detailed on the ",[41,60,62],{"href":61},"\u002Fframeworks\u002Fpci\u002Frequirements","PCI DSS requirements page","; at a glance they are:",[65,66,67,80,86,102,108,114,120,126,132,138,144,150],"ol",{},[68,69,70,74,75,79],"li",{},[71,72,73],"strong",{},"Install and maintain network security controls"," -- firewalls and equivalent controls around the ",[41,76,78],{"href":77},"\u002Fglossary\u002Fcardholder-data-environment","cardholder data environment",".",[68,81,82,85],{},[71,83,84],{},"Apply secure configurations to all system components"," -- hardening standards, default credential elimination, and secure build baselines.",[68,87,88,91,92,96,97,101],{},[71,89,90],{},"Protect stored account data"," -- encryption, truncation, hashing, or ",[41,93,95],{"href":94},"\u002Fglossary\u002Ftokenization","tokenization"," of the ",[41,98,100],{"href":99},"\u002Fglossary\u002Fpan","PAN"," and prohibition on storing sensitive authentication data.",[68,103,104,107],{},[71,105,106],{},"Protect cardholder data with strong cryptography during transmission"," over open, public networks.",[68,109,110,113],{},[71,111,112],{},"Protect all systems and networks from malicious software"," -- anti-malware on in-scope systems and defenses against script-based threats.",[68,115,116,119],{},[71,117,118],{},"Develop and maintain secure systems and software"," -- secure SDLC, patching, and vulnerability management for in-scope systems.",[68,121,122,125],{},[71,123,124],{},"Restrict access to system components and cardholder data by business 
need to know"," -- least-privilege role design.",[68,127,128,131],{},[71,129,130],{},"Identify users and authenticate access to system components"," -- unique IDs, strong authentication, and phishing-resistant MFA.",[68,133,134,137],{},[71,135,136],{},"Restrict physical access to cardholder data"," -- physical security for facilities, media, and devices.",[68,139,140,143],{},[71,141,142],{},"Log and monitor all access to system components and cardholder data"," -- centralized logging, daily review, and tamper protection.",[68,145,146,149],{},[71,147,148],{},"Test security of systems and networks regularly"," -- ASV scans, internal scans, pen tests, and segmentation validation.",[68,151,152,155],{},[71,153,154],{},"Support information security with organizational policies and programs"," -- governance, awareness, incident response, and third-party oversight.",[37,157,158],{},"Each PCI DSS requirement is broken into numbered sub-requirements with explicit testing procedures that an assessor follows line by line. The \"defined approach\" dictates specific controls; PCI DSS v4.0 also introduces a \"customized approach\" where mature organizations can meet a requirement's objective through alternative controls, documented in a controls matrix and targeted risk analysis.",[32,160,162],{"id":161},"pci-dss-v40-changes","PCI DSS v4.0 changes",[37,164,165,166,79],{},"PCI DSS v4.0 is the largest revision in more than a decade. Its headline shifts include a customized-approach validation path, mandatory multi-factor authentication for all access into the CDE, expanded requirements to detect and respond to e-commerce script tampering, targeted risk analyses replacing prescriptive frequencies, and stronger expectations for continuous security rather than point-in-time compliance. Several of the most material v4.0 controls became mandatory on March 31, 2025 after a two-year grace period. 
The full changelog, new testing procedures, and a migration checklist are covered in the ",[41,167,169],{"href":168},"\u002Fframeworks\u002Fpci\u002Fv4-changes","PCI DSS v4.0 changes guide",[32,171,173],{"id":172},"merchant-compliance-levels-1-4","Merchant compliance levels 1-4",[37,175,176,177,181,182,186],{},"Every merchant is assigned to one of four PCI DSS compliance levels based on annual card transaction volume across all channels. PCI DSS Level 1 covers merchants processing more than 6 million transactions per year and requires a formal Report on Compliance (ROC) signed by a ",[41,178,180],{"href":179},"\u002Fglossary\u002Fqsa","QSA",". Level 2 covers 1-6 million transactions. Level 3 covers 20,000 to 1 million e-commerce transactions. Level 4 covers everything below those thresholds. Service providers have their own two-level structure. Your acquiring bank can also assign you a higher PCI DSS level at its discretion -- particularly after a breach. The ",[41,183,185],{"href":184},"\u002Fframeworks\u002Fpci\u002Fcompliance-levels","PCI DSS compliance levels page"," breaks down every threshold by card brand and the validation path each level owes.",[32,188,190],{"id":189},"self-assessment-questionnaires-saqs","Self-Assessment Questionnaires (SAQs)",[37,192,193,194,198],{},"Merchants and service providers that are not required to complete a full PCI DSS Report on Compliance validate using a ",[41,195,197],{"href":196},"\u002Fglossary\u002Fsaq","Self-Assessment Questionnaire",", or SAQ. 
The PCI SSC publishes nine SAQ types, each tailored to a specific acceptance channel and technology profile:",[200,201,202,208,214,220,226,232,238,244],"ul",{},[68,203,204,207],{},[71,205,206],{},"SAQ A"," -- card-not-present merchants that fully outsource all cardholder data functions.",[68,209,210,213],{},[71,211,212],{},"SAQ A-EP"," -- e-commerce merchants that partially outsource payment processing but host pages that could affect payment page security.",[68,215,216,219],{},[71,217,218],{},"SAQ B"," -- merchants using only imprint machines or standalone dial-out terminals.",[68,221,222,225],{},[71,223,224],{},"SAQ B-IP"," -- merchants using only standalone IP-connected POI devices.",[68,227,228,231],{},[71,229,230],{},"SAQ C-VT"," -- merchants entering transactions into a virtual payment terminal.",[68,233,234,237],{},[71,235,236],{},"SAQ C"," -- merchants with payment application systems connected to the internet.",[68,239,240,243],{},[71,241,242],{},"SAQ P2PE"," -- merchants using PCI-listed point-to-point encryption solutions.",[68,245,246,249,250,253],{},[71,247,248],{},"SAQ D for Merchants"," and ",[71,251,252],{},"SAQ D for Service Providers"," -- the catch-all SAQs for entities that store cardholder data or do not qualify for a simpler SAQ.",[37,255,256,257,261,262,266],{},"Eligibility is narrow and precise. Picking the wrong SAQ is one of the most common PCI DSS mistakes -- and one that an acquiring bank or breach investigation can expose instantly. The ",[41,258,260],{"href":259},"\u002Fframeworks\u002Fpci\u002Fself-assessment-questionnaire","SAQ reference"," and the ",[41,263,265],{"href":264},"\u002Fframeworks\u002Fpci\u002Fsaq-types-explained","SAQ types explained"," page walk through each SAQ's eligibility, question count, and typical pitfalls.",[32,268,270],{"id":269},"cardholder-data-environment-cde-and-scoping","Cardholder data environment (CDE) and scoping",[37,272,273,274,276,277,281],{},"Every PCI DSS program begins with scoping. 
The ",[41,275,78],{"href":77},", or CDE, is the set of people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data, plus any system component that is connected to or could impact the security of those components. Determining what is in ",[41,278,280],{"href":279},"\u002Fglossary\u002Fpci-scope","PCI scope"," is the single highest-leverage activity in a PCI DSS program -- it drives how many controls apply, how much evidence you collect, and how much your QSA engagement costs.",[37,283,284],{},"PCI DSS scoping has three categories: CDE systems that directly handle card data; connected-to systems that can route traffic to the CDE, authenticate CDE users, or otherwise interact with CDE components; and security-impacting systems that could affect CDE security even without direct connectivity (think SIEM, patch management, or anti-malware consoles). All three categories are in scope for PCI DSS.",[37,286,287],{},"Document your CDE with an annotated network diagram and a data-flow diagram for every payment channel. PCI DSS v4.0 makes these diagrams a requirement, not a nice-to-have, and your assessor will test them during every assessment.",[32,289,291],{"id":290},"scope-reduction-strategies","Scope reduction strategies",[37,293,294,295,299,300,304,305,308],{},"Because PCI DSS obligations scale with the CDE, shrinking the CDE is the fastest way to cut PCI DSS cost and risk. 
Effective ",[41,296,298],{"href":297},"\u002Fframeworks\u002Fpci\u002Fscope-reduction","PCI DSS scope reduction"," typically combines four levers: strong ",[41,301,303],{"href":302},"\u002Fframeworks\u002Fpci\u002Fnetwork-segmentation","network segmentation"," that isolates the CDE onto dedicated VLANs with tightly controlled firewall rules; ",[41,306,95],{"href":307},"\u002Fframeworks\u002Fpci\u002Ftokenization-vs-encryption"," that replaces stored PANs with non-sensitive surrogates; PCI-listed point-to-point encryption (P2PE) that removes in-store networks from PCI scope; and outsourcing card capture to a validated service provider so your systems never touch real card data. Layered correctly, these strategies can reduce a PCI DSS assessment from hundreds of in-scope systems to a handful.",[32,310,312],{"id":311},"key-pci-dss-roles-qsas-asvs-and-isas","Key PCI DSS roles: QSAs, ASVs, and ISAs",[37,314,315],{},"Three accredited roles support every PCI DSS program:",[200,317,318,333,348],{},[68,319,320,327,328,332],{},[71,321,322,323,326],{},"Qualified Security Assessors (",[41,324,325],{"href":179},"QSAs",")"," -- individuals and firms certified by the PCI SSC to perform on-site PCI DSS assessments, produce the ROC, and sign the Attestation of Compliance. Selecting the right QSA shapes your PCI DSS experience for years; the ",[41,329,331],{"href":330},"\u002Fframeworks\u002Fpci\u002Fqsa-selection","QSA selection guide"," covers how to evaluate firms, cost drivers, and red flags.",[68,334,335,342,343,347],{},[71,336,337,338,326],{},"Approved Scanning Vendors (",[41,339,341],{"href":340},"\u002Fglossary\u002Fasv","ASVs"," -- PCI SSC-approved firms that run the quarterly external vulnerability scans required by PCI DSS Requirement 11.3.2. 
The ",[41,344,346],{"href":345},"\u002Fframeworks\u002Fpci\u002Fasv-program","ASV program guide"," covers vendor selection, scanning cadence, passing thresholds, and remediation workflows.",[68,349,350,353],{},[71,351,352],{},"Internal Security Assessors (ISAs)"," -- employees who have completed PCI SSC training and can complete certain internal PCI DSS assessments or support a QSA engagement. ISAs are a cost-effective way to build PCI DSS capability inside large programs.",[37,355,356,357,361],{},"Penetration testing (Requirement 11.4) sits alongside ASV scanning and is a frequent source of PCI DSS findings. The ",[41,358,360],{"href":359},"\u002Fframeworks\u002Fpci\u002Fpenetration-testing","PCI DSS penetration testing guide"," covers internal vs external scope, segmentation testing, and frequency.",[32,363,365],{"id":364},"penalties-for-non-compliance","Penalties for non-compliance",[37,367,368],{},"PCI DSS is not law, but non-compliance carries material financial consequences. Acquirers can levy fines of $5,000 to $100,000 per month for PCI DSS violations, pass fines down to merchants, raise transaction fees, or revoke payment processing privileges outright. After a confirmed breach of card data, a merchant typically faces a forensic PFI investigation, card brand fines, assessments for fraud losses, reissuance costs for compromised cards, and mandatory Level 1 PCI DSS validation going forward. Regulators and state attorneys general may also get involved, and the organization almost always faces litigation. In short, PCI DSS fines are rarely the largest line item -- the true cost of a breach is reputational damage, customer churn, and the fully loaded cost of breach response.",[32,370,372],{"id":371},"pci-dss-vs-other-frameworks","PCI DSS vs other frameworks",[37,374,375,376,380,381,385],{},"PCI DSS is narrower and more prescriptive than most security frameworks. 
ISO 27001 is a management-system standard focused on the process of running an ISMS; it tells you how to manage risk but does not specify controls the way PCI DSS does. SOC 2 is an attestation framework where you define your own controls against the Trust Services Criteria; PCI DSS prescribes them. HIPAA and HITECH cover protected health information, not cardholder data. NIST CSF and NIST SP 800-53 offer control catalogues and risk management guidance that many organizations map into their PCI DSS program, especially under the v4.0 customized approach. PCI DSS is also one of the few frameworks with ongoing external validation -- ASV scans every quarter, penetration tests at least annually, and a full assessment every year. For businesses in the ",[41,377,379],{"href":378},"\u002Findustry\u002Ffinance","finance industry"," or running ",[41,382,384],{"href":383},"\u002Findustry\u002Fecommerce","e-commerce"," platforms, PCI DSS almost always becomes the binding constraint that the rest of the security program organizes around.",[32,387,389],{"id":388},"getting-pci-compliant","Getting PCI compliant",[37,391,392],{},"A typical path to PCI DSS compliance looks like this:",[65,394,395,401,407,413,419,425,431,437],{},[68,396,397,400],{},[71,398,399],{},"Define scope"," -- inventory every place card data lives, moves, or could move. 
Produce annotated network and data-flow diagrams.",[68,402,403,406],{},[71,404,405],{},"Reduce scope"," -- apply segmentation, tokenization, P2PE, and outsourcing to shrink the CDE before assessment.",[68,408,409,412],{},[71,410,411],{},"Select your validation path"," -- confirm your PCI DSS level with your acquirer and determine whether you owe a ROC or an SAQ.",[68,414,415,418],{},[71,416,417],{},"Gap assess"," -- map your current controls to every applicable PCI DSS requirement and prioritize remediation.",[68,420,421,424],{},[71,422,423],{},"Remediate and document"," -- close gaps, write the policies and procedures PCI DSS expects, and stand up the logging, monitoring, scanning, and testing programs.",[68,426,427,430],{},[71,428,429],{},"Engage your QSA or ASV"," -- commission the ASV scans, book the penetration test, and (for Level 1) schedule your QSA engagement early enough to allow remediation cycles.",[68,432,433,436],{},[71,434,435],{},"Validate and attest"," -- produce the ROC or SAQ plus Attestation of Compliance, and submit to your acquirer on the required cadence.",[68,438,439,442],{},[71,440,441],{},"Operate continuously"," -- PCI DSS v4.0 expects continuous monitoring, targeted risk analyses, and evidence that controls stay effective between assessments.",[37,444,445],{},"episki automates the bulk of the evidence collection, control testing, and QSA collaboration work so your PCI DSS program is audit-ready year-round instead of scrambling at the end of each cycle. 
If you are starting a new PCI DSS program or rebuilding an existing one, episki can shorten your path from scoping through Report on Compliance.",{"title":447,"searchDepth":448,"depth":448,"links":449},"",2,[450,451,452,453,454,455,456,457,458,459,460],{"id":34,"depth":448,"text":35},{"id":54,"depth":448,"text":55},{"id":161,"depth":448,"text":162},{"id":172,"depth":448,"text":173},{"id":189,"depth":448,"text":190},{"id":269,"depth":448,"text":270},{"id":290,"depth":448,"text":291},{"id":311,"depth":448,"text":312},{"id":364,"depth":448,"text":365},{"id":371,"depth":448,"text":372},{"id":388,"depth":448,"text":389},{"title":462,"description":463,"items":464},"PCI DSS playbook","Follow structured milestones from scoping through ROC submission.",[465,466,467,468,469],"Automated scope confirmation questionnaires","Connector-backed logging and monitoring checks","Quarterly vulnerability and penetration testing tracker","Change-management evidence capture","ROC narrative template and artifact index",{"title":471,"description":472},"Keep PCI DSS audit-ready around the clock","Spin up your trial, sync evidence, and invite your QSA in a single day.","md",{"title":475,"items":476},"PCI DSS frequently asked questions",[477,480,483,486,489],{"label":478,"content":479},"What are the PCI DSS compliance levels?","PCI DSS has four merchant levels based on annual transaction volume. Level 1 (over 6 million transactions) requires a formal Report on Compliance by a QSA. Levels 2-4 may self-assess using the appropriate Self-Assessment Questionnaire (SAQ). 
Service providers have two levels with different validation requirements.",{"label":481,"content":482},"What changed in PCI DSS 4.0?","PCI DSS 4.0 introduced a customized validation approach allowing organizations to meet objectives with alternative controls, expanded multi-factor authentication requirements, strengthened e-commerce and phishing protections, and added emphasis on continuous security rather than point-in-time compliance.",{"label":484,"content":485},"Who needs PCI DSS compliance?","Any organization that stores, processes, or transmits cardholder data must comply with PCI DSS. This includes merchants, payment processors, acquirers, issuers, and service providers. The scope is determined by your cardholder data environment (CDE).",{"label":487,"content":488},"How often is a PCI DSS assessment required?","PCI DSS assessments are required annually. Level 1 merchants and service providers must complete a formal assessment by a Qualified Security Assessor (QSA). Additionally, quarterly network vulnerability scans by an Approved Scanning Vendor (ASV) are required.",{"label":490,"content":491},"What is a cardholder data environment (CDE)?","The CDE includes all people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data, plus any systems connected to those components. 
Accurate CDE scoping is the foundation of an efficient PCI DSS assessment.",{"headline":493,"title":494,"description":495,"links":496},"PCI controls that stay current","Keep PCI DSS requirements passing even as your CDE evolves","episki maps DSS requirements, automates testing, and keeps QSAs collaborating in one secure workspace.",[497,501],{"label":498,"icon":499,"to":500},"Start PCI trial","i-lucide-rocket","https:\u002F\u002Fepiski.app\u002Fauth\u002Fregister",{"label":502,"icon":503,"color":504,"variant":505,"to":506,"target":507},"Book a demo","i-lucide-calendar","neutral","subtle","\u002Fdemo","_blank","2026-04-27",{},true,"\u002Fframeworks\u002Fpci",{"headline":513,"title":513,"description":514,"items":515},"PCI enablement kit","Give leadership, ops, and QSAs a single source of truth.",[516,519,522],{"title":517,"description":518},"CDE architecture report","Share sanitized diagrams and segmentation notes with prospects.",{"title":520,"description":521},"Risk and remediation digest","Weekly summary of open items, owners, and due dates.",{"title":523,"description":524},"Assessor workspace","Prebuilt template keeps every requirement, artifact, and note aligned.",{"title":526,"description":527},"PCI DSS Compliance Tool","Automate PCI DSS evidence collection, manage QSA collaboration, and keep cardholder data controls current. 
Start your free 14-day trial with episki.","pci",[530,533,536],{"value":531,"description":532},"90% automation","Evidence coverage across access, logging, segmentation, and monitoring.",{"value":534,"description":535},"QSA portal","Scoped access keeps your assessor in sync without endless spreadsheets.",{"value":537,"description":538},"Weekly drift checks","Automated alerts highlight misconfigurations before audits.","5.frameworks\u002Fpci","wxvQHRYeBHEsDrDF1QZg43Nio6AvwX3DWW21RftBG2c",[542,836,1221,1592,1851,2144,2364,2695,3061,3425,3709],{"id":543,"title":544,"body":545,"description":804,"extension":473,"faq":805,"frameworkSlug":528,"lastUpdated":819,"meta":820,"navigation":510,"path":345,"relatedTerms":821,"relatedTopics":826,"seo":831,"stem":834,"__hash__":835},"frameworkTopics\u002F5.frameworks\u002Fpci\u002Fasv-program.md","PCI DSS ASV Program and Quarterly External Scans",{"type":29,"value":546,"toc":794},[547,551,554,557,561,564,567,581,584,588,591,635,638,642,645,707,710,714,717,720,724,727,730,734,784,788],[32,548,550],{"id":549},"what-the-pci-dss-asv-program-is","What the PCI DSS ASV program is",[37,552,553],{},"The Approved Scanning Vendor (ASV) program is the PCI Security Standards Council's accreditation scheme for firms that perform the external vulnerability scans PCI DSS requires. Under PCI DSS Requirement 11.3.2, every organization with internet-facing systems in the cardholder data environment must run external vulnerability scans at least quarterly and after any significant change, and those scans must be performed by an ASV. Only firms listed on the PCI SSC's public ASV list can produce reports that satisfy PCI DSS; scans from unaccredited scanners or purely internal tooling do not count.",[37,555,556],{},"ASVs earn their status by passing an annual PCI SSC qualification, running their scanning tooling through a rigorous validation environment, and employing certified ASV employees. 
The PCI SSC maintains the master list of ASVs and publishes updates as firms are added, renewed, or removed. Selecting an ASV is therefore both a PCI DSS compliance decision and a security decision: the ASV's scanners, processes, and analyst capacity materially shape the quality of your external vulnerability data.",[32,558,560],{"id":559},"how-quarterly-external-scans-work","How quarterly external scans work",[37,562,563],{},"PCI DSS Requirement 11.3.2 mandates external vulnerability scanning at least once every three months, with every quarterly scan producing a passing result. The ASV configures scanning against the internet-facing IP ranges and fully qualified domain names in the cardholder data environment. The ASV runs automated vulnerability checks, produces a scan report, and works with you through dispute and remediation until the scan passes.",[37,565,566],{},"A passing PCI DSS ASV scan has:",[200,568,569,572,575,578],{},[68,570,571],{},"No vulnerabilities with a CVSS score of 4.0 or higher that remain exploitable after validation",[68,573,574],{},"No \"automatic failure\" findings such as SQL injection, cross-site scripting on sensitive pages, insecure remote access, or default passwords on any accessible service",[68,576,577],{},"No evidence that the scan was inappropriately restricted by firewall rules, rate limiting, or intrusion prevention systems",[68,579,580],{},"All in-scope hosts successfully scanned, not marked as unreachable without documented justification",[37,582,583],{},"If any of those conditions fail, the scan fails. You remediate the finding, request a rescan, and repeat until the quarter closes with a clean result. The PCI DSS rule of four is strict: you need four passing quarterly ASV scans per reporting period, not four attempted scans. 
Missing a quarter is a PCI DSS finding your QSA will flag.",[32,585,587],{"id":586},"remediation-timelines-and-workflow","Remediation timelines and workflow",[37,589,590],{},"A realistic PCI DSS ASV cadence looks like this:",[65,592,593,599,605,611,617,623,629],{},[68,594,595,598],{},[71,596,597],{},"Scan window opens"," at the start of each quarter. You schedule the scan with your ASV, confirm the IP ranges and domains in scope, and update any authentication material the scanner needs.",[68,600,601,604],{},[71,602,603],{},"Initial scan runs"," -- typically overnight or over a weekend to avoid business impact.",[68,606,607,610],{},[71,608,609],{},"Results are delivered"," within a few business days. Your team reviews findings with the ASV.",[68,612,613,616],{},[71,614,615],{},"Disputes are raised"," for false positives, compensating controls, or findings that do not apply in context. The ASV evaluates evidence and either accepts the dispute (the finding is suppressed) or rejects it (you remediate).",[68,618,619,622],{},[71,620,621],{},"Remediation"," -- you patch, reconfigure, or retire affected components.",[68,624,625,628],{},[71,626,627],{},"Rescan"," -- the ASV reruns the scan or a targeted subset. If clean, the quarter passes. If not, loop back.",[68,630,631,634],{},[71,632,633],{},"Final passing report"," is archived for your QSA and retained for at least 12 months.",[37,636,637],{},"PCI DSS does not prescribe an absolute remediation deadline inside a quarter, but practical limits apply: the quarter itself is the deadline. If you cannot remediate and rescan to a passing result before the next quarter begins, you have a PCI DSS finding. Well-run programs aim to pass the first scan of every quarter within two to three weeks, leaving buffer for unexpected findings.",[32,639,641],{"id":640},"selecting-an-asv","Selecting an ASV",[37,643,644],{},"The PCI SSC does not rank ASVs, so selection is up to you. 
Evaluate prospective ASVs against the following criteria:",[200,646,647,653,659,665,671,677,683,689,695,701],{},[68,648,649,652],{},[71,650,651],{},"PCI SSC listing"," -- confirm the firm is on the current ASV list. Accreditation lapses.",[68,654,655,658],{},[71,656,657],{},"Scanning technology"," -- ask which engine powers their scanning (commercial, open source, proprietary) and how frequently their vulnerability signatures update.",[68,660,661,664],{},[71,662,663],{},"Coverage of your stack"," -- if you run container workloads, serverless functions, or unusual platforms, confirm the ASV can scan them.",[68,666,667,670],{},[71,668,669],{},"Authenticated scan support"," -- most PCI DSS ASV scans are unauthenticated, but some findings require credentialed validation during dispute.",[68,672,673,676],{},[71,674,675],{},"Analyst depth"," -- an ASV with strong analysts accelerates dispute resolution dramatically. Ask how many certified ASV employees they have and what response SLAs they offer.",[68,678,679,682],{},[71,680,681],{},"Reporting portal"," -- review the portal used to schedule scans, review findings, manage disputes, and download attestations. Clunky portals waste security team time every quarter.",[68,684,685,688],{},[71,686,687],{},"Integration options"," -- API, SSO, ticketing integrations (Jira, ServiceNow), and export formats that feed your evidence system of record.",[68,690,691,694],{},[71,692,693],{},"Pricing model"," -- per-IP, per-domain, or flat-rate. 
Confirm rescan fees and what \"significant change\" scans cost.",[68,696,697,700],{},[71,698,699],{},"Dispute and escalation process"," -- how quickly can you get an analyst on a call when a finding is blocking a passing scan?",[68,702,703,706],{},[71,704,705],{},"References"," -- ask for references from organizations of similar size and stack.",[37,708,709],{},"Many organizations pair their ASV with the same firm that provides their QSA services, though they are distinct programs with distinct accreditations. If you choose the same firm, confirm they can operationally keep the two functions independent.",[32,711,713],{"id":712},"internal-scanning-and-the-bigger-pci-dss-picture","Internal scanning and the bigger PCI DSS picture",[37,715,716],{},"External ASV scans are only half of PCI DSS Requirement 11.3. You must also perform internal vulnerability scans at least quarterly and after significant change, re-scanning until all high-risk vulnerabilities are resolved. Internal scans can be performed by your own staff with commercial scanning tools -- they do not require an ASV. PCI DSS v4.0 tightens expectations on internal scan coverage, authenticated scanning, and risk-ranking of findings.",[37,718,719],{},"Together, ASV scans, internal scans, penetration testing, and segmentation testing make up the testing stack that Requirement 11 demands. ASV reports feed your Attestation of Compliance, your QSA's testing procedures, and your own board reporting on vulnerability posture.",[32,721,723],{"id":722},"how-this-fits-into-pci-dss-compliance","How this fits into PCI DSS compliance",[37,725,726],{},"Quarterly ASV scans are one of the most visible artifacts in a PCI DSS program. Your acquirer often reviews ASV attestations alongside your SAQ or ROC, card brands may audit ASV records during a breach investigation, and QSAs use ASV history as an early signal of program maturity. A clean ASV history with promptly resolved findings tells a compelling story. 
A history of missed quarters, unresolved disputes, or gaps in coverage does the opposite and almost always triggers deeper testing during an assessment.",[37,728,729],{},"ASV scanning is also closely tied to PCI DSS scope. Every time your external attack surface changes -- new domains, new public IPs, new cloud environments -- the ASV scope must be updated. Organizations that treat the ASV contract as set-and-forget often discover during an assessment that their ASV has been scanning a stale inventory for quarters, invalidating the PCI DSS evidence they thought they had.",[32,731,733],{"id":732},"common-mistakes","Common mistakes",[200,735,736,742,748,754,760,766,772,778],{},[68,737,738,741],{},[71,739,740],{},"Scoping the ASV to a subset of internet-facing assets",", leaving cardholder-data-affecting systems unscanned.",[68,743,744,747],{},[71,745,746],{},"Ignoring new domains and cloud resources"," until the ASV renewal, creating gaps that a QSA will discover.",[68,749,750,753],{},[71,751,752],{},"Allowing firewall or WAF rules to block the ASV scanner",", producing \"unable to scan\" findings that invalidate the scan.",[68,755,756,759],{},[71,757,758],{},"Suppressing findings without documented compensating controls"," -- ASV disputes must be evidence-backed.",[68,761,762,765],{},[71,763,764],{},"Missing a quarter because a rescan slipped",", which produces a PCI DSS finding that carries into the ROC.",[68,767,768,771],{},[71,769,770],{},"Treating ASV scans as a substitute for internal scans or penetration testing"," -- they are not interchangeable under PCI DSS.",[68,773,774,777],{},[71,775,776],{},"Relying on default credentials or test accounts"," on any internet-facing system, which is an automatic ASV failure.",[68,779,780,783],{},[71,781,782],{},"Procuring ASV services purely on price",", then discovering the support model cannot keep up with dispute volume.",[32,785,787],{"id":786},"how-episki-helps","How episki helps",[37,789,790,791,79],{},"episki 
centralizes every ASV scan, dispute, and remediation ticket against the specific PCI DSS requirement it supports, so quarter-over-quarter evidence is always at hand. We connect to your ASV portal, reconcile scanned assets against your cloud inventory, and route findings to engineering owners with remediation SLAs tied back to the PCI DSS requirement they satisfy. See how we support continuous PCI DSS evidence on the ",[41,792,793],{"href":511},"PCI DSS hub",{"title":447,"searchDepth":448,"depth":448,"links":795},[796,797,798,799,800,801,802,803],{"id":549,"depth":448,"text":550},{"id":559,"depth":448,"text":560},{"id":586,"depth":448,"text":587},{"id":640,"depth":448,"text":641},{"id":712,"depth":448,"text":713},{"id":722,"depth":448,"text":723},{"id":732,"depth":448,"text":733},{"id":786,"depth":448,"text":787},"A practical guide to the PCI DSS Approved Scanning Vendor (ASV) program, quarterly external vulnerability scans, remediation timelines, and how to select the right ASV.",{"items":806},[807,810,813,816],{"label":808,"content":809},"What is a PCI DSS ASV?","An Approved Scanning Vendor (ASV) is an organization certified by the PCI Security Standards Council to perform the external vulnerability scans required by PCI DSS Requirement 11.3.2. Only ASVs on the PCI SSC's published list can produce scan reports that satisfy PCI DSS.",{"label":811,"content":812},"How often are PCI DSS ASV scans required?","PCI DSS requires external ASV scans at least quarterly, plus an additional scan after any significant change to the in-scope environment. All four quarterly scans must have a passing result during the reporting period.",{"label":814,"content":815},"What counts as a passing ASV scan?","A passing ASV scan has no vulnerabilities rated CVSS 4.0 or higher after validation and no automatic failures such as default credentials or cross-site scripting on accessible pages. 
Failed scans must be remediated and rescanned until a clean, passing result is produced.",{"label":817,"content":818},"Who needs PCI DSS ASV scans?","Any organization with internet-facing systems in the cardholder data environment must run quarterly ASV scans. This includes most merchants accepting card-not-present transactions and all service providers that handle cardholder data over the internet.","2026-04-16",{},[822,823,824,825],"asv","pci-dss","pci-scope","vulnerability-management",[827,828,829,830],"requirements","penetration-testing","scope-reduction","qsa-selection",{"title":832,"description":833},"PCI DSS ASV Program: Quarterly Scans, Remediation & Vendor Selection","Everything you need to know about the PCI DSS ASV program — quarterly external vulnerability scans, passing thresholds, remediation timelines, and selecting an Approved Scanning Vendor.","5.frameworks\u002Fpci\u002Fasv-program","czpbkV8MpfNBucbxY5kpFREMCUA70p5n94ntk8vGlFY",{"id":837,"title":838,"body":839,"description":1195,"extension":473,"faq":1196,"frameworkSlug":528,"lastUpdated":819,"meta":1210,"navigation":510,"path":184,"relatedTerms":1211,"relatedTopics":1213,"seo":1216,"stem":1219,"__hash__":1220},"frameworkTopics\u002F5.frameworks\u002Fpci\u002Fcompliance-levels.md","PCI DSS Compliance Levels",{"type":29,"value":840,"toc":1173},[841,845,848,855,859,864,870,875,889,894,908,915,919,924,928,939,946,950,955,959,968,971,975,980,984,994,997,1001,1004,1008,1014,1018,1028,1032,1037,1041,1048,1051,1055,1058,1090,1093,1097,1101,1104,1108,1113,1117,1120,1124,1131,1135,1138,1170],[32,842,844],{"id":843},"how-pci-dss-compliance-levels-work","How PCI DSS compliance levels work",[37,846,847],{},"PCI DSS applies universally to any organization that stores, processes, or transmits cardholder data. However, the validation requirements -- how you demonstrate compliance -- vary based on your transaction volume and business type. 
The payment card brands (Visa, Mastercard, American Express, Discover, and JCB) each define their own compliance level thresholds, though the levels are broadly similar.",[37,849,850,851,854],{},"Understanding your compliance level is essential for planning your ",[41,852,853],{"href":511},"PCI DSS compliance"," program. Your level determines whether you need a formal on-site assessment by a Qualified Security Assessor (QSA) or can self-validate using a Self-Assessment Questionnaire (SAQ).",[32,856,858],{"id":857},"merchant-compliance-levels","Merchant compliance levels",[860,861,863],"h3",{"id":862},"level-1-largest-merchants","Level 1 - Largest merchants",[37,865,866,869],{},[71,867,868],{},"Transaction threshold:"," More than 6 million card transactions per year across all channels (Visa and Mastercard). American Express sets this at 2.5 million transactions.",[37,871,872],{},[71,873,874],{},"Validation requirements:",[200,876,877,880,883,886],{},[68,878,879],{},"Annual Report on Compliance (ROC) completed by a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA)",[68,881,882],{},"Quarterly network vulnerability scans by an Approved Scanning Vendor (ASV)",[68,884,885],{},"Attestation of Compliance (AOC) signed by the QSA and an officer of the organization",[68,887,888],{},"Annual penetration test",[37,890,891],{},[71,892,893],{},"Who falls into Level 1:",[200,895,896,899,902,905],{},[68,897,898],{},"Major retailers, airlines, and hospitality chains",[68,900,901],{},"Large e-commerce platforms",[68,903,904],{},"Any merchant that has experienced a data breach resulting in account data compromise (regardless of transaction volume)",[68,906,907],{},"Any merchant that a payment brand identifies as Level 1 at its discretion",[37,909,910,911,914],{},"Level 1 assessments are the most rigorous and expensive. 
The ROC process involves detailed evidence review, on-site interviews, system sampling, and testing of every applicable control across all 12 ",[41,912,913],{"href":61},"PCI DSS requirements",". Assessments typically take several weeks to several months depending on the size and complexity of the cardholder data environment.",[860,916,918],{"id":917},"level-2-mid-size-merchants","Level 2 - Mid-size merchants",[37,920,921,923],{},[71,922,868],{}," 1 million to 6 million card transactions per year (Visa and Mastercard).",[37,925,926],{},[71,927,874],{},[200,929,930,933,936],{},[68,931,932],{},"Annual Self-Assessment Questionnaire (SAQ) appropriate to the merchant's payment processing environment",[68,934,935],{},"Quarterly ASV vulnerability scans",[68,937,938],{},"Attestation of Compliance (AOC)",[37,940,941,942,945],{},"Some acquiring banks may require Level 2 merchants to complete a ROC or engage a QSA to validate their SAQ, particularly if the merchant operates in a high-risk industry or has experienced security incidents. The specific SAQ type depends on how the merchant processes payments -- see the ",[41,943,944],{"href":259},"SAQ guide"," for details.",[860,947,949],{"id":948},"level-3-e-commerce-merchants","Level 3 - E-commerce merchants",[37,951,952,954],{},[71,953,868],{}," 20,000 to 1 million e-commerce transactions per year (Visa). Mastercard defines Level 3 as merchants processing 20,000 to 1 million total transactions.",[37,956,957],{},[71,958,874],{},[200,960,961,964,966],{},[68,962,963],{},"Annual SAQ appropriate to the merchant's environment",[68,965,935],{},[68,967,938],{},[37,969,970],{},"Level 3 was originally designed to address e-commerce merchants specifically, recognizing the elevated risk of card-not-present transactions. 
In practice, the validation requirements are similar to Level 2, but the threshold is significantly lower for online-only merchants.",[860,972,974],{"id":973},"level-4-smallest-merchants","Level 4 - Smallest merchants",[37,976,977,979],{},[71,978,868],{}," Fewer than 20,000 e-commerce transactions per year and fewer than 1 million total transactions across all channels.",[37,981,982],{},[71,983,874],{},[200,985,986,989,992],{},[68,987,988],{},"Annual SAQ appropriate to the merchant's environment (recommended but determined by acquirer)",[68,990,991],{},"Quarterly ASV vulnerability scans (if applicable to the SAQ type)",[68,993,938],{},[37,995,996],{},"Level 4 encompasses the vast majority of merchants worldwide. While the validation requirements are the least demanding, the PCI DSS requirements themselves still apply in full. A data breach at a Level 4 merchant carries the same consequences as one at a Level 1 merchant. Many acquiring banks set their own requirements for Level 4 merchants, and some may not actively enforce SAQ completion, which unfortunately leads to gaps in security.",[32,998,1000],{"id":999},"service-provider-compliance-levels","Service provider compliance levels",[37,1002,1003],{},"Service providers -- organizations that store, process, or transmit cardholder data on behalf of other entities, or that could affect the security of cardholder data -- have their own compliance levels.",[860,1005,1007],{"id":1006},"service-provider-level-1","Service provider Level 1",[37,1009,1010,1013],{},[71,1011,1012],{},"Threshold:"," More than 300,000 card transactions per year (Visa) or any service provider that stores, processes, or transmits more than 300,000 Mastercard transactions.",[37,1015,1016],{},[71,1017,874],{},[200,1019,1020,1023,1025],{},[68,1021,1022],{},"Annual ROC by a QSA",[68,1024,935],{},[68,1026,1027],{},"Semi-annual segmentation penetration testing (more frequent than merchant 
requirements)",[860,1029,1031],{"id":1030},"service-provider-level-2","Service provider Level 2",[37,1033,1034,1036],{},[71,1035,1012],{}," Fewer than 300,000 card transactions per year.",[37,1038,1039],{},[71,1040,874],{},[200,1042,1043,1046],{},[68,1044,1045],{},"Annual SAQ-D for Service Providers",[68,1047,935],{},[37,1049,1050],{},"Service providers face additional PCI DSS requirements beyond those for merchants, including change detection mechanisms, penetration testing of segmentation controls every six months, and documented responsibilities in customer agreements. Many payment brands maintain public registries of validated service providers that merchants can reference.",[32,1052,1054],{"id":1053},"payment-brand-variations","Payment brand variations",[37,1056,1057],{},"While the levels described above represent the general framework, each payment brand has specific nuances:",[200,1059,1060,1066,1072,1078,1084],{},[68,1061,1062,1065],{},[71,1063,1064],{},"Visa"," distinguishes between e-commerce and total transaction counts for Levels 3 and 4",[68,1067,1068,1071],{},[71,1069,1070],{},"Mastercard"," includes a \"Site Data Protection\" (SDP) program with registration requirements",[68,1073,1074,1077],{},[71,1075,1076],{},"American Express"," uses a lower Level 1 threshold (2.5 million transactions) and refers to its program as the Data Security Operating Policy (DSOP)",[68,1079,1080,1083],{},[71,1081,1082],{},"Discover"," follows a similar four-level structure but determines levels based on Discover-brand transactions specifically",[68,1085,1086,1089],{},[71,1087,1088],{},"JCB"," follows a structure aligned with Visa but with its own compliance program requirements",[37,1091,1092],{},"Organizations that accept multiple card brands must meet the most stringent level applicable across all brands. 
If you process 3 million Visa transactions (Level 2 for Visa) but 3 million American Express transactions (Level 1 for Amex), you would need to meet Level 1 validation requirements.",[32,1094,1096],{"id":1095},"how-compliance-levels-affect-your-program","How compliance levels affect your program",[860,1098,1100],{"id":1099},"assessment-cost-and-effort","Assessment cost and effort",[37,1102,1103],{},"Level 1 assessments involving a QSA engagement can cost anywhere from $50,000 to over $500,000 depending on the complexity of the environment, the number of locations, and the maturity of existing controls. Self-assessment at Levels 2 through 4 is less expensive but still requires significant internal effort to gather evidence, complete the questionnaire accurately, and maintain documentation.",[860,1105,1107],{"id":1106},"scope-reduction-benefits","Scope reduction benefits",[37,1109,1110,1112],{},[41,1111,298],{"href":297}," techniques benefit organizations at every level. For Level 1 merchants, a smaller cardholder data environment means a shorter, less expensive QSA engagement. For Level 2 through 4 merchants, scope reduction may qualify you for a simpler SAQ type, reducing the number of questions from over 300 (SAQ D) to as few as 22 (SAQ A).",[860,1114,1116],{"id":1115},"acquirer-requirements","Acquirer requirements",[37,1118,1119],{},"Your acquiring bank (the bank that processes card transactions on your behalf) is ultimately responsible for ensuring your compliance. Acquirers may impose requirements beyond the minimum defined by the payment brands. 
Some acquirers require Level 2 merchants to undergo QSA assessments, mandate specific SAQ types, or set deadlines for compliance validation that differ from the payment brand's timelines.",[860,1121,1123],{"id":1122},"breach-consequences-by-level","Breach consequences by level",[37,1125,1126,1127,1130],{},"A data breach can result in escalation to a higher compliance level, significant fines from payment brands (ranging from $5,000 to $100,000 per month of non-compliance), forensic investigation costs, and potential loss of the ability to process card payments. These consequences apply regardless of compliance level, which is why organizations at every level in the ",[41,1128,1129],{"href":378},"fintech industry"," and beyond should invest in robust security controls rather than treating compliance as a box-checking exercise.",[32,1132,1134],{"id":1133},"determining-your-level","Determining your level",[37,1136,1137],{},"To determine your compliance level:",[65,1139,1140,1146,1152,1158,1164],{},[68,1141,1142,1145],{},[71,1143,1144],{},"Count your annual transactions"," across all channels and all payment brands",[68,1147,1148,1151],{},[71,1149,1150],{},"Identify which payment brands you accept"," and check each brand's specific thresholds",[68,1153,1154,1157],{},[71,1155,1156],{},"Consult your acquiring bank"," for any additional requirements or level assignments",[68,1159,1160,1163],{},[71,1161,1162],{},"Consider breach history"," -- a prior breach may automatically place you at Level 1",[68,1165,1166,1169],{},[71,1167,1168],{},"Plan for growth"," -- if you are approaching a threshold, plan for the next level's validation requirements proactively",[37,1171,1172],{},"Your compliance level is not static. As transaction volumes grow, you may move to a higher level with more demanding validation requirements. 
Building a mature compliance program early ensures a smoother transition when that time comes.",{"title":447,"searchDepth":448,"depth":448,"links":1174},[1175,1176,1183,1187,1188,1194],{"id":843,"depth":448,"text":844},{"id":857,"depth":448,"text":858,"children":1177},[1178,1180,1181,1182],{"id":862,"depth":1179,"text":863},3,{"id":917,"depth":1179,"text":918},{"id":948,"depth":1179,"text":949},{"id":973,"depth":1179,"text":974},{"id":999,"depth":448,"text":1000,"children":1184},[1185,1186],{"id":1006,"depth":1179,"text":1007},{"id":1030,"depth":1179,"text":1031},{"id":1053,"depth":448,"text":1054},{"id":1095,"depth":448,"text":1096,"children":1189},[1190,1191,1192,1193],{"id":1099,"depth":1179,"text":1100},{"id":1106,"depth":1179,"text":1107},{"id":1115,"depth":1179,"text":1116},{"id":1122,"depth":1179,"text":1123},{"id":1133,"depth":448,"text":1134},"An explanation of PCI DSS merchant and service provider compliance levels, transaction thresholds, and validation requirements for each level.",{"items":1197},[1198,1201,1204,1207],{"label":1199,"content":1200},"How do I determine my PCI DSS compliance level?","Your level is based on annual card transaction volume across all channels and payment brands. Merchant Level 1 is 6+ million transactions, Level 2 is 1–6 million, Level 3 is 20,000–1 million e-commerce transactions, and Level 4 is everything below those thresholds. Your acquiring bank may also assign a higher level.",{"label":1202,"content":1203},"What is the difference between SAQ and ROC in PCI DSS?","A Self-Assessment Questionnaire (SAQ) is a self-validation tool used by Level 2–4 merchants. A Report on Compliance (ROC) is a formal assessment conducted by a Qualified Security Assessor (QSA) and is required for Level 1 merchants. ROC assessments are significantly more rigorous and expensive.",{"label":1205,"content":1206},"Can a data breach change my PCI compliance level?","Yes. 
Any merchant that experiences a data breach resulting in account data compromise is automatically escalated to Level 1 regardless of transaction volume. Payment brands can also assign Level 1 status at their discretion.",{"label":1208,"content":1209},"How much does a PCI DSS Level 1 assessment cost?","Level 1 QSA assessments typically cost $50,000 to over $500,000 depending on environment complexity, number of locations, and control maturity. Self-assessment at Levels 2–4 is less expensive but still requires significant internal effort for evidence gathering and documentation.",{},[823,1212],"grc",[827,1214,1215],"self-assessment-questionnaire","v4-changes",{"title":1217,"description":1218},"PCI DSS Compliance Levels Explained: Merchant Level 1–4 & Service Provider Requirements","PCI DSS merchant levels 1–4 and service provider levels explained — transaction thresholds, SAQ vs ROC validation, and what each level requires.","5.frameworks\u002Fpci\u002Fcompliance-levels","q9VxhLQLRZBdJPmHYvuWAhLc8o4cKzw19jyXrfSQ5Ww",{"id":1222,"title":1223,"body":1224,"description":1565,"extension":473,"faq":1566,"frameworkSlug":528,"lastUpdated":819,"meta":1580,"navigation":510,"path":302,"relatedTerms":1581,"relatedTopics":1585,"seo":1587,"stem":1590,"__hash__":1591},"frameworkTopics\u002F5.frameworks\u002Fpci\u002Fnetwork-segmentation.md","PCI DSS Network Segmentation",{"type":29,"value":1225,"toc":1553},[1226,1230,1233,1236,1240,1243,1269,1272,1276,1279,1299,1302,1306,1309,1347,1350,1354,1357,1401,1404,1408,1411,1414,1428,1431,1435,1438,1476,1479,1481,1484,1487,1489,1545,1547],[32,1227,1229],{"id":1228},"why-pci-dss-network-segmentation-matters","Why PCI DSS network segmentation matters",[37,1231,1232],{},"Without network segmentation, every system that can reach any CDE system is in PCI DSS scope. That typically means a flat corporate network with thousands of endpoints and servers, all of them pulled into the assessment. 
Network segmentation is the architectural pattern that draws a firm boundary around the cardholder data environment, isolates it, and allows the rest of the corporate network to remain out of PCI DSS scope.",[37,1234,1235],{},"Segmentation is not strictly required by PCI DSS. You can choose to run a flat network and put every system through PCI DSS testing. Almost no one does. The cost savings from segmentation are usually 10x or more across the life of a PCI DSS program -- fewer controls to implement, fewer systems to scan, fewer owners to interview, fewer evidence items to maintain. Segmentation is therefore the first design conversation in every PCI DSS program and the first architectural pattern a QSA will review.",[32,1237,1239],{"id":1238},"what-pci-dss-segmentation-must-enforce","What PCI DSS segmentation must enforce",[37,1241,1242],{},"PCI DSS segmentation must:",[200,1244,1245,1251,1257,1263],{},[68,1246,1247,1250],{},[71,1248,1249],{},"Isolate the CDE from out-of-scope networks."," Traffic between the two is denied by default.",[68,1252,1253,1256],{},[71,1254,1255],{},"Allow only explicitly approved, business-justified traffic."," Every exception is documented, owned, and reviewed.",[68,1258,1259,1262],{},[71,1260,1261],{},"Use technical controls, not just policy."," Segmentation must be enforced by firewalls, ACLs, network security groups, or equivalent controls -- not by trust or convention.",[68,1264,1265,1268],{},[71,1266,1267],{},"Be validated."," Penetration testing confirms the isolation holds in practice.",[37,1270,1271],{},"A segmentation design is not \"we put the CDE on VLAN 200.\" It is a documented set of trust zones, a firewall ruleset that enforces traffic between them, a change process that governs rule modifications, a regular review cadence for the rules, and a testing program that validates the whole system every six or twelve months.",[32,1273,1275],{"id":1274},"vlan-isolation-in-on-premise-networks","VLAN isolation in on-premise 
networks",[37,1277,1278],{},"The classic on-premise PCI DSS segmentation pattern is VLAN-based isolation:",[200,1280,1281,1284,1287,1290,1293,1296],{},[68,1282,1283],{},"Dedicated VLANs for CDE systems, typically one per function (payment application servers, databases, jump hosts).",[68,1285,1286],{},"Dedicated VLANs for CDE management traffic, separate from CDE data plane traffic.",[68,1288,1289],{},"Stateful firewalls enforcing traffic policy between CDE VLANs and non-CDE VLANs.",[68,1291,1292],{},"Access control lists or micro-segmentation within the CDE to limit lateral traffic.",[68,1294,1295],{},"No routed paths from corporate VLANs to the CDE except through documented chokepoints.",[68,1297,1298],{},"Separate DNS, NTP, and authentication services for the CDE where feasible.",[37,1300,1301],{},"Wireless networks deserve special attention. PCI DSS treats wireless access to the CDE as high-risk and requires strong authentication, unique credentials, and specific testing. Many organizations exclude wireless from the CDE entirely by routing wireless through a dedicated zone that has no direct path to cardholder data.",[32,1303,1305],{"id":1304},"cloud-segmentation-patterns","Cloud segmentation patterns",[37,1307,1308],{},"PCI DSS segmentation in the cloud is conceptually identical but uses cloud-native primitives:",[200,1310,1311,1317,1323,1329,1335,1341],{},[68,1312,1313,1316],{},[71,1314,1315],{},"Dedicated VPCs or projects"," for the CDE, with explicit peering or transit rules to the rest of the environment.",[68,1318,1319,1322],{},[71,1320,1321],{},"Tight security groups and network ACLs"," that enforce least-privilege traffic between the CDE and everything else.",[68,1324,1325,1328],{},[71,1326,1327],{},"Private endpoints"," so cloud services consumed by CDE workloads do not traverse the public internet.",[68,1330,1331,1334],{},[71,1332,1333],{},"Service mesh or identity-based network policies"," that enforce workload-level segmentation within the 
CDE.",[68,1336,1337,1340],{},[71,1338,1339],{},"No shared accounts or projects"," between the CDE and non-CDE workloads unless explicitly in scope.",[68,1342,1343,1346],{},[71,1344,1345],{},"Cloud provider landing-zone patterns"," that codify segmentation through infrastructure-as-code.",[37,1348,1349],{},"Cloud environments introduce their own risks. Misconfigured security groups, overly broad IAM roles that cross CDE boundaries, shared logging and monitoring services that collect CDE data into out-of-scope buckets -- all of these can undo segmentation. PCI DSS does not care whether segmentation is implemented with a physical firewall or a cloud security group; it cares whether the isolation actually holds.",[32,1351,1353],{"id":1352},"firewall-rule-design-and-review","Firewall rule design and review",[37,1355,1356],{},"PCI DSS Requirement 1 governs network security controls including firewall and equivalent rules. A strong segmentation program maintains:",[200,1358,1359,1365,1371,1377,1383,1389,1395],{},[68,1360,1361,1364],{},[71,1362,1363],{},"Documented ruleset"," with business justification for every allow rule.",[68,1366,1367,1370],{},[71,1368,1369],{},"Deny-by-default"," posture with explicit allow rules.",[68,1372,1373,1376],{},[71,1374,1375],{},"Rule review"," at least every six months, removing stale rules and validating business justification.",[68,1378,1379,1382],{},[71,1380,1381],{},"Change management"," with documented approvals for every rule change.",[68,1384,1385,1388],{},[71,1386,1387],{},"Separation of duties"," so the person requesting a rule change is not the person approving it or the person implementing it.",[68,1390,1391,1394],{},[71,1392,1393],{},"Egress filtering"," -- outbound rules from the CDE to the internet and to non-CDE networks are explicitly defined.",[68,1396,1397,1400],{},[71,1398,1399],{},"Ingress filtering"," from the internet into the CDE follows the same allow-list approach.",[37,1402,1403],{},"The PCI DSS v4.0 revisions of 
Requirement 1 explicitly cover \"network security controls\" rather than just firewalls, recognizing that modern environments use a variety of technologies. What does not change is the substance: deny by default, justify every exception, review regularly.",[32,1405,1407],{"id":1406},"validation-testing-requirement-1145","Validation testing (Requirement 11.4.5)",[37,1409,1410],{},"Segmentation only counts if it is validated. PCI DSS Requirement 11.4.5 requires penetration testing of segmentation controls at least every 12 months for merchants and every six months for service providers, plus after any change to segmentation.",[37,1412,1413],{},"A sound segmentation test:",[200,1415,1416,1419,1422,1425],{},[68,1417,1418],{},"Places the tester on every out-of-scope network segment that is supposed to be isolated from the CDE.",[68,1420,1421],{},"Attempts every protocol and every CDE IP from each out-of-scope segment.",[68,1423,1424],{},"Documents what was and was not reachable.",[68,1426,1427],{},"Escalates any unexpected reachability to remediation, then retests.",[37,1429,1430],{},"Testing is not a tabletop. It is hands-on, from real network positions. Evidence is the pen-test report, the tester's qualifications, and the retest results.",[32,1432,1434],{"id":1433},"operational-risks-that-undo-segmentation","Operational risks that undo segmentation",[37,1436,1437],{},"Most segmentation failures are not architectural -- they are operational. 
Common patterns:",[200,1439,1440,1446,1452,1458,1464,1470],{},[68,1441,1442,1445],{},[71,1443,1444],{},"Jump hosts that drift"," out of hardening baselines and become lateral-movement paths.",[68,1447,1448,1451],{},[71,1449,1450],{},"Monitoring and logging tools"," that collect CDE data into out-of-scope systems, dragging those systems back into scope.",[68,1453,1454,1457],{},[71,1455,1456],{},"Backup and recovery infrastructure"," that bridges the CDE to out-of-scope storage.",[68,1459,1460,1463],{},[71,1461,1462],{},"Remote access vendors"," whose connections traverse segmentation boundaries because an exception was never formally reviewed.",[68,1465,1466,1469],{},[71,1467,1468],{},"CI\u002FCD pipelines"," that deploy to the CDE from out-of-scope build agents, creating a direct path that segmentation did not account for.",[68,1471,1472,1475],{},[71,1473,1474],{},"Ephemeral compute"," that spins up into the wrong network segment because infrastructure-as-code templates drifted.",[37,1477,1478],{},"Treat segmentation as a product, not a project. Build segmentation reviews into every major change, every new vendor, and every architectural decision.",[32,1480,723],{"id":722},[37,1482,1483],{},"Network segmentation is the force multiplier of a PCI DSS program. Requirement 1 (network security controls) is where segmentation is built. Requirement 2 (secure configurations) hardens the systems on either side of the boundary. Requirement 4 (cryptography in transit) protects any cross-boundary traffic. Requirements 7 and 8 (access control and authentication) govern who can cross. Requirement 10 (logging) records crossings. Requirement 11 (testing) validates isolation. A well-designed segmentation architecture pays dividends in every PCI DSS requirement you subsequently evaluate.",[37,1485,1486],{},"For mature PCI DSS programs, segmentation also becomes the substrate for broader security. 
A CDE segmentation pattern that works for PCI DSS is often reused for HIPAA-regulated data, for export-controlled environments, and for sensitive customer datasets. The investment compounds.",[32,1488,733],{"id":732},[200,1490,1491,1497,1503,1509,1515,1521,1527,1533,1539],{},[68,1492,1493,1496],{},[71,1494,1495],{},"Flat networks"," where CDE and non-CDE systems coexist on the same subnet.",[68,1498,1499,1502],{},[71,1500,1501],{},"Overly permissive firewall rules"," that negate the benefit of segmentation.",[68,1504,1505,1508],{},[71,1506,1507],{},"Unreviewed rulesets"," that accumulate stale exceptions over years.",[68,1510,1511,1514],{},[71,1512,1513],{},"Segmentation that stops at the network layer"," but ignores identity-based lateral movement.",[68,1516,1517,1520],{},[71,1518,1519],{},"Monitoring and backup systems"," that bridge the CDE into out-of-scope storage.",[68,1522,1523,1526],{},[71,1524,1525],{},"Missing segmentation testing"," or testing that does not cover every out-of-scope segment.",[68,1528,1529,1532],{},[71,1530,1531],{},"Cloud security groups and VPCs"," that look segmented but are reachable via misconfigured peering or shared identity.",[68,1534,1535,1538],{},[71,1536,1537],{},"VPN and remote access"," tools that punch holes through the boundary without documented justification.",[68,1540,1541,1544],{},[71,1542,1543],{},"Shadow IT"," -- unsanctioned services on out-of-scope subnets that need CDE access and create undocumented exceptions.",[32,1546,787],{"id":786},[37,1548,1549,1550,1552],{},"episki connects to your firewalls, cloud security groups, and network tooling, continuously reconciling your segmentation design against the traffic that is actually flowing. Drift in firewall rules, new exceptions, and unexpected cross-segment traffic surface as PCI DSS findings before your next assessment. 
Explore the ",[41,1551,793],{"href":511}," for how this fits into the broader program.",{"title":447,"searchDepth":448,"depth":448,"links":1554},[1555,1556,1557,1558,1559,1560,1561,1562,1563,1564],{"id":1228,"depth":448,"text":1229},{"id":1238,"depth":448,"text":1239},{"id":1274,"depth":448,"text":1275},{"id":1304,"depth":448,"text":1305},{"id":1352,"depth":448,"text":1353},{"id":1406,"depth":448,"text":1407},{"id":1433,"depth":448,"text":1434},{"id":722,"depth":448,"text":723},{"id":732,"depth":448,"text":733},{"id":786,"depth":448,"text":787},"Network segmentation for PCI DSS scope reduction — VLAN isolation, firewall rules, validation testing, and building an isolated cardholder data environment.",{"items":1567},[1568,1571,1574,1577],{"label":1569,"content":1570},"Is network segmentation required for PCI DSS?","Network segmentation is not strictly required by PCI DSS, but without it the entire network is in scope. Segmentation is how almost every organization achieves a manageable PCI DSS scope, and once implemented, segmentation controls must be tested at least annually (every six months for service providers).",{"label":1572,"content":1573},"What counts as effective PCI DSS network segmentation?","Effective segmentation isolates the cardholder data environment on dedicated network segments with firewall or equivalent controls that enforce a deny-by-default policy between the CDE and out-of-scope networks. Only explicitly approved, business-justified traffic is permitted, and the segmentation is validated through penetration testing.",{"label":1575,"content":1576},"Does cloud segmentation work for PCI DSS?","Yes. Cloud-native constructs like VPCs, security groups, subnets, service meshes, and identity-based network policies can satisfy PCI DSS segmentation if configured and validated to enforce CDE isolation. 
The evidence expectations are the same as for on-premises segmentation — documented design, rule review, and penetration testing.",{"label":1578,"content":1579},"How often must PCI DSS segmentation be validated?","At least every 12 months for merchants, every 6 months for service providers, and after any change that affects segmentation. Penetration testing is the PCI DSS-required method of validation — scans and configuration reviews are not a substitute.",{},[1582,1583,824,1584],"firewall","network-security","cardholder-data-environment",[829,827,828,1586],"tokenization-vs-encryption",{"title":1588,"description":1589},"PCI DSS Network Segmentation Guide: VLANs, Firewalls & Validation Testing","A practical PCI DSS network segmentation guide. VLAN isolation, firewall rules, cloud segmentation patterns, and how to validate segmentation controls under Requirement 11.4.5.","5.frameworks\u002Fpci\u002Fnetwork-segmentation","SAuRb-ng3K_g04a_zAnsH9mIJp97SR-DqG6t8qAwMII",{"id":1593,"title":1594,"body":1595,"description":1826,"extension":473,"faq":1827,"frameworkSlug":528,"lastUpdated":819,"meta":1841,"navigation":510,"path":359,"relatedTerms":1842,"relatedTopics":1843,"seo":1846,"stem":1849,"__hash__":1850},"frameworkTopics\u002F5.frameworks\u002Fpci\u002Fpenetration-testing.md","PCI DSS Penetration Testing (Requirement 11.4)",{"type":29,"value":1596,"toc":1815},[1597,1601,1604,1607,1611,1614,1658,1661,1665,1668,1674,1680,1683,1687,1690,1693,1707,1710,1714,1717,1720,1724,1727,1738,1741,1743,1746,1749,1751,1807,1809],[32,1598,1600],{"id":1599},"why-pci-dss-penetration-testing-matters","Why PCI DSS penetration testing matters",[37,1602,1603],{},"PCI DSS treats penetration testing as the ground-truth check on every other control in the program. ASV scans are automated and narrow. Internal vulnerability scans are deeper but still automated. 
Penetration testing puts a human adversary's perspective on your cardholder data environment and answers the only question that really matters: can an attacker actually reach cardholder data? PCI DSS Requirement 11.4 operationalizes that question into a set of testing obligations that apply to every organization subject to PCI DSS -- not just Level 1 merchants.",[37,1605,1606],{},"Penetration testing is also the requirement most often misinterpreted during a PCI DSS assessment. Organizations substitute vulnerability scans for penetration tests. They test application layers but skip the network layer. They skip segmentation validation. They engage a firm that produces a generic report with no evidence of hands-on testing. Each of these shortcuts is visible to a trained QSA and becomes a PCI DSS finding.",[32,1608,1610],{"id":1609},"what-requirement-114-actually-demands","What Requirement 11.4 actually demands",[37,1612,1613],{},"PCI DSS Requirement 11.4 has several sub-requirements:",[200,1615,1616,1622,1628,1634,1640,1646,1652],{},[68,1617,1618,1621],{},[71,1619,1620],{},"11.4.1"," -- a documented penetration testing methodology that is industry-accepted (NIST SP 800-115, OWASP Testing Guide, PTES, OSSTMM), covers the entire CDE perimeter and critical systems, includes testing from inside and outside the network, validates segmentation and scope-reduction controls, covers application-layer testing (at minimum, the OWASP Top 10 risks), and accounts for threats and vulnerabilities encountered in the past 12 months.",[68,1623,1624,1627],{},[71,1625,1626],{},"11.4.2"," -- internal penetration testing at least annually and after any significant change.",[68,1629,1630,1633],{},[71,1631,1632],{},"11.4.3"," -- external penetration testing at least annually and after any significant change.",[68,1635,1636,1639],{},[71,1637,1638],{},"11.4.4"," -- exploitable vulnerabilities found during penetration testing are corrected and the testing is repeated to verify the 
corrections.",[68,1641,1642,1645],{},[71,1643,1644],{},"11.4.5"," -- for organizations using network segmentation to reduce PCI DSS scope, segmentation controls are tested at least every 12 months for merchants and every 6 months for service providers, and after any change to segmentation controls.",[68,1647,1648,1651],{},[71,1649,1650],{},"11.4.6"," -- additional service-provider testing obligations for multi-tenant environments.",[68,1653,1654,1657],{},[71,1655,1656],{},"11.4.7"," -- multi-tenant service providers support customer penetration testing.",[37,1659,1660],{},"Every one of those sub-requirements has dedicated testing procedures that your QSA follows. Evidence includes the documented methodology, scoping documentation, tester qualifications, the final report, remediation tracking, and the rescan or retest results.",[32,1662,1664],{"id":1663},"internal-vs-external-penetration-testing","Internal vs external penetration testing",[37,1666,1667],{},"PCI DSS splits penetration testing into two perspectives.",[37,1669,1670,1673],{},[71,1671,1672],{},"External penetration testing"," simulates an adversary on the public internet. The tester has only what an outsider would have: public IP ranges, domain names, public-facing applications, and open-source intelligence. External tests exercise the perimeter -- firewalls, web applications, remote access portals, e-commerce checkouts -- and map what an attacker can reach from outside your network. External testing must cover the entire CDE perimeter plus any critical systems exposed to the internet.",[37,1675,1676,1679],{},[71,1677,1678],{},"Internal penetration testing"," simulates an adversary who has already gained a foothold inside the network, whether through a phished employee, a compromised contractor, or an insider threat. 
Internal testing exercises the defenses that stand between that foothold and the cardholder data environment: segmentation, privileged access controls, lateral-movement detection, hardening of jump hosts, and monitoring. Internal testing is where segmentation actually gets validated.",[37,1681,1682],{},"PCI DSS requires both perspectives. An organization that only runs external testing is missing half of the Requirement 11.4 obligation and creating a blind spot for exactly the attack path most commonly used in card-data breaches.",[32,1684,1686],{"id":1685},"segmentation-testing-requirement-1145","Segmentation testing (Requirement 11.4.5)",[37,1688,1689],{},"If you rely on network segmentation to reduce your PCI DSS scope, segmentation testing is non-negotiable. PCI DSS Requirement 11.4.5 requires that the segmentation controls isolating the CDE are tested at least annually for merchants, at least every six months for service providers, and after any change to segmentation. The testing must confirm that out-of-scope networks cannot reach the CDE and that the segmentation controls are operating as documented.",[37,1691,1692],{},"A good segmentation test looks like this:",[200,1694,1695,1698,1701,1704],{},[68,1696,1697],{},"The tester is placed on every out-of-scope network segment that is supposed to be isolated from the CDE.",[68,1699,1700],{},"From each segment, the tester attempts to reach every CDE system by any protocol.",[68,1702,1703],{},"Any connectivity discovered is flagged as a segmentation finding.",[68,1705,1706],{},"Findings are remediated, and the test is repeated until isolation is confirmed.",[37,1708,1709],{},"Segmentation testing does not require an attempt to compromise the CDE -- it is about reachability. A segmentation test where the tester merely ran a port scan from one corporate subnet is not sufficient. 
The test must cover every out-of-scope segment that could affect CDE isolation.",[32,1711,1713],{"id":1712},"frequency-change-driven-testing-and-retesting","Frequency, change-driven testing, and retesting",[37,1715,1716],{},"PCI DSS penetration testing is at least annual. But the real test frequency is driven by change. Any significant change to the CDE -- architecture changes, major software releases, new third-party integrations, new locations, new acquisition integrations, material infrastructure migration -- triggers a new test. Service providers have shorter mandatory cycles on segmentation testing (every six months).",[37,1718,1719],{},"Retesting is a specific PCI DSS obligation. Once a penetration test finds an exploitable vulnerability, you remediate it and then retest to confirm the fix. A report that lists findings but never shows retesting results is incomplete evidence under PCI DSS Requirement 11.4.4.",[32,1721,1723],{"id":1722},"tester-qualifications","Tester qualifications",[37,1725,1726],{},"PCI DSS does not name specific certifications but requires testers to be \"qualified\" and \"organizationally independent.\" In practice that means:",[200,1728,1729,1732,1735],{},[68,1730,1731],{},"Certifications such as OSCP, OSEP, OSWE, GPEN, GWAPT, GXPN, CRTO, or CREST tester grades, backed by evidence of real engagement experience.",[68,1733,1734],{},"Organizational independence -- testers do not test systems they built, manage, or rely on day to day.",[68,1736,1737],{},"Methodology discipline -- the tester follows the documented methodology and produces evidence of hands-on testing, not just tool output.",[37,1739,1740],{},"For internal teams, separation between build and test functions plus documented qualifications can satisfy PCI DSS. 
For external engagements, request the CVs and certifications of the specific individuals who will do the testing, not just the firm's credentials.",[32,1742,723],{"id":722},[37,1744,1745],{},"Penetration testing is where every other PCI DSS control gets pressure-tested. Requirement 1 firewalls are validated during external testing. Requirement 2 hardening and Requirement 6 secure development are validated during application and internal testing. Requirement 8 authentication is validated at every stage. Requirement 10 logging and monitoring is validated when the tester's activity is (or is not) detected. Requirement 11.3 scanning programs are validated by comparing scan output to pen-test findings. A well-run PCI DSS penetration test is therefore not just an 11.4 artifact -- it is the feedback loop for the entire PCI DSS program.",[37,1747,1748],{},"Your QSA will pay particular attention to the pen-test report during every PCI DSS assessment. They will compare the scope to your documented CDE, check that findings have been remediated and retested, and look for the patterns that signal low-quality testing (no evidence of exploitation, no enumeration of internal hosts, no segmentation testing, boilerplate executive summary).",[32,1750,733],{"id":732},[200,1752,1753,1759,1765,1771,1777,1783,1789,1795,1801],{},[68,1754,1755,1758],{},[71,1756,1757],{},"Substituting vulnerability scanning for penetration testing."," Scans detect vulnerabilities; tests exploit them to produce impact evidence. 
PCI DSS distinguishes the two.",[68,1760,1761,1764],{},[71,1762,1763],{},"Skipping internal testing"," and presenting only external pen-test reports.",[68,1766,1767,1770],{},[71,1768,1769],{},"Segmentation testing that does not cover every out-of-scope segment"," -- a subset test is not a PCI DSS segmentation test.",[68,1772,1773,1776],{},[71,1774,1775],{},"Missing change-driven retests"," after material CDE changes throughout the year.",[68,1778,1779,1782],{},[71,1780,1781],{},"Failing to retest remediated findings",", leaving a gap in Requirement 11.4.4 evidence.",[68,1784,1785,1788],{},[71,1786,1787],{},"Engaging testers without verifying qualifications"," or organizational independence.",[68,1790,1791,1794],{},[71,1792,1793],{},"Pen-test reports that lack evidence of hands-on testing"," -- the report must show what the tester did, not just what the tools found.",[68,1796,1797,1800],{},[71,1798,1799],{},"Treating PCI DSS pen testing as a once-a-year event"," disconnected from vulnerability management, change control, and application security.",[68,1802,1803,1806],{},[71,1804,1805],{},"Limiting scope to the easiest systems to test"," rather than the full CDE perimeter and critical systems.",[32,1808,787],{"id":786},[37,1810,1811,1812,1814],{},"episki maps every penetration testing finding to the specific PCI DSS requirement it affects, routes remediation tasks to the right engineering owner, and tracks retesting evidence automatically. Your QSA sees a clean chain from finding to fix to retest, without you digging through email or shared drives. 
See the ",[41,1813,793],{"href":511}," to learn more.",{"title":447,"searchDepth":448,"depth":448,"links":1816},[1817,1818,1819,1820,1821,1822,1823,1824,1825],{"id":1599,"depth":448,"text":1600},{"id":1609,"depth":448,"text":1610},{"id":1663,"depth":448,"text":1664},{"id":1685,"depth":448,"text":1686},{"id":1712,"depth":448,"text":1713},{"id":1722,"depth":448,"text":1723},{"id":722,"depth":448,"text":723},{"id":732,"depth":448,"text":733},{"id":786,"depth":448,"text":787},"PCI DSS Requirement 11.4 penetration testing — internal vs external testing, segmentation validation, frequency, scope, and methodology.",{"items":1828},[1829,1832,1835,1838],{"label":1830,"content":1831},"How often is PCI DSS penetration testing required?","PCI DSS requires penetration testing at least annually and after any significant change to the in-scope environment. Segmentation controls must be tested at least every six months for service providers and at least annually for merchants.",{"label":1833,"content":1834},"What is the difference between PCI DSS internal and external penetration testing?","External penetration testing simulates an attacker on the public internet attempting to breach the cardholder data environment. Internal penetration testing simulates an attacker who has already gained access to the internal network attempting to compromise CDE systems. PCI DSS Requirement 11.4 requires both.",{"label":1836,"content":1837},"Does PCI DSS penetration testing require a specific methodology?","PCI DSS Requirement 11.4.1 requires a documented methodology based on industry-accepted approaches such as NIST SP 800-115, OWASP, PTES, or OSSTMM. 
The methodology must be kept current, reviewed annually, and followed by a qualified tester.",{"label":1839,"content":1840},"Can internal staff perform PCI DSS penetration tests?","Yes, but the tester must be organizationally independent from the systems being tested and must be demonstrably qualified through certifications, experience, and training. Most organizations choose a third-party testing firm to satisfy independence and qualification requirements cleanly.",{},[828,823,824,1584],[827,1844,1845,829],"asv-program","network-segmentation",{"title":1847,"description":1848},"PCI DSS Penetration Testing: Requirement 11.4 Guide (Internal, External, Segmentation)","A practical guide to PCI DSS Requirement 11.4 penetration testing. Covers internal vs external scope, segmentation testing, frequency, methodology, and common pitfalls.","5.frameworks\u002Fpci\u002Fpenetration-testing","AxYyZa_L84eQvUEexqB2owrLAbcN4NXkPORzLu8yejg",{"id":1852,"title":1853,"body":1854,"description":2118,"extension":473,"faq":2119,"frameworkSlug":528,"lastUpdated":819,"meta":2133,"navigation":510,"path":330,"relatedTerms":2134,"relatedTopics":2137,"seo":2139,"stem":2142,"__hash__":2143},"frameworkTopics\u002F5.frameworks\u002Fpci\u002Fqsa-selection.md","How to Select a PCI DSS QSA",{"type":29,"value":1855,"toc":2099},[1856,1860,1863,1866,1870,1873,1877,1880,1884,1887,1891,1894,1898,1901,1905,1908,1912,1915,1919,1922,1926,1929,1933,1936,1968,1971,1975,1978,2022,2025,2029,2032,2035,2037,2040,2042,2092,2094],[32,1857,1859],{"id":1858},"why-qsa-selection-matters","Why QSA selection matters",[37,1861,1862],{},"For any PCI DSS program that requires a Report on Compliance -- typically Level 1 merchants and service providers -- the Qualified Security Assessor (QSA) is the single most important third party you will engage. 
The QSA signs the Attestation of Compliance that your acquirer relies on, interprets ambiguous PCI DSS requirements in the context of your environment, and sets the tone for how smoothly the assessment runs. A strong QSA makes your PCI DSS program sharper. A weak QSA makes every control feel punitive and every evidence request ambiguous. Selecting the right QSA is therefore a multi-year decision that shapes cost, risk, and internal credibility.",[37,1864,1865],{},"PCI DSS QSAs are individuals; QSA Companies (QSACs) are firms. The PCI SSC accredits both. Individual QSAs pass annual training and requalification, and QSACs carry firm-level accreditation, quality assurance obligations, and reporting duties. The PCI SSC publishes the master list of QSACs and the regions each is authorized to work in. Your first filter is straightforward: the firm must be an active QSAC authorized in your geography.",[32,1867,1869],{"id":1868},"criteria-for-evaluating-pci-dss-qsa-firms","Criteria for evaluating PCI DSS QSA firms",[37,1871,1872],{},"Look beyond the PCI SSC list when choosing a QSA. The firms on it vary dramatically in size, philosophy, and operational approach. Evaluate candidates on the following:",[860,1874,1876],{"id":1875},"industry-and-technology-fit","Industry and technology fit",[37,1878,1879],{},"Does the QSA firm regularly assess organizations like yours -- same transaction volume, same acceptance channels, same cloud and data stack? A QSA that has signed a hundred AWS-native SaaS ROCs will understand your PCI DSS scoping questions in ways a QSA fresh from brick-and-mortar retail will not. Ask for two or three references with similar profiles, and talk to them.",[860,1881,1883],{"id":1882},"qsa-tenure-and-turnover","QSA tenure and turnover",[37,1885,1886],{},"Individual QSAs carry the assessment experience. 
Ask who specifically will be assigned to your engagement, how long they have been a certified QSA, and what their history is with payment technologies relevant to you. High turnover at a QSAC is a yellow flag because the person who scoped your program in year one may not be there in year three.",[860,1888,1890],{"id":1889},"methodology-and-deliverables","Methodology and deliverables",[37,1892,1893],{},"Request a redacted sample ROC and sample evidence requests. A well-written ROC is clear, precise, and tells your story without padding. Watch for generic narratives that could describe any merchant -- that is a sign of a firm running every client through the same template.",[860,1895,1897],{"id":1896},"technology-support","Technology support",[37,1899,1900],{},"Modern QSA firms use assessment platforms, evidence portals, and integrations into GRC tooling. If your program runs on a GRC platform (like episki), ask how they collaborate via that tool rather than an email chain of spreadsheets. The QSA experience improves dramatically when evidence lives in one system.",[860,1902,1904],{"id":1903},"geographic-coverage","Geographic coverage",[37,1906,1907],{},"PCI DSS assessments often require on-site testing at data centers, retail stores, or call centers. Confirm that the QSAC can reach every site you need assessed without stacking excessive travel fees.",[860,1909,1911],{"id":1910},"pricing-transparency","Pricing transparency",[37,1913,1914],{},"Ask for a written scoping questionnaire and a fixed or capped fee. Beware of open-ended time-and-materials contracts where the QSA's incentive is to expand hours. Confirm what is included: scoping, readiness, the ROC, the AOC, rescans, and remediation advisory. Clarify what is billed separately: additional sites, pen testing support, scope expansion.",[860,1916,1918],{"id":1917},"quality-assurance-program","Quality assurance program",[37,1920,1921],{},"The PCI SSC requires QSACs to maintain QA processes over their ROCs. 
Ask how the firm's QA works, who reviews the ROC before it leaves the firm, and what their error rate has been in PCI SSC audits.",[860,1923,1925],{"id":1924},"red-flags","Red flags",[37,1927,1928],{},"Avoid QSAs that promise to \"make the assessment easier\" in ways that would compromise independence. Avoid firms that pitch aggressive advisory services alongside the assessment engagement -- the PCI SSC has rules on independence that can be violated when advisory work gets too close to the assessment scope. Walk away from QSAs who will not share a sample ROC or references.",[32,1930,1932],{"id":1931},"engagement-scope-and-phases","Engagement scope and phases",[37,1934,1935],{},"A standard PCI DSS QSA engagement runs in five phases:",[65,1937,1938,1944,1950,1956,1962],{},[68,1939,1940,1943],{},[71,1941,1942],{},"Scoping"," -- the QSA works with you to confirm the CDE, the in-scope systems, the card acceptance channels, the controls that apply, and the testing approach. Scoping is where customized approach decisions get documented, targeted risk analyses are reviewed, and segmentation boundaries are walked through. Skipping or rushing scoping is the most expensive PCI DSS mistake a program can make.",[68,1945,1946,1949],{},[71,1947,1948],{},"Readiness or gap assessment"," -- optional but common. The QSA reviews your existing evidence against every applicable PCI DSS requirement and produces a prioritized findings list. Readiness gives you a runway to remediate before fieldwork begins.",[68,1951,1952,1955],{},[71,1953,1954],{},"Evidence collection and fieldwork"," -- the bulk of the engagement. The QSA requests evidence, interviews control owners, reviews configurations, watches live demonstrations, and samples systems. Fieldwork can be on-site, remote, or hybrid.",[68,1957,1958,1961],{},[71,1959,1960],{},"Drafting and QA"," -- the QSA writes the ROC, the QSAC performs internal QA, and you review for factual accuracy. 
This phase usually surfaces last-minute evidence gaps.",[68,1963,1964,1967],{},[71,1965,1966],{},"Final deliverables"," -- the QSA issues the final ROC, the AOC, and any supporting attestations. You submit to your acquirer.",[37,1969,1970],{},"Each phase has its own effort profile. Scoping is a few weeks. Readiness is typically a month. Evidence collection and fieldwork is the longest phase and can span two to four months in Level 1 environments. Drafting is a few weeks.",[32,1972,1974],{"id":1973},"cost-drivers-for-pci-dss-qsa-engagements","Cost drivers for PCI DSS QSA engagements",[37,1976,1977],{},"PCI DSS QSA costs are driven by complexity, not just size. The major drivers are:",[200,1979,1980,1986,1992,1998,2004,2010,2016],{},[68,1981,1982,1985],{},[71,1983,1984],{},"CDE size and heterogeneity"," -- more systems, more platforms, more clouds, more cost.",[68,1987,1988,1991],{},[71,1989,1990],{},"Number of physical sites"," requiring on-site testing.",[68,1993,1994,1997],{},[71,1995,1996],{},"Acceptance channels"," -- e-commerce, card-present, MOTO, mobile, and call center each require testing.",[68,1999,2000,2003],{},[71,2001,2002],{},"Third parties"," -- each service provider in scope adds evidence review effort.",[68,2005,2006,2009],{},[71,2007,2008],{},"Program maturity"," -- mature programs with strong evidence and automation burn less QSA time than programs that assemble evidence manually.",[68,2011,2012,2015],{},[71,2013,2014],{},"Customized approach usage"," -- customized approach requirements require targeted risk analyses and additional testing that add cost.",[68,2017,2018,2021],{},[71,2019,2020],{},"Remediation support"," -- advisory and rescans between fieldwork and ROC delivery can add meaningful cost if not explicit in the SOW.",[37,2023,2024],{},"A rough range: small service providers with a tight CDE might pay $40,000 to $80,000 for an annual ROC. Mid-size SaaS providers typically land between $100,000 and $250,000. 
Large multinational retailers with thousands of stores routinely exceed $500,000 per year.",[32,2026,2028],{"id":2027},"what-to-expect-during-the-assessment","What to expect during the assessment",[37,2030,2031],{},"Expect the PCI DSS QSA to ask for evidence directly from source systems rather than summary spreadsheets. Expect live walkthroughs of SIEM dashboards, patch management consoles, identity systems, and firewall managers. Expect sampling: the QSA will pick a subset of systems, users, or change tickets and test them in depth. Expect questions on exceptions -- every control has edge cases, and the QSA will probe how you handle them.",[37,2033,2034],{},"Plan for a dedicated PCI DSS program lead who is the single point of contact for the QSA. That lead aligns internal subject-matter experts to evidence requests, tracks outstanding items, and keeps the assessment on schedule. A part-time owner trying to juggle the QSA with other duties is the most common cause of schedule slip.",[32,2036,723],{"id":722},[37,2038,2039],{},"The QSA is the custodian of your PCI DSS attestation. Everything else in your PCI DSS program -- your ASV scans, penetration tests, policies, segmentation, control automation -- exists to be evaluated through the QSA's lens. Choosing the right QSA multiplies the effectiveness of every PCI DSS investment you have already made. 
Choosing poorly introduces friction, rework, and interpretation disputes that drain PCI DSS program capacity all year.",[32,2041,733],{"id":732},[200,2043,2044,2050,2056,2062,2068,2074,2080,2086],{},[68,2045,2046,2049],{},[71,2047,2048],{},"Shopping on price alone"," and ending up with a QSA whose methodology drives months of avoidable rework.",[68,2051,2052,2055],{},[71,2053,2054],{},"Skipping references"," and discovering only after signing that the QSA has no experience with your technology stack.",[68,2057,2058,2061],{},[71,2059,2060],{},"Not locking down scope"," in the SOW, letting the engagement drift into unbudgeted advisory work.",[68,2063,2064,2067],{},[71,2065,2066],{},"Giving the QSA raw access to production systems"," instead of a prepared evidence package, burning time on discovery instead of assessment.",[68,2069,2070,2073],{},[71,2071,2072],{},"Treating the readiness phase as optional"," when meaningful remediation is needed before fieldwork.",[68,2075,2076,2079],{},[71,2077,2078],{},"Rotating QSAs too often",", losing the institutional context that makes year two and beyond faster.",[68,2081,2082,2085],{},[71,2083,2084],{},"Holding the QSA at arm's length"," instead of making them a collaborative partner through the engagement.",[68,2087,2088,2091],{},[71,2089,2090],{},"Failing to align the QSA and ASV"," so findings from one program contradict or duplicate the other.",[32,2093,787],{"id":786},[37,2095,2096,2097,79],{},"episki gives your QSA a scoped, read-only workspace where they can see every PCI DSS control, its evidence, and its testing history without chasing spreadsheets and screenshots. That shortens fieldwork, reduces QSA hours, and helps your assessment team focus on the handful of PCI DSS controls that actually need discussion. 
Learn more on the ",[41,2098,793],{"href":511},{"title":447,"searchDepth":448,"depth":448,"links":2100},[2101,2102,2112,2113,2114,2115,2116,2117],{"id":1858,"depth":448,"text":1859},{"id":1868,"depth":448,"text":1869,"children":2103},[2104,2105,2106,2107,2108,2109,2110,2111],{"id":1875,"depth":1179,"text":1876},{"id":1882,"depth":1179,"text":1883},{"id":1889,"depth":1179,"text":1890},{"id":1896,"depth":1179,"text":1897},{"id":1903,"depth":1179,"text":1904},{"id":1910,"depth":1179,"text":1911},{"id":1917,"depth":1179,"text":1918},{"id":1924,"depth":1179,"text":1925},{"id":1931,"depth":448,"text":1932},{"id":1973,"depth":448,"text":1974},{"id":2027,"depth":448,"text":2028},{"id":722,"depth":448,"text":723},{"id":732,"depth":448,"text":733},{"id":786,"depth":448,"text":787},"A practical guide to selecting a Qualified Security Assessor (QSA) for PCI DSS — evaluating firms, cost drivers, engagement scope, and what to expect during the assessment.",{"items":2120},[2121,2124,2127,2130],{"label":2122,"content":2123},"What is a PCI DSS QSA?","A Qualified Security Assessor (QSA) is a professional certified by the PCI Security Standards Council to perform on-site PCI DSS assessments and produce the Report on Compliance (ROC). QSAs work for QSA companies (QSACs) that carry their own PCI SSC accreditation.",{"label":2125,"content":2126},"How much does a PCI DSS QSA assessment cost?","PCI DSS QSA engagements typically cost $40,000 to over $500,000 depending on cardholder data environment complexity, number of locations, existing program maturity, and whether significant remediation support is needed. Boutique firms are often less expensive than Big Four, though the quality gap is narrower than for other audits.",{"label":2128,"content":2129},"How long does a PCI DSS QSA engagement take?","A typical Level 1 ROC takes 3 to 6 months from kickoff to signed Attestation of Compliance. Highly complex environments or significant remediation can stretch that to 9-12 months. 
Most QSAs structure the engagement as a scoping phase, a readiness or gap phase, an evidence-collection phase, on-site or virtual fieldwork, and a drafting and QA phase.",{"label":2131,"content":2132},"Should I reuse the same QSA year over year?","It is permitted and common to keep the same PCI DSS QSA for multiple years — continuity accelerates every subsequent assessment. That said, many mature programs rotate QSAs every few years to get fresh perspective, benchmark pricing, and avoid auditor complacency.",{},[2135,823,824,2136],"qsa","saq",[827,2138,1844,829],"compliance-levels",{"title":2140,"description":2141},"How to Select a PCI DSS QSA: Evaluation, Cost & Engagement Guide","Pick the right PCI DSS Qualified Security Assessor. Learn how to evaluate QSA firms, understand cost drivers, scope the engagement, and know what to expect during the assessment.","5.frameworks\u002Fpci\u002Fqsa-selection","TCqcgoA9A-ILcnGPf_ZopgYEk7ZkGqmRKvOtr79s920",{"id":2145,"title":2146,"body":2147,"description":2354,"extension":473,"faq":2355,"frameworkSlug":528,"lastUpdated":819,"meta":2356,"navigation":510,"path":61,"relatedTerms":2357,"relatedTopics":2358,"seo":2359,"stem":2362,"__hash__":2363},"frameworkTopics\u002F5.frameworks\u002Fpci\u002Frequirements.md","PCI DSS Requirements",{"type":29,"value":2148,"toc":2325},[2149,2153,2159,2162,2166,2170,2173,2177,2180,2184,2188,2191,2195,2198,2202,2206,2209,2213,2216,2220,2224,2227,2231,2234,2238,2241,2245,2249,2252,2256,2259,2263,2267,2270,2274,2277,2309,2315,2319],[32,2150,2152],{"id":2151},"overview-of-the-12-pci-dss-requirements","Overview of the 12 PCI DSS requirements",[37,2154,2155,2156,2158],{},"The Payment Card Industry Data Security Standard (PCI DSS) organizes its controls into 12 high-level requirements. These requirements apply to every entity that stores, processes, or transmits cardholder data, and they form the backbone of every ",[41,2157,853],{"href":511}," assessment. 
Understanding each requirement is the first step toward building a sustainable compliance program.",[37,2160,2161],{},"The requirements are grouped into six overarching goals that progress from building a secure network to maintaining an information security policy. Whether you are a Level 1 merchant completing a Report on Compliance or a smaller merchant filing a Self-Assessment Questionnaire, the same 12 requirements apply.",[32,2163,2165],{"id":2164},"goal-1-build-and-maintain-a-secure-network-and-systems","Goal 1: build and maintain a secure network and systems",[860,2167,2169],{"id":2168},"requirement-1-install-and-maintain-network-security-controls","Requirement 1 - Install and maintain network security controls",[37,2171,2172],{},"Requirement 1 mandates that organizations deploy firewalls, network security appliances, and segmentation controls to protect the cardholder data environment (CDE). In PCI DSS v4.0, the language shifted from \"firewalls\" to \"network security controls\" to acknowledge modern architectures such as cloud-native security groups, micro-segmentation, and software-defined networking. Organizations must document all network connections into and out of the CDE, review rule sets at least every six months, and restrict traffic to only what is business-justified.",[860,2174,2176],{"id":2175},"requirement-2-apply-secure-configurations-to-all-system-components","Requirement 2 - Apply secure configurations to all system components",[37,2178,2179],{},"Default passwords, unnecessary services, and insecure protocols create easy attack vectors. Requirement 2 requires organizations to harden every system component by removing defaults, disabling unnecessary services, and configuring security parameters according to industry-accepted hardening standards such as CIS Benchmarks. 
PCI DSS v4.0 expanded this to explicitly cover all system components, not just vendor-supplied defaults.",[32,2181,2183],{"id":2182},"goal-2-protect-account-data","Goal 2: protect account data",[860,2185,2187],{"id":2186},"requirement-3-protect-stored-account-data","Requirement 3 - Protect stored account data",[37,2189,2190],{},"If your organization stores cardholder data, Requirement 3 dictates how it must be protected. This includes encryption, truncation, masking, and hashing. Sensitive authentication data such as full track data, CVV codes, and PINs must never be stored after authorization. PCI DSS v4.0 introduced more prescriptive guidance on keyed cryptographic hashes and disk-level encryption limitations, reinforcing that storage should be minimized wherever possible.",[860,2192,2194],{"id":2193},"requirement-4-protect-cardholder-data-with-strong-cryptography-during-transmission","Requirement 4 - Protect cardholder data with strong cryptography during transmission",[37,2196,2197],{},"Cardholder data transmitted over open, public networks must be encrypted using strong cryptography. Requirement 4 specifies the use of trusted certificates and secure protocols such as TLS 1.2 or higher. PCI DSS v4.0 clarified that this applies to all networks where data could be intercepted, including internal networks where risk is present, and deprecated older protocols like early TLS and SSL.",[32,2199,2201],{"id":2200},"goal-3-maintain-a-vulnerability-management-program","Goal 3: maintain a vulnerability management program",[860,2203,2205],{"id":2204},"requirement-5-protect-all-systems-and-networks-from-malicious-software","Requirement 5 - Protect all systems and networks from malicious software",[37,2207,2208],{},"Anti-malware solutions must be deployed on all systems commonly affected by malicious software. Requirement 5 in v4.0 expanded its scope beyond traditional endpoints to include any system component that could be impacted. 
Organizations must ensure that anti-malware mechanisms are actively running, generating audit logs, and cannot be disabled by users without authorization. Phishing protections were also added as a new focus area.",[860,2210,2212],{"id":2211},"requirement-6-develop-and-maintain-secure-systems-and-software","Requirement 6 - Develop and maintain secure systems and software",[37,2214,2215],{},"Requirement 6 addresses secure software development and timely patching. Critical security patches must be applied within one month of release. Organizations developing payment applications must follow a secure development lifecycle. PCI DSS v4.0 introduced a significant new sub-requirement mandating that public-facing web applications be protected by automated technical solutions that detect and prevent web-based attacks, such as web application firewalls (WAFs).",[32,2217,2219],{"id":2218},"goal-4-implement-strong-access-control-measures","Goal 4: implement strong access control measures",[860,2221,2223],{"id":2222},"requirement-7-restrict-access-to-system-components-and-cardholder-data-by-business-need-to-know","Requirement 7 - Restrict access to system components and cardholder data by business need to know",[37,2225,2226],{},"Access to cardholder data and CDE systems must follow the principle of least privilege. Only personnel whose job functions require access should have it, and access must be granted through a formal authorization process. PCI DSS v4.0 requires that access reviews occur at least every six months and that all access is revoked promptly when no longer needed.",[860,2228,2230],{"id":2229},"requirement-8-identify-users-and-authenticate-access-to-system-components","Requirement 8 - Identify users and authenticate access to system components",[37,2232,2233],{},"Every user must have a unique identifier, and authentication mechanisms must be strong enough to prevent unauthorized access. 
PCI DSS v4.0 significantly expanded multi-factor authentication (MFA) requirements, mandating MFA for all access into the CDE rather than just remote access. Password requirements were also updated to a minimum of 12 characters, with encouragement to adopt passphrases.",[860,2235,2237],{"id":2236},"requirement-9-restrict-physical-access-to-cardholder-data","Requirement 9 - Restrict physical access to cardholder data",[37,2239,2240],{},"Physical security controls protect servers, workstations, paper records, and networking equipment within the CDE. Requirement 9 covers visitor management, media destruction, and point-of-interaction device inspections. Organizations must maintain logs of physical access and periodically inspect POS devices for tampering or unauthorized substitution.",[32,2242,2244],{"id":2243},"goal-5-regularly-monitor-and-test-networks","Goal 5: regularly monitor and test networks",[860,2246,2248],{"id":2247},"requirement-10-log-and-monitor-all-access-to-system-components-and-cardholder-data","Requirement 10 - Log and monitor all access to system components and cardholder data",[37,2250,2251],{},"Comprehensive logging is essential for detecting breaches and supporting forensic investigations. Requirement 10 mandates that audit trails capture all individual user access to cardholder data, all actions by administrators, and all access to audit trails themselves. PCI DSS v4.0 introduced automated mechanisms for reviewing audit logs and detecting anomalies, moving beyond manual log review toward security information and event management (SIEM) integration.",[860,2253,2255],{"id":2254},"requirement-11-test-security-of-systems-and-networks-regularly","Requirement 11 - Test security of systems and networks regularly",[37,2257,2258],{},"Vulnerability scanning and penetration testing validate that security controls are functioning as intended. 
Requirement 11 specifies quarterly internal and external vulnerability scans (external scans by an Approved Scanning Vendor), annual penetration tests, and intrusion detection or prevention systems. PCI DSS v4.0 added authenticated internal scanning requirements and a new mandate for detecting and alerting on unauthorized changes to payment pages, addressing the growing threat of Magecart-style attacks on e-commerce sites.",[32,2260,2262],{"id":2261},"goal-6-maintain-an-information-security-policy","Goal 6: maintain an information security policy",[860,2264,2266],{"id":2265},"requirement-12-support-information-security-with-organizational-policies-and-programs","Requirement 12 - Support information security with organizational policies and programs",[37,2268,2269],{},"Requirement 12 requires a comprehensive information security policy that addresses all PCI DSS requirements. It covers security awareness training, incident response planning, risk assessments, and third-party service provider management. 
PCI DSS v4.0 expanded the risk assessment requirements and introduced a targeted risk analysis approach where organizations perform formal risk analyses to determine the frequency of certain recurring activities.",[32,2271,2273],{"id":2272},"key-changes-in-pci-dss-v40","Key changes in PCI DSS v4.0",[37,2275,2276],{},"PCI DSS v4.0 brought several cross-cutting changes that affect multiple requirements:",[200,2278,2279,2285,2291,2297,2303],{},[68,2280,2281,2284],{},[71,2282,2283],{},"Customized approach"," - Organizations can now meet requirement objectives through alternative controls validated by a customized approach, rather than following only the defined prescriptive approach.",[68,2286,2287,2290],{},[71,2288,2289],{},"Targeted risk analysis"," - A new methodology lets organizations determine the appropriate frequency for activities like log reviews and password changes based on documented risk analysis.",[68,2292,2293,2296],{},[71,2294,2295],{},"Expanded MFA"," - Multi-factor authentication is now required for all access into the CDE, not just remote access.",[68,2298,2299,2302],{},[71,2300,2301],{},"E-commerce protections"," - New requirements address script integrity monitoring and management for payment pages.",[68,2304,2305,2308],{},[71,2306,2307],{},"Phishing defenses"," - Explicit requirements for anti-phishing mechanisms were added under Requirement 5.",[37,2310,2311,2312,2314],{},"For a complete walkthrough of the transition, see the ",[41,2313,162],{"href":168}," topic.",[32,2316,2318],{"id":2317},"building-a-sustainable-compliance-program","Building a sustainable compliance program",[37,2320,2321,2322,2324],{},"Meeting the 12 PCI DSS requirements is not a one-time project. Organizations in the ",[41,2323,1129],{"href":378}," and beyond should treat compliance as an ongoing program with continuous monitoring, regular training, and periodic reassessment. 
Automating evidence collection, mapping controls to specific requirements, and integrating compliance workflows with engineering tools reduces the burden on security teams and ensures readiness for every assessment cycle.",{"title":447,"searchDepth":448,"depth":448,"links":2326},[2327,2328,2332,2336,2340,2345,2349,2352,2353],{"id":2151,"depth":448,"text":2152},{"id":2164,"depth":448,"text":2165,"children":2329},[2330,2331],{"id":2168,"depth":1179,"text":2169},{"id":2175,"depth":1179,"text":2176},{"id":2182,"depth":448,"text":2183,"children":2333},[2334,2335],{"id":2186,"depth":1179,"text":2187},{"id":2193,"depth":1179,"text":2194},{"id":2200,"depth":448,"text":2201,"children":2337},[2338,2339],{"id":2204,"depth":1179,"text":2205},{"id":2211,"depth":1179,"text":2212},{"id":2218,"depth":448,"text":2219,"children":2341},[2342,2343,2344],{"id":2222,"depth":1179,"text":2223},{"id":2229,"depth":1179,"text":2230},{"id":2236,"depth":1179,"text":2237},{"id":2243,"depth":448,"text":2244,"children":2346},[2347,2348],{"id":2247,"depth":1179,"text":2248},{"id":2254,"depth":1179,"text":2255},{"id":2261,"depth":448,"text":2262,"children":2350},[2351],{"id":2265,"depth":1179,"text":2266},{"id":2272,"depth":448,"text":2273},{"id":2317,"depth":448,"text":2318},"A detailed overview of all 12 PCI DSS requirements, what each covers, and how they changed in version 4.0.",null,{},[823,1212],[2138,1215,1214],{"title":2360,"description":2361},"PCI DSS Requirements - All 12 Requirements Explained","Understand the 12 PCI DSS requirements covering network security, data protection, access control, and monitoring. 
Includes PCI DSS v4.0 changes.","5.frameworks\u002Fpci\u002Frequirements","_FMxxQDWNJKBVtzBrnEdLKJcPrFtGwmwaW8TAFQOEkA",{"id":2365,"title":2366,"body":2367,"description":2672,"extension":473,"faq":2673,"frameworkSlug":528,"lastUpdated":819,"meta":2687,"navigation":510,"path":264,"relatedTerms":2688,"relatedTopics":2689,"seo":2690,"stem":2693,"__hash__":2694},"frameworkTopics\u002F5.frameworks\u002Fpci\u002Fsaq-types-explained.md","PCI DSS SAQ Types Explained (A, A-EP, B, B-IP, C, C-VT, D, P2PE)",{"type":29,"value":2368,"toc":2658},[2369,2373,2376,2379,2383,2386,2526,2529,2533,2536,2539,2543,2546,2550,2553,2556,2560,2563,2567,2570,2574,2577,2581,2584,2586,2589,2592,2594,2650,2652],[32,2370,2372],{"id":2371},"choosing-the-right-pci-dss-saq","Choosing the right PCI DSS SAQ",[37,2374,2375],{},"The PCI SSC publishes nine Self-Assessment Questionnaires (SAQs) to give eligible merchants and service providers a validation path that is scoped to their actual card acceptance profile. The right SAQ is the one that matches how card data actually enters, flows through, and leaves your environment. Picking the wrong SAQ is a common PCI DSS mistake -- one that becomes visible during breach investigation, acquirer review, or a subsequent move to a Report on Compliance.",[37,2377,2378],{},"SAQ selection starts with three questions: which channels do you use to accept cards, what technology handles card data on each channel, and do you store any cardholder data after the transaction. The answers drive which SAQ you are eligible for and which controls apply.",[32,2380,2382],{"id":2381},"all-saq-types-at-a-glance","All SAQ types at a glance",[37,2384,2385],{},"The table below summarizes the current PCI DSS v4.0 SAQ family. Question counts are approximate and vary slightly between minor revisions of PCI DSS; always confirm with the current SAQ document on the PCI SSC website. 
Each SAQ includes an Attestation of Compliance that must accompany it.",[2387,2388,2389,2405],"table",{},[2390,2391,2392],"thead",{},[2393,2394,2395,2399,2402],"tr",{},[2396,2397,2398],"th",{},"SAQ",[2396,2400,2401],{},"Eligibility summary",[2396,2403,2404],{},"Approx. questions",[2406,2407,2408,2422,2435,2448,2461,2474,2487,2500,2513],"tbody",{},[2393,2409,2410,2416,2419],{},[2411,2412,2413],"td",{},[71,2414,2415],{},"A",[2411,2417,2418],{},"Card-not-present merchants (e-commerce or mail\u002Ftelephone order) who fully outsource all cardholder data functions to PCI DSS-validated third parties. Your systems do not store, process, or transmit cardholder data.",[2411,2420,2421],{},"~31",[2393,2423,2424,2429,2432],{},[2411,2425,2426],{},[71,2427,2428],{},"A-EP",[2411,2430,2431],{},"E-commerce merchants who partially outsource payment processing but whose website could impact the security of the payment transaction -- for example, hosting the page that embeds a processor's iframe or JavaScript.",[2411,2433,2434],{},"~152",[2393,2436,2437,2442,2445],{},[2411,2438,2439],{},[71,2440,2441],{},"B",[2411,2443,2444],{},"Merchants using only imprint machines or standalone, dial-out terminals. No e-commerce, no electronic cardholder data storage.",[2411,2446,2447],{},"~41",[2393,2449,2450,2455,2458],{},[2411,2451,2452],{},[71,2453,2454],{},"B-IP",[2411,2456,2457],{},"Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor. No e-commerce, no electronic cardholder data storage.",[2411,2459,2460],{},"~86",[2393,2462,2463,2468,2471],{},[2411,2464,2465],{},[71,2466,2467],{},"C-VT",[2411,2469,2470],{},"Merchants entering a single transaction at a time into a web-based virtual payment terminal hosted by a PCI DSS-validated service provider. 
No e-commerce, no electronic cardholder data storage.",[2411,2472,2473],{},"~80",[2393,2475,2476,2481,2484],{},[2411,2477,2478],{},[71,2479,2480],{},"C",[2411,2482,2483],{},"Merchants with payment application systems connected to the internet (for example, integrated POS) that do not store electronic cardholder data.",[2411,2485,2486],{},"~160",[2393,2488,2489,2494,2497],{},[2411,2490,2491],{},[71,2492,2493],{},"P2PE",[2411,2495,2496],{},"Merchants using an approved PCI SSC-listed Point-to-Point Encryption (P2PE) solution for all payment acceptance. No other card acceptance channels and no storage of electronic cardholder data.",[2411,2498,2499],{},"~35",[2393,2501,2502,2507,2510],{},[2411,2503,2504],{},[71,2505,2506],{},"D for Merchants",[2411,2508,2509],{},"Merchants that do not fit any other SAQ, or that store cardholder data. Covers the full set of applicable PCI DSS requirements.",[2411,2511,2512],{},"~330+",[2393,2514,2515,2520,2523],{},[2411,2516,2517],{},[71,2518,2519],{},"D for Service Providers",[2411,2521,2522],{},"Service providers eligible to self-assess rather than complete a full ROC. Covers the full set of service-provider PCI DSS requirements.",[2411,2524,2525],{},"~370+",[37,2527,2528],{},"Exact question counts vary across PCI DSS revisions and between the defined and customized approaches.",[32,2530,2532],{"id":2531},"saq-a-fully-outsourced-e-commerce-and-moto","SAQ A - fully outsourced e-commerce and MOTO",[37,2534,2535],{},"SAQ A is the shortest SAQ and the target of most e-commerce scope reduction efforts. To qualify for SAQ A your website must either redirect customers entirely to the processor's hosted page or use a direct post or hosted iframe where the processor's infrastructure handles all cardholder data. Your servers never see the PAN. 
SAQ A applies only to card-not-present channels; card-present merchants cannot use SAQ A.",[37,2537,2538],{},"PCI DSS v4.0 expanded SAQ A to include controls that protect the payment page from e-skimming and script-tampering attacks. Even when the PAN never touches your servers, a compromised script on the page can capture card data before it ever reaches the processor. SAQ A now includes testing procedures related to Requirements 6.4.3 and 11.6.1 to address this risk.",[32,2540,2542],{"id":2541},"saq-a-ep-partial-outsourcing-with-payment-page-influence","SAQ A-EP - partial outsourcing with payment-page influence",[37,2544,2545],{},"SAQ A-EP is longer than SAQ A because the merchant has more ability to affect payment security. An A-EP merchant typically hosts the checkout page that loads the processor's iframe or JavaScript. The PAN never transits merchant infrastructure in a meaningful way, but scripts and pages hosted by the merchant are in a position to intercept or manipulate card data if compromised. SAQ A-EP applies e-commerce-relevant PCI DSS controls across access control, vulnerability management, network security, and logging -- roughly five times the work of SAQ A.",[32,2547,2549],{"id":2548},"saq-b-and-saq-b-ip-standalone-terminals","SAQ B and SAQ B-IP - standalone terminals",[37,2551,2552],{},"SAQ B is designed for very low-complexity card-present merchants using only imprint machines or standalone dial-out terminals. It is rare today and largely a legacy artifact.",[37,2554,2555],{},"SAQ B-IP covers merchants using only standalone IP-connected terminals approved under the PCI PTS program, where the terminals connect to the processor over IP but do not route through a merchant's payment application. 
The merchant environment around the terminal is smaller than under SAQ C, but IP-connected terminals carry more risk than dial-out devices, so the SAQ is longer than SAQ B.",[32,2557,2559],{"id":2558},"saq-c-vt-virtual-terminals","SAQ C-VT - virtual terminals",[37,2561,2562],{},"SAQ C-VT is for merchants who key in transactions one at a time on a web-based virtual payment terminal operated by a PCI DSS-validated service provider. Typical users are professional services firms or small service businesses that take occasional card-present transactions through a computer and a web browser. SAQ C-VT has specific eligibility conditions -- including that the computer used for virtual terminal access is isolated and dedicated to that purpose.",[32,2564,2566],{"id":2565},"saq-c-integrated-payment-applications","SAQ C - integrated payment applications",[37,2568,2569],{},"SAQ C is for merchants with integrated payment applications that connect to the internet. The PAN transits merchant systems but is not stored there. SAQ C is substantially longer than SAQ B-IP because the merchant's environment includes more components that can affect payment security -- the POS, the network, the supporting infrastructure. SAQ C is common for small-to-mid-size brick-and-mortar retailers with integrated POS platforms.",[32,2571,2573],{"id":2572},"saq-p2pe-validated-point-to-point-encryption","SAQ P2PE - validated point-to-point encryption",[37,2575,2576],{},"SAQ P2PE is the payoff for adopting a PCI SSC-listed Point-to-Point Encryption solution. When all card acceptance flows through a listed P2PE solution, the merchant's environment between terminal and processor is removed from PCI DSS scope and SAQ P2PE covers the remaining obligations -- primarily terminal management, physical security, and incident response. 
SAQ P2PE is one of the shortest SAQs and a favorite of retail chains that can standardize on a single P2PE platform.",[32,2578,2580],{"id":2579},"saq-d-the-catch-all","SAQ D - the catch-all",[37,2582,2583],{},"SAQ D applies when the merchant or service provider does not fit any other SAQ, or when cardholder data is stored. SAQ D for Merchants covers every applicable PCI DSS requirement; SAQ D for Service Providers adds service-provider-specific obligations. SAQ D is the longest self-assessment questionnaire and, in effort terms, is close to a Report on Compliance without the QSA signature. Many Level 2 merchants and smaller service providers complete SAQ D annually.",[32,2585,723],{"id":722},[37,2587,2588],{},"The SAQ is your PCI DSS validation deliverable. Every merchant and service provider that does not owe a Report on Compliance owes one of the SAQs plus its Attestation of Compliance. The SAQ must be signed by an executive officer and submitted to your acquirer on the cadence your acquirer specifies -- typically annually. Getting the SAQ wrong has material consequences: your acquirer may reject it, your card brands may revalidate your level, or a breach investigation may discover that the SAQ you filed did not match your actual environment.",[37,2590,2591],{},"The SAQ also drives control effort. A merchant eligible for SAQ A can often run a PCI DSS program with a handful of controls and a tight scoping narrative. A merchant on SAQ D is running essentially the same program a Level 1 merchant runs, minus the QSA on-site. 
The difference between SAQ tiers is often more impactful than the difference between merchant levels.",[32,2593,733],{"id":732},[200,2595,2596,2602,2608,2614,2620,2626,2632,2638,2644],{},[68,2597,2598,2601],{},[71,2599,2600],{},"Self-selecting a simpler SAQ than your architecture supports"," -- for example, filing SAQ A while hosting scripts that influence the payment page.",[68,2603,2604,2607],{},[71,2605,2606],{},"Ignoring e-skimming controls"," introduced under PCI DSS v4.0 for SAQ A and A-EP merchants.",[68,2609,2610,2613],{},[71,2611,2612],{},"Confusing hosted-page with iframe-hosted"," checkouts. They are not always the same SAQ.",[68,2615,2616,2619],{},[71,2617,2618],{},"Missing PTS validation"," for standalone terminals claimed under SAQ B or B-IP.",[68,2621,2622,2625],{},[71,2623,2624],{},"Using non-dedicated workstations"," for virtual terminal access under SAQ C-VT.",[68,2627,2628,2631],{},[71,2629,2630],{},"Failing to revalidate the SAQ"," when channels change -- a new mobile app, a new acquisition, or a new recurring-billing capability can all move you to a different SAQ.",[68,2633,2634,2637],{},[71,2635,2636],{},"Treating SAQ D as a checkbox"," instead of a full PCI DSS program. SAQ D scope is nearly the same as a ROC.",[68,2639,2640,2643],{},[71,2641,2642],{},"Using outdated SAQ versions"," when the PCI SSC has released an updated SAQ aligned with the current PCI DSS version.",[68,2645,2646,2649],{},[71,2647,2648],{},"Signing the Attestation of Compliance without reviewing every answer"," with the control owners.",[32,2651,787],{"id":786},[37,2653,2654,2655,2657],{},"episki keeps your SAQ answers alive throughout the year, linking each question to the evidence and control owner that supports it. When the year-end SAQ is due, you are not assembling answers from memory -- you are confirming the position the platform has been maintaining all along. 
See the ",[41,2656,793],{"href":511}," for how SAQ workflows fit into a year-round PCI DSS program.",{"title":447,"searchDepth":448,"depth":448,"links":2659},[2660,2661,2662,2663,2664,2665,2666,2667,2668,2669,2670,2671],{"id":2371,"depth":448,"text":2372},{"id":2381,"depth":448,"text":2382},{"id":2531,"depth":448,"text":2532},{"id":2541,"depth":448,"text":2542},{"id":2548,"depth":448,"text":2549},{"id":2558,"depth":448,"text":2559},{"id":2565,"depth":448,"text":2566},{"id":2572,"depth":448,"text":2573},{"id":2579,"depth":448,"text":2580},{"id":722,"depth":448,"text":723},{"id":732,"depth":448,"text":733},{"id":786,"depth":448,"text":787},"Every PCI DSS Self-Assessment Questionnaire explained — eligibility, question counts, and typical use cases for SAQ A, A-EP, B, B-IP, C, C-VT, D, and P2PE.",{"items":2674},[2675,2678,2681,2684],{"label":2676,"content":2677},"Which PCI DSS SAQ should I use?","The right SAQ depends on your acceptance channel, the technology you use to accept cards, and whether you store cardholder data. Start by identifying how card data enters your environment — hosted page, iframe, POS terminal, virtual terminal, or direct — then match to the SAQ whose eligibility criteria fit exactly.",{"label":2679,"content":2680},"Can I change SAQ types between reporting periods?","Yes. If your acceptance channels or technology change, you must reassess which SAQ applies. Changing from SAQ D to SAQ A after outsourcing payment capture, for example, is a common scope reduction outcome. Document the change and the supporting architectural change with your acquirer.",{"label":2682,"content":2683},"What is the difference between SAQ A and SAQ A-EP?","SAQ A is for e-commerce merchants who fully outsource card capture (redirect or processor-hosted page) so their systems never touch card data. 
SAQ A-EP is for merchants whose website forwards card data but could affect the security of the payment page — for example, merchants using processor iframes or JavaScript that they host.",{"label":2685,"content":2686},"Do service providers use SAQs?","Some service providers use SAQ D for Service Providers to self-validate. Most service providers that handle cardholder data on behalf of merchants are required by their customers or card brands to complete a full Report on Compliance instead. Confirm with each card brand and with your customers.",{},[2136,823,824,1584],[1214,2138,829,1586],{"title":2691,"description":2692},"PCI DSS SAQ Types Explained: A, A-EP, B, B-IP, C, C-VT, D, P2PE","All PCI DSS SAQ types compared — eligibility rules, approximate question counts, use cases, and how to choose the right SAQ for your business.","5.frameworks\u002Fpci\u002Fsaq-types-explained","EMfWsZqyfCcQTPgSq1kcz0blcoyDJSBIgwItWr1oyzw",{"id":2696,"title":2697,"body":2698,"description":3038,"extension":473,"faq":3039,"frameworkSlug":528,"lastUpdated":819,"meta":3053,"navigation":510,"path":297,"relatedTerms":3054,"relatedTopics":3055,"seo":3056,"stem":3059,"__hash__":3060},"frameworkTopics\u002F5.frameworks\u002Fpci\u002Fscope-reduction.md","PCI DSS Scope Reduction",{"type":29,"value":2699,"toc":3021},[2700,2704,2710,2716,2720,2723,2727,2730,2734,2737,2741,2744,2746,2749,2752,2757,2771,2774,2779,2793,2796,2799,2804,2818,2823,2837,2841,2844,2849,2863,2868,2882,2886,2889,2894,2914,2920,2924,2927,2932,2949,2953,2956,2979,2982,2986,2989,3015],[32,2701,2703],{"id":2702},"why-scope-reduction-matters","Why scope reduction matters",[37,2705,2706,2707,2709],{},"The scope of a PCI DSS assessment is determined by the cardholder data environment (CDE) -- every system, network segment, person, and process that stores, processes, or transmits cardholder data, plus any component that is connected to those systems or that could impact their security. 
The larger the CDE, the more controls you must implement, the more evidence you must collect, and the more expensive and time-consuming your ",[41,2708,853],{"href":511}," program becomes.",[37,2711,2712,2713,2715],{},"Scope reduction is the practice of shrinking the CDE through architectural and operational changes. A smaller scope means fewer systems to assess, fewer vulnerabilities to manage, and a faster path to compliance. For organizations in the ",[41,2714,1129],{"href":378}," handling high transaction volumes, effective scope reduction can be the difference between a manageable compliance program and an overwhelming one.",[32,2717,2719],{"id":2718},"understanding-the-cardholder-data-environment","Understanding the cardholder data environment",[37,2721,2722],{},"Before reducing scope, you must define it. The CDE includes three categories of systems:",[860,2724,2726],{"id":2725},"cde-systems","CDE systems",[37,2728,2729],{},"These are systems that directly store, process, or transmit cardholder data (CHD) or sensitive authentication data (SAD). Examples include payment application servers, databases containing card numbers, and point-of-sale terminals.",[860,2731,2733],{"id":2732},"connected-to-systems","Connected-to systems",[37,2735,2736],{},"Systems that have network connectivity to CDE systems, even if they do not handle cardholder data themselves, are considered \"connected to\" the CDE and are in scope. A domain controller that authenticates users accessing a payment server is a connected-to system. An application server on the same network segment as a payment processor is also in scope.",[860,2738,2740],{"id":2739},"security-impacting-systems","Security-impacting systems",[37,2742,2743],{},"Systems that could affect the security of the CDE are in scope even without direct connectivity. 
This includes SIEM servers that collect logs from CDE systems, anti-malware management consoles, and vulnerability scanners used against CDE components.",[32,2745,291],{"id":290},[860,2747,2748],{"id":1845},"Network segmentation",[37,2750,2751],{},"Network segmentation is the most fundamental scope reduction technique. By isolating the CDE on a dedicated network segment with strict access controls, you prevent other systems from being classified as \"connected to\" the CDE.",[37,2753,2754],{},[71,2755,2756],{},"Effective segmentation requires:",[200,2758,2759,2762,2765,2768],{},[68,2760,2761],{},"Dedicated VLANs or network segments for all CDE components",[68,2763,2764],{},"Firewall rules that restrict traffic between the CDE and the rest of the corporate network to only what is business-justified",[68,2766,2767],{},"Separate management interfaces for CDE networking equipment where feasible",[68,2769,2770],{},"Regular validation that segmentation controls are functioning correctly, including penetration testing that specifically targets segmentation boundaries",[37,2772,2773],{},"PCI DSS v4.0 requires that segmentation controls be tested at least every six months for service providers and annually for merchants. This testing must verify that the segmentation is effective at isolating the CDE from out-of-scope networks.",[37,2775,2776],{},[71,2777,2778],{},"Common segmentation mistakes:",[200,2780,2781,2784,2787,2790],{},[68,2782,2783],{},"Flat networks where CDE and non-CDE systems share the same subnet",[68,2785,2786],{},"Overly permissive firewall rules that negate the benefit of segmentation",[68,2788,2789],{},"Forgetting to segment management and monitoring networks",[68,2791,2792],{},"Allowing VPN or remote access solutions to bridge CDE and non-CDE segments",[860,2794,2795],{"id":95},"Tokenization",[37,2797,2798],{},"Tokenization replaces cardholder data with a surrogate value (a token) that has no exploitable meaning. 
When implemented correctly, systems that only handle tokens are not in scope for PCI DSS, because tokens are not considered cardholder data.",[37,2800,2801],{},[71,2802,2803],{},"How tokenization reduces scope:",[200,2805,2806,2809,2812,2815],{},[68,2807,2808],{},"Your application stores and processes tokens instead of primary account numbers (PANs)",[68,2810,2811],{},"The token vault, where tokens map back to real card numbers, remains in scope but is isolated to a dedicated, hardened environment",[68,2813,2814],{},"All other systems that interact with tokens (your CRM, analytics platform, order management system) are removed from scope",[68,2816,2817],{},"You can use tokens for recurring transactions, refunds, and customer lookups without touching real card data",[37,2819,2820],{},[71,2821,2822],{},"Tokenization considerations:",[200,2824,2825,2828,2831,2834],{},[68,2826,2827],{},"The tokenization system itself is in scope and must be PCI DSS compliant",[68,2829,2830],{},"Tokens must not be reversible through mathematical means without the token vault",[68,2832,2833],{},"If you use a third-party tokenization service provider, that provider must be PCI DSS validated",[68,2835,2836],{},"Format-preserving tokens that resemble card numbers may create confusion about whether real card data is present -- clear documentation is essential",[860,2838,2840],{"id":2839},"point-to-point-encryption-p2pe","Point-to-point encryption (P2PE)",[37,2842,2843],{},"PCI-validated Point-to-Point Encryption (P2PE) solutions encrypt cardholder data at the point of interaction (the payment terminal) and keep it encrypted until it reaches the decryption environment at the payment processor. 
When using a PCI-listed P2PE solution, the merchant's environment between the terminal and the processor is removed from scope.",[37,2845,2846],{},[71,2847,2848],{},"Scope reduction benefits of P2PE:",[200,2850,2851,2854,2857,2860],{},[68,2852,2853],{},"The encrypted data passing through your network is not considered cardholder data for scoping purposes",[68,2855,2856],{},"Network infrastructure between the P2PE terminal and the internet is not in scope",[68,2858,2859],{},"You may qualify for SAQ P2PE, which contains approximately 33 questions -- significantly fewer than other SAQ types",[68,2861,2862],{},"Physical security of terminals and P2PE device management become the primary compliance focus",[37,2864,2865],{},[71,2866,2867],{},"P2PE requirements:",[200,2869,2870,2873,2876,2879],{},[68,2871,2872],{},"The solution must be listed on the PCI SSC's list of validated P2PE solutions",[68,2874,2875],{},"Terminal management must follow the P2PE Instruction Manual (PIM) provided by the solution vendor",[68,2877,2878],{},"You cannot access the decryption keys or decrypted data at any point",[68,2880,2881],{},"Any deviation from the PIM may invalidate the scope reduction benefits",[860,2883,2885],{"id":2884},"outsourcing-payment-processing","Outsourcing payment processing",[37,2887,2888],{},"Fully outsourcing payment processing to a PCI DSS-validated service provider is another effective scope reduction strategy. By redirecting customers to a hosted payment page or using an iframe provided by the processor, your systems never touch cardholder data.",[37,2890,2891],{},[71,2892,2893],{},"Outsourcing approaches:",[200,2895,2896,2902,2908],{},[68,2897,2898,2901],{},[71,2899,2900],{},"URL redirect"," - The customer is redirected to the payment processor's website to enter card details, then returned to your site after payment. 
Your systems never handle cardholder data.",[68,2903,2904,2907],{},[71,2905,2906],{},"Embedded iframe"," - An iframe from the payment processor is embedded in your checkout page. The card data is submitted directly to the processor, bypassing your servers.",[68,2909,2910,2913],{},[71,2911,2912],{},"JavaScript tokenization"," - A JavaScript library from the processor captures card data in the browser and sends it directly to the processor, returning a token to your server.",[37,2915,2916,2917,2919],{},"Each approach has different scope implications. A URL redirect may qualify you for SAQ A, while an embedded iframe or JavaScript approach may require SAQ A-EP due to the risk that compromised scripts on your page could intercept card data. See the ",[41,2918,944],{"href":259}," for detailed eligibility criteria.",[860,2921,2923],{"id":2922},"data-minimization","Data minimization",[37,2925,2926],{},"The simplest scope reduction technique is to stop storing cardholder data you do not need. Many organizations retain full card numbers for convenience rather than necessity.",[37,2928,2929],{},[71,2930,2931],{},"Data minimization practices:",[200,2933,2934,2937,2940,2943,2946],{},[68,2935,2936],{},"Delete stored cardholder data that has no ongoing business or legal requirement",[68,2938,2939],{},"Truncate PANs to the first six and last four digits where full numbers are not needed",[68,2941,2942],{},"Never store sensitive authentication data (CVV, PIN, full track data) after authorization",[68,2944,2945],{},"Implement data retention policies with automated purging",[68,2947,2948],{},"Audit databases, log files, and backups for unintended cardholder data storage",[32,2950,2952],{"id":2951},"combining-strategies-for-maximum-reduction","Combining strategies for maximum reduction",[37,2954,2955],{},"The most effective scope reduction programs layer multiple strategies. 
A typical approach might combine:",[65,2957,2958,2963,2968,2973],{},[68,2959,2960,2962],{},[71,2961,2795],{}," for application-layer scope reduction, ensuring your databases and application servers only handle tokens",[68,2964,2965,2967],{},[71,2966,2748],{}," to isolate the remaining CDE systems (token vault, any systems that interact with the payment processor)",[68,2969,2970,2972],{},[71,2971,2493],{}," for in-store payment terminals, removing the retail network from scope",[68,2974,2975,2978],{},[71,2976,2977],{},"Outsourced payment pages"," for e-commerce, redirecting card data capture to a validated processor",[37,2980,2981],{},"This layered approach can reduce a CDE from hundreds of systems to a handful, dramatically simplifying the compliance assessment.",[32,2983,2985],{"id":2984},"validating-scope-reduction","Validating scope reduction",[37,2987,2988],{},"Scope reduction is only effective if it is properly validated. PCI DSS requires:",[200,2990,2991,2997,3003,3009],{},[68,2992,2993,2996],{},[71,2994,2995],{},"Documented data flows"," showing where cardholder data enters, moves through, and exits the environment",[68,2998,2999,3002],{},[71,3000,3001],{},"Network diagrams"," that clearly delineate CDE boundaries and segmentation controls",[68,3004,3005,3008],{},[71,3006,3007],{},"Penetration testing"," that validates segmentation effectiveness by attempting to access the CDE from out-of-scope networks",[68,3010,3011,3014],{},[71,3012,3013],{},"Annual scope confirmation"," as part of the assessment process, verifying that no new systems or data flows have expanded the CDE",[37,3016,3017,3018,3020],{},"Scope reduction is not a one-time project. As your architecture evolves, new integrations, cloud migrations, and business changes can inadvertently expand the CDE. 
Building scope reviews into your change management process ensures that reductions remain effective over time and your ",[41,3019,913],{"href":61}," stay manageable.",{"title":447,"searchDepth":448,"depth":448,"links":3022},[3023,3024,3029,3036,3037],{"id":2702,"depth":448,"text":2703},{"id":2718,"depth":448,"text":2719,"children":3025},[3026,3027,3028],{"id":2725,"depth":1179,"text":2726},{"id":2732,"depth":1179,"text":2733},{"id":2739,"depth":1179,"text":2740},{"id":290,"depth":448,"text":291,"children":3030},[3031,3032,3033,3034,3035],{"id":1845,"depth":1179,"text":2748},{"id":95,"depth":1179,"text":2795},{"id":2839,"depth":1179,"text":2840},{"id":2884,"depth":1179,"text":2885},{"id":2922,"depth":1179,"text":2923},{"id":2951,"depth":448,"text":2952},{"id":2984,"depth":448,"text":2985},"Strategies for reducing PCI DSS scope through network segmentation, tokenization, point-to-point encryption, and cardholder data environment management.",{"items":3040},[3041,3044,3047,3050],{"label":3042,"content":3043},"What is PCI DSS scope reduction?","Scope reduction is the practice of shrinking your cardholder data environment (CDE) through architectural changes like network segmentation, tokenization, and P2PE. A smaller CDE means fewer systems to assess, fewer controls to implement, and lower audit costs.",{"label":3045,"content":3046},"Does network segmentation remove systems from PCI scope?","Yes. Properly implemented network segmentation isolates the CDE on dedicated segments, preventing other systems from being classified as connected-to the CDE. Segmentation must be validated through penetration testing — every six months for service providers and annually for merchants.",{"label":3048,"content":3049},"Can tokenization eliminate PCI DSS requirements?","Tokenization removes systems that only handle tokens from PCI scope, since tokens are not cardholder data. However, the tokenization system itself (the token vault) remains in scope and must be PCI DSS compliant. 
The net effect is a dramatically smaller assessment footprint.",{"label":3051,"content":3052},"What is the fastest way to reduce PCI scope?","The quickest wins are outsourcing payment processing via hosted payment pages or iframes (potentially qualifying for SAQ A with only 22 questions) and implementing data minimization — deleting stored cardholder data you no longer need and truncating PANs to first six and last four digits.",{},[823,1212],[827,2138,1214],{"title":3057,"description":3058},"PCI DSS Scope Reduction: Network Segmentation, Tokenization & P2PE Guide","Reduce your PCI DSS audit scope and cost with network segmentation, tokenization, and P2PE. Practical strategies to minimize your cardholder data environment.","5.frameworks\u002Fpci\u002Fscope-reduction","VzMDMDIV4pDU3BgqGQmyJduhNJ7aCQrCZNKxAbJ2xjk",{"id":3062,"title":3063,"body":3064,"description":3416,"extension":473,"faq":2355,"frameworkSlug":528,"lastUpdated":819,"meta":3417,"navigation":510,"path":259,"relatedTerms":3418,"relatedTopics":3419,"seo":3420,"stem":3423,"__hash__":3424},"frameworkTopics\u002F5.frameworks\u002Fpci\u002Fself-assessment-questionnaire.md","PCI DSS Self-Assessment Questionnaire (SAQ)",{"type":29,"value":3065,"toc":3397},[3066,3070,3076,3082,3086,3089,3093,3096,3101,3115,3118,3122,3125,3129,3140,3143,3147,3150,3154,3168,3171,3175,3178,3182,3197,3200,3204,3207,3211,3223,3226,3230,3233,3238,3252,3255,3259,3262,3297,3301,3304,3308,3311,3315,3318,3344,3347,3351,3354,3358,3361,3365,3391],[32,3067,3069],{"id":3068},"what-is-a-pci-dss-self-assessment-questionnaire","What is a PCI DSS Self-Assessment Questionnaire?",[37,3071,3072,3073,3075],{},"The Self-Assessment Questionnaire (SAQ) is a validation tool provided by the PCI Security Standards Council for merchants and service providers who are not required to undergo a full on-site assessment by a Qualified Security Assessor (QSA). 
It allows organizations to self-evaluate their adherence to the ",[41,3074,913],{"href":61}," and report their compliance status to their acquiring bank or payment brand.",[37,3077,3078,3079,3081],{},"The SAQ is a critical component of ",[41,3080,853],{"href":511}," for the vast majority of merchants. While Level 1 merchants must complete a formal Report on Compliance (ROC), merchants at Levels 2 through 4 typically validate compliance through the appropriate SAQ type. Choosing the correct SAQ is one of the most important early decisions in your compliance journey.",[32,3083,3085],{"id":3084},"saq-types-and-eligibility","SAQ types and eligibility",[37,3087,3088],{},"The PCI SSC publishes several SAQ types, each tailored to a specific payment processing environment. Selecting the wrong SAQ can result in wasted effort or gaps in your compliance validation.",[860,3090,3092],{"id":3091},"saq-a-card-not-present-merchants-fully-outsourced","SAQ A - Card-not-present merchants (fully outsourced)",[37,3094,3095],{},"SAQ A is the shortest and simplest questionnaire. It applies to e-commerce or mail\u002Ftelephone-order merchants that have fully outsourced all cardholder data functions to PCI DSS-validated third-party service providers. 
Your website must not directly receive, process, store, or transmit cardholder data at any point.",[37,3097,3098],{},[71,3099,3100],{},"Eligibility criteria:",[200,3102,3103,3106,3109,3112],{},[68,3104,3105],{},"All payment processing is entirely outsourced to validated third parties",[68,3107,3108],{},"Your website does not receive cardholder data, even transiently",[68,3110,3111],{},"No electronic storage, processing, or transmission of cardholder data on your systems",[68,3113,3114],{},"You have confirmed your third-party providers are PCI DSS compliant",[37,3116,3117],{},"SAQ A contains approximately 22 questions and focuses primarily on policies, procedures, and service provider management.",[860,3119,3121],{"id":3120},"saq-a-ep-e-commerce-merchants-with-partial-outsourcing","SAQ A-EP - E-commerce merchants with partial outsourcing",[37,3123,3124],{},"SAQ A-EP applies to e-commerce merchants that outsource payment processing but whose website could still impact the security of the payment transaction. This commonly applies when your website hosts the payment page but uses an iframe or redirect to a third-party processor, or when your site includes scripts that could be manipulated to capture cardholder data.",[37,3126,3127],{},[71,3128,3100],{},[200,3130,3131,3134,3137],{},[68,3132,3133],{},"Payment processing is outsourced to a PCI DSS-validated third party",[68,3135,3136],{},"Your website does not receive cardholder data directly, but it can affect the security of the transaction",[68,3138,3139],{},"No electronic storage of cardholder data",[37,3141,3142],{},"SAQ A-EP is significantly longer than SAQ A, containing approximately 139 questions. 
It covers vulnerability scanning, penetration testing, and web application security, reflecting the risk that compromised website code could intercept payment data.",[860,3144,3146],{"id":3145},"saq-b-imprint-or-standalone-terminal-merchants","SAQ B - Imprint or standalone terminal merchants",[37,3148,3149],{},"SAQ B applies to merchants that process cardholder data only through imprint machines or standalone, dial-out payment terminals. These terminals must not be connected to the internet or any other systems in your environment.",[37,3151,3152],{},[71,3153,3100],{},[200,3155,3156,3159,3162,3165],{},[68,3157,3158],{},"Only imprint machines or standalone dial-out terminals are used",[68,3160,3161],{},"Terminals are not connected to the internet",[68,3163,3164],{},"No electronic cardholder data storage",[68,3166,3167],{},"No e-commerce channel",[37,3169,3170],{},"SAQ B contains approximately 41 questions and focuses primarily on physical security, terminal management, and policies.",[860,3172,3174],{"id":3173},"saq-c-merchants-with-payment-application-systems","SAQ C - Merchants with payment application systems",[37,3176,3177],{},"SAQ C applies to merchants that process cardholder data through payment application systems connected to the internet but do not store cardholder data electronically. 
This is common for brick-and-mortar retailers using point-of-sale systems with IP connectivity.",[37,3179,3180],{},[71,3181,3100],{},[200,3183,3184,3187,3190,3193,3195],{},[68,3185,3186],{},"Payment application system is connected to the internet for payment processing",[68,3188,3189],{},"Payment application system is not connected to any other systems within the environment",[68,3191,3192],{},"The physical store and POS environment are not connected to other locations",[68,3194,3164],{},[68,3196,3167],{},[37,3198,3199],{},"SAQ C contains approximately 160 questions and covers network segmentation, system hardening, access controls, and vulnerability management relevant to the payment application environment.",[860,3201,3203],{"id":3202},"saq-c-vt-virtual-terminal-merchants","SAQ C-VT - Virtual terminal merchants",[37,3205,3206],{},"SAQ C-VT is a variant for merchants that manually enter a single transaction at a time through a virtual terminal provided by a PCI DSS-validated third-party service provider. This applies to call center or mail-order operations where an operator keys in card data via a web browser.",[37,3208,3209],{},[71,3210,3100],{},[200,3212,3213,3216,3219,3221],{},[68,3214,3215],{},"Payment processing occurs only via a virtual terminal accessed through a web browser",[68,3217,3218],{},"The virtual terminal is provided by a PCI DSS-validated service provider",[68,3220,3164],{},[68,3222,3167],{},[37,3224,3225],{},"SAQ C-VT contains approximately 79 questions.",[860,3227,3229],{"id":3228},"saq-d-all-other-merchants-and-service-providers","SAQ D - All other merchants and service providers",[37,3231,3232],{},"SAQ D is the most comprehensive questionnaire and serves as the catch-all for any merchant or service provider that does not meet the eligibility criteria for the other SAQ types. 
SAQ D comes in two versions: SAQ D for Merchants and SAQ D for Service Providers.",[37,3234,3235],{},[71,3236,3237],{},"When SAQ D applies:",[200,3239,3240,3243,3246,3249],{},[68,3241,3242],{},"You store cardholder data electronically",[68,3244,3245],{},"You do not meet the eligibility criteria for any other SAQ type",[68,3247,3248],{},"Your acquiring bank or payment brand requires it",[68,3250,3251],{},"You are a service provider",[37,3253,3254],{},"SAQ D contains approximately 329 questions and covers all 12 PCI DSS requirements comprehensively. It essentially mirrors the scope of a full ROC assessment but is completed as a self-assessment.",[32,3256,3258],{"id":3257},"how-to-determine-your-saq-type","How to determine your SAQ type",[37,3260,3261],{},"Choosing the correct SAQ requires a thorough understanding of how cardholder data flows through your environment:",[65,3263,3264,3270,3276,3282,3288],{},[68,3265,3266,3269],{},[71,3267,3268],{},"Map your payment flows"," - Document exactly how cardholder data enters, moves through, and exits your environment. Include all channels: e-commerce, in-store, phone orders, and mobile.",[68,3271,3272,3275],{},[71,3273,3274],{},"Identify data touchpoints"," - Determine whether your systems receive, process, store, or transmit cardholder data at any stage.",[68,3277,3278,3281],{},[71,3279,3280],{},"Evaluate your technology"," - Assess whether you use outsourced payment pages, iframes, redirects, standalone terminals, virtual terminals, or payment applications.",[68,3283,3284,3287],{},[71,3285,3286],{},"Consult your acquirer"," - Your acquiring bank may have specific requirements or preferences regarding which SAQ type you should complete.",[68,3289,3290,3293,3294,3296],{},[71,3291,3292],{},"Consider scope reduction"," - Techniques like tokenization, point-to-point encryption (P2PE), and network segmentation can simplify your environment and potentially qualify you for a shorter SAQ. 
See ",[41,3295,298],{"href":297}," for more detail.",[32,3298,3300],{"id":3299},"completing-the-saq","Completing the SAQ",[37,3302,3303],{},"Once you have identified the correct SAQ type, the completion process involves several steps:",[860,3305,3307],{"id":3306},"gather-evidence","Gather evidence",[37,3309,3310],{},"For each applicable question, you will need to demonstrate that the corresponding control is in place. This includes policies, configuration screenshots, scan reports, access reviews, training records, and other artifacts. Automating evidence collection through a compliance platform reduces the time and effort required.",[860,3312,3314],{"id":3313},"answer-each-question","Answer each question",[37,3316,3317],{},"Every question in the SAQ requires one of four responses:",[200,3319,3320,3326,3332,3338],{},[68,3321,3322,3325],{},[71,3323,3324],{},"Yes"," - The control is fully in place",[68,3327,3328,3331],{},[71,3329,3330],{},"Yes with CCW"," - The control is in place with a compensating control worksheet",[68,3333,3334,3337],{},[71,3335,3336],{},"No"," - The control is not in place",[68,3339,3340,3343],{},[71,3341,3342],{},"N\u002FA"," - The question does not apply to your environment (with justification)",[37,3345,3346],{},"Any \"No\" response indicates a gap that must be remediated before you can attest to compliance.",[860,3348,3350],{"id":3349},"compensating-controls","Compensating controls",[37,3352,3353],{},"If you cannot meet a specific requirement as stated, PCI DSS allows compensating controls that mitigate the associated risk to an acceptable level. 
Compensating controls must be documented in a Compensating Control Worksheet and meet specific criteria: they must address the risk of the original requirement, provide a similar level of defense, and go above and beyond other PCI DSS requirements.",[860,3355,3357],{"id":3356},"attestation-of-compliance","Attestation of Compliance",[37,3359,3360],{},"After completing the SAQ, an authorized officer of the organization must sign the Attestation of Compliance (AOC), confirming the accuracy of the self-assessment. The completed SAQ and AOC are then submitted to your acquiring bank.",[32,3362,3364],{"id":3363},"common-pitfalls","Common pitfalls",[200,3366,3367,3373,3379,3385],{},[68,3368,3369,3372],{},[71,3370,3371],{},"Selecting the wrong SAQ type"," - Choosing a simpler SAQ than your environment warrants leaves gaps in your validation and may result in non-compliance findings.",[68,3374,3375,3378],{},[71,3376,3377],{},"Incomplete scoping"," - Failing to account for all payment channels, third-party integrations, or data flows leads to an inaccurate assessment.",[68,3380,3381,3384],{},[71,3382,3383],{},"Point-in-time mindset"," - The SAQ validates your compliance posture at a moment in time, but PCI DSS v4.0 emphasizes continuous compliance. Build processes that maintain controls year-round.",[68,3386,3387,3390],{},[71,3388,3389],{},"Ignoring third-party risk"," - Even with outsourced payment processing, you remain responsible for ensuring your service providers maintain their PCI DSS compliance.",[37,3392,3393,3394,3396],{},"Organizations in the ",[41,3395,1129],{"href":378}," often manage complex payment flows across multiple channels, making SAQ selection and scoping particularly important. 
A well-structured compliance program with automated evidence collection helps ensure that the SAQ process is efficient and accurate.",{"title":447,"searchDepth":448,"depth":448,"links":3398},[3399,3400,3408,3409,3415],{"id":3068,"depth":448,"text":3069},{"id":3084,"depth":448,"text":3085,"children":3401},[3402,3403,3404,3405,3406,3407],{"id":3091,"depth":1179,"text":3092},{"id":3120,"depth":1179,"text":3121},{"id":3145,"depth":1179,"text":3146},{"id":3173,"depth":1179,"text":3174},{"id":3202,"depth":1179,"text":3203},{"id":3228,"depth":1179,"text":3229},{"id":3257,"depth":448,"text":3258},{"id":3299,"depth":448,"text":3300,"children":3410},[3411,3412,3413,3414],{"id":3306,"depth":1179,"text":3307},{"id":3313,"depth":1179,"text":3314},{"id":3349,"depth":1179,"text":3350},{"id":3356,"depth":1179,"text":3357},{"id":3363,"depth":448,"text":3364},"A guide to the PCI DSS Self-Assessment Questionnaire types, which SAQ applies to your business, and how to complete the process.",{},[823,1212],[2138,827,829],{"title":3421,"description":3422},"PCI DSS Self-Assessment Questionnaire (SAQ) - Types and Guide","Learn which PCI DSS SAQ type applies to your business. 
Covers SAQ A, A-EP, B, C, and D with eligibility criteria and completion tips.","5.frameworks\u002Fpci\u002Fself-assessment-questionnaire","fozwUUWkod2HnMs8U2bAQeRSNlpEyMLo1qnB1s3dJZI",{"id":3426,"title":3427,"body":3428,"description":3682,"extension":473,"faq":3683,"frameworkSlug":528,"lastUpdated":819,"meta":3697,"navigation":510,"path":307,"relatedTerms":3698,"relatedTopics":3702,"seo":3704,"stem":3707,"__hash__":3708},"frameworkTopics\u002F5.frameworks\u002Fpci\u002Ftokenization-vs-encryption.md","Tokenization vs Encryption for PCI DSS PAN Protection",{"type":29,"value":3429,"toc":3671},[3430,3434,3440,3443,3447,3450,3453,3473,3476,3480,3483,3486,3506,3509,3513,3516,3519,3533,3536,3540,3543,3563,3566,3570,3596,3599,3601,3604,3607,3609,3664,3666],[32,3431,3433],{"id":3432},"two-tools-two-problems","Two tools, two problems",[37,3435,3436,3437,3439],{},"Tokenization and encryption both protect the primary account number (",[41,3438,100],{"href":99},"), but they solve different PCI DSS problems. Encryption protects PAN that you still need to retain. Tokenization replaces PAN you do not need to retain with a non-sensitive surrogate. Mature PCI DSS programs use both: tokenize everywhere you can to shrink the cardholder data environment, and encrypt everywhere you must actually store PAN.",[37,3441,3442],{},"Under PCI DSS, this distinction matters for scope. A system that stores encrypted PAN is still in scope for PCI DSS because the ciphertext, when decrypted, is cardholder data. A system that stores only tokens is generally out of PCI DSS scope because tokens are not cardholder data -- provided the tokenization implementation meets the PCI SSC's guidance on token generation, mapping, and vault isolation. 
The scope implication is why tokenization is such a powerful lever in a PCI DSS program and why most CFOs quickly support tokenization projects even when the implementation cost looks high.",[32,3444,3446],{"id":3445},"how-pci-dss-encryption-works","How PCI DSS encryption works",[37,3448,3449],{},"PCI DSS Requirement 3 governs stored account data. Acceptable methods for rendering PAN unreadable include one-way hashing, truncation, strong cryptography with associated key management (encryption), and index tokens. Encryption is by far the most common -- AES-256 in authenticated modes is the baseline, with RSA or elliptic-curve key wrapping for key management.",[37,3451,3452],{},"Encryption as a PCI DSS control brings along a whole key-management program:",[200,3454,3455,3458,3461,3464,3467,3470],{},[68,3456,3457],{},"Unique keys per environment and purpose.",[68,3459,3460],{},"Documented key lifecycle -- generation, distribution, storage, rotation, retirement, and destruction.",[68,3462,3463],{},"Hardware security module (HSM) or equivalent cryptographic module for root keys.",[68,3465,3466],{},"Key custodians with documented responsibilities and signed key custodian agreements.",[68,3468,3469],{},"Annual cryptographic key rotation or a cryptoperiod driven by documented risk analysis.",[68,3471,3472],{},"Access controls that enforce dual control and split knowledge for the most sensitive keys.",[37,3474,3475],{},"All of this is covered by PCI DSS Requirement 3, with supporting testing in Requirements 8 (authentication) and 10 (logging). Encryption is the right tool when the business truly needs the PAN -- card-on-file payments for recurring billing, payment processors performing settlement, or issuers generating card numbers. 
Encryption does not take the encrypted data out of PCI DSS scope.",[32,3477,3479],{"id":3478},"how-pci-dss-tokenization-works","How PCI DSS tokenization works",[37,3481,3482],{},"Tokenization replaces a PAN with a surrogate value that has no exploitable mathematical relationship to the original. The mapping from token to PAN is stored in a separate, highly protected system called the token vault. Systems that need to process the PAN (payment gateways, fraud tools, issuer systems) talk to the token vault; every other system holds only the token.",[37,3484,3485],{},"A PCI DSS-compliant tokenization program typically has:",[200,3487,3488,3491,3494,3497,3500,3503],{},[68,3489,3490],{},"A centralized token vault operated either in-house on PCI-assessed infrastructure or by a PCI DSS-validated tokenization service provider.",[68,3492,3493],{},"Strong cryptographic or non-deterministic mapping so tokens cannot be reversed without the vault.",[68,3495,3496],{},"Unique tokens per PAN, or per PAN plus merchant, or per PAN plus purpose, depending on business need.",[68,3498,3499],{},"Access controls that limit detokenization to a narrow set of service identities and humans.",[68,3501,3502],{},"Logging of every detokenization event.",[68,3504,3505],{},"Documented procedures for token issuance, rotation, and invalidation.",[37,3507,3508],{},"Systems that only hold tokens and never interact with the vault can typically be treated as out of PCI DSS scope. In practice, those systems often include CRM platforms, analytics warehouses, order-management systems, customer support tools, email and marketing platforms, and much of the operational infrastructure that would otherwise be pulled into PCI DSS scope simply because it touches PAN. 
The net effect is often an order-of-magnitude reduction in the PCI DSS footprint.",[32,3510,3512],{"id":3511},"format-preserving-tokens","Format-preserving tokens",[37,3514,3515],{},"Some applications expect a value that looks like a PAN -- 16 digits, the right leading BIN, Luhn-valid. Format-preserving tokens (sometimes loosely called FPE tokens) satisfy those constraints by producing surrogates that pass PAN-shape validation. Format-preserving tokens are popular for retrofitting tokenization into legacy systems that would otherwise need invasive schema changes.",[37,3517,3518],{},"Format-preserving tokens come with care-and-feeding issues:",[200,3520,3521,3524,3527,3530],{},[68,3522,3523],{},"They can be confused with real PANs by testers, developers, and incident responders. Clear documentation and distinct BIN ranges help.",[68,3525,3526],{},"They must not be trivially reversible -- format-preserving encryption (FPE) is different from format-preserving tokenization, and PCI DSS treats them differently.",[68,3528,3529],{},"Detection rules (DLP, log scrubbing) must handle format-preserving tokens differently from real PANs to avoid noise.",[68,3531,3532],{},"Logs and audit trails should clearly indicate whether a value is a token or a real PAN.",[37,3534,3535],{},"Used well, format-preserving tokens let you deploy tokenization without re-architecting systems. Used poorly, they recreate PCI DSS confusion.",[32,3537,3539],{"id":3538},"vault-management","Vault management",[37,3541,3542],{},"The token vault is the highest-value asset in a tokenization program. 
It sits squarely in the PCI DSS cardholder data environment and deserves the strongest controls in the program:",[200,3544,3545,3548,3551,3554,3557,3560],{},[68,3546,3547],{},"Dedicated network segment with the fewest possible connections in and out.",[68,3549,3550],{},"Strict allow-list of service identities and humans authorized to detokenize.",[68,3552,3553],{},"Hardware-backed cryptography for the vault's encryption keys.",[68,3555,3556],{},"Comprehensive logging of every token-to-PAN lookup.",[68,3558,3559],{},"Rate limiting and anomaly detection on detokenization requests -- a compromised service account that starts detokenizing at unusual volume is one of the clearest intrusion signals.",[68,3561,3562],{},"Robust disaster recovery and backup controls that preserve the confidentiality of the vault's contents.",[37,3564,3565],{},"Whether you run the vault yourself or buy from a tokenization service provider, you need evidence that these controls are in place. If you use a service provider, their PCI DSS AOC and Responsibility Matrix are required evidence.",[32,3567,3569],{"id":3568},"when-each-applies","When each applies",[200,3571,3572,3578,3584,3590],{},[68,3573,3574,3577],{},[71,3575,3576],{},"Tokenize"," everywhere PAN is not strictly needed for business function. This usually covers customer service tooling, CRM, analytics, marketing, order management, and most of your application stack.",[68,3579,3580,3583],{},[71,3581,3582],{},"Encrypt"," PAN in the systems that must retain it -- payment processors, settlement systems, recurring-billing engines, and the token vault itself.",[68,3585,3586,3589],{},[71,3587,3588],{},"Use P2PE"," for card-present environments to remove the merchant's internal network from PCI DSS scope entirely.",[68,3591,3592,3595],{},[71,3593,3594],{},"Truncate or hash"," PAN where you only need the last four or a reference value -- receipts, reports, analytics dashboards. 
Truncation is free scope reduction.",[37,3597,3598],{},"The strategic question is rarely \"tokenize or encrypt\" but \"how do we combine tokenization, encryption, truncation, and P2PE to arrive at the smallest possible PCI DSS scope with the strongest possible protection.\"",[32,3600,723],{"id":722},[37,3602,3603],{},"Tokenization and encryption interact with a majority of PCI DSS requirements. Requirement 3 covers stored account data protection. Requirement 4 covers PAN transmitted over open, public networks. Requirement 6 covers the secure development of the tokenization and encryption systems themselves. Requirements 7 and 8 cover access to the token vault and to decryption keys. Requirement 10 covers logging of detokenization and key use. Requirement 11 validates that the controls actually work.",[37,3605,3606],{},"Most importantly, tokenization directly affects PCI DSS scoping -- and scope drives everything else in the PCI DSS program. A solid tokenization rollout is often the single highest-ROI PCI DSS investment a program can make, because it compounds across every subsequent control, every subsequent assessment, and every subsequent ASV scan.",[32,3608,733],{"id":732},[200,3610,3611,3617,3623,3629,3635,3641,3647,3652,3658],{},[68,3612,3613,3616],{},[71,3614,3615],{},"Treating encryption as scope reduction."," Encrypted PAN is still cardholder data and the system remains in PCI DSS scope.",[68,3618,3619,3622],{},[71,3620,3621],{},"Shipping tokens alongside PAN in logs or analytics"," because the application is not consistently tokenizing on the way in.",[68,3624,3625,3628],{},[71,3626,3627],{},"Deploying format-preserving tokens without distinguishing them from real PANs",", leading to confusion during investigation.",[68,3630,3631,3634],{},[71,3632,3633],{},"Leaving legacy databases with residual PAN"," after a tokenization rollout, creating PCI DSS findings years later.",[68,3636,3637,3640],{},[71,3638,3639],{},"Weak key management"," that puts encryption 
controls out of compliance with PCI DSS Requirements 3.6 and 3.7.",[68,3642,3643,3646],{},[71,3644,3645],{},"Running the token vault on shared infrastructure"," that lacks the segmentation and hardening PCI DSS expects.",[68,3648,3649],{},[71,3650,3651],{},"Relying on a tokenization service provider without confirming their PCI DSS validation and Responsibility Matrix.",[68,3653,3654,3657],{},[71,3655,3656],{},"Skipping detokenization rate limiting",", leaving the vault vulnerable to bulk extraction through a compromised service account.",[68,3659,3660,3663],{},[71,3661,3662],{},"Tokenizing only the happy path"," and leaving batch jobs, exports, or backup pipelines handling real PAN.",[32,3665,787],{"id":786},[37,3667,3668,3669,79],{},"episki maps your tokenization and encryption controls to every affected PCI DSS requirement, collects evidence from vaults and HSMs, and flags drift before your QSA does. We make it easy to prove to an assessor that tokens stay tokens, keys are managed, and the vault is airtight. Learn more on the ",[41,3670,793],{"href":511},{"title":447,"searchDepth":448,"depth":448,"links":3672},[3673,3674,3675,3676,3677,3678,3679,3680,3681],{"id":3432,"depth":448,"text":3433},{"id":3445,"depth":448,"text":3446},{"id":3478,"depth":448,"text":3479},{"id":3511,"depth":448,"text":3512},{"id":3538,"depth":448,"text":3539},{"id":3568,"depth":448,"text":3569},{"id":722,"depth":448,"text":723},{"id":732,"depth":448,"text":733},{"id":786,"depth":448,"text":787},"Tokenization vs encryption for protecting the primary account number (PAN) under PCI DSS — when each applies, vault management, format-preserving tokens, and scope impact.",{"items":3684},[3685,3688,3691,3694],{"label":3686,"content":3687},"Does tokenization remove data from PCI DSS scope?","Systems that only handle tokens are generally out of PCI DSS scope because tokens are not cardholder data. The token vault itself remains in scope and must be PCI DSS compliant. 
Tokenization does not eliminate PCI DSS scope — it reduces the footprint significantly.",{"label":3689,"content":3690},"Is encryption alone sufficient for PCI DSS PAN protection?","Encryption satisfies PCI DSS Requirement 3.5 for protecting stored PAN, but it does not remove the encrypted data from scope. Every system that stores, processes, or transmits the encrypted PAN remains in scope, along with all systems involved in key management.",{"label":3692,"content":3693},"What is a format-preserving token?","A format-preserving token is a surrogate value that looks like a PAN — same length, same leading digits, same Luhn validity — so it can flow through systems that expect a real card number. Format-preserving tokens must be clearly distinguishable from real PANs during testing and investigation to avoid confusion.",{"label":3695,"content":3696},"Which is better for PCI DSS — tokenization or encryption?","They solve different problems. Tokenization is about scope reduction: remove PAN data from systems that do not need it. Encryption is about protection: secure PAN data in systems that must retain it. Most mature PCI DSS programs use both, tokenizing everywhere they can and encrypting everywhere they must store PAN.",{},[95,3699,823,3700,3701],"pan","encryption","key-management",[829,827,1845,3703],"saq-types-explained",{"title":3705,"description":3706},"Tokenization vs Encryption for PCI DSS: PAN Protection Compared","Compare tokenization and encryption for PCI DSS PAN protection. 
Learn when to use each, how token vaults work, format-preserving tokens, and the impact on PCI DSS scope.","5.frameworks\u002Fpci\u002Ftokenization-vs-encryption","G8BDoH76VayKEaIUTnuuGD0hRsBi7OXVbd1sK9vWLus",{"id":3710,"title":3711,"body":3712,"description":4047,"extension":473,"faq":2355,"frameworkSlug":528,"lastUpdated":819,"meta":4048,"navigation":510,"path":168,"relatedTerms":4049,"relatedTopics":4050,"seo":4051,"stem":4054,"__hash__":4055},"frameworkTopics\u002F5.frameworks\u002Fpci\u002Fv4-changes.md","PCI DSS v4.0 Changes",{"type":29,"value":3713,"toc":4029},[3714,3718,3721,3727,3731,3735,3738,3744,3749,3752,3766,3769,3772,3775,3789,3792,3796,3800,3803,3817,3820,3824,3827,3831,3834,3848,3851,3855,3858,3862,3865,3869,3872,3876,3879,3953,3956,3960,3963,3974,3981,3985,3988,4024],[32,3715,3717],{"id":3716},"the-transition-from-v321-to-v40","The transition from v3.2.1 to v4.0",[37,3719,3720],{},"PCI DSS v4.0 was published in March 2022 and represents the most significant update to the standard since its inception. The PCI Security Standards Council designed v4.0 to address the evolving threat landscape, accommodate modern security technologies, and shift the compliance mindset from point-in-time validation to continuous security.",[37,3722,3723,3724,3726],{},"PCI DSS v3.2.1 was retired on March 31, 2024. All assessments conducted after that date must use PCI DSS v4.0. Additionally, a set of future-dated requirements originally designated as best practices became mandatory on March 31, 2025. Organizations that have not already adapted their ",[41,3725,853],{"href":511}," programs to v4.0 face immediate compliance gaps.",[32,3728,3730],{"id":3729},"key-structural-changes","Key structural changes",[860,3732,3734],{"id":3733},"the-customized-approach","The customized approach",[37,3736,3737],{},"The most significant structural change in PCI DSS v4.0 is the introduction of the customized approach as a formal validation method. 
Under v3.2.1, organizations had two options: meet the defined requirement as stated or implement a compensating control. PCI DSS v4.0 adds a third path.",[37,3739,3740,3743],{},[71,3741,3742],{},"Defined approach"," - Meet the requirement exactly as stated, using the prescribed testing procedures. This is the traditional approach and remains available for all requirements.",[37,3745,3746,3748],{},[71,3747,2283],{}," - Meet the stated security objective of a requirement using alternative controls or methods that the organization designs. The assessor validates that the customized implementation achieves the same security outcome as the defined requirement.",[37,3750,3751],{},"The customized approach provides flexibility for organizations with mature security programs that have implemented innovative controls not contemplated by the prescriptive requirements. However, it comes with additional documentation requirements:",[200,3753,3754,3757,3760,3763],{},[68,3755,3756],{},"A controls matrix documenting how the custom implementation meets the security objective",[68,3758,3759],{},"A targeted risk analysis supporting the approach",[68,3761,3762],{},"Testing procedures defined by the assessor to validate the implementation",[68,3764,3765],{},"More detailed documentation than the defined approach requires",[37,3767,3768],{},"The customized approach is not available for all requirements. Certain foundational requirements, such as not storing sensitive authentication data after authorization, must be met using the defined approach.",[860,3770,2289],{"id":3771},"targeted-risk-analysis",[37,3773,3774],{},"PCI DSS v4.0 introduces a formal targeted risk analysis methodology that allows organizations to determine the appropriate frequency for certain recurring activities. Under v3.2.1, many frequencies were prescriptively defined (for example, quarterly reviews). 
Under v4.0, organizations can perform a documented risk analysis to justify different frequencies for activities such as:",[200,3776,3777,3780,3783,3786],{},[68,3778,3779],{},"Log review frequency",[68,3781,3782],{},"Password change intervals",[68,3784,3785],{},"Detection mechanism alert tuning",[68,3787,3788],{},"Review of user accounts and access privileges",[37,3790,3791],{},"Each targeted risk analysis must be documented, approved by management, and reviewed at least annually. The analysis must consider threat likelihood, potential impact, and the effectiveness of existing controls. This approach acknowledges that a one-size-fits-all frequency may not be appropriate for every organization.",[32,3793,3795],{"id":3794},"new-and-expanded-requirements","New and expanded requirements",[860,3797,3799],{"id":3798},"multi-factor-authentication-expansion","Multi-factor authentication expansion",[37,3801,3802],{},"PCI DSS v3.2.1 required multi-factor authentication (MFA) for remote access to the CDE and for non-console administrative access. 
PCI DSS v4.0 expands MFA requirements significantly:",[200,3804,3805,3808,3811,3814],{},[68,3806,3807],{},"MFA is now required for all access into the cardholder data environment, not just remote access",[68,3809,3810],{},"This applies to all personnel, not just administrators",[68,3812,3813],{},"MFA systems must be resistant to replay attacks and cannot be bypassed by any user, including administrators, without explicit exception documentation",[68,3815,3816],{},"MFA implementations must use at least two different authentication factors (something you know, something you have, something you are)",[37,3818,3819],{},"This change reflects the reality that credential theft is a leading attack vector and that internal network access alone should not be sufficient to reach cardholder data systems.",[860,3821,3823],{"id":3822},"enhanced-password-requirements","Enhanced password requirements",[37,3825,3826],{},"Minimum password length increased from 7 characters to 12 characters (or 8 characters if the system cannot support 12). PCI DSS v4.0 also encourages the use of passphrases and reduces the emphasis on forced periodic password changes when other compensating controls (such as MFA) are in place. This aligns with modern guidance from NIST SP 800-63B.",[860,3828,3830],{"id":3829},"e-commerce-and-payment-page-protections","E-commerce and payment page protections",[37,3832,3833],{},"PCI DSS v4.0 added multiple requirements targeting e-commerce security, driven by the rise of Magecart-style attacks that inject malicious scripts into payment pages:",[200,3835,3836,3842],{},[68,3837,3838,3841],{},[71,3839,3840],{},"Requirement 6.4.3"," - All payment page scripts that are loaded and executed in the consumer's browser must be managed. 
Organizations must maintain an inventory of scripts, justify each script's presence, and implement a method to ensure script integrity.",[68,3843,3844,3847],{},[71,3845,3846],{},"Requirement 11.6.1"," - A change and tamper detection mechanism must monitor payment pages for unauthorized modifications. HTTP headers and scripts on payment pages must be evaluated for changes at least weekly or through an automated mechanism.",[37,3849,3850],{},"These requirements apply to any organization whose website hosts or influences payment pages, even if actual card data processing is outsourced to a third party.",[860,3852,3854],{"id":3853},"anti-phishing-mechanisms","Anti-phishing mechanisms",[37,3856,3857],{},"Requirement 5.4.1 introduced an explicit mandate for mechanisms to detect and protect personnel against phishing attacks. This includes technical controls such as email filtering, link analysis, and domain-based authentication (DMARC, DKIM, SPF), along with security awareness training specifically addressing phishing threats.",[860,3859,3861],{"id":3860},"automated-log-review","Automated log review",[37,3863,3864],{},"Requirement 10.4.1.1 introduced automated mechanisms for performing audit log reviews. While v3.2.1 allowed manual log review processes, v4.0 acknowledges that the volume and velocity of modern log data make manual review impractical. Organizations should implement SIEM solutions or equivalent tools that can automatically detect anomalies and generate alerts.",[860,3866,3868],{"id":3867},"encryption-and-key-management-updates","Encryption and key management updates",[37,3870,3871],{},"PCI DSS v4.0 strengthened requirements around encryption, clarifying that disk-level or partition-level encryption alone is no longer acceptable for protecting stored cardholder data on electronic media (Requirement 3.5.1.2). 
This requirement specifically targets environments that relied solely on full-disk encryption solutions like BitLocker or FileVault without additional application-layer encryption.",[32,3873,3875],{"id":3874},"future-dated-requirements-now-mandatory","Future-dated requirements now mandatory",[37,3877,3878],{},"Several requirements in PCI DSS v4.0 were initially classified as best practices with a future effective date of March 31, 2025. These are now mandatory for all assessments:",[200,3880,3881,3887,3893,3899,3905,3911,3917,3923,3929,3935,3941,3947],{},[68,3882,3883,3886],{},[71,3884,3885],{},"Req 3.5.1.2"," - Disk-level encryption restrictions for removable electronic media",[68,3888,3889,3892],{},[71,3890,3891],{},"Req 5.3.3"," - Anti-malware scans for removable electronic media",[68,3894,3895,3898],{},[71,3896,3897],{},"Req 5.4.1"," - Anti-phishing mechanisms",[68,3900,3901,3904],{},[71,3902,3903],{},"Req 6.4.3"," - Payment page script management and integrity",[68,3906,3907,3910],{},[71,3908,3909],{},"Req 7.2.5"," - Application and system account access review",[68,3912,3913,3916],{},[71,3914,3915],{},"Req 8.3.6"," - Minimum 12-character passwords",[68,3918,3919,3922],{},[71,3920,3921],{},"Req 8.4.2"," - MFA for all CDE access",[68,3924,3925,3928],{},[71,3926,3927],{},"Req 8.6.3"," - Passwords for application and system accounts managed per defined criteria",[68,3930,3931,3934],{},[71,3932,3933],{},"Req 10.4.1.1"," - Automated log review mechanisms",[68,3936,3937,3940],{},[71,3938,3939],{},"Req 10.7.2"," - Detection and alerting for critical security control failures",[68,3942,3943,3946],{},[71,3944,3945],{},"Req 11.6.1"," - Payment page change and tamper detection",[68,3948,3949,3952],{},[71,3950,3951],{},"Req 12.3.1"," - Targeted risk analysis documentation for flexible requirement frequencies",[37,3954,3955],{},"Organizations that deferred these requirements during the transition period must now have them fully implemented and 
operational.",[32,3957,3959],{"id":3958},"impact-on-saqs-and-compliance-levels","Impact on SAQs and compliance levels",[37,3961,3962],{},"PCI DSS v4.0 updated all SAQ types to reflect the new and modified requirements. Key changes for self-assessing merchants include:",[200,3964,3965,3968,3971],{},[68,3966,3967],{},"SAQ A-EP now includes questions related to payment page script management and integrity monitoring",[68,3969,3970],{},"SAQ C and SAQ D incorporate the expanded MFA and password requirements",[68,3972,3973],{},"All SAQ types reflect the updated requirement numbering and language",[37,3975,3976,3977,3980],{},"For organizations at different ",[41,3978,3979],{"href":184},"PCI DSS compliance levels",", the impact varies. Level 1 merchants undergoing ROC assessments face the most comprehensive changes, while Level 4 merchants using SAQ A may see minimal impact if their payment processing is fully outsourced.",[32,3982,3984],{"id":3983},"preparing-for-ongoing-compliance","Preparing for ongoing compliance",[37,3986,3987],{},"The shift in PCI DSS v4.0 toward continuous security rather than annual compliance validation requires organizations to rethink their approach:",[200,3989,3990,3996,4002,4008,4018],{},[68,3991,3992,3995],{},[71,3993,3994],{},"Build monitoring into daily operations"," rather than scrambling before assessments",[68,3997,3998,4001],{},[71,3999,4000],{},"Automate evidence collection"," to maintain continuous compliance readiness",[68,4003,4004,4007],{},[71,4005,4006],{},"Invest in targeted risk analysis"," documentation as a core compliance activity",[68,4009,4010,4013,4014,4017],{},[71,4011,4012],{},"Review and update scope"," regularly, leveraging ",[41,4015,4016],{"href":297},"scope reduction"," strategies to minimize the compliance burden",[68,4019,4020,4023],{},[71,4021,4022],{},"Train teams"," on the new requirements, particularly around script management and MFA changes",[37,4025,3393,4026,4028],{},[41,4027,1129],{"href":378}," that 
handle payment data should treat the v4.0 transition as an opportunity to mature their security programs. The flexibility offered by the customized approach and targeted risk analysis rewards organizations that invest in understanding their threat landscape and building security controls tailored to their specific risks.",{"title":447,"searchDepth":448,"depth":448,"links":4030},[4031,4032,4036,4044,4045,4046],{"id":3716,"depth":448,"text":3717},{"id":3729,"depth":448,"text":3730,"children":4033},[4034,4035],{"id":3733,"depth":1179,"text":3734},{"id":3771,"depth":1179,"text":2289},{"id":3794,"depth":448,"text":3795,"children":4037},[4038,4039,4040,4041,4042,4043],{"id":3798,"depth":1179,"text":3799},{"id":3822,"depth":1179,"text":3823},{"id":3829,"depth":1179,"text":3830},{"id":3853,"depth":1179,"text":3854},{"id":3860,"depth":1179,"text":3861},{"id":3867,"depth":1179,"text":3868},{"id":3874,"depth":448,"text":3875},{"id":3958,"depth":448,"text":3959},{"id":3983,"depth":448,"text":3984},"A comprehensive overview of the key changes from PCI DSS v3.2.1 to v4.0, including new requirements, the customized approach, and the transition timeline.",{},[823,1212],[827,2138,1214],{"title":4052,"description":4053},"PCI DSS v4.0 Changes - What's New from v3.2.1 to v4.0","Key changes in PCI DSS v4.0 including the customized approach, expanded MFA, e-commerce protections, and transition timeline from v3.2.1.","5.frameworks\u002Fpci\u002Fv4-changes","rydeRDOBvcQ4xyt3B5VsbQT5QlreXALBiFnGLa7oCUo",[4057,4622,4843,5075,5279,5526,5726,5939,6067,6185,6307,6425,6969,7096,7621,7752,7874,7995,8127,8274,8504,8668,8916,9169,9373,9662,9851,10087,10295,10473],{"id":4058,"title":4059,"body":4060,"description":447,"extension":473,"lastUpdated":819,"meta":4604,"navigation":510,"path":4605,"relatedFrameworks":4606,"relatedTerms":4612,"seo":4616,"slug":4619,"stem":4620,"term":4065,"__hash__":4621},"glossary\u002F8.glossary\u002Faccess-control.md","Access 
Control",{"type":29,"value":4061,"toc":4590},[4062,4066,4069,4073,4076,4101,4105,4111,4117,4123,4129,4133,4136,4142,4159,4165,4179,4185,4196,4200,4203,4258,4262,4265,4279,4283,4286,4309,4313,4316,4365,4369,4372,4486,4489,4492,4521,4525,4531,4534,4570,4573,4576,4579,4583],[32,4063,4065],{"id":4064},"what-is-access-control","What is Access Control?",[37,4067,4068],{},"Access control is the set of policies, procedures, and technical mechanisms that regulate who can access systems, data, and resources within an organization. It ensures that only authorized individuals can view, modify, or interact with sensitive information and critical systems. Access control is one of the most fundamental and universally required security controls across every major compliance framework.",[860,4070,4072],{"id":4071},"what-are-the-core-principles-of-access-control","What are the core principles of access control?",[37,4074,4075],{},"Access control is built on several foundational principles:",[200,4077,4078,4084,4089,4095],{},[68,4079,4080,4083],{},[71,4081,4082],{},"Least privilege"," — users are granted only the minimum access necessary to perform their job functions",[68,4085,4086,4088],{},[71,4087,1387],{}," — critical tasks are divided among multiple individuals to prevent any single person from having unchecked authority",[68,4090,4091,4094],{},[71,4092,4093],{},"Need to know"," — access to information is restricted to those who require it for a specific purpose",[68,4096,4097,4100],{},[71,4098,4099],{},"Default deny"," — access is denied by default unless explicitly granted",[860,4102,4104],{"id":4103},"what-are-the-types-of-access-control","What are the types of access control?",[37,4106,4107,4110],{},[71,4108,4109],{},"Role-Based Access Control (RBAC)"," — access is determined by the user's role within the organization. Roles are defined with specific permissions, and users are assigned to roles. 
This is the most common model in enterprise environments.",[37,4112,4113,4116],{},[71,4114,4115],{},"Attribute-Based Access Control (ABAC)"," — access decisions are based on attributes of the user, the resource, and the environment (e.g., department, location, time of day, device type).",[37,4118,4119,4122],{},[71,4120,4121],{},"Discretionary Access Control (DAC)"," — resource owners decide who can access their resources. Common in file systems where owners set permissions.",[37,4124,4125,4128],{},[71,4126,4127],{},"Mandatory Access Control (MAC)"," — access is controlled by the system based on security labels and clearance levels. Common in government and military environments.",[860,4130,4132],{"id":4131},"what-are-access-control-components","What are access control components?",[37,4134,4135],{},"A complete access control program addresses:",[37,4137,4138,4141],{},[71,4139,4140],{},"Authentication"," — verifying the identity of users:",[200,4143,4144,4147,4150,4153,4156],{},[68,4145,4146],{},"Passwords and passphrases",[68,4148,4149],{},"Multi-factor authentication (MFA)",[68,4151,4152],{},"Single sign-on (SSO)",[68,4154,4155],{},"Biometric authentication",[68,4157,4158],{},"Certificate-based authentication",[37,4160,4161,4164],{},[71,4162,4163],{},"Authorization"," — determining what authenticated users can do:",[200,4166,4167,4170,4173,4176],{},[68,4168,4169],{},"Permission assignments",[68,4171,4172],{},"Role definitions",[68,4174,4175],{},"Access control lists",[68,4177,4178],{},"Policy enforcement points",[37,4180,4181,4184],{},[71,4182,4183],{},"Access lifecycle management"," — managing access throughout the user lifecycle:",[200,4186,4187,4190,4193],{},[68,4188,4189],{},"Provisioning (granting access when hired or role changes)",[68,4191,4192],{},"Review (periodic access certification)",[68,4194,4195],{},"Deprovisioning (revoking access upon termination or role change)",[860,4197,4199],{"id":4198},"how-do-compliance-frameworks-address-access-control","How 
do compliance frameworks address access control?",[37,4201,4202],{},"Every major framework requires access control:",[200,4204,4205,4214,4228,4242,4249],{},[68,4206,4207,4213],{},[71,4208,4209],{},[41,4210,4212],{"href":4211},"\u002Fframeworks\u002Fsoc2","SOC 2"," — CC6.1 through CC6.8 cover logical and physical access controls",[68,4215,4216,4222,4223,4227],{},[71,4217,4218],{},[41,4219,4221],{"href":4220},"\u002Fframeworks\u002Fiso27001","ISO 27001"," — ",[41,4224,4226],{"href":4225},"\u002Fglossary\u002Fannex-a","Annex A"," controls A.5.15 through A.5.18 and A.8.2 through A.8.5 address access management",[68,4229,4230,4236,4237,4241],{},[71,4231,4232],{},[41,4233,4235],{"href":4234},"\u002Fframeworks\u002Fhipaa","HIPAA"," — the ",[41,4238,4240],{"href":4239},"\u002Fframeworks\u002Fhipaa\u002Fsecurity-rule","Security Rule"," requires access controls for ePHI (45 CFR 164.312(a))",[68,4243,4244,4248],{},[71,4245,4246],{},[41,4247,44],{"href":511}," — Requirements 7 and 8 address access restriction and user identification",[68,4250,4251,4257],{},[71,4252,4253],{},[41,4254,4256],{"href":4255},"\u002Fframeworks\u002Fnistcsf","NIST CSF"," — PR.AC covers identity management, authentication, and access control",[860,4259,4261],{"id":4260},"what-are-access-reviews","What are access reviews?",[37,4263,4264],{},"Regular access reviews (also called access certifications) are a critical control:",[200,4266,4267,4270,4273,4276],{},[68,4268,4269],{},"Review user access rights periodically (quarterly is common for sensitive systems)",[68,4271,4272],{},"Verify that access aligns with current job responsibilities",[68,4274,4275],{},"Identify and remove excessive or unnecessary access",[68,4277,4278],{},"Document review results and remediation actions",[860,4280,4282],{"id":4281},"what-are-common-access-control-weaknesses","What are common access control weaknesses?",[37,4284,4285],{},"Even well-designed access control programs can degrade over time without ongoing attention. 
Watch for these common issues:",[200,4287,4288,4291,4294,4297,4300,4303,4306],{},[68,4289,4290],{},"Excessive permissions that accumulate over time (privilege creep)",[68,4292,4293],{},"Shared or generic accounts that prevent individual accountability",[68,4295,4296],{},"Delayed deprovisioning when employees leave or change roles",[68,4298,4299],{},"Lack of MFA on critical systems and remote access paths",[68,4301,4302],{},"Inconsistent access review processes with no documented remediation",[68,4304,4305],{},"Service accounts with standing privileged access and no rotation schedule",[68,4307,4308],{},"Lack of visibility into SaaS application access outside the corporate IdP",[860,4310,4312],{"id":4311},"how-do-you-implement-access-control-in-practice","How do you implement access control in practice?",[37,4314,4315],{},"Effective access control programs start with planning and build toward automation. The following steps provide a practical roadmap for organizations at any maturity level:",[65,4317,4318,4324,4330,4336,4342,4348,4359],{},[68,4319,4320,4323],{},[71,4321,4322],{},"Map your environment"," — inventory all systems, applications, and data repositories that require access controls. You cannot protect what you have not identified. Include SaaS applications, cloud infrastructure, on-premises servers, databases, file shares, and third-party integrations.",[68,4325,4326,4329],{},[71,4327,4328],{},"Define roles based on job functions"," — create roles that reflect organizational responsibilities, not individual users. Align roles to the principle of least privilege so each role includes only the permissions required for that function. Review role definitions annually and whenever organizational structure changes.",[68,4331,4332,4335],{},[71,4333,4334],{},"Centralize authentication with SSO"," — implement single sign-on using SAML 2.0 or OpenID Connect (OIDC) to unify identity across cloud and on-premises systems. 
Centralized authentication reduces password sprawl and gives security teams a single point of enforcement. Ensure all business-critical applications are integrated with your SSO provider before considering the rollout complete.",[68,4337,4338,4341],{},[71,4339,4340],{},"Layer MFA on all critical systems"," — require multi-factor authentication for remote access, privileged accounts, email, cloud consoles, and any system that touches sensitive data. Phishing-resistant methods such as FIDO2 hardware keys are preferred over SMS-based codes. At a minimum, enforce MFA on identity providers, admin consoles, and VPN access.",[68,4343,4344,4347],{},[71,4345,4346],{},"Automate provisioning and deprovisioning"," — connect your HR system to your identity provider (IdP) and use SCIM or directory sync to automate account creation, role assignment, and account removal. When an employee is terminated in the HR system, access should be revoked within minutes, not days. Automation eliminates the human error that leads to orphaned accounts and privilege creep.",[68,4349,4350,4353,4354,4358],{},[71,4351,4352],{},"Build an access request and approval workflow"," — establish a formal process where users request access with documented business justification, managers approve, and the request is logged for audit. This creates an ",[41,4355,4357],{"href":4356},"\u002Fglossary\u002Faudit-trail","audit trail"," that satisfies compliance requirements.",[68,4360,4361,4364],{},[71,4362,4363],{},"Monitor and log access events"," — collect authentication and authorization logs centrally. Monitor for anomalies such as failed login attempts, access from unusual locations, and privilege escalation. Logs are essential for incident response and audit evidence.",[860,4366,4368],{"id":4367},"what-are-the-access-control-requirements","What are the access control requirements?",[37,4370,4371],{},"Different frameworks address the same access control concepts with different control references. 
The table below maps common requirements to their framework-specific identifiers:",[2387,4373,4374,4391],{},[2390,4375,4376],{},[2393,4377,4378,4381,4383,4385,4387,4389],{},[2396,4379,4380],{},"Requirement",[2396,4382,4212],{},[2396,4384,4221],{},[2396,4386,4235],{},[2396,4388,44],{},[2396,4390,4256],{},[2406,4392,4393,4413,4432,4452,4469],{},[2393,4394,4395,4398,4401,4404,4407,4410],{},[2411,4396,4397],{},"Unique user IDs",[2411,4399,4400],{},"CC6.1",[2411,4402,4403],{},"A.5.16",[2411,4405,4406],{},"§164.312(a)(2)(i)",[2411,4408,4409],{},"Req 8.2.1",[2411,4411,4412],{},"PR.AC-1",[2393,4414,4415,4418,4420,4423,4426,4429],{},[2411,4416,4417],{},"MFA",[2411,4419,4400],{},[2411,4421,4422],{},"A.8.5",[2411,4424,4425],{},"Addressable",[2411,4427,4428],{},"Req 8.4",[2411,4430,4431],{},"PR.AC-7",[2393,4433,4434,4437,4440,4443,4446,4449],{},[2411,4435,4436],{},"Access reviews",[2411,4438,4439],{},"CC6.2",[2411,4441,4442],{},"A.5.18",[2411,4444,4445],{},"§164.312(a)(1)",[2411,4447,4448],{},"Req 7.2",[2411,4450,4451],{},"PR.AC-4",[2393,4453,4454,4456,4459,4462,4464,4467],{},[2411,4455,4082],{},[2411,4457,4458],{},"CC6.3",[2411,4460,4461],{},"A.5.15",[2411,4463,4445],{},[2411,4465,4466],{},"Req 7.1",[2411,4468,4451],{},[2393,4470,4471,4474,4476,4478,4481,4484],{},[2411,4472,4473],{},"Deprovisioning",[2411,4475,4439],{},[2411,4477,4442],{},[2411,4479,4480],{},"§164.312(a)(2)(ii)",[2411,4482,4483],{},"Req 8.2.6",[2411,4485,4412],{},[37,4487,4488],{},"Organizations subject to multiple frameworks can use this mapping to build a unified access control program that satisfies overlapping requirements without duplicating effort.",[37,4490,4491],{},"A few notes on framework-specific nuances:",[200,4493,4494,4499,4507,4514],{},[68,4495,4496,4498],{},[71,4497,4235],{}," treats MFA as an \"addressable\" implementation specification, meaning covered entities must implement it or document why an equivalent alternative is reasonable. 
In practice, most organizations implement MFA because the risk of not doing so is difficult to justify.",[68,4500,4501,4506],{},[71,4502,4503,4505],{},[41,4504,44],{"href":511}," v4.0"," expanded MFA requirements (Req 8.4) to include all access into the cardholder data environment, not just remote access. Organizations processing card data should verify their MFA coverage meets the updated scope.",[68,4508,4509,4513],{},[71,4510,4511],{},[41,4512,4212],{"href":4211}," does not prescribe specific technologies but evaluates whether the controls in place are suitably designed and operating effectively. Auditors will look for evidence that access control policies are enforced consistently.",[68,4515,4516,4520],{},[71,4517,4518],{},[41,4519,4256],{"href":4255}," provides a flexible, risk-based approach. The PR.AC subcategory identifiers map to more detailed controls in NIST SP 800-53, which organizations can reference for implementation guidance.",[860,4522,4524],{"id":4523},"how-does-zero-trust-relate-to-access-control","How does zero trust relate to access control?",[37,4526,4527,4528,79],{},"Traditional access control models assume that users inside the network perimeter can be trusted. Zero trust architecture rejects that assumption entirely: ",[71,4529,4530],{},"never trust, always verify",[37,4532,4533],{},"In a zero trust model, every access request is authenticated, authorized, and encrypted regardless of where it originates. Key principles include:",[200,4535,4536,4542,4548,4558,4564],{},[68,4537,4538,4541],{},[71,4539,4540],{},"Continuous verification"," — access decisions are re-evaluated throughout a session, not just at login. 
Changes in user behavior, location, or risk score can trigger step-up authentication or session termination.",[68,4543,4544,4547],{},[71,4545,4546],{},"Micro-segmentation"," — network resources are divided into small, isolated zones so that compromising one segment does not grant lateral access to others.",[68,4549,4550,4553,4554,4557],{},[71,4551,4552],{},"Device posture checks"," — the security state of the connecting device (patch level, endpoint protection status, disk ",[41,4555,3700],{"href":4556},"\u002Fglossary\u002Fencryption",") is evaluated before access is granted.",[68,4559,4560,4563],{},[71,4561,4562],{},"Identity-centric perimeter"," — the network perimeter is replaced by identity as the primary security boundary. Every user, device, and workload must prove its identity before accessing any resource.",[68,4565,4566,4569],{},[71,4567,4568],{},"Least privilege enforcement at the session level"," — access grants are scoped to the specific resource and action needed, and they expire when the session ends or conditions change.",[37,4571,4572],{},"NIST SP 800-207 defines the zero trust architecture and provides guidance on implementation. Many compliance frameworks are increasingly aligning their access control requirements with zero trust principles, making it a forward-looking strategy for organizations building or modernizing their access control programs.",[37,4574,4575],{},"Zero trust is not a single product but an architectural approach that spans identity, network, endpoints, and data.",[37,4577,4578],{},"Adopting zero trust does not require replacing your existing access control infrastructure overnight. Most organizations begin by enforcing MFA universally, segmenting their most sensitive assets, and adding device posture checks to their conditional access policies. 
Over time, these incremental improvements compound into a mature zero trust posture.",[860,4580,4582],{"id":4581},"how-does-episki-help-with-access-control","How does episki help with access control?",[37,4584,4585,4586,79],{},"episki tracks access control policies, monitors review schedules, and documents access provisioning and deprovisioning activities. The platform sends reminders for periodic access reviews and maintains evidence for auditors. Learn more on our ",[41,4587,4589],{"href":4588},"\u002Fframeworks","compliance platform",{"title":447,"searchDepth":448,"depth":448,"links":4591},[4592],{"id":4064,"depth":448,"text":4065,"children":4593},[4594,4595,4596,4597,4598,4599,4600,4601,4602,4603],{"id":4071,"depth":1179,"text":4072},{"id":4103,"depth":1179,"text":4104},{"id":4131,"depth":1179,"text":4132},{"id":4198,"depth":1179,"text":4199},{"id":4260,"depth":1179,"text":4261},{"id":4281,"depth":1179,"text":4282},{"id":4311,"depth":1179,"text":4312},{"id":4367,"depth":1179,"text":4368},{"id":4523,"depth":1179,"text":4524},{"id":4581,"depth":1179,"text":4582},{},"\u002Fglossary\u002Faccess-control",[4607,4608,4609,4610,528,4611],"cmmc","soc2","iso27001","hipaa","nistcsf",[4613,4614,3700,4615],"minimum-necessary-rule","audit-trail","user-entity-controls",{"title":4617,"description":4618},"Access Control in Compliance: RBAC, MFA & Least Privilege","Access control restricts system and data access to authorized users. 
Learn RBAC, MFA, least privilege, and requirements across SOC 2, ISO 27001, HIPAA, and PCI DSS.","access-control","8.glossary\u002Faccess-control","06FHtOe5hEs65vhNnMjZcNgPP9NXCQTnLD9llz_jEjM",{"id":4623,"title":4624,"body":4625,"description":447,"extension":473,"lastUpdated":819,"meta":4835,"navigation":510,"path":340,"relatedFrameworks":4836,"relatedTerms":4837,"seo":4838,"slug":822,"stem":4841,"term":4630,"__hash__":4842},"glossary\u002F8.glossary\u002Fasv.md","Asv",{"type":29,"value":4626,"toc":4824},[4627,4631,4634,4638,4641,4658,4662,4665,4697,4701,4704,4746,4750,4753,4764,4767,4771,4774,4787,4790,4794,4797,4814,4818],[32,4628,4630],{"id":4629},"what-is-an-approved-scanning-vendor-asv","What is an Approved Scanning Vendor (ASV)?",[37,4632,4633],{},"An Approved Scanning Vendor (ASV) is a company certified by the PCI Security Standards Council to perform external vulnerability scans of internet-facing systems that are part of the cardholder data environment. ASV scans are a specific PCI DSS requirement (Requirement 11.3.2) and must be conducted quarterly by a PCI SSC-approved vendor.",[860,4635,4637],{"id":4636},"what-is-the-purpose-of-asv-scans","What is the purpose of ASV scans?",[37,4639,4640],{},"ASV scans serve as an independent check on the security of externally facing systems that could be used to access cardholder data. 
The scans identify:",[200,4642,4643,4646,4649,4652,4655],{},[68,4644,4645],{},"Known vulnerabilities in operating systems, applications, and network devices",[68,4647,4648],{},"Misconfigurations that could expose systems to attack",[68,4650,4651],{},"Weak or default credentials on internet-facing services",[68,4653,4654],{},"Missing security patches",[68,4656,4657],{},"Other security weaknesses visible from the external network",[860,4659,4661],{"id":4660},"what-are-the-asv-scan-requirements","What are the ASV scan requirements?",[37,4663,4664],{},"PCI DSS requires:",[200,4666,4667,4673,4679,4685,4691],{},[68,4668,4669,4672],{},[71,4670,4671],{},"Quarterly scans"," — external vulnerability scans must be performed at least once every 90 days",[68,4674,4675,4678],{},[71,4676,4677],{},"Passing results"," — scans must achieve a passing status, meaning no vulnerabilities with a CVSS score of 4.0 or higher remain unresolved",[68,4680,4681,4684],{},[71,4682,4683],{},"Scan coverage"," — all externally facing IP addresses and domains in scope must be included",[68,4686,4687,4690],{},[71,4688,4689],{},"Rescans after remediation"," — if a scan fails, vulnerabilities must be remediated and a rescan performed to confirm resolution",[68,4692,4693,4696],{},[71,4694,4695],{},"Scan after significant changes"," — additional scans may be required after significant infrastructure changes",[860,4698,4700],{"id":4699},"how-do-asv-scans-work","How do ASV scans work?",[37,4702,4703],{},"The ASV scan process typically follows these steps:",[65,4705,4706,4712,4718,4724,4730,4735,4740],{},[68,4707,4708,4711],{},[71,4709,4710],{},"Scope definition"," — the organization identifies all external IP addresses and domains in the cardholder data environment",[68,4713,4714,4717],{},[71,4715,4716],{},"Scan execution"," — the ASV performs automated vulnerability scanning against the defined scope",[68,4719,4720,4723],{},[71,4721,4722],{},"Results review"," — the ASV provides a report detailing 
identified vulnerabilities, their severity, and remediation guidance",[68,4725,4726,4729],{},[71,4727,4728],{},"Dispute resolution"," — if the organization believes a finding is a false positive, it can submit a dispute to the ASV with supporting evidence",[68,4731,4732,4734],{},[71,4733,621],{}," — the organization addresses identified vulnerabilities",[68,4736,4737,4739],{},[71,4738,627],{}," — if needed, the ASV performs additional scans to confirm remediation",[68,4741,4742,4745],{},[71,4743,4744],{},"Attestation"," — the ASV provides a scan attestation confirming the results",[860,4747,4749],{"id":4748},"what-is-the-difference-between-passing-and-failing-asv-scans","What is the difference between passing and failing ASV scans?",[37,4751,4752],{},"A scan is considered passing when:",[200,4754,4755,4758,4761],{},[68,4756,4757],{},"No vulnerabilities with a CVSS base score of 4.0 or higher are present",[68,4759,4760],{},"No automatic failure conditions exist (such as DNS zone transfers, unrestricted SQL access, or use of SSL\u002Fearly TLS)",[68,4762,4763],{},"All components in scope have been successfully scanned",[37,4765,4766],{},"Failing scans must be addressed before the organization can demonstrate compliance for that quarter.",[860,4768,4770],{"id":4769},"what-is-the-difference-between-asv-scans-and-penetration-testing","What is the difference between ASV scans and penetration testing?",[37,4772,4773],{},"ASV scans and penetration testing serve different purposes:",[200,4775,4776,4782],{},[68,4777,4778,4781],{},[71,4779,4780],{},"ASV scans"," are automated external vulnerability scans required quarterly, focused on identifying known vulnerabilities",[68,4783,4784,4786],{},[71,4785,3007],{}," involves manual testing by skilled testers who attempt to exploit vulnerabilities and chain findings together",[37,4788,4789],{},"Both are required by PCI DSS, but they serve complementary functions. 
ASV scans provide broad, frequent coverage while penetration tests provide deeper, more targeted analysis.",[860,4791,4793],{"id":4792},"how-do-you-choose-an-asv","How do you choose an ASV?",[37,4795,4796],{},"The PCI SSC maintains a list of approved scanning vendors on its website. When selecting an ASV, consider:",[200,4798,4799,4802,4805,4808,4811],{},[68,4800,4801],{},"Quality and usability of scan reports",[68,4803,4804],{},"False positive rates and dispute resolution processes",[68,4806,4807],{},"Customer support responsiveness",[68,4809,4810],{},"Integration capabilities with your security tools",[68,4812,4813],{},"Pricing structure",[860,4815,4817],{"id":4816},"how-does-episki-help-with-asv-scans","How does episki help with ASV scans?",[37,4819,4820,4821,79],{},"episki tracks your ASV scan schedule, stores scan results, and monitors remediation of identified vulnerabilities. The platform alerts you when quarterly scans are due and flags overdue remediation items. Learn more on our ",[41,4822,4823],{"href":511},"PCI DSS compliance page",{"title":447,"searchDepth":448,"depth":448,"links":4825},[4826],{"id":4629,"depth":448,"text":4630,"children":4827},[4828,4829,4830,4831,4832,4833,4834],{"id":4636,"depth":1179,"text":4637},{"id":4660,"depth":1179,"text":4661},{"id":4699,"depth":1179,"text":4700},{"id":4748,"depth":1179,"text":4749},{"id":4769,"depth":1179,"text":4770},{"id":4792,"depth":1179,"text":4793},{"id":4816,"depth":1179,"text":4817},{},[528],[823,2135,1584,828,824],{"title":4839,"description":4840},"Approved Scanning Vendor (ASV): PCI DSS Scan Requirements","An ASV is a PCI SSC-certified company that runs external vulnerability scans. 
Learn when ASV scans are required, how to pass, and what happens if you fail.","8.glossary\u002Fasv","1RCuGF3FH1uv6KD3UKnip7mN31_pxDH7c5aUf0urTlM",{"id":4844,"title":4845,"body":4846,"description":447,"extension":473,"lastUpdated":819,"meta":5064,"navigation":510,"path":4356,"relatedFrameworks":5065,"relatedTerms":5066,"seo":5070,"slug":4614,"stem":5073,"term":4851,"__hash__":5074},"glossary\u002F8.glossary\u002Faudit-trail.md","Audit Trail",{"type":29,"value":4847,"toc":5054},[4848,4852,4855,4859,4862,4900,4903,4923,4927,4930,4952,4956,4959,5003,5007,5010,5024,5028,5045,5049],[32,4849,4851],{"id":4850},"what-is-an-audit-trail","What is an Audit Trail?",[37,4853,4854],{},"An audit trail is a chronological record of activities, events, and changes within a system or process that provides documentary evidence of the sequence of actions performed. Audit trails answer the fundamental questions: who did what, when did they do it, where did it happen, and what was the result. They are essential for security monitoring, incident investigation, compliance demonstration, and accountability.",[860,4856,4858],{"id":4857},"what-do-audit-trails-capture","What do audit trails capture?",[37,4860,4861],{},"Effective audit trails typically record:",[200,4863,4864,4870,4876,4882,4888,4894],{},[68,4865,4866,4869],{},[71,4867,4868],{},"User actions"," — logins, logouts, data access, data modifications, privilege changes",[68,4871,4872,4875],{},[71,4873,4874],{},"System events"," — configuration changes, service starts and stops, errors, failures",[68,4877,4878,4881],{},[71,4879,4880],{},"Administrative actions"," — user account creation and deletion, permission changes, policy updates",[68,4883,4884,4887],{},[71,4885,4886],{},"Data changes"," — creation, modification, and deletion of records, including before and after values where applicable",[68,4889,4890,4893],{},[71,4891,4892],{},"Access attempts"," — both successful and failed authentication and authorization 
attempts",[68,4895,4896,4899],{},[71,4897,4898],{},"Security events"," — firewall rule changes, intrusion detection alerts, malware detections",[37,4901,4902],{},"Each audit trail entry should include:",[200,4904,4905,4908,4911,4914,4917,4920],{},[68,4906,4907],{},"Timestamp (synchronized across systems)",[68,4909,4910],{},"User or system identity",[68,4912,4913],{},"Action performed",[68,4915,4916],{},"Target resource or data",[68,4918,4919],{},"Outcome (success or failure)",[68,4921,4922],{},"Source (IP address, device, or location)",[860,4924,4926],{"id":4925},"what-are-the-audit-trail-requirements","What are the audit trail requirements?",[37,4928,4929],{},"Multiple compliance frameworks require audit trails:",[200,4931,4932,4937,4942,4947],{},[68,4933,4934,4936],{},[71,4935,4212],{}," — CC7.2 requires monitoring of system components for anomalies, and CC6.1 requires logical access controls with logging",[68,4938,4939,4941],{},[71,4940,4221],{}," — control A.8.15 addresses logging, and A.8.17 addresses clock synchronization for accurate audit trails",[68,4943,4944,4946],{},[71,4945,4235],{}," — the Security Rule requires audit controls that record and examine activity in systems containing ePHI (45 CFR 164.312(b))",[68,4948,4949,4951],{},[71,4950,44],{}," — Requirement 10 mandates logging and monitoring all access to network resources and cardholder data",[860,4953,4955],{"id":4954},"how-do-you-implement-audit-trails","How do you implement audit trails?",[37,4957,4958],{},"To implement effective audit trails:",[65,4960,4961,4967,4973,4979,4985,4991,4997],{},[68,4962,4963,4966],{},[71,4964,4965],{},"Enable logging"," — activate audit logging on all in-scope systems including applications, databases, operating systems, and network devices",[68,4968,4969,4972],{},[71,4970,4971],{},"Centralize logs"," — aggregate logs into a central platform (SIEM) for correlation and analysis",[68,4974,4975,4978],{},[71,4976,4977],{},"Protect integrity"," — ensure logs cannot be 
modified or deleted by users, including administrators",[68,4980,4981,4984],{},[71,4982,4983],{},"Synchronize time"," — use NTP to ensure timestamps are consistent across all systems",[68,4986,4987,4990],{},[71,4988,4989],{},"Define retention"," — establish retention periods aligned with compliance and business requirements",[68,4992,4993,4996],{},[71,4994,4995],{},"Monitor actively"," — review audit trails for suspicious activity, not just for compliance evidence",[68,4998,4999,5002],{},[71,5000,5001],{},"Automate alerts"," — configure alerts for critical events such as failed login attempts, privilege escalation, and unauthorized access",[860,5004,5006],{"id":5005},"how-long-should-audit-trails-be-retained","How long should audit trails be retained?",[37,5008,5009],{},"Retention requirements vary by framework and jurisdiction:",[200,5011,5012,5015,5018,5021],{},[68,5013,5014],{},"PCI DSS requires at least 12 months of audit trail history, with the most recent 3 months immediately available",[68,5016,5017],{},"HIPAA requires documentation retention for 6 years",[68,5019,5020],{},"ISO 27001 does not specify a fixed period but requires organizations to define and follow their own retention policy",[68,5022,5023],{},"SOC 2 audit periods typically require evidence covering the observation period",[860,5025,5027],{"id":5026},"what-are-common-pitfalls-with-audit-trails","What are common pitfalls with audit trails?",[200,5029,5030,5033,5036,5039,5042],{},[68,5031,5032],{},"Insufficient logging — missing critical events or systems",[68,5034,5035],{},"Log overload — logging too much without meaningful analysis",[68,5037,5038],{},"No log protection — allowing administrators to modify or delete logs",[68,5040,5041],{},"Inconsistent timestamps — making it impossible to correlate events across systems",[68,5043,5044],{},"No review process — collecting logs but never analyzing them",[860,5046,5048],{"id":5047},"how-does-episki-help-with-audit-trails","How does episki help with 
audit trails?",[37,5050,5051,5052,79],{},"episki integrates with your logging infrastructure to track compliance-relevant events, maintain audit trail records, and demonstrate continuous monitoring to auditors. The platform maps audit trail capabilities to framework requirements and flags gaps in coverage. Learn more on our ",[41,5053,4589],{"href":4588},{"title":447,"searchDepth":448,"depth":448,"links":5055},[5056],{"id":4850,"depth":448,"text":4851,"children":5057},[5058,5059,5060,5061,5062,5063],{"id":4857,"depth":1179,"text":4858},{"id":4925,"depth":1179,"text":4926},{"id":4954,"depth":1179,"text":4955},{"id":5005,"depth":1179,"text":5006},{"id":5026,"depth":1179,"text":5027},{"id":5047,"depth":1179,"text":5048},{},[4608,4609,4610,528],[5067,4619,5068,5069],"evidence-collection","continuous-monitoring","incident-response",{"title":5071,"description":5072},"What is an Audit Trail? Definition & Compliance Guide","An audit trail is a chronological record of system activities that provides evidence of who did what, when, and where for security and compliance purposes.","8.glossary\u002Faudit-trail","wGJCFb9Xcb1bQvrLNHVniHH6roxZCmzstztRki0-h68",{"id":5076,"title":5077,"body":5078,"description":447,"extension":473,"lastUpdated":819,"meta":5271,"navigation":510,"path":77,"relatedFrameworks":5272,"relatedTerms":5273,"seo":5274,"slug":1584,"stem":5277,"term":5083,"__hash__":5278},"glossary\u002F8.glossary\u002Fcardholder-data-environment.md","Cardholder Data Environment",{"type":29,"value":5079,"toc":5261},[5080,5084,5087,5091,5094,5120,5124,5127,5141,5144,5148,5151,5189,5193,5196,5219,5223,5226,5252,5256],[32,5081,5083],{"id":5082},"what-is-a-cardholder-data-environment","What is a Cardholder Data Environment?",[37,5085,5086],{},"The Cardholder Data Environment (CDE) is the collection of people, processes, and technology that store, process, or transmit cardholder data or sensitive authentication data. 
Defining the CDE is one of the most critical steps in PCI DSS compliance because it determines the scope of your assessment — everything inside the CDE must meet PCI DSS requirements.",[860,5088,5090],{"id":5089},"what-are-the-components-of-the-cde","What are the components of the CDE?",[37,5092,5093],{},"The CDE includes:",[200,5095,5096,5102,5108,5114],{},[68,5097,5098,5101],{},[71,5099,5100],{},"System components"," — servers, databases, applications, network devices, and any other technology that stores, processes, or transmits cardholder data",[68,5103,5104,5107],{},[71,5105,5106],{},"Network segments"," — the network segments where cardholder data flows or resides",[68,5109,5110,5113],{},[71,5111,5112],{},"People"," — employees, contractors, and third parties who have access to cardholder data or the systems that handle it",[68,5115,5116,5119],{},[71,5117,5118],{},"Processes"," — business processes that involve cardholder data, such as payment processing, refunds, chargebacks, and reporting",[860,5121,5123],{"id":5122},"what-counts-as-a-connected-system-in-the-cde","What counts as a connected system in the CDE?",[37,5125,5126],{},"Beyond the systems that directly handle cardholder data, PCI DSS also brings into scope any systems that are connected to or could affect the security of the CDE. 
These include:",[200,5128,5129,5132,5135,5138],{},[68,5130,5131],{},"Systems that provide security services to the CDE (firewalls, IDS\u002FIPS, authentication servers)",[68,5133,5134],{},"Systems on the same network segment as CDE components",[68,5136,5137],{},"Systems that can initiate connections into the CDE",[68,5139,5140],{},"Administrative systems used to manage CDE components",[37,5142,5143],{},"This expanded scope is why network segmentation is so important — it limits the number of connected systems and reduces the overall compliance burden.",[860,5145,5147],{"id":5146},"how-do-you-define-your-cde","How do you define your CDE?",[37,5149,5150],{},"To accurately define your CDE:",[65,5152,5153,5159,5165,5171,5177,5183],{},[68,5154,5155,5158],{},[71,5156,5157],{},"Map cardholder data flows"," — trace how cardholder data enters, moves through, and exits your environment",[68,5160,5161,5164],{},[71,5162,5163],{},"Identify all storage locations"," — find every database, file, log, and backup where cardholder data is stored",[68,5166,5167,5170],{},[71,5168,5169],{},"Document processing systems"," — identify every application and system that processes cardholder data",[68,5172,5173,5176],{},[71,5174,5175],{},"Map network paths"," — document the network segments and connections involved in cardholder data transmission",[68,5178,5179,5182],{},[71,5180,5181],{},"Identify connected systems"," — determine which systems connect to or could affect CDE components",[68,5184,5185,5188],{},[71,5186,5187],{},"Verify with data discovery"," — use data discovery tools to confirm that cardholder data does not exist outside the documented CDE",[860,5190,5192],{"id":5191},"how-do-you-reduce-the-cde","How do you reduce the CDE?",[37,5194,5195],{},"A smaller CDE means fewer systems in scope and lower compliance costs. 
Common strategies to reduce the CDE include:",[200,5197,5198,5203,5208,5214],{},[68,5199,5200,5202],{},[71,5201,2795],{}," — replace cardholder data with tokens that have no exploitable value, removing systems that only handle tokens from the CDE",[68,5204,5205,5207],{},[71,5206,2840],{}," — encrypt cardholder data from the point of interaction to the decryption point, potentially removing intermediate systems from scope",[68,5209,5210,5213],{},[71,5211,5212],{},"Outsourcing"," — shift cardholder data handling to a PCI-compliant service provider",[68,5215,5216,5218],{},[71,5217,2748],{}," — isolate the CDE from the rest of the network to prevent connected systems from being in scope",[860,5220,5222],{"id":5221},"what-are-common-mistakes-with-the-cde","What are common mistakes with the CDE?",[37,5224,5225],{},"Organizations frequently make errors when defining their CDE:",[200,5227,5228,5234,5240,5246],{},[68,5229,5230,5233],{},[71,5231,5232],{},"Incomplete data flow mapping"," — missing cardholder data in logs, backups, or test environments",[68,5235,5236,5239],{},[71,5237,5238],{},"Overlooking connected systems"," — failing to account for systems with network access to the CDE",[68,5241,5242,5245],{},[71,5243,5244],{},"Scope creep"," — allowing unnecessary systems to connect to the CDE, expanding scope",[68,5247,5248,5251],{},[71,5249,5250],{},"Stale documentation"," — not updating CDE documentation when systems change",[860,5253,5255],{"id":5254},"how-does-episki-help-with-the-cde","How does episki help with the CDE?",[37,5257,5258,5259,79],{},"episki helps you document and maintain your cardholder data environment definition, including data flow diagrams, system inventories, and network segmentation documentation. The platform tracks changes that could affect CDE scope and ensures your documentation stays current. 
Learn more on our ",[41,5260,4823],{"href":511},{"title":447,"searchDepth":448,"depth":448,"links":5262},[5263],{"id":5082,"depth":448,"text":5083,"children":5264},[5265,5266,5267,5268,5269,5270],{"id":5089,"depth":1179,"text":5090},{"id":5122,"depth":1179,"text":5123},{"id":5146,"depth":1179,"text":5147},{"id":5191,"depth":1179,"text":5192},{"id":5221,"depth":1179,"text":5222},{"id":5254,"depth":1179,"text":5255},{},[528],[823,824,3699,95,2135],{"title":5275,"description":5276},"What is a Cardholder Data Environment? Definition & Compliance Guide","The Cardholder Data Environment (CDE) encompasses all systems that store, process, or transmit cardholder data. Learn how to define and secure your CDE.","8.glossary\u002Fcardholder-data-environment","b6tMCigxUaqDmCxMICc_lqrlhozN9rvWz0eNQJC-I20",{"id":5280,"title":5281,"body":5282,"description":447,"extension":473,"lastUpdated":819,"meta":5515,"navigation":510,"path":5516,"relatedFrameworks":5517,"relatedTerms":5518,"seo":5520,"slug":5523,"stem":5524,"term":5287,"__hash__":5525},"glossary\u002F8.glossary\u002Fchange-management.md","Change Management",{"type":29,"value":5283,"toc":5504},[5284,5288,5291,5295,5298,5315,5319,5322,5328,5348,5354,5368,5374,5385,5391,5402,5408,5419,5423,5440,5444,5464,5468,5471,5475,5478,5495,5499],[32,5285,5287],{"id":5286},"what-is-change-management","What is Change Management?",[37,5289,5290],{},"Change management is the structured process of planning, approving, implementing, and reviewing changes to an organization's information systems, infrastructure, and applications. The goal is to ensure that changes are made in a controlled manner, minimizing the risk of unintended disruptions, security vulnerabilities, or compliance violations.",[860,5292,5294],{"id":5293},"why-does-change-management-matter","Why does change management matter?",[37,5296,5297],{},"Uncontrolled changes are a leading cause of system outages, security incidents, and compliance failures. 
Without a formal change management process:",[200,5299,5300,5303,5306,5309,5312],{},[68,5301,5302],{},"Untested changes can introduce bugs or vulnerabilities",[68,5304,5305],{},"Unauthorized modifications can compromise security controls",[68,5307,5308],{},"Conflicting changes can cause system instability",[68,5310,5311],{},"Auditors cannot verify that changes were properly authorized and tested",[68,5313,5314],{},"Troubleshooting becomes difficult without a record of what changed",[860,5316,5318],{"id":5317},"what-are-the-components-of-a-change-management-process","What are the components of a change management process?",[37,5320,5321],{},"An effective change management program includes:",[37,5323,5324,5327],{},[71,5325,5326],{},"Change request"," — a formal submission describing the proposed change, including:",[200,5329,5330,5333,5336,5339,5342,5345],{},[68,5331,5332],{},"Description of the change",[68,5334,5335],{},"Business justification",[68,5337,5338],{},"Risk assessment",[68,5340,5341],{},"Rollback plan",[68,5343,5344],{},"Testing plan",[68,5346,5347],{},"Implementation timeline",[37,5349,5350,5353],{},[71,5351,5352],{},"Review and approval"," — changes are reviewed by appropriate stakeholders:",[200,5355,5356,5359,5362,5365],{},[68,5357,5358],{},"Technical review for feasibility and impact",[68,5360,5361],{},"Security review for potential risks",[68,5363,5364],{},"Management approval based on risk and priority",[68,5366,5367],{},"Change Advisory Board (CAB) review for significant changes",[37,5369,5370,5373],{},[71,5371,5372],{},"Testing"," — changes are tested in a non-production environment before deployment:",[200,5375,5376,5379,5382],{},[68,5377,5378],{},"Functional testing to verify the change works as intended",[68,5380,5381],{},"Regression testing to confirm existing functionality is not broken",[68,5383,5384],{},"Security testing when the change affects security-relevant systems",[37,5386,5387,5390],{},[71,5388,5389],{},"Implementation"," — changes 
are deployed following the approved plan:",[200,5392,5393,5396,5399],{},[68,5394,5395],{},"During designated maintenance windows when appropriate",[68,5397,5398],{},"With monitoring for unexpected issues",[68,5400,5401],{},"With rollback procedures ready if problems occur",[37,5403,5404,5407],{},[71,5405,5406],{},"Post-implementation review"," — after deployment, verify:",[200,5409,5410,5413,5416],{},[68,5411,5412],{},"The change achieved its intended outcome",[68,5414,5415],{},"No unintended side effects occurred",[68,5417,5418],{},"Documentation is updated to reflect the change",[860,5420,5422],{"id":5421},"how-do-compliance-frameworks-address-change-management","How do compliance frameworks address change management?",[200,5424,5425,5430,5435],{},[68,5426,5427,5429],{},[71,5428,4212],{}," — CC8.1 requires that changes to infrastructure, data, software, and procedures are authorized, designed, developed, configured, documented, tested, approved, and implemented",[68,5431,5432,5434],{},[71,5433,4221],{}," — control A.8.32 addresses change management, requiring that changes to information processing facilities and systems be subject to change management procedures",[68,5436,5437,5439],{},[71,5438,44],{}," — Requirement 6.5 requires change control processes for all system components in the cardholder data environment",[860,5441,5443],{"id":5442},"what-are-the-types-of-changes-in-change-management","What are the types of changes in change management?",[200,5445,5446,5452,5458],{},[68,5447,5448,5451],{},[71,5449,5450],{},"Standard changes"," — pre-approved, low-risk, routine changes that follow a documented procedure (e.g., updating a standard software package)",[68,5453,5454,5457],{},[71,5455,5456],{},"Normal changes"," — changes that require the full change management process including review and approval",[68,5459,5460,5463],{},[71,5461,5462],{},"Emergency changes"," — urgent changes needed to resolve incidents or critical issues, typically with streamlined 
approval followed by retrospective documentation",[860,5465,5467],{"id":5466},"how-does-separation-of-duties-apply-to-change-management","How does separation of duties apply to change management?",[37,5469,5470],{},"A key control within change management is separation of duties — the person who develops a change should not be the same person who approves or deploys it to production. This prevents unauthorized or untested changes from reaching production systems.",[860,5472,5474],{"id":5473},"what-change-management-evidence-do-auditors-look-for","What change management evidence do auditors look for?",[37,5476,5477],{},"Auditors reviewing change management look for:",[200,5479,5480,5483,5486,5489,5492],{},[68,5481,5482],{},"Change request records with documented approvals",[68,5484,5485],{},"Evidence of testing before production deployment",[68,5487,5488],{},"Separation of duties between development, approval, and deployment",[68,5490,5491],{},"Rollback plans for significant changes",[68,5493,5494],{},"Post-implementation reviews",[860,5496,5498],{"id":5497},"how-does-episki-help-with-change-management","How does episki help with change management?",[37,5500,5501,5502,79],{},"episki tracks change management activities, integrates with ticketing and CI\u002FCD systems, and maintains audit-ready evidence of change approvals, testing, and deployment. The platform maps change management controls to SOC 2, ISO 27001, and PCI DSS requirements. 
Learn more on our ",[41,5503,4589],{"href":4588},{"title":447,"searchDepth":448,"depth":448,"links":5505},[5506],{"id":5286,"depth":448,"text":5287,"children":5507},[5508,5509,5510,5511,5512,5513,5514],{"id":5293,"depth":1179,"text":5294},{"id":5317,"depth":1179,"text":5318},{"id":5421,"depth":1179,"text":5422},{"id":5442,"depth":1179,"text":5443},{"id":5466,"depth":1179,"text":5467},{"id":5473,"depth":1179,"text":5474},{"id":5497,"depth":1179,"text":5498},{},"\u002Fglossary\u002Fchange-management",[4607,4608,4609,528],[4614,4619,5067,5519],"control-objectives",{"title":5521,"description":5522},"What is Change Management? Definition & Compliance Guide","Change management is the process of controlling modifications to systems and infrastructure to prevent unauthorized changes and maintain security and stability.","change-management","8.glossary\u002Fchange-management","xeecemxPeYwPVCVxeZ0eZXpmSOlKMkCLQoUsX4dbaQA",{"id":5527,"title":5528,"body":5529,"description":447,"extension":473,"lastUpdated":819,"meta":5716,"navigation":510,"path":4556,"relatedFrameworks":5717,"relatedTerms":5718,"seo":5721,"slug":3700,"stem":5724,"term":5534,"__hash__":5725},"glossary\u002F8.glossary\u002Fencryption.md","Encryption",{"type":29,"value":5530,"toc":5705},[5531,5535,5538,5542,5548,5554,5560,5564,5567,5570,5584,5588,5591,5593,5610,5614,5617,5649,5653,5675,5679,5696,5700],[32,5532,5534],{"id":5533},"what-is-encryption","What is Encryption?",[37,5536,5537],{},"Encryption is the process of converting readable data (plaintext) into an unreadable format (ciphertext) using a cryptographic algorithm and a key. Only authorized parties with the correct decryption key can convert the ciphertext back to plaintext. 
Encryption is one of the most important technical controls for protecting the confidentiality of sensitive data and is required by virtually every compliance framework.",[860,5539,5541],{"id":5540},"what-are-the-types-of-encryption","What are the types of encryption?",[37,5543,5544,5547],{},[71,5545,5546],{},"Symmetric encryption"," — uses the same key for both encryption and decryption. It is fast and efficient for large volumes of data. Common algorithms include AES-256 (the current standard) and AES-128.",[37,5549,5550,5553],{},[71,5551,5552],{},"Asymmetric encryption"," — uses a pair of keys: a public key for encryption and a private key for decryption. It is used for key exchange, digital signatures, and scenarios where parties cannot share a secret key in advance. Common algorithms include RSA and elliptic curve cryptography (ECC).",[37,5555,5556,5559],{},[71,5557,5558],{},"Hashing"," — technically not encryption (it is one-way and cannot be reversed), but often discussed alongside encryption. Hashing produces a fixed-length output from any input, used for password storage and data integrity verification. Common algorithms include SHA-256 and bcrypt.",[860,5561,5563],{"id":5562},"what-is-encryption-at-rest","What is encryption at rest?",[37,5565,5566],{},"Encryption at rest protects data stored in databases, file systems, backups, and storage media. 
If a storage device is stolen or improperly decommissioned, encryption prevents unauthorized access to the data.",[37,5568,5569],{},"Common implementations include:",[200,5571,5572,5575,5578,5581],{},[68,5573,5574],{},"Full disk encryption (BitLocker, FileVault, LUKS)",[68,5576,5577],{},"Database encryption (Transparent Data Encryption)",[68,5579,5580],{},"File-level encryption",[68,5582,5583],{},"Cloud storage encryption (most cloud providers offer encryption at rest by default)",[860,5585,5587],{"id":5586},"what-is-encryption-in-transit","What is encryption in transit?",[37,5589,5590],{},"Encryption in transit protects data as it moves between systems over networks. It prevents eavesdropping, man-in-the-middle attacks, and data interception.",[37,5592,5569],{},[200,5594,5595,5598,5601,5604,5607],{},[68,5596,5597],{},"TLS 1.2 or 1.3 for web traffic (HTTPS)",[68,5599,5600],{},"TLS for email (SMTP with STARTTLS)",[68,5602,5603],{},"VPN tunnels for site-to-site or remote access connections",[68,5605,5606],{},"SSH for administrative access",[68,5608,5609],{},"IPsec for network-level encryption",[860,5611,5613],{"id":5612},"how-does-key-management-support-encryption","How does key management support encryption?",[37,5615,5616],{},"Encryption is only as strong as its key management. Poor key management undermines the protection encryption provides. 
Key management best practices include:",[200,5618,5619,5625,5631,5637,5643],{},[68,5620,5621,5624],{},[71,5622,5623],{},"Key generation"," — use cryptographically secure random number generators",[68,5626,5627,5630],{},[71,5628,5629],{},"Key storage"," — store keys separately from the data they protect, using hardware security modules (HSMs) or key management services",[68,5632,5633,5636],{},[71,5634,5635],{},"Key rotation"," — rotate keys periodically to limit exposure if a key is compromised",[68,5638,5639,5642],{},[71,5640,5641],{},"Key access control"," — restrict key access to authorized personnel and systems",[68,5644,5645,5648],{},[71,5646,5647],{},"Key destruction"," — securely destroy keys when no longer needed",[860,5650,5652],{"id":5651},"what-are-the-encryption-requirements","What are the encryption requirements?",[200,5654,5655,5660,5665,5670],{},[68,5656,5657,5659],{},[71,5658,4212],{}," — CC6.1 and CC6.7 address protection of data through encryption and other mechanisms",[68,5661,5662,5664],{},[71,5663,4221],{}," — control A.8.24 addresses use of cryptography",[68,5666,5667,5669],{},[71,5668,4235],{}," — encryption is an addressable implementation specification for ePHI at rest (45 CFR 164.312(a)(2)(iv)) and a requirement for ePHI in transit (45 CFR 164.312(e)(1))",[68,5671,5672,5674],{},[71,5673,44],{}," — Requirement 3 requires encryption of stored PAN, and Requirement 4 requires encryption of PAN in transit over open networks",[860,5676,5678],{"id":5677},"what-are-common-mistakes-with-encryption","What are common mistakes with encryption?",[200,5680,5681,5684,5687,5690,5693],{},[68,5682,5683],{},"Using outdated algorithms (DES, 3DES, RC4, SSL, TLS 1.0\u002F1.1)",[68,5685,5686],{},"Storing encryption keys alongside encrypted data",[68,5688,5689],{},"Failing to encrypt backups",[68,5691,5692],{},"Not encrypting data in transit within internal networks",[68,5694,5695],{},"Hardcoding keys in application source 
code",[860,5697,5699],{"id":5698},"how-does-episki-help-with-encryption","How does episki help with encryption?",[37,5701,5702,5703,79],{},"episki tracks your encryption implementations across systems, monitors certificate expirations, and documents encryption policies and key management practices for audit evidence. Learn more on our ",[41,5704,4589],{"href":4588},{"title":447,"searchDepth":448,"depth":448,"links":5706},[5707],{"id":5533,"depth":448,"text":5534,"children":5708},[5709,5710,5711,5712,5713,5714,5715],{"id":5540,"depth":1179,"text":5541},{"id":5562,"depth":1179,"text":5563},{"id":5586,"depth":1179,"text":5587},{"id":5612,"depth":1179,"text":5613},{"id":5651,"depth":1179,"text":5652},{"id":5677,"depth":1179,"text":5678},{"id":5698,"depth":1179,"text":5699},{},[4607,4608,4609,4610,528],[3699,5719,95,4619,5720],"phi","data-classification",{"title":5722,"description":5723},"What is Encryption? Definition & Compliance Guide","Encryption transforms data into unreadable ciphertext to protect confidentiality. Learn about encryption at rest, in transit, and compliance requirements.","8.glossary\u002Fencryption","8HTAhzLPBjGJKnlguz6mBT1ob6J8h2KVZGzAJtWJEHM",{"id":5727,"title":5728,"body":5729,"description":447,"extension":473,"lastUpdated":819,"meta":5929,"navigation":510,"path":5930,"relatedFrameworks":5931,"relatedTerms":5932,"seo":5934,"slug":5067,"stem":5937,"term":5734,"__hash__":5938},"glossary\u002F8.glossary\u002Fevidence-collection.md","Evidence Collection",{"type":29,"value":5730,"toc":5919},[5731,5735,5738,5742,5745,5759,5763,5766,5816,5820,5823,5829,5835,5841,5845,5889,5893,5910,5914],[32,5732,5734],{"id":5733},"what-is-evidence-collection","What is Evidence Collection?",[37,5736,5737],{},"Evidence collection is the systematic process of gathering, organizing, and maintaining documentation that demonstrates security controls are implemented and operating effectively. 
It is a critical activity for any compliance program — without evidence, an organization cannot prove to auditors, customers, or regulators that its controls actually work.",[860,5739,5741],{"id":5740},"why-does-evidence-collection-matter","Why does evidence collection matter?",[37,5743,5744],{},"Controls that exist only in policy documents are insufficient. Auditors and assessors require proof that controls are executed consistently. Evidence collection bridges the gap between \"we have a policy\" and \"we follow the policy.\" Without organized evidence:",[200,5746,5747,5750,5753,5756],{},[68,5748,5749],{},"Audits take longer and cost more due to scrambling for documentation",[68,5751,5752],{},"Control gaps go undetected until audit time",[68,5754,5755],{},"Audit opinions may be qualified due to insufficient evidence",[68,5757,5758],{},"Customer trust erodes when security claims cannot be substantiated",[860,5760,5762],{"id":5761},"what-are-the-types-of-evidence-in-compliance-audits","What are the types of evidence in compliance audits?",[37,5764,5765],{},"Evidence takes many forms depending on the control being demonstrated:",[200,5767,5768,5774,5780,5786,5792,5798,5804,5810],{},[68,5769,5770,5773],{},[71,5771,5772],{},"Screenshots"," — system configurations, access control settings, dashboard views",[68,5775,5776,5779],{},[71,5777,5778],{},"Logs"," — audit logs, access logs, change management logs, security event logs",[68,5781,5782,5785],{},[71,5783,5784],{},"Documents"," — policies, procedures, meeting minutes, training records",[68,5787,5788,5791],{},[71,5789,5790],{},"Tickets"," — change management tickets, incident response tickets, access request tickets",[68,5793,5794,5797],{},[71,5795,5796],{},"Reports"," — vulnerability scan reports, penetration test reports, risk assessment reports",[68,5799,5800,5803],{},[71,5801,5802],{},"Certifications"," — employee training certificates, vendor SOC 2 reports, compliance 
attestations",[68,5805,5806,5809],{},[71,5807,5808],{},"Configurations"," — infrastructure-as-code files, system configuration exports",[68,5811,5812,5815],{},[71,5813,5814],{},"Interviews"," — auditor interviews with control owners (for live audits)",[860,5817,5819],{"id":5818},"what-are-common-evidence-collection-approaches","What are common evidence collection approaches?",[37,5821,5822],{},"Organizations typically use one of three approaches:",[37,5824,5825,5828],{},[71,5826,5827],{},"Manual collection"," — control owners manually gather screenshots, exports, and documents on a scheduled basis. This is the most common starting point but is labor-intensive and error-prone.",[37,5830,5831,5834],{},[71,5832,5833],{},"Semi-automated collection"," — integrations with key systems (cloud providers, identity providers, ticketing systems) automatically pull evidence, supplemented by manual collection for controls without integration support.",[37,5836,5837,5840],{},[71,5838,5839],{},"Continuous automated collection"," — deep integrations with infrastructure and applications automatically collect and organize evidence on an ongoing basis, with minimal manual intervention.",[860,5842,5844],{"id":5843},"what-are-best-practices-for-evidence-collection","What are best practices for evidence collection?",[200,5846,5847,5853,5859,5865,5871,5877,5883],{},[68,5848,5849,5852],{},[71,5850,5851],{},"Define evidence requirements upfront"," — for each control, specify what evidence is needed, how often it should be collected, and who is responsible",[68,5854,5855,5858],{},[71,5856,5857],{},"Collect continuously, not just before audits"," — evidence collected throughout the period is more credible than evidence gathered in a rush before the audit",[68,5860,5861,5864],{},[71,5862,5863],{},"Timestamp everything"," — evidence must demonstrate when the control was operating, not just that it exists",[68,5866,5867,5870],{},[71,5868,5869],{},"Organize by control"," — structure evidence so 
it maps directly to controls and framework requirements",[68,5872,5873,5876],{},[71,5874,5875],{},"Maintain chain of custody"," — ensure evidence cannot be tampered with after collection",[68,5878,5879,5882],{},[71,5880,5881],{},"Review evidence quality"," — periodically verify that collected evidence actually demonstrates the control is working",[68,5884,5885,5888],{},[71,5886,5887],{},"Retain evidence appropriately"," — keep evidence for the required retention period (typically matching the audit cycle plus any regulatory requirements)",[860,5890,5892],{"id":5891},"what-are-common-challenges-with-evidence-collection","What are common challenges with evidence collection?",[200,5894,5895,5898,5901,5904,5907],{},[68,5896,5897],{},"Evidence collection is distributed across many teams and systems",[68,5899,5900],{},"Control owners forget to collect on schedule",[68,5902,5903],{},"Evidence quality varies — screenshots may be unclear or incomplete",[68,5905,5906],{},"Evidence becomes stale if not collected at the right frequency",[68,5908,5909],{},"Storing and organizing large volumes of evidence is difficult without proper tooling",[860,5911,5913],{"id":5912},"how-does-episki-help-with-evidence-collection","How does episki help with evidence collection?",[37,5915,5916,5917,79],{},"episki automates evidence collection through integrations with cloud providers, identity systems, and development tools. The platform assigns collection tasks to control owners, sends reminders, validates evidence quality, and organizes everything by control and framework. When audit time arrives, evidence is already collected and organized. 
Learn more on our ",[41,5918,4589],{"href":4588},{"title":447,"searchDepth":448,"depth":448,"links":5920},[5921],{"id":5733,"depth":448,"text":5734,"children":5922},[5923,5924,5925,5926,5927,5928],{"id":5740,"depth":1179,"text":5741},{"id":5761,"depth":1179,"text":5762},{"id":5818,"depth":1179,"text":5819},{"id":5843,"depth":1179,"text":5844},{"id":5891,"depth":1179,"text":5892},{"id":5912,"depth":1179,"text":5913},{},"\u002Fglossary\u002Fevidence-collection",[4608,4609,4610,528],[4614,5933,5068,5519],"soc2-type-2",{"title":5935,"description":5936},"What is Evidence Collection? Definition & Compliance Guide","Evidence collection is the process of gathering documentation that proves security controls are implemented and operating effectively for compliance audits.","8.glossary\u002Fevidence-collection","-4Die8_TxT3p7plrS5QfBm3mjx6_FZQa79Sl58zqSnw",{"id":5940,"title":5941,"body":5942,"description":447,"extension":473,"lastUpdated":819,"meta":6058,"navigation":510,"path":6059,"relatedFrameworks":6060,"relatedTerms":6061,"seo":6062,"slug":1582,"stem":6065,"term":5947,"__hash__":6066},"glossary\u002F8.glossary\u002Ffirewall.md","Firewall",{"type":29,"value":5943,"toc":6050},[5944,5948,5951,5955,5987,5991,5994,6016,6020,6041,6045],[32,5945,5947],{"id":5946},"what-is-a-firewall","What is a Firewall?",[37,5949,5950],{},"A firewall is a security system that monitors and controls network traffic based on predefined rules. It acts as a barrier between trusted internal networks and untrusted external ones, inspecting incoming and outgoing packets to enforce an organization's security policy.",[860,5952,5954],{"id":5953},"what-are-the-types-of-firewalls","What are the types of firewalls?",[200,5956,5957,5963,5969,5975,5981],{},[68,5958,5959,5962],{},[71,5960,5961],{},"Packet-filtering firewalls"," — inspect individual packets against a set of rules based on IP addresses, ports, and protocols. 
Simple and fast but limited in context.",[68,5964,5965,5968],{},[71,5966,5967],{},"Stateful inspection firewalls"," — track the state of active connections and make decisions based on the context of traffic, not just individual packets.",[68,5970,5971,5974],{},[71,5972,5973],{},"Next-generation firewalls (NGFW)"," — combine traditional firewall capabilities with intrusion prevention, application awareness, and deep packet inspection.",[68,5976,5977,5980],{},[71,5978,5979],{},"Web application firewalls (WAF)"," — specifically protect web applications by filtering and monitoring HTTP traffic between the application and the internet.",[68,5982,5983,5986],{},[71,5984,5985],{},"Cloud firewalls"," — delivered as a service to protect cloud-based infrastructure and applications.",[860,5988,5990],{"id":5989},"how-do-compliance-frameworks-address-firewalls","How do compliance frameworks address firewalls?",[37,5992,5993],{},"Firewalls are a foundational control across compliance standards:",[200,5995,5996,6001,6006,6011],{},[68,5997,5998,6000],{},[71,5999,44],{}," — Requirement 1 mandates installing and maintaining firewall configurations to protect cardholder data.",[68,6002,6003,6005],{},[71,6004,4221],{}," — Network security controls (A.8.20, A.8.21) require network segmentation and filtering.",[68,6007,6008,6010],{},[71,6009,4256],{}," — PR.AC and PR.PT cover network protection and access enforcement.",[68,6012,6013,6015],{},[71,6014,4212],{}," — CC6.6 requires restricting access through network security controls.",[860,6017,6019],{"id":6018},"what-are-best-practices-for-firewalls","What are best practices for firewalls?",[200,6021,6022,6025,6028,6031,6034],{},[68,6023,6024],{},"Define explicit allow and deny rules rather than relying on default configurations",[68,6026,6027],{},"Segment networks to limit lateral movement in the event of a breach",[68,6029,6030],{},"Review and update firewall rules regularly to remove stale or overly permissive 
entries",[68,6032,6033],{},"Log all firewall activity and monitor logs for anomalies",[68,6035,6036,6037],{},"Test firewall configurations as part of regular ",[41,6038,6040],{"href":6039},"\u002Fglossary\u002Fpenetration-testing","penetration testing",[860,6042,6044],{"id":6043},"how-does-episki-help-with-firewalls","How does episki help with firewalls?",[37,6046,6047,6048,79],{},"episki tracks firewall-related controls, links them to evidence like configuration exports and rule reviews, and sends reminders when periodic reviews are due. Learn more on our ",[41,6049,4589],{"href":4588},{"title":447,"searchDepth":448,"depth":448,"links":6051},[6052],{"id":5946,"depth":448,"text":5947,"children":6053},[6054,6055,6056,6057],{"id":5953,"depth":1179,"text":5954},{"id":5989,"depth":1179,"text":5990},{"id":6018,"depth":1179,"text":6019},{"id":6043,"depth":1179,"text":6044},{},"\u002Fglossary\u002Ffirewall",[4607,528,4609,4611],[4619,1583,828],{"title":6063,"description":6064},"What is a Firewall? Definition & Compliance Guide","A firewall is a security system that monitors and controls network traffic based on predefined rules, acting as a barrier between trusted internal networks and untrusted external ones.","8.glossary\u002Ffirewall","d_tDCxyFul3bT18aYdQvTB0Erzn8iM00wNVDbeNQM1Y",{"id":6068,"title":6069,"body":6070,"description":447,"extension":473,"lastUpdated":819,"meta":6174,"navigation":510,"path":6175,"relatedFrameworks":6176,"relatedTerms":6177,"seo":6179,"slug":6182,"stem":6183,"term":6075,"__hash__":6184},"glossary\u002F8.glossary\u002Fframework.md","Framework",{"type":29,"value":6071,"toc":6166},[6072,6076,6079,6083,6110,6114,6117,6136,6140,6143,6157,6161],[32,6073,6075],{"id":6074},"what-is-a-framework","What is a Framework?",[37,6077,6078],{},"A framework is a structured set of guidelines, controls, and best practices that organizations follow to manage security, risk, and compliance. 
Frameworks provide a common language and systematic approach for identifying risks, implementing safeguards, and demonstrating due diligence to auditors, customers, and regulators.",[860,6080,6082],{"id":6081},"what-are-common-compliance-frameworks","What are common compliance frameworks?",[200,6084,6085,6090,6095,6100,6105],{},[68,6086,6087,6089],{},[71,6088,4221],{}," — an international standard for information security management systems (ISMS) with a risk-based approach to protecting information assets.",[68,6091,6092,6094],{},[71,6093,4212],{}," — a reporting framework developed by the AICPA based on five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.",[68,6096,6097,6099],{},[71,6098,4235],{}," — a US law that sets requirements for protecting health information, including the Security Rule and Privacy Rule.",[68,6101,6102,6104],{},[71,6103,44],{}," — a set of security standards for organizations that handle payment card data.",[68,6106,6107,6109],{},[71,6108,4256],{}," — a voluntary framework published by the National Institute of Standards and Technology that provides a common taxonomy for managing cybersecurity risk.",[860,6111,6113],{"id":6112},"what-is-the-difference-between-a-framework-a-standard-and-a-regulation","What is the difference between a framework, a standard, and a regulation?",[37,6115,6116],{},"These terms are often used interchangeably but have important distinctions:",[200,6118,6119,6124,6130],{},[68,6120,6121,6123],{},[71,6122,6069],{}," — a flexible structure of guidelines that can be adapted to an organization's context (e.g., NIST CSF).",[68,6125,6126,6129],{},[71,6127,6128],{},"Standard"," — a more prescriptive set of requirements that can be certified against (e.g., ISO 27001).",[68,6131,6132,6135],{},[71,6133,6134],{},"Regulation"," — a legally binding requirement enforced by a governing body (e.g., HIPAA, GDPR).",[860,6137,6139],{"id":6138},"how-do-you-choose-a-framework","How do 
you choose a framework?",[37,6141,6142],{},"When selecting a framework, consider:",[200,6144,6145,6148,6151,6154],{},[68,6146,6147],{},"Customer and market requirements — enterprise buyers often require SOC 2 or ISO 27001",[68,6149,6150],{},"Industry regulations — healthcare organizations must comply with HIPAA; payment processors with PCI DSS",[68,6152,6153],{},"Geographic scope — GDPR for organizations handling EU data",[68,6155,6156],{},"Organizational maturity — NIST CSF is often a good starting point for organizations new to formal security programs",[860,6158,6160],{"id":6159},"how-does-episki-help-with-compliance-frameworks","How does episki help with compliance frameworks?",[37,6162,6163,6164,79],{},"episki supports multiple frameworks in a single workspace, allowing organizations to map controls across standards and reuse evidence. Learn more on our ",[41,6165,4589],{"href":4588},{"title":447,"searchDepth":448,"depth":448,"links":6167},[6168],{"id":6074,"depth":448,"text":6075,"children":6169},[6170,6171,6172,6173],{"id":6081,"depth":1179,"text":6082},{"id":6112,"depth":1179,"text":6113},{"id":6138,"depth":1179,"text":6139},{"id":6159,"depth":1179,"text":6160},{},"\u002Fglossary\u002Fframework",[4608,4609,4610,528,4611],[6178,5519,1212],"control-framework",{"title":6180,"description":6181},"What is a Framework? Definition & Compliance Guide","A framework is a structured set of guidelines and controls organizations follow to manage security and compliance. 
Common examples include ISO 27001, SOC 2, and NIST CSF.","framework","8.glossary\u002Fframework","CdMCpQrbry3zSa1fdtsyViYMvkP88wOS8pALWkyZ5Mo",{"id":6186,"title":6187,"body":6188,"description":447,"extension":473,"lastUpdated":819,"meta":6297,"navigation":510,"path":6298,"relatedFrameworks":6299,"relatedTerms":6300,"seo":6302,"slug":1212,"stem":6305,"term":6193,"__hash__":6306},"glossary\u002F8.glossary\u002Fgrc.md","Grc",{"type":29,"value":6189,"toc":6288},[6190,6194,6201,6205,6208,6222,6226,6229,6243,6247,6260,6264,6267,6281,6285],[32,6191,6193],{"id":6192},"what-is-grc","What is GRC?",[37,6195,6196,6197,6200],{},"GRC stands for ",[71,6198,6199],{},"governance, risk, and compliance"," — a coordinated approach to aligning IT and security practices with business objectives, managing risk, and meeting regulatory requirements.",[860,6202,6204],{"id":6203},"what-is-governance-in-grc","What is governance in GRC?",[37,6206,6207],{},"Governance defines the policies, roles, and decision-making structures that guide how an organization operates. In a security context, governance includes:",[200,6209,6210,6213,6216,6219],{},[68,6211,6212],{},"Establishing security policies and standards",[68,6214,6215],{},"Assigning ownership for controls and programs",[68,6217,6218],{},"Setting risk appetite and tolerance levels",[68,6220,6221],{},"Board-level oversight of security posture",[860,6223,6225],{"id":6224},"what-is-risk-management-in-grc","What is risk management in GRC?",[37,6227,6228],{},"Risk management is the process of identifying, assessing, and treating threats that could affect the organization. 
Common activities include:",[200,6230,6231,6234,6237,6240],{},[68,6232,6233],{},"Maintaining a risk register with likelihood and impact scores",[68,6235,6236],{},"Prioritizing remediation based on business impact",[68,6238,6239],{},"Tracking treatment plans with owners and deadlines",[68,6241,6242],{},"Reviewing risk posture on a recurring schedule",[860,6244,6246],{"id":6245},"what-is-compliance-in-grc","What is compliance in GRC?",[37,6248,6249,6250,6252,6253,6252,6255,6257,6258,79],{},"Compliance means meeting the requirements of external standards, regulations, and contractual obligations. Common compliance frameworks include ",[41,6251,4212],{"href":4211},", ",[41,6254,4221],{"href":4220},[41,6256,4235],{"href":4234},", and ",[41,6259,44],{"href":511},[860,6261,6263],{"id":6262},"why-does-grc-matter","Why does GRC matter?",[37,6265,6266],{},"Without a coordinated approach, organizations end up with fragmented policies, duplicated controls, and gaps between what auditors expect and what teams actually do. A GRC program brings these disciplines together so that:",[200,6268,6269,6272,6275,6278],{},[68,6270,6271],{},"Controls are mapped once and reused across frameworks",[68,6273,6274],{},"Risk decisions inform which controls get priority",[68,6276,6277],{},"Evidence is collected continuously rather than scrambled before audits",[68,6279,6280],{},"Leadership has visibility into security posture and compliance status",[860,6282,6284],{"id":6283},"what-is-grc-software","What is GRC software?",[37,6286,6287],{},"GRC platforms like episki centralize controls, evidence, risk registers, and auditor collaboration in one workspace. 
Instead of managing compliance in spreadsheets, teams can assign owners, track evidence, and run programs across multiple frameworks simultaneously.",{"title":447,"searchDepth":448,"depth":448,"links":6289},[6290],{"id":6192,"depth":448,"text":6193,"children":6291},[6292,6293,6294,6295,6296],{"id":6203,"depth":1179,"text":6204},{"id":6224,"depth":1179,"text":6225},{"id":6245,"depth":1179,"text":6246},{"id":6262,"depth":1179,"text":6263},{"id":6283,"depth":1179,"text":6284},{},"\u002Fglossary\u002Fgrc",[4608,4609,4610,528,4611],[6301,6178,4614,5067],"risk-register",{"title":6303,"description":6304},"What is GRC? Governance, Risk, and Compliance Explained","GRC stands for governance, risk, and compliance. Learn how GRC programs help organizations manage risk, meet regulatory requirements, and align security with business goals.","8.glossary\u002Fgrc","6r8Pzm3RtrpbRSlELLbyQ2mEbI0Rv-73CiQlZaZiv9g",{"id":6308,"title":6309,"body":6310,"description":447,"extension":473,"lastUpdated":819,"meta":6415,"navigation":510,"path":6416,"relatedFrameworks":6417,"relatedTerms":6418,"seo":6419,"slug":6422,"stem":6423,"term":6315,"__hash__":6424},"glossary\u002F8.glossary\u002Fjob-separation.md","Job Separation",{"type":29,"value":6311,"toc":6406},[6312,6316,6319,6323,6326,6330,6355,6359,6376,6380,6383,6397,6401],[32,6313,6315],{"id":6314},"what-is-job-separation","What is Job Separation?",[37,6317,6318],{},"Job separation, also known as segregation of duties (SoD), is the practice of dividing critical responsibilities among multiple people to reduce the risk of fraud, error, or abuse of privilege. 
The principle ensures that no single individual has end-to-end control over a sensitive process.",[860,6320,6322],{"id":6321},"why-does-job-separation-matter","Why does job separation matter?",[37,6324,6325],{},"When one person controls an entire workflow — such as approving and executing financial transactions, or deploying code and managing production access — the risk of undetected mistakes or intentional misuse increases significantly. Segregation of duties creates natural checkpoints where different individuals must independently verify or authorize actions.",[860,6327,6329],{"id":6328},"what-are-common-examples-of-job-separation","What are common examples of job separation?",[200,6331,6332,6338,6343,6349],{},[68,6333,6334,6337],{},[71,6335,6336],{},"Financial controls"," — the person who requests a purchase should not be the same person who approves payment",[68,6339,6340,6342],{},[71,6341,1381],{}," — developers who write code should not be the same people who approve and deploy it to production",[68,6344,6345,6348],{},[71,6346,6347],{},"User access management"," — the person who requests access should not be the one who grants it",[68,6350,6351,6354],{},[71,6352,6353],{},"Audit and review"," — internal auditors should be independent of the processes they audit",[860,6356,6358],{"id":6357},"how-do-compliance-frameworks-address-job-separation","How do compliance frameworks address job separation?",[200,6360,6361,6366,6371],{},[68,6362,6363,6365],{},[71,6364,4212],{}," — CC5.2 and CC6.1 address segregation of duties as part of control activities and access controls",[68,6367,6368,6370],{},[71,6369,4221],{}," — A.5.3 requires segregation of duties to reduce opportunities for unauthorized modification or misuse",[68,6372,6373,6375],{},[71,6374,44],{}," — Requirement 6.5.6 addresses separation of development, testing, and production environments",[860,6377,6379],{"id":6378},"what-compensating-controls-apply-when-job-separation-is-not-possible","What compensating 
controls apply when job separation is not possible?",[37,6381,6382],{},"In smaller organizations where strict separation is not always feasible, compensating controls can help:",[200,6384,6385,6388,6391,6394],{},[68,6386,6387],{},"Detailed audit logging of all actions",[68,6389,6390],{},"Regular management review of activity logs",[68,6392,6393],{},"Automated alerts for high-risk activities",[68,6395,6396],{},"Periodic access reviews to verify role appropriateness",[860,6398,6400],{"id":6399},"how-does-episki-help-with-job-separation","How does episki help with job separation?",[37,6402,6403,6404,79],{},"episki maps segregation of duties requirements across frameworks, tracks who has access to what, and provides evidence trails for auditors. Learn more on our ",[41,6405,4589],{"href":4588},{"title":447,"searchDepth":448,"depth":448,"links":6407},[6408],{"id":6314,"depth":448,"text":6315,"children":6409},[6410,6411,6412,6413,6414],{"id":6321,"depth":1179,"text":6322},{"id":6328,"depth":1179,"text":6329},{"id":6357,"depth":1179,"text":6358},{"id":6378,"depth":1179,"text":6379},{"id":6399,"depth":1179,"text":6400},{},"\u002Fglossary\u002Fjob-separation",[4608,4609,528],[4619,6301,5519],{"title":6420,"description":6421},"What is Job Separation? 
Definition & Compliance Guide","Job separation (segregation of duties) is the practice of dividing critical responsibilities among multiple people to reduce the risk of fraud or error.","job-separation","8.glossary\u002Fjob-separation","NGlRTvMi7wGdE1a4aqRDvGWJqatS66pV0ZpUqXQPEGI",{"id":6426,"title":6427,"body":6428,"description":447,"extension":473,"lastUpdated":819,"meta":6960,"navigation":510,"path":6961,"relatedFrameworks":6962,"relatedTerms":6963,"seo":6964,"slug":3701,"stem":6967,"term":6433,"__hash__":6968},"glossary\u002F8.glossary\u002Fkey-management.md","Key Management",{"type":29,"value":6429,"toc":6948},[6430,6434,6437,6441,6479,6483,6486,6489,6515,6518,6522,6525,6530,6533,6559,6568,6571,6575,6578,6604,6607,6626,6629,6633,6636,6650,6653,6664,6671,6682,6686,6689,6784,6789,6816,6820,6823,6873,6877,6918,6922,6939,6943],[32,6431,6433],{"id":6432},"what-is-key-management","What is Key Management?",[37,6435,6436],{},"Key management is the process of creating, storing, distributing, rotating, and retiring cryptographic keys used to protect encrypted data. 
Effective key management ensures that encryption actually delivers the confidentiality and integrity it promises — poorly managed keys can render even strong encryption useless.",[860,6438,6440],{"id":6439},"what-are-the-stages-of-the-key-lifecycle","What are the stages of the key lifecycle?",[200,6442,6443,6449,6455,6461,6467,6473],{},[68,6444,6445,6448],{},[71,6446,6447],{},"Generation"," — creating keys using cryptographically secure methods with appropriate key lengths",[68,6450,6451,6454],{},[71,6452,6453],{},"Distribution"," — securely delivering keys to authorized systems or users",[68,6456,6457,6460],{},[71,6458,6459],{},"Storage"," — protecting keys at rest using hardware security modules (HSMs), key vaults, or other secure storage",[68,6462,6463,6466],{},[71,6464,6465],{},"Rotation"," — periodically replacing keys to limit the impact of a potential compromise",[68,6468,6469,6472],{},[71,6470,6471],{},"Revocation"," — disabling keys that are no longer trusted or have been compromised",[68,6474,6475,6478],{},[71,6476,6477],{},"Destruction"," — securely deleting keys that are no longer needed, ensuring they cannot be recovered",[860,6480,6482],{"id":6481},"why-does-key-management-matter-for-security","Why does key management matter for security?",[37,6484,6485],{},"Encryption is only as strong as the key management behind it. A 256-bit AES key offers no protection if it's stored in the same database as the data it encrypts — an attacker who compromises the database gets both the ciphertext and the key to decrypt it. 
This is not a theoretical concern; it's one of the most common encryption failures found in penetration tests and compliance assessments.",[37,6487,6488],{},"Key management failures create several categories of risk:",[200,6490,6491,6497,6503,6509],{},[68,6492,6493,6496],{},[71,6494,6495],{},"Exposure of historical data"," — Without regular key rotation, a single key compromise exposes every record encrypted with that key, potentially spanning years of sensitive data. Rotating keys limits the blast radius of any individual compromise.",[68,6498,6499,6502],{},[71,6500,6501],{},"Insider threats"," — If one administrator holds all key material with no split knowledge or dual control, that person can access every encrypted record in the organization. Proper key management distributes trust across multiple individuals.",[68,6504,6505,6508],{},[71,6506,6507],{},"Compliance failures"," — Auditors don't just check that encryption is enabled. They verify that keys are managed according to documented procedures, rotated on schedule, and protected with controls proportional to the sensitivity of the data they protect.",[68,6510,6511,6514],{},[71,6512,6513],{},"Incident response gaps"," — Organizations that lack documented key management procedures often cannot determine which data was exposed during a breach, which keys need emergency rotation, or how to restore encrypted backups after a key custodian leaves the company.",[37,6516,6517],{},"The bottom line: encryption without proper key management is security theater. It checks a box on a checklist without actually reducing risk. 
Organizations that invest in strong encryption algorithms but neglect key management are protecting data with a lock and then leaving the key under the doormat.",[860,6519,6521],{"id":6520},"what-are-common-key-management-architectures","What are common key management architectures?",[37,6523,6524],{},"There are three primary approaches to key management, each suited to different risk profiles, compliance requirements, and operational maturity levels. The right choice depends on what data you're protecting, which frameworks you're subject to, and how much operational complexity you can absorb.",[6526,6527,6529],"h4",{"id":6528},"cloud-kms","Cloud KMS",[37,6531,6532],{},"Cloud key management services — including AWS KMS, Azure Key Vault, and GCP Cloud KMS — are the most common starting point for organizations running workloads in the cloud. These services provide:",[200,6534,6535,6541,6547,6553],{},[68,6536,6537,6540],{},[71,6538,6539],{},"Envelope encryption"," — Data is encrypted with a data encryption key (DEK), and the DEK itself is encrypted with a key encryption key (KEK) managed by the cloud provider. This limits the number of calls to the KMS while keeping the master key material protected.",[68,6542,6543,6546],{},[71,6544,6545],{},"Customer-managed keys (CMK)"," — You control key rotation schedules, access policies, and deletion. The cloud provider manages the underlying infrastructure but cannot use the key without your authorization.",[68,6548,6549,6552],{},[71,6550,6551],{},"Provider-managed keys"," — The cloud provider handles all key management automatically. Simpler to operate, but offers less control and may not satisfy compliance requirements that mandate customer-controlled keys.",[68,6554,6555,6558],{},[71,6556,6557],{},"Bring Your Own Key (BYOK)"," — You generate keys in your own environment (often an on-premises HSM) and import them into the cloud KMS. 
This satisfies requirements for key generation in a controlled environment while still leveraging cloud-native encryption integration.",[37,6560,6561,6562,6564,6565,6567],{},"Cloud KMS is appropriate for most SaaS applications, internal systems, and workloads where the cloud provider is already part of the trust boundary. For organizations subject to ",[41,6563,44],{"href":511}," or ",[41,6566,4212],{"href":4211},", cloud KMS with customer-managed keys typically satisfies key management requirements when combined with proper access policies and rotation schedules.",[37,6569,6570],{},"Most cloud KMS services also provide detailed audit logs of every key operation, which simplifies compliance evidence collection during assessments.",[6526,6572,6574],{"id":6573},"hardware-security-modules-hsms","Hardware Security Modules (HSMs)",[37,6576,6577],{},"HSMs are dedicated hardware devices designed to generate, store, and manage cryptographic keys in a tamper-resistant environment. They are validated against FIPS 140-2 or FIPS 140-3 standards at various levels:",[200,6579,6580,6586,6592,6598],{},[68,6581,6582,6585],{},[71,6583,6584],{},"Level 1"," — Basic security requirements, no physical tamper resistance",[68,6587,6588,6591],{},[71,6589,6590],{},"Level 2"," — Tamper-evident coatings or seals, role-based authentication",[68,6593,6594,6597],{},[71,6595,6596],{},"Level 3"," — Tamper-resistant with active response mechanisms (e.g., zeroization of keys upon detection of physical intrusion)",[68,6599,6600,6603],{},[71,6601,6602],{},"Level 4"," — Full physical security envelope with environmental failure protection",[37,6605,6606],{},"HSMs are required or strongly recommended in several contexts:",[200,6608,6609,6614,6620],{},[68,6610,6611,6613],{},[71,6612,44],{}," — Strongly recommended for protecting cardholder data encryption keys, and effectively required for PIN-based transaction processing",[68,6615,6616,6619],{},[71,6617,6618],{},"Government and defense"," — CMMC, 
FedRAMP, and similar frameworks often require FIPS 140-2 Level 3 or higher for cryptographic key storage",[68,6621,6622,6625],{},[71,6623,6624],{},"Certificate authorities"," — Root and intermediate CA private keys must be stored in HSMs per industry standards",[37,6627,6628],{},"Cloud-based HSM options (AWS CloudHSM, Azure Dedicated HSM, GCP Cloud HSM) provide FIPS 140-2 Level 3 validated hardware in cloud data centers, bridging the gap between on-premises HSM security and cloud operational convenience.",[6526,6630,6632],{"id":6631},"software-based-key-stores","Software-based key stores",[37,6634,6635],{},"Software-based solutions like HashiCorp Vault, CyberArk Conjur, or application-level key management provide flexibility without dedicated hardware. These tools offer:",[200,6637,6638,6641,6644,6647],{},[68,6639,6640],{},"Centralized secret and key management across multiple applications and environments",[68,6642,6643],{},"Dynamic secrets that are generated on demand and automatically revoked after use",[68,6645,6646],{},"Audit logging of all key access and operations",[68,6648,6649],{},"Integration with identity providers for policy-based access control",[37,6651,6652],{},"Software key stores are appropriate when:",[200,6654,6655,6658,6661],{},[68,6656,6657],{},"Compliance requirements do not mandate HSMs",[68,6659,6660],{},"You need to manage secrets and keys across hybrid or multi-cloud environments",[68,6662,6663],{},"Your threat model does not include sophisticated physical or hardware-level attacks",[37,6665,6666,6667,6670],{},"They are ",[71,6668,6669],{},"not"," appropriate when:",[200,6672,6673,6676,6679],{},[68,6674,6675],{},"Regulations explicitly require hardware-based key protection (e.g., PCI PIN security, certain government classifications)",[68,6677,6678],{},"Your risk assessment identifies nation-state or advanced persistent threats targeting cryptographic material",[68,6680,6681],{},"You need to provide cryptographic proof that keys have never 
been exposed to software",[860,6683,6685],{"id":6684},"what-are-the-key-management-requirements","What are the key management requirements?",[37,6687,6688],{},"Different compliance frameworks impose different key management requirements. Understanding these differences is critical when an organization is subject to multiple frameworks simultaneously — which is increasingly common. The following table provides a practical comparison across five major frameworks:",[2387,6690,6691,6708],{},[2390,6692,6693],{},[2393,6694,6695,6697,6699,6701,6703,6705],{},[2396,6696,4380],{},[2396,6698,44],{},[2396,6700,4221],{},[2396,6702,4235],{},[2396,6704,4212],{},[2396,6706,6707],{},"CMMC",[2406,6709,6710,6728,6747,6766],{},[2393,6711,6712,6715,6718,6721,6723,6725],{},[2411,6713,6714],{},"Documented key management procedures",[2411,6716,6717],{},"Req 3.6",[2411,6719,6720],{},"A.8.24",[2411,6722,4425],{},[2411,6724,4400],{},[2411,6726,6727],{},"SC.L2-3.13.10",[2393,6729,6730,6733,6736,6739,6742,6744],{},[2411,6731,6732],{},"Key rotation schedule",[2411,6734,6735],{},"Annual minimum",[2411,6737,6738],{},"Risk-based",[2411,6740,6741],{},"Not specified",[2411,6743,6738],{},[2411,6745,6746],{},"Per NIST 800-171",[2393,6748,6749,6752,6755,6758,6760,6763],{},[2411,6750,6751],{},"Split knowledge \u002F dual control",[2411,6753,6754],{},"Required for manual keys",[2411,6756,6757],{},"Recommended",[2411,6759,6741],{},[2411,6761,6762],{},"Expected",[2411,6764,6765],{},"Required",[2393,6767,6768,6771,6774,6776,6779,6781],{},[2411,6769,6770],{},"HSM or equivalent",[2411,6772,6773],{},"Strongly recommended",[2411,6775,6738],{},[2411,6777,6778],{},"Not required",[2411,6780,6738],{},[2411,6782,6783],{},"Varies by level",[37,6785,6786],{},[71,6787,6788],{},"Reading this table:",[200,6790,6791,6796,6801,6806,6811],{},[68,6792,6793,6795],{},[71,6794,44],{}," is the most prescriptive. 
Requirement 3.6 specifies exactly what key management procedures must include, from key generation through destruction. Annual key rotation is a minimum baseline, and split knowledge\u002Fdual control is mandatory whenever keys are managed manually.",[68,6797,6798,6800],{},[71,6799,4221],{}," takes a risk-based approach. Annex A control A.8.24 requires a policy on the use of cryptographic controls including key management, but the specific controls depend on your risk assessment and Statement of Applicability.",[68,6802,6803,6805],{},[71,6804,4235],{}," is the least prescriptive on key management specifically. Encryption of ePHI is an \"addressable\" implementation specification, meaning organizations must implement it or document why an equivalent alternative is appropriate. Key management requirements follow from the encryption decision.",[68,6807,6808,6810],{},[71,6809,4212],{}," addresses key management through the Common Criteria, particularly CC6.1 (logical access) and CC6.7 (data transmission). The specific expectations depend on the trust services criteria in scope and the auditor's interpretation.",[68,6812,6813,6815],{},[71,6814,6707],{}," references NIST SP 800-171 for key management requirements. At Level 2, control SC.L2-3.13.10 requires establishing and managing cryptographic keys when cryptography is employed. Higher levels add additional requirements.",[860,6817,6819],{"id":6818},"what-are-common-key-management-mistakes","What are common key management mistakes?",[37,6821,6822],{},"Even organizations with mature security programs make key management errors. These mistakes are found repeatedly in audit findings, penetration test reports, and breach post-mortems. The most frequent include:",[200,6824,6825,6831,6837,6843,6849,6855,6861,6867],{},[68,6826,6827,6830],{},[71,6828,6829],{},"Storing keys alongside encrypted data"," — Placing encryption keys in the same database, file system, or backup as the data they protect. 
If an attacker gains access to the data store, they get the keys too. Keys must be stored in a separate system with independent access controls.",[68,6832,6833,6836],{},[71,6834,6835],{},"Hardcoding keys in source code"," — Embedding encryption keys, API keys, or other secrets directly in application code. These keys end up in version control history, CI\u002FCD logs, and developer laptops. Use a secrets manager or environment variable injection instead.",[68,6838,6839,6842],{},[71,6840,6841],{},"No key rotation policy"," — Using the same encryption keys indefinitely. Without rotation, a single compromise exposes all data ever encrypted with that key. Define rotation schedules based on data sensitivity and framework requirements.",[68,6844,6845,6848],{},[71,6846,6847],{},"Single person with all key access"," — Concentrating key custody in one individual with no split knowledge or dual control. This creates both a security risk (insider threat) and an operational risk (key unavailability if that person is unreachable).",[68,6850,6851,6854],{},[71,6852,6853],{},"No documented recovery procedures"," — Failing to plan for key loss, corruption, or custodian departure. Organizations discover this gap during an incident, when they cannot decrypt backups or rotate compromised keys because the procedure was never written down or tested.",[68,6856,6857,6860],{},[71,6858,6859],{},"Using weak or predictable key generation"," — Generating keys with insufficient entropy, predictable seeds, or non-cryptographic random number generators. Always use cryptographically secure random number generators (CSPRNGs) and key lengths appropriate for the algorithm and data sensitivity.",[68,6862,6863,6866],{},[71,6864,6865],{},"Ignoring key state tracking"," — Not maintaining an inventory of which keys are active, retired, or compromised. 
Without a key inventory, organizations cannot answer basic questions during an audit or incident: how many keys exist, who has access, and when they were last rotated.",[68,6868,6869,6872],{},[71,6870,6871],{},"Failing to test key recovery"," — Having a documented recovery procedure that has never been exercised. Recovery procedures degrade over time as infrastructure changes, personnel rotate, and backup systems are modified. Regular testing is the only way to ensure recovery will work when it matters.",[860,6874,6876],{"id":6875},"how-do-compliance-frameworks-address-key-management","How do compliance frameworks address key management?",[200,6878,6879,6889,6898,6908],{},[68,6880,6881,6885,6886],{},[71,6882,6883],{},[41,6884,44],{"href":511}," — Requirements 3.5 and 3.6 detail specific key management procedures for protecting ",[41,6887,6888],{"href":99},"cardholder data (PAN)",[68,6890,6891,4222,6895,6897],{},[71,6892,6893],{},[41,6894,4221],{"href":4220},[41,6896,4226],{"href":4225}," control A.8.24 covers the use of cryptography including key management policies",[68,6899,6900,6904,6905,6907],{},[71,6901,6902],{},[41,6903,4235],{"href":4234}," — the Security Rule requires ",[41,6906,3700],{"href":4556}," of ePHI, which implies proper key management",[68,6909,6910,6914,6915],{},[71,6911,6912],{},[41,6913,4212],{"href":4211}," — CC6.1 and CC6.7 address encryption and key management as part of logical ",[41,6916,6917],{"href":4605},"access controls",[860,6919,6921],{"id":6920},"what-are-best-practices-for-key-management","What are best practices for key management?",[200,6923,6924,6927,6930,6933,6936],{},[68,6925,6926],{},"Use hardware security modules (HSMs) or cloud key management services (AWS KMS, Azure Key Vault, GCP Cloud KMS) rather than storing keys in application code or configuration files",[68,6928,6929],{},"Enforce separation of duties so that key custodians cannot access the data those keys protect",[68,6931,6932],{},"Document key rotation schedules 
and automate rotation where possible",[68,6934,6935],{},"Maintain an inventory of all cryptographic keys, their owners, and their expiration dates",[68,6937,6938],{},"Test key recovery procedures regularly",[860,6940,6942],{"id":6941},"how-does-episki-help-with-key-management","How does episki help with key management?",[37,6944,6945,6946,79],{},"episki tracks key management policies, links them to encryption controls, and monitors rotation schedules to ensure cryptographic practices stay compliant. Learn more on our ",[41,6947,4589],{"href":4588},{"title":447,"searchDepth":448,"depth":448,"links":6949},[6950],{"id":6432,"depth":448,"text":6433,"children":6951},[6952,6953,6954,6955,6956,6957,6958,6959],{"id":6439,"depth":1179,"text":6440},{"id":6481,"depth":1179,"text":6482},{"id":6520,"depth":1179,"text":6521},{"id":6684,"depth":1179,"text":6685},{"id":6818,"depth":1179,"text":6819},{"id":6875,"depth":1179,"text":6876},{"id":6920,"depth":1179,"text":6921},{"id":6941,"depth":1179,"text":6942},{},"\u002Fglossary\u002Fkey-management",[4607,4608,4609,528,4610],[3700,5720,4619],{"title":6965,"description":6966},"Key Management: What It Is & Why Compliance Requires It","Key management covers creating, storing, rotating, and retiring cryptographic keys. 
Learn requirements across SOC 2, ISO 27001, HIPAA, and PCI DSS.","8.glossary\u002Fkey-management","1dvRJIXp6Ctc7SOVhg5O-XyVT22CTyhIb0o8RWTqqng",{"id":6970,"title":6971,"body":6972,"description":447,"extension":473,"lastUpdated":819,"meta":7086,"navigation":510,"path":7087,"relatedFrameworks":7088,"relatedTerms":7089,"seo":7090,"slug":7093,"stem":7094,"term":6977,"__hash__":7095},"glossary\u002F8.glossary\u002Fleast-privilege.md","Least Privilege",{"type":29,"value":6973,"toc":7078},[6974,6978,6981,6985,6988,7002,7006,7038,7042,7069,7073],[32,6975,6977],{"id":6976},"what-is-least-privilege","What is Least Privilege?",[37,6979,6980],{},"Least privilege is a security principle that limits user, application, and system access to only the resources and permissions necessary to perform a specific function — nothing more. By minimizing the access footprint, organizations reduce the potential damage from compromised accounts, insider threats, and accidental misuse.",[860,6982,6984],{"id":6983},"why-does-least-privilege-matter","Why does least privilege matter?",[37,6986,6987],{},"Excessive permissions are one of the most common security weaknesses. 
When users have more access than they need:",[200,6989,6990,6993,6996,6999],{},[68,6991,6992],{},"A compromised account gives attackers a wider attack surface",[68,6994,6995],{},"Accidental changes to sensitive systems become more likely",[68,6997,6998],{},"Insider threats are harder to detect and contain",[68,7000,7001],{},"Audit findings for excessive access are common compliance gaps",[860,7003,7005],{"id":7004},"how-do-you-implement-least-privilege","How do you implement least privilege?",[200,7007,7008,7014,7020,7026,7032],{},[68,7009,7010,7013],{},[71,7011,7012],{},"Start with zero access"," — new accounts should have no permissions by default, with access granted based on documented role requirements",[68,7015,7016,7019],{},[71,7017,7018],{},"Use role-based access control (RBAC)"," — define roles with specific permission sets rather than assigning permissions individually",[68,7021,7022,7025],{},[71,7023,7024],{},"Conduct regular access reviews"," — quarterly reviews of user permissions help identify and remove access that is no longer needed",[68,7027,7028,7031],{},[71,7029,7030],{},"Remove access promptly"," — revoke permissions immediately when employees change roles or leave the organization",[68,7033,7034,7037],{},[71,7035,7036],{},"Apply to systems and applications too"," — service accounts, APIs, and automated processes should also follow least privilege",[860,7039,7041],{"id":7040},"how-do-compliance-frameworks-address-least-privilege","How do compliance frameworks address least privilege?",[200,7043,7044,7049,7054,7059,7064],{},[68,7045,7046,7048],{},[71,7047,4212],{}," — CC6.1 through CC6.3 require logical access controls based on least privilege",[68,7050,7051,7053],{},[71,7052,4221],{}," — A.5.15 (access control) and A.8.2 (privileged access rights) explicitly reference least privilege",[68,7055,7056,7058],{},[71,7057,4235],{}," — the minimum necessary standard (45 CFR 164.502(b)) is the healthcare equivalent of least 
privilege",[68,7060,7061,7063],{},[71,7062,44],{}," — Requirement 7 restricts access to cardholder data on a need-to-know basis",[68,7065,7066,7068],{},[71,7067,4256],{}," — PR.AC-4 addresses access permissions based on least privilege",[860,7070,7072],{"id":7071},"how-does-episki-help-with-least-privilege","How does episki help with least privilege?",[37,7074,7075,7076,79],{},"episki tracks access control policies, schedules periodic access reviews, and documents evidence of least privilege enforcement for auditors. Learn more on our ",[41,7077,4589],{"href":4588},{"title":447,"searchDepth":448,"depth":448,"links":7079},[7080],{"id":6976,"depth":448,"text":6977,"children":7081},[7082,7083,7084,7085],{"id":6983,"depth":1179,"text":6984},{"id":7004,"depth":1179,"text":7005},{"id":7040,"depth":1179,"text":7041},{"id":7071,"depth":1179,"text":7072},{},"\u002Fglossary\u002Fleast-privilege",[4607,4608,4609,4610,528,4611],[4619,6422,4615],{"title":7091,"description":7092},"What is Least Privilege? 
Definition & Compliance Guide","Least privilege is a security principle that limits user access to only what they need to perform their job — nothing more.","least-privilege","8.glossary\u002Fleast-privilege","BuEghGm4HKbs1Es9DQ4mpHlellA4mL_s5KedD9Qs9_s",{"id":7097,"title":7098,"body":7099,"description":447,"extension":473,"lastUpdated":819,"meta":7611,"navigation":510,"path":7612,"relatedFrameworks":7613,"relatedTerms":7614,"seo":7615,"slug":7618,"stem":7619,"term":7104,"__hash__":7620},"glossary\u002F8.glossary\u002Flog-management.md","Log Management",{"type":29,"value":7100,"toc":7599},[7101,7105,7108,7112,7115,7151,7155,7158,7162,7165,7203,7207,7210,7242,7246,7249,7275,7279,7282,7308,7312,7315,7380,7383,7387,7390,7394,7408,7412,7426,7430,7444,7448,7462,7466,7488,7492,7495,7539,7543,7569,7573,7590,7594],[32,7102,7104],{"id":7103},"what-is-log-management","What is Log Management?",[37,7106,7107],{},"Log management is the process of collecting, storing, analyzing, and retaining system activity records to detect security incidents, troubleshoot issues, and support compliance audits. 
Logs provide a chronological record of events across servers, applications, network devices, and security tools.",[860,7109,7111],{"id":7110},"what-gets-logged-in-a-log-management-program","What gets logged in a log management program?",[37,7113,7114],{},"Effective log management covers:",[200,7116,7117,7123,7129,7134,7140,7146],{},[68,7118,7119,7122],{},[71,7120,7121],{},"Authentication events"," — successful and failed login attempts, password changes, MFA challenges",[68,7124,7125,7128],{},[71,7126,7127],{},"Authorization events"," — access grants, denials, privilege escalations",[68,7130,7131,7133],{},[71,7132,4874],{}," — configuration changes, service starts and stops, errors",[68,7135,7136,7139],{},[71,7137,7138],{},"Network events"," — firewall decisions, DNS queries, connection attempts",[68,7141,7142,7145],{},[71,7143,7144],{},"Application events"," — user actions, API calls, data access patterns",[68,7147,7148,7150],{},[71,7149,4898],{}," — malware detections, vulnerability scan results, intrusion alerts",[860,7152,7154],{"id":7153},"what-is-log-management-architecture","What is log management architecture?",[37,7156,7157],{},"A mature log management program combines multiple components into a pipeline that moves raw event data from source to searchable, retained storage.",[6526,7159,7161],{"id":7160},"log-sources","Log sources",[37,7163,7164],{},"Logs originate from every layer of the technology stack:",[200,7166,7167,7173,7179,7185,7191,7197],{},[68,7168,7169,7172],{},[71,7170,7171],{},"Servers and operating systems"," — Linux auth logs, Windows Event Log, macOS Unified Log",[68,7174,7175,7178],{},[71,7176,7177],{},"Cloud platforms"," — AWS CloudTrail, Azure Activity Log, GCP Admin Activity audit logs",[68,7180,7181,7184],{},[71,7182,7183],{},"SaaS applications"," — Microsoft 365 Unified Audit Log, Google Workspace audit logs, Salesforce event monitoring",[68,7186,7187,7190],{},[71,7188,7189],{},"Endpoints"," — EDR telemetry, local application logs, 
mobile device management events",[68,7192,7193,7196],{},[71,7194,7195],{},"Network devices"," — firewalls, routers, switches, load balancers, VPN concentrators",[68,7198,7199,7202],{},[71,7200,7201],{},"Security tools"," — IDS\u002FIPS alerts, vulnerability scanners, DLP engines, email gateways",[6526,7204,7206],{"id":7205},"collection-methods","Collection methods",[37,7208,7209],{},"Getting logs from source to a central platform requires reliable collection mechanisms:",[200,7211,7212,7218,7224,7230,7236],{},[68,7213,7214,7217],{},[71,7215,7216],{},"Agents"," — lightweight forwarders installed on hosts (Fluentd, Filebeat, NXLog, Splunk Universal Forwarder) that ship logs in near real time",[68,7219,7220,7223],{},[71,7221,7222],{},"Syslog"," — the legacy standard (RFC 5424) still widely used by network devices; syslog-ng and rsyslog add filtering and reliable delivery",[68,7225,7226,7229],{},[71,7227,7228],{},"API polling"," — scheduled calls to SaaS and cloud provider APIs to pull audit logs (e.g., Microsoft Graph API, AWS CloudTrail Lake queries)",[68,7231,7232,7235],{},[71,7233,7234],{},"Cloud-native streams"," — managed pipelines like AWS Kinesis Data Firehose, Azure Event Hubs, or GCP Pub\u002FSub that deliver logs without managing agents",[68,7237,7238,7241],{},[71,7239,7240],{},"Webhooks"," — event-driven push from SaaS applications that support real-time notification (Slack audit API, GitHub audit log streaming)",[6526,7243,7245],{"id":7244},"centralization","Centralization",[37,7247,7248],{},"Logs are only useful when they are searchable in one place:",[200,7250,7251,7257,7263,7269],{},[68,7252,7253,7256],{},[71,7254,7255],{},"Commercial SIEM"," — Splunk Enterprise Security, Microsoft Sentinel, IBM QRadar provide correlation, detection rules, and case management",[68,7258,7259,7262],{},[71,7260,7261],{},"Cloud-native logging"," — AWS CloudWatch Logs, Azure Monitor, Google Cloud Logging offer tight integration with their respective 
platforms",[68,7264,7265,7268],{},[71,7266,7267],{},"Open-source stacks"," — the Elastic Stack (Elasticsearch, Logstash, Kibana), Grafana Loki, and OpenSearch provide cost-effective alternatives with community-driven detection content",[68,7270,7271,7274],{},[71,7272,7273],{},"Security data lakes"," — Snowflake, Amazon Security Lake, and similar platforms store massive volumes at low cost using the Open Cybersecurity Schema Framework (OCSF) for normalization",[6526,7276,7278],{"id":7277},"storage-tiers","Storage tiers",[37,7280,7281],{},"Log storage strategies balance search speed against cost and compliance retention:",[200,7283,7284,7290,7296,7302],{},[68,7285,7286,7289],{},[71,7287,7288],{},"Hot storage"," — fully indexed, real-time searchable data for active investigations and alerting (typically 30–90 days)",[68,7291,7292,7295],{},[71,7293,7294],{},"Warm storage"," — recent history available for on-demand search with slightly slower query times (typically 90 days to 12 months)",[68,7297,7298,7301],{},[71,7299,7300],{},"Cold storage"," — compressed, archived logs in object storage (S3, Azure Blob, GCS) retained for compliance and forensic purposes (1–7 years depending on framework requirements)",[68,7303,7304,7307],{},[71,7305,7306],{},"Immutable storage"," — write-once, read-many storage that prevents tampering, critical for audit trail integrity and legal hold requirements",[860,7309,7311],{"id":7310},"what-are-the-log-retention-requirements","What are the log retention requirements?",[37,7313,7314],{},"Different compliance frameworks set varying expectations for how long logs must be kept. 
The table below summarizes key requirements:",[2387,7316,7317,7329],{},[2390,7318,7319],{},[2393,7320,7321,7323,7326],{},[2396,7322,6069],{},[2396,7324,7325],{},"Minimum retention",[2396,7327,7328],{},"Key requirements",[2406,7330,7331,7341,7351,7360,7370],{},[2393,7332,7333,7335,7338],{},[2411,7334,44],{},[2411,7336,7337],{},"12 months (3 months immediately available)",[2411,7339,7340],{},"Req 10.7 — retain audit trail history",[2393,7342,7343,7345,7348],{},[2411,7344,4212],{},[2411,7346,7347],{},"Based on risk assessment",[2411,7349,7350],{},"CC7.2 — monitor system components",[2393,7352,7353,7355,7357],{},[2411,7354,4221],{},[2411,7356,7347],{},[2411,7358,7359],{},"A.8.15 — log retention policy required",[2393,7361,7362,7364,7367],{},[2411,7363,4235],{},[2411,7365,7366],{},"6 years for policies; log retention not specified but implied",[2411,7368,7369],{},"Audit controls for ePHI access",[2393,7371,7372,7374,7377],{},[2411,7373,4256],{},[2411,7375,7376],{},"Based on organizational needs",[2411,7378,7379],{},"DE.CM — continuous monitoring",[37,7381,7382],{},"Organizations subject to multiple frameworks should align retention to the most stringent requirement. For most companies handling payment card data alongside health information, a 12-month hot\u002Fwarm retention period with 6-year cold archival provides adequate coverage.",[860,7384,7386],{"id":7385},"what-should-you-alert-on-in-log-management","What should you alert on in log management?",[37,7388,7389],{},"Collecting logs without monitoring them defeats the purpose. 
Effective alerting focuses on high-fidelity signals across several categories:",[6526,7391,7393],{"id":7392},"authentication-anomalies","Authentication anomalies",[200,7395,7396,7399,7402,7405],{},[68,7397,7398],{},"Brute-force attempts — multiple failed logins against the same account within a short window",[68,7400,7401],{},"Impossible travel — successful logins from geographically distant locations within an implausible time frame",[68,7403,7404],{},"New device or location — first-time access from an unrecognized device, IP range, or country",[68,7406,7407],{},"Credential stuffing patterns — failed logins across many accounts from a small set of source IPs",[6526,7409,7411],{"id":7410},"privilege-escalation","Privilege escalation",[200,7413,7414,7417,7420,7423],{},[68,7415,7416],{},"Sudo or run-as usage outside of expected maintenance windows",[68,7418,7419],{},"Admin role assignments or membership changes in identity providers (Azure AD, Okta, Google Workspace)",[68,7421,7422],{},"Permission changes on sensitive resources — S3 bucket policies, database grants, file share ACLs",[68,7424,7425],{},"Service account creation or key generation",[6526,7427,7429],{"id":7428},"data-exfiltration-signals","Data exfiltration signals",[200,7431,7432,7435,7438,7441],{},[68,7433,7434],{},"Unusual download volumes — user downloading significantly more data than their baseline",[68,7436,7437],{},"Access outside business hours — especially to sensitive repositories, databases, or file shares",[68,7439,7440],{},"Mass file access — sequential reads across large numbers of records in short succession",[68,7442,7443],{},"Outbound data transfers to uncommon destinations — cloud storage services, personal email, file-sharing sites",[6526,7445,7447],{"id":7446},"configuration-changes","Configuration changes",[200,7449,7450,7453,7456,7459],{},[68,7451,7452],{},"Firewall rule modifications — new allow rules, disabled security groups, removed deny entries",[68,7454,7455],{},"Security 
group changes in cloud environments — opening ports, widening IP ranges",[68,7457,7458],{},"IAM policy changes — new inline policies, permission boundary modifications, role trust policy updates",[68,7460,7461],{},"DNS changes — new records, zone transfers, nameserver modifications",[6526,7463,7465],{"id":7464},"compliance-specific-events","Compliance-specific events",[200,7467,7468,7475,7482,7485],{},[68,7469,7470,7471,7474],{},"Access to ",[41,7472,7473],{"href":43},"cardholder data"," environments — any read, write, or copy operation",[68,7476,7477,7478,7481],{},"PHI access in ",[41,7479,4235],{"href":7480},"\u002Fglossary\u002Fhipaa","-regulated systems — views, exports, or modifications of protected health information",[68,7483,7484],{},"Encryption key operations — key creation, rotation, deletion, or export",[68,7486,7487],{},"Audit log access or modification attempts — anyone trying to read, delete, or alter the logs themselves",[860,7489,7491],{"id":7490},"what-are-common-log-management-mistakes","What are common log management mistakes?",[37,7493,7494],{},"Even organizations that invest in logging often fall into patterns that undermine the value of their program:",[65,7496,7497,7503,7509,7515,7521,7527,7533],{},[68,7498,7499,7502],{},[71,7500,7501],{},"Logging too much"," — capturing every debug-level event creates massive storage costs and drowns analysts in noise. Focus on security-relevant events and tune verbosity by source.",[68,7504,7505,7508],{},[71,7506,7507],{},"Logging too little"," — the opposite problem is equally dangerous. Missing authentication events, not capturing cloud control plane activity, or skipping DNS logs leaves blind spots that attackers exploit.",[68,7510,7511,7514],{},[71,7512,7513],{},"Not protecting log integrity"," — if an attacker can delete or modify logs, they can cover their tracks. 
Logs should be forwarded to a separate system with immutable storage, and access to log management platforms should be tightly controlled.",[68,7516,7517,7520],{},[71,7518,7519],{},"No correlation across sources"," — reviewing logs from individual systems in isolation misses the bigger picture. A failed VPN login followed by a successful cloud console login from the same IP tells a story that neither log tells alone.",[68,7522,7523,7526],{},[71,7524,7525],{},"Alert fatigue from untuned rules"," — deploying default SIEM detection rules without tuning them to the environment generates hundreds of false positives per day. Analysts stop investigating, and real incidents get buried.",[68,7528,7529,7532],{},[71,7530,7531],{},"Not testing log pipeline reliability"," — log collection silently fails more often than most teams realize. Agents crash, API tokens expire, syslog forwarding breaks after a network change. Regularly validate that expected log sources are still delivering data.",[68,7534,7535,7538],{},[71,7536,7537],{},"Ignoring time synchronization"," — logs from systems with drifting clocks are nearly impossible to correlate during incident response. 
Enforce NTP across all log sources and normalize timestamps to UTC.",[860,7540,7542],{"id":7541},"how-do-compliance-frameworks-address-log-management","How do compliance frameworks address log management?",[200,7544,7545,7550,7555,7560,7564],{},[68,7546,7547,7549],{},[71,7548,4212],{}," — CC7.1 through CC7.4 require monitoring, detection, and response capabilities that depend on logging",[68,7551,7552,7554],{},[71,7553,4221],{}," — A.8.15 (logging) and A.8.16 (monitoring activities) address log collection and analysis",[68,7556,7557,7559],{},[71,7558,4235],{}," — the Security Rule requires audit controls to record and examine activity in systems containing ePHI",[68,7561,7562,4951],{},[71,7563,44],{},[68,7565,7566,7568],{},[71,7567,4256],{}," — DE.CM (continuous monitoring) and DE.AE (anomaly detection) rely on log data",[860,7570,7572],{"id":7571},"what-are-best-practices-for-log-management","What are best practices for log management?",[200,7574,7575,7578,7581,7584,7587],{},[68,7576,7577],{},"Centralize logs in a SIEM or log aggregation platform for correlation and analysis",[68,7579,7580],{},"Set retention periods that meet both compliance requirements and operational needs (typically 90 days to one year)",[68,7582,7583],{},"Protect log integrity with immutable storage or tamper-evident mechanisms",[68,7585,7586],{},"Establish alerting rules for high-risk events like failed authentication spikes or unauthorized access attempts",[68,7588,7589],{},"Regularly review and tune logging to ensure coverage without excessive noise",[860,7591,7593],{"id":7592},"how-does-episki-help-with-log-management","How does episki help with log management?",[37,7595,7596,7597,79],{},"episki documents log management policies, tracks retention schedules, and links logging controls to evidence for audit readiness. 
Learn more on our ",[41,7598,4589],{"href":4588},{"title":447,"searchDepth":448,"depth":448,"links":7600},[7601],{"id":7103,"depth":448,"text":7104,"children":7602},[7603,7604,7605,7606,7607,7608,7609,7610],{"id":7110,"depth":1179,"text":7111},{"id":7153,"depth":1179,"text":7154},{"id":7310,"depth":1179,"text":7311},{"id":7385,"depth":1179,"text":7386},{"id":7490,"depth":1179,"text":7491},{"id":7541,"depth":1179,"text":7542},{"id":7571,"depth":1179,"text":7572},{"id":7592,"depth":1179,"text":7593},{},"\u002Fglossary\u002Flog-management",[4607,4608,4609,4610,528,4611],[4614,5068,5069],{"title":7616,"description":7617},"What is Log Management? Definition & Compliance Guide","Log management is the process of collecting, storing, and analyzing system activity records to detect security incidents and support compliance audits.","log-management","8.glossary\u002Flog-management","B9IH1ixHXCqDKqAdQBwGDpwLFnfLwuxW5KyltQCbFmk",{"id":7622,"title":7623,"body":7624,"description":447,"extension":473,"lastUpdated":819,"meta":7742,"navigation":510,"path":7743,"relatedFrameworks":7744,"relatedTerms":7745,"seo":7746,"slug":7749,"stem":7750,"term":7629,"__hash__":7751},"glossary\u002F8.glossary\u002Fmalware.md","Malware",{"type":29,"value":7625,"toc":7734},[7626,7630,7633,7637,7675,7679,7701,7705,7725,7729],[32,7627,7629],{"id":7628},"what-is-malware","What is Malware?",[37,7631,7632],{},"Malware (malicious software) is any software intentionally designed to damage, disrupt, or gain unauthorized access to computer systems, networks, or data. 
Malware is one of the most persistent threats organizations face and a primary driver behind many compliance requirements for endpoint protection and monitoring.",[860,7634,7636],{"id":7635},"what-are-the-types-of-malware","What are the types of malware?",[200,7638,7639,7645,7651,7657,7663,7669],{},[68,7640,7641,7644],{},[71,7642,7643],{},"Viruses"," — attach to legitimate programs and spread when the infected program runs",[68,7646,7647,7650],{},[71,7648,7649],{},"Ransomware"," — encrypts data and demands payment for the decryption key",[68,7652,7653,7656],{},[71,7654,7655],{},"Trojans"," — disguise themselves as legitimate software to trick users into installation",[68,7658,7659,7662],{},[71,7660,7661],{},"Spyware"," — silently collects information about user activity and sends it to an attacker",[68,7664,7665,7668],{},[71,7666,7667],{},"Worms"," — self-replicate across networks without requiring user interaction",[68,7670,7671,7674],{},[71,7672,7673],{},"Rootkits"," — hide deep within the operating system to maintain persistent, undetected access",[860,7676,7678],{"id":7677},"how-do-compliance-frameworks-address-malware-protection","How do compliance frameworks address malware protection?",[200,7680,7681,7686,7691,7696],{},[68,7682,7683,7685],{},[71,7684,4212],{}," — CC6.8 requires controls to prevent and detect malicious software",[68,7687,7688,7690],{},[71,7689,4221],{}," — A.8.7 addresses protection against malware",[68,7692,7693,7695],{},[71,7694,44],{}," — Requirement 5 mandates deploying anti-malware solutions on all commonly affected systems",[68,7697,7698,7700],{},[71,7699,4256],{}," — DE.CM-4 specifically addresses malicious code detection",[860,7702,7704],{"id":7703},"what-are-common-malware-defense-strategies","What are common malware defense strategies?",[200,7706,7707,7710,7713,7716,7719,7722],{},[68,7708,7709],{},"Deploy endpoint detection and response (EDR) tools across all endpoints",[68,7711,7712],{},"Keep operating systems and applications 
patched and up to date",[68,7714,7715],{},"Implement email filtering to block phishing and malicious attachments",[68,7717,7718],{},"Restrict administrative privileges to reduce malware installation risk",[68,7720,7721],{},"Train employees to recognize social engineering and phishing attempts",[68,7723,7724],{},"Maintain tested backup and recovery procedures to mitigate ransomware impact",[860,7726,7728],{"id":7727},"how-does-episki-help-with-malware","How does episki help with malware?",[37,7730,7731,7732,79],{},"episki tracks anti-malware controls, monitors policy compliance, and documents endpoint protection evidence for auditors. Learn more on our ",[41,7733,4589],{"href":4588},{"title":447,"searchDepth":448,"depth":448,"links":7735},[7736],{"id":7628,"depth":448,"text":7629,"children":7737},[7738,7739,7740,7741],{"id":7635,"depth":1179,"text":7636},{"id":7677,"depth":1179,"text":7678},{"id":7703,"depth":1179,"text":7704},{"id":7727,"depth":1179,"text":7728},{},"\u002Fglossary\u002Fmalware",[4607,4608,4609,528,4611],[5069,828,5068],{"title":7747,"description":7748},"What is Malware? Definition & Compliance Guide","Malware is malicious software designed to damage, disrupt, or gain unauthorized access to systems. It includes viruses, ransomware, spyware, and trojans.","malware","8.glossary\u002Fmalware","YC-GrrHk9-an6NjJOaLQttw4tAbXovhasUaJzWZ9d-4",{"id":7753,"title":7754,"body":7755,"description":447,"extension":473,"lastUpdated":819,"meta":7864,"navigation":510,"path":7865,"relatedFrameworks":7866,"relatedTerms":7867,"seo":7868,"slug":7871,"stem":7872,"term":7760,"__hash__":7873},"glossary\u002F8.glossary\u002Fmonitoring.md","Monitoring",{"type":29,"value":7756,"toc":7856},[7757,7761,7764,7768,7800,7804,7826,7830,7847,7851],[32,7758,7760],{"id":7759},"what-is-monitoring","What is Monitoring?",[37,7762,7763],{},"Monitoring is the continuous observation of systems, networks, and controls to detect threats, unusual activity, or compliance gaps in real time. 
In a security and compliance context, monitoring goes beyond uptime checks — it encompasses the processes and tools that ensure an organization's security posture remains effective over time.",[860,7765,7767],{"id":7766},"what-are-the-types-of-monitoring","What are the types of monitoring?",[200,7769,7770,7776,7782,7788,7794],{},[68,7771,7772,7775],{},[71,7773,7774],{},"Security monitoring"," — detecting threats, intrusions, and malicious activity through SIEM tools, IDS\u002FIPS, and endpoint detection",[68,7777,7778,7781],{},[71,7779,7780],{},"Compliance monitoring"," — tracking whether controls are operating effectively and whether the organization remains aligned with framework requirements",[68,7783,7784,7787],{},[71,7785,7786],{},"Infrastructure monitoring"," — observing system health, performance, and availability across servers, networks, and cloud services",[68,7789,7790,7793],{},[71,7791,7792],{},"User activity monitoring"," — tracking user behavior to detect insider threats, policy violations, or compromised accounts",[68,7795,7796,7799],{},[71,7797,7798],{},"Vulnerability monitoring"," — continuously scanning for known vulnerabilities across the technology stack",[860,7801,7803],{"id":7802},"how-do-compliance-frameworks-address-monitoring","How do compliance frameworks address monitoring?",[200,7805,7806,7811,7816,7821],{},[68,7807,7808,7810],{},[71,7809,4212],{}," — CC7.1 requires the use of detection and monitoring activities to identify anomalies",[68,7812,7813,7815],{},[71,7814,4221],{}," — A.8.16 covers monitoring activities across networks and systems",[68,7817,7818,7820],{},[71,7819,44],{}," — Requirements 10 and 11 address logging, monitoring, and regular security testing",[68,7822,7823,7825],{},[71,7824,4256],{}," — the Detect function (DE.CM, DE.AE) is entirely focused on continuous monitoring and anomaly detection",[860,7827,7829],{"id":7828},"what-are-best-practices-for-monitoring","What are best practices for 
monitoring?",[200,7831,7832,7835,7838,7841,7844],{},[68,7833,7834],{},"Define clear thresholds and alerting rules to minimize alert fatigue",[68,7836,7837],{},"Centralize monitoring data for correlation across systems",[68,7839,7840],{},"Establish escalation procedures so alerts lead to timely investigation",[68,7842,7843],{},"Review and tune monitoring rules regularly as the environment changes",[68,7845,7846],{},"Document monitoring coverage and gaps as part of risk assessments",[860,7848,7850],{"id":7849},"how-does-episki-help-with-monitoring","How does episki help with monitoring?",[37,7852,7853,7854,79],{},"episki tracks monitoring controls, documents coverage, and links monitoring evidence to framework requirements for continuous audit readiness. Learn more on our ",[41,7855,4589],{"href":4588},{"title":447,"searchDepth":448,"depth":448,"links":7857},[7858],{"id":7759,"depth":448,"text":7760,"children":7859},[7860,7861,7862,7863],{"id":7766,"depth":1179,"text":7767},{"id":7802,"depth":1179,"text":7803},{"id":7828,"depth":1179,"text":7829},{"id":7849,"depth":1179,"text":7850},{},"\u002Fglossary\u002Fmonitoring",[4607,4608,4609,528,4611],[5068,7618,5069],{"title":7869,"description":7870},"What is Monitoring? 
Definition & Compliance Guide","Monitoring is the continuous observation of systems and controls to detect threats, unusual activity, or compliance gaps in real time.","monitoring","8.glossary\u002Fmonitoring","QXZ4W_vuU7Y88VE8xwlReLlBVCa0cNFk0XPiqgd_4bc",{"id":7875,"title":7876,"body":7877,"description":447,"extension":473,"lastUpdated":819,"meta":7985,"navigation":510,"path":7986,"relatedFrameworks":7987,"relatedTerms":7988,"seo":7989,"slug":7992,"stem":7993,"term":7882,"__hash__":7994},"glossary\u002F8.glossary\u002Fmulti-factor-authentication.md","Multi Factor Authentication",{"type":29,"value":7878,"toc":7977},[7879,7883,7886,7890,7893,7913,7917,7920,7947,7951,7968,7972],[32,7880,7882],{"id":7881},"what-is-multi-factor-authentication","What is Multi-Factor Authentication?",[37,7884,7885],{},"Multi-Factor Authentication (MFA) is a security mechanism that requires users to verify their identity using two or more independent factors before gaining access to a system or application. By combining multiple factors, MFA significantly reduces the risk of unauthorized access even if one factor (such as a password) is compromised.",[860,7887,7889],{"id":7888},"what-are-the-authentication-factors-used-in-mfa","What are the authentication factors used in MFA?",[37,7891,7892],{},"MFA combines factors from different categories:",[200,7894,7895,7901,7907],{},[68,7896,7897,7900],{},[71,7898,7899],{},"Something you know"," — passwords, PINs, security questions",[68,7902,7903,7906],{},[71,7904,7905],{},"Something you have"," — mobile phones (SMS or authenticator apps), hardware tokens, smart cards",[68,7908,7909,7912],{},[71,7910,7911],{},"Something you are"," — biometrics such as fingerprints, facial recognition, or iris scans",[860,7914,7916],{"id":7915},"how-do-compliance-frameworks-address-mfa","How do compliance frameworks address MFA?",[37,7918,7919],{},"MFA is required or strongly recommended across all major 
frameworks:",[200,7921,7922,7927,7932,7937,7942],{},[68,7923,7924,7926],{},[71,7925,4212],{}," — CC6.1 requires multi-factor authentication for access to sensitive systems",[68,7928,7929,7931],{},[71,7930,4221],{}," — A.8.5 addresses secure authentication including multi-factor methods",[68,7933,7934,7936],{},[71,7935,4235],{}," — while not explicitly mandating MFA, the Security Rule requires access controls that effectively necessitate it for ePHI systems",[68,7938,7939,7941],{},[71,7940,44],{}," — Requirement 8.3 mandates MFA for all remote access to the cardholder data environment",[68,7943,7944,7946],{},[71,7945,4256],{}," — PR.AC-7 recommends multi-factor authentication as part of identity management",[860,7948,7950],{"id":7949},"what-are-implementation-best-practices","What are implementation best practices?",[200,7952,7953,7956,7959,7962,7965],{},[68,7954,7955],{},"Require MFA for all user accounts, not just administrators",[68,7957,7958],{},"Prefer authenticator apps or hardware tokens over SMS-based codes (which are vulnerable to SIM swapping)",[68,7960,7961],{},"Implement MFA on VPN, cloud console, email, and any system containing sensitive data",[68,7963,7964],{},"Provide backup recovery methods (recovery codes, backup devices) to prevent lockouts",[68,7966,7967],{},"Monitor and alert on MFA bypass attempts or disabled MFA",[860,7969,7971],{"id":7970},"how-does-episki-help-with-mfa","How does episki help with MFA?",[37,7973,7974,7975,79],{},"episki tracks MFA policies, monitors enforcement across systems, and documents MFA evidence for compliance audits. 
Learn more on our ",[41,7976,4589],{"href":4588},{"title":447,"searchDepth":448,"depth":448,"links":7978},[7979],{"id":7881,"depth":448,"text":7882,"children":7980},[7981,7982,7983,7984],{"id":7888,"depth":1179,"text":7889},{"id":7915,"depth":1179,"text":7916},{"id":7949,"depth":1179,"text":7950},{"id":7970,"depth":1179,"text":7971},{},"\u002Fglossary\u002Fmulti-factor-authentication",[4607,4608,4609,4610,528,4611],[4619,7093,3700],{"title":7990,"description":7991},"What is Multi-Factor Authentication (MFA)? Definition & Compliance Guide","Multi-Factor Authentication (MFA) is a login method that requires users to verify their identity using two or more factors, such as a password plus a code sent to their phone.","multi-factor-authentication","8.glossary\u002Fmulti-factor-authentication","UJQZ8l9dqE7trtvjUWb1iVTulmNQa1j2-kVTUOaUB34",{"id":7996,"title":7997,"body":7998,"description":447,"extension":473,"lastUpdated":819,"meta":8118,"navigation":510,"path":8119,"relatedFrameworks":8120,"relatedTerms":8121,"seo":8122,"slug":1583,"stem":8125,"term":8003,"__hash__":8126},"glossary\u002F8.glossary\u002Fnetwork-security.md","Network Security",{"type":29,"value":7999,"toc":8110},[8000,8004,8007,8011,8048,8052,8074,8078,8101,8105],[32,8001,8003],{"id":8002},"what-is-network-security","What is Network Security?",[37,8005,8006],{},"Network security refers to the tools, policies, and practices used to protect the integrity, confidentiality, and availability of a computer network and its data. 
It encompasses both hardware and software technologies as well as the processes organizations use to prevent unauthorized access, misuse, and disruption of network resources.",[860,8008,8010],{"id":8009},"what-are-the-core-components-of-network-security","What are the core components of network security?",[200,8012,8013,8019,8025,8030,8036,8042],{},[68,8014,8015,8018],{},[71,8016,8017],{},"Firewalls"," — filter traffic between trusted and untrusted networks based on security rules",[68,8020,8021,8024],{},[71,8022,8023],{},"Intrusion detection and prevention systems (IDS\u002FIPS)"," — monitor network traffic for suspicious activity and can automatically block threats",[68,8026,8027,8029],{},[71,8028,2748],{}," — divides the network into isolated zones to contain breaches and limit lateral movement",[68,8031,8032,8035],{},[71,8033,8034],{},"Virtual private networks (VPN)"," — encrypt traffic between remote users and the corporate network",[68,8037,8038,8041],{},[71,8039,8040],{},"Network access control (NAC)"," — enforces policies about which devices and users can connect to the network",[68,8043,8044,8047],{},[71,8045,8046],{},"DNS security"," — protects against DNS-based attacks like spoofing and cache poisoning",[860,8049,8051],{"id":8050},"how-do-compliance-frameworks-address-network-security","How do compliance frameworks address network security?",[200,8053,8054,8059,8064,8069],{},[68,8055,8056,8058],{},[71,8057,44],{}," — Requirements 1 and 2 address firewall configuration and secure network architecture",[68,8060,8061,8063],{},[71,8062,4221],{}," — A.8.20 (network security), A.8.21 (security of network services), and A.8.22 (segregation of networks)",[68,8065,8066,8068],{},[71,8067,4212],{}," — CC6.6 requires security controls for network boundaries",[68,8070,8071,8073],{},[71,8072,4256],{}," — PR.AC and PR.PT cover network access control and protective technology",[860,8075,8077],{"id":8076},"what-are-best-practices-for-network-security","What are best 
practices for network security?",[200,8079,8080,8083,8086,8089,8092,8095],{},[68,8081,8082],{},"Implement defense in depth with multiple layers of network controls",[68,8084,8085],{},"Regularly scan for open ports and unnecessary services",[68,8087,8088],{},"Encrypt data in transit using TLS\u002FSSL",[68,8090,8091],{},"Monitor network traffic for anomalies and potential intrusions",[68,8093,8094],{},"Document network architecture and maintain up-to-date network diagrams",[68,8096,8097,8098,8100],{},"Conduct regular ",[41,8099,6040],{"href":6039}," to identify network vulnerabilities",[860,8102,8104],{"id":8103},"how-does-episki-help-with-network-security","How does episki help with network security?",[37,8106,8107,8108,79],{},"episki tracks network security controls, links them to framework requirements, and documents evidence like network diagrams and firewall reviews for auditors. Learn more on our ",[41,8109,4589],{"href":4588},{"title":447,"searchDepth":448,"depth":448,"links":8111},[8112],{"id":8002,"depth":448,"text":8003,"children":8113},[8114,8115,8116,8117],{"id":8009,"depth":1179,"text":8010},{"id":8050,"depth":1179,"text":8051},{"id":8076,"depth":1179,"text":8077},{"id":8103,"depth":1179,"text":8104},{},"\u002Fglossary\u002Fnetwork-security",[4607,4608,4609,528,4611],[1582,4619,3700,828],{"title":8123,"description":8124},"What is Network Security? 
Definition & Compliance Guide","Network security refers to the tools, policies, and practices used to protect the integrity and confidentiality of a computer network and its data.","8.glossary\u002Fnetwork-security","X-GwLwvpQPWv1-bV4i1pW3X_eNNKctzmhG2CWCYFOe8",{"id":8128,"title":8129,"body":8130,"description":447,"extension":473,"lastUpdated":819,"meta":8264,"navigation":510,"path":8265,"relatedFrameworks":8266,"relatedTerms":8267,"seo":8268,"slug":8271,"stem":8272,"term":8135,"__hash__":8273},"glossary\u002F8.glossary\u002Foffboarding.md","Offboarding",{"type":29,"value":8131,"toc":8255},[8132,8136,8139,8143,8146,8160,8164,8202,8206,8228,8232,8246,8250],[32,8133,8135],{"id":8134},"what-is-offboarding","What is Offboarding?",[37,8137,8138],{},"Offboarding is the formal process of revoking an employee's or contractor's access to systems, applications, and data when they leave an organization or change roles. A well-executed offboarding process is critical for preventing unauthorized access after separation and is a key control auditors review during compliance assessments.",[860,8140,8142],{"id":8141},"why-does-offboarding-matter","Why does offboarding matter?",[37,8144,8145],{},"Delayed or incomplete offboarding creates significant security risks:",[200,8147,8148,8151,8154,8157],{},[68,8149,8150],{},"Former employees retaining access to sensitive systems and data",[68,8152,8153],{},"Orphaned accounts that attackers can discover and exploit",[68,8155,8156],{},"Shared credentials that remain active after a team member departs",[68,8158,8159],{},"Compliance findings for inadequate access termination procedures",[860,8161,8163],{"id":8162},"what-are-the-key-offboarding-activities","What are the key offboarding activities?",[200,8165,8166,8172,8178,8184,8190,8196],{},[68,8167,8168,8171],{},[71,8169,8170],{},"Disable user accounts"," — immediately deactivate accounts in identity providers (SSO, Active Directory) to cascade access 
revocation",[68,8173,8174,8177],{},[71,8175,8176],{},"Revoke application access"," — remove access to SaaS applications, cloud consoles, code repositories, and internal tools",[68,8179,8180,8183],{},[71,8181,8182],{},"Recover assets"," — collect laptops, mobile devices, badges, hardware tokens, and other company property",[68,8185,8186,8189],{},[71,8187,8188],{},"Transfer ownership"," — reassign shared resources, documents, and project ownership",[68,8191,8192,8195],{},[71,8193,8194],{},"Remove from communication channels"," — remove from email distribution lists, Slack channels, and shared drives",[68,8197,8198,8201],{},[71,8199,8200],{},"Review privileged access"," — ensure any administrative or elevated access is fully revoked",[860,8203,8205],{"id":8204},"how-do-compliance-frameworks-address-offboarding","How do compliance frameworks address offboarding?",[200,8207,8208,8213,8218,8223],{},[68,8209,8210,8212],{},[71,8211,4212],{}," — CC6.2 requires timely revocation of access when personnel leave",[68,8214,8215,8217],{},[71,8216,4221],{}," — A.6.5 covers responsibilities after termination or change of employment",[68,8219,8220,8222],{},[71,8221,4235],{}," — the Security Rule requires procedures for terminating access to ePHI when employment ends",[68,8224,8225,8227],{},[71,8226,44],{}," — Requirement 8.1.3 mandates immediate revocation of access for terminated users",[860,8229,8231],{"id":8230},"what-are-best-practices-for-offboarding","What are best practices for offboarding?",[200,8233,8234,8237,8240,8243],{},[68,8235,8236],{},"Automate offboarding checklists triggered by HR termination events",[68,8238,8239],{},"Set a target of same-day access revocation for all departures",[68,8241,8242],{},"Conduct post-offboarding audits to verify no residual access remains",[68,8244,8245],{},"Document the offboarding process and retain evidence for audit review",[860,8247,8249],{"id":8248},"how-does-episki-help-with-offboarding","How does episki help with 
offboarding?",[37,8251,8252,8253,79],{},"episki tracks offboarding policies, links them to access control evidence, and provides checklists to ensure complete access revocation. Learn more on our ",[41,8254,4589],{"href":4588},{"title":447,"searchDepth":448,"depth":448,"links":8256},[8257],{"id":8134,"depth":448,"text":8135,"children":8258},[8259,8260,8261,8262,8263],{"id":8141,"depth":1179,"text":8142},{"id":8162,"depth":1179,"text":8163},{"id":8204,"depth":1179,"text":8205},{"id":8230,"depth":1179,"text":8231},{"id":8248,"depth":1179,"text":8249},{},"\u002Fglossary\u002Foffboarding",[4608,4609,4610,528],[4619,7093,6422],{"title":8269,"description":8270},"What is Offboarding? Definition & Compliance Guide","Offboarding is the formal process of revoking an employee's or contractor's access to systems and data when they leave an organization.","offboarding","8.glossary\u002Foffboarding","Rz5QFRP5_SeeZAbasnNVFWLvYnrzwxu8rDWO1Kpf4lI",{"id":8275,"title":8276,"body":8277,"description":447,"extension":473,"lastUpdated":819,"meta":8496,"navigation":510,"path":99,"relatedFrameworks":8497,"relatedTerms":8498,"seo":8499,"slug":3699,"stem":8502,"term":8282,"__hash__":8503},"glossary\u002F8.glossary\u002Fpan.md","Pan",{"type":29,"value":8278,"toc":8485},[8279,8283,8286,8290,8293,8313,8317,8320,8343,8346,8350,8353,8359,8373,8379,8385,8389,8392,8412,8415,8419,8422,8446,8450,8453,8473,8476,8480],[32,8280,8282],{"id":8281},"what-is-a-primary-account-number-pan","What is a Primary Account Number (PAN)?",[37,8284,8285],{},"The Primary Account Number (PAN) is the unique number embossed or printed on a payment card (credit or debit card) that identifies the card issuer and the cardholder's account. 
The PAN is the defining data element in PCI DSS — if your systems store, process, or transmit PAN data, PCI DSS requirements apply.",[860,8287,8289],{"id":8288},"what-is-the-structure-of-a-pan","What is the structure of a PAN?",[37,8291,8292],{},"A PAN typically consists of 13 to 19 digits:",[200,8294,8295,8301,8307],{},[68,8296,8297,8300],{},[71,8298,8299],{},"Issuer Identification Number (IIN)"," — the first 6-8 digits identify the card issuer and payment network (e.g., Visa cards start with 4, Mastercard with 51-55 or 2221-2720)",[68,8302,8303,8306],{},[71,8304,8305],{},"Account number"," — the middle digits identify the individual cardholder account",[68,8308,8309,8312],{},[71,8310,8311],{},"Check digit"," — the last digit is calculated using the Luhn algorithm and serves as a validation check",[860,8314,8316],{"id":8315},"how-does-pan-affect-pci-dss-scope","How does PAN affect PCI DSS scope?",[37,8318,8319],{},"The presence of PAN is the primary factor that brings systems into PCI DSS scope. PCI DSS defines cardholder data as:",[200,8321,8322,8327,8333,8338],{},[68,8323,8324,8326],{},[71,8325,100],{}," — always triggers PCI DSS scope",[68,8328,8329,8332],{},[71,8330,8331],{},"Cardholder name"," — protected when stored with PAN",[68,8334,8335,8332],{},[71,8336,8337],{},"Expiration date",[68,8339,8340,8332],{},[71,8341,8342],{},"Service code",[37,8344,8345],{},"If PAN is not stored, processed, or transmitted, the other data elements alone do not trigger PCI DSS requirements. 
This is why many organizations focus on eliminating PAN from their environment wherever possible.",[860,8347,8349],{"id":8348},"how-do-you-protect-pan","How do you protect PAN?",[37,8351,8352],{},"PCI DSS specifies several requirements for protecting PAN:",[37,8354,8355,8358],{},[71,8356,8357],{},"Rendering PAN unreadable when stored"," — PAN must be rendered unreadable anywhere it is stored using one of these methods:",[200,8360,8361,8364,8367,8370],{},[68,8362,8363],{},"One-way hashing with strong cryptography",[68,8365,8366],{},"Truncation (retaining no more than the first 6 and last 4 digits)",[68,8368,8369],{},"Index tokens and pads (tokenization)",[68,8371,8372],{},"Strong cryptography with associated key management",[37,8374,8375,8378],{},[71,8376,8377],{},"Masking PAN when displayed"," — PAN must be masked when displayed, showing no more than the first 6 and last 4 digits. Only personnel with a legitimate business need should see more than the masked PAN.",[37,8380,8381,8384],{},[71,8382,8383],{},"Encrypting PAN in transit"," — PAN must be encrypted when transmitted across open, public networks using strong cryptography.",[860,8386,8388],{"id":8387},"what-is-the-difference-between-pan-and-sensitive-authentication-data","What is the difference between PAN and sensitive authentication data?",[37,8390,8391],{},"PCI DSS distinguishes between cardholder data (which includes PAN) and sensitive authentication data:",[200,8393,8394,8400,8406],{},[68,8395,8396,8399],{},[71,8397,8398],{},"Full track data"," — magnetic stripe or chip data",[68,8401,8402,8405],{},[71,8403,8404],{},"CAV2\u002FCVC2\u002FCVV2\u002FCID"," — the card verification code",[68,8407,8408,8411],{},[71,8409,8410],{},"PIN\u002FPIN block"," — personal identification number",[37,8413,8414],{},"Sensitive authentication data must never be stored after authorization, even if encrypted. 
This is stricter than PAN storage rules, which permit storage if the PAN is rendered unreadable.",[860,8416,8418],{"id":8417},"how-do-you-minimize-pan-exposure","How do you minimize PAN exposure?",[37,8420,8421],{},"Organizations should minimize PAN exposure through:",[200,8423,8424,8429,8435,8440],{},[68,8425,8426,8428],{},[71,8427,2795],{}," — replace PAN with non-sensitive tokens for downstream processing",[68,8430,8431,8434],{},[71,8432,8433],{},"Point-to-point encryption"," — encrypt PAN from the point of capture to the payment processor",[68,8436,8437,8439],{},[71,8438,2923],{}," — avoid storing PAN when not necessary for business purposes",[68,8441,8442,8445],{},[71,8443,8444],{},"Scope reduction"," — isolate systems that must handle PAN from the rest of the network",[860,8447,8449],{"id":8448},"how-does-data-discovery-support-pan-protection","How does data discovery support PAN protection?",[37,8451,8452],{},"Organizations should regularly scan their environments for unintended PAN storage. PAN can end up in unexpected locations such as:",[200,8454,8455,8458,8461,8464,8467,8470],{},[68,8456,8457],{},"Log files",[68,8459,8460],{},"Email systems",[68,8462,8463],{},"Backup tapes",[68,8465,8466],{},"Test and development environments",[68,8468,8469],{},"Spreadsheets and reports",[68,8471,8472],{},"Helpdesk ticket systems",[37,8474,8475],{},"Data discovery tools that recognize PAN patterns (using the Luhn algorithm) can identify these hidden exposures.",[860,8477,8479],{"id":8478},"how-does-episki-help-with-pan","How does episki help with PAN?",[37,8481,8482,8483,79],{},"episki tracks where PAN exists in your environment, documents protection measures, and monitors compliance with PAN handling requirements. The platform helps you maintain a current inventory of PAN storage locations and flags any gaps in protection. 
Learn more on our ",[41,8484,4823],{"href":511},{"title":447,"searchDepth":448,"depth":448,"links":8486},[8487],{"id":8281,"depth":448,"text":8282,"children":8488},[8489,8490,8491,8492,8493,8494,8495],{"id":8288,"depth":1179,"text":8289},{"id":8315,"depth":1179,"text":8316},{"id":8348,"depth":1179,"text":8349},{"id":8387,"depth":1179,"text":8388},{"id":8417,"depth":1179,"text":8418},{"id":8448,"depth":1179,"text":8449},{"id":8478,"depth":1179,"text":8479},{},[528],[823,1584,95,3700,824],{"title":8500,"description":8501},"PAN (Primary Account Number): PCI DSS Scope & Protection","The PAN is the card number that triggers PCI DSS scope. Learn how to mask, tokenize, and encrypt PAN data to meet PCI DSS requirements.","8.glossary\u002Fpan","FlcQKUGWd0bBXg66e4ctE8t9fskfCazvztWujJSzk3s",{"id":8505,"title":8506,"body":8507,"description":447,"extension":473,"lastUpdated":819,"meta":8660,"navigation":510,"path":43,"relatedFrameworks":8661,"relatedTerms":8662,"seo":8663,"slug":823,"stem":8666,"term":35,"__hash__":8667},"glossary\u002F8.glossary\u002Fpci-dss.md","Pci Dss",{"type":29,"value":8508,"toc":8652},[8509,8511,8514,8518,8521,8547,8550,8553,8612,8616,8619,8643,8647],[32,8510,35],{"id":34},[37,8512,8513],{},"PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements designed to ensure that all organizations that accept, process, store, or transmit credit card information maintain a secure environment. 
It is managed by the PCI Security Standards Council (PCI SSC).",[860,8515,8517],{"id":8516},"what-are-the-12-pci-dss-requirements","What are the 12 PCI DSS requirements?",[37,8519,8520],{},"PCI DSS organizes controls into 12 high-level requirements:",[65,8522,8523,8525,8527,8529,8531,8533,8535,8537,8539,8541,8543,8545],{},[68,8524,73],{},[68,8526,84],{},[68,8528,90],{},[68,8530,106],{},[68,8532,112],{},[68,8534,118],{},[68,8536,124],{},[68,8538,130],{},[68,8540,136],{},[68,8542,142],{},[68,8544,148],{},[68,8546,154],{},[860,8548,478],{"id":8549},"what-are-the-pci-dss-compliance-levels",[37,8551,8552],{},"PCI DSS defines four merchant levels based on annual transaction volume:",[2387,8554,8555,8568],{},[2390,8556,8557],{},[2393,8558,8559,8562,8565],{},[2396,8560,8561],{},"Level",[2396,8563,8564],{},"Transactions per year",[2396,8566,8567],{},"Validation",[2406,8569,8570,8581,8592,8602],{},[2393,8571,8572,8575,8578],{},[2411,8573,8574],{},"1",[2411,8576,8577],{},"Over 6 million",[2411,8579,8580],{},"Annual on-site audit by QSA",[2393,8582,8583,8586,8589],{},[2411,8584,8585],{},"2",[2411,8587,8588],{},"1-6 million",[2411,8590,8591],{},"Annual SAQ + quarterly network scan",[2393,8593,8594,8597,8600],{},[2411,8595,8596],{},"3",[2411,8598,8599],{},"20,000-1 million (e-commerce)",[2411,8601,8591],{},[2393,8603,8604,8607,8610],{},[2411,8605,8606],{},"4",[2411,8608,8609],{},"Under 20,000 (e-commerce) or up to 1 million (other)",[2411,8611,8591],{},[860,8613,8615],{"id":8614},"what-is-new-in-pci-dss-40","What is new in PCI DSS 4.0?",[37,8617,8618],{},"Version 4.0, released in March 2022, introduced significant changes:",[200,8620,8621,8626,8631,8637],{},[68,8622,8623,8625],{},[71,8624,2283],{}," — organizations can meet objectives with alternative controls if they can demonstrate equivalent security",[68,8627,8628,8630],{},[71,8629,2289],{}," — more flexibility in defining control frequencies based on risk",[68,8632,8633,8636],{},[71,8634,8635],{},"Enhanced authentication"," 
— multi-factor authentication required for all access to the cardholder data environment",[68,8638,8639,8642],{},[71,8640,8641],{},"Expanded scope"," — additional requirements for e-commerce, phishing protections, and automated log reviews",[860,8644,8646],{"id":8645},"how-does-episki-help-with-pci-dss","How does episki help with PCI DSS?",[37,8648,8649,8650,79],{},"episki maps controls to PCI DSS requirements, tracks evidence for QSA reviews, and connects cardholder data environment documentation to relevant controls. Learn more on our ",[41,8651,4823],{"href":511},{"title":447,"searchDepth":448,"depth":448,"links":8653},[8654],{"id":34,"depth":448,"text":35,"children":8655},[8656,8657,8658,8659],{"id":8516,"depth":1179,"text":8517},{"id":8549,"depth":1179,"text":478},{"id":8614,"depth":1179,"text":8615},{"id":8645,"depth":1179,"text":8646},{},[528],[2136,2135,822,1584,95],{"title":8664,"description":8665},"What is PCI DSS? Payment Card Compliance Explained","PCI DSS is the security standard for organizations that handle credit card data. Learn about compliance levels, requirements, and what changed in PCI DSS 4.0.","8.glossary\u002Fpci-dss","04BQ4jnTGUK4b8xsKhVX0TesFlkRePr82-ayCBuUDgI",{"id":8669,"title":8670,"body":8671,"description":447,"extension":473,"lastUpdated":819,"meta":8908,"navigation":510,"path":279,"relatedFrameworks":8909,"relatedTerms":8910,"seo":8911,"slug":824,"stem":8914,"term":8676,"__hash__":8915},"glossary\u002F8.glossary\u002Fpci-scope.md","Pci Scope",{"type":29,"value":8672,"toc":8898},[8673,8677,8680,8684,8687,8692,8706,8711,8725,8730,8744,8748,8751,8795,8799,8802,8830,8834,8837,8868,8872,8875,8889,8893],[32,8674,8676],{"id":8675},"what-is-pci-scope","What is PCI Scope?",[37,8678,8679],{},"PCI scope refers to the collection of systems, people, processes, and technologies that are subject to PCI DSS requirements for a given assessment. 
Accurately defining scope is one of the most consequential decisions in PCI DSS compliance — it determines the extent of controls required, the volume of evidence to collect, and the cost of the assessment.",[860,8681,8683],{"id":8682},"what-falls-in-pci-dss-scope","What falls in PCI DSS scope?",[37,8685,8686],{},"PCI DSS scope includes three categories of systems:",[37,8688,8689,8691],{},[71,8690,2726],{}," — systems that directly store, process, or transmit cardholder data:",[200,8693,8694,8697,8700,8703],{},[68,8695,8696],{},"Payment processing servers",[68,8698,8699],{},"Databases containing PAN",[68,8701,8702],{},"Point-of-sale terminals",[68,8704,8705],{},"Payment applications",[37,8707,8708,8710],{},[71,8709,2733],{}," — systems that connect to or could affect the security of the CDE:",[200,8712,8713,8716,8719,8722],{},[68,8714,8715],{},"Firewalls and routers protecting the CDE",[68,8717,8718],{},"Authentication and directory servers used by CDE systems",[68,8720,8721],{},"Security monitoring systems (SIEM, IDS\u002FIPS)",[68,8723,8724],{},"Administrative workstations used to manage CDE systems",[37,8726,8727,8729],{},[71,8728,2740],{}," — systems that could impact the security of the CDE even without direct connectivity:",[200,8731,8732,8735,8738,8741],{},[68,8733,8734],{},"DNS servers",[68,8736,8737],{},"NTP servers",[68,8739,8740],{},"Patch management systems",[68,8742,8743],{},"Configuration management tools",[860,8745,8747],{"id":8746},"what-is-the-pci-scoping-methodology","What is the PCI scoping methodology?",[37,8749,8750],{},"Defining PCI scope follows a structured approach:",[65,8752,8753,8759,8765,8771,8777,8783,8789],{},[68,8754,8755,8758],{},[71,8756,8757],{},"Identify all cardholder data flows"," — trace every path that cardholder data takes through your environment",[68,8760,8761,8764],{},[71,8762,8763],{},"Identify all data storage"," — locate every place where cardholder data is stored, including backups and 
logs",[68,8766,8767,8770],{},[71,8768,8769],{},"Identify all processing systems"," — document every system that processes cardholder data",[68,8772,8773,8776],{},[71,8774,8775],{},"Map network connectivity"," — determine which systems have network access to the CDE",[68,8778,8779,8782],{},[71,8780,8781],{},"Identify supporting systems"," — find systems that provide security services or administration to the CDE",[68,8784,8785,8788],{},[71,8786,8787],{},"Document scope boundaries"," — clearly define what is in scope and what is out of scope",[68,8790,8791,8794],{},[71,8792,8793],{},"Validate with data discovery"," — use tools to verify that cardholder data does not exist outside the defined scope",[860,8796,8798],{"id":8797},"how-do-you-reduce-scope","How do you reduce scope?",[37,8800,8801],{},"Scope reduction is a primary strategy for managing PCI DSS compliance costs and complexity:",[200,8803,8804,8809,8814,8819,8824],{},[68,8805,8806,8808],{},[71,8807,2748],{}," — isolate the CDE on dedicated network segments, preventing other systems from being in scope",[68,8810,8811,8813],{},[71,8812,2795],{}," — replace PAN with tokens so downstream systems never handle actual cardholder data",[68,8815,8816,8818],{},[71,8817,8433],{}," — encrypt cardholder data from the point of interaction, reducing the number of systems that handle unencrypted data",[68,8820,8821,8823],{},[71,8822,5212],{}," — shift payment processing to PCI-compliant third-party providers",[68,8825,8826,8829],{},[71,8827,8828],{},"Eliminating unnecessary storage"," — stop storing cardholder data that is not required for business purposes",[860,8831,8833],{"id":8832},"what-are-common-scoping-mistakes","What are common scoping mistakes?",[37,8835,8836],{},"Organizations frequently make errors that expand scope unnecessarily:",[200,8838,8839,8844,8850,8856,8862],{},[68,8840,8841,8843],{},[71,8842,1495],{}," — without proper segmentation, the entire network may be in 
scope",[68,8845,8846,8849],{},[71,8847,8848],{},"Unnecessary data retention"," — storing PAN when it is no longer needed",[68,8851,8852,8855],{},[71,8853,8854],{},"Shared infrastructure"," — running CDE systems on shared infrastructure with non-CDE systems",[68,8857,8858,8861],{},[71,8859,8860],{},"Overlooked data locations"," — PAN in log files, test environments, or email",[68,8863,8864,8867],{},[71,8865,8866],{},"Incomplete flow diagrams"," — missing data flows that bring additional systems into scope",[860,8869,8871],{"id":8870},"how-do-you-validate-pci-scope","How do you validate PCI scope?",[37,8873,8874],{},"PCI DSS requires organizations to confirm their scope at least annually and after any significant changes. A QSA or ISA should review and validate scope as part of each assessment. Scope validation includes:",[200,8876,8877,8880,8883,8886],{},[68,8878,8879],{},"Reviewing data flow diagrams for accuracy",[68,8881,8882],{},"Confirming network segmentation controls",[68,8884,8885],{},"Performing data discovery scans",[68,8887,8888],{},"Verifying that scope documentation reflects the current environment",[860,8890,8892],{"id":8891},"how-does-episki-help-with-pci-scope","How does episki help with PCI scope?",[37,8894,8895,8896,79],{},"episki maintains your PCI scope documentation including data flow diagrams, system inventories, and segmentation records. The platform flags changes that could affect scope and prompts validation reviews. Learn more on our ",[41,8897,4823],{"href":511},{"title":447,"searchDepth":448,"depth":448,"links":8899},[8900],{"id":8675,"depth":448,"text":8676,"children":8901},[8902,8903,8904,8905,8906,8907],{"id":8682,"depth":1179,"text":8683},{"id":8746,"depth":1179,"text":8747},{"id":8797,"depth":1179,"text":8798},{"id":8832,"depth":1179,"text":8833},{"id":8870,"depth":1179,"text":8871},{"id":8891,"depth":1179,"text":8892},{},[528],[823,1584,3699,95,2135],{"title":8912,"description":8913},"What is PCI Scope? 
Definition & Compliance Guide","PCI scope defines which systems, people, and processes are subject to PCI DSS requirements. Learn how to accurately determine and reduce your PCI scope.","8.glossary\u002Fpci-scope","bLRhCfwv8W5lhV_xP4BB1TxwiPzNpYGtxUFAbmM-HHo",{"id":8917,"title":8918,"body":8919,"description":447,"extension":473,"lastUpdated":819,"meta":9160,"navigation":510,"path":6039,"relatedFrameworks":9161,"relatedTerms":9162,"seo":9164,"slug":828,"stem":9167,"term":8924,"__hash__":9168},"glossary\u002F8.glossary\u002Fpenetration-testing.md","Penetration Testing",{"type":29,"value":8920,"toc":9150},[8921,8925,8928,8932,8935,8940,8984,8989,9009,9013,9016,9064,9068,9071,9093,9097,9117,9121,9124,9141,9145],[32,8922,8924],{"id":8923},"what-is-penetration-testing","What is Penetration Testing?",[37,8926,8927],{},"Penetration testing (pen testing) is a controlled, simulated cyberattack conducted by security professionals to identify vulnerabilities and weaknesses in an organization's systems, networks, and applications before malicious actors can exploit them. 
Unlike automated vulnerability scanning, penetration testing involves manual techniques, creative thinking, and the ability to chain multiple findings together to demonstrate real-world attack scenarios.",[860,8929,8931],{"id":8930},"what-are-the-types-of-penetration-testing","What are the types of penetration testing?",[37,8933,8934],{},"Penetration tests are categorized by scope and approach:",[37,8936,8937],{},[71,8938,8939],{},"By target:",[200,8941,8942,8948,8954,8960,8966,8972,8978],{},[68,8943,8944,8947],{},[71,8945,8946],{},"External testing"," — targets internet-facing assets such as web applications, APIs, email servers, and firewalls",[68,8949,8950,8953],{},[71,8951,8952],{},"Internal testing"," — simulates an attacker who has gained access to the internal network",[68,8955,8956,8959],{},[71,8957,8958],{},"Web application testing"," — focuses specifically on web application vulnerabilities (injection, authentication flaws, etc.)",[68,8961,8962,8965],{},[71,8963,8964],{},"API testing"," — evaluates the security of application programming interfaces",[68,8967,8968,8971],{},[71,8969,8970],{},"Mobile application testing"," — assesses mobile apps for security weaknesses",[68,8973,8974,8977],{},[71,8975,8976],{},"Wireless testing"," — tests wireless network security",[68,8979,8980,8983],{},[71,8981,8982],{},"Social engineering"," — tests human vulnerabilities through phishing, pretexting, or physical access attempts",[37,8985,8986],{},[71,8987,8988],{},"By knowledge level:",[200,8990,8991,8997,9003],{},[68,8992,8993,8996],{},[71,8994,8995],{},"Black box"," — the tester has no prior knowledge of the target environment, simulating an external attacker",[68,8998,8999,9002],{},[71,9000,9001],{},"White box"," — the tester has full access to source code, architecture documentation, and credentials",[68,9004,9005,9008],{},[71,9006,9007],{},"Gray box"," — the tester has partial knowledge, such as user-level credentials or limited 
documentation",[860,9010,9012],{"id":9011},"what-is-the-penetration-testing-process","What is the penetration testing process?",[37,9014,9015],{},"A professional penetration test follows a structured methodology:",[65,9017,9018,9023,9029,9035,9041,9047,9053,9058],{},[68,9019,9020,9022],{},[71,9021,1942],{}," — define the targets, objectives, rules of engagement, and testing window",[68,9024,9025,9028],{},[71,9026,9027],{},"Reconnaissance"," — gather information about the target through passive and active techniques",[68,9030,9031,9034],{},[71,9032,9033],{},"Vulnerability identification"," — discover potential weaknesses using automated tools and manual analysis",[68,9036,9037,9040],{},[71,9038,9039],{},"Exploitation"," — attempt to exploit identified vulnerabilities to demonstrate real-world impact",[68,9042,9043,9046],{},[71,9044,9045],{},"Post-exploitation"," — if access is gained, assess how far an attacker could go (lateral movement, data access, privilege escalation)",[68,9048,9049,9052],{},[71,9050,9051],{},"Reporting"," — document all findings with severity ratings, evidence, and remediation recommendations",[68,9054,9055,9057],{},[71,9056,2020],{}," — assist the organization in understanding and addressing findings",[68,9059,9060,9063],{},[71,9061,9062],{},"Retest"," — verify that remediation efforts have effectively addressed the vulnerabilities",[860,9065,9067],{"id":9066},"how-do-compliance-frameworks-address-penetration-testing","How do compliance frameworks address penetration testing?",[37,9069,9070],{},"Multiple frameworks require or recommend penetration testing:",[200,9072,9073,9078,9083,9088],{},[68,9074,9075,9077],{},[71,9076,4212],{}," — while not explicitly mandated, penetration testing supports CC7.1 (detection of vulnerabilities) and CC4.1 (monitoring)",[68,9079,9080,9082],{},[71,9081,44],{}," — Requirement 11.4 requires annual penetration testing of the CDE, plus testing after significant changes",[68,9084,9085,9087],{},[71,9086,4256],{}," — 
DE.CM (continuous monitoring) and ID.RA (risk assessment) are supported by penetration testing",[68,9089,9090,9092],{},[71,9091,4221],{}," — control A.8.8 addresses management of technical vulnerabilities, which penetration testing supports",[860,9094,9096],{"id":9095},"how-often-should-penetration-tests-be-performed","How often should penetration tests be performed?",[200,9098,9099,9105,9111],{},[68,9100,9101,9104],{},[71,9102,9103],{},"Annual testing"," is the minimum standard for most compliance frameworks",[68,9106,9107,9110],{},[71,9108,9109],{},"After significant changes"," — major infrastructure changes, application releases, or acquisitions should trigger additional testing",[68,9112,9113,9116],{},[71,9114,9115],{},"Continuous testing programs"," — some organizations implement bug bounty programs or periodic testing throughout the year",[860,9118,9120],{"id":9119},"how-do-you-select-a-penetration-testing-firm","How do you select a penetration testing firm?",[37,9122,9123],{},"When choosing a penetration testing provider:",[200,9125,9126,9129,9132,9135,9138],{},[68,9127,9128],{},"Look for relevant certifications (OSCP, OSCE, CREST, GPEN)",[68,9130,9131],{},"Request sample reports to evaluate reporting quality",[68,9133,9134],{},"Verify the firm carries appropriate insurance",[68,9136,9137],{},"Confirm experience with your technology stack and industry",[68,9139,9140],{},"Ensure clear rules of engagement and communication protocols",[860,9142,9144],{"id":9143},"how-does-episki-help-with-penetration-testing","How does episki help with penetration testing?",[37,9146,9147,9148,79],{},"episki tracks penetration testing schedules, stores reports, and manages remediation of identified findings. The platform links pen test results to compliance framework requirements and monitors remediation progress. 
Learn more on our ",[41,9149,4589],{"href":4588},{"title":447,"searchDepth":448,"depth":448,"links":9151},[9152],{"id":8923,"depth":448,"text":8924,"children":9153},[9154,9155,9156,9157,9158,9159],{"id":8930,"depth":1179,"text":8931},{"id":9011,"depth":1179,"text":9012},{"id":9066,"depth":1179,"text":9067},{"id":9095,"depth":1179,"text":9096},{"id":9119,"depth":1179,"text":9120},{"id":9143,"depth":1179,"text":9144},{},[4607,4608,528,4611],[822,9163,5068,4619],"remediation",{"title":9165,"description":9166},"What is Penetration Testing? Definition & Compliance Guide","Penetration testing is a simulated cyberattack that identifies vulnerabilities in your systems before real attackers can exploit them. Learn the types and process.","8.glossary\u002Fpenetration-testing","-DYPrBzNiyBknfyn7jeCgBrDE39XjynFvEKprLlba4U",{"id":9170,"title":9171,"body":9172,"description":447,"extension":473,"lastUpdated":819,"meta":9365,"navigation":510,"path":179,"relatedFrameworks":9366,"relatedTerms":9367,"seo":9368,"slug":2135,"stem":9371,"term":9177,"__hash__":9372},"glossary\u002F8.glossary\u002Fqsa.md","Qsa",{"type":29,"value":9173,"toc":9355},[9174,9178,9181,9185,9188,9193,9210,9215,9229,9233,9236,9274,9278,9281,9301,9305,9308,9339,9343,9346,9350],[32,9175,9177],{"id":9176},"what-is-a-qualified-security-assessor-qsa","What is a Qualified Security Assessor (QSA)?",[37,9179,9180],{},"A Qualified Security Assessor (QSA) is a security professional employed by a QSA company that has been certified by the PCI Security Standards Council (PCI SSC) to perform on-site PCI DSS assessments. 
QSAs evaluate whether merchants and service providers meet PCI DSS requirements and produce the Report on Compliance (ROC) that documents their findings.",[860,9182,9184],{"id":9183},"what-are-the-qsa-certification-requirements","What are the QSA certification requirements?",[37,9186,9187],{},"To become a QSA, both the individual and their employing organization must meet PCI SSC requirements:",[37,9189,9190],{},[71,9191,9192],{},"QSA company requirements:",[200,9194,9195,9198,9201,9204,9207],{},[68,9196,9197],{},"Apply to and be approved by the PCI SSC",[68,9199,9200],{},"Maintain appropriate insurance coverage",[68,9202,9203],{},"Employ certified QSA individuals",[68,9205,9206],{},"Follow PCI SSC quality assurance procedures",[68,9208,9209],{},"Undergo annual requalification",[37,9211,9212],{},[71,9213,9214],{},"Individual QSA requirements:",[200,9216,9217,9220,9223,9226],{},[68,9218,9219],{},"Complete PCI SSC QSA training and pass the certification exam",[68,9221,9222],{},"Demonstrate relevant information security experience",[68,9224,9225],{},"Maintain the certification through annual requalification and continuing education",[68,9227,9228],{},"Adhere to the PCI SSC Code of Professional Responsibility",[860,9230,9232],{"id":9231},"what-do-qsas-do","What do QSAs do?",[37,9234,9235],{},"During a PCI DSS assessment, a QSA:",[200,9237,9238,9244,9250,9256,9262,9268],{},[68,9239,9240,9243],{},[71,9241,9242],{},"Defines scope"," — works with the organization to identify the cardholder data environment and all connected systems",[68,9245,9246,9249],{},[71,9247,9248],{},"Reviews documentation"," — examines policies, procedures, network diagrams, and data flow diagrams",[68,9251,9252,9255],{},[71,9253,9254],{},"Tests controls"," — verifies that required security controls are in place and operating effectively through observation, interview, and technical testing",[68,9257,9258,9261],{},[71,9259,9260],{},"Identifies gaps"," — documents areas where the organization does 
not meet PCI DSS requirements",[68,9263,9264,9267],{},[71,9265,9266],{},"Produces the ROC"," — creates the formal Report on Compliance documenting the assessment findings",[68,9269,9270,9273],{},[71,9271,9272],{},"Issues the AOC"," — provides the Attestation of Compliance confirming the assessment results",[860,9275,9277],{"id":9276},"when-is-a-qsa-required","When is a QSA required?",[37,9279,9280],{},"Not all organizations need a QSA-led assessment. The requirement depends on transaction volume and payment brand rules:",[200,9282,9283,9289,9295],{},[68,9284,9285,9288],{},[71,9286,9287],{},"Level 1 merchants"," — typically defined as processing over 6 million transactions annually (thresholds vary by payment brand). These merchants must have an annual on-site assessment by a QSA.",[68,9290,9291,9294],{},[71,9292,9293],{},"Level 1 service providers"," — service providers that store, process, or transmit large volumes of cardholder data must also undergo QSA assessments.",[68,9296,9297,9300],{},[71,9298,9299],{},"Lower-level merchants"," — may self-assess using SAQs, though they can optionally engage a QSA for guidance.",[860,9302,9304],{"id":9303},"how-do-you-choose-a-qsa","How do you choose a QSA?",[37,9306,9307],{},"Selecting the right QSA impacts the quality and efficiency of your assessment. 
Consider:",[200,9309,9310,9316,9322,9328,9334],{},[68,9311,9312,9315],{},[71,9313,9314],{},"Industry experience"," — a QSA familiar with your industry understands typical payment flows and common risks",[68,9317,9318,9321],{},[71,9319,9320],{},"Technical depth"," — the QSA should understand modern architectures including cloud, containers, and microservices",[68,9323,9324,9327],{},[71,9325,9326],{},"Communication"," — the QSA should clearly explain findings and work collaboratively, not adversarially",[68,9329,9330,9333],{},[71,9331,9332],{},"Availability"," — confirm the QSA's schedule aligns with your assessment timeline",[68,9335,9336,9338],{},[71,9337,705],{}," — ask for references from organizations of similar size and complexity",[860,9340,9342],{"id":9341},"what-is-the-difference-between-a-qsa-and-an-isa","What is the difference between a QSA and an ISA?",[37,9344,9345],{},"An Internal Security Assessor (ISA) is an alternative for organizations that want to conduct assessments internally. ISAs complete PCI SSC training similar to QSAs but are employed by the organization being assessed. ISAs can perform assessments for their own organization but cannot assess external entities.",[860,9347,9349],{"id":9348},"how-does-episki-help-with-a-qsa","How does episki help with a QSA?",[37,9351,9352,9353,79],{},"episki organizes your PCI DSS controls and evidence in a format aligned with QSA expectations, reducing the time and friction during assessment fieldwork. The platform provides a secure portal for QSA access to documentation and evidence. 
Learn more on our ",[41,9354,4823],{"href":511},{"title":447,"searchDepth":448,"depth":448,"links":9356},[9357],{"id":9176,"depth":448,"text":9177,"children":9358},[9359,9360,9361,9362,9363,9364],{"id":9183,"depth":1179,"text":9184},{"id":9231,"depth":1179,"text":9232},{"id":9276,"depth":1179,"text":9277},{"id":9303,"depth":1179,"text":9304},{"id":9341,"depth":1179,"text":9342},{"id":9348,"depth":1179,"text":9349},{},[528],[823,2136,822,1584,824],{"title":9369,"description":9370},"What is a Qualified Security Assessor (QSA)? Definition & Compliance Guide","A Qualified Security Assessor (QSA) is a PCI SSC-certified professional who conducts on-site PCI DSS assessments. Learn how QSAs work and how to choose one.","8.glossary\u002Fqsa","QUiR54zJ_sm0UuFzITbB89CJ1p694JOhIKyCsVv3h5M",{"id":9374,"title":621,"body":9375,"description":447,"extension":473,"lastUpdated":819,"meta":9652,"navigation":510,"path":9653,"relatedFrameworks":9654,"relatedTerms":9655,"seo":9657,"slug":9163,"stem":9660,"term":9380,"__hash__":9661},"glossary\u002F8.glossary\u002Fremediation.md",{"type":29,"value":9376,"toc":9641},[9377,9381,9384,9388,9391,9455,9459,9462,9511,9515,9518,9556,9560,9563,9584,9588,9591,9608,9611,9615,9632,9636],[32,9378,9380],{"id":9379},"what-is-remediation","What is Remediation?",[37,9382,9383],{},"Remediation is the process of identifying, prioritizing, and resolving security weaknesses, compliance gaps, audit findings, or vulnerabilities in an organization's systems and processes. 
It is a fundamental component of any security program — identifying risks and gaps is only valuable if the organization takes action to address them.",[860,9385,9387],{"id":9386},"where-do-remediation-items-come-from","Where do remediation items come from?",[37,9389,9390],{},"Remediation needs arise from multiple sources:",[200,9392,9393,9407,9416,9422,9431,9437,9443,9449],{},[68,9394,9395,9398,9399,6252,9401,9403,9404,9406],{},[71,9396,9397],{},"Audit findings"," — gaps identified during ",[41,9400,4212],{"href":4211},[41,9402,4221],{"href":4220},", or ",[41,9405,44],{"href":511}," audits",[68,9408,9409,9412,9413],{},[71,9410,9411],{},"Vulnerability scans"," — technical vulnerabilities discovered by automated scanning tools or ",[41,9414,9415],{"href":340},"approved scanning vendors (ASVs)",[68,9417,9418,9421],{},[71,9419,9420],{},"Penetration tests"," — weaknesses identified through manual security testing",[68,9423,9424,9430],{},[71,9425,9426],{},[41,9427,9429],{"href":9428},"\u002Fglossary\u002Frisk-register","Risk assessments"," — risks that require new or improved controls",[68,9432,9433,9436],{},[71,9434,9435],{},"Incident investigations"," — root cause analysis revealing underlying security weaknesses",[68,9438,9439,9442],{},[71,9440,9441],{},"Compliance gap assessments"," — differences between current controls and framework requirements",[68,9444,9445,9448],{},[71,9446,9447],{},"Customer security questionnaires"," — gaps exposed through vendor assessment processes",[68,9450,9451,9454],{},[71,9452,9453],{},"Regulatory changes"," — new requirements that existing controls do not address",[860,9456,9458],{"id":9457},"what-is-the-remediation-process","What is the remediation process?",[37,9460,9461],{},"An effective remediation process follows a structured approach:",[65,9463,9464,9470,9476,9482,9488,9494,9499,9505],{},[68,9465,9466,9469],{},[71,9467,9468],{},"Identification"," — document the gap, vulnerability, or finding with sufficient detail to understand 
the issue",[68,9471,9472,9475],{},[71,9473,9474],{},"Assessment"," — evaluate the severity, risk, and potential impact of the issue",[68,9477,9478,9481],{},[71,9479,9480],{},"Prioritization"," — rank remediation items based on risk severity, exploitability, and business impact",[68,9483,9484,9487],{},[71,9485,9486],{},"Assignment"," — designate a responsible owner for each remediation item",[68,9489,9490,9493],{},[71,9491,9492],{},"Planning"," — define the specific actions needed, required resources, and target completion date",[68,9495,9496,9498],{},[71,9497,5389],{}," — execute the remediation plan",[68,9500,9501,9504],{},[71,9502,9503],{},"Verification"," — confirm that the remediation effectively addresses the issue (through retesting, review, or evidence collection)",[68,9506,9507,9510],{},[71,9508,9509],{},"Documentation"," — record the remediation actions taken and their results",[860,9512,9514],{"id":9513},"how-do-you-prioritize-remediation-items","How do you prioritize remediation items?",[37,9516,9517],{},"Not all remediation items carry equal urgency. 
Common prioritization factors include:",[200,9519,9520,9526,9532,9538,9544,9550],{},[68,9521,9522,9525],{},[71,9523,9524],{},"Severity"," — how significant is the risk or vulnerability (e.g., CVSS score for technical vulnerabilities)",[68,9527,9528,9531],{},[71,9529,9530],{},"Exploitability"," — how easily could the weakness be exploited",[68,9533,9534,9537],{},[71,9535,9536],{},"Business impact"," — what would happen if the weakness were exploited",[68,9539,9540,9543],{},[71,9541,9542],{},"Compliance deadline"," — are there regulatory or contractual deadlines driving urgency",[68,9545,9546,9549],{},[71,9547,9548],{},"Effort required"," — how much work is needed to remediate",[68,9551,9552,9555],{},[71,9553,9554],{},"Dependencies"," — does remediation depend on other work being completed first",[860,9557,9559],{"id":9558},"how-do-you-track-remediation","How do you track remediation?",[37,9561,9562],{},"Effective tracking ensures accountability and progress:",[200,9564,9565,9572,9575,9578,9581],{},[68,9566,9567,9568,9571],{},"Maintain a centralized remediation tracker (often integrated with the ",[41,9569,9570],{"href":9428},"risk register"," or GRC platform)",[68,9573,9574],{},"Set clear deadlines and milestone dates",[68,9576,9577],{},"Send regular reminders to owners",[68,9579,9580],{},"Escalate overdue items to management",[68,9582,9583],{},"Report on remediation metrics (open items, aging, completion rates)",[860,9585,9587],{"id":9586},"how-does-remediation-work-in-audit-contexts","How does remediation work in audit contexts?",[37,9589,9590],{},"During compliance audits, auditors expect to see:",[200,9592,9593,9596,9599,9602,9605],{},[68,9594,9595],{},"A defined process for managing remediation items",[68,9597,9598],{},"Evidence of timely resolution",[68,9600,9601],{},"Follow-up verification that fixes are effective",[68,9603,9604],{},"Escalation procedures for items that miss deadlines",[68,9606,9607],{},"Management oversight of the remediation 
program",[37,9609,9610],{},"Auditors view an organization's ability to remediate findings as an indicator of program maturity. A long list of aging, unresolved findings suggests the compliance program is not being actively managed.",[860,9612,9614],{"id":9613},"what-are-common-challenges-with-remediation","What are common challenges with remediation?",[200,9616,9617,9620,9623,9626,9629],{},[68,9618,9619],{},"Competing priorities between security remediation and business initiatives",[68,9621,9622],{},"Insufficient resources to address all findings in a timely manner",[68,9624,9625],{},"Lack of clear ownership for remediation items",[68,9627,9628],{},"Remediation that addresses symptoms rather than root causes",[68,9630,9631],{},"No verification step to confirm effectiveness",[860,9633,9635],{"id":9634},"how-does-episki-help-with-remediation","How does episki help with remediation?",[37,9637,9638,9639,79],{},"episki provides remediation workflows that track findings from identification through verification. The platform assigns owners, sets deadlines, sends reminders, and reports on progress. Auditors can see the full remediation history for any finding. Learn more on our ",[41,9640,4589],{"href":4588},{"title":447,"searchDepth":448,"depth":448,"links":9642},[9643],{"id":9379,"depth":448,"text":9380,"children":9644},[9645,9646,9647,9648,9649,9650,9651],{"id":9386,"depth":1179,"text":9387},{"id":9457,"depth":1179,"text":9458},{"id":9513,"depth":1179,"text":9514},{"id":9558,"depth":1179,"text":9559},{"id":9586,"depth":1179,"text":9587},{"id":9613,"depth":1179,"text":9614},{"id":9634,"depth":1179,"text":9635},{},"\u002Fglossary\u002Fremediation",[4608,4609,528],[6301,9656,5067,5068,828],"risk-treatment-plan",{"title":9658,"description":9659},"Remediation in Compliance: Definition, Process & Best Practices","Compliance remediation is the process of fixing security gaps and audit findings. 
Learn how to prioritize, track, and close remediation items efficiently.","8.glossary\u002Fremediation","gUhGasusB5qoXZyMJcWGEC3m1KU4Hcwyqjc-ZpOaaho",{"id":9663,"title":9664,"body":9665,"description":447,"extension":473,"lastUpdated":819,"meta":9843,"navigation":510,"path":196,"relatedFrameworks":9844,"relatedTerms":9845,"seo":9846,"slug":2136,"stem":9849,"term":9670,"__hash__":9850},"glossary\u002F8.glossary\u002Fsaq.md","Saq",{"type":29,"value":9666,"toc":9833},[9667,9671,9674,9678,9681,9724,9728,9731,9745,9748,9752,9755,9780,9784,9787,9803,9807,9810,9824,9828],[32,9668,9670],{"id":9669},"what-is-a-self-assessment-questionnaire-saq","What is a Self-Assessment Questionnaire (SAQ)?",[37,9672,9673],{},"A Self-Assessment Questionnaire (SAQ) is a PCI DSS validation tool designed for merchants and service providers who are eligible to self-assess their compliance with the Payment Card Industry Data Security Standard. Instead of undergoing a full on-site audit by a Qualified Security Assessor (QSA), eligible organizations complete an SAQ to document their compliance status.",[860,9675,9677],{"id":9676},"what-are-the-saq-types","What are the SAQ types?",[37,9679,9680],{},"The PCI Security Standards Council provides multiple SAQ types, each designed for a specific merchant or service provider environment:",[200,9682,9683,9688,9693,9698,9703,9708,9713,9719],{},[68,9684,9685,9687],{},[71,9686,206],{}," — for merchants that have fully outsourced all cardholder data functions to PCI-compliant third parties (e-commerce with redirect or iframe)",[68,9689,9690,9692],{},[71,9691,212],{}," — for e-commerce merchants that partially outsource payment processing but whose website may impact transaction security",[68,9694,9695,9697],{},[71,9696,218],{}," — for merchants using only imprint machines or standalone dial-out payment terminals",[68,9699,9700,9702],{},[71,9701,224],{}," — for merchants using standalone PTS-approved payment terminals connected via 
IP",[68,9704,9705,9707],{},[71,9706,236],{}," — for merchants with payment application systems connected to the internet",[68,9709,9710,9712],{},[71,9711,230],{}," — for merchants manually entering single transactions via a virtual terminal on an isolated computer",[68,9714,9715,9718],{},[71,9716,9717],{},"SAQ D"," — the most comprehensive questionnaire, for merchants and service providers that do not qualify for any other SAQ type",[68,9720,9721,9723],{},[71,9722,242],{}," — for merchants using validated point-to-point encryption solutions",[860,9725,9727],{"id":9726},"how-do-you-determine-which-saq-applies","How do you determine which SAQ applies?",[37,9729,9730],{},"The correct SAQ depends on how your organization processes, stores, and transmits cardholder data. Key factors include:",[200,9732,9733,9736,9739,9742],{},[68,9734,9735],{},"Whether you store cardholder data or only transmit it",[68,9737,9738],{},"Whether payment processing is fully outsourced",[68,9740,9741],{},"What types of payment channels you use (e-commerce, point-of-sale, mail\u002Ftelephone)",[68,9743,9744],{},"Whether you use validated P2PE solutions",[37,9746,9747],{},"Selecting the wrong SAQ type can lead to either unnecessary work (choosing a more restrictive SAQ) or inadequate coverage (choosing one that does not address your actual risk).",[860,9749,9751],{"id":9750},"what-does-the-saq-contain","What does the SAQ contain?",[37,9753,9754],{},"Each SAQ includes:",[200,9756,9757,9763,9769,9775],{},[68,9758,9759,9762],{},[71,9760,9761],{},"Questions aligned to PCI DSS requirements"," — the number of questions varies by SAQ type, from approximately 22 (SAQ A) to over 300 (SAQ D)",[68,9764,9765,9768],{},[71,9766,9767],{},"Response options"," — yes, no, N\u002FA, or compensating control for each requirement",[68,9770,9771,9774],{},[71,9772,9773],{},"Compensating control documentation"," — if a requirement cannot be met directly, a compensating control worksheet documents the alternative 
approach",[68,9776,9777,9779],{},[71,9778,938],{}," — a formal statement signed by the organization's executive management attesting to the accuracy of the SAQ",[860,9781,9783],{"id":9782},"who-requires-saqs","Who requires SAQs?",[37,9785,9786],{},"Acquiring banks and payment brands determine whether a merchant or service provider must submit an SAQ based on transaction volume:",[200,9788,9789,9794,9800],{},[68,9790,9791,9793],{},[71,9792,9287],{}," (highest transaction volumes) typically require an on-site assessment by a QSA rather than an SAQ",[68,9795,9796,9799],{},[71,9797,9798],{},"Level 2-4 merchants"," are generally eligible for self-assessment via SAQ",[68,9801,9802],{},"Requirements may vary by payment brand (Visa, Mastercard, etc.)",[860,9804,9806],{"id":9805},"what-are-common-challenges-with-an-saq","What are common challenges with an SAQ?",[37,9808,9809],{},"Organizations often encounter challenges with SAQs:",[200,9811,9812,9815,9818,9821],{},[68,9813,9814],{},"Difficulty determining the correct SAQ type",[68,9816,9817],{},"Incomplete understanding of the cardholder data environment",[68,9819,9820],{},"Gaps between the organization's actual practices and SAQ requirements",[68,9822,9823],{},"Lack of documentation to support \"yes\" answers",[860,9825,9827],{"id":9826},"how-does-episki-help-with-an-saq","How does episki help with an SAQ?",[37,9829,9830,9831,79],{},"episki guides you through SAQ selection based on your payment processing environment and helps you document controls and evidence for each applicable requirement. The platform tracks completion status and flags gaps before submission. 
Learn more on our ",[41,9832,4823],{"href":511},{"title":447,"searchDepth":448,"depth":448,"links":9834},[9835],{"id":9669,"depth":448,"text":9670,"children":9836},[9837,9838,9839,9840,9841,9842],{"id":9676,"depth":1179,"text":9677},{"id":9726,"depth":1179,"text":9727},{"id":9750,"depth":1179,"text":9751},{"id":9782,"depth":1179,"text":9783},{"id":9805,"depth":1179,"text":9806},{"id":9826,"depth":1179,"text":9827},{},[528],[823,2135,1584,824,3699],{"title":9847,"description":9848},"What is a Self-Assessment Questionnaire (SAQ)? Definition & Compliance Guide","A PCI DSS Self-Assessment Questionnaire (SAQ) is a validation tool for merchants and service providers to self-evaluate their cardholder data security.","8.glossary\u002Fsaq","y_WJFBksFDBE_V8Nh6vFjLR3Rd6B5-7EGQdgVtSFqCs",{"id":9852,"title":9853,"body":9854,"description":447,"extension":473,"lastUpdated":819,"meta":10077,"navigation":510,"path":10078,"relatedFrameworks":10079,"relatedTerms":10080,"seo":10081,"slug":10084,"stem":10085,"term":9859,"__hash__":10086},"glossary\u002F8.glossary\u002Fsecurity-awareness-training.md","Security Awareness Training",{"type":29,"value":9855,"toc":10066},[9856,9860,9863,9867,9870,9887,9891,9894,9944,9948,9970,9974,9977,10009,10013,10016,10033,10037,10040,10057,10061],[32,9857,9859],{"id":9858},"what-is-security-awareness-training","What is Security Awareness Training?",[37,9861,9862],{},"Security awareness training is an educational program designed to teach employees about cybersecurity threats, security best practices, and their responsibilities for protecting organizational data and systems. Human error remains one of the leading causes of security incidents, making awareness training a critical control for reducing risk. 
Every major compliance framework requires or strongly recommends security awareness training.",[860,9864,9866],{"id":9865},"why-does-security-awareness-training-matter","Why does security awareness training matter?",[37,9868,9869],{},"Technology controls alone cannot prevent all security incidents. Employees interact with sensitive data, click links, open attachments, and make decisions that affect security every day. Effective training:",[200,9871,9872,9875,9878,9881,9884],{},[68,9873,9874],{},"Reduces the likelihood of successful phishing and social engineering attacks",[68,9876,9877],{},"Helps employees recognize and report suspicious activity",[68,9879,9880],{},"Builds a security-conscious culture throughout the organization",[68,9882,9883],{},"Meets compliance requirements across multiple frameworks",[68,9885,9886],{},"Reduces the frequency and impact of human-caused security incidents",[860,9888,9890],{"id":9889},"what-are-the-core-security-awareness-training-topics","What are the core security awareness training topics?",[37,9892,9893],{},"A comprehensive security awareness program typically covers:",[200,9895,9896,9902,9908,9914,9920,9926,9932,9938],{},[68,9897,9898,9901],{},[71,9899,9900],{},"Phishing and social engineering"," — how to identify and respond to phishing emails, phone-based pretexting, and other manipulation techniques",[68,9903,9904,9907],{},[71,9905,9906],{},"Password security"," — creating strong passwords, using password managers, and understanding multi-factor authentication",[68,9909,9910,9913],{},[71,9911,9912],{},"Data handling"," — proper classification, storage, transmission, and disposal of sensitive data",[68,9915,9916,9919],{},[71,9917,9918],{},"Physical security"," — securing workstations, preventing tailgating, and protecting physical access badges",[68,9921,9922,9925],{},[71,9923,9924],{},"Remote work security"," — securing home networks, using VPNs, and protecting devices outside the 
office",[68,9927,9928,9931],{},[71,9929,9930],{},"Incident reporting"," — how and when to report suspected security incidents",[68,9933,9934,9937],{},[71,9935,9936],{},"Acceptable use"," — organizational policies on technology use, internet access, and personal devices",[68,9939,9940,9943],{},[71,9941,9942],{},"Regulatory requirements"," — specific requirements based on the organization's compliance obligations (HIPAA for healthcare, PCI DSS for payment card handling)",[860,9945,9947],{"id":9946},"what-training-requirements-apply-by-framework","What training requirements apply by framework?",[200,9949,9950,9955,9960,9965],{},[68,9951,9952,9954],{},[71,9953,4212],{}," — CC1.4 requires that the organization demonstrates a commitment to attract, develop, and retain competent individuals, including security training",[68,9956,9957,9959],{},[71,9958,4221],{}," — control A.6.3 requires information security awareness, education, and training",[68,9961,9962,9964],{},[71,9963,4235],{}," — the Security Rule requires security awareness and training for all workforce members (45 CFR 164.308(a)(5))",[68,9966,9967,9969],{},[71,9968,44],{}," — Requirement 12.6 requires security awareness training for all personnel upon hire and at least annually",[860,9971,9973],{"id":9972},"how-often-should-training-be-delivered-and-how","How often should training be delivered, and how?",[37,9975,9976],{},"Best practices for training delivery include:",[200,9978,9979,9985,9991,9997,10003],{},[68,9980,9981,9984],{},[71,9982,9983],{},"Upon hire"," — all new employees should complete security awareness training during onboarding",[68,9986,9987,9990],{},[71,9988,9989],{},"Annual refresher"," — all employees should complete refresher training at least annually",[68,9992,9993,9996],{},[71,9994,9995],{},"Role-specific training"," — employees in high-risk roles (developers, administrators, finance) should receive additional targeted training",[68,9998,9999,10002],{},[71,10000,10001],{},"Continuous 
reinforcement"," — supplement formal training with simulated phishing campaigns, security tips, and brief micro-learning modules throughout the year",[68,10004,10005,10008],{},[71,10006,10007],{},"Triggered training"," — require additional training when an employee fails a phishing simulation or is involved in a security incident",[860,10010,10012],{"id":10011},"how-do-you-measure-training-effectiveness","How do you measure training effectiveness?",[37,10014,10015],{},"Training effectiveness should be measured through:",[200,10017,10018,10021,10024,10027,10030],{},[68,10019,10020],{},"Phishing simulation click rates (tracked over time to show improvement)",[68,10022,10023],{},"Training completion rates",[68,10025,10026],{},"Security incident trends related to human factors",[68,10028,10029],{},"Employee knowledge assessments (quizzes or surveys)",[68,10031,10032],{},"Time to report suspicious activity",[860,10034,10036],{"id":10035},"what-training-evidence-do-auditors-look-for","What training evidence do auditors look for?",[37,10038,10039],{},"Auditors expect to see:",[200,10041,10042,10045,10048,10051,10054],{},[68,10043,10044],{},"Training policy documenting requirements and frequency",[68,10046,10047],{},"Records of training completion for all employees",[68,10049,10050],{},"Training content covering relevant topics",[68,10052,10053],{},"Phishing simulation results and trends",[68,10055,10056],{},"Evidence of new hire training",[860,10058,10060],{"id":10059},"how-does-episki-help-with-security-awareness-training","How does episki help with security awareness training?",[37,10062,10063,10064,79],{},"episki tracks security awareness training completion, sends reminders to employees and managers, and maintains training records as compliance evidence. The platform integrates with popular training providers and maps training requirements to framework controls. 
Learn more on our ",[41,10065,4589],{"href":4588},{"title":447,"searchDepth":448,"depth":448,"links":10067},[10068],{"id":9858,"depth":448,"text":9859,"children":10069},[10070,10071,10072,10073,10074,10075,10076],{"id":9865,"depth":1179,"text":9866},{"id":9889,"depth":1179,"text":9890},{"id":9946,"depth":1179,"text":9947},{"id":9972,"depth":1179,"text":9973},{"id":10011,"depth":1179,"text":10012},{"id":10035,"depth":1179,"text":10036},{"id":10059,"depth":1179,"text":10060},{},"\u002Fglossary\u002Fsecurity-awareness-training",[4607,4608,4609,4610,528],[4619,5069,5067,5719],{"title":10082,"description":10083},"What is Security Awareness Training? Definition & Compliance Guide","Security awareness training educates employees about cybersecurity threats and best practices. Learn what to include and how it satisfies compliance requirements.","security-awareness-training","8.glossary\u002Fsecurity-awareness-training","xgD6bzRoOy6RZm_k9NAZRMfP5cKo0j-xLN3LeofSjwI",{"id":10088,"title":2795,"body":10089,"description":447,"extension":473,"lastUpdated":819,"meta":10287,"navigation":510,"path":94,"relatedFrameworks":10288,"relatedTerms":10289,"seo":10290,"slug":95,"stem":10293,"term":10094,"__hash__":10294},"glossary\u002F8.glossary\u002Ftokenization.md",{"type":29,"value":10090,"toc":10276},[10091,10095,10098,10102,10105,10137,10141,10144,10156,10159,10163,10166,10177,10180,10184,10210,10214,10217,10243,10247,10250,10267,10271],[32,10092,10094],{"id":10093},"what-is-tokenization","What is Tokenization?",[37,10096,10097],{},"Tokenization is a data protection technique that replaces sensitive data elements — most commonly the Primary Account Number (PAN) — with non-sensitive substitutes called tokens. The tokens retain the format and certain properties of the original data but have no exploitable value if compromised. 
The actual sensitive data is stored securely in a token vault maintained by the tokenization provider.",[860,10099,10101],{"id":10100},"how-does-tokenization-work","How does tokenization work?",[37,10103,10104],{},"The tokenization process follows a straightforward flow:",[65,10106,10107,10113,10119,10125,10131],{},[68,10108,10109,10112],{},[71,10110,10111],{},"Data capture"," — the original sensitive data (such as a PAN) is captured at the point of entry",[68,10114,10115,10118],{},[71,10116,10117],{},"Token generation"," — the tokenization system generates a unique token to represent the data",[68,10120,10121,10124],{},[71,10122,10123],{},"Secure storage"," — the original data is stored in a secure token vault with strict access controls",[68,10126,10127,10130],{},[71,10128,10129],{},"Token distribution"," — the token is returned to the requesting system and used in place of the original data for all downstream processing",[68,10132,10133,10136],{},[71,10134,10135],{},"Detokenization"," — when the original data is needed (such as for settlement), authorized systems request detokenization from the vault",[860,10138,10140],{"id":10139},"what-is-the-difference-between-tokenization-and-encryption","What is the difference between tokenization and encryption?",[37,10142,10143],{},"While both tokenization and encryption protect sensitive data, they work differently:",[200,10145,10146,10151],{},[68,10147,10148,10150],{},[71,10149,5528],{}," transforms data using a mathematical algorithm and a key. The encrypted data (ciphertext) can be reversed to the original data using the correct key. If the key is compromised, all encrypted data is at risk.",[68,10152,10153,10155],{},[71,10154,2795],{}," replaces data with an unrelated token. There is no mathematical relationship between the token and the original data. 
Compromising a token provides no path to the original data.",[37,10157,10158],{},"Both approaches are recognized by PCI DSS for rendering PAN unreadable, but tokenization offers a unique advantage: systems that only handle tokens are not processing actual cardholder data and may be removed from PCI DSS scope.",[860,10160,10162],{"id":10161},"what-are-scope-reduction-benefits","What are scope reduction benefits?",[37,10164,10165],{},"The primary driver for tokenization in PCI DSS environments is scope reduction:",[200,10167,10168,10171,10174],{},[68,10169,10170],{},"Systems that receive and process tokens instead of PAN are not part of the cardholder data environment",[68,10172,10173],{},"Fewer systems in scope means fewer controls to implement and less evidence to collect",[68,10175,10176],{},"Reduced scope translates directly to lower compliance costs and shorter assessment timelines",[37,10178,10179],{},"For example, if a merchant's e-commerce platform receives a token from a payment gateway and passes that token to its order management and fulfillment systems, those downstream systems may be out of PCI DSS scope because they never handle actual PAN.",[860,10181,10183],{"id":10182},"what-are-the-types-of-tokenization","What are the types of tokenization?",[200,10185,10186,10192,10198,10204],{},[68,10187,10188,10191],{},[71,10189,10190],{},"Payment tokenization"," — specifically designed for payment card data, often provided by payment processors or gateways",[68,10193,10194,10197],{},[71,10195,10196],{},"Network tokenization"," — issued by payment networks (Visa, Mastercard) to replace PAN for specific merchant-consumer relationships",[68,10199,10200,10203],{},[71,10201,10202],{},"Vault-based tokenization"," — uses a central token vault to store the mapping between tokens and original data",[68,10205,10206,10209],{},[71,10207,10208],{},"Vaultless tokenization"," — generates tokens algorithmically without a central mapping database, using format-preserving 
techniques",[860,10211,10213],{"id":10212},"how-is-tokenization-used-in-practice","How is tokenization used in practice?",[37,10215,10216],{},"Common tokenization implementations include:",[200,10218,10219,10225,10231,10237],{},[68,10220,10221,10224],{},[71,10222,10223],{},"Payment gateways"," — Stripe, Braintree, and similar providers tokenize card data so merchants never handle raw PAN",[68,10226,10227,10230],{},[71,10228,10229],{},"Mobile wallets"," — Apple Pay and Google Pay use network tokenization to protect card data during mobile payments",[68,10232,10233,10236],{},[71,10234,10235],{},"Recurring billing"," — merchants store tokens to enable subscription billing without retaining PAN",[68,10238,10239,10242],{},[71,10240,10241],{},"Data warehousing"," — tokenize PAN in analytics and reporting systems to remove them from scope",[860,10244,10246],{"id":10245},"how-do-you-choose-a-tokenization-solution","How do you choose a tokenization solution?",[37,10248,10249],{},"When evaluating tokenization solutions, consider:",[200,10251,10252,10255,10258,10261,10264],{},[68,10253,10254],{},"Whether the solution is PCI DSS validated",[68,10256,10257],{},"Token vault security and access controls",[68,10259,10260],{},"Integration capabilities with your existing systems",[68,10262,10263],{},"Support for detokenization when needed",[68,10265,10266],{},"Format-preserving options if downstream systems require specific data formats",[860,10268,10270],{"id":10269},"how-does-episki-help-with-tokenization","How does episki help with tokenization?",[37,10272,10273,10274,79],{},"episki helps you document your tokenization implementation, track which systems handle tokens versus PAN, and maintain your scope reduction documentation for PCI DSS assessments. 
Learn more on our ",[41,10275,4823],{"href":511},{"title":447,"searchDepth":448,"depth":448,"links":10277},[10278],{"id":10093,"depth":448,"text":10094,"children":10279},[10280,10281,10282,10283,10284,10285,10286],{"id":10100,"depth":1179,"text":10101},{"id":10139,"depth":1179,"text":10140},{"id":10161,"depth":1179,"text":10162},{"id":10182,"depth":1179,"text":10183},{"id":10212,"depth":1179,"text":10213},{"id":10245,"depth":1179,"text":10246},{"id":10269,"depth":1179,"text":10270},{},[528],[823,3699,1584,824,3700],{"title":10291,"description":10292},"What is Tokenization? Definition & Compliance Guide","Tokenization replaces sensitive data like credit card numbers with non-sensitive tokens to reduce PCI DSS scope and protect cardholder data.","8.glossary\u002Ftokenization","yVKUeTM8Vxw66Ob6GPnS9Wye4I-5bNqg_bNV_V5C2xo",{"id":10296,"title":10297,"body":10298,"description":447,"extension":473,"lastUpdated":819,"meta":10463,"navigation":510,"path":10464,"relatedFrameworks":10465,"relatedTerms":10466,"seo":10468,"slug":825,"stem":10471,"term":10303,"__hash__":10472},"glossary\u002F8.glossary\u002Fvulnerability-management.md","Vulnerability Management",{"type":29,"value":10299,"toc":10454},[10300,10304,10307,10311,10314,10348,10352,10355,10382,10386,10412,10416,10419,10445,10449],[32,10301,10303],{"id":10302},"what-is-vulnerability-management","What is Vulnerability Management?",[37,10305,10306],{},"Vulnerability management is the continuous process of identifying, classifying, prioritizing, and remediating security vulnerabilities in an organization's systems, software, and infrastructure. 
Unlike one-time assessments, vulnerability management is an ongoing program that adapts as new threats emerge and your environment changes.",[860,10308,10310],{"id":10309},"what-is-the-vulnerability-management-lifecycle","What is the vulnerability management lifecycle?",[37,10312,10313],{},"An effective program follows a repeating cycle:",[65,10315,10316,10322,10328,10333,10338,10343],{},[68,10317,10318,10321],{},[71,10319,10320],{},"Asset discovery"," — maintain an accurate inventory of all hardware, software, and cloud resources in scope",[68,10323,10324,10327],{},[71,10325,10326],{},"Vulnerability scanning"," — use automated tools to detect known vulnerabilities across your environment on a regular schedule",[68,10329,10330,10332],{},[71,10331,9480],{}," — rank findings by severity (CVSS score), exploitability, asset criticality, and business context — not every \"critical\" CVE is critical to your organization",[68,10334,10335,10337],{},[71,10336,621],{}," — apply patches, configuration changes, or compensating controls to address vulnerabilities within defined SLAs",[68,10339,10340,10342],{},[71,10341,9503],{}," — rescan to confirm that remediation was effective and didn't introduce new issues",[68,10344,10345,10347],{},[71,10346,9051],{}," — track metrics like mean time to remediate (MTTR), vulnerability aging, and coverage rates",[860,10349,10351],{"id":10350},"how-do-compliance-frameworks-address-vulnerability-management","How do compliance frameworks address vulnerability management?",[37,10353,10354],{},"Most security frameworks require a formal vulnerability management program:",[200,10356,10357,10362,10367,10372,10377],{},[68,10358,10359,10361],{},[71,10360,44],{}," — Requirement 6.3 requires patching critical vulnerabilities within defined timeframes; Requirement 11.3 requires internal and external vulnerability scanning",[68,10363,10364,10366],{},[71,10365,4212],{}," — CC7.1 covers detection of vulnerabilities and CC8.1 addresses change management for 
remediation",[68,10368,10369,10371],{},[71,10370,4221],{}," — A.8.8 (management of technical vulnerabilities) requires timely identification and remediation of vulnerabilities",[68,10373,10374,10376],{},[71,10375,4256],{}," — ID.RA (risk assessment) and PR.IP (information protection) directly relate to vulnerability identification and remediation",[68,10378,10379,10381],{},[71,10380,6707],{}," — RA.L2-3.11.2 requires remediation of vulnerabilities in accordance with risk assessments",[860,10383,10385],{"id":10384},"what-are-common-vulnerability-scanning-tools","What are common vulnerability scanning tools?",[200,10387,10388,10394,10400,10406],{},[68,10389,10390,10393],{},[71,10391,10392],{},"Infrastructure scanners"," — Nessus, Qualys, Rapid7 InsightVM for network and host-level vulnerabilities",[68,10395,10396,10399],{},[71,10397,10398],{},"Application scanners"," — OWASP ZAP, Burp Suite for web application vulnerabilities",[68,10401,10402,10405],{},[71,10403,10404],{},"Dependency scanners"," — Snyk, Dependabot, Trivy for software composition analysis (SCA)",[68,10407,10408,10411],{},[71,10409,10410],{},"Cloud security posture"," — AWS Inspector, Azure Defender, GCP Security Command Center for cloud misconfigurations",[860,10413,10415],{"id":10414},"what-are-sla-best-practices-for-vulnerability-management","What are SLA best practices for vulnerability management?",[37,10417,10418],{},"Define remediation timelines based on severity:",[200,10420,10421,10427,10433,10439],{},[68,10422,10423,10426],{},[71,10424,10425],{},"Critical"," — remediate within 24–72 hours",[68,10428,10429,10432],{},[71,10430,10431],{},"High"," — remediate within 7–14 days",[68,10434,10435,10438],{},[71,10436,10437],{},"Medium"," — remediate within 30 days",[68,10440,10441,10444],{},[71,10442,10443],{},"Low"," — remediate within 90 days or accept risk with documented justification",[860,10446,10448],{"id":10447},"how-does-episki-help-with-vulnerability-management","How does episki help with 
vulnerability management?",[37,10450,10451,10452,79],{},"episki tracks vulnerability findings, manages remediation workflows with due dates and ownership, and maps vulnerabilities to compliance framework requirements. The platform provides dashboards showing remediation progress and aging metrics for auditors. Learn more on our ",[41,10453,4589],{"href":4588},{"title":447,"searchDepth":448,"depth":448,"links":10455},[10456],{"id":10302,"depth":448,"text":10303,"children":10457},[10458,10459,10460,10461,10462],{"id":10309,"depth":1179,"text":10310},{"id":10350,"depth":1179,"text":10351},{"id":10384,"depth":1179,"text":10385},{"id":10414,"depth":1179,"text":10415},{"id":10447,"depth":1179,"text":10448},{},"\u002Fglossary\u002Fvulnerability-management",[4608,4609,528,4611,4607],[828,9163,5068,10467],"web-application-security",{"title":10469,"description":10470},"What is Vulnerability Management? Definition & Compliance Guide","Vulnerability management is the ongoing process of identifying, classifying, prioritizing, and remediating security vulnerabilities across your systems and applications.","8.glossary\u002Fvulnerability-management","uzdMPlyqCfawsSDUCyB5DBUfYbPo1BYxc5FJB7wJDgM",{"id":10474,"title":10475,"body":10476,"description":447,"extension":473,"lastUpdated":819,"meta":10599,"navigation":510,"path":10600,"relatedFrameworks":10601,"relatedTerms":10602,"seo":10603,"slug":10467,"stem":10606,"term":10481,"__hash__":10607},"glossary\u002F8.glossary\u002Fweb-application-security.md","Web Application Security",{"type":29,"value":10477,"toc":10591},[10478,10482,10485,10489,10492,10530,10534,10556,10560,10582,10586],[32,10479,10481],{"id":10480},"what-is-web-application-security","What is Web Application Security?",[37,10483,10484],{},"Web application security is the practice of protecting websites and web applications from attacks that exploit vulnerabilities in application code, configuration, or infrastructure. 
As organizations increasingly deliver services through web applications, securing these applications has become a critical component of any compliance program.",[860,10486,10488],{"id":10487},"what-are-common-web-application-threats","What are common web application threats?",[37,10490,10491],{},"The OWASP Top 10 provides a widely recognized list of the most critical web application security risks:",[200,10493,10494,10500,10506,10512,10518,10524],{},[68,10495,10496,10499],{},[71,10497,10498],{},"Injection attacks"," — including SQL injection, where attackers insert malicious code through input fields to manipulate databases",[68,10501,10502,10505],{},[71,10503,10504],{},"Cross-site scripting (XSS)"," — injecting malicious scripts into web pages viewed by other users",[68,10507,10508,10511],{},[71,10509,10510],{},"Broken authentication"," — weaknesses in authentication mechanisms that allow unauthorized access",[68,10513,10514,10517],{},[71,10515,10516],{},"Insecure direct object references"," — exposing internal implementation objects through URLs or parameters",[68,10519,10520,10523],{},[71,10521,10522],{},"Security misconfiguration"," — default credentials, unnecessary features enabled, or missing security headers",[68,10525,10526,10529],{},[71,10527,10528],{},"Cross-site request forgery (CSRF)"," — tricking authenticated users into performing unintended actions",[860,10531,10533],{"id":10532},"how-do-compliance-frameworks-address-web-application-security","How do compliance frameworks address web application security?",[200,10535,10536,10541,10546,10551],{},[68,10537,10538,10540],{},[71,10539,44],{}," — Requirement 6 addresses secure development practices and web application firewalls for applications handling cardholder data",[68,10542,10543,10545],{},[71,10544,4212],{}," — CC7.1 and CC8.1 cover vulnerability management and change management for applications",[68,10547,10548,10550],{},[71,10549,4221],{}," — A.8.25 through A.8.28 address secure development 
lifecycle, testing, and application security",[68,10552,10553,10555],{},[71,10554,4256],{}," — PR.IP covers security in development and information protection processes",[860,10557,10559],{"id":10558},"what-are-web-application-defense-strategies","What are web application defense strategies?",[200,10561,10562,10565,10568,10571,10576,10579],{},[68,10563,10564],{},"Implement a secure development lifecycle (SDLC) with security reviews at each stage",[68,10566,10567],{},"Use static application security testing (SAST) and dynamic application security testing (DAST) in CI\u002FCD pipelines",[68,10569,10570],{},"Deploy a web application firewall (WAF) to filter malicious traffic",[68,10572,8097,10573,10575],{},[41,10574,6040],{"href":6039}," focused on application-layer vulnerabilities",[68,10577,10578],{},"Keep application frameworks and dependencies patched and up to date",[68,10580,10581],{},"Validate and sanitize all user input on the server side",[860,10583,10585],{"id":10584},"how-does-episki-help-with-web-application-security","How does episki help with web application security?",[37,10587,10588,10589,79],{},"episki tracks web application security controls, manages vulnerability remediation workflows, and documents security testing evidence for auditors. Learn more on our ",[41,10590,4589],{"href":4588},{"title":447,"searchDepth":448,"depth":448,"links":10592},[10593],{"id":10480,"depth":448,"text":10481,"children":10594},[10595,10596,10597,10598],{"id":10487,"depth":1179,"text":10488},{"id":10532,"depth":1179,"text":10533},{"id":10558,"depth":1179,"text":10559},{"id":10584,"depth":1179,"text":10585},{},"\u002Fglossary\u002Fweb-application-security",[4608,4609,528,4611],[828,1582,3700,825],{"title":10604,"description":10605},"What is Web Application Security? 
Definition & Compliance Guide","Web application security is the practice of protecting websites and web apps from attacks such as SQL injection, cross-site scripting (XSS), and unauthorized access.","8.glossary\u002Fweb-application-security","qOQ02_z-vhAF1v25Yq_MRSjVS7VEGJjSiQUC3OPdzkc",[10609,11114,11695,12189,12812,13100],{"id":10610,"title":10611,"advantages":10612,"body":10634,"checklist":11045,"cta":11054,"description":447,"extension":473,"faq":11057,"hero":11075,"lastUpdated":508,"meta":11084,"name":6707,"navigation":510,"path":11085,"resources":11086,"seo":11099,"slug":4607,"stats":11102,"stem":11112,"__hash__":11113},"frameworks\u002F5.frameworks\u002Fcmmc.md","Cmmc",[10613,10620,10627],{"title":10614,"description":10615,"bullets":10616},"NIST 800-171 control mapping","Every CMMC Level 2 practice is linked to its NIST SP 800-171 source requirement with pre-written narratives.",[10617,10618,10619],"14 control families mapped to 110 security requirements","AI-drafted implementation narratives and testing procedures","Gap analysis highlights missing controls before your assessment",{"title":10621,"description":10622,"bullets":10623},"Assessment preparation workspace","Whether you self-assess or engage a C3PAO, episki organizes evidence and scoring in one place.",[10624,10625,10626],"POA&M tracking with 180-day close-out reminders","Scoring methodology aligned to DoD assessment guide","Assessor portal with scoped read-only access",{"title":10628,"description":10629,"bullets":10630},"Cross-framework reuse","Controls mapped to CMMC automatically satisfy overlapping NIST CSF, ISO 27001, and FedRAMP requirements.",[10631,10632,10633],"Unified control graph eliminates duplicate documentation","Evidence collected once, reused across every framework","Framework coverage dashboard shows gaps at a 
glance",{"type":29,"value":10635,"toc":11028},[10636,10640,10643,10646,10650,10657,10668,10679,10683,10691,10723,10726,10730,10742,10753,10757,10760,10777,10790,10793,10797,10800,10811,10818,10822,10836,10839,10843,10851,10877,10881,10908,10912,10920,10924,10932,10936,10944,10948,10951,10989,10993,11025],[32,10637,10639],{"id":10638},"what-is-cmmc","What is CMMC?",[37,10641,10642],{},"The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense's verification program for ensuring that every organization in the defense industrial base adequately protects sensitive federal information. CMMC takes the cybersecurity standards the DoD has required for years and turns them into a verifiable certification that contractors must hold before a contract can be awarded.",[37,10644,10645],{},"Before CMMC, defense contractors were expected to comply with DFARS clause 252.204-7012 and the 110 security requirements in NIST SP 800-171 on the honor system. They self-attested. A 2018 DoD Inspector General report and the 2019 MITRE \"Deliver Uncompromised\" study both found the self-attestation model was failing — contractors claimed compliance they had not achieved, and nation-state adversaries were quietly stealing terabytes of Controlled Unclassified Information (CUI) from the supply chain. CMMC is the DoD's response: instead of trust, the Pentagon now requires verification.",[860,10647,10649],{"id":10648},"cmmc-10-to-cmmc-20","CMMC 1.0 to CMMC 2.0",[37,10651,10652,10653,10656],{},"The first version of CMMC — sometimes called CMMC 1.0 — was announced in January 2020. It had ",[71,10654,10655],{},"five maturity levels",", added its own unique practices and maturity processes on top of NIST SP 800-171, and would have required third-party assessment for almost everyone in the defense supply chain. Industry pushback was substantial. Small businesses said the compliance burden was unaffordable. 
Cybersecurity teams argued that the custom CMMC practices and \"maturity processes\" diverged from established standards without clear security benefit.",[37,10658,10659,10660,10663,10664,10667],{},"In November 2021 the DoD announced ",[71,10661,10662],{},"CMMC 2.0",", a streamlined successor. CMMC 2.0 collapsed the five levels into ",[71,10665,10666],{},"three",", eliminated the custom CMMC practices, and aligned Level 2 directly with NIST SP 800-171 so there is no daylight between the two. It also re-introduced self-assessment as a compliant path for many contracts — a concession to cost that CMMC 1.0 did not allow.",[37,10669,10670,10671,10674,10675,10678],{},"The CMMC 2.0 program rule (32 CFR Part 170) was published in the Federal Register on October 15, 2024, and took effect on ",[71,10672,10673],{},"December 16, 2024",". The companion DFARS rule (48 CFR) was published on September 10, 2025, and took effect on ",[71,10676,10677],{},"November 10, 2025"," — the moment CMMC moved from a program on paper to an enforceable contract requirement. When we talk about \"CMMC\" today, we mean CMMC 2.0 as enforced through DFARS.",[860,10680,10682],{"id":10681},"the-three-cmmc-levels","The three CMMC levels",[37,10684,10685,10686,10690],{},"CMMC uses a tiered model so that a small contractor handling a bill of materials gets a proportionate requirement, while a prime contractor engineering a weapons system gets a much heavier one. Each CMMC level builds on the one below it. ",[41,10687,10689],{"href":10688},"\u002Fframeworks\u002Fcmmc\u002Flevels","See the full breakdown of CMMC levels"," for control counts, assessment types, and scoping rules.",[200,10692,10693,10703,10713],{},[68,10694,10695,10698,10699,10702],{},[71,10696,10697],{},"Level 1 — Foundational."," Covers the basic safeguarding of Federal Contract Information (FCI). It requires 17 practices drawn directly from FAR 52.204-21. Any organization that processes FCI under a DoD contract must meet Level 1. 
It is verified through an ",[71,10700,10701],{},"annual self-assessment"," with a senior official affirming the results in the Supplier Performance Risk System (SPRS).",[68,10704,10705,10708,10709,10712],{},[71,10706,10707],{},"Level 2 — Advanced."," Protects Controlled Unclassified Information (CUI). It requires all ",[71,10710,10711],{},"110 security requirements"," from NIST SP 800-171 Rev 2 across 14 control families. Level 2 has two assessment paths — self-assessment for less sensitive CUI, and third-party C3PAO assessment for more sensitive CUI or critical programs. Level 2 is where most defense contractors will land.",[68,10714,10715,10718,10719,10722],{},[71,10716,10717],{},"Level 3 — Expert."," Reserved for the most sensitive DoD programs where advanced persistent threats are a credible risk. It includes every Level 2 requirement ",[71,10720,10721],{},"plus 24 enhanced requirements"," selected from NIST SP 800-172. Level 3 is verified through a government-led DIBCAC assessment and requires a valid Level 2 C3PAO certification as a prerequisite.",[37,10724,10725],{},"The CMMC level you need is determined by the specific solicitation or contract — not by company size or industry. A small engineering firm with a CUI-sensitive subcontract may need Level 2 C3PAO, while a larger prime on a less sensitive contract may only need Level 1.",[860,10727,10729],{"id":10728},"nist-sp-800-171-is-the-heart-of-cmmc","NIST SP 800-171 is the heart of CMMC",[37,10731,10732,10733,10736,10737,10741],{},"CMMC Level 2 is a ",[71,10734,10735],{},"direct one-to-one mapping"," to NIST SP 800-171 Rev 2. There are no extra practices, no CMMC-specific maturity processes, no layered-on requirements. Every CMMC Level 2 practice corresponds to a single NIST SP 800-171 security requirement. 
This alignment was intentional: it made CMMC easier to implement and easier to audit, and it meant organizations that had been working toward ",[41,10738,10740],{"href":10739},"\u002Fglossary\u002Fnist","NIST"," SP 800-171 compliance since 2017 did not have to start over.",[37,10743,10744,10745,10749,10750,10752],{},"The 110 requirements are organized into 14 control families including Access Control, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, System and Communications Protection, and System and Information Integrity. CMMC Level 3 layers 24 additional enhanced requirements on top, drawn from NIST SP 800-172. ",[41,10746,10748],{"href":10747},"\u002Fframeworks\u002Fcmmc\u002Fnist-800-171-mapping","See the detailed NIST SP 800-171 mapping"," for the full control family breakdown and cross-framework overlap with ",[41,10751,4256],{"href":4255}," and ISO 27001.",[860,10754,10756],{"id":10755},"who-needs-cmmc","Who needs CMMC?",[37,10758,10759],{},"Any organization that processes, stores, or transmits FCI or CUI as part of a DoD contract or subcontract will need CMMC certification. That is a much broader population than \"defense contractors\" in the traditional sense. CMMC applies to:",[200,10761,10762,10765,10768,10771,10774],{},[68,10763,10764],{},"Prime contractors holding contracts directly with the DoD",[68,10766,10767],{},"Subcontractors at every tier in the supply chain",[68,10769,10770],{},"Cloud service providers hosting DoD contractor data",[68,10772,10773],{},"Managed service providers and IT vendors with access to FCI or CUI",[68,10775,10776],{},"Foreign suppliers in the defense industrial base handling covered information",[37,10778,10779,10780,10784,10785,10789],{},"CMMC flow-down is one of the most important operational realities. If a prime contractor shares CUI with a subcontractor, that subcontractor must hold the same CMMC level. 
If that subcontractor further shares CUI with a tier-three supplier, the tier-three supplier must also be certified. CMMC's reach extends deep into the supply chain. ",[41,10781,10783],{"href":10782},"\u002Fframeworks\u002Fcmmc\u002Fwho-needs-cmmc","See who needs CMMC"," for detailed scoping guidance, and our ",[41,10786,10788],{"href":10787},"\u002Findustry\u002Fgovernment","government industry page"," for broader public-sector compliance context.",[37,10791,10792],{},"Roughly 80,000 organizations are expected to pursue CMMC Level 2, and a few thousand are expected to pursue the most stringent CMMC Level 3 — numbers drawn from the DoD's own economic analysis of the CMMC rule.",[860,10794,10796],{"id":10795},"the-cmmc-assessment-process","The CMMC assessment process",[37,10798,10799],{},"CMMC assessments come in three forms that align to the three CMMC levels: self-assessment, C3PAO third-party assessment, and DIBCAC government-led assessment. Regardless of type, the assessment methodology is the same — scoring is based on the DoD Assessment Methodology and NIST SP 800-171A objectives.",[37,10801,10802,10803,10806,10807,10810],{},"A CMMC Level 2 C3PAO assessment typically runs through five stages: scoping, readiness review, evidence collection and review, on-site or virtual assessment, and scoring with any final findings. A Level 2 assessment starts with a score of 110 and subtracts points for each unmet objective. A score of 110 yields full certification. A score of ",[71,10804,10805],{},"88 or above"," with remaining gaps documented in a Plan of Action and Milestones (POA&M) yields a ",[71,10808,10809],{},"conditional"," certification with a 180-day remediation window. 
A score below 88 yields no certification at all.",[37,10812,10813,10817],{},[41,10814,10816],{"href":10815},"\u002Fframeworks\u002Fcmmc\u002Fassessment-process","See the full CMMC assessment process"," for scoring details, POA&M rules, and what you can and cannot defer.",[860,10819,10821],{"id":10820},"c3paos-and-certified-assessors","C3PAOs and certified assessors",[37,10823,10824,10825,10828,10829,249,10832,10835],{},"Third-party CMMC assessments are conducted by ",[71,10826,10827],{},"CMMC Third-Party Assessment Organizations (C3PAOs)"," accredited by the Cyber AB (the Cyber Accreditation Body, formerly the CMMC Accreditation Body). C3PAOs employ ",[71,10830,10831],{},"Certified CMMC Assessors (CCAs)",[71,10833,10834],{},"Certified CMMC Professionals (CCPs)"," who conduct the actual assessment work. CCAs must pass a certification exam administered by the Cyber AB and complete ongoing professional development.",[37,10837,10838],{},"The pool of accredited C3PAOs is deliberately limited — growing from just a handful at the start of 2024 to several dozen by early 2026. That scarcity matters. As CMMC Phase 2 enforcement begins in November 2026 and more contracts require C3PAO assessment, assessor availability will tighten. Organizations that wait to begin CMMC preparation until a contract requires it will likely find assessment slots booked six to twelve months out.",[860,10840,10842],{"id":10841},"cmmc-implementation-timeline","CMMC implementation timeline",[37,10844,10845,10846,10850],{},"CMMC enforcement follows a four-phase rollout under the DFARS rule. The rollout gradually expands CMMC requirements over four years so the assessor ecosystem can scale and contractors have time to prepare. 
",[41,10847,10849],{"href":10848},"\u002Fframeworks\u002Fcmmc\u002Fimplementation-timeline","See the full CMMC implementation timeline"," for dates and milestones.",[200,10852,10853,10859,10865,10871],{},[68,10854,10855,10858],{},[71,10856,10857],{},"Phase 1 (November 2025 – November 2026)."," Active now. CMMC Level 1 and Level 2 self-assessments appear as conditions of award in select solicitations. A limited number of contracts require Level 2 C3PAO assessments at DoD discretion.",[68,10860,10861,10864],{},[71,10862,10863],{},"Phase 2 (November 2026 – November 2027)."," CMMC Level 2 C3PAO certification requirements expand significantly. Level 3 requirements begin appearing in select solicitations.",[68,10866,10867,10870],{},[71,10868,10869],{},"Phase 3 (November 2027 – November 2028)."," CMMC Level 2 and Level 3 requirements appear broadly across applicable DoD contracts.",[68,10872,10873,10876],{},[71,10874,10875],{},"Phase 4 (November 2028 onward)."," All DoD contracts requiring FCI or CUI handling include the appropriate CMMC level as a condition of award. Full CMMC enforcement.",[860,10878,10880],{"id":10879},"cmmc-and-dfars","CMMC and DFARS",[37,10882,10883,10884,10887,10888,249,10891,10894,10895,10898,10899,10903,10904,79],{},"CMMC is the certification. DFARS is the contractual mechanism that makes the certification binding. ",[71,10885,10886],{},"DFARS 252.204-7012"," has required safeguarding of covered defense information and rapid incident reporting since 2017. ",[71,10889,10890],{},"DFARS 252.204-7019",[71,10892,10893],{},"-7020"," added the requirement to post NIST SP 800-171 assessment scores to SPRS. ",[71,10896,10897],{},"DFARS 252.204-7021",", effective November 10, 2025, added the requirement to hold the specific CMMC level called out in the solicitation before contract award. ",[41,10900,10902],{"href":10901},"\u002Fframeworks\u002Fcmmc\u002Fdfars-relationship","See how CMMC and DFARS relate"," for the full clause-by-clause picture. 
For blog-length coverage of DFARS and CMMC in context, see our ",[41,10905,10907],{"href":10906},"\u002Fnow\u002Fcompliance-framework-comparison","compliance framework comparison",[860,10909,10911],{"id":10910},"self-assessment-vs-third-party-assessment","Self-assessment vs third-party assessment",[37,10913,10914,10915,10919],{},"Not every CMMC obligation requires bringing in a C3PAO. CMMC Level 1 is always a self-assessment. CMMC Level 2 splits — some contracts accept self-assessment, and some require C3PAO certification. CMMC Level 3 is always government-led by DIBCAC. Self-assessment is cheaper and faster, but it comes with False Claims Act exposure if the attestation misrepresents your posture. Third-party CMMC assessment is more expensive but produces a defensible certification. ",[41,10916,10918],{"href":10917},"\u002Fframeworks\u002Fcmmc\u002Fself-assessment-vs-third-party","Compare CMMC self-assessment vs third-party"," to decide which applies to you and how to budget.",[860,10921,10923],{"id":10922},"handling-cui-the-cmmc-way","Handling CUI the CMMC way",[37,10925,10926,10927,10931],{},"Controlled Unclassified Information sits at the center of CMMC Level 2 and CMMC Level 3. Identifying CUI in your environment, marking it correctly, applying the right access controls, and documenting the CUI boundary are all preconditions for a successful CMMC assessment. FCI and CUI are not the same thing, and the differences drive which CMMC level you need. ",[41,10928,10930],{"href":10929},"\u002Fframeworks\u002Fcmmc\u002Fcui-handling","See CUI handling under CMMC"," for marking rules, scoping guidance, and common mistakes.",[860,10933,10935],{"id":10934},"subcontractor-requirements","Subcontractor requirements",[37,10937,10938,10939,10943],{},"CMMC flow-down affects nearly every defense prime. If you share FCI or CUI with a subcontractor, the subcontractor must hold the required CMMC level before you share the data. 
That means primes need to track subcontractor CMMC status across their supply chain, verify SPRS entries, and plan for the long tail of small suppliers that may not have started their CMMC journey. ",[41,10940,10942],{"href":10941},"\u002Fframeworks\u002Fcmmc\u002Fsubcontractor-requirements","See CMMC subcontractor requirements"," for the full flow-down model and how to reduce the burden.",[860,10945,10947],{"id":10946},"getting-cmmc-ready","Getting CMMC ready",[37,10949,10950],{},"CMMC readiness is not a last-mile sprint. Most organizations need 6 to 18 months to close gaps across all 110 NIST SP 800-171 requirements and prepare for CMMC Level 2. The high-leverage moves to start today:",[65,10952,10953,10959,10965,10971,10977,10983],{},[68,10954,10955,10958],{},[71,10956,10957],{},"Scope your CMMC environment."," Map where FCI and CUI enter, flow through, and are stored in your systems. Your CMMC assessment boundary is only as good as your scoping work.",[68,10960,10961,10964],{},[71,10962,10963],{},"Complete your SSP."," A System Security Plan that documents every NIST SP 800-171 requirement — implementation status, responsible party, and evidence reference — is the backbone of any CMMC assessment.",[68,10966,10967,10970],{},[71,10968,10969],{},"Submit a SPRS score."," Even before any contract requires CMMC, a current SPRS score demonstrates good faith and exposes gaps early. DoD agencies increasingly reference SPRS scores in source selection.",[68,10972,10973,10976],{},[71,10974,10975],{},"Stand up a POA&M register."," Track every gap with an owner, a remediation plan, and a 180-day countdown. CMMC conditional certification lives or dies on POA&M closure.",[68,10978,10979,10982],{},[71,10980,10981],{},"Review your flow-down."," Inventory every subcontractor, cloud service provider, and managed service provider that touches FCI or CUI. 
Confirm they are on their own CMMC path.",[68,10984,10985,10988],{},[71,10986,10987],{},"Schedule a readiness review."," A mock CMMC assessment — internal or with a consultant or C3PAO — surfaces problems while there is still time to fix them.",[860,10990,10992],{"id":10991},"common-cmmc-challenges","Common CMMC challenges",[200,10994,10995,11001,11007,11013,11019],{},[68,10996,10997,11000],{},[71,10998,10999],{},"Scoping complexity."," Determining which systems, people, and processes handle CUI is often the hardest first step and the source of the most CMMC assessment rework.",[68,11002,11003,11006],{},[71,11004,11005],{},"NIST SP 800-171 gaps."," Many contractors self-attested NIST SP 800-171 compliance for years but never closed all 110 requirements. CMMC exposes that gap.",[68,11008,11009,11012],{},[71,11010,11011],{},"POA&M management."," Tracking remediation across teams within a 180-day window is hard without tooling. CMMC conditional certifications are revoked when POA&Ms go stale.",[68,11014,11015,11018],{},[71,11016,11017],{},"Subcontractor flow-down."," Primes must verify subcontractor CMMC status continuously, not once at onboarding.",[68,11020,11021,11024],{},[71,11022,11023],{},"Evidence organization."," A CMMC assessment can touch hundreds of evidence artifacts. 
Without a single source of truth, assessors burn billable hours chasing documents.",[37,11026,11027],{},"A structured approach that maps controls to NIST SP 800-171, reuses evidence across CMMC and other frameworks, tracks POA&M progress, and monitors the assessment timeline removes most of this friction — and that is exactly what the episki CMMC workspace is designed for.",{"title":447,"searchDepth":448,"depth":448,"links":11029},[11030],{"id":10638,"depth":448,"text":10639,"children":11031},[11032,11033,11034,11035,11036,11037,11038,11039,11040,11041,11042,11043,11044],{"id":10648,"depth":1179,"text":10649},{"id":10681,"depth":1179,"text":10682},{"id":10728,"depth":1179,"text":10729},{"id":10755,"depth":1179,"text":10756},{"id":10795,"depth":1179,"text":10796},{"id":10820,"depth":1179,"text":10821},{"id":10841,"depth":1179,"text":10842},{"id":10879,"depth":1179,"text":10880},{"id":10910,"depth":1179,"text":10911},{"id":10922,"depth":1179,"text":10923},{"id":10934,"depth":1179,"text":10935},{"id":10946,"depth":1179,"text":10947},{"id":10991,"depth":1179,"text":10992},{"title":11046,"description":11047,"items":11048},"CMMC readiness checklist inside episki","Everything is preloaded in your free trial so you can start scoping your assessment and closing gaps immediately.",[11049,11050,11051,11052,11053],"NIST SP 800-171 control library with mapped CMMC practices","Level 1, 2, and 3 scoping guidance and practice sets","POA&M register with risk-ranked remediation priorities","System Security Plan (SSP) template with AI drafting","Evidence library organized by control family",{"title":11055,"description":11056},"Launch your CMMC workspace today","Import your NIST 800-171 controls, map them to CMMC levels, and start closing gaps before your next assessment.",{"title":11058,"items":11059},"CMMC frequently asked questions",[11060,11063,11066,11069,11072],{"label":11061,"content":11062},"What is CMMC 2.0?","CMMC 2.0 (Cybersecurity Maturity Model Certification) is the 
Department of Defense's program for verifying that defense contractors protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The final program rule took effect December 16, 2024, and DFARS contract enforcement began November 10, 2025.",{"label":11064,"content":11065},"What are the three CMMC levels?","Level 1 requires 17 basic safeguarding practices for FCI based on FAR 52.204-21. Level 2 requires 110 security practices aligned to NIST SP 800-171 Rev 2 for CUI. Level 3 adds 24 enhanced practices from NIST SP 800-172 for the most sensitive programs. Each level builds on the one below it.",{"label":11067,"content":11068},"How much does CMMC certification cost?","Costs vary by level and organization size. Level 1 requires only an annual self-assessment. Level 2 self-assessments are free but require significant preparation effort. Level 2 C3PAO assessments typically range from $50,000 to $150,000+ depending on scope. episki reduces preparation costs by automating evidence collection and control documentation.",{"label":11070,"content":11071},"When will CMMC be required in contracts?","CMMC is being phased into DoD contracts over four phases. Phase 1 began November 10, 2025, requiring Level 1 and Level 2 self-assessments in select solicitations. Phase 2 (November 2026) expands Level 2 C3PAO requirements. Phase 3 (November 2027) adds Level 3. By Phase 4 (November 2028), all applicable DoD contracts will require the appropriate CMMC level.",{"label":11073,"content":11074},"Who needs CMMC certification?","Any organization that processes, stores, or transmits FCI or CUI as part of a DoD contract or subcontract needs CMMC certification. This includes prime contractors, subcontractors at all tiers, and cloud service providers hosting DoD data. 
The required level depends on the sensitivity of information handled.",{"headline":11076,"title":11077,"description":11078,"links":11079},"CMMC without the guesswork","Get assessment-ready for CMMC without rebuilding your security program","episki maps NIST SP 800-171 and 800-172 controls to CMMC levels, automates evidence collection, and keeps your POA&M current so your team can focus on winning contracts.",[11080,11082],{"label":11081,"icon":499,"to":500},"Start CMMC trial",{"label":502,"icon":11083,"color":504,"variant":505,"to":506,"target":507},"i-lucide-message-circle",{},"\u002Fframeworks\u002Fcmmc",{"headline":11087,"title":11087,"description":11088,"items":11089},"CMMC acceleration resources","Give leadership and contracting officers visibility into your cybersecurity posture at every stage.",[11090,11093,11096],{"title":11091,"description":11092},"Executive scorecard","Translate control work into CMMC readiness percentages and contract eligibility status.",{"title":11094,"description":11095},"Assessment readiness kit","Pre-assessment checklist, evidence package review, and mock scoring aligned to DIBCAC methodology.",{"title":11097,"description":11098},"Subcontractor flow-down tracker","Monitor which subcontractors need their own CMMC certification and track their progress.",{"title":11100,"description":11101},"CMMC Compliance Software","Prepare for CMMC Level 1, 2, and 3 assessments with pre-mapped NIST 800-171 controls, automated evidence collection, and C3PAO-ready workspaces. Start your free 14-day trial.",[11103,11106,11109],{"value":11104,"description":11105},"3 maturity levels","Pre-mapped practices for Level 1, Level 2, and Level 3 with assessment-type guidance for each.",{"value":11107,"description":11108},"110 practices","Full NIST SP 800-171 Rev 2 control set mapped to CMMC Level 2 objectives out of the box.",{"value":11110,"description":11111},"Phase 1 live now","DFARS enforcement began November 2025. 
Level 1 and Level 2 self-assessments already required in select solicitations.","5.frameworks\u002Fcmmc","p5hUeZMYUGNFyYF4xjERSy0kHoJW_1ZFhsORUKeU3is",{"id":11115,"title":11116,"advantages":11117,"body":11139,"checklist":11628,"cta":11637,"description":447,"extension":473,"faq":11640,"hero":11658,"lastUpdated":508,"meta":11666,"name":4235,"navigation":510,"path":4234,"resources":11667,"seo":11680,"slug":4610,"stats":11683,"stem":11693,"__hash__":11694},"frameworks\u002F5.frameworks\u002Fhipaa.md","Hipaa",[11118,11125,11132],{"title":11119,"description":11120,"bullets":11121},"Safeguards mapped to your stack","Every HIPAA standard comes with plain-language owners, SLAs, and tests.",[11122,11123,11124],"Assign compliance, engineering, and ops leads to each safeguard","Playbooks explain what “good” looks like for each requirement","Timeline view keeps renewals and reviews on schedule",{"title":11126,"description":11127,"bullets":11128},"PHI-aware evidence locker","Secure uploads, access controls, and audit trails keep regulators satisfied.",[11129,11130,11131],"Granular permissions for internal and external reviewers","Automated retention and deletion policies","Download tracking and access audit trails",{"title":11133,"description":11134,"bullets":11135},"Vendor & incident workflows","Track BAAs, vendor attestations, and incidents from discovery to closure.",[11136,11137,11138],"BAA repository tied to vendor risk levels","Incident response runbooks with reminders","Post-incident reports aligned to HIPAA 
timelines",{"type":29,"value":11140,"toc":11601},[11141,11145,11148,11160,11163,11167,11170,11213,11217,11220,11225,11229,11232,11236,11244,11264,11267,11271,11278,11286,11290,11293,11297,11300,11303,11316,11320,11323,11326,11330,11348,11352,11364,11368,11371,11378,11382,11385,11388,11395,11399,11406,11409,11413,11420,11423,11446,11450,11453,11456,11462,11466,11469,11495,11498,11501,11505,11508,11526,11529,11533,11539,11543,11546,11575,11583,11587,11590,11598],[32,11142,11144],{"id":11143},"what-is-hipaa","What is HIPAA?",[37,11146,11147],{},"HIPAA, the Health Insurance Portability and Accountability Act of 1996, is the cornerstone US federal law governing the privacy and security of patient health information. Signed into law by President Bill Clinton, the act was originally designed to improve the portability of health insurance coverage when workers changed jobs, combat fraud and waste in healthcare, and simplify the administration of health insurance through standardized electronic transactions. Over the decades since, HIPAA has evolved into the defining US regulation for how healthcare organizations and their partners handle sensitive patient data.",[37,11149,11150,11151,11155,11156,11159],{},"At its core, the law establishes national standards that protect sensitive patient information — known as ",[41,11152,11154],{"href":11153},"\u002Fglossary\u002Fphi","protected health information",", or PHI — from unauthorized use and disclosure. Any organization that creates, receives, maintains, or transmits PHI must comply, whether that organization is a hospital, a health plan, a billing clearinghouse, or a SaaS vendor providing services to healthcare customers. 
The ",[41,11157,11158],{"href":7480},"HIPAA glossary entry"," provides a concise definition, while this page walks through the full regulatory landscape so you understand how each HIPAA rule fits together.",[37,11161,11162],{},"Enforcement falls to the US Department of Health and Human Services (HHS) through its Office for Civil Rights (OCR). State attorneys general also have authority to bring enforcement actions under powers granted by the HITECH Act. The law applies across all 50 states and preempts weaker state privacy laws, though state laws that provide greater protection remain in force.",[32,11164,11166],{"id":11165},"a-brief-history-of-hipaa","A brief history of HIPAA",[37,11168,11169],{},"HIPAA was enacted in 1996, but its privacy and security requirements were not finalized overnight. The act directed HHS to develop implementing regulations, and the major rules were rolled out over more than a decade.",[200,11171,11172,11178,11184,11190,11201,11207],{},[68,11173,11174,11177],{},[71,11175,11176],{},"1996"," — Congress passes HIPAA, directing HHS to issue regulations on privacy, security, and electronic transactions.",[68,11179,11180,11183],{},[71,11181,11182],{},"2000"," — The HIPAA Privacy Rule is published; it takes full effect in 2003.",[68,11185,11186,11189],{},[71,11187,11188],{},"2003"," — The HIPAA Security Rule is finalized, with compliance required by 2005 for most entities.",[68,11191,11192,11195,11196,11200],{},[71,11193,11194],{},"2009"," — The Health Information Technology for Economic and Clinical Health Act (",[41,11197,11199],{"href":11198},"\u002Fframeworks\u002Fhipaa\u002Fhitech-and-omnibus","HITECH",") is signed into law as part of the American Recovery and Reinvestment Act, extending HIPAA obligations to business associates and introducing breach notification requirements.",[68,11202,11203,11206],{},[71,11204,11205],{},"2013"," — The HIPAA Omnibus Rule implements HITECH and further strengthens HIPAA enforcement, fines, and patient 
rights.",[68,11208,11209,11212],{},[71,11210,11211],{},"2024 and beyond"," — HHS continues to update HIPAA guidance, most recently around cybersecurity expectations, reproductive health privacy, and the proposed modernization of the HIPAA Security Rule to reflect modern threats.",[860,11214,11216],{"id":11215},"hitech-and-the-omnibus-rule","HITECH and the Omnibus Rule",[37,11218,11219],{},"The HITECH Act of 2009 was a watershed moment. Before HITECH, HIPAA obligations technically applied only to covered entities, and business associates were bound solely by contract. HITECH changed that by making business associates directly liable. It also introduced the federal Breach Notification Rule, increased civil monetary penalties, and funded the nationwide adoption of electronic health records — which dramatically expanded the volume of electronic PHI requiring protection.",[37,11221,11222,11223,79],{},"The 2013 Omnibus Rule then translated HITECH into binding regulation. It extended the Privacy and Security Rules to business associates and their subcontractors, tightened the definition of a breach, strengthened individual rights to access electronic health records, and aligned the law with the Genetic Information Nondiscrimination Act (GINA). For a deeper breakdown of what changed, read ",[41,11224,11216],{"href":11198},[32,11226,11228],{"id":11227},"who-hipaa-applies-to","Who HIPAA applies to",[37,11230,11231],{},"HIPAA applies to two broad categories of organizations: covered entities and business associates. 
Understanding which category your organization falls into is the first and most important step in any HIPAA compliance program.",[860,11233,11235],{"id":11234},"covered-entities","Covered entities",[37,11237,11238,11239,11243],{},"A ",[41,11240,11242],{"href":11241},"\u002Fglossary\u002Fcovered-entity","covered entity"," is any of the following:",[200,11245,11246,11252,11258],{},[68,11247,11248,11251],{},[71,11249,11250],{},"Health plans"," — health insurance companies, HMOs, employer-sponsored group health plans, government programs like Medicare and Medicaid, and long-term care insurers.",[68,11253,11254,11257],{},[71,11255,11256],{},"Healthcare providers"," — hospitals, clinics, physician practices, dentists, pharmacies, psychologists, and any other provider that transmits health information electronically for billing or eligibility purposes.",[68,11259,11260,11263],{},[71,11261,11262],{},"Healthcare clearinghouses"," — entities that process nonstandard health information into standard formats (or vice versa), such as billing services and repricing companies.",[37,11265,11266],{},"If your organization directly delivers healthcare or finances it, you are almost certainly a covered entity.",[860,11268,11270],{"id":11269},"business-associates","Business associates",[37,11272,11238,11273,11277],{},[41,11274,11276],{"href":11275},"\u002Fglossary\u002Fbusiness-associate","business associate"," is any person or organization that performs a function or activity on behalf of a covered entity that involves the use or disclosure of PHI. Typical business associates include cloud hosting providers, billing vendors, EHR vendors, IT service providers, analytics firms, legal counsel, accounting firms, transcription services, and SaaS platforms that process PHI on behalf of covered entities.",[37,11279,11280,11281,11285],{},"Most modern SaaS companies serving healthcare customers are business associates. 
If your product ingests, stores, processes, or transmits PHI for a covered entity, HIPAA applies to you directly — regardless of whether you consider yourself a \"healthcare company.\" Subcontractors of business associates are themselves business associates and are bound by the same obligations. Signing a ",[41,11282,11284],{"href":11283},"\u002Fglossary\u002Fbaa","business associate agreement"," with every upstream and downstream partner that touches PHI is non-negotiable.",[860,11287,11289],{"id":11288},"who-is-not-covered-by-hipaa","Who is not covered by HIPAA?",[37,11291,11292],{},"Not every organization that handles health information is subject to the law. Consumer wellness apps, fitness trackers, direct-to-consumer genetic testing services, employers (in their role as employers), life insurers, and schools generally fall outside its reach unless they act on behalf of a covered entity. That said, many of these organizations still face FTC oversight, state privacy laws, and customer expectations that mirror HIPAA protections.",[32,11294,11296],{"id":11295},"the-hipaa-privacy-rule","The HIPAA Privacy Rule",[37,11298,11299],{},"The HIPAA Privacy Rule sets national standards for the protection of PHI in all forms — electronic, paper, and oral. It establishes when PHI may be used and disclosed, defines patient rights over their own health data, and imposes the minimum necessary standard on most disclosures. 
The Privacy Rule applies to covered entities directly and to business associates through their BAAs.",[37,11301,11302],{},"Key Privacy Rule concepts include the Notice of Privacy Practices, patient access rights (including the right to an electronic copy of an electronic health record within 30 days), the right to request amendments and accounting of disclosures, the minimum necessary standard, permitted uses for treatment, payment, and operations, and the authorization requirements for marketing and sale of PHI.",[37,11304,11305,11306,11310,11311,11315],{},"For a comprehensive walkthrough of the HIPAA Privacy Rule, permitted disclosures, and patient rights, read the dedicated ",[41,11307,11309],{"href":11308},"\u002Fframeworks\u002Fhipaa\u002Fprivacy-rule","HIPAA Privacy Rule"," guide. For more on the narrowly tailored access principle that governs day-to-day PHI handling, see the ",[41,11312,11314],{"href":11313},"\u002Fframeworks\u002Fhipaa\u002Fminimum-necessary-rule","minimum necessary rule"," page.",[32,11317,11319],{"id":11318},"the-hipaa-security-rule","The HIPAA Security Rule",[37,11321,11322],{},"The HIPAA Security Rule establishes the national floor for protecting electronic PHI (ePHI). While the Privacy Rule covers every form of PHI, the Security Rule is scoped to electronic data — which, in 2026, is effectively every record of clinical or financial relevance inside a modern healthcare organization.",[37,11324,11325],{},"The Security Rule organizes its requirements into three categories of safeguards. Every covered entity and business associate must implement each category based on a documented HIPAA risk analysis.",[860,11327,11329],{"id":11328},"administrative-safeguards","Administrative safeguards",[37,11331,11332,11333,11337,11338,11342,11343,11347],{},"Administrative safeguards are the policies, procedures, and organizational measures that govern your HIPAA program. 
They include security management processes, a designated security official, ",[41,11334,11336],{"href":11335},"\u002Fframeworks\u002Fhipaa\u002Fworkforce-training","workforce training",", a ",[41,11339,11341],{"href":11340},"\u002Fframeworks\u002Fhipaa\u002Fsanctions-policy","sanctions policy"," for workforce violations, access management, ",[41,11344,11346],{"href":11345},"\u002Fframeworks\u002Fhipaa\u002Fcontingency-planning","contingency planning",", periodic evaluations, and BAAs with every downstream partner. These typically consume the most effort because they touch every corner of the business.",[860,11349,11351],{"id":11350},"physical-safeguards","Physical safeguards",[37,11353,11354,11355,6252,11359,11363],{},"Physical safeguards protect the facilities, workstations, devices, and media that house ePHI. This category covers ",[41,11356,11358],{"href":11357},"\u002Fframeworks\u002Fhipaa\u002Ffacility-access-controls","facility access controls",[41,11360,11362],{"href":11361},"\u002Fframeworks\u002Fhipaa\u002Fworkstation-and-device-controls","workstation and device controls",", and media disposal. For cloud-first SaaS companies, physical safeguards increasingly translate into inherited controls from hyperscale cloud providers, but every regulated organization still needs defensible answers for the laptops, offices, and portable media its workforce uses.",[860,11365,11367],{"id":11366},"technical-safeguards","Technical safeguards",[37,11369,11370],{},"Technical safeguards are the technology controls that protect ePHI and govern access to it. 
They include unique user identification, automatic logoff, encryption and decryption of ePHI at rest and in transit, audit controls that log system activity, integrity controls that prevent improper alteration, and person or entity authentication. Several of these — encryption, automatic logoff, and integrity mechanisms among them — are 'addressable' rather than 'required' implementation specifications, which does not make them optional: for each one you must either implement it or document why it is not reasonable and appropriate for your environment and what equivalent alternative you adopted instead.
Breaches involving 500 or more individuals must be reported to HHS within 60 days of discovery (and to prominent media outlets when more than 500 residents of a single state or jurisdiction are affected) and are listed on the public OCR \"Wall of Shame,\" while breaches affecting fewer than 500 individuals must still be logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered. Two caveats matter in practice: the 60-day clock is an outer limit, not a target, and PHI encrypted consistent with HHS guidance counts as secured, so its loss does not trigger notification — a major reason encryption at rest and on portable devices is worth the effort.
The ",[41,11417,11412],{"href":11418},"\u002Fframeworks\u002Fhipaa\u002Fcompliance-checklist"," walks through every major obligation — from assigning a security official through finalizing your Notice of Privacy Practices — as a sequenced program of work.",[37,11421,11422],{},"At a high level, a complete HIPAA program includes:",[200,11424,11425,11428,11431,11434,11437,11440,11443],{},[68,11426,11427],{},"A current risk analysis and documented risk management plan.",[68,11429,11430],{},"Written policies and procedures covering Privacy, Security, and Breach Notification obligations.",[68,11432,11433],{},"A signed BAA with every vendor, subcontractor, and customer that exchanges PHI.",[68,11435,11436],{},"Workforce training at hire and at least annually thereafter, with documented completion.",[68,11438,11439],{},"Access control, audit logging, encryption, and contingency planning for every system that touches ePHI.",[68,11441,11442],{},"An incident response runbook aligned to the Breach Notification Rule.",[68,11444,11445],{},"Documentation retained for at least six years from creation or last effective date, whichever is later.",[32,11447,11449],{"id":11448},"hipaa-risk-analysis","HIPAA risk analysis",[37,11451,11452],{},"Every HIPAA Security Rule program begins with a risk analysis. Under 45 CFR §164.308(a)(1)(ii)(A), covered entities and business associates must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. HHS has repeatedly stated that a missing or superficial risk analysis is among the most common findings in OCR enforcement actions.",[37,11454,11455],{},"A defensible risk analysis inventories every system that creates, receives, maintains, or transmits ePHI, identifies threats and vulnerabilities affecting each system, measures the likelihood and impact of each risk, and feeds directly into the Security Management Process that prioritizes mitigation. 
Most mature programs align their methodology to NIST Special Publication 800-30, which OCR cites favorably.",[37,11457,11458,11459,11377],{},"For a full breakdown of methodology, documentation requirements, and common pitfalls, read the ",[41,11460,11449],{"href":11461},"\u002Fframeworks\u002Fhipaa\u002Frisk-analysis",[32,11463,11465],{"id":11464},"penalties-and-enforcement","Penalties and enforcement",[37,11467,11468],{},"Enforcement is administered by OCR, with parallel criminal enforcement authority held by the Department of Justice and civil enforcement authority held by state attorneys general. HIPAA penalties are tiered by culpability.",[200,11470,11471,11477,11483,11489],{},[68,11472,11473,11476],{},[71,11474,11475],{},"Tier 1 — Unknowing violation"," — $100 to $50,000 per violation; annual cap $25,000 for identical violations.",[68,11478,11479,11482],{},[71,11480,11481],{},"Tier 2 — Reasonable cause"," — $1,000 to $50,000 per violation; annual cap $100,000.",[68,11484,11485,11488],{},[71,11486,11487],{},"Tier 3 — Willful neglect, corrected"," — $10,000 to $50,000 per violation; annual cap $250,000.",[68,11490,11491,11494],{},[71,11492,11493],{},"Tier 4 — Willful neglect, uncorrected"," — $50,000 per violation; annual cap $1.5 million per violation category.",[37,11496,11497],{},"Penalty amounts are adjusted annually for inflation. Criminal penalties can reach $250,000 and 10 years of imprisonment for offenses involving intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm.",[37,11499,11500],{},"OCR enforcement tends to cluster around predictable themes: missing or inadequate risk analyses, lost unencrypted devices, failure to terminate workforce access, insufficient BAAs, delayed breach notifications, and refusal to provide patient access to records. 
Organizations that can demonstrate a mature, well-documented program — with evidence of ongoing risk analysis, training, and monitoring — tend to receive more favorable resolutions. Since the 2021 HITECH amendment (Public Law 116-321), OCR must also consider whether 'recognized security practices' such as the NIST Cybersecurity Framework or the 405(d) Health Industry Cybersecurity Practices had been in place for the preceding twelve months when setting penalties and audit outcomes, so documenting that alignment is worth the effort before an incident, not after.
A well-designed control environment can satisfy both with substantial overlap, but a SOC 2 report is not evidence of HIPAA compliance on its own: HIPAA has no certification, and the BAA, risk analysis, and breach-notification obligations apply regardless of what the report covers. If you rely on a vendor's SOC 2 (or offer your own) for HIPAA diligence, look for an explicit HIPAA control mapping rather than assuming the report speaks to it.
State privacy laws, the 21st Century Cures Act, FDA software-as-a-medical-device requirements, and payor-specific security reviews often run in parallel — which is why most compliance programs are built into a broader GRC operating model.",[32,11584,11586],{"id":11585},"how-episki-helps-with-hipaa-compliance","How episki helps with HIPAA compliance",[37,11588,11589],{},"episki is the HIPAA compliance platform for healthtech teams that need to ship fast without losing control of PHI. We map Privacy, Security, and Breach Notification obligations directly to your systems, automate evidence collection for every safeguard, manage BAAs across your vendor ecosystem, and keep risk analyses current as your stack evolves.",[37,11591,11592,11593,11597],{},"Our platform was designed by practitioners who have led HIPAA programs at healthcare organizations and audited them as consultants. The result is a workspace that makes it obvious what is done, what is due, and what is drifting — so you can spend less time reconstructing evidence the week before a customer audit and more time building product. Read the ",[41,11594,11596],{"href":11595},"\u002Fnow\u002Fhipaa-compliance-healthtech","HIPAA for healthtech"," playbook for a closer look at how modern SaaS companies operate HIPAA at startup speed.",[37,11599,11600],{},"Ready to tighten your HIPAA program? 
Start a free trial or book a demo from the top of this page.",{"title":447,"searchDepth":448,"depth":448,"links":11602},[11603,11604,11607,11612,11613,11618,11619,11620,11621,11622,11623,11626,11627],{"id":11143,"depth":448,"text":11144},{"id":11165,"depth":448,"text":11166,"children":11605},[11606],{"id":11215,"depth":1179,"text":11216},{"id":11227,"depth":448,"text":11228,"children":11608},[11609,11610,11611],{"id":11234,"depth":1179,"text":11235},{"id":11269,"depth":1179,"text":11270},{"id":11288,"depth":1179,"text":11289},{"id":11295,"depth":448,"text":11296},{"id":11318,"depth":448,"text":11319,"children":11614},[11615,11616,11617],{"id":11328,"depth":1179,"text":11329},{"id":11350,"depth":1179,"text":11351},{"id":11366,"depth":1179,"text":11367},{"id":11380,"depth":448,"text":11381},{"id":11397,"depth":448,"text":11398},{"id":11411,"depth":448,"text":11412},{"id":11448,"depth":448,"text":11449},{"id":11464,"depth":448,"text":11465},{"id":11503,"depth":448,"text":11504,"children":11624},[11625],{"id":11531,"depth":1179,"text":11532},{"id":11541,"depth":448,"text":11542},{"id":11585,"depth":448,"text":11586},{"title":11629,"description":11630,"items":11631},"HIPAA launch kit","Guided steps keep privacy, security, and ops in sync from day one.",[11632,11633,11634,11635,11636],"Safeguard library with ownership matrix","Evidence tracking for access logs and configs","BAA tracker with renewal reminders","Incident and breach response templates","Stakeholder portal with PHI redaction controls",{"title":11638,"description":11639},"Launch HIPAA monitoring in minutes","Kick off the free trial and invite stakeholders before your next diligence call.",{"title":11641,"items":11642},"HIPAA compliance frequently asked questions",[11643,11646,11649,11652,11655],{"label":11644,"content":11645},"Who needs to comply with HIPAA?","HIPAA applies to covered entities (health plans, healthcare providers, clearinghouses) and business associates — any vendor or subcontractor that 
creates, receives, maintains, or transmits protected health information (PHI). SaaS companies serving healthcare customers almost always qualify as business associates.",{"label":11647,"content":11648},"What is a Business Associate Agreement (BAA)?","A BAA is a legally required contract between a covered entity and a business associate that establishes permitted uses and disclosures of PHI, requires appropriate safeguards, and outlines breach notification responsibilities. No PHI should be shared with a vendor before a BAA is signed.",{"label":11650,"content":11651},"What are the penalties for HIPAA violations?","HIPAA penalties range from $100 to $50,000 per violation depending on the level of negligence, with annual maximums up to $1.5 million per violation category. Criminal penalties can include fines up to $250,000 and imprisonment. The HHS Office for Civil Rights enforces compliance.",{"label":11653,"content":11654},"Does HIPAA apply to SaaS companies?","Yes. Any SaaS company that handles, stores, or transmits PHI on behalf of a healthcare organization is considered a business associate under HIPAA and must comply with the Security Rule, Privacy Rule, and Breach Notification Rule.",{"label":11656,"content":11657},"What are the three HIPAA safeguard categories?","HIPAA requires administrative safeguards (policies, training, risk assessments), physical safeguards (facility access, workstation security), and technical safeguards (access controls, encryption, audit logging) to protect electronic PHI.",{"headline":11659,"title":11660,"description":11661,"links":11662},"HIPAA-ready cloud teams","Stay HIPAA compliant while shipping product weekly","episki maps administrative, physical, and technical safeguards to your systems and keeps PHI protections verifiable.",[11663,11665],{"label":11664,"icon":499,"to":500},"Start HIPAA 
trial",{"label":502,"icon":11083,"color":504,"variant":505,"to":506,"target":507},{},{"headline":11668,"title":11668,"description":11669,"items":11670},"HIPAA enablement","Keep leadership, customers, and partners aligned.",[11671,11674,11677],{"title":11672,"description":11673},"Board-ready posture report","Shows maturity score, risk trends, and upcoming audits.",{"title":11675,"description":11676},"Customer FAQ pack","Answers the most common HIPAA diligence questions.",{"title":11678,"description":11679},"Ops automation guide","Explains how to plug security tasks into existing tools.",{"title":11681,"description":11682},"HIPAA Compliance Management Software","Map HIPAA safeguards, track PHI evidence, and manage BAAs in one secure workspace. Get audit-ready in 30 days with episki's free trial.",[11684,11687,11690],{"value":11685,"description":11686},"30-day rollout","Average time to production monitoring across safeguards.",{"value":11688,"description":11689},"PHI-safe sharing","Role-based portals keep sensitive documents organized and protected.",{"value":11691,"description":11692},"24\u002F7 alerts","Continuous monitoring for access, logging, and vendor risks.","5.frameworks\u002Fhipaa","9IldK-wXldOkZs8WFGmDWXYF8To1wETqwKkhsGGUW04",{"id":11696,"title":11697,"advantages":11698,"body":11720,"checklist":12121,"cta":12132,"description":447,"extension":473,"faq":12135,"hero":12153,"lastUpdated":508,"meta":12161,"name":4221,"navigation":510,"path":4220,"resources":12162,"seo":12175,"slug":4609,"stats":12178,"stem":12187,"__hash__":12188},"frameworks\u002F5.frameworks\u002Fiso27001.md","Iso27001",[11699,11706,11713],{"title":11700,"description":11701,"bullets":11702},"Statement of Applicability in minutes","Generate and maintain your SoA directly from your control graph with justification notes for every inclusion and exclusion.",[11703,11704,11705],"Auto-populate applicability status from existing controls","Link each control to risk treatment decisions","Export 
auditor-ready SoA documents on demand",{"title":11707,"description":11708,"bullets":11709},"Risk-driven control management","Connect your risk register to Annex A controls so treatment plans and evidence stay aligned as threats evolve.",[11710,11711,11712],"Risk assessment templates following ISO 27005 guidance","Heat maps show residual risk by domain","Treatment plans tie directly to control tasks and owners",{"title":11714,"description":11715,"bullets":11716},"Surveillance audit confidence","Keep your ISMS current between certification cycles with continuous monitoring and internal audit workflows.",[11717,11718,11719],"Automated evidence refresh and expiration alerts","Internal audit scheduling with finding tracking","Management review templates with trend data",{"type":29,"value":11721,"toc":12103},[11722,11726,11737,11740,11743,11746,11750,11753,11756,11759,11763,11766,11779,11783,11786,11793,11796,11800,11807,11810,11818,11822,11830,11833,11841,11845,11848,11892,11900,11908,11912,11915,11918,11925,11929,11932,11935,11946,11950,11953,11961,11965,11968,11975,11979,11982,12008,12014,12018,12021,12029,12033,12036,12044,12048,12051,12072,12078,12082,12085,12097,12100],[32,11723,11725],{"id":11724},"what-is-iso-27001","What is ISO 27001?",[37,11727,11728,11731,11732,11736],{},[41,11729,4221],{"href":11730},"\u002Fglossary\u002Fiso27001"," is the world's most widely adopted international standard for information security management. Formally titled ISO\u002FIEC 27001, it defines the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System, or ",[41,11733,11735],{"href":11734},"\u002Fglossary\u002Fisms","ISMS",". 
Organizations that align with ISO 27001 commit to a risk-based, process-driven approach to protecting the confidentiality, integrity, and availability of the information they hold on behalf of customers, employees, and business partners.",[37,11738,11739],{},"The standard is published jointly by two bodies. The International Organization for Standardization (ISO), headquartered in Geneva, develops consensus-based standards across nearly every industry. The International Electrotechnical Commission (IEC) is its counterpart for electrotechnical and information technology standards. Together, their joint technical committee ISO\u002FIEC JTC 1\u002FSC 27 maintains the ISO 27001 family, which includes supporting documents such as ISO 27002 (implementation guidance) and ISO 27005 (risk management guidance).",[37,11741,11742],{},"ISO 27001 was first released in 2005, revised in 2013, and most recently updated in October 2022. The 2022 revision is now the only version against which new ISO 27001 certifications are issued. Any discussion of ISO 27001 today should default to this edition, which reorganized the control set and introduced eleven new controls addressing modern risks like threat intelligence, data masking, and secure coding.",[37,11744,11745],{},"At the heart of ISO 27001 is the concept of an ISMS. An ISMS is not a product you can buy or a checklist you can run through once. It is the living combination of policies, processes, people, and technology that your organization uses to identify information security risks, decide how to treat them, implement controls, measure effectiveness, and continually improve. ISO 27001 provides the blueprint. 
Your ISMS is the thing you build from that blueprint.",[32,11747,11749],{"id":11748},"why-iso-27001-matters","Why ISO 27001 matters",[37,11751,11752],{},"ISO 27001 is recognized in more than 160 countries and frequently shows up as a procurement requirement for enterprise technology contracts, financial services partnerships, public sector work, and any organization selling into European or APAC markets. Unlike self-attested programs, ISO 27001 certification is issued by an independent accredited certification body, which gives customers and regulators external assurance that your security practices are real and not marketing.",[37,11754,11755],{},"Beyond procurement, ISO 27001 brings discipline. Many organizations treat security as a reactive function that only activates after an incident or failed audit. The ISO 27001 approach forces proactive risk identification, documented decisions, and measurable effectiveness. Even teams that never pursue certification often adopt the ISO 27001 framework as an internal operating model because it is mature, well-documented, and maps cleanly to other standards.",[37,11757,11758],{},"ISO 27001 also signals organizational maturity to investors. Due diligence for Series B and later funding rounds almost always includes a security review. Holding an ISO 27001 certificate short-circuits much of that review and accelerates close.",[32,11760,11762],{"id":11761},"the-iso-27001-certification-process","The ISO 27001 certification process",[37,11764,11765],{},"ISO 27001 certification follows a standardized two-stage audit model used worldwide. A Stage 1 audit reviews your ISMS documentation and readiness. A Stage 2 audit evaluates whether your ISMS is actually implemented and effective in practice. If there are no major nonconformities, the certification body recommends certification and a three-year certificate is issued. 
Annual surveillance audits follow, with full recertification every three years.",[37,11767,11768,11769,11773,11774,11778],{},"For a deep walkthrough of every phase of the journey, including timelines, auditor expectations, and common pitfalls, see the ",[41,11770,11772],{"href":11771},"\u002Fframeworks\u002Fiso27001\u002Fcertification-process","ISO 27001 certification process guide",". If you are still evaluating whether to pursue ISO 27001 at all, the ",[41,11775,11777],{"href":11776},"\u002Fnow\u002Fiso27001-certification-guide","ISO 27001 certification guide"," covers the business case and sequencing decisions.",[32,11780,11782],{"id":11781},"iso-270012022-what-changed","ISO 27001:2022 — What changed",[37,11784,11785],{},"The 2022 revision is the current version of the standard. Two changes matter most for teams implementing ISO 27001 today.",[37,11787,11788,11789,11792],{},"First, the control set was restructured. The 2013 edition had 114 controls across 14 domains. ISO 27001:2022 consolidates these into ",[71,11790,11791],{},"93 controls across four themes",": organizational (37 controls), people (8 controls), physical (14 controls), and technological (34 controls). Eleven entirely new controls were introduced, including threat intelligence, information security for cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding.",[37,11794,11795],{},"Second, the clause-level requirements in sections 4 through 10 received targeted updates around planning, leadership commitment, and operational control. The Plan-Do-Check-Act structure remains, but the language is tighter and more aligned with other ISO management system standards such as ISO 9001 and ISO 14001. Organizations holding ISO 27001:2013 certificates were given a transition window, and most have now migrated. 
New certifications are assessed exclusively against ISO 27001:2022.",[32,11797,11799],{"id":11798},"annex-a-controls","Annex A controls",[37,11801,11802,11803,11806],{},"Annex A of ISO 27001 is the reference control set. The ",[41,11804,11805],{"href":4225},"93 Annex A controls"," are organized under the four themes described above and represent the universe of possible safeguards your ISMS might apply. Every control must be evaluated for applicability and either implemented or formally excluded with justification.",[37,11808,11809],{},"Organizational controls cover governance, policy, third-party management, incident response, and business continuity. People controls address screening, training, responsibilities, and remote working. Physical controls protect buildings, equipment, and storage media. Technological controls handle access control, cryptography, logging, vulnerability management, secure development, and cloud security.",[37,11811,11812,11813,11817],{},"For a full breakdown of every theme, example controls in each, and how to prioritize implementation, see the ",[41,11814,11816],{"href":11815},"\u002Fframeworks\u002Fiso27001\u002Fannex-a-controls","ISO 27001 Annex A controls reference",". ISO 27002:2022 provides detailed implementation guidance for each control and is invaluable as a companion reference, though it is not mandatory to follow prescriptively.",[32,11819,11821],{"id":11820},"statement-of-applicability-soa","Statement of Applicability (SoA)",[37,11823,11824,11825,11829],{},"The ",[41,11826,11828],{"href":11827},"\u002Fglossary\u002Fstatement-of-applicability","Statement of Applicability"," is arguably the single most important document in your ISO 27001 program. The SoA lists every Annex A control, records whether it is applicable to your ISMS, explains why, and summarizes how the control is implemented. 
It is the document auditors will open first, and it is the document customers may ask to see.",[37,11831,11832],{},"A well-built SoA ties directly to your risk assessment output. Controls are marked applicable because they treat identified risks, satisfy legal or contractual requirements, or reflect business decisions. Controls marked not applicable require a short but credible justification. Auditors routinely sample SoA entries during Stage 2 and ask for corresponding evidence.",[37,11834,11835,11836,11840],{},"See the dedicated guide on the ",[41,11837,11839],{"href":11838},"\u002Fframeworks\u002Fiso27001\u002Fstatement-of-applicability","ISO 27001 Statement of Applicability"," for format examples, justification patterns, and common SoA mistakes.",[32,11842,11844],{"id":11843},"building-your-isms","Building your ISMS",[37,11846,11847],{},"Implementing ISO 27001 is primarily an exercise in building a functioning ISMS. The standard walks through this in clauses 4 through 10:",[200,11849,11850,11856,11862,11868,11874,11880,11886],{},[68,11851,11852,11855],{},[71,11853,11854],{},"Clause 4 — Context of the organization."," Understand internal and external issues, interested parties, and define the ISMS scope.",[68,11857,11858,11861],{},[71,11859,11860],{},"Clause 5 — Leadership."," Top management must demonstrate commitment, approve the information security policy, and assign roles.",[68,11863,11864,11867],{},[71,11865,11866],{},"Clause 6 — Planning."," Identify risks and opportunities, set information security objectives, and plan how to achieve them.",[68,11869,11870,11873],{},[71,11871,11872],{},"Clause 7 — Support."," Provide resources, competence, awareness, communication, and documented information.",[68,11875,11876,11879],{},[71,11877,11878],{},"Clause 8 — Operation."," Execute the risk assessment and risk treatment process and operate the ISMS on an ongoing basis.",[68,11881,11882,11885],{},[71,11883,11884],{},"Clause 9 — Performance evaluation."," Monitor, 
measure, analyze, evaluate, conduct internal audits, and hold management reviews.",[68,11887,11888,11891],{},[71,11889,11890],{},"Clause 10 — Improvement."," Handle nonconformities and drive continual improvement.",[37,11893,11894,11895,11899],{},"Each clause has mandatory documented information and mandatory activities. The ",[41,11896,11898],{"href":11897},"\u002Fframeworks\u002Fiso27001\u002Fisms-implementation","ISO 27001 ISMS implementation guide"," breaks down exactly what to produce at each stage.",[37,11901,11902,11903,11907],{},"Scope definition deserves special attention. A scope that is too narrow can fail to satisfy customers. A scope that is too broad inflates audit cost and implementation effort. The ",[41,11904,11906],{"href":11905},"\u002Fframeworks\u002Fiso27001\u002Fisms-scope","ISMS scope"," guide walks through how to draw the right boundaries for your business.",[32,11909,11911],{"id":11910},"iso-27001-risk-assessment","ISO 27001 risk assessment",[37,11913,11914],{},"Risk assessment is the engine that drives control selection in ISO 27001. The standard requires a documented, repeatable methodology. Most organizations use a qualitative or semi-quantitative approach that evaluates likelihood and impact across confidentiality, integrity, and availability. ISO 27005 provides detailed guidance but is not mandatory.",[37,11916,11917],{},"Outputs of the risk assessment feed directly into the risk treatment plan, which in turn feeds the Statement of Applicability. This chain is why ISO 27001 auditors spend significant time tracing from a risk to a treatment decision to a control to evidence of operation. 
Break this chain and you create nonconformities.",[37,11919,11920,11921,79],{},"For methodology, risk register structure, treatment options, and residual risk handling, see the ",[41,11922,11924],{"href":11923},"\u002Fframeworks\u002Fiso27001\u002Frisk-assessment","ISO 27001 risk assessment guide",[32,11926,11928],{"id":11927},"internal-audits-and-management-review","Internal audits and management review",[37,11930,11931],{},"Two activities inside Clause 9 are frequent failure points for first-time ISO 27001 certifiers. Clause 9.2 requires internal audits of the ISMS at planned intervals. Clause 9.3 requires a formal management review with defined inputs and outputs. Both must be complete before your Stage 2 audit.",[37,11933,11934],{},"Internal audits must cover every clause of ISO 27001 and every applicable Annex A control across your audit cycle. Auditors must be objective and impartial, which typically means the person who built a control cannot audit it. Findings must be documented, communicated, and tracked to closure.",[37,11936,11937,11938,261,11942,79],{},"Management reviews force leadership engagement. Inputs include audit results, risk changes, nonconformities, and stakeholder feedback. Outputs include decisions on resources, improvement opportunities, and changes to the ISMS. Detailed coverage lives in the ",[41,11939,11941],{"href":11940},"\u002Fframeworks\u002Fiso27001\u002Finternal-audit","internal audit guide",[41,11943,11945],{"href":11944},"\u002Fframeworks\u002Fiso27001\u002Fmanagement-review","management review guide",[32,11947,11949],{"id":11948},"nonconformities-and-corrective-action","Nonconformities and corrective action",[37,11951,11952],{},"When something in your ISMS does not meet ISO 27001 requirements, your own policies, or customer obligations, that is a nonconformity. 
Clause 10.2 of ISO 27001:2022, Nonconformity and corrective action (numbered 10.1 in the 2013 edition), requires you to react, contain the consequences, perform root cause analysis, implement corrective action, and verify effectiveness.",[37,11954,11955,11956,11960],{},"Mature organizations treat nonconformities as valuable signals rather than failures. The ",[41,11957,11959],{"href":11958},"\u002Fframeworks\u002Fiso27001\u002Fnonconformity-and-corrective-action","nonconformity and corrective action"," guide walks through the full CAPA workflow auditors expect to see.",[32,11962,11964],{"id":11963},"continual-improvement","Continual improvement",[37,11966,11967],{},"Clause 10.1 of ISO 27001:2022 (10.2 in the 2013 edition; the standard has no Clause 10.3) requires continual improvement of the suitability, adequacy, and effectiveness of the ISMS. This is not about constantly changing controls. It is about demonstrating measurable progress over time through metrics, KPIs, trend analysis, and lessons learned.",[37,11969,11970,11971,79],{},"Learn how to set ISMS metrics that auditors respect and leadership actually uses in the ",[41,11972,11974],{"href":11973},"\u002Fframeworks\u002Fiso27001\u002Fcontinual-improvement","continual improvement guide",[32,11976,11978],{"id":11977},"cost-and-timeline","Cost and timeline",[37,11980,11981],{},"ISO 27001 certification costs vary by scope, organization size, and maturity. A realistic budget range for a first-time certification at a small to mid-sized technology company looks like this:",[200,11983,11984,11990,11996,12002],{},[68,11985,11986,11989],{},[71,11987,11988],{},"Internal effort."," Six to twelve months of fractional time from an ISMS owner plus contributions from engineering, HR, legal, and IT. 
Equivalent fully loaded cost of $50,000 to $200,000.",[68,11991,11992,11995],{},[71,11993,11994],{},"External consulting (optional)."," Gap analysis and implementation support from a consultancy typically runs $20,000 to $100,000 depending on scope.",[68,11997,11998,12001],{},[71,11999,12000],{},"Certification body fees."," Stage 1 and Stage 2 audits combined usually cost $15,000 to $40,000. Annual surveillance audits run $8,000 to $20,000. Recertification in year three runs similar to the initial audit.",[68,12003,12004,12007],{},[71,12005,12006],{},"Platform and tooling."," GRC platforms like episki typically replace $30,000 or more in spreadsheet-driven consulting labor annually.",[37,12009,12010,12011,3296],{},"Total first-year ISO 27001 program cost for a 50 to 200 person company commonly lands between $60,000 and $150,000 all-in. Timeline from kickoff to certificate in hand is typically nine to fifteen months. See the ",[41,12012,12013],{"href":11771},"cost and timeline discussion in the certification process guide",[32,12015,12017],{"id":12016},"choosing-a-certification-body","Choosing a certification body",[37,12019,12020],{},"Only an accredited certification body can issue a recognized ISO 27001 certificate. Accreditation is granted by national bodies such as UKAS in the United Kingdom, ANAB in the United States, and JAS-ANZ in Australia and New Zealand, all operating under the International Accreditation Forum (IAF). A certificate from a non-accredited body has little value with enterprise customers.",[37,12022,12023,12024,12028],{},"Selection criteria include accreditation scope, industry experience, auditor availability, geographic coverage, and cost transparency. 
The ",[41,12025,12027],{"href":12026},"\u002Fframeworks\u002Fiso27001\u002Fcertification-body-selection","certification body selection guide"," walks through the full evaluation.",[32,12030,12032],{"id":12031},"surveillance-audits-and-recertification","Surveillance audits and recertification",[37,12034,12035],{},"Once certified, your ISO 27001 certificate is valid for three years. Certification bodies conduct a lighter annual surveillance audit in years one and two to confirm the ISMS is still operating effectively. A full recertification audit occurs in year three. Nonconformities identified during surveillance can put your certificate at risk if not resolved within the specified timeframe.",[37,12037,12038,12039,12043],{},"See the ",[41,12040,12042],{"href":12041},"\u002Fframeworks\u002Fiso27001\u002Fsurveillance-audits","surveillance audits guide"," for preparation checklists and what auditors typically sample during year-one and year-two visits.",[32,12045,12047],{"id":12046},"iso-27001-vs-soc-2-vs-nist-csf","ISO 27001 vs SOC 2 vs NIST CSF",[37,12049,12050],{},"Customers and leadership teams frequently ask how ISO 27001 compares to other frameworks. The short version:",[200,12052,12053,12061],{},[68,12054,12055,12060],{},[71,12056,12057,12058,79],{},"ISO 27001 vs ",[41,12059,4212],{"href":4211}," ISO 27001 is an international certification of an ISMS. SOC 2 is a US-centric attestation of controls aligned with the AICPA Trust Services Criteria. SOC 2 produces a detailed report; ISO 27001 produces a certificate. SOC 2 is faster to complete and often preferred by US buyers. ISO 27001 is stronger for European customers and regulated industries. Many organizations run both, mapping controls once in a tool like episki.",[68,12062,12063,12066,12067,12071],{},[71,12064,12065],{},"ISO 27001 vs NIST CSF."," NIST CSF is a voluntary US framework structured, since the CSF 2.0 release in February 2024, around six functions: Govern, Identify, Protect, Detect, Respond, and Recover (CSF 1.1 had only the latter five). It is not a certification. 
Organizations often use NIST CSF as a maturity assessment tool and ISO 27001 as the formal certification. The two map cleanly at the control level. See ",[41,12068,12070],{"href":12069},"\u002Fframeworks\u002Fnistcsf\u002Fmapping-to-other-frameworks","NIST CSF mapping to other frameworks"," for a side-by-side comparison.",[37,12073,12074,12075,12077],{},"If you are weighing which framework to pursue first, the ",[41,12076,11777],{"href":11776}," covers framework sequencing for growing companies.",[32,12079,12081],{"id":12080},"getting-certified-with-episki","Getting certified with episki",[37,12083,12084],{},"Most teams discover that ISO 27001 certification is less about security expertise and more about sustained, organized execution across months of risk assessments, control implementation, evidence collection, and documentation. Spreadsheet-based ISO 27001 programs tend to collapse under their own weight, especially when the certification cycle extends across surveillance audits and the 2022 transition creates additional documentation churn.",[37,12086,12087,12088,249,12092,12096],{},"episki was built to collapse that effort. The platform ships with the full 93-control Annex A library pre-mapped, automatic Statement of Applicability generation, a risk register tied to ISO 27005 treatment options, internal audit workflows, management review templates, and continuous evidence collection. Customers regularly compare episki against more established vendors; see ",[41,12089,12091],{"href":12090},"\u002Fcompare\u002Fvanta","episki vs Vanta",[41,12093,12095],{"href":12094},"\u002Fcompare\u002Fdrata","episki vs Drata"," for honest side-by-side views.",[37,12098,12099],{},"Teams using episki typically cut ISO 27001 preparation time by 60 percent compared to manual approaches and arrive at Stage 2 with a clean, auditor-ready evidence pack. 
Whether you are starting from zero or migrating an existing ISO 27001:2013 program to the 2022 standard, the platform scales with your scope.",[37,12101,12102],{},"Start a free trial, import your controls, and run your first ISO 27001 gap analysis in under an hour.",{"title":447,"searchDepth":448,"depth":448,"links":12104},[12105,12106,12107,12108,12109,12110,12111,12112,12113,12114,12115,12116,12117,12118,12119,12120],{"id":11724,"depth":448,"text":11725},{"id":11748,"depth":448,"text":11749},{"id":11761,"depth":448,"text":11762},{"id":11781,"depth":448,"text":11782},{"id":11798,"depth":448,"text":11799},{"id":11820,"depth":448,"text":11821},{"id":11843,"depth":448,"text":11844},{"id":11910,"depth":448,"text":11911},{"id":11927,"depth":448,"text":11928},{"id":11948,"depth":448,"text":11949},{"id":11963,"depth":448,"text":11964},{"id":11977,"depth":448,"text":11978},{"id":12016,"depth":448,"text":12017},{"id":12031,"depth":448,"text":12032},{"id":12046,"depth":448,"text":12047},{"id":12080,"depth":448,"text":12081},{"title":12122,"description":12123,"items":12124},"ISO 27001 certification checklist inside episki","Everything you need to scope, implement, and certify your ISMS is preloaded in your free trial.",[12125,12126,12127,12128,12129,12130,12131],"ISMS scope definition and context of the organization templates","Full Annex A control library with implementation guidance","Risk assessment and treatment plan workflows","Statement of Applicability generator","Internal audit programme with finding management","Management review agenda and output templates","Corrective action tracking with root cause analysis",{"title":12133,"description":12134},"Start your ISO 27001 journey today","Import your controls, define your ISMS scope, and generate your first Statement of Applicability in under an hour.",{"title":12136,"items":12137},"ISO 27001 frequently asked questions",[12138,12141,12144,12147,12150],{"label":12139,"content":12140},"How long does ISO 27001 certification 
take?","Most organizations achieve certification in 6-12 months depending on scope and existing maturity. The process includes a Stage 1 documentation review and a Stage 2 implementation audit. episki reduces preparation time by up to 60% with pre-mapped controls and automated evidence.",{"label":12142,"content":12143},"What is the difference between ISO 27001 and SOC 2?","ISO 27001 is an international certification standard focused on building a complete information security management system (ISMS). SOC 2 is a US-based attestation that evaluates specific Trust Services Criteria. Many companies pursue both, and episki lets you map controls once and reuse them across frameworks.",{"label":12145,"content":12146},"What is an ISMS?","An Information Security Management System (ISMS) is the set of policies, procedures, controls, and processes an organization uses to manage information security risk. ISO 27001 provides the framework for establishing, implementing, maintaining, and continually improving an ISMS.",{"label":12148,"content":12149},"How much does ISO 27001 certification cost?","Certification costs vary by organization size and scope but typically range from $30,000 to $80,000 including auditor fees, with ongoing surveillance audit costs annually. episki's flat-rate pricing keeps the platform cost predictable at $500\u002Fmonth.",{"label":12151,"content":12152},"How often are ISO 27001 surveillance audits?","After initial certification, surveillance audits occur annually to confirm your ISMS remains effective. A full recertification audit is required every three years. 
episki's continuous monitoring keeps evidence current between audits.",{"headline":12154,"title":12155,"description":12156,"links":12157},"ISO 27001 certification on your timeline","Build and maintain your ISMS without drowning in spreadsheets","episki maps Annex A controls, tracks your Statement of Applicability, and keeps risk treatment plans linked to real evidence so certification audits run smoothly.",[12158,12160],{"label":12159,"icon":499,"to":500},"Start ISO 27001 trial",{"label":502,"icon":11083,"color":504,"variant":505,"to":506,"target":507},{},{"headline":12163,"title":12163,"description":12164,"items":12165},"ISO 27001 certification resources","Give leadership, auditors, and customers visibility into your ISMS maturity.",[12166,12169,12172],{"title":12167,"description":12168},"ISMS maturity dashboard","Visual progress across all Annex A domains with gap analysis and trending.",{"title":12170,"description":12171},"Auditor collaboration portal","Scoped access for certification bodies with evidence requests and Q&A threads.",{"title":12173,"description":12174},"Customer trust pack","Shareable ISO 27001 certification summary with scope details and control highlights.",{"title":12176,"description":12177},"ISO 27001 Compliance Platform","Build and certify your ISMS faster with episki. Annex A control mapping, SoA generation, and risk treatment plans in one workspace. 
Free 14-day trial.",[12179,12181,12184],{"value":11805,"description":12180},"Pre-mapped to your control graph with owners, evidence, and review cadences.",{"value":12182,"description":12183},"60% less prep","Average reduction in Stage 2 audit preparation time with episki's automation.",{"value":12185,"description":12186},"Continuous compliance","Surveillance audits stay painless with always-current evidence and risk registers.","5.frameworks\u002Fiso27001","aThn2G4vv-MUlfe5mhRJFQHtMgpdfJi3-UMVou77OZs",{"id":12190,"title":12191,"advantages":12192,"body":12214,"checklist":12745,"cta":12754,"description":447,"extension":473,"faq":12757,"hero":12774,"lastUpdated":508,"meta":12783,"name":4256,"navigation":510,"path":4255,"resources":12784,"seo":12797,"slug":4611,"stats":12800,"stem":12810,"__hash__":12811},"frameworks\u002F5.frameworks\u002Fnistcsf.md","Nistcsf",[12193,12200,12207],{"title":12194,"description":12195,"bullets":12196},"Tailored CSF roadmap","Start with opinionated baseline controls, then layer your own.",[12197,12198,12199],"Gap analysis highlights missing outcomes","Auto-generated improvement initiatives","Budget impact estimates for leadership",{"title":12201,"description":12202,"bullets":12203},"Continuous monitoring and AI ops","Stream alerts, detections, and incidents into CSF context.",[12204,12205,12206],"Connect SIEM, EDR, and cloud posture tools","AI summarizes incidents for exec updates","Workflows escalate unreviewed alerts",{"title":12208,"description":12209,"bullets":12210},"Board and customer alignment","Share progress externally with confidence.",[12211,12212,12213],"Customizable scorecards for customers or partners","Trend lines show quarter-over-quarter improvements","Trust room access with expiring 
links",{"type":29,"value":12215,"toc":12723},[12216,12220,12227,12230,12234,12241,12244,12248,12251,12262,12266,12269,12272,12311,12317,12321,12324,12327,12331,12340,12344,12354,12358,12368,12372,12382,12386,12396,12400,12410,12413,12417,12424,12450,12456,12460,12466,12469,12483,12486,12497,12501,12511,12528,12535,12539,12547,12553,12564,12568,12571,12618,12621,12625,12628,12660,12663,12666,12670,12673,12717,12720],[32,12217,12219],{"id":12218},"what-is-nist-csf","What is NIST CSF?",[37,12221,12222,12223,12226],{},"The NIST Cybersecurity Framework (NIST CSF) is a voluntary, outcome-based set of cybersecurity guidelines published by the ",[41,12224,12225],{"href":10739},"National Institute of Standards and Technology",". The NIST Cybersecurity Framework gives organizations a shared vocabulary and a prioritized structure for managing cybersecurity risk, measuring program maturity, and communicating security posture to executives, boards, regulators, customers, and insurers.",[37,12228,12229],{},"NIST CSF is not a certification, a control catalog, or a compliance standard. It is a framework — a model that organizes cybersecurity activities into functions, categories, and subcategories so that any organization can describe its current cybersecurity posture, describe its target cybersecurity posture, identify and prioritize opportunities for improvement, assess progress, and communicate cybersecurity risk in a consistent way. 
Because NIST CSF is technology- and sector-neutral, it has become one of the most widely adopted cybersecurity frameworks in the world, used by Fortune 500 companies, federal contractors, critical infrastructure operators, state and local governments, startups, nonprofits, and multinational enterprises.",[860,12231,12233],{"id":12232},"nist-origin-and-executive-order-13636","NIST origin and Executive Order 13636",[37,12235,12236,12237,12240],{},"The NIST Cybersecurity Framework was created in response to a growing wave of attacks against United States critical infrastructure. In February 2013, President Barack Obama signed ",[71,12238,12239],{},"Executive Order 13636 — Improving Critical Infrastructure Cybersecurity",", which directed NIST to work with industry, academia, and other government agencies to develop a voluntary cybersecurity framework for critical infrastructure operators. The executive order explicitly called for a flexible, repeatable, performance-based, and cost-effective approach that could scale from small municipal utilities to the largest financial institutions.",[37,12242,12243],{},"NIST published version 1.0 of the NIST Cybersecurity Framework in February 2014 after a year of public workshops, industry comment periods, and collaboration with more than three thousand individuals and organizations. The first version of NIST CSF introduced the five core functions — Identify, Protect, Detect, Respond, and Recover — along with the concept of framework profiles and implementation tiers. Even though NIST CSF was designed for critical infrastructure, organizations in every sector quickly adopted it because it filled a gap that prescriptive standards did not: a business-friendly model for talking about cybersecurity risk.",[860,12245,12247],{"id":12246},"the-evolution-of-nist-csf","The evolution of NIST CSF",[37,12249,12250],{},"In April 2018, NIST released NIST CSF version 1.1. 
This incremental update clarified existing guidance, added a new Supply Chain Risk Management category (ID.SC), improved the self-assessment language, and added authentication and identity proofing subcategories. NIST CSF 1.1 contained 108 subcategories grouped under 23 categories across the five functions, and it remained the dominant version of the NIST Cybersecurity Framework for six years.",[37,12252,12253,12254,12257,12258,12261],{},"In February 2024, NIST published ",[71,12255,12256],{},"NIST CSF 2.0"," — the first major revision of the NIST Cybersecurity Framework. NIST CSF 2.0 expanded the scope of the framework beyond critical infrastructure, added a brand-new sixth function called ",[71,12259,12260],{},"Govern",", reorganized several categories, and introduced a richer set of implementation resources including quick-start guides, informative references, and community profiles.",[32,12263,12265],{"id":12264},"nist-csf-20-changes","NIST CSF 2.0 changes",[37,12267,12268],{},"The jump from NIST CSF 1.1 to NIST CSF 2.0 is the most significant update the NIST Cybersecurity Framework has ever received. The changes are not cosmetic — they reshape how organizations are expected to structure and govern their cybersecurity programs.",[37,12270,12271],{},"Highlights of NIST CSF 2.0:",[200,12273,12274,12280,12286,12292,12305],{},[68,12275,12276,12279],{},[71,12277,12278],{},"A sixth function — Govern (GV)"," — elevates cybersecurity governance from a single category under Identify in CSF 1.1 (ID.GV, Governance) to a standalone top-level function covering organizational context, risk management strategy, roles and responsibilities, policy, oversight, and cybersecurity supply chain risk management.",[68,12281,12282,12285],{},[71,12283,12284],{},"Explicit scope expansion"," — NIST CSF 2.0 applies to organizations of any size, sector, or maturity level, not just critical infrastructure. 
Small-business quick-start guides, community profiles, and sector-specific profiles make the NIST Cybersecurity Framework accessible to organizations that previously found NIST CSF 1.1 too enterprise-centric.",[68,12287,12288,12291],{},[71,12289,12290],{},"Stronger supply chain focus"," — GV.SC expands the NIST CSF treatment of third-party risk, supplier due diligence, and software supply chain security, reflecting the lessons of SolarWinds, Kaseya, Log4j, and MOVEit.",[68,12293,12294,12297,12298,12301,12302,12304],{},[71,12295,12296],{},"Improved implementation guidance"," — NIST CSF 2.0 ships with a companion CSF Reference Tool, searchable informative references mapping NIST CSF subcategories to ",[41,12299,12300],{"href":10739},"NIST SP 800-53",", ISO 27001, CIS Controls, ",[41,12303,4212],{"href":4211},", and more.",[68,12306,12307,12310],{},[71,12308,12309],{},"Refreshed implementation tiers"," — the four-tier maturity model (Partial, Risk-Informed, Repeatable, Adaptive) now explicitly incorporates governance and supply chain considerations.",[37,12312,12313,12314,11377],{},"For a deep dive into every structural and categorical change between NIST CSF 1.1 and NIST CSF 2.0, see our ",[41,12315,12265],{"href":12316},"\u002Fframeworks\u002Fnistcsf\u002Fv2-changes",[32,12318,12320],{"id":12319},"the-six-core-functions-of-nist-csf-20","The six core functions of NIST CSF 2.0",[37,12322,12323],{},"The NIST Cybersecurity Framework organizes cybersecurity activity into a small number of top-level functions. NIST CSF 1.1 defined five functions; NIST CSF 2.0 defines six. 
Each function represents a category of outcomes that a mature cybersecurity program must deliver, and each function decomposes into categories and subcategories that describe the outcomes in progressively more specific terms.",[37,12325,12326],{},"The six NIST CSF 2.0 functions are:",[860,12328,12330],{"id":12329},"govern-gv","Govern (GV)",[37,12332,11824,12333,12335,12336,79],{},[71,12334,12260],{}," function — new in NIST CSF 2.0 — establishes, communicates, and monitors the organization's cybersecurity risk management strategy, expectations, and policy. Govern is the leadership and accountability layer of NIST CSF. It sits above the other five functions and informs everything the organization does to identify, protect, detect, respond, and recover. Deep dive: ",[41,12337,12339],{"href":12338},"\u002Fframeworks\u002Fnistcsf\u002Fgovern-function","NIST CSF Govern function",[860,12341,12343],{"id":12342},"identify-id","Identify (ID)",[37,12345,11824,12346,12349,12350,79],{},[71,12347,12348],{},"Identify"," function develops an organizational understanding of cybersecurity risk to systems, people, assets, data, and capabilities. Identify is where you inventory what you have, understand the business context in which it operates, and decide what matters most. Without Identify, the rest of the NIST Cybersecurity Framework has nothing to act on. Deep dive: ",[41,12351,12353],{"href":12352},"\u002Fframeworks\u002Fnistcsf\u002Fidentify-function","NIST CSF Identify function",[860,12355,12357],{"id":12356},"protect-pr","Protect (PR)",[37,12359,11824,12360,12363,12364,79],{},[71,12361,12362],{},"Protect"," function implements safeguards to ensure delivery of critical services and limit or contain the impact of cybersecurity events. In CSF 2.0, Protect comprises five categories: Identity Management, Authentication, and Access Control (PR.AA), Awareness and Training (PR.AT), Data Security (PR.DS), Platform Security (PR.PS), and Technology Infrastructure Resilience (PR.IR). The CSF 1.1 categories for information protection processes, maintenance, and protective technology were largely consolidated into PR.PS and PR.IR. 
Deep dive: ",[41,12365,12367],{"href":12366},"\u002Fframeworks\u002Fnistcsf\u002Fprotect-function","NIST CSF Protect function",[860,12369,12371],{"id":12370},"detect-de","Detect (DE)",[37,12373,11824,12374,12377,12378,79],{},[71,12375,12376],{},"Detect"," function develops and implements appropriate activities to identify the occurrence of a cybersecurity event in a timely manner. In CSF 2.0, Detect has two categories, Continuous Monitoring (DE.CM) and Adverse Event Analysis (DE.AE) — the telemetry, alerting, and threat-hunting capabilities that surface attacks as they happen. Deep dive: ",[41,12379,12381],{"href":12380},"\u002Fframeworks\u002Fnistcsf\u002Fdetect-function","NIST CSF Detect function",[860,12383,12385],{"id":12384},"respond-rs","Respond (RS)",[37,12387,11824,12388,12391,12392,79],{},[71,12389,12390],{},"Respond"," function contains activities to take action regarding a detected cybersecurity incident. In CSF 2.0, Respond covers Incident Management (RS.MA), Incident Analysis (RS.AN), Incident Response Reporting and Communication (RS.CO), and Incident Mitigation (RS.MI), the last of which holds the containment and eradication outcomes. The lessons-learned improvements that CSF 1.1 placed under Respond now live in the Identify function's Improvement category (ID.IM). A strong Respond capability is what separates a contained incident from a front-page breach. Deep dive: ",[41,12393,12395],{"href":12394},"\u002Fframeworks\u002Fnistcsf\u002Frespond-function","NIST CSF Respond function",[860,12397,12399],{"id":12398},"recover-rc","Recover (RC)",[37,12401,11824,12402,12405,12406,79],{},[71,12403,12404],{},"Recover"," function contains activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. In CSF 2.0, Recover covers Incident Recovery Plan Execution (RC.RP) and Incident Recovery Communication (RC.CO); as with Respond, the post-incident improvement outcomes moved to ID.IM. Recover is how organizations return to normal operations while capturing lessons learned to strengthen the program. Deep dive: ",[41,12407,12409],{"href":12408},"\u002Fframeworks\u002Fnistcsf\u002Frecover-function","NIST CSF Recover function",[37,12411,12412],{},"Together, the six NIST CSF functions describe the complete cybersecurity lifecycle. 
Mature organizations operate all six functions simultaneously and continuously, not in a linear sequence.",[32,12414,12416],{"id":12415},"nist-csf-implementation-tiers","NIST CSF implementation tiers",[37,12418,12419,12420,12423],{},"NIST CSF uses ",[71,12421,12422],{},"implementation tiers"," to describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the NIST Cybersecurity Framework. The four tiers are not a maturity scale in the traditional sense — NIST is careful to say that Tier 4 is not required for every organization. Instead, implementation tiers help organizations choose an appropriate level of rigor given their risk tolerance, mission, regulatory obligations, threat environment, and resources.",[200,12425,12426,12432,12438,12444],{},[68,12427,12428,12431],{},[71,12429,12430],{},"Tier 1 — Partial",": Cybersecurity risk management is ad hoc and reactive. Policies are informal, risk awareness is limited, and supply chain considerations are rarely formalized.",[68,12433,12434,12437],{},[71,12435,12436],{},"Tier 2 — Risk-Informed",": Risk management practices are approved by management but may not be established organization-wide. Cybersecurity activities consider organizational risk objectives.",[68,12439,12440,12443],{},[71,12441,12442],{},"Tier 3 — Repeatable",": Formal policies exist and are applied consistently. The organization has the people, processes, and tooling to operate the NIST Cybersecurity Framework repeatably.",[68,12445,12446,12449],{},[71,12447,12448],{},"Tier 4 — Adaptive",": The organization adapts its cybersecurity practices based on lessons learned, threat intelligence, and changes in the business environment. 
Cybersecurity risk management is part of the organizational culture.",[37,12451,12452,12453,11377],{},"For a complete walkthrough of each tier, including how to select a target tier and move between tiers, see our ",[41,12454,12416],{"href":12455},"\u002Fframeworks\u002Fnistcsf\u002Fimplementation-tiers",[32,12457,12459],{"id":12458},"nist-csf-framework-profiles","NIST CSF framework profiles",[37,12461,11238,12462,12465],{},[71,12463,12464],{},"framework profile"," is the unique alignment of NIST CSF functions, categories, and subcategories with the organization's business requirements, risk tolerance, and resources. Profiles are the tool that turns the NIST Cybersecurity Framework from a generic model into a specific plan for a specific organization.",[37,12467,12468],{},"NIST CSF supports two kinds of profiles:",[200,12470,12471,12477],{},[68,12472,11238,12473,12476],{},[71,12474,12475],{},"Current Profile"," describes the cybersecurity outcomes the organization is achieving today.",[68,12478,11238,12479,12482],{},[71,12480,12481],{},"Target Profile"," describes the cybersecurity outcomes the organization wants to achieve.",[37,12484,12485],{},"The gap between the Current Profile and the Target Profile becomes a prioritized roadmap: which NIST CSF subcategories need investment, in what order, and at what cost. 
Community profiles published by NIST (for small business, healthcare, financial services, manufacturing, and others) give organizations a head start by providing pre-built Target Profiles tailored to specific sectors.",[37,12487,12488,12489,12493,12494,79],{},"For a complete framework profiles walkthrough — including how to build your first profile, how to use community profiles, and how to link profiles to your ",[41,12490,12492],{"href":12491},"\u002Fglossary\u002Fcontrol-framework","control framework"," — see ",[41,12495,12459],{"href":12496},"\u002Fframeworks\u002Fnistcsf\u002Fframework-profiles",[32,12498,12500],{"id":12499},"nist-csf-categories-and-subcategories","NIST CSF categories and subcategories",[37,12502,12503,12504,249,12507,12510],{},"Below the function layer, NIST CSF decomposes cybersecurity activity into ",[71,12505,12506],{},"categories",[71,12508,12509],{},"subcategories",". Categories group related outcomes within a function (for example, Asset Management, Access Control, Continuous Monitoring), and subcategories express specific outcome statements that a mature program should achieve.",[200,12512,12513,12523],{},[68,12514,12515,12518,12519,12522],{},[71,12516,12517],{},"NIST CSF 1.1"," defined 23 categories and ",[71,12520,12521],{},"108 subcategories"," across the five original functions.",[68,12524,12525,12527],{},[71,12526,12256],{}," reorganized the catalog around six functions. The total number of subcategories in NIST CSF 2.0 was restructured (and slightly reduced after consolidation) to roughly 106, grouped under 22 categories, with Govern contributing six new categories of its own.",[37,12529,12530,12531,12534],{},"Every NIST CSF subcategory is written as an outcome — for example, \"PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization.\" NIST intentionally avoids prescribing specific technologies, controls, or implementation details. 
Instead, NIST CSF provides ",[71,12532,12533],{},"informative references"," that map each subcategory to specific controls in NIST SP 800-53, ISO 27001 Annex A, CIS Critical Security Controls, COBIT, and other authoritative sources. This outcome-first design is what makes NIST CSF work across industries, company sizes, and technology stacks.",[32,12536,12538],{"id":12537},"mapping-nist-csf-to-other-frameworks","Mapping NIST CSF to other frameworks",[37,12540,12541,12542,6252,12544,12546],{},"One of the most valuable properties of the NIST Cybersecurity Framework is its ability to act as a unifying layer across multiple compliance regimes. Organizations that need to satisfy ",[41,12543,4212],{"href":4211},[41,12545,4221],{"href":4220},", HIPAA, PCI DSS, GDPR, FedRAMP, CMMC, and NIST SP 800-171 at the same time can use NIST CSF as the \"Rosetta Stone\" that maps each requirement to a common set of outcomes.",[37,12548,12549,12550,12552],{},"For federal contractors in particular, NIST CSF acts as the governance umbrella above NIST SP 800-171 and ",[41,12551,6707],{"href":10747},", the DoD program that assesses defense contractors against the SP 800-171 control set. A NIST CSF Target Profile that references NIST SP 800-53 informative references is a useful starting point for an ISO 27001 Statement of Applicability, a SOC 2 Trust Services Criteria mapping, and a HIPAA Security Rule crosswalk, but it is not a drop-in substitute for any of them. An SoA still needs per-control applicability decisions and justifications traced to your own risk treatment, and an outcome-level mapping does not by itself demonstrate that each framework's specific control requirements are met; auditors test the controls, not the crosswalk.",[37,12554,12555,12556,12558,12559,12563],{},"For a detailed crosswalk between NIST CSF and the major compliance frameworks — including worked examples of how a single NIST CSF subcategory maps to multiple standards — see ",[41,12557,12538],{"href":12069},". 
If you are actively building that mapping into a live compliance program, our ",[41,12560,12562],{"href":12561},"\u002Fnow\u002Fnist-csf-mapping-compliance","NIST CSF mapping compliance"," guide walks through the operational mechanics.",[32,12565,12567],{"id":12566},"who-uses-nist-csf","Who uses NIST CSF?",[37,12569,12570],{},"The NIST Cybersecurity Framework started as a voluntary framework for United States critical infrastructure. A decade later, NIST CSF is used by:",[200,12572,12573,12579,12588,12594,12600,12606,12612],{},[68,12574,12575,12578],{},[71,12576,12577],{},"Critical infrastructure operators"," — energy, water, transportation, communications, healthcare, and financial services organizations that fall under the 16 critical infrastructure sectors originally targeted by Executive Order 13636.",[68,12580,12581,12584,12585,79],{},[71,12582,12583],{},"Federal agencies and federal contractors"," — Executive Order 13800 required federal agencies to use NIST CSF to manage cybersecurity risk. 
Agencies and their contractors routinely use NIST CSF alongside ",[41,12586,12587],{"href":10747},"NIST SP 800-171 and the CMMC program",[68,12589,12590,12593],{},[71,12591,12592],{},"State, local, tribal, and territorial (SLTT) governments"," — many states have adopted NIST CSF as the baseline cybersecurity model for agencies and municipal systems.",[68,12595,12596,12599],{},[71,12597,12598],{},"Large enterprises"," — Fortune 500 companies use NIST CSF to communicate cybersecurity risk to boards, investors, insurers, and regulators.",[68,12601,12602,12605],{},[71,12603,12604],{},"Small and mid-sized businesses (SMBs)"," — especially after NIST CSF 2.0, which ships with SMB-specific quick-start guides and community profiles.",[68,12607,12608,12611],{},[71,12609,12610],{},"Non-US organizations"," — NIST CSF is widely used outside the United States as a practical cybersecurity model that complements ISO 27001 and other international standards.",[68,12613,12614,12617],{},[71,12615,12616],{},"Insurers and investors"," — cyber insurance carriers and private-equity diligence teams increasingly ask portfolio companies to report maturity against NIST CSF as evidence of disciplined cybersecurity risk management.",[37,12619,12620],{},"The common thread is that NIST CSF works for any organization that needs to manage cybersecurity risk and communicate that risk to non-technical stakeholders. That is essentially every organization.",[32,12622,12624],{"id":12623},"nist-csf-vs-nist-sp-800-53-vs-nist-sp-800-171","NIST CSF vs NIST SP 800-53 vs NIST SP 800-171",[37,12626,12627],{},"NIST publishes dozens of cybersecurity documents, and three of them — NIST CSF, NIST SP 800-53, and NIST SP 800-171 — are often confused. Here is how they differ and how they fit together.",[200,12629,12630,12640,12650],{},[68,12631,12632,12635,12636,12639],{},[71,12633,12634],{},"NIST CSF (Cybersecurity Framework)"," is an ",[71,12637,12638],{},"outcome-based framework",". 
It defines what cybersecurity outcomes to achieve (the subcategories) but does not tell you exactly how to achieve them. NIST CSF is voluntary, technology-neutral, and applies to any organization.",[68,12641,12642,12645,12646,12649],{},[71,12643,12644],{},"NIST SP 800-53 (Security and Privacy Controls for Information Systems and Organizations)"," is a comprehensive ",[71,12647,12648],{},"control catalog",". SP 800-53 contains more than one thousand security and privacy controls organized into families such as Access Control (AC), Audit and Accountability (AU), and System and Communications Protection (SC). NIST SP 800-53 is mandatory for US federal information systems under FISMA and the Risk Management Framework (RMF).",[68,12651,12652,12655,12656,12659],{},[71,12653,12654],{},"NIST SP 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations)"," is a ",[71,12657,12658],{},"derived subset"," of NIST SP 800-53 focused on protecting Controlled Unclassified Information (CUI) in nonfederal systems. SP 800-171 is mandatory for any organization that handles CUI on behalf of the federal government and forms the basis for CMMC.",[37,12661,12662],{},"The relationship between the three is straightforward: NIST CSF describes the outcomes, NIST SP 800-53 and NIST SP 800-171 describe the controls that deliver those outcomes, and the NIST CSF informative references tell you which 800-53 and 800-171 controls satisfy each NIST CSF subcategory. 
Organizations use NIST CSF to frame the strategy and use NIST SP 800-53 or NIST SP 800-171 to implement the controls.",[37,12664,12665],{},"Federal contractors that handle CUI will typically use all three: NIST CSF for executive communication and maturity scoring, NIST SP 800-171 as the binding control baseline, and NIST SP 800-53 as the deeper reference catalog.",[32,12667,12669],{"id":12668},"getting-started-with-nist-csf","Getting started with NIST CSF",[37,12671,12672],{},"Implementing the NIST Cybersecurity Framework does not require a multi-year consulting engagement. A typical first NIST CSF implementation follows a repeatable pattern:",[65,12674,12675,12681,12687,12693,12699,12705,12711],{},[68,12676,12677,12680],{},[71,12678,12679],{},"Scope and prioritize"," — decide which parts of the organization are in scope for this iteration of NIST CSF. Startups often scope the entire company. Enterprises may scope a business unit, a product line, or a critical system.",[68,12682,12683,12686],{},[71,12684,12685],{},"Build a Current Profile"," — score the organization's current performance against each NIST CSF subcategory. Be honest. Many organizations discover that half of their NIST CSF subcategories are informal or partially implemented.",[68,12688,12689,12692],{},[71,12690,12691],{},"Build a Target Profile"," — decide what level of NIST CSF maturity the organization needs. Community profiles and sector profiles published by NIST are excellent starting points.",[68,12694,12695,12698],{},[71,12696,12697],{},"Perform a gap analysis"," — the delta between Current and Target is your NIST CSF roadmap. Prioritize by business impact, risk, and cost.",[68,12700,12701,12704],{},[71,12702,12703],{},"Select implementation tiers"," — match each part of the program to an appropriate tier. 
Not every subcategory needs to be Tier 4.",[68,12706,12707,12710],{},[71,12708,12709],{},"Execute and measure"," — track initiatives, re-score the NIST CSF profile quarterly, and report progress to leadership.",[68,12712,12713,12716],{},[71,12714,12715],{},"Map to other frameworks"," — reuse the NIST CSF profile as the source of truth for SOC 2, ISO 27001, HIPAA, and CMMC evidence.",[37,12718,12719],{},"episki was built for exactly this workflow. episki turns NIST CSF into a live scorecard: you import or build a Current Profile, choose a Target Profile, and episki generates the initiatives, tasks, and evidence collection needed to close the gap — all mapped to your other frameworks automatically. If you are starting from scratch or migrating from NIST CSF 1.1 to NIST CSF 2.0, episki can help you skip the spreadsheet phase entirely.",[37,12721,12722],{},"Ready to operationalize the NIST Cybersecurity Framework? Start a trial, import your controls, and share a NIST CSF scorecard with leadership the same day.",{"title":447,"searchDepth":448,"depth":448,"links":12724},[12725,12729,12730,12738,12739,12740,12741,12742,12743,12744],{"id":12218,"depth":448,"text":12219,"children":12726},[12727,12728],{"id":12232,"depth":1179,"text":12233},{"id":12246,"depth":1179,"text":12247},{"id":12264,"depth":448,"text":12265},{"id":12319,"depth":448,"text":12320,"children":12731},[12732,12733,12734,12735,12736,12737],{"id":12329,"depth":1179,"text":12330},{"id":12342,"depth":1179,"text":12343},{"id":12356,"depth":1179,"text":12357},{"id":12370,"depth":1179,"text":12371},{"id":12384,"depth":1179,"text":12385},{"id":12398,"depth":1179,"text":12399},{"id":12415,"depth":448,"text":12416},{"id":12458,"depth":448,"text":12459},{"id":12499,"depth":448,"text":12500},{"id":12537,"depth":448,"text":12538},{"id":12566,"depth":448,"text":12567},{"id":12623,"depth":448,"text":12624},{"id":12668,"depth":448,"text":12669},{"title":12746,"description":12747,"items":12748},"NIST CSF launch guide","Use 
episki’s free trial to benchmark, prioritize, and communicate fast.",[12749,12750,12751,12752,12753],"Baseline maturity assessment","Control library mapped to CSF categories","Initiative tracker with due dates and owners","Risk register tied to CSF outcomes","Executive report template",{"title":12755,"description":12756},"See your NIST CSF score in episki","Start the trial, import controls, and share a scorecard the same day.",{"title":12758,"items":12759},"NIST CSF frequently asked questions",[12760,12762,12765,12768,12771],{"label":12219,"content":12761},"The NIST Cybersecurity Framework (CSF) is a voluntary framework published by the National Institute of Standards and Technology that helps organizations manage and reduce cybersecurity risk. It provides a common language for understanding, managing, and expressing cybersecurity risk through five core functions.",{"label":12763,"content":12764},"What is the difference between NIST CSF and ISO 27001?","NIST CSF is a voluntary, outcome-focused maturity framework that helps organizations assess and improve their cybersecurity posture. ISO 27001 is a certifiable standard requiring a formal ISMS. Many organizations use NIST CSF as an internal maturity model alongside ISO 27001 certification for external assurance.",{"label":12766,"content":12767},"Is NIST CSF mandatory?","NIST CSF is voluntary for most private-sector organizations but is mandatory for US federal agencies under Executive Order 13800. Many industries and regulators reference it as a best-practice baseline, and customers increasingly expect suppliers to demonstrate alignment.",{"label":12769,"content":12770},"What are the NIST CSF implementation tiers?","The four tiers describe the maturity of an organization's cybersecurity risk management. Tier 1 (Partial) is ad hoc and reactive. Tier 2 (Risk-Informed) has some risk awareness. Tier 3 (Repeatable) has formal policies. 
Tier 4 (Adaptive) continuously improves based on lessons learned and threat intelligence.",{"label":12772,"content":12773},"How does NIST CSF relate to other compliance frameworks?","NIST CSF maps to many standards including SOC 2, ISO 27001, HIPAA, and PCI DSS. Organizations use it as a unifying layer to identify control gaps and overlaps across multiple compliance requirements, reducing duplicate work when pursuing multiple frameworks.",{"headline":12775,"title":12776,"description":12777,"links":12778},"Measure security maturity","Operationalize NIST CSF across Identify, Protect, Detect, Respond, and Recover","episki translates CSF categories into action plans with real-time scoring and executive reporting.",[12779,12781],{"label":12780,"icon":499,"to":500},"Start NIST CSF trial",{"label":502,"icon":12782,"color":504,"variant":505,"to":506,"target":507},"i-lucide-presentation",{},{"headline":12785,"title":12785,"description":12786,"items":12787},"NIST CSF toolset","Everything you need to show measurable progress.",[12788,12791,12794],{"title":12789,"description":12790},"Quarterly business review pack","Slides with KPIs, upcoming initiatives, and resource needs.",{"title":12792,"description":12793},"Customer assurance brief","Explains how NIST CSF maps to their requirements.",{"title":12795,"description":12796},"Automation cookbook","Step-by-step instructions for connecting your tooling.",{"title":12798,"description":12799},"NIST CSF Framework Software","Operationalize NIST CSF with live maturity scoring, risk registers, and executive dashboards. 
Benchmark and improve your cybersecurity posture with episki.",[12801,12804,12807],{"value":12802,"description":12803},"Live maturity score","Automated scoring by category, tier, and business unit.",{"value":12805,"description":12806},"Unified risk register","Link risks to CSF categories with AI-prioritized remediation.",{"value":12808,"description":12809},"Executive-ready","Dashboards turn security work into business milestones.","5.frameworks\u002Fnistcsf","Doz-LVyeK9ESsWNopGw7Kjfzq0igBKQBgD_u17qdUwk",{"id":4,"title":5,"advantages":12813,"body":12820,"checklist":13075,"cta":13077,"description":447,"extension":473,"faq":13078,"hero":13085,"lastUpdated":508,"meta":13089,"name":44,"navigation":510,"path":511,"resources":13090,"seo":13095,"slug":528,"stats":13096,"stem":539,"__hash__":540},[12814,12816,12818],{"title":8,"description":9,"bullets":12815},[11,12,13],{"title":15,"description":16,"bullets":12817},[18,19,20],{"title":22,"description":23,"bullets":12819},[25,26,27],{"type":29,"value":12821,"toc":13062},[12822,12824,12828,12830,12832,12834,12838,12894,12896,12898,12902,12904,12910,12912,12916,12952,12958,12960,12966,12968,12970,12972,12980,12982,12984,13006,13010,13012,13014,13016,13022,13024,13026,13060],[32,12823,35],{"id":34},[37,12825,39,12826,45],{},[41,12827,44],{"href":43},[37,12829,48],{},[37,12831,51],{},[32,12833,55],{"id":54},[37,12835,58,12836,63],{},[41,12837,62],{"href":61},[65,12839,12840,12846,12850,12858,12862,12866,12870,12874,12878,12882,12886,12890],{},[68,12841,12842,74,12844,79],{},[71,12843,73],{},[41,12845,78],{"href":77},[68,12847,12848,85],{},[71,12849,84],{},[68,12851,12852,91,12854,96,12856,101],{},[71,12853,90],{},[41,12855,95],{"href":94},[41,12857,100],{"href":99},[68,12859,12860,107],{},[71,12861,106],{},[68,12863,12864,113],{},[71,12865,112],{},[68,12867,12868,119],{},[71,12869,118],{},[68,12871,12872,125],{},[71,12873,124],{},[68,12875,12876,131],{},[71,12877,130],{},[68,12879,12880,137],{},[71,12881,136],{},[68,12883,12884,1
43],{},[71,12885,142],{},[68,12887,12888,149],{},[71,12889,148],{},[68,12891,12892,155],{},[71,12893,154],{},[37,12895,158],{},[32,12897,162],{"id":161},[37,12899,165,12900,79],{},[41,12901,169],{"href":168},[32,12903,173],{"id":172},[37,12905,176,12906,181,12908,186],{},[41,12907,180],{"href":179},[41,12909,185],{"href":184},[32,12911,190],{"id":189},[37,12913,193,12914,198],{},[41,12915,197],{"href":196},[200,12917,12918,12922,12926,12930,12934,12938,12942,12946],{},[68,12919,12920,207],{},[71,12921,206],{},[68,12923,12924,213],{},[71,12925,212],{},[68,12927,12928,219],{},[71,12929,218],{},[68,12931,12932,225],{},[71,12933,224],{},[68,12935,12936,231],{},[71,12937,230],{},[68,12939,12940,237],{},[71,12941,236],{},[68,12943,12944,243],{},[71,12945,242],{},[68,12947,12948,249,12950,253],{},[71,12949,248],{},[71,12951,252],{},[37,12953,256,12954,261,12956,266],{},[41,12955,260],{"href":259},[41,12957,265],{"href":264},[32,12959,270],{"id":269},[37,12961,273,12962,276,12964,281],{},[41,12963,78],{"href":77},[41,12965,280],{"href":279},[37,12967,284],{},[37,12969,287],{},[32,12971,291],{"id":290},[37,12973,294,12974,299,12976,304,12978,308],{},[41,12975,298],{"href":297},[41,12977,303],{"href":302},[41,12979,95],{"href":307},[32,12981,312],{"id":311},[37,12983,315],{},[200,12985,12986,12994,13002],{},[68,12987,12988,327,12992,332],{},[71,12989,322,12990,326],{},[41,12991,325],{"href":179},[41,12993,331],{"href":330},[68,12995,12996,342,13000,347],{},[71,12997,337,12998,326],{},[41,12999,341],{"href":340},[41,13001,346],{"href":345},[68,13003,13004,353],{},[71,13005,352],{},[37,13007,356,13008,361],{},[41,13009,360],{"href":359},[32,13011,365],{"id":364},[37,13013,368],{},[32,13015,372],{"id":371},[37,13017,375,13018,380,13020,385],{},[41,13019,379],{"href":378},[41,13021,384],{"href":383},[32,13023,389],{"id":388},[37,13025,392],{},[65,13027,13028,13032,13036,13040,13044,13048,13052,13056],{},[68,13029,13030,400],{},[71,13031,399],{},[68,13033,13034,406],{},[71,13035,4
05],{},[68,13037,13038,412],{},[71,13039,411],{},[68,13041,13042,418],{},[71,13043,417],{},[68,13045,13046,424],{},[71,13047,423],{},[68,13049,13050,430],{},[71,13051,429],{},[68,13053,13054,436],{},[71,13055,435],{},[68,13057,13058,442],{},[71,13059,441],{},[37,13061,445],{},{"title":447,"searchDepth":448,"depth":448,"links":13063},[13064,13065,13066,13067,13068,13069,13070,13071,13072,13073,13074],{"id":34,"depth":448,"text":35},{"id":54,"depth":448,"text":55},{"id":161,"depth":448,"text":162},{"id":172,"depth":448,"text":173},{"id":189,"depth":448,"text":190},{"id":269,"depth":448,"text":270},{"id":290,"depth":448,"text":291},{"id":311,"depth":448,"text":312},{"id":364,"depth":448,"text":365},{"id":371,"depth":448,"text":372},{"id":388,"depth":448,"text":389},{"title":462,"description":463,"items":13076},[465,466,467,468,469],{"title":471,"description":472},{"title":475,"items":13079},[13080,13081,13082,13083,13084],{"label":478,"content":479},{"label":481,"content":482},{"label":484,"content":485},{"label":487,"content":488},{"label":490,"content":491},{"headline":493,"title":494,"description":495,"links":13086},[13087,13088],{"label":498,"icon":499,"to":500},{"label":502,"icon":503,"color":504,"variant":505,"to":506,"target":507},{},{"headline":513,"title":513,"description":514,"items":13091},[13092,13093,13094],{"title":517,"description":518},{"title":520,"description":521},{"title":523,"description":524},{"title":526,"description":527},[13097,13098,13099],{"value":531,"description":532},{"value":534,"description":535},{"value":537,"description":538},{"id":13101,"title":13102,"advantages":13103,"body":13125,"checklist":13631,"cta":13640,"description":447,"extension":473,"faq":13643,"hero":13660,"lastUpdated":508,"meta":13668,"name":13669,"navigation":510,"path":4211,"resources":13670,"seo":13682,"slug":4608,"stats":13685,"stem":13695,"__hash__":13696},"frameworks\u002F5.frameworks\u002Fsoc2.md","Soc2",[13104,13111,13118],{"title":13105,"description":13106,"bul
lets":13107},"Mapped once, reused forever","Applies Trust Service Criteria to your existing controls and keeps overlaps synced.",[13108,13109,13110],"Control graph highlights reuse across security, availability, and confidentiality","AI suggests narratives and testing procedures","Version history shows every update for auditors",{"title":13112,"description":13113,"bullets":13114},"Evidence organized by control","Upload and track screenshots, configs, and exports in a structured evidence locker.",[13115,13116,13117],"Organized screenshots, configs, and test exports","Alerting when evidence expires or SLAs slip","Immutable locker with reviewer threads",{"title":13119,"description":13120,"bullets":13121},"Auditor collaboration hub","Invite your auditor with scoped access and keep Q&A right next to each control.",[13122,13123,13124],"Bulk requests & fulfillment tracking","Redacted file sharing with access controls","One-click SOC 2 summaries for customers",{"type":29,"value":13126,"toc":13613},[13127,13131,13134,13142,13150,13156,13160,13163,13169,13175,13190,13194,13199,13203,13206,13209,13217,13221,13224,13228,13235,13239,13246,13250,13253,13256,13273,13281,13285,13292,13334,13337,13341,13344,13347,13384,13392,13396,13399,13456,13459,13463,13466,13473,13480,13487,13498,13506,13510,13518,13550,13553,13557,13560,13563,13601],[32,13128,13130],{"id":13129},"what-is-soc-2","What is SOC 2?",[37,13132,13133],{},"SOC 2 (System and Organization Controls 2) is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA) that evaluates how a service organization manages customer data. A SOC 2 report is the de facto security credential for modern SaaS companies — enterprise buyers request it before signing, procurement teams rely on it during vendor reviews, and auditors consult it when assessing outsourced systems. Unlike a prescriptive standard, SOC 2 is principle-based. 
As technology service providers took on a larger role in handling sensitive data, the AICPA introduced the SOC reporting suite.
Scope expansion happens later, as the program matures.",[32,13157,13159],{"id":13158},"soc-2-type-i-vs-type-ii","SOC 2 Type I vs Type II",[37,13161,13162],{},"Every SOC 2 engagement is either Type I or Type II, and the difference matters.",[37,13164,11238,13165,13168],{},[71,13166,13167],{},"SOC 2 Type I"," report evaluates whether controls are suitably designed and implemented as of a single date. Think of it as a design review. The auditor confirms your policies exist, your technical controls are configured, and your processes are in place. Type I is the fastest path to a SOC 2 report and is useful when a deal is on the line, but it does not prove your controls work day after day.",[37,13170,11238,13171,13174],{},[71,13172,13173],{},"SOC 2 Type II"," report evaluates whether controls operated effectively across an observation period, typically three to twelve months. The auditor samples evidence from throughout the period — access reviews, change approvals, incident tickets, monitoring alerts — to confirm that controls were not just designed but consistently executed. Most enterprise buyers require a Type II, and many will not accept a Type I at all.",[37,13176,13177,13178,13182,13183,249,13187,79],{},"For a full comparison including cost benchmarks, observation period tradeoffs, and decision frameworks, see ",[41,13179,13181],{"href":13180},"\u002Fframeworks\u002Fsoc2\u002Ftype-1-vs-type-2","SOC 2 Type 1 vs Type 2",". Related glossary terms: ",[41,13184,13186],{"href":13185},"\u002Fglossary\u002Fsoc2-type-2","SOC 2 Type 2",[41,13188,13148],{"href":13189},"\u002Fglossary\u002Ftrust-services-criteria",[32,13191,13193],{"id":13192},"the-five-trust-services-criteria","The five Trust Services Criteria",[37,13195,11824,13196,13198],{},[41,13197,13148],{"href":13147}," define the principles your controls must satisfy. 
Each criterion addresses a different aspect of how a service organization protects and manages customer data.",[860,13200,13202],{"id":13201},"security-common-criteria-required","Security (Common Criteria) — required",[37,13204,13205],{},"The security criterion, also called the Common Criteria, is required for every SOC 2 engagement. It evaluates whether the system is protected against unauthorized access — both logical and physical. The Common Criteria are organized into nine categories (CC1 through CC9) that map to the COSO internal control framework and cover governance, communication, risk assessment, monitoring, access control, system operations, change management, and vendor risk. Every SOC 2 report includes testing against these categories.",[860,13207,9332],{"id":13208},"availability",[37,13210,13211,13212,13216],{},"The availability criterion applies when an organization commits to specific uptime levels or recovery capabilities. It covers environmental protections, capacity planning, disaster recovery, and incident management for availability-impacting events. If your product has published SLAs or customers rely on continuous uptime, include availability. Read the ",[41,13213,13215],{"href":13214},"\u002Fframeworks\u002Fsoc2\u002Favailability-criteria","availability criteria deep dive"," for common controls and implementation patterns.",[860,13218,13220],{"id":13219},"processing-integrity","Processing integrity",[37,13222,13223],{},"Processing integrity focuses on whether the system processes data completely, validly, accurately, timely, and with proper authorization. This criterion is relevant for platforms that perform calculations, process financial transactions, or transform customer data. 
It is less common in first-time SOC 2 audits but important for fintech, billing platforms, and data pipelines that customers rely on for operational decisions.",[860,13225,13227],{"id":13226},"confidentiality","Confidentiality",[37,13229,13230,13231,945],{},"The confidentiality criterion addresses information designated as confidential — distinct from personal information. It covers data classification, access restrictions, encryption, and secure disposal of confidential data. If you handle intellectual property, business plans, or other sensitive non-personal information on behalf of clients, include confidentiality. See the ",[41,13232,13234],{"href":13233},"\u002Fframeworks\u002Fsoc2\u002Fconfidentiality-criteria","confidentiality criteria deep dive",[860,13236,13238],{"id":13237},"privacy","Privacy",[37,13240,13241,13242,79],{},"The privacy criterion applies to personal information — data that can identify an individual. It evaluates whether your data practices match your stated privacy commitments across notice, choice, collection, use, retention, disclosure, security, and accuracy. Privacy aligns closely with regulations like GDPR and CCPA and is the most demanding criterion in terms of control coverage. For a full walkthrough, see the ",[41,13243,13245],{"href":13244},"\u002Fframeworks\u002Fsoc2\u002Fprivacy-criteria","privacy criteria deep dive",[32,13247,13249],{"id":13248},"who-needs-soc-2-compliance","Who needs SOC 2 compliance?",[37,13251,13252],{},"SOC 2 is not legally mandated, but the market treats it as a cost of doing business. Any SaaS company, cloud service provider, managed service provider, or data processor that handles customer data is a likely SOC 2 candidate. 
If your customers are businesses and their security teams will scrutinize your controls before signing, SOC 2 is almost certainly on your roadmap.",[37,13254,13255],{},"Companies typically pursue SOC 2 when one or more of the following is true:",[200,13257,13258,13261,13264,13267,13270],{},[68,13259,13260],{},"Enterprise prospects are asking for a report during procurement or vendor reviews.",[68,13262,13263],{},"Sales cycles are slowing because buyers are blocking deals on security questionnaires.",[68,13265,13266],{},"Existing customers are requesting a current SOC 2 report during annual reviews.",[68,13268,13269],{},"Investors or partners are asking about the company's security posture.",[68,13271,13272],{},"The business is entering regulated verticals like financial services, healthcare, or government.",[37,13274,13275,13276,13280],{},"Industries that almost always require SOC 2 from their vendors include financial services, healthcare, legal technology, HR technology, martech that handles PII, and any B2B SaaS selling into enterprise accounts. For SaaS companies specifically, SOC 2 has become table stakes — see ",[41,13277,13279],{"href":13278},"\u002Fnow\u002Fsoc2-for-saas","SOC 2 for SaaS"," for a deeper discussion.",[32,13282,13284],{"id":13283},"the-soc-2-audit-process-overview","The SOC 2 audit process overview",[37,13286,11824,13287,13291],{},[41,13288,13290],{"href":13289},"\u002Fframeworks\u002Fsoc2\u002Faudit-process","SOC 2 audit process"," follows a predictable sequence. 
Understanding each phase prevents surprises and helps you set realistic timelines with your team and auditor.",[65,13293,13294,13310,13316,13322,13328],{},[68,13295,13296,13299,13300,13304,13305,13309],{},[71,13297,13298],{},"Scoping and readiness assessment."," Define what systems and Trust Services Criteria are in scope, then perform a ",[41,13301,13303],{"href":13302},"\u002Fframeworks\u002Fsoc2\u002Freadiness-assessment","readiness assessment"," to compare current controls against ",[41,13306,13308],{"href":13307},"\u002Fframeworks\u002Fsoc2\u002Frequirements","SOC 2 requirements",". The output is a prioritized remediation plan.",[68,13311,13312,13315],{},[71,13313,13314],{},"Remediation."," Close the gaps identified during readiness. Common items include formalizing policies, enabling MFA everywhere, centralizing logging, documenting vendor risk processes, and running tabletop exercises.",[68,13317,13318,13321],{},[71,13319,13320],{},"Auditor selection."," SOC 2 audits must be performed by a CPA firm licensed to issue SOC reports. Request proposals from two to four firms, compare scope and pricing, and check references from similar companies.",[68,13323,13324,13327],{},[71,13325,13326],{},"Audit fieldwork."," For Type I, the auditor validates control design at a point in time. 
For Type II, the auditor samples evidence from across the observation period and tests operating effectiveness.",[68,13329,13330,13333],{},[71,13331,13332],{},"Report delivery and ongoing operation."," Once the report is issued, plan the next observation period so you maintain continuous coverage with no bridge gaps that buyers might question.",[37,13335,13336],{},"Most organizations complete their first Type I in three to six months and their first Type II in six to eighteen months, depending on starting maturity and observation period length.",[32,13338,13340],{"id":13339},"what-does-soc-2-cost","What does SOC 2 cost?",[37,13342,13343],{},"SOC 2 cost varies widely based on scope, starting maturity, and whether you pursue Type I, Type II, or both. Auditor fees are the largest line item, but they are not the only cost. You should budget for readiness consulting, compliance tooling, internal staff time, remediation work, and penetration testing.",[37,13345,13346],{},"Typical benchmarks for a first-time SOC 2 engagement:",[200,13348,13349,13355,13361,13367,13373,13378],{},[68,13350,13351,13354],{},[71,13352,13353],{},"Type I auditor fees",": $15,000 to $40,000",[68,13356,13357,13360],{},[71,13358,13359],{},"Type II auditor fees",": $25,000 to $80,000",[68,13362,13363,13366],{},[71,13364,13365],{},"Readiness consulting"," (optional): $10,000 to $40,000",[68,13368,13369,13372],{},[71,13370,13371],{},"Compliance platform",": $6,000 to $60,000 annually depending on vendor",[68,13374,13375,13377],{},[71,13376,3007],{},": $8,000 to $30,000 per test",[68,13379,13380,13383],{},[71,13381,13382],{},"Internal staff time",": 200 to 600 hours across the first cycle",[37,13385,13386,13387,13391],{},"Total first-year cost for most growth-stage SaaS companies lands between $40,000 and $200,000. 
See the full ",[41,13388,13390],{"href":13389},"\u002Fframeworks\u002Fsoc2\u002Fcost","SOC 2 cost breakdown"," for detailed ranges and cost-reduction strategies.",[32,13393,13395],{"id":13394},"common-soc-2-challenges","Common SOC 2 challenges",[37,13397,13398],{},"SOC 2 programs rarely fail because the audit is unfair. They fail because organizations underestimate the operational discipline required. The challenges show up in predictable places.",[200,13400,13401,13407,13413,13419,13425,13436,13446],{},[68,13402,13403,13406],{},[71,13404,13405],{},"Scope creep."," Teams add new systems mid-audit or expand Trust Services Criteria without revisiting the control set. Every addition extends timelines and evidence requirements.",[68,13408,13409,13412],{},[71,13410,13411],{},"Evidence gaps."," Screenshots expire. Configurations change. Ownership drifts between quarters. By the time the auditor asks, the evidence trail is broken.",[68,13414,13415,13418],{},[71,13416,13417],{},"Cross-team coordination."," SOC 2 touches engineering, IT, HR, legal, and finance. Without a single source of truth for control status, teams duplicate work or miss handoffs.",[68,13420,13421,13424],{},[71,13422,13423],{},"Policy drift."," Policies written for the audit do not match how the team actually operates. Auditors detect this quickly during interviews and walkthroughs.",[68,13426,13427,13430,13431,13435],{},[71,13428,13429],{},"Vendor oversight."," Third-party vendors handle critical data but are rarely monitored with the same rigor as internal systems. See ",[41,13432,13434],{"href":13433},"\u002Fframeworks\u002Fsoc2\u002Fvendor-management","vendor management"," for how to close this gap.",[68,13437,13438,13441,13442,13445],{},[71,13439,13440],{},"Change management."," Production changes bypass approval workflows, leaving no audit trail. 
",[41,13443,1381],{"href":13444},"\u002Fframeworks\u002Fsoc2\u002Fchange-management"," is a frequent source of Type II exceptions.",[68,13447,13448,13451,13452,79],{},[71,13449,13450],{},"Incident response immaturity."," Teams have an incident response plan but have never tested it. Auditors look for evidence of real incidents handled end to end. See ",[41,13453,13455],{"href":13454},"\u002Fframeworks\u002Fsoc2\u002Fincident-response","incident response",[37,13457,13458],{},"A structured approach — mapping controls, evidence, and owners from day one — removes most of these friction points before they become audit findings.",[32,13460,13462],{"id":13461},"how-soc-2-compares-to-other-frameworks","How SOC 2 compares to other frameworks",[37,13464,13465],{},"SOC 2 is not the only security framework buyers may request. Understanding how SOC 2 relates to other standards helps you plan a cohesive compliance strategy rather than running parallel audits with overlapping work.",[37,13467,13468,13472],{},[71,13469,13470],{},[41,13471,4221],{"href":4220}," is an international certification focused on information security management systems. Unlike SOC 2, which produces an auditor's opinion letter, ISO 27001 results in a certificate issued by an accredited registrar. ISO 27001 is prescriptive about building an ISMS but the control set in Annex A overlaps heavily with the SOC 2 Common Criteria. Many mature companies pursue both and reuse evidence across them. ISO 27001 tends to be preferred by European and international buyers; SOC 2 is the North American standard.",[37,13474,13475,13479],{},[71,13476,13477],{},[41,13478,4235],{"href":4234}," is a US healthcare law that mandates specific safeguards for protected health information. HIPAA is a regulatory requirement rather than a voluntary attestation — there is no HIPAA certificate, but business associates and covered entities must comply. 
SOC 2 controls address many HIPAA administrative and technical safeguards, and a SOC 2 Type II report is often used as evidence of HIPAA compliance in vendor due diligence.",[37,13481,13482,13486],{},[71,13483,13484],{},[41,13485,44],{"href":511}," is the payment card industry's prescriptive standard for any organization that stores, processes, or transmits cardholder data. Unlike SOC 2, PCI DSS specifies exact controls down to firewall rules and encryption key rotation cadences. SOC 2 and PCI DSS share concepts like encryption, access control, and monitoring, but PCI DSS scope is narrower (cardholder data environment) and the requirements are more specific. Companies that process payments typically need both.",[37,13488,13489,6252,13492,6257,13495,13497],{},[71,13490,13491],{},"NIST Cybersecurity Framework",[71,13493,13494],{},"FedRAMP",[71,13496,6707],{}," address additional specialized audiences — federal contractors, defense industrial base, and government-adjacent systems. These are out of scope for most commercial SaaS but worth mapping if your buyer base includes public sector.",[37,13499,13500,13501,13505],{},"If you are comparing SOC 2 tooling options, our ",[41,13502,13504],{"href":13503},"\u002Fcompare\u002Fvs\u002Fvanta-vs-drata","Vanta vs Drata comparison"," covers the leading compliance automation platforms.",[32,13507,13509],{"id":13508},"soc-2-readiness-checklist","SOC 2 readiness checklist",[37,13511,13512,13513,13517],{},"A readiness checklist keeps your team focused during the months before the audit begins. 
The ",[41,13514,13516],{"href":13515},"\u002Fframeworks\u002Fsoc2\u002Fchecklist","full SOC 2 checklist"," covers every category, but at a high level expect to address:",[200,13519,13520,13523,13526,13529,13532,13535,13538,13541,13544,13547],{},[68,13521,13522],{},"Governance and policies (information security policy, acceptable use, code of conduct)",[68,13524,13525],{},"Access control (SSO, MFA, role-based access, quarterly access reviews)",[68,13527,13528],{},"Change management (code review, deployment approvals, production change logs)",[68,13530,13531],{},"Vendor risk management (inventory, assessments, monitoring)",[68,13533,13534],{},"Incident response (documented plan, tested at least annually)",[68,13536,13537],{},"Business continuity and disaster recovery (plan with defined RPO\u002FRTO, tested)",[68,13539,13540],{},"Logging and monitoring (centralized logs, alerting, incident tickets)",[68,13542,13543],{},"Security awareness training (annual minimum, tracked completion)",[68,13545,13546],{},"HR controls (background checks, onboarding, offboarding, confidentiality agreements)",[68,13548,13549],{},"Risk assessment (annual risk review, risk register, treatment plans)",[37,13551,13552],{},"Most companies find that the readiness phase surfaces gaps they did not know existed. That is the point — better to discover them before the auditor arrives.",[32,13554,13556],{"id":13555},"getting-started-with-soc-2","Getting started with SOC 2",[37,13558,13559],{},"The best time to start a SOC 2 program is before the first buyer demands it. The second best time is now.",[37,13561,13562],{},"A reasonable starting sequence:",[65,13564,13565,13571,13577,13583,13589,13595],{},[68,13566,13567,13570],{},[71,13568,13569],{},"Pick your Trust Services Criteria."," Security is required. 
Add others only if you have customer commitments that map to them.",[68,13572,13573,13576],{},[71,13574,13575],{},"Decide Type I vs Type II."," If you need a report fast for a specific deal, start with Type I. If you have time and buyer pressure is general, skip straight to Type II.",[68,13578,13579,13582],{},[71,13580,13581],{},"Run a readiness assessment."," Either internally or with a consultant. The goal is a prioritized remediation list, not a polished report.",[68,13584,13585,13588],{},[71,13586,13587],{},"Remediate in priority order."," Address policy gaps, access control weaknesses, and logging first — these are the most common sources of findings.",[68,13590,13591,13594],{},[71,13592,13593],{},"Select an auditor."," Get proposals from two to four CPA firms. Check references from similar companies. Book early — good auditors are scheduled quarters in advance.",[68,13596,13597,13600],{},[71,13598,13599],{},"Operate, collect, and iterate."," Run your controls, collect evidence continuously, and prepare for fieldwork. Do not treat the audit as a one-time event.",[37,13602,13603,13604,6564,13609,13612],{},"episki was built for exactly this journey. The platform maps your controls to Trust Services Criteria, automates evidence collection, tracks ownership across teams, and gives your auditor structured access when fieldwork begins. 
",[41,13605,13608],{"href":500,"rel":13606},[13607],"nofollow","Start a free trial",[41,13610,13611],{"href":506},"book a demo"," to see how SOC 2 looks with the scramble removed.",{"title":447,"searchDepth":448,"depth":448,"links":13614},[13615,13616,13617,13624,13625,13626,13627,13628,13629,13630],{"id":13129,"depth":448,"text":13130},{"id":13158,"depth":448,"text":13159},{"id":13192,"depth":448,"text":13193,"children":13618},[13619,13620,13621,13622,13623],{"id":13201,"depth":1179,"text":13202},{"id":13208,"depth":1179,"text":9332},{"id":13219,"depth":1179,"text":13220},{"id":13226,"depth":1179,"text":13227},{"id":13237,"depth":1179,"text":13238},{"id":13248,"depth":448,"text":13249},{"id":13283,"depth":448,"text":13284},{"id":13339,"depth":448,"text":13340},{"id":13394,"depth":448,"text":13395},{"id":13461,"depth":448,"text":13462},{"id":13508,"depth":448,"text":13509},{"id":13555,"depth":448,"text":13556},{"title":13632,"description":13633,"items":13634},"SOC 2 readiness checklist inside episki","Everything is preloaded in your free trial so you can start assigning ownership and collecting proof immediately.",[13635,13636,13637,13638,13639],"Trust Service Criteria library with mapped controls","Policy templates and AI drafting assistant","Evidence library with structured ownership and review cadences","Emulated auditor workspace with sample requests","Customer-facing compliance portal template",{"title":13641,"description":13642},"Launch your SOC 2 workspace today","Import your controls, connect evidence, and invite your auditor in under an hour.",{"title":13644,"items":13645},"SOC 2 frequently asked questions",[13646,13649,13652,13655,13657],{"label":13647,"content":13648},"How long does a SOC 2 audit take?","A SOC 2 Type I audit typically takes 4-8 weeks of preparation plus the audit itself. Type II requires a 3-12 month observation period followed by the assessment. 
episki's automation can cut preparation time by up to 45 days.",{"label":13650,"content":13651},"What is the difference between SOC 2 Type I and Type II?","SOC 2 Type I evaluates whether controls are suitably designed at a single point in time. Type II tests whether those controls operated effectively over a sustained period, usually 3-12 months. Most enterprise buyers require a Type II report.",{"label":13653,"content":13654},"How much does SOC 2 compliance cost?","Total costs typically range from $20,000 to $100,000+ depending on scope, readiness, and auditor fees. episki covers the platform side at a flat $500\u002Fmonth with no per-seat charges, significantly reducing the software portion of that budget.",{"label":13249,"content":13656},"Any SaaS company, cloud service provider, or data processor handling customer data is a likely candidate. Enterprise buyers in financial services, healthcare, and technology frequently require a current SOC 2 report before signing contracts.",{"label":13658,"content":13659},"What are the SOC 2 Trust Services Criteria?","The five Trust Services Criteria are security (required), availability, processing integrity, confidentiality, and privacy. 
Security is mandatory for every SOC 2 audit; the other four are optional and selected based on the services you provide.",{"headline":13661,"title":13662,"description":13663,"links":13664},"SOC 2 without the scramble","Ship SOC 2 audits without slowing product velocity","episki maps Trust Service Criteria, automates evidence, and keeps auditors in sync so your team can focus on building.",[13665,13667],{"label":13666,"icon":499,"to":500},"Start SOC 2 trial",{"label":502,"icon":11083,"color":504,"variant":505,"to":506,"target":507},{},"SOC 2 Type I\u002FII",{"headline":13671,"title":13671,"description":13672,"items":13673},"SOC 2 acceleration resources","Give execs and customers visibility into progress at every stage.",[13674,13676,13679],{"title":11091,"description":13675},"Summaries translate control work into risk reduction and deals unlocked.",{"title":13677,"description":13678},"Sales enablement kit","SOC 2 FAQ answers and trust collateral ready for GTM teams.",{"title":13680,"description":13681},"Audit retro template","Capture what worked, track remediations, and prep the next period.",{"title":13683,"description":13684},"SOC 2 Compliance Software","Get SOC 2 Type I and Type II audit-ready faster with episki's automated controls, evidence tracking, and auditor collaboration. Start your free 14-day trial.",[13686,13689,13692],{"value":13687,"description":13688},"45 days faster","Average time saved reaching Type II readiness with episki’s automation.",{"value":13690,"description":13691},"120+ controls","Pre-mapped control narratives with owners, evidence, and review cadences.",{"value":13693,"description":13694},"100% coverage","Auditor portal with control health dashboards and SOC 2 exports.","5.frameworks\u002Fsoc2","bJbRF5XSL9ALksj1QWkHTg9lO2E2kfmot3QsCAz1naE",1778494662428]