The Safeguards module allows you to track the implementation status of security controls mapped to each of the 12 PCI-DSS requirements. Each safeguard is linked to a specific requirement number, helping you monitor coverage and identify gaps across the entire standard.
Overview of All 12 Requirements
Requirement 1: Install and Maintain Network Security Controls
Key controls: firewall configuration standards, network diagrams, DMZ implementation, personal firewall software on mobile devices, change management for network security controls.
Requirement 2: Apply Secure Configurations
Key controls: change vendor-supplied defaults, configuration standards for all system components, encryption of non-console administrative access, system inventory, PCI-DSS scope documentation.
Requirement 3: Protect Stored Account Data
Key controls: data retention and disposal policy, no SAD storage after authorisation, PAN masking, PAN rendering unreadable (encryption, truncation, tokenisation, hashing), key management procedures.
Requirement 4: Protect CHD During Transmission
Key controls: strong cryptography for transmission over open/public networks, TLS 1.2+ enforcement, never send unprotected PANs via end-user messaging (email, SMS, chat).
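PAN masking (Requirement 3) and keeping unprotected PANs out of logs and end-user messaging (Requirement 4) both come down to the same check: find anything that looks like a card number, confirm it is one, and show no more than the BIN and last four digits. The following is an added example, not Venvera code; it assumes the conventional six-plus-four display limit and uses a constructed log line with a well-known non-live test card number.

```python
import re

# Conventional PCI-DSS display-masking limit: at most the first six (BIN) and
# last four digits of a PAN may be shown. Assumed for this example.
BIN_DIGITS = 6
LAST_DIGITS = 4

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or hyphens,
# not embedded inside a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by card numbers; filters out order ids and the like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display-mask a PAN, keeping only the BIN and the last four digits."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    hidden = len(digits) - BIN_DIGITS - LAST_DIGITS
    return digits[:BIN_DIGITS] + "*" * hidden + digits[-LAST_DIGITS:]


def redact_pans(text: str) -> tuple[str, int]:
    """Replace every Luhn-valid PAN in free text with its masked form.

    Returns the scrubbed text and the number of PANs found, so a log
    pipeline can both clean the line and raise an alert on the finding.
    """
    found = 0

    def _replace(match: re.Match) -> str:
        nonlocal found
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)  # e.g. an order number: leave it untouched
        found += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(_replace, text), found


# Constructed sample log line. 4111 1111 1111 1111 is a well-known non-live
# Visa test number; the 16-digit order id is a made-up value that fails Luhn.
SAMPLE_LOG = "INFO payment ok card=4111 1111 1111 1111 order=1234567890123456"

if __name__ == "__main__":
    scrubbed, count = redact_pans(SAMPLE_LOG)
    print(count, scrubbed)
```

Running the scrubber over the constructed line masks the card number but leaves the order id alone, which is the behaviour you want in a log-forwarding hook: a non-zero count is evidence that a system in scope is emitting PANs and should be raised as a Requirement 3 or 4 finding rather than silently cleaned.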
Requirement 5: Protect Against Malicious Software
Key controls: anti-malware on all commonly affected systems, automatic updates, periodic and real-time scans, anti-malware logs retained, protection against phishing attacks.
Requirement 6: Develop and Maintain Secure Systems
Key controls: security patching process (critical patches within one month), secure development lifecycle, code review or WAF for public-facing web applications, change control procedures, vulnerability management.
Requirement 7: Restrict Access by Business Need to Know
Key controls: role-based access control (RBAC), default deny-all, access control policies and procedures, access rights review at least every six months.
Requirement 8: Identify and Authenticate Users
Key controls: unique IDs for all users, multi-factor authentication (MFA) for CDE access and remote access, password/passphrase complexity requirements, session timeout, lockout after failed attempts.
Requirement 9: Restrict Physical Access
Key controls: physical access controls to the CDE, visitor identification and authorisation, media management (storage, transport, destruction), point-of-interaction (POI) device inspection.
Requirement 10: Log and Monitor All Access
Key controls: audit trail for all system components in the CDE, time synchronisation, log review (at least daily for security events), log retention (12 months, 3 months immediately available), intrusion detection/prevention.
Requirement 11: Test Security Regularly
Key controls: quarterly ASV scans, internal vulnerability scanning, annual (semi-annual for service providers) penetration testing, segmentation testing, change-detection mechanisms (FIM), wireless analyser scans.
Requirement 12: Information Security Policies
Key controls: information security policy maintained and distributed, risk assessment process, acceptable use policies, security awareness training, incident response plan, service provider management, personnel screening.
Implementation Statuses
Each safeguard is tracked with one of four statuses:
| Status | Meaning |
|---|---|
| Implemented | The control is fully deployed, operational, and evidenced |
| In Progress | The control is partially implemented or actively being deployed |
| Not Started | The control has not yet been implemented |
| Not Applicable | The control does not apply to the organisation's environment (must be justified) |
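To show how the four statuses turn into per-requirement coverage and a gap list, here is an added example, not Venvera's own code or data model: it validates that Not Applicable entries carry a justification, computes coverage per requirement over the applicable safeguards only, and reports requirements with no safeguard at all alongside those with open work. The safeguard records are constructed sample data.

```python
from dataclasses import dataclass

STATUSES = {"Implemented", "In Progress", "Not Started", "Not Applicable"}
REQUIREMENTS = range(1, 13)  # PCI-DSS requirements 1 to 12


@dataclass
class Safeguard:
    requirement: int      # which of the 12 requirements this control maps to
    name: str
    status: str
    justification: str = ""  # mandatory when status is "Not Applicable"


def validate(safeguards: list[Safeguard]) -> list[str]:
    """Return a list of data problems; an empty list means the records are sound."""
    problems = []
    for s in safeguards:
        if s.requirement not in REQUIREMENTS:
            problems.append(f"{s.name}: requirement {s.requirement} is out of range")
        if s.status not in STATUSES:
            problems.append(f"{s.name}: unknown status {s.status!r}")
        if s.status == "Not Applicable" and not s.justification.strip():
            problems.append(f"{s.name}: Not Applicable without justification")
    return problems


def coverage_by_requirement(safeguards: list[Safeguard]) -> dict[int, dict]:
    """Per requirement: applicable count, implemented count and percent implemented.

    Not Applicable safeguards are excluded from the denominator, so percent is
    None when a requirement has no applicable safeguard at all.
    """
    result = {r: {"applicable": 0, "implemented": 0, "percent": None} for r in REQUIREMENTS}
    for s in safeguards:
        if s.status == "Not Applicable":
            continue
        entry = result[s.requirement]
        entry["applicable"] += 1
        if s.status == "Implemented":
            entry["implemented"] += 1
    for entry in result.values():
        if entry["applicable"]:
            entry["percent"] = round(100.0 * entry["implemented"] / entry["applicable"], 1)
    return result


def gaps(safeguards: list[Safeguard]) -> dict:
    """Requirements with no safeguard tracked, and open (not yet implemented) controls."""
    tracked = {s.requirement for s in safeguards}
    uncovered = [r for r in REQUIREMENTS if r not in tracked]
    open_controls: dict[int, list[str]] = {}
    for s in safeguards:
        if s.status in ("In Progress", "Not Started"):
            open_controls.setdefault(s.requirement, []).append(s.name)
    return {"uncovered": uncovered, "open": open_controls}


# Constructed sample records (not real assessment data).
SAMPLE = [
    Safeguard(1, "Firewall configuration standard", "Implemented"),
    Safeguard(1, "Network diagram kept current", "In Progress"),
    Safeguard(3, "No SAD stored after authorisation", "Implemented"),
    Safeguard(3, "PAN rendered unreadable at rest", "Not Started"),
    Safeguard(9, "POI device inspection", "Not Applicable", "No card-present channel"),
    Safeguard(10, "Daily log review", "Not Applicable"),  # missing justification
]

if __name__ == "__main__":
    for problem in validate(SAMPLE):
        print("problem:", problem)
    for req, entry in coverage_by_requirement(SAMPLE).items():
        print(f"Req {req}: {entry}")
    print(gaps(SAMPLE))
```

The split between "uncovered" and "open" matters in practice: a requirement with no safeguard tracked is a blind spot in the tracker itself, while an open control is known work. Marking a control Not Applicable with no justification is flagged as a data problem rather than silently improving the percentage, which keeps the coverage figure honest for the assessor.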
Cross-Framework Mapping
PCI-DSS controls map extensively to other security frameworks. When you track safeguards in Venvera, you can see related controls in your other enabled frameworks:
| PCI-DSS Requirement | ISO 27001 | NIST CSF | SOC 2 |
|---|---|---|---|
| Req 1 (Network Security) | A.13.1 | PR.AC-5, PR.PT-4 | CC6.1, CC6.6 |
| Req 3 (Protect Stored Data) | A.10.1, A.18.1 | PR.DS-1, PR.DS-2 | CC6.1, CC6.7 |
| Req 5 (Anti-Malware) | A.12.2 | DE.CM-4 | CC6.8 |
| Req 7 (Access Control) | A.9.1, A.9.2 | PR.AC-1, PR.AC-4 | CC6.1, CC6.3 |
| Req 10 (Logging) | A.12.4 | DE.AE-3, PR.PT-1 | CC7.1, CC7.2 |
| Req 12 (Security Policy) | A.5.1 | ID.GV-1, ID.GV-4 | CC1.1, CC1.2 |