PCI DSS 4.0 — Payment Card Industry Data Security Standard
PCI DSS 4.0 — Payment Card Industry Data Security Standard — 82% covered.
146 requirements · 111 enforced · 1 designed · 34 advisory · 0 deferred.
Source: PCI Security Standards Council — Payment Card Industry Data Security Standard v4.0 (March 2022, future-dated requirements effective 31 March 2025)
By category
| Category | Reqs | Enforced | Designed | Advisory | Deferred | Coverage |
|---|---|---|---|---|---|---|
| Req 1-2 Network Security & Secure Configuration | 19 | 9 | 0 | 10 | 0 | 61% |
| Req 11-12 Testing & Information Security Policy | 26 | 15 | 0 | 11 | 0 | 68% |
| Req 3-4 Cardholder Data Protection | 23 | 21 | 0 | 2 | 0 | 93% |
| Req 5-6 Vulnerability Management | 20 | 16 | 0 | 4 | 0 | 85% |
| Req 7-8 Access Control & Authentication | 33 | 31 | 1 | 1 | 0 | 96% |
| Req 9-10 Physical Access & Logging | 25 | 19 | 0 | 6 | 0 | 82% |
Every requirement → the KYE™ artefact that enforces it
| ID | Title | Status | KYE™ enforcement |
|---|---|---|---|
| pci-dss.1.1 | Install and maintain network security controls (NSCs) protecting the cardholder data environment (CDE) — Req 1.1 | advisory | constitution_refs: constitution/16-EDGE-RUNTIME.md, constitution/51-NO-SPOF.md |
| pci-dss.1.2 | Configuration of network security controls — documented rule-set with explicit business justification — Req 1.2 | advisory | constitution_refs: constitution/16-EDGE-RUNTIME.md |
| pci-dss.1.2.5 | Documented and approved ports, protocols, and services for all NSCs — Req 1.2.5 | advisory | constitution_refs: constitution/16-EDGE-RUNTIME.md |
| pci-dss.1.3 | Restrict network access between trusted/untrusted networks (deny-all default, explicit allow-list) — Req 1.3 | advisory | constitution_refs: constitution/16-EDGE-RUNTIME.md |
| pci-dss.1.3.1 | Inbound CDE traffic restricted to that necessary for cardholder-data services — Req 1.3.1 | advisory | constitution_refs: constitution/16-EDGE-RUNTIME.md |
| pci-dss.1.3.2 | Outbound CDE traffic restricted to that necessary — Req 1.3.2 | advisory | constitution_refs: constitution/16-EDGE-RUNTIME.md |
| pci-dss.1.4 | Network connections between trusted and untrusted networks are controlled — Req 1.4 | advisory | constitution_refs: constitution/16-EDGE-RUNTIME.md |
| pci-dss.1.4.4 | Stored-PAN system components are not directly accessible from untrusted networks — Req 1.4.4 | advisory | constitution_refs: constitution/16-EDGE-RUNTIME.md, constitution/31-DATA-GOVERNANCE-PACK.md |
| pci-dss.1.5 | Risks to the CDE from computing devices that can connect to both untrusted and CDE networks are mitigated — Req 1.5 | advisory | constitution_refs: constitution/16-EDGE-RUNTIME.md |
| pci-dss.2.1 | Processes and mechanisms for applying secure configurations to all system components are defined — Req 2.1 | enforced | audit_events: kye.compliance.attestation.v1, kye.evidence.decision_map.v1; engines: internal, internal; constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| pci-dss.2.2 | Apply secure configurations to all system components (no vendor defaults, hardening baselines) — Req 2.2 | enforced | audit_events: kye.compliance.attestation.v1, kye.evidence.decision_map.v1; engines: internal, internal; constitution_refs: constitution/25-EDGE-GOVERNANCE.md, constitution/40-IMPLEMENTATION-CANONICAL.md |
| pci-dss.2.2.1 | Configuration standards developed for all system components — Req 2.2.1 | enforced | audit_events: kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| pci-dss.2.2.2 | Vendor default accounts are managed — disabled or accounts removed before deployment — Req 2.2.2 | enforced | audit_events: kye.admin.api_key.issued.v1, kye.admin.api_key.revoked.v1, kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| pci-dss.2.2.3 | Primary functions requiring different security levels are managed — Req 2.2.3 | enforced | audit_events: kye.purpose.permission.v1, kye.evidence.decision_map.v1; engines: internal, internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/25-EDGE-GOVERNANCE.md |
| pci-dss.2.2.4 | Only necessary services, protocols, daemons, and functions enabled — Req 2.2.4 | enforced | audit_events: kye.evidence.decision_map.v1, kye.compliance.attestation.v1; engines: internal, internal; constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| pci-dss.2.2.5 | If insecure services/protocols are present, business justification is documented and additional security features deployed — Req 2.2.5 | enforced | audit_events: kye.compliance.attestation.v1, kye.evidence.decision_map.v1; engines: internal; constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| pci-dss.2.2.6 | System security parameters configured to prevent misuse — Req 2.2.6 | enforced | audit_events: kye.compliance.attestation.v1; engines: internal, internal; constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| pci-dss.2.2.7 | All non-console administrative access is encrypted using strong cryptography — Req 2.2.7 | enforced | audit_events: kye.compliance.attestation.v1; engines: internal, internal; constitution_refs: constitution/16-EDGE-RUNTIME.md |
| pci-dss.2.3 | Wireless environments — secure configuration of any wireless networks attached to the CDE — Req 2.3 | advisory | constitution_refs: constitution/16-EDGE-RUNTIME.md |
| pci-dss.11.1 | Processes and mechanisms for regularly testing security of systems and networks are defined — Req 11.1 | enforced | audit_events: kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| pci-dss.11.2 | Wireless access points are identified and monitored, unauthorised wireless access points are addressed — Req 11.2 | advisory | constitution_refs: constitution/16-EDGE-RUNTIME.md |
| pci-dss.11.3 | External and internal vulnerability scans run at least quarterly and after any significant change (ASV scans for external) — Req 11.3 | advisory | constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| pci-dss.11.3.1 | Internal vulnerability scans performed at least every 3 months — Req 11.3.1 | advisory | constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| pci-dss.11.3.2 | External vulnerability scans performed at least every 3 months by an ASV — Req 11.3.2 | advisory | constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| pci-dss.11.4 | External and internal penetration testing at least annually and after significant change — Req 11.4 | advisory | constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| pci-dss.11.4.1 | Penetration-test methodology is defined, documented, and implemented — Req 11.4.1 | advisory | constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| pci-dss.11.4.2 | Internal penetration testing performed at least once every 12 months — Req 11.4.2 | advisory | constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| pci-dss.11.4.3 | External penetration testing performed at least once every 12 months — Req 11.4.3 | advisory | constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| pci-dss.11.5 | Intrusion-detection and/or intrusion-prevention techniques detect and alert on suspicious activity in the CDE — Req 11.5 | enforced | audit_events: kye.signal.incident.opened.v1, kye.signal.drift.detected.v1; engines: internal, internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| pci-dss.11.5.2 | Change-detection mechanism deployed to alert on unauthorised modifications to critical files — Req 11.5.2 | enforced | audit_events: kye.signal.drift.detected.v1, kye.resilience.drift.detected.v1; engines: internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| pci-dss.11.6 | Unauthorised changes on payment pages are detected and responded to — Req 11.6 | enforced | audit_events: kye.signal.drift.detected.v1, kye.signal.incident.opened.v1; engines: internal; constitution_refs: constitution/16-EDGE-RUNTIME.md |
| pci-dss.12.1 | Comprehensive information-security policy is established, published, maintained, disseminated — Req 12.1 | enforced | audit_events: kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/00-INDEX.md, constitution/40-IMPLEMENTATION-CANONICAL.md |
| pci-dss.12.2 | Acceptable-use policies for end-user technologies are defined and implemented — Req 12.2 | enforced | audit_events: kye.consent.acceptance.v1; engines: internal; constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| pci-dss.12.3 | Risk assessment of the CDE performed and documented at least annually — Req 12.3 | enforced | audit_events: kye.compliance.attestation.v1, kye.assurance.risk_assessment.v1; engines: internal, internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/30-AUDIT-WORM-RETENTION.md |
| pci-dss.12.4 | PCI DSS compliance is managed — Req 12.4 | enforced | audit_events: kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| pci-dss.12.5 | PCI DSS scope is documented and validated — Req 12.5 | enforced | audit_events: kye.compliance.attestation.v1, kye.evidence.decision_map.v1; engines: internal; constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| pci-dss.12.6 | Security awareness education is an ongoing activity — Req 12.6 | advisory | constitution_refs: constitution/10-PARTNER.md, constitution/39-LEARN-RAIL.md |
| pci-dss.12.7 | Personnel are screened to reduce risks from insider threats — Req 12.7 | advisory | constitution_refs: constitution/10-PARTNER.md |
| pci-dss.12.8 | Risk to information assets associated with third-party service-provider (TPSP) relationships is managed — Req 12.8 | enforced | audit_events: kye.federation.cross_org_delegation.v1, kye.subprocessor.v1, kye.compliance.attestation.v1; engines: internal, internal; constitution_refs: constitution/51-NO-SPOF.md |
| pci-dss.12.9 | Third-party service providers (TPSPs) support customers' PCI DSS compliance — Req 12.9 | enforced | audit_events: kye.subprocessor.v1, kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/51-NO-SPOF.md |
| pci-dss.12.10 | Incident response plan — implemented, tested, and exercised at least annually — Req 12.10 | enforced | audit_events: kye.signal.incident.opened.v1, kye.signal.incident.closed.v1, kye.compliance.attestation.v1; engines: internal, internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| pci-dss.12.10.1 | An incident response plan exists and is ready to activate in the event of a suspected/confirmed security incident — Req 12.10.1 | enforced | audit_events: kye.signal.incident.opened.v1; engines: internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| pci-dss.12.10.2 | Incident response plan reviewed and tested at least every 12 months — Req 12.10.2 | enforced | audit_events: kye.compliance.attestation.v1, kye.assurance.audit_replay_report.v1; engines: internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| pci-dss.12.10.4 | Personnel with incident-response responsibilities are appropriately trained — Req 12.10.4 | advisory | constitution_refs: constitution/39-LEARN-RAIL.md |
| pci-dss.12.10.5 | Incident response plan includes monitoring and responding to alerts from critical security control systems — Req 12.10.5 | enforced | audit_events: kye.signal.incident.opened.v1, kye.signal.drift.detected.v1; engines: internal, internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| pci-dss.3.1 | Processes and mechanisms for protecting stored account data are defined and documented — Req 3.1 | enforced | audit_events: kye.compliance.attestation.v1, kye.audit_retention_policy.v1; engines: internal, internal; constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md, constitution/31-DATA-GOVERNANCE-PACK.md |
| pci-dss.3.2 | Minimise storage of account data (data-retention and disposal policy with hard-deletion proof) — Req 3.2 | enforced | audit_events: kye.compliance.attestation.v1, kye.evidence.decision_map.v1, kye.audit_retention_policy.v1; engines: internal, internal; constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md, constitution/31-DATA-GOVERNANCE-PACK.md |
| pci-dss.3.2.1 | Account-data retention and disposal policies, procedures, and processes are defined — Req 3.2.1 | enforced | audit_events: kye.audit_retention_policy.v1, kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| pci-dss.3.3 | SAD (sensitive authentication data) — never retained after authorisation, even if encrypted — Req 3.3 | enforced | audit_events: kye.evidence.tool_call_pin.v1, kye.evidence.decision_map.v1; engines: internal, internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/31-DATA-GOVERNANCE-PACK.md |
| pci-dss.3.3.1 | SAD not retained after authorisation, even if encrypted — Req 3.3.1 | enforced | audit_events: kye.evidence.tool_call_pin.v1, kye.evidence.decision_map.v1; engines: internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| pci-dss.3.3.2 | SAD encrypted during pre-authorisation processing using strong cryptography — Req 3.3.2 | enforced | audit_events: kye.evidence.pack.v1, kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| pci-dss.3.4 | PAN access by personnel restricted; masking for display — Req 3.4 | enforced | audit_events: kye.purpose.permission.v1, kye.evidence.tool_call_pin.v1, kye.evidence.decision_map.v1; engines: internal, internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/31-DATA-GOVERNANCE-PACK.md |
| pci-dss.3.4.1 | PAN masked when displayed (≤ first 6 + last 4 visible) unless legitimate business need — Req 3.4.1 | enforced | audit_events: kye.purpose.permission.v1, kye.evidence.decision_map.v1; engines: internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| pci-dss.3.5 | Render PAN unreadable wherever stored (strong cryptography, key-management lifecycle) — Req 3.5 | enforced | audit_events: kye.evidence.pack.v1, kye.compliance.attestation.v1; engines: internal, internal; constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md, constitution/51-NO-SPOF.md |
| pci-dss.3.5.1 | PAN rendered unreadable by hashing, truncation, tokenisation, or strong encryption — Req 3.5.1 | enforced | audit_events: kye.evidence.pack.v1, kye.compliance.attestation.v1; engines: internal, internal; constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| pci-dss.3.5.1.2 | Disk-level or partition-level encryption used only for removable electronic media — Req 3.5.1.2 | advisory | constitution_refs: constitution/16-EDGE-RUNTIME.md |
| pci-dss.3.5.1.3 | Logical-access management for disk-encryption keys — Req 3.5.1.3 | enforced | audit_events: kye.authority.grant.v1, kye.purpose.permission.v1, kye.admin.api_key.issued.v1; engines: internal, internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| pci-dss.3.6 | Cryptographic keys used to protect stored account data are secured — Req 3.6 | enforced | audit_events: kye.admin.api_key.issued.v1, kye.admin.api_key.revoked.v1, kye.compliance.attestation.v1; engines: internal, internal; constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md, constitution/51-NO-SPOF.md |
| pci-dss.3.6.1 | Procedures defined for cryptographic-key lifecycle (generation, secure distribution, storage, retirement, …) — Req 3.6.1 | enforced | audit_events: kye.compliance.attestation.v1, kye.admin.api_key.issued.v1, kye.admin.api_key.revoked.v1; engines: internal, internal; constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| pci-dss.3.7 | Where cryptography is used to protect stored account data, key-management processes are defined — Req 3.7 | enforced | audit_events: kye.admin.api_key.issued.v1, kye.admin.api_key.revoked.v1, kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| pci-dss.3.7.1 | Key-management policies for strong-cryptographic-key generation — Req 3.7.1 | enforced | audit_events: kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| pci-dss.3.7.4 | Key-management policies for periodic cryptoperiod-bound key changes — Req 3.7.4 | enforced | audit_events: kye.admin.api_key.issued.v1, kye.admin.api_key.revoked.v1, kye.compliance.attestation.v1; engines: internal, internal; constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| pci-dss.3.7.6 | Where manual cleartext key-management operations exist, dual-control / split-knowledge is required — Req 3.7.6 | enforced | audit_events: kye.governedui.approval.v1, kye.governedui.action_proposal.v1; engines: internal; constitution_refs: constitution/36-GOVERNEDUI.md, constitution/51-NO-SPOF.md |
| pci-dss.4.1 | Protect cardholder data with strong cryptography during transmission over open/public networks (TLS 1.2+ mandatory) — Req 4.1 | enforced | audit_events: kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/16-EDGE-RUNTIME.md |
| pci-dss.4.1.1 | Processes and mechanisms for protecting cardholder data with strong cryptography during transmission are defined — Req 4.1.1 | enforced | audit_events: kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/16-EDGE-RUNTIME.md |
| pci-dss.4.1.2 | Roles and responsibilities for transmission protection are documented, assigned, and understood — Req 4.1.2 | enforced | audit_events: kye.authority.grant.v1, kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| pci-dss.4.2 | Strong cryptography for end-user messaging technologies transmitting PAN — Req 4.2 | advisory | constitution_refs: constitution/38-COMMS-RAIL.md |
| pci-dss.4.2.1 | Certificates protecting PAN during transmission over open networks are confirmed valid — Req 4.2.1 | enforced | audit_events: kye.compliance.attestation.v1, kye.signal.drift.detected.v1; engines: internal, internal; constitution_refs: constitution/16-EDGE-RUNTIME.md |
| pci-dss.5.1 | Processes and mechanisms for protecting all systems and networks from malicious software are defined and understood — Req 5.1 | enforced | audit_events: kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| pci-dss.5.2 | Anti-malware solutions deployed on all system components with regular updates — Req 5.2 | advisory | constitution_refs: constitution/16-EDGE-RUNTIME.md |
| pci-dss.5.2.1 | An anti-malware solution is deployed on all system components — Req 5.2.1 | advisory | constitution_refs: constitution/16-EDGE-RUNTIME.md |
| pci-dss.5.2.3 | Any system components not at risk for malware are evaluated periodically — Req 5.2.3 | enforced | audit_events: kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| pci-dss.5.3 | Anti-malware mechanisms and processes are active, maintained, and monitored — Req 5.3 | advisory | constitution_refs: constitution/16-EDGE-RUNTIME.md |
| pci-dss.5.4 | Anti-phishing mechanisms protect users against phishing attacks — Req 5.4 | enforced | audit_events: kye.authority.grant.v1, kye.signal.drift.detected.v1; engines: internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| pci-dss.6.1 | Processes and mechanisms for developing and maintaining secure systems and software are defined — Req 6.1 | enforced | audit_events: kye.compliance.attestation.v1, kye.evidence.decision_map.v1; engines: internal; constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md, constitution/41-ERROR-HORIZONS.md |
| pci-dss.6.2 | Bespoke and custom software developed securely (SSDLC, code review, static + dynamic analysis) — Req 6.2 | enforced | audit_events: kye.compliance.attestation.v1, kye.evidence.decision_map.v1; engines: internal; constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md, constitution/41-ERROR-HORIZONS.md |
| pci-dss.6.2.1 | Bespoke / custom software developed using industry-recognised secure-development standards — Req 6.2.1 | enforced | audit_events: kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| pci-dss.6.2.2 | Software-development personnel trained at least annually in secure coding — Req 6.2.2 | advisory | constitution_refs: constitution/10-PARTNER.md |
| pci-dss.6.2.3 | Bespoke / custom software reviewed prior to release for vulnerabilities — Req 6.2.3 | enforced | audit_events: kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| pci-dss.6.2.4 | Software-engineering techniques used to prevent or mitigate common attacks (injection, broken access, …) — Req 6.2.4 | enforced | audit_events: kye.compliance.attestation.v1, kye.evidence.decision_map.v1; engines: internal, internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| pci-dss.6.3 | Security vulnerabilities are identified and addressed — Req 6.3 | enforced | audit_events: kye.compliance.attestation.v1, kye.signal.drift.detected.v1; engines: internal, internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| pci-dss.6.3.1 | Security vulnerabilities identified using industry-recognised sources, risk-ranked, with documented coverage — Req 6.3.1 | enforced | audit_events: kye.signal.drift.detected.v1, kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| pci-dss.6.3.2 | Inventory of bespoke / custom software, including third-party software components — Req 6.3.2 | enforced | audit_events: kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| pci-dss.6.3.3 | All system components are protected from known vulnerabilities by installing applicable security patches — Req 6.3.3 | enforced | audit_events: kye.signal.drift.detected.v1, kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| pci-dss.6.4 | Public-facing web applications protected against attacks (WAF or equivalent automated technical solution) — Req 6.4 | enforced | audit_events: kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/16-EDGE-RUNTIME.md, constitution/35-STREAMING-LOGS.md |
| pci-dss.6.4.1 | Public-facing web applications reviewed via specialised tools (DAST) at least annually — Req 6.4.1 | enforced | audit_events: kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| pci-dss.6.4.3 | All payment-page scripts loaded and executed in consumer browser are managed — Req 6.4.3 | enforced | audit_events: kye.compliance.attestation.v1, kye.signal.drift.detected.v1; engines: internal, internal; constitution_refs: constitution/16-EDGE-RUNTIME.md |
| pci-dss.6.5 | Changes to all system components are managed securely — Req 6.5 | enforced | audit_events: kye.evidence.decision_map.v1, kye.compliance.attestation.v1, kye.governedui.approval.v1; engines: internal, internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/40-IMPLEMENTATION-CANONICAL.md |
| pci-dss.7.1 | Processes and mechanisms for restricting access by business need-to-know are defined — Req 7.1 | enforced | audit_events: kye.purpose.permission.v1, kye.purpose.admissibility.v1, kye.purpose.grant.v1, kye.evidence.decision_map.v1; engines: internal, internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| pci-dss.7.2 | Define and assign access by role/job function with default deny-all — Req 7.2 | enforced | audit_events: kye.authority.grant.v1, kye.purpose.grant.v1, kye.evidence.decision_map.v1; engines: internal, internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/25-EDGE-GOVERNANCE.md |
| pci-dss.7.2.1 | An access-control model defines access based on job classification and function — Req 7.2.1 | enforced | audit_events: kye.authority.grant.v1, kye.purpose.grant.v1; engines: internal, internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| pci-dss.7.2.2 | Access assigned based on the principle of least privilege — Req 7.2.2 | enforced | audit_events: kye.purpose.permission.v1, kye.evidence.decision_map.v1; engines: internal, internal, internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/25-EDGE-GOVERNANCE.md |
| pci-dss.7.2.4 | User-access reviews performed at least every 6 months — Req 7.2.4 | enforced | audit_events: kye.compliance.attestation.v1, kye.authority.grant.v1; engines: internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/30-AUDIT-WORM-RETENTION.md |
| pci-dss.7.2.5 | All application and system accounts and related access privileges are assigned and managed — Req 7.2.5 | enforced | audit_events: kye.admin.api_key.issued.v1, kye.admin.api_key.revoked.v1, kye.authority.grant.v1; engines: internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| pci-dss.7.2.6 | All access to query repositories of stored cardholder data is restricted via programmatic methods — Req 7.2.6 | enforced | audit_events: kye.purpose.permission.v1, kye.evidence.tool_call_pin.v1, kye.evidence.decision_map.v1; engines: internal, internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| pci-dss.7.3 | Access to system components and data is managed via an access-control system — Req 7.3 | enforced | audit_events: kye.purpose.permission.v1, kye.evidence.decision_map.v1, kye.evidence.tool_call_pin.v1; engines: internal, internal, internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/25-EDGE-GOVERNANCE.md |
| pci-dss.7.3.1 | Access-control system covers all system components — Req 7.3.1 | enforced | audit_events: kye.purpose.permission.v1, kye.evidence.decision_map.v1; engines: internal, internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| pci-dss.7.3.2 | Access-control system configured to enforce assigned access — Req 7.3.2 | enforced | audit_events: kye.purpose.permission.v1, kye.evidence.decision_map.v1; engines: internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| pci-dss.7.3.3 | Access-control system configured with a default deny-all setting — Req 7.3.3 | enforced | audit_events: kye.purpose.admissibility.v1, kye.evidence.decision_map.v1; engines: internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| pci-dss.8.1 | Processes and mechanisms for identifying users and authenticating access are defined — Req 8.1 | enforced | audit_events: kye.authority.grant.v1, kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| pci-dss.8.2 | User identification and related accounts for users and administrators are strictly managed — Req 8.2 | enforced | audit_events: kye.authority.grant.v1, kye.admin.entitlement.expired.v1, kye.admin.entitlement.renewed.v1; engines: internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| pci-dss.8.2.1 | All users are assigned a unique ID before access to system components or cardholder data — Req 8.2.1 | enforced | audit_events: kye.authority.grant.v1; engines: internal, internal; constitution_refs: constitution/01-NAMING.md |
| pci-dss.8.2.2 | Group, shared, or generic accounts are not used unless documented and managed — Req 8.2.2 | enforced | audit_events: kye.authority.grant.v1, kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| pci-dss.8.2.4 | Addition, deletion, modification of user IDs / accounts managed with appropriate approval — Req 8.2.4 | enforced | audit_events: kye.governedui.approval.v1, kye.governedui.action_proposal.v1, kye.authority.grant.v1; engines: internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/36-GOVERNEDUI.md |
| pci-dss.8.2.5 | Access for terminated users is immediately revoked — Req 8.2.5 | enforced | audit_events: kye.signal.revocation.cascaded.v1, kye.admin.tenant.revoked.v1; engines: internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| pci-dss.8.2.6 | Inactive user accounts are removed or disabled within 90 days — Req 8.2.6 | enforced | audit_events: kye.admin.entitlement.expired.v1, kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| pci-dss.8.2.7 | Accounts used by third parties are managed (enabled only during use, monitored) — Req 8.2.7 | enforced | audit_events: kye.federation.cross_org_delegation.v1, kye.authority.grant.v1; engines: internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| pci-dss.8.3 | Strong authentication for all users (MFA, FIDO2/WebAuthn, no shared accounts) — Req 8.3 | enforced | audit_events: kye.authority.grant.v1, kye.evidence.decision_map.v1; engines: internal, internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| pci-dss.8.3.1 | All user access to system components for users and administrators authenticated via at least one of: knowledge, possession, biometrics — Req 8.3.1 | enforced | audit_events: kye.authority.grant.v1; engines: internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| pci-dss.8.3.4 | Invalid authentication attempts limited (≤10) with account lockout for ≥30 minutes — Req 8.3.4 | enforced | audit_events: kye.authority.grant.v1, kye.signal.drift.detected.v1; engines: internal, internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| pci-dss.8.3.6 | Passwords/passphrases meet minimum complexity (12 characters, alphanumeric) — Req 8.3.6 | designed | constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| pci-dss.8.3.7 | Individuals not permitted to submit a new password identical to any of the last 4 passwords — Req 8.3.7 | advisory | constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| pci-dss.8.4 | MFA for all non-console access to the CDE and all remote access — Req 8.4 | enforced | audit_events: kye.authority.grant.v1; engines: internal, internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| pci-dss.8.4.1 | MFA is implemented for non-console admin access — Req 8.4.1 | enforced | audit_events: kye.authority.grant.v1; engines: internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| pci-dss.8.4.2 | MFA is implemented for all access into the CDE — Req 8.4.2 | enforced | audit_events: kye.authority.grant.v1, kye.evidence.decision_map.v1; engines: internal, internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| pci-dss.8.4.3 | MFA implemented for all remote access originating from outside the entity's network — Req 8.4.3 | enforced | audit_events: kye.authority.grant.v1; engines: internal, internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| pci-dss.8.5 | MFA systems configured to prevent misuse (not susceptible to replay; bypass requires explicit re-authorisation) — Req 8.5 | enforced | audit_events: kye.authority.grant.v1, kye.replay.proof.v1; engines: internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| pci-dss.8.6 | Application and system accounts (machine identities) inventoried, scoped, and rotated — Req 8.6 | enforced | audit_events: kye.admin.api_key.issued.v1, kye.admin.api_key.revoked.v1, kye.compliance.attestation.v1; engines: internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/40-IMPLEMENTATION-CANONICAL.md |
| pci-dss.8.6.1 | Application/system accounts authenticated by passwords/passphrases not used interactively — Req 8.6.1 | enforced | audit_events: kye.admin.api_key.issued.v1; engines: internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| pci-dss.8.6.2 | Authentication factors for any application/system accounts are not hard-coded in scripts or source — Req 8.6.2 | enforced | audit_events: kye.compliance.attestation.v1, kye.signal.drift.detected.v1; engines: internal, internal; constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| pci-dss.8.6.3 | Passwords/passphrases for application/system accounts changed periodically and immediately upon suspicion of compromise — Req 8.6.3 | enforced | audit_events: kye.admin.api_key.revoked.v1, kye.admin.api_key.issued.v1; engines: internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/13-RESILIENCE-LOOP.md |
| pci-dss.9.1 | Restrict physical access to systems in the cardholder data environment — Req 9.1 | advisory | constitution_refs: constitution/51-NO-SPOF.md |
| pci-dss.9.2 | Physical access controls manage entry into facilities and systems containing cardholder data — Req 9.2 | advisory | constitution_refs: constitution/51-NO-SPOF.md |
| pci-dss.9.3 | Physical access for personnel and visitors is authorised and managed — Req 9.3 | advisory | constitution_refs: constitution/51-NO-SPOF.md |
| pci-dss.9.4 | Media inventoried, classified, and destroyed when no longer needed — Req 9.4 | advisory | constitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
| pci-dss.9.4.1 | All media with cardholder data is physically secured — Req 9.4.1 | advisory | constitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
| pci-dss.9.5 | Point-of-interaction (POI) devices are protected from tampering and substitution — Req 9.5 | advisory | constitution_refs: constitution/16-EDGE-RUNTIME.md |
| pci-dss.10.1 | Processes and mechanisms for logging and monitoring all access to system components and cardholder data are defined — Req 10.1 | enforced | audit_events: kye.audit.event.v1, kye.evidence.decision_map.v1; engines: internal, internal; constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md, constitution/35-STREAMING-LOGS.md |
| pci-dss.10.2 | Audit logs implemented to support detection of anomalies and forensic analysis (all user activity, all auth events, all admin actions) — Req 10.2 | enforced | audit_events: kye.audit.event.v1, kye.evidence.decision_map.v1, kye.evidence.tool_call_pin.v1; engines: internal, internal; workers: kye-audit-chain-worker; constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md, constitution/35-STREAMING-LOGS.md |
| pci-dss.10.2.1 | Audit logs enabled and active for all system components and cardholder data — Req 10.2.1 | enforced | audit_events: kye.audit.event.v1; engines: internal; constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| pci-dss.10.2.1.1 | Audit logs capture all individual user access to cardholder data — Req 10.2.1.1 | enforced | audit_events: kye.audit.event.v1, kye.evidence.tool_call_pin.v1; engines: internal, internal; constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
pci-dss.10.2.1.2 |
Audit logs capture all actions taken by any individual with root or admin privileges — Req 10.2.1.2 | enforced | audit_events: kye.audit.event.v1, kye.governedui.approval.v1engines: internalconstitution_refs: constitution/30-AUDIT-WORM-RETENTION.md, constitution/36-GOVERNEDUI.md |
pci-dss.10.2.1.3 |
Audit logs capture all access to audit logs — Req 10.2.1.3 | enforced | audit_events: kye.audit.event.v1, kye.evidence.tool_call_pin.v1engines: internal, internalconstitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
pci-dss.10.2.1.4 |
Audit logs capture all invalid logical access attempts — Req 10.2.1.4 | enforced | audit_events: kye.audit.event.v1, kye.evidence.decision_map.v1, kye.signal.decision.denied.v1engines: internal, internalconstitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
pci-dss.10.2.1.5 |
Audit logs capture all changes to identification and authentication credentials — Req 10.2.1.5 | enforced | audit_events: kye.admin.api_key.issued.v1, kye.admin.api_key.revoked.v1, kye.authority.grant.v1engines: internalconstitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
pci-dss.10.2.2 |
Audit records include who, what, when, where, source, identity, outcome — Req 10.2.2 | enforced | audit_events: kye.audit.event.v1, kye.evidence.decision_map.v1engines: internalconstitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
pci-dss.10.3 |
Audit-log integrity — logs cannot be altered or deleted (append-only, tamper-evident) — Req 10.3 | enforced | audit_events: kye.audit.event.v1engines: internal, internalconstitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
pci-dss.10.3.1 |
Read access to audit logs is limited to those with a job-related need — Req 10.3.1 | enforced | audit_events: kye.purpose.permission.v1, kye.evidence.decision_map.v1engines: internalconstitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/30-AUDIT-WORM-RETENTION.md |
pci-dss.10.3.2 |
Audit log files protected against unauthorised modifications — Req 10.3.2 | enforced | audit_events: kye.audit.event.v1engines: internalconstitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
pci-dss.10.3.3 |
Audit-log files promptly backed up to a centralised log server or media that is difficult to alter — Req 10.3.3 | enforced | audit_events: kye.audit.event.v1engines: internalconstitution_refs: constitution/30-AUDIT-WORM-RETENTION.md, constitution/35-STREAMING-LOGS.md |
pci-dss.10.3.4 |
File-integrity monitoring or change-detection on audit logs — Req 10.3.4 | enforced | audit_events: kye.signal.drift.detected.v1engines: internal, internalconstitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
pci-dss.10.4 |
Audit logs reviewed to identify anomalies or suspicious activity — Req 10.4 | enforced | audit_events: kye.signal.drift.detected.v1, kye.signal.incident.opened.v1engines: internal, internalconstitution_refs: constitution/13-RESILIENCE-LOOP.md |
pci-dss.10.4.1 |
Daily review of security events and logs of all CDE system components — Req 10.4.1 | enforced | audit_events: kye.signal.drift.detected.v1engines: internalconstitution_refs: constitution/13-RESILIENCE-LOOP.md |
pci-dss.10.5 |
Audit logs retained ≥ 12 months with 3 months immediately available for analysis — Req 10.5 | enforced | audit_events: kye.compliance.attestation.v1, kye.audit_retention_policy.v1engines: internalconstitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
pci-dss.10.6 |
Time-synchronisation mechanisms support consistent time settings across all systems — Req 10.6 | enforced | audit_events: kye.signal.drift.detected.v1, kye.compliance.attestation.v1engines: internalconstitution_refs: constitution/35-STREAMING-LOGS.md |
pci-dss.10.7 |
Failures of critical security control systems are detected, alerted, and addressed promptly — Req 10.7 | enforced | audit_events: kye.signal.incident.opened.v1, kye.signal.drift.detected.v1, kye.signal.incident.closed.v1engines: internal, internalconstitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/51-NO-SPOF.md |