Appendix I. PCI DSS Controls Mapping
PCI DSS 3 Requirements Mapped to APS Policies and Controls
Last Reviewed: 2025-02-17:19:44:43-UTC
Below is a list of PCI DSS 3.x Requirements and the mappings to APS policies and controls in place.
| ID | PCI DSS 3 Requirement | APS Policies and Controls |
|----|-----------------------|---------------------------|
| 1 | Configure and use firewalls to protect cardholder data | HR and Personnel; Access; Data Protection; SDLC; Configuration & Change Management; Threat Detection and Prevention; Mobile Device Security and Media Management; Model |
| 2 | Do not use the vendor's default settings for system passwords and other security parameters | Model; Roles & Responsibilities; Risk Management; Asset Inventory Management; Data Management; Data Protection; Configuration and Change Management; Mobile Device Security and Media Management |
| 3 | Protect stored cardholder data | Data Management; Data Protection; Mobile Device Security and Management |
| 4 | Encrypt cardholder data when transmitting over open, public networks | HR and Personnel Security; Data Protection; Secure Software Development and Product Security |
| 5 | Protect all systems against malware and update anti-virus software regularly | System Audits, Monitoring and Assessments; HR and Personnel Security; Access; Configuration and Change Management; Threat Detection and Prevention; Mobile Device Security and Management |
| 6 | Develop secure systems and applications | Model; Roles, Responsibilities and Training; Risk Management and Risk Assessment Process; System Audits, Monitoring and Assessments; Secure Software Development and Product Security; Configuration and Change Management; Threat Detection and Prevention; Vulnerability Management; Mobile Device Security and Media Management |
| 7 | Restrict access to cardholder data based on business requirements | Access; Data Management |
| 8 | Identify and authenticate access to system components | Roles, Responsibilities and Training; System Audits, Monitoring and Assessment; Access |
| 9 | Restrict physical access to cardholder data | Facility Access and Physical Security; Asset Inventory Management; Mobile Device Security and Media Management |
| 10 | Track and monitor all access to network resources and cardholder data | Roles, Responsibilities and Training; System Audits, Monitoring and Assessments; Configuration and Change Management |
| 11 | Test security systems and processes regularly | Roles, Responsibilities and Training; System Audits, Monitoring and Assessments; Access; Secure Software Development and Product Security; Threat Detection and Prevention; Vulnerability Management |
| 12 | Create a policy that addresses information security for all staff | Roles, Responsibilities and Training; Policy Management; Risk Management and Risk Assessment Process; HR and Personnel Security; Secure Software Development and Product Security; Incident Response; Breach Investigation and Notification; Third Party Security and Vendor Risk Management |