Every control, clearly explained
Long-tail reference pages mapped to AuditOak's master control taxonomy, with evidence examples and cross-framework overlaps.
SOC 2
Restrict logical access to systems and data so only authorized personnel can access protected information assets, with documented policies and periodic review.
Require multi-factor authentication for access to systems and data that support the entity's objectives, enforced organization-wide, not only for privileged users.
Protect data in transit using encryption and secure transmission protocols to prevent unauthorized interception.
Monitor system components for anomalies and security events, with alerts routed to personnel who can investigate and respond.
Assess and manage risks associated with vendors and business partners who have access to confidential information or provide services to the entity.
Demonstrate commitment to integrity and ethical values through tone at the top, standards of conduct, and enforcement mechanisms.
ISO 27001
Establish and implement rules governing physical and logical access to information and associated assets based on business need and least privilege.
Implement secure authentication technologies and procedures commensurate with information access restrictions and the access control policy.
Define and implement rules for the effective use of cryptography to protect information confidentiality, authenticity, and integrity.
Monitor networks, systems, and applications for anomalous behavior and take appropriate action to evaluate potential information security incidents.
Require management to demonstrate commitment to the ISMS and ensure personnel understand their information security responsibilities.
GDPR
Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption, resilience, restore capability, and regular testing.
When engaging processors, use only those providing sufficient guarantees and execute a Data Processing Agreement with required Article 28(3) clauses.
Establish procedures to respond to data subject access requests within one month, providing prescribed information about processing activities.
PCI-DSS
Restrict access to system components and cardholder data to only those individuals whose job requires it, based on least privilege.
Require MFA for all access into the cardholder data environment and for all remote network access originating from outside the entity's network.
Never send primary account numbers over end-user messaging technologies and use strong cryptography for transmission over open, public networks.
Do not store sensitive authentication data after authorization and protect stored cardholder data with strong cryptography.