Evidence tracking by PCI DSS control for GVSU.
| PCI Req | Control Area | GVSU Policy | Evidence Needed | Frequency | Owner | Status | Notes |
|---|---|---|---|---|---|---|---|
| 1 | Network Security Controls | PCI Policies and Procedures | Network diagrams, firewall/router rule reviews, permitted services list, segmentation validation | Annual / 6 months for firewall reviews | Information Technology | Needs Evidence | Track segmentation and firewall evidence. |
| 2 | Secure Configurations | PCI Policies and Procedures | Configuration standards, hardening checklists, build records, vendor default review | At deployment / significant change | Information Technology | Needs Evidence | Track secure build evidence. |
| 3 | Protect Stored Account Data | PCI Processing Standards | No-storage attestation, retention review, destruction logs | Annual | PCI Team / Departments | Partial | Storage is generally prohibited by policy. |
| 4 | Encrypt Transmission | PCI Processing Standards | TLS configuration, payment channel documentation, vendor encryption evidence | Annual | Information Technology / Vendors | Needs Evidence | Strong cryptography required. |
| 5 | Malware Protection | GVSU PCI Malware Policy | EDR reports, malware alert review records, patch deployment records | Ongoing / Monthly | IT Security | Needs Evidence | Managed anti-malware/EDR and patch evidence. |
| 6 | Secure Software Development | Software Development Life Cycle | Code reviews, security testing, OWASP review, dependency scan results | Each release | Development Team / IT Security | Needs Evidence | Applies to payment-related applications. |
| 7 | Restrict Access by Business Need | PCI Policies and Procedures | Access request records, RBAC matrix, least privilege reviews | Annual / role change | IAM / System Owners | Needs Evidence | Track access governance. |
| 8 | Identify and Authenticate Users | PCI Policies and Procedures / CCAdmin Procedure | MFA evidence, password policy, admin access logs, user reviews | Annual | IAM / Application Owners | Needs Evidence | Unique IDs, MFA, password requirements. |
| 9 | Physical Security | Terminal Procedures / Device Inspection Guide | Device inventory, daily/monthly/annual inspection logs, left-behind-card logs | Daily / Monthly / Annual | Departments / Business & Finance | Partial | Core terminal evidence area. |
| 10 | Logging and Monitoring | PCI Policies and Procedures | Centralized logging evidence, daily log review records, investigation notes | Daily / Annual evidence review | IT Security / System Owners | Needs Evidence | Track log collection and review. |
| 11 | Security Testing | PCI Policies and Procedures / Annual Merchant Checklist | Quarterly scans, ASV scans, segmentation tests, risk assessment results | Quarterly / Annual | IT Security | Needs Evidence | Depends on PCI scope and architecture. |
| 12 | Governance and Policy Program | PCI Policies and Procedures / Awareness / Vendor / IR Plan | Policy approval, training records, TPSP AOCs, IR test, merchant checklist | Annual | PCI Team / IT Security / Business & Finance | Partial | Governance evidence across PCI program. |