Entity identifies vulnerabilities in the external/open-source libraries in use by running regular vulnerability scans.
Entity’s Senior Management or the Information Security Officer periodically reviews and approves the list of people who have access to audit logs.
Entity’s infrastructure is configured to protect the logs generated, and the logs are retained in adherence to any applicable legal, statutory or regulatory compliance obligations.
Entity maintains an inventory of system components that are in scope for PCI DSS and have access to cardholder data.
Entity’s Senior Management or the Information Security Officer periodically reviews and approves the list of people with access to the encryption keys.
Entity periodically reviews the segmentation and scope reduction exercises completed on the production network.