- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
- Additional PCI DSS Requirements for Shared Hosting Providers
- Additional PCI DSS Requirements for Entities using SSL/Early TLS for Card-Present POS POI Terminal Connections
- Designated Entities Supplemental Validation (DESV)
- R1: Install and maintain a firewall configuration to protect cardholder data
- R2: Do not use vendor-supplied defaults for system passwords and other security parameters
- R3: Protect stored cardholder data
- R4: Encrypt transmission of cardholder data across open, public networks
- R5: Use and regularly update anti-virus software or programs
- R6: Develop and maintain secure systems and applications
- R7: Restrict access to cardholder data by business need to know
- R8: Assign a unique ID to each person with computer access
- R9: Restrict physical access to cardholder data
- R10: Track and monitor all access to network resources and cardholder data
- R11: Regularly test security systems and processes
- R12: Maintain a policy that addresses information security for all personnel
- A1: Secure Payment Card Applications
- A1.1: Secure Payment Card Applications
- A1.2: Secure Payment Card Applications
- A1.3: Secure Payment Card Applications
- A1.4: Secure Payment Card Applications
- A2.1: Secure Payment Card Applications
- A2.2: Be Prepared to Respond to a System Breach
- A2.3: Be Prepared to Respond to a System Breach
- A3.1: Implement a PCI DSS Compliance Program
- A3.2: Document and Validate PCI DSS Scope
- A3.3: Validate PCI DSS is incorporated into business-as-usual (BAU) activities
- A3.4: Control and manage logical access to the cardholder data environment
- A3.4: Identify and respond to suspicious events