pci_dss_mapping.txt
Keensafe PCI-DSS v4.0 Mapping (LAB DOC, FAKE)

Req 1 (Network) — perimeter Caddy, VPC SGs, DMZ docs in /infra
Req 2 (Defaults) — golden AMI 'ks-base-2024-q4', no defaults left.
Req 3 (Stored CHD) — PAN tokenised by Vault transit; full PAN never logged.
Req 4 (Transmission) — TLS 1.2+ everywhere; mTLS for service mesh.
Req 6 (Secure dev) — Jenkins pipeline runs SAST/DAST (planned: KeenSafe).
Req 8 (Auth) — FIDO2 + 90-day rotation for service creds.
Req 10 (Logging) — central syslog -> elastic.internal.keensafeglobalbank.com.
Req 11 (Test) — quarterly pentest, monthly vulnscan.
Req 12 (Policy) — see ISMS-POL-001.