PCI DSS 4.0.1 Controls and Shared Responsibility Mapping

Overview

PCI DSS 4.0 consists of 12 core requirements, each with multiple controls, designed to protect cardholder data. For Ultra Commerce ecommerce platforms, responsibilities for each control are shared among:

  • Ultra Commerce (Platform Provider)

  • AWS (Cloud Service Provider)

  • Customer (Merchant using our platform)

The mapping below provides a high-level responsibility matrix for each requirement, based on the AWS Shared Responsibility Model and PCI DSS guidance.

PCI DSS 4.0.1 Requirements and Responsibility Matrix

Each requirement below lists the AWS, Ultra Commerce, and Customer responsibility in turn: the party, the short label from the matrix, then the detail.

Requirement 1: Install and maintain network security controls

  • AWS: Physical infra, VPC, NSC. Secures the physical network, provides Virtual Private Cloud (VPC), and manages the underlying firewall infrastructure.

  • Ultra Commerce: Configure VPC, security groups, WAF. Configures VPCs, security groups, and network ACLs; manages web application firewalls (WAF) and ensures segmentation of the cardholder data environment (CDE).

  • Customer: Use platform securely. Uses the platform securely, avoids risky integrations, and follows best practices for connecting to the platform.

Requirement 2: Apply secure configurations to all system components

  • AWS: Hypervisor, base OS (PaaS). Manages the hypervisor, base operating system (for managed services), and default configurations for AWS services.

  • Ultra Commerce: Harden OS, apps, containers. Hardens operating systems, applications, and containers; applies secure configurations to all deployed resources.

  • Customer: Secure app configs. Ensures any customizations or integrations are securely configured and do not weaken platform security.

Requirement 3: Protect stored account data

  • AWS: Physical security, KMS, S3 encryption tools. Provides encryption tools (e.g., AWS KMS, S3 encryption) and ensures physical security of storage infrastructure.

  • Ultra Commerce: Not applicable. Ultra Commerce does not currently process or manage any cardholder data (CHD) on its customers' behalf; clients are responsible for the management of cardholder data.

  • Customer: Data retention, access policies. Customers are responsible for maintaining appropriate data retention policies and procedures, encryption technologies, and key management processes for meeting PCI Data Security Standard requirements.

Requirement 4: Protect cardholder data with strong cryptography during transmission

  • AWS: Network infra, TLS support. Delivers secure network infrastructure and supports TLS for data in transit.

  • Ultra Commerce: Enforce TLS, secure APIs. Enforces TLS for all endpoints, secures APIs, and ensures secure transmission of cardholder data.

  • Customer: Use secure endpoints. Connects only via secure endpoints and avoids insecure integrations.

Requirement 5: Protect all systems and networks from malicious software

  • AWS: Infra, managed services. Secures managed infrastructure and provides anti-malware capabilities for managed services.

  • Ultra Commerce: Endpoint protection, patching. Deploys endpoint protection, regularly patches systems, and monitors for malware.

  • Customer: Secure endpoints. Ensures their own devices and endpoints are protected when accessing the platform.

Requirement 6: Develop and maintain secure systems and software

  • AWS: Managed services infra. Maintains security of managed service infrastructure and underlying software.

  • Ultra Commerce: SDLC, code review, patching. Follows a secure software development lifecycle (SDLC), conducts code reviews, and applies timely patches.

  • Customer: Secure customizations. Ensures any custom code or plugins maintained by the customer are securely developed and maintained.

Requirement 7: Restrict access by business need-to-know

  • AWS: IAM infra, root controls. Provides foundational IAM infrastructure and root account controls.

  • Ultra Commerce: Role-based access, least privilege. Implements role-based access, enforces least privilege, and manages user roles within the platform.

  • Customer: User access management. Manages their own user access and permissions within the platform.

Requirement 8: Identify and authenticate access to system components

  • AWS: IAM infra, MFA support. Offers IAM, supports multi-factor authentication (MFA), and manages authentication for AWS services.

  • Ultra Commerce: User auth, MFA, logging. Enforces user authentication and MFA, and logs all access to sensitive components.

  • Customer: User auth, MFA. Uses strong authentication and MFA for their users and administrators.

Requirement 9: Restrict physical access to cardholder data

  • AWS: Data center security. Ensures physical security of data centers and hardware.

  • Ultra Commerce: Not applicable.

  • Customer: Not applicable.

Requirement 10: Log and monitor all access to system components and cardholder data

  • AWS: CloudTrail, CloudWatch. Provides logging services (CloudTrail, CloudWatch) and secures log storage.

  • Ultra Commerce: Log app access, SIEM integration. Integrates application logs, monitors access, and connects to SIEM solutions for analysis.

  • Customer: Review logs. Reviews logs relevant to their own users and activities.

Requirement 11: Test security of systems and networks regularly

  • AWS: Infra vulnerability management. Conducts vulnerability management and security testing for managed infrastructure.

  • Ultra Commerce: Pen testing, vulnerability scans. Performs penetration testing and vulnerability scans, and remediates findings.

  • Customer: App-level testing. Tests custom applications or integrations for security issues.

Requirement 12: Support information security with policies and programs

  • AWS: Infra policies. Maintains security policies for its infrastructure and services.

  • Ultra Commerce: Security policies, training. Develops, documents, and enforces security policies; provides staff training and compliance documentation.

  • Customer: Security policies. Maintains their own security policies for their users and data, and ensures staff awareness.

Key Points

  • AWS is responsible for the security of the cloud (physical, infrastructure, managed services).

  • Ultra Commerce (as the platform provider) is responsible for security in the cloud (configuration, application security, platform controls).

  • Customer (merchant) is responsible for their own data, user access, and any customizations or integrations they perform.

Notes

  • Some requirements (e.g., physical security) are almost entirely AWS’s responsibility unless you use on-premises hardware.

  • Most technical controls are managed by Ultra Commerce, but customers must still manage their own users and data.

  • For detailed control-wise responsibilities, refer to this spreadsheet.


References

  • PCI DSS v4.0.1 full requirements and guidance

  • AWS PCI DSS v4.0 Compliance Guide

  • PCI DSS Service Provider Controls Matrix best practices

  • PCI DSS v4.0.1 service provider responsibility requirements
