{"id":85,"date":"2022-12-04T21:47:00","date_gmt":"2022-12-05T02:47:00","guid":{"rendered":"https:\/\/terrabytefoundry.com\/blog_s\/?p=85"},"modified":"2022-12-04T13:50:16","modified_gmt":"2022-12-04T18:50:16","slug":"intro-to-pci-version-4-requirement-12","status":"publish","type":"post","link":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/12\/04\/intro-to-pci-version-4-requirement-12\/","title":{"rendered":"Intro to PCI version 4: Requirement 12"},"content":{"rendered":"\n<p>We have come to the end of our PCI version 4 by requirement journey.\u00a0 I know it has been a thrilling experience, full of ups and downs (mostly filled with bullet points, but whatever.)<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Overall Thoughts<\/h2>\n\n\n\n<p>Requirement 12 has been the backbone of the PCI program management process.\u00a0 The majority of the focus is on the management of processes, risk, and third parties.\u00a0 In v4 this does not change, but there are some changes and updates worth mentioning.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What\u2019s New for Req 12 in v4<\/h2>\n\n\n\n<p>The new controls in requirement 12 of v4 are:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>12.1.2 \u2013 So unlike all the other requirement updates, the SSC does not add in a new control for 12.1.2.&nbsp; Then why do I mention it?&nbsp; Only as an anchor to reference the lack of it, so you aren\u2019t confused and thinking I forgot it (as if!)<\/li>\n\n\n\n<li>12.3.1 &#8211; A targeted risk analysis is documented to support each PCI DSS requirement that provides flexibility for how frequently it is performed. &nbsp;Where TRAs are used, you need to determine the \u201cR\u201d and impact probabilities to use as the determining factor for how often you perform the TSA.&nbsp; Some areas this might be annually and others it could be quarterly, monthly, or every couple of years.<\/li>\n\n\n\n<li>12.3.2 &#8211; A targeted risk analysis is performed for each PCI DSS requirement that is met with the customized approach. (ie \u2013 if you are going to use the customized approach towards compliance, you need a TRA for <strong><u>EACH<\/u><\/strong> control.&nbsp; Not one per assessment, but one per control).<\/li>\n\n\n\n<li>12.3.3 &#8211; Cryptographic cipher suites and protocols in use are documented and reviewed. \u2013 Basically, you need to create an inventory type record of the different cipher suites and protocols in the environment, along with a review process to ensure that it is stays accurate.<\/li>\n\n\n\n<li>12.3.4 &#8211; Hardware and software technologies are reviewed. Be MORE proactive with your inventories and manage support contracts\/models.<\/li>\n\n\n\n<li>12.5.2 &#8211; Requirement to document and confirm scope of PCI compliance annually. Prior to your PCI assessment, the company needs to review the cardholder data environment (CDE) to validate the scope is accurate.&nbsp; This does not replace the scoping efforts required of the QSA but should make the process significantly easier (if done correctly).<\/li>\n\n\n\n<li>12.5.2.1 &#8211; PCI DSS scope is documented and confirmed at least once every six months and upon significant changes. Additional requirements for service providers.&nbsp; In a nutshell this is the same as 12.5.2, but the frequency has changed.<\/li>\n\n\n\n<li>12.5.3 &#8211; The impact of significant organizational changes on PCI DSS scope is documented and reviewed and results are communicated to executive management. Another service provider control, focusing on changes to employee resources.&nbsp; If administrative staff leave, document what was done to manage the impact to the environment.<\/li>\n\n\n\n<li>12.6.2 &#8211; The security awareness program is reviewed at least once every 12 months and updated as needed. On top of doing the required training within the company, you must also formally review the training program itself and document the process.&nbsp; Looking to improve and make corrections that have such a major impact on the security culture of the company.<\/li>\n\n\n\n<li>12.6.3.1 &#8211; Security awareness training includes awareness of threats that could impact the security of the CDE, to include phishing and related attacks and social engineering. Adding in requirements for employees to be taught about the different entry points they have some form of risk associated to them.<\/li>\n\n\n\n<li>12.6.3.2 &#8211; Security awareness training includes awareness about acceptable use of end-user technologies. (Same as above, but different topics).<\/li>\n\n\n\n<li>12.9.2 &#8211; TPSPs support customers\u2019 requests to provide PCI DSS compliance status and information about PCI DSS requirements that are the responsibility of the TPSP. This one is something I am glad about.&nbsp; It is service provider only and requires for a process to provide the proof of compliance to your clients AND the ever-elusive Responsibility Matrix.&nbsp; It is very common for me to have clients that can\u2019t get this from their providers and must create one for themselves.&nbsp; If the service provider doesn\u2019t agree with what is written, this responsibility matrix isn\u2019t worth much.<\/li>\n\n\n\n<li>12.10.4.1 &#8211; A targeted risk analysis is performed to determine frequency of periodic training for incident response personnel.<\/li>\n\n\n\n<li>12.10.5 &#8211; The security incident response plan includes alerts from the change- and tamper-detection mechanism for payment pages. The expansion of FIM, or something similar in functionality for payment pages.&nbsp; Some could make the argument that even if you are using iFrames to outsource this, you should be monitoring the pages with the links to those as well, to prevent someone from changing that page and redirecting to their own iFrame for card capture.<\/li>\n\n\n\n<li>12.10.7 &#8211; Incident response procedures are in place and initiated upon detection of PAN.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Changes to 12 in v4<\/h2>\n\n\n\n<p>Requirement 12 changes\/modifications are mostly focused on just providing additional details in what the expectations are going to be (along with the structural changes \u2013 of course).<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>12 \u2013 Clarification\/guidance \u2013 Updated principal requirement title to reflect that the focus is on organizational policies and programs that support information security.<\/li>\n\n\n\n<li>12.2 \u2013 Removed \u2013 Evolving Requirement &#8211; Removed requirement for a formal organization-wide risk assessment and replaced with specific targeted risk analyses (12.3.1 and 12.3.2).<\/li>\n\n\n\n<li>12.4 \u2013 Now 12.1.3 \u2013 Evolving Requirement &#8211; Added formal acknowledgment by personnel of their responsibilities. Executive management will now be required to sign a document confirming they are aware of their responsibilities.<\/li>\n\n\n\n<li>12.5 \/ 12.5.1 \u2013 5 \u2013 Now 12.1.4 \u2013 Clarification\/Guidance &#8211; Clarified that responsibilities are formally assigned to a Chief Information Security Officer or other knowledgeable member of executive management. Merged requirements for formally assigning responsibility for information security.<\/li>\n\n\n\n<li>12.3 \/ 12.3.1 \u2013 9 \u2013 Now 12.2.1 \u2013 Clarification\/Guidance &#8211; Clarified the intent of the requirement is for acceptable use policies for end-user technologies. Merged and removed requirements to focus on explicit management approval, acceptable uses of technologies, and a list of hardware and software products approved by the company for employee use.<\/li>\n\n\n\n<li>12.3.10 \u2013 Now 3.4.2 \u2013 Evolving Requirement &#8211; Removed requirement and added new Requirement 3.4.2 for technical controls to prevent copy and\/or relocation of PAN when using remote-access technologies.<\/li>\n\n\n\n<li>12.11 \/ 12.11.1 \u2013 Now 12.4.2 \/ 12.4.2.1 \u2013 Structure\/format &#8211; Moved requirements for reviews to confirm that personnel are performing PCI DSS tasks in accordance with policies and procedures under Requirement 12.4, to align with other requirements for managing PCI DSS compliance activities.<\/li>\n\n\n\n<li>2.4 \u2013 Now 12.5.1 \u2013 Structure\/format &#8211; Moved under Requirement 12.5 to align with other requirements for documenting and validating PCI DSS scope.<\/li>\n\n\n\n<li>12.6 \u2013 Now 12.6.1 \u2013 Clarification\/guidance &#8211; Clarified that the intent is that all personnel are aware of the entity\u2019s information security policy and their role in protecting cardholder data.<\/li>\n\n\n\n<li>12.6.1 \/ 12.6.2 \u2013 Now 12.6.3 \u2013 Structure\/format &#8211; Merged requirements for security awareness training.<\/li>\n\n\n\n<li>12.8 \u2013 Removed \u2013 Structure\/format &#8211; Removed \u201cnull\u201d requirement (all content pointed to other requirements).<\/li>\n\n\n\n<li>12.8.1 \u2013 12.8.5 \u2013 Now the same \u2013 Clarification\/guidance &#8211; Replaced \u201cService Provider\u201d with Third-Party Service Provider (TPSP). Clarified that the use of a PCI DSS compliant TPSP does not make an entity PCI DSS compliant, nor does it remove the entity\u2019s responsibility for its own PCI DSS compliance.&nbsp; Clarified that where an entity has an agreement with a TPSP for meeting PCI DSS requirements on behalf of the entity, the entity must work with the TPSP to make sure the applicable PCI DSS requirements are met. If the TPSP does not meet those applicable PCI DSS requirements, then those requirements are also \u201cnot in place\u201d for the entity. Clarified that the information about PCI DSS requirements managed by the TPSP and the entity should include any that are shared between the TPSP and the entity.<\/li>\n\n\n\n<li>12.10 \u2013 Removed \u2013 Structure\/format &#8211; Replaced \u201csystem breach\u201d and \u201ccompromise\u201d with \u201csuspected or confirmed security incident.\u201d<\/li>\n\n\n\n<li>12.10.1 \u2013 Now Same \u2013 Clarification\/guidance &#8211; Replaced \u201csystem breach\u201d and \u201ccompromise\u201d with \u201csuspected or confirmed security incident.\u201d<\/li>\n\n\n\n<li>12.10.3 \u2013 Now Same \u2013 Clarification\/guidance &#8211; Replaced \u201calerts\u201d with \u201csuspected or confirmed security incidents.\u201d<\/li>\n\n\n\n<li>12.10.4 \u2013 Now Same \u2013 Clarification\/guidance &#8211; Replaced \u201csystem breach\u201d with \u201csuspected or confirmed security incidents.\u201d<\/li>\n\n\n\n<li>12.10.5 \/ 11.1.2 \/ 11.5.1 \u2013 Now 12.10.5 \u2013 Evolving Requirement &#8211; Merged requirements and updated the security monitoring systems to be monitored and responded to as part of the incident response plan to include the following:<ul><li>Detection of unauthorized wireless access points (former 11.1.2),<\/li><\/ul><ul><li>Change-detection mechanism for critical files (former 11.5.1),<\/li><\/ul><ul><li>New requirement bullet for use of a change- and tamper-detection mechanism for payment pages (relates to new requirement 11.6.1).<\/li><\/ul>\n<ul class=\"wp-block-list\">\n<li>(This bullet is a best practice until 31 March 2025.)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>If you have been involved in a PCI assessment and had the need to review the actual report on compliance (sorry for you on that), you have probably noticed that the majority of requirement 12 just reads as the name of the QSA doing the assessment.&nbsp; \u201cProvide the name of the assessor who confirms . . .)\u201d So, it might see like there are a LOT of changes to a requirement that is just demonstrating compliance with someone\u2019s name.&nbsp; Well, the backend work that has to be done to get that signature has always been somewhat substantial, since 12 is all about the PCI program and management thereof.&nbsp; When you look over the additions and changes you can see that from the perspective of the goals behind requirement 12 not much has changed.&nbsp; It is still about focusing on making sure the PCI program within each entity is something that is proactive in its approach and not something designed solely to skirt security and do the least amount possible to get the AoC.<\/p>\n\n\n\n<p>As always, I hope this tidbit of information gives you a base to have discussions with your internal subject matter experts and your trusted external sources for IT security and PCI knowledge.\u00a0 Feel free to reach out to me directly with questions or to have a conversation via my email and\/or social media information on the TBF website.\u00a0 Thanks for taking the time to read my thoughts on PCI v4 Requirement 12.\u00a0 We will continue to work through each of the PCI requirements each week.<\/p>\n\n\n\n<p>~ Shawn<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We have come to the end of our PCI version 4 by requirement journey.\u00a0 I know it has been a thrilling experience, full of ups and downs (mostly filled with bullet points, but whatever.) Overall Thoughts Requirement 12 has been the backbone of the PCI program management process.\u00a0 The majority of the focus is on &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/terrabytefoundry.com\/blog_s\/2022\/12\/04\/intro-to-pci-version-4-requirement-12\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Intro to PCI version 4: Requirement 12&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"nf_dc_page":"","om_disable_all_campaigns":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[7],"tags":[],"class_list":["post-85","post","type-post","status-publish","format-standard","hentry","category-shawn"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Intro to PCI version 4: Requirement 12 - Shawn&#039;s Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/terrabytefoundry.com\/blog_s\/2022\/12\/04\/intro-to-pci-version-4-requirement-12\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Intro to PCI version 4: Requirement 12 - Shawn&#039;s Blog\" \/>\n<meta property=\"og:description\" content=\"We have come to the end of our PCI version 4 by requirement journey.\u00a0 I know it has been a thrilling experience, full of ups and downs (mostly filled with bullet points, but whatever.) Overall Thoughts Requirement 12 has been the backbone of the PCI program management process.\u00a0 The majority of the focus is on &hellip; Continue reading &quot;Intro to PCI version 4: Requirement 12&quot;\" \/>\n<meta property=\"og:url\" content=\"https:\/\/terrabytefoundry.com\/blog_s\/2022\/12\/04\/intro-to-pci-version-4-requirement-12\/\" \/>\n<meta property=\"og:site_name\" content=\"Shawn&#039;s Blog\" \/>\n<meta property=\"article:published_time\" content=\"2022-12-05T02:47:00+00:00\" \/>\n<meta name=\"author\" content=\"TBF_Shawn\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TBF_Shawn\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/12\\\/04\\\/intro-to-pci-version-4-requirement-12\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/12\\\/04\\\/intro-to-pci-version-4-requirement-12\\\/\"},\"author\":{\"name\":\"TBF_Shawn\",\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/#\\\/schema\\\/person\\\/588d52e259ebeabac260cbb21bb1aeb4\"},\"headline\":\"Intro to PCI version 4: Requirement 12\",\"datePublished\":\"2022-12-05T02:47:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/12\\\/04\\\/intro-to-pci-version-4-requirement-12\\\/\"},\"wordCount\":1615,\"articleSection\":[\"Shawn\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/12\\\/04\\\/intro-to-pci-version-4-requirement-12\\\/\",\"url\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/12\\\/04\\\/intro-to-pci-version-4-requirement-12\\\/\",\"name\":\"Intro to PCI version 4: Requirement 12 - Shawn&#039;s Blog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/#website\"},\"datePublished\":\"2022-12-05T02:47:00+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/#\\\/schema\\\/person\\\/588d52e259ebeabac260cbb21bb1aeb4\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/12\\\/04\\\/intro-to-pci-version-4-requirement-12\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/12\\\/04\\\/intro-to-pci-version-4-requirement-12\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/2022\\\/12\\\/04\\\/intro-to-pci-version-4-requirement-12\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Intro to PCI version 4: Requirement 12\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/#website\",\"url\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/\",\"name\":\"Shawn&#039;s Blog\",\"description\":\"Shawn&#039;s Thoughts and Ramblings\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/#\\\/schema\\\/person\\\/588d52e259ebeabac260cbb21bb1aeb4\",\"name\":\"TBF_Shawn\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/5acf07715e5622368f9bc851369ef517917f409c14615da93434e0dcf7bbed28?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/5acf07715e5622368f9bc851369ef517917f409c14615da93434e0dcf7bbed28?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/5acf07715e5622368f9bc851369ef517917f409c14615da93434e0dcf7bbed28?s=96&d=mm&r=g\",\"caption\":\"TBF_Shawn\"},\"sameAs\":[\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\"],\"url\":\"https:\\\/\\\/terrabytefoundry.com\\\/blog_s\\\/author\\\/tbf_shawn\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Intro to PCI version 4: Requirement 12 - Shawn&#039;s Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/12\/04\/intro-to-pci-version-4-requirement-12\/","og_locale":"en_US","og_type":"article","og_title":"Intro to PCI version 4: Requirement 12 - Shawn&#039;s Blog","og_description":"We have come to the end of our PCI version 4 by requirement journey.\u00a0 I know it has been a thrilling experience, full of ups and downs (mostly filled with bullet points, but whatever.) Overall Thoughts Requirement 12 has been the backbone of the PCI program management process.\u00a0 The majority of the focus is on &hellip; Continue reading \"Intro to PCI version 4: Requirement 12\"","og_url":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/12\/04\/intro-to-pci-version-4-requirement-12\/","og_site_name":"Shawn&#039;s Blog","article_published_time":"2022-12-05T02:47:00+00:00","author":"TBF_Shawn","twitter_card":"summary_large_image","twitter_misc":{"Written by":"TBF_Shawn","Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/12\/04\/intro-to-pci-version-4-requirement-12\/#article","isPartOf":{"@id":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/12\/04\/intro-to-pci-version-4-requirement-12\/"},"author":{"name":"TBF_Shawn","@id":"https:\/\/terrabytefoundry.com\/blog_s\/#\/schema\/person\/588d52e259ebeabac260cbb21bb1aeb4"},"headline":"Intro to PCI version 4: Requirement 12","datePublished":"2022-12-05T02:47:00+00:00","mainEntityOfPage":{"@id":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/12\/04\/intro-to-pci-version-4-requirement-12\/"},"wordCount":1615,"articleSection":["Shawn"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/12\/04\/intro-to-pci-version-4-requirement-12\/","url":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/12\/04\/intro-to-pci-version-4-requirement-12\/","name":"Intro to PCI version 4: Requirement 12 - Shawn&#039;s Blog","isPartOf":{"@id":"https:\/\/terrabytefoundry.com\/blog_s\/#website"},"datePublished":"2022-12-05T02:47:00+00:00","author":{"@id":"https:\/\/terrabytefoundry.com\/blog_s\/#\/schema\/person\/588d52e259ebeabac260cbb21bb1aeb4"},"breadcrumb":{"@id":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/12\/04\/intro-to-pci-version-4-requirement-12\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/terrabytefoundry.com\/blog_s\/2022\/12\/04\/intro-to-pci-version-4-requirement-12\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/terrabytefoundry.com\/blog_s\/2022\/12\/04\/intro-to-pci-version-4-requirement-12\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/terrabytefoundry.com\/blog_s\/"},{"@type":"ListItem","position":2,"name":"Intro to PCI version 4: Requirement 12"}]},{"@type":"WebSite","@id":"https:\/\/terrabytefoundry.com\/blog_s\/#website","url":"https:\/\/terrabytefoundry.com\/blog_s\/","name":"Shawn&#039;s Blog","description":"Shawn&#039;s Thoughts and Ramblings","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/terrabytefoundry.com\/blog_s\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/terrabytefoundry.com\/blog_s\/#\/schema\/person\/588d52e259ebeabac260cbb21bb1aeb4","name":"TBF_Shawn","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/5acf07715e5622368f9bc851369ef517917f409c14615da93434e0dcf7bbed28?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/5acf07715e5622368f9bc851369ef517917f409c14615da93434e0dcf7bbed28?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/5acf07715e5622368f9bc851369ef517917f409c14615da93434e0dcf7bbed28?s=96&d=mm&r=g","caption":"TBF_Shawn"},"sameAs":["https:\/\/terrabytefoundry.com\/blog_s"],"url":"https:\/\/terrabytefoundry.com\/blog_s\/author\/tbf_shawn\/"}]}},"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/posts\/85","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/comments?post=85"}],"version-history":[{"count":1,"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/posts\/85\/revisions"}],"predecessor-version":[{"id":86,"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/posts\/85\/revisions\/86"}],"wp:attachment":[{"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/media?parent=85"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/categories?post=85"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/terrabytefoundry.com\/blog_s\/wp-json\/wp\/v2\/tags?post=85"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}