PCI Data Security Standards

runZero streamlines PCI DSS compliance by enabling you to quickly evaluate your security measures, uncover vulnerabilities, and apply necessary controls to safeguard cardholder data. Equip your team with the tools to continuously monitor, assess, and reduce risks, ensuring sustained compliance and robust protection against evolving cyber threats.

Our Alignment

PCI DSS Key Requirements

Requirement 1: Install and Maintain Network Security Controls
runZero provides visibility into all network devices and endpoints, helping organizations identify where network security controls need to be installed and maintained. By continuously scanning and monitoring the network, it helps keep the security posture current and compliant with PCI DSS requirements.

Requirement 2: Apply Secure Configurations to All System Components
runZero enables discovery of all assets within the network, allowing organizations to identify systems that need secure configurations. By providing visibility into the entire environment, it helps confirm that every in-scope system is covered by the organization's configuration standards.

Requirement 3: Protect Stored Account Data
runZero provides visibility into where cardholder data (CHD) may be stored within the network, helping organizations implement proper protections. It does not protect the data itself, but it helps ensure that security measures are applied to the locations within the environment that hold sensitive data.

Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission
runZero helps organizations protect sensitive data in transit by identifying network assets and the services and communication paths they expose. This visibility lets organizations spot weak network configurations and services that still accept deprecated cryptographic protocols, so that encryption gaps can be closed; runZero does not itself enforce encryption.

Requirement 5: Protect All Systems and Networks from Malicious Software
runZero provides continuous monitoring and asset discovery to identify systems that are exposed to malicious software, including assets missing endpoint protection. It also surfaces unpatched and outdated systems so that security patches and updates can be applied before they are exploited by malware.

Requirement 6: Develop and Maintain Secure Systems and Software
runZero enables vulnerability scanning and provides visibility into outdated software and unpatched systems, supporting the maintenance of secure systems. This helps ensure systems are regularly assessed and updated in line with PCI DSS requirements.

Requirement 7: Restrict Access to System Components and Cardholder Data by Business Need to Know
runZero allows organizations to identify assets and the access paths to them on the network, helping ensure that only authorized users can reach systems and sensitive data. It aids in maintaining restricted access to critical systems by showing where access is broader than intended.

Requirement 8: Identify Users and Authenticate Access to System Components
runZero helps identify all users and devices on the network and provides visibility into access patterns. This supports incident response (IR) by enabling quick identification of unauthorized devices or users, so that teams can act promptly to mitigate potential security breaches.

Requirement 9: Restrict Physical Access to Cardholder Data
runZero's asset discovery helps organizations locate devices that may store cardholder data so that physical security controls can be applied to restrict access to them, supporting compliance with physical access restrictions.

Requirement 10: Log and Monitor All Access to System Components and Cardholder Data
runZero integrates with existing logging and monitoring systems. By continuously monitoring network assets and changes, it helps confirm that access to system components is being logged and that the logs are available for review, supporting PCI DSS compliance.

Requirement 11: Test Security of Systems and Networks Regularly
runZero supports vulnerability scanning and penetration testing, providing native discovery of weaknesses and security gaps in devices and networks. It helps organizations scope their testing by ensuring all assets are included in the assessment.

Requirement 12: Support Information Security with Organizational Policies and Programs
runZero helps organizations implement security policies and programs by providing visibility into their entire network environment. The data it gathers can be used to inform and enforce security policies, supporting continuous security improvement and compliance.


Achieve Compliance

How runZero supports PCI DSS requirements

runZero directly supports many PCI DSS provisions related to asset visibility, inventory management, and vulnerability discovery, while also enabling programmatic approaches for protecting environments, detecting events, and responding to incidents. Its robust capabilities provide organizations with a single tool and source of truth across IT, OT, IoT, and external environments, ensuring compliance as operations and threats evolve.

Many PCI DSS provisions require the integration of multiple security controls, programs, and policies working together to achieve compliance. runZero indirectly supports several of these provisions by supplying critical elements as part of a broader approach, contributing to compliance efforts that go beyond the specific areas it directly addresses.


Support Types: Direct (runZero's own asset discovery, inventory, and exposure data addresses the requirement) and Indirect (runZero supplies inputs to controls that must be implemented and enforced by other tools or processes).

Install and Maintain Network Security Controls

Requirement Support How runZero Helps
1.2.3
An accurate network diagram(s) is maintained that shows all connections between the CDE and other networks, including any wireless networks
Indirect
Automatically discovers all assets and network connections, including wired and wireless devices, showing bridges between network segments and surfacing segmentation misconfigurations.

runZero generates two topology maps: a switch (Layer 2) topology and a network bridges map.

Identifies previously unknown assets and unmanaged devices that could impact the CDE.

Maps relationships between internal and external networks to highlight potential security gaps.

Continuously updates network topology based on real-time scanning and integrations with other data sources.
1.2.4
An accurate data-flow diagram(s) is maintained
Indirect
runZero identifies assets and their network communication paths, which helps in mapping data flows. However, it does not generate actual data-flow diagrams or classify account data movements. Additional tools for data classification and flow visualization are needed.
1.2.5
All services, protocols and ports allowed are identified, approved, and have a defined business need.
Direct
  • Identifies all active services, protocols, and open ports across the environment, including unmanaged and shadow IT assets.
  • Highlights unauthorized or unexpected services that could introduce security risks.
  • Provides continuous monitoring to detect changes in allowed services, protocols, and ports.
  • Integrates with security tools to correlate discovered services with approved configurations and policies.
  • Helps validate whether services and protocols align with defined business needs.
  • Flags high-risk or legacy protocols that should be restricted or phased out.
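The reconciliation described for 1.2.5 (and the insecure-service detection it feeds into 1.2.6 and 2.2.5) can be scripted once discovered services are exported. The following is an added example, not runZero code: it takes a constructed inventory in a hypothetical export schema (the field names `address`, `in_cde`, `services`, `tls_versions` are assumptions, not runZero's), compares each CDE service against an approved-services list with its documented business need, and separately flags cleartext protocols, deprecated TLS versions, and community-string SNMP.

```python
"""Reconcile discovered services against an approved list (PCI DSS 1.2.5).

Added example, not runZero code. The inventory below is constructed and the
field names are a hypothetical export schema.
"""
from dataclasses import dataclass

# Constructed sample inventory: three assets as a discovery tool might report them.
SAMPLE_INVENTORY = [
    {"address": "10.10.1.5", "hostname": "pos-gw-01", "in_cde": True,
     "services": [
         {"port": 443, "transport": "tcp", "protocol": "https", "tls_versions": ["1.2", "1.3"]},
         {"port": 22, "transport": "tcp", "protocol": "ssh"}]},
    {"address": "10.10.1.9", "hostname": "legacy-db", "in_cde": True,
     "services": [
         {"port": 23, "transport": "tcp", "protocol": "telnet"},
         {"port": 1433, "transport": "tcp", "protocol": "mssql", "tls_versions": ["1.0", "1.2"]}]},
    {"address": "10.20.3.7", "hostname": "printer-lobby", "in_cde": False,
     "services": [
         {"port": 9100, "transport": "tcp", "protocol": "jetdirect"},
         {"port": 161, "transport": "udp", "protocol": "snmp", "version": "v2c"}]},
]

# Approved services for CDE assets, keyed by (port, transport), with the
# documented business need. Assumption: the approved list is scoped to CDE assets.
APPROVED_CDE_SERVICES = {
    (443, "tcp"): "Payment gateway API (TLS 1.2+ only)",
    (22, "tcp"): "Administrative SSH from jump host",
    (1433, "tcp"): "Card database, internal only",
}

# Services considered insecure; 1.2.6 / 2.2.5 require justification and mitigation.
INSECURE_PROTOCOLS = {"telnet", "ftp", "rsh", "rlogin", "http"}
INSECURE_TLS = {"1.0", "1.1"}
INSECURE_SNMP = {"v1", "v2c"}


@dataclass
class Finding:
    address: str
    hostname: str
    port: int
    transport: str
    kind: str      # "unapproved" or "insecure"
    detail: str


def reconcile(inventory, approved=APPROVED_CDE_SERVICES):
    """Return findings for every service that is unapproved (CDE only) or insecure."""
    findings = []
    for asset in inventory:
        for svc in asset["services"]:
            where = dict(address=asset["address"], hostname=asset["hostname"],
                         port=svc["port"], transport=svc["transport"])
            proto = svc["protocol"]
            # 1.2.5: every allowed service on a CDE asset needs an approval entry.
            if asset["in_cde"] and (svc["port"], svc["transport"]) not in approved:
                findings.append(Finding(**where, kind="unapproved",
                                        detail=f"{proto} has no approved business need"))
            # 1.2.6 / 2.2.5: insecure protocols are flagged regardless of CDE membership.
            if proto in INSECURE_PROTOCOLS:
                findings.append(Finding(**where, kind="insecure",
                                        detail=f"cleartext protocol {proto}"))
            weak_tls = INSECURE_TLS & set(svc.get("tls_versions", []))
            if weak_tls:
                findings.append(Finding(**where, kind="insecure",
                                        detail="accepts TLS " + ", ".join(sorted(weak_tls))))
            if proto == "snmp" and svc.get("version") in INSECURE_SNMP:
                findings.append(Finding(**where, kind="insecure",
                                        detail=f"SNMP {svc['version']} uses community-string auth"))
    return findings


def summarize(findings):
    """Count findings by kind, e.g. {'unapproved': 1, 'insecure': 3}."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in reconcile(SAMPLE_INVENTORY):
        print(f"{f.hostname:14} {f.address:12} {f.transport}/{f.port:<5} {f.kind:10} {f.detail}")
    print(summarize(reconcile(SAMPLE_INVENTORY)))
```

The approved list is keyed on port and transport rather than on the fingerprinted protocol name so that a service squatting on an approved port with the wrong protocol still surfaces as a TLS or protocol finding. Non-CDE assets are only checked for insecure services here; whether they also need an approval entry depends on how the entity has scoped 1.2.5.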
    1.2.6
    Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated
    Indirect
    runZero can detect insecure services, protocols, and ports but does not enforce security settings. Organizations need additional security tools (e.g., firewalls, IDS/IPS) to implement necessary protections.
    1.2.7
    Configurations of NSCs are reviewed at least once every six months to confirm they are relevant and effective
    Indirect
    runZero can identify network security devices and detect configuration changes, but it does not perform full configuration audits. A dedicated configuration management or security compliance tool is required for full compliance.
    1.3.1
    Inbound traffic to the CDE is restricted
    Indirect
    runZero can identify inbound network connections and help detect unauthorized inbound traffic, but it does not enforce firewall rules. A firewall or network security solution is required to enforce traffic restrictions.
    1.3.2
    Outbound traffic from the CDE is restricted
    Indirect
    runZero can discover outbound connections and help identify unauthorized or unexpected traffic, but it does not control or restrict outbound communication. Firewall policies or network access controls are needed to enforce restrictions.
    1.3.3
    NSCs are installed between all wireless networks and the CDE, regardless of whether the wireless network is a CDE
    Indirect
    runZero can detect wireless network infrastructure and identify devices communicating over Wi-Fi, but it does not enforce NSC placement or traffic restrictions. Firewalls and network segmentation tools are required for full compliance.
    1.4.1
    NSCs are implemented between trusted and untrusted networks
    Indirect
    runZero can identify network segmentation gaps and misconfigurations, highlighting assets that are exposed to untrusted networks. However, it does not deploy or enforce NSC configurations—firewalls and network security controls are required for implementation.
    1.4.2
    Inbound traffic from untrusted networks to trusted networks is restricted
    Indirect
    runZero can identify unauthorized inbound connections, exposed services, and segmentation gaps, helping organizations validate network access policies. However, it does not block or restrict traffic—firewalls and access control policies must be implemented separately.
    1.4.4
    System components that store cardholder data are not directly accessible from untrusted networks
    Indirect
    runZero can identify assets storing cardholder data (if properly labeled and integrated with external data classification tools), network segmentation gaps, and detect their network exposure, but it does not enforce access restrictions. Organizations need firewalls and access control solutions to prevent direct exposure.
    1.4.5
    The disclosure of internal IP addresses and routing information is limited to only authorized parties
    Indirect
    runZero can detect internal IP addresses exposed to unauthorized networks or internet-facing assets, helping organizations mitigate risks. However, it does not restrict or mask internal IP disclosures—network security policies and NAT configurations must be implemented separately.
    1.5.1
    Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks (including the Internet) and the CDE
    Indirect
    runZero can identify missing security controls on computing devices, such as unpatched systems, absent or disabled endpoint protection, or misconfigurations, and detect devices connecting to both untrusted networks and the CDE; however, it does not enforce security configurations, manage endpoint security, or restrict user modifications.

    Apply Secure Configurations to All System Components

    Requirement Support How runZero Helps
    2.2.1
    Configuration standards are developed, implemented, and maintained
    Indirect
    runZero can detect misconfigurations, outdated software, and missing patches, but it does not enforce configuration hardening. Organizations must implement configuration management and compliance tools to apply and verify hardening standards.
    2.2.2
    Vendor default accounts are managed
    Indirect
    runZero can identify default credentials on networked devices (e.g., SNMP, Telnet), but it does not change or manage accounts. Organizations must use credential management and privileged access management (PAM) solutions.
    2.2.3
    Primary functions requiring different security levels are managed
    Indirect
    runZero can detect multiple functions running on the same system and identify potential security risks, but it does not enforce function isolation. Organizations need system hardening and segmentation controls.
    2.2.4
    Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled
    Indirect
    runZero can identify unnecessary services, protocols, and daemons running on network devices, but it does not directly control which services are enabled or disabled. It could inform security teams about unnecessary services, but it cannot directly disable or enable them.
    2.2.5
    If any insecure services, protocols, or daemons are present, business justification is documented
    Indirect
    runZero can detect insecure services or protocols in use (e.g., old SSL versions, exposed ports, vulnerable protocols), but it does not implement the security measures that mitigate the risk. It helps identify insecure configurations and gives the documented business justification a concrete inventory to reference, but it does not implement compensating security features.
    2.2.7
    All non-console administrative access is encrypted using strong cryptography
    Indirect
    runZero can detect non-console administrative access to systems, including APIs and web interfaces, and flag them for review if encryption is not enabled, but it does not directly configure or enforce encryption of these access channels.
    2.3.1
    For wireless environments connected to the CDE or transmitting account data, all wireless vendor defaults are changed at installation or are confirmed to be secure
    Indirect
    runZero can discover wireless networks and identify security weaknesses such as default vendor settings, but it does not manage wireless settings. It can alert on weak configurations but does not directly configure or change wireless settings.
    2.3.2
    For wireless environments connected to the CDE or transmitting account data, wireless encryption keys are changed
    Indirect
    runZero detects and identifies wireless networks and can flag weak encryption modes or vendor-default wireless settings, but it cannot change keys or perform encryption key management. runZero can alert on insecure wireless settings but does not handle key rotation directly.

    Protect Stored Account Data

    Requirement Support How runZero Helps
    3.2.1
    Account data storage is kept to a minimum through implementation of data retention and disposal policies, procedures, and processes
    Indirect
    runZero can help discover and inventory storage locations where account data might be stored unintentionally, such as shadow IT or forgotten systems. However, runZero does not enforce data retention and disposal policies—additional data classification, DLP (Data Loss Prevention), and SIEM solutions would be needed.
    3.4.2
    When using remote-access technologies, technical controls prevent copy and/or relocation of PAN for all personnel, except for those with documented, explicit authorization and a legitimate, defined business need
    Indirect
    runZero can identify remote access technologies that might allow for copying or relocating PAN data. It may find vulnerabilities or configurations that could lead to non-compliance. However, enforcing restrictions (like preventing copy/move operations) would be outside runZero's capabilities.

    Protect Cardholder Data with Strong Cryptography During Transmission

    Requirement Support How runZero Helps
    4.2.1
    Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks
    Indirect
    runZero helps detect and identify services that accept unencrypted connections or deprecated cryptographic protocols (e.g., SSLv3, TLS 1.0/1.1), along with misconfigured network services that could expose PAN over open, public networks. However, runZero does not enforce encryption policies or perform certificate validation; a TLS inspection gateway, SIEM, or network security appliance would be needed for that.
    4.2.1.1
    An inventory of the entity’s trusted keys and certificates is maintained
    Indirect
    runZero does not maintain an inventory of cryptographic keys or certificates but can assist in identifying servers and services that require certificate management.
    4.2.1.2
    Wireless networks transmitting PAN or connected to the CDE use industry best practices to implement strong cryptography for authentication and transmission
    Indirect
    runZero can identify unencrypted or weakly encrypted wireless networks within the cardholder data environment (CDE). However, it does not enforce encryption policies or manage wireless authentication settings—additional WPA3-compliant wireless security measures and network access controls (NAC) are needed.

    Protect All Systems and Networks from Malicious Software

    Requirement Support How runZero Helps
    5.2.1
    An anti-malware solution(s) is deployed on all system components
    Direct
    • runZero can identify assets that lack anti-malware protection by scanning for missing endpoint security software and flagging unmanaged or rogue devices.
    5.2.3
    Any system components that are not at risk for malware are evaluated periodically
    Indirect
    runZero helps by providing a comprehensive inventory of system components and identifying devices that may be considered low-risk for malware (e.g., network appliances, specialized OT devices). However, full compliance requires a documented risk evaluation process conducted by security teams.
    5.4.1
    Processes and automated mechanisms are in place to detect and protect personnel against phishing attacks
    Indirect
    runZero can identify assets vulnerable to phishing attacks by detecting unmanaged email clients, unauthorized browser extensions, and missing endpoint protections. However, runZero does not actively detect phishing attacks—a secure email gateway (SEG) or phishing detection platform is needed.

    Develop and Maintain Secure Systems and Software

    Requirement Support How runZero Helps
    6.3.1
    Security vulnerabilities are identified and managed
    Indirect
    runZero helps organizations identify and prioritize security vulnerabilities by discovering outdated software versions and highlighting unpatched assets. However, organizations must implement active monitoring of vulnerability feeds and define a risk ranking process based on exploitability and asset criticality.
    6.3.2
    An inventory of bespoke and custom software, and third-party software components incorporated into bespoke and custom software is maintained to facilitate vulnerability and patch management
    Indirect
    runZero provides a real-time inventory of software assets, which helps organizations maintain a list of custom and third-party software components. However, full compliance requires tracking software dependencies using a Software Bill of Materials (SBOM) and ensuring continuous monitoring of software versions.
    6.3.3
    All system components are protected from known vulnerabilities by installing applicable security patches/updates
    Indirect
    runZero assists by detecting unpatched software and identifying outdated systems, helping organizations enforce patch management policies. However, organizations must deploy automated patch management solutions (e.g., WSUS, SCCM, Tanium) to ensure critical patches are installed within required timeframes.
    6.4.1
    For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attack
    Indirect
    runZero helps organizations identify public-facing web applications and detect unauthorized or shadow IT systems that may be vulnerable. However, organizations must deploy Web Application Firewalls (WAFs), conduct regular security assessments, and implement real-time attack prevention mechanisms.
    6.5.1
    Changes to all system components in the production environment are made according to established procedures
    Indirect
    runZero assists by tracking infrastructure changes and detecting unauthorized modifications to systems, helping organizations identify deviations from change management policies. However, full compliance requires a formalized change management process, approval workflows, and security impact assessments before deployment.
    6.5.2
    Upon completion of a significant change, all applicable PCI DSS requirements are confirmed to be in place on all new or changed systems and networks, and documentation is updated as applicable
    Indirect
    runZero can help verify that new or changed systems are in the scope of PCI DSS by providing asset visibility. It can help ensure that systems are properly documented and are operating with the required security configurations, but it does not manage the overall change confirmation process for PCI DSS compliance.
    6.5.3
    Pre-production environments are separated from production environments and the separation is enforced with access controls
    Indirect
    runZero can help with visibility into systems and can confirm whether pre-production environments are properly segregated from production systems by analyzing the network architecture. However, it does not manage access controls or enforce segregation directly.
    6.5.4
    Roles and functions are separated between production and pre-production environments to provide accountability such that only reviewed and approved changes are deployed
    Indirect
    runZero can show which systems belong to production and which to pre-production environments, and can confirm that the two are segregated at the network level. However, it does not manage roles, approval workflows, or the separation of duties between the environments; those must be enforced through change management and access control processes.
    6.5.5
    Live PANs are not used in pre-production environments, except where those environments are included in the CDE and protected in accordance with all applicable PCI DSS requirements
    Indirect
    runZero can identify pre-production systems that may be running live PAN data. It can provide visibility into whether PAN is inadvertently exposed in non-production environments, but it does not enforce the no live PAN rule directly.
    6.5.6
    Test data and test accounts are removed from system components before the system goes into production
    Indirect
    runZero helps organizations identify test accounts and non-standard assets that may still be present in production environments. However, full compliance requires automated scripts for test data removal and manual validation before production deployment.

    Restrict Access to System Components and Cardholder Data by Business Need to Know

    Requirement Support How runZero Helps
    7.2.1
    An access control model is defined and includes granting access
    Indirect
    runZero helps organizations enforce least privilege by identifying devices, systems, and accounts that may have excessive or unnecessary access rights. However, full compliance requires an access control model defined within an identity and access management (IAM) system, role-based access policies, and enforcement mechanisms.
    7.2.2
    Access is assigned to users, including privileged users
    Indirect
    runZero assists by detecting privileged accounts and identifying unauthorized or excessive access to critical systems. However, organizations must implement IAM tools and access provisioning processes to ensure user roles align with job responsibilities.
    7.2.4
    All user accounts and related access privileges, including third-party/vendor accounts, are reviewed
    Indirect
    runZero can identify inactive or orphaned accounts and detect unauthorized access patterns that may indicate excessive permissions. However, organizations must conduct formal user access reviews using IAM platforms or manual audit processes to ensure compliance.
    7.2.5
    All application and system accounts and related access privileges are assigned and managed
    Indirect
    runZero provides visibility into systems and applications that may be over-provisioned with privileges. While it doesn’t manage system account privileges directly, it can help identify systems where privileges may need to be adjusted to ensure least privilege policies are in place.
    7.2.5.1
    All access by application and system accounts and related access privileges are reviewed
    Indirect
    runZero can help identify application/system accounts across the environment and provide visibility into their access configurations. This can support periodic reviews, but it does not facilitate the review process or ensure that management acknowledges the appropriateness of access.

    Identify Users and Authenticate Access to System Components

    Requirement Support How runZero Helps
    8.2.6
    Inactive user accounts are removed or disabled within 90 days of inactivity
    Indirect
    runZero integrates with Microsoft Entra ID (formerly Azure AD) and on-premises Active Directory to identify active and inactive user accounts. Custom queries and alerts can be configured to monitor for user accounts that remain enabled after 90 days of inactivity.
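The 90-day check behind 8.2.6 is simple, but two edge cases decide whether it is useful: accounts that have never logged on (which have no last-logon value and would otherwise never age out) and accounts that are already disabled (which are compliant and should not be reported). The following added example, not runZero code, applies the check to a constructed directory export; the record fields `sam`, `enabled`, `last_logon`, and `created` are a hypothetical schema, not any product's.

```python
"""Flag enabled accounts inactive for more than 90 days (PCI DSS 8.2.6).

Added example, not runZero code. The account records are constructed and the
field names are a hypothetical directory-export schema.
"""
from datetime import datetime, timedelta, timezone

INACTIVITY_LIMIT = timedelta(days=90)

# Constructed sample export. last_logon is None for accounts that never logged on.
SAMPLE_ACCOUNTS = [
    {"sam": "jdoe",        "enabled": True,  "last_logon": "2024-05-02T09:12:00Z", "created": "2021-03-01T00:00:00Z"},
    {"sam": "svc_backup",  "enabled": True,  "last_logon": "2023-11-20T00:00:00Z", "created": "2020-01-15T00:00:00Z"},
    {"sam": "contractor7", "enabled": True,  "last_logon": None,                   "created": "2023-09-01T00:00:00Z"},
    {"sam": "newhire",     "enabled": True,  "last_logon": None,                   "created": "2024-05-20T00:00:00Z"},
    {"sam": "old_admin",   "enabled": False, "last_logon": "2022-01-01T00:00:00Z", "created": "2019-01-01T00:00:00Z"},
]


def _parse(ts):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def inactive_accounts(accounts, now, limit=INACTIVITY_LIMIT):
    """Return (account, days_inactive) for enabled accounts past the inactivity limit.

    Never-logged-on accounts are aged from their creation date so they cannot
    sit enabled forever with an empty last-logon field.
    """
    cutoff = now - limit
    stale = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled: nothing to do for 8.2.6
        reference = _parse(acct["last_logon"]) if acct["last_logon"] else _parse(acct["created"])
        if reference < cutoff:
            stale.append((acct["sam"], (now - reference).days))
    return stale


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for sam, days in inactive_accounts(SAMPLE_ACCOUNTS, now):
        print(f"{sam}: enabled, {days} days inactive (limit {INACTIVITY_LIMIT.days})")
```

Passing `now` explicitly keeps the check reproducible in a review and lets a QSA re-run it against an export taken on a known date. In real directories the last-logon attribute is replicated lazily, so the export should come from a source that consolidates logon times across domain controllers before the 90-day comparison is trusted.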
    8.4.1
    MFA is implemented for all non-console access into the CDE for personnel with administrative access
    Indirect
    runZero provides visibility into administrative access points that could lead to access into the CDE. However, runZero does not directly enforce MFA on administrative accounts.
    8.4.2
    MFA is implemented for all access into the CDE
    Indirect
    runZero can help identify access points and systems where MFA might be missing or improperly implemented, but it does not enforce MFA requirements.
    8.4.3
    MFA is implemented for all remote network access originating from outside the entity’s network that could access or impact the CDE
    Indirect
    runZero offers visibility into systems and access points, which can help monitor remote access and check for MFA enforcement. However, it doesn’t directly implement or enforce MFA.
    8.6.1
    If accounts used by systems or applications can be used for interactive login, they are managed
    Indirect
    runZero can identify system and application accounts that allow interactive logins, helping organizations enforce restrictions. However, full compliance requires IAM policies and system hardening measures.

    Restrict Physical Access to Cardholder Data

    Requirement Support How runZero Helps
    9.4.5.1
    Inventories of electronic media with cardholder data are conducted at least once every 12 months
    Indirect
    runZero can help identify assets and devices that may store cardholder data. However, inventory management and tracking would still need to be conducted by a dedicated system.
    9.5.1
    POI devices that capture payment card data via direct physical interaction with the payment card form factor are protected from tampering and unauthorized substitution
    Indirect
    runZero can help organizations maintain a network-facing inventory of POI devices, aiding in device tracking. However, tamper inspection, verification of physical location, and any device attributes not exposed on the network must still be recorded and checked manually.
    9.5.1.1
    An up-to-date list of POI devices is maintained
    Direct
    • Automatically discovers and catalogs POI devices across the environment, including unmanaged and shadow assets.
    • Identifies make, model, and firmware versions through fingerprinting.
    • Associates devices with physical or logical locations based on network topology and asset metadata.
    • Captures serial numbers and unique identifiers where available through integrations and scanning methods.
    • Provides continuous asset tracking to ensure the POI device inventory remains accurate and up to date.

    Log and Monitor All Access to System Components and Cardholder Data

    Requirement Support How runZero Helps
    10.2.1
    Audit logs are enabled and active for all system components and cardholder data
    Indirect
    runZero helps by identifying assets that are not currently being logged, for example by comparing its asset inventory against the log sources known to a SIEM. However, full compliance requires configuring logging policies at the OS, application, and network levels.
    10.7.1
    Failures of critical security control systems are detected, alerted, and addressed promptly
    Indirect
    runZero helps detect network segmentation failures or misconfigured security controls, aiding service providers in identifying risks. However, full compliance requires SIEM tools that detect failures in IDS/IPS, firewalls, and authentication mechanisms.
    10.7.2
    Failures of critical security control systems are detected, alerted, and addressed promptly
    Indirect
    runZero helps identify missing or failed segmentation controls by detecting improperly isolated systems. However, organizations must implement SIEM solutions and security monitoring tools to detect failures in IDS, IPS, and anti-malware solutions.
    10.7.3
    Failures of any critical security control systems are responded to promptly, including restoring security functions and identifying the duration and cause of the failure
    Indirect
    runZero assists in identifying impacted systems and restoring visibility after a security failure, helping organizations recover more efficiently. However, full compliance requires incident response workflows and remediation tracking for security failures.

    Test Security of Systems and Networks Regularly

    Requirement Support How runZero Helps
    11.2.1
    Authorized and unauthorized wireless access points are managed
    Direct
    • Continuously scans for authorized and unauthorized wireless access points, including rogue devices.
    • Identifies Wi-Fi networks, SSIDs, and associated devices through active and passive discovery.
    • Detects newly introduced or misconfigured access points that could pose security risks.
    • Provides automated monitoring with alerts for newly detected or unauthorized wireless networks.
    11.2.2
    An inventory of authorized wireless access points is maintained
    Direct
    • Automatically discovers and catalogs all authorized wireless access points across the environment.
    • Identifies SSID, MAC address, encryption type, and associated devices for each access point.
    • Tracks changes in the wireless inventory to detect unauthorized or rogue devices.
    • Provides exportable reports for maintaining an up-to-date inventory with business justifications.
    11.3.1
    Internal vulnerability scans are performed
    Direct
    • Continuously scans internal assets for vulnerabilities, identifying high-risk and critical issues.
    • Supports scheduled and on-demand scans to meet the three-month scanning requirement.
    • Tracks remediation efforts and performs automated rescans to verify vulnerability resolution.
    • Integrates with external vulnerability intelligence to ensure scan data is up to date.
    • Provides detailed reporting on vulnerabilities, risk severity, and remediation progress.
    • Enables independent validation of scan results through integrations and reporting tools
    11.3.1.1
    All other applicable vulnerabilities (those not ranked as high-risk or critical (per the entity’s vulnerability risk rankings defined at Requirement 6.3.1) are managed
    Indirect
    runZero can provide insight into vulnerable assets, but the decision-making regarding risk analysis and prioritization of vulnerabilities is a policy-driven process that runZero does not automate. It can be used as part of the vulnerability management strategy to address vulnerabilities.
    11.3.1.2
    Internal vulnerability scans are performed via authenticated scanning
    Indirect
    runZero reports networked devices and their exposed configurations, but it does not perform authenticated vulnerability scanning. That is typically handled by a vulnerability scanner with credentialed scanning, whose results can be imported into runZero via its APIs and correlated with the unauthenticated exposures runZero identifies.
    11.3.1.3
    Internal vulnerability scans are performed after any significant change
    Direct
    • Detects and assesses vulnerabilities after significant changes to the environment.
    • Identifies high-risk and critical vulnerabilities that require remediation based on defined risk rankings.
    • Supports automated and on-demand rescans to verify that identified vulnerabilities have been resolved.
    • Ensures scan data is current by integrating with external vulnerability intelligence sources.
    • Provides detailed reports on vulnerabilities, remediation status, and risk impact.
    • Enables independent validation of scan results through role-based access and reporting tools.
    11.3.2
    External vulnerability scans are performed
    Indirect
    runZero can scan external assets to verify patching and exposure, but the quarterly external scans required by 11.3.2 must be performed by a PCI SSC Approved Scanning Vendor (ASV) to meet compliance.
    11.3.2.1
    External vulnerability scans are performed after any significant change
    Direct
    • Conducts external vulnerability scans after significant changes to identify risks.
    • Detects vulnerabilities with a CVSS score of 4.0 or higher for prioritized remediation.
    • Supports automated and on-demand rescans to verify successful remediation.
    • Integrates with threat intelligence sources to ensure scan data is up to date.
    • Provides detailed reports on identified vulnerabilities, risk levels, and remediation status.
    • Enables independent validation of scan results through role-based access and reporting tools.
    11.4.1
    A penetration testing methodology is defined, documented, and implemented by the entity
    Direct
    • Discovers all assets within the CDE perimeter and critical systems.
    • Identifies potential attack vectors for both internal and external penetration testing.
    • Helps validate segmentation and scope-reduction controls by mapping network connections.
    • Provides visibility into network-layer components, including operating systems and supporting infrastructure.
    • Enables tracking and analysis of vulnerabilities based on past security incidents and threat intelligence.
    • Supports documentation and reporting of penetration testing results and remediation actions.
    11.4.2
    Internal penetration testing is performed
    Direct
    • Supports internal penetration testing by identifying assets, attack surfaces, and potential vulnerabilities.
    • Assists in identifying new risks after significant infrastructure or application changes.
    • Provides asset and network mapping to help testers plan and execute comprehensive assessments.
    • Integrates with security tools to correlate discovered vulnerabilities with penetration test findings.
    11.4.4
    Exploitable vulnerabilities and security weaknesses found during penetration testing are corrected
    Direct
    • Helps security teams verify that systems have been patched or reconfigured after penetration testing.
    • Detects whether vulnerable services are still running post-remediation.
    • Provides continuous monitoring to identify reintroduced vulnerabilities or new misconfigurations.
    • Can be used to rescan assets to ensure that all fixes have been applied before the next audit.
    11.4.5
    Penetration tests are performed on segmentation controls
    Direct
    • Identifies segmentation gaps and weaknesses in environments (e.g., CDE vs. non-CDE).
    • Provides visibility into all connected assets, ensuring that no system is inadvertently bridging segmented networks.
    • Helps validate whether network segmentation policies are being enforced.
    11.4.6
    Penetration tests are performed on segmentation controls
    Direct
    • Identifies segmentation gaps and weaknesses in environments (e.g., CDE vs. non-CDE).
    • Provides visibility into all connected assets, ensuring that no system is inadvertently bridging segmented networks.
    • Helps validate whether network segmentation policies are being enforced.
    11.5.1
    Intrusion-detection and/or intrusion-prevention techniques are used to detect and/or prevent intrusions into the network
    Indirect
    runZero can help discover assets and map networks, providing visibility into network configurations where IDS/IPS systems should be deployed. However, runZero does not itself perform intrusion detection or intrusion prevention.

    Support information security with organizational policies and programs

    Requirement Support How runZero Helps
    12.2.1
    Acceptable use policies for end-user technologies are documented and implemented
    Indirect
    runZero can assist in identifying end-user technologies (e.g., laptops, mobile devices) and help monitor their security, but does not directly define or implement acceptable use policies.
    12.3.1
    Each PCI DSS requirement that provides flexibility for how frequently it is performed (for example, requirements to be performed periodically) is supported by a targeted risk analysis that is documented
    Indirect
    runZero helps by identifying assets and threats in the environment, aiding risk analysis efforts. However, full compliance requires organizations to conduct and document the risk analysis on a recurring basis.
    12.3.3
    Cryptographic cipher suites and protocols in use are documented and reviewed at least once every 12 months
    Indirect
    runZero can help identify devices using outdated encryption protocols that may expose security risks. However, organizations must implement formal cryptographic reviews and response strategies.
    12.3.4
    Hardware and software technologies in use are reviewed at least once every 12 months
    Direct
    • Continuously discovers and inventories all hardware and software technologies in use.
    • Identifies outdated or end-of-life technologies based on vendor announcements and industry trends.
    • Monitors vendor security updates to ensure technologies receive timely security fixes.
    • Flags technologies that may impact PCI DSS compliance based on security risks or lack of vendor support.
    • Provides detailed reports on technology lifecycle status for review and decision-making.
    • Supports documentation of remediation plans for outdated or end-of-life technologies.
    12.5.1
    An inventory of system components that are in scope for PCI DSS, including a description of function/use, is maintained and kept current.
    Direct
    • Provides comprehensive asset discovery to identify all system components in the Cardholder Data Environment (CDE).
    • Provides automated asset classification to help organizations document in-scope assets.
    • Provides real-time updates to ensure asset inventories remain current.
    12.5.2
    PCI DSS scope is documented and confirmed by the entity at least once every 12 months and upon significant change to the in-scope environment
    Direct
    • Provides an up-to-date inventory of in-scope components and changes, ensuring scope alignment with the environment.
    • Maps asset connections within and outside the CDE.
    • Identifies locations where account data is stored, processed, and transmitted.
    • Tracks segmentation to confirm isolation of CDE from other environments.
    12.5.2.1
    PCI DSS scope is documented and confirmed by the entity at least once every six months and after significant changes. At a minimum, the scoping validation includes all the elements specified in Requirement 12.5.2
    Indirect
    runZero can assist service providers by providing visibility into the assets relevant for PCI DSS, though it does not conduct the validation itself.
    12.5.3
    Significant changes to organizational structure result in a documented (internal) review of the impact to PCI DSS scope and applicability of controls, with results communicated to executive management
    Indirect
    runZero can assist by providing an up-to-date inventory of system components, helping organizations review changes, but it does not conduct or manage scope reviews.
    12.8.1
    A list of all third-party service providers (TPSPs) with which account data is shared or that could affect the security of account data is maintained, including a description for each of the services provided
    Indirect
    runZero can help identify and manage third-party systems and devices by discovering assets connected to or related to third parties but does not manage the list itself.
    12.8.4
    A program is implemented to monitor TPSPs’ PCI DSS compliance status at least once every 12 months
    Indirect
    runZero can help track and monitor systems managed by third parties, but it does not manage third-party compliance directly.
    12.10.1
    An incident response plan exists and is ready to be activated in the event of a suspected or confirmed security incident
    Indirect
    runZero supports incident response by providing visibility into the assets and vulnerabilities within the environment, but it does not directly handle incident response plans.
    12.10.2
    At least once every 12 months, the security incident response plan is reviewed and the content is updated as needed
    Indirect
    While runZero does not manage incident response plans, it can aid in monitoring security posture and asset status during incidents.

    Additional PCI DSS Requirements for Shared Hosting Providers

    Requirement Support How runZero Helps
    A1.1.1
    Logical separation is implemented
    Indirect
    runZero helps identify and manage assets within different environments, which can help identify whether logical separation exists, but it doesn't directly manage or implement logical separation controls.
    A1.1.2
    Controls are implemented such that each customer only has permission to access its own cardholder data and CDE
    Indirect
    runZero can help identify systems and assets that should belong to a specific customer and ensure proper asset allocation, but it does not directly manage access controls or enforce them.
    A1.1.3
    Controls are implemented such that each customer can only access resources allocated to them
    Indirect
    runZero helps with visibility of the systems in use, allowing monitoring of customer assets and systems to ensure that access control policies are followed, but it doesn't directly implement the access control mechanisms.
    A1.2.2
    Processes or mechanisms are implemented to support and/or facilitate prompt forensic investigations in the event of a suspected or confirmed security incident for any customer
    Indirect
    runZero can assist with providing asset data during forensic investigations (e.g., identifying compromised systems), but it does not directly manage or facilitate the investigation process.
    A1.2.3
    Processes or mechanisms are implemented for reporting and addressing suspected or confirmed security incidents and vulnerabilities
    Indirect
    runZero allows organizations to track assets, vulnerabilities, and risks, helping to inform security incident management and response. However, it does not handle reporting or incident remediation directly.
    A2.1.1
    Where POS POI terminals at the merchant or payment acceptance location use SSL and/or early TLS, the entity confirms the devices are not susceptible to any known exploits for those protocols
    Indirect
    runZero helps by identifying POS terminals and network devices still using outdated SSL or early TLS encryption, assisting organizations in pinpointing at-risk assets. However, full compliance requires manual validation of vendor patches, security updates, and continued monitoring of new vulnerabilities.
    A2.1.2
    All service providers with existing connection points to POS POI terminals that use SSL and/or early TLS as defined in A2.1 have a formal Risk Mitigation and Migration Plan in place
    Indirect
    runZero can help service providers identify assets still using SSL or early TLS and track the migration process away from these protocols. However, full compliance requires formal risk assessments, documentation of migration strategies, and monitoring processes to prevent reimplementation of deprecated protocols.
    © Copyright 2025 runZero, Inc. All Rights Reserved