HATS / PCI DSS 4.0 Crosswalk
1. Scope
This crosswalk maps HATS capabilities to PCI DSS 4.0 requirements relevant to the protection of cardholder data. PCI DSS 4.0 organizes requirements into 12 principal requirements across 6 goals. This crosswalk focuses on the requirements where HATS-generated evidence can serve as primary or supporting audit artifacts.
This crosswalk is a technical mapping. It does not constitute a PCI DSS compliance validation or replace the assessment of a Qualified Security Assessor (QSA).
2. Requirement 3 -- Protect Stored Account Data
| PCI DSS Requirement | HATS Capability | Evidence Type | Verification Method |
| --- | --- | --- | --- |
| 3.5 Primary account number (PAN) is secured wherever stored | Encrypted Computation | FHE computation attestation receipts demonstrating PAN processed without decryption | Verify computation_type indicates FHE operation; confirm PAN never in plaintext in any receipt |
| 3.5.1 PAN rendered unreadable using cryptography | Encrypted Computation + Continuous Attestation | Encryption attestation receipts for stored PAN data | Verify encryption receipts exist for all stored PAN; confirm post-quantum key management |
| 3.6 Cryptographic keys used to protect stored data are secured | Evidence Chains | Key lifecycle attestation chain recording generation, distribution, rotation, and destruction | Traverse key lifecycle chain; verify all key operations attested with governance binding |
| 3.7 Cryptographic key management processes | Governance Replay + Evidence Chains | Key management decision attestation receipts with policy binding | Replay key management decisions; verify each decision followed documented cryptographic policy |
3. Requirement 4 -- Protect Cardholder Data with Cryptography During Transmission
| PCI DSS Requirement | HATS Capability | Evidence Type | Verification Method |
| --- | --- | --- | --- |
| 4.2.1 Strong cryptography for transmission over open networks | Encrypted Computation | Transmission encryption attestation receipts with ML-KEM-1024 key establishment | Verify PQ key encapsulation receipts for each open-network transmission |
| 4.2.1.1 Inventory of trusted keys and certificates | Evidence Chains | Key and certificate inventory attestation chain | Traverse inventory chain; verify completeness against active key inventory |
4. Requirement 7 -- Restrict Access to System Components and Cardholder Data
| PCI DSS Requirement | HATS Capability | Evidence Type | Verification Method |
| --- | --- | --- | --- |
| 7.2 Access to system components and data is appropriately defined and assigned | Continuous Attestation + Agent Attestation | Per-access attestation receipts binding identity, role, and resource to each access event | Verify each access receipt contains authorized identity and role; confirm no unauthorized access patterns |
| 7.2.5 Access assigned to application and system accounts managed appropriately | Evidence Chains | System account access attestation chain | Traverse account access chain; verify system account privileges attested at defined review intervals |
5. Requirement 8 -- Identify Users and Authenticate Access
| PCI DSS Requirement | HATS Capability | Evidence Type | Verification Method |
| --- | --- | --- | --- |
| 8.2.1 Unique ID assigned to each user | Continuous Attestation | Per-access attestation receipts with unique identity binding | Verify every access receipt contains a unique tenant_id; confirm no shared identifiers |
| 8.3 Strong authentication for users and administrators | Agent Attestation | Authentication event attestation receipts recording method, strength, and outcome | Verify authentication receipts demonstrate strong authentication for all CDE access |
| 8.6 Authentication mechanisms not shared among multiple accounts | Evidence Chains | Authentication credential attestation chain with per-account binding | Verify credential attestation chain shows unique credentials per account |
6. Requirement 10 -- Log and Monitor All Access
| PCI DSS Requirement | HATS Capability | Evidence Type | Verification Method |
| --- | --- | --- | --- |
| 10.2 Audit logs are implemented to support detection of anomalies | Continuous Attestation + Evidence Chains | Tamper-evident attestation receipt chain recording all access to CDE components | Verify evidence chain completeness; confirm three PQ signatures per receipt; validate chain integrity via predecessor hashes |
| 10.2.1 Audit logs capture all individual user access to cardholder data | Continuous Attestation | Per-access attestation receipts for every cardholder data access event | Verify every cardholder data access has a corresponding attestation receipt with identity binding |
| 10.2.2 Audit logs capture all actions taken by any individual with administrative access | Agent Attestation | Per-action attestation receipts for all administrative operations | Verify administrative action receipts cover all privileged operations; confirm identity binding |
| 10.3 Audit logs are protected from destruction and unauthorized modification | Evidence Chains | Cryptographically linked evidence chain where any modification breaks predecessor hash continuity | Verify chain integrity; any deletion, modification, or insertion is detectable through hash chain validation |
| 10.4 Audit logs are reviewed to identify anomalies or suspicious activity | Governance Replay | Log review decision attestation receipts with governance binding | Replay log review decisions; verify reviews occurred at required frequency with documented methodology |
| 10.5 Audit log history is retained and available for analysis | Evidence Chains | Immutable attestation receipt archive with cryptographic integrity spanning required retention period | Verify chain spans the required 12-month retention period; confirm oldest receipt accessible and valid |
| 10.7 Failures of critical security control systems are detected, reported, and responded to | Continuous Attestation + Governance Replay | Security control failure attestation receipts; response decision attestation receipts | Verify failure detection receipts generated within SLA; replay response decisions |
7. Requirement 11 -- Test Security of Systems and Networks Regularly
| PCI DSS Requirement | HATS Capability | Evidence Type | Verification Method |
| --- | --- | --- | --- |
| 11.3 External and internal vulnerabilities are regularly identified and addressed | Evidence Chains | Vulnerability scan and remediation attestation chain | Traverse scan-to-remediation chain; verify each finding has a corresponding remediation receipt |
| 11.5 Network intrusions and unexpected file changes are detected | Continuous Attestation | File integrity and network state attestation receipts at configurable intervals | Compare successive attestation receipts to detect unauthorized changes; verify attestation continuity |
| 11.6 Unauthorized changes on payment pages are detected | Continuous Attestation | Payment page integrity attestation receipts | Verify page integrity attestation continuity; confirm no unauthorized changes between attestation points |
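The verification methods for Requirement 10.3 (hash-chain validation that exposes deletion, modification or insertion), 10.5 (oldest valid receipt spans the retention period) and 11.5 (comparing successive integrity receipts) are illustrated below with an added example. This is not HATS code and does not use the HATS receipt schema: the field names (`seq`, `predecessor_hash`, `digest`, `tenant_id`, `resource`, `action`, `file_hashes`), SHA-256 over canonical JSON as the predecessor hash, an all-zero genesis value, and 365 days as the "12-month" retention threshold are all assumptions chosen for the example. The three post-quantum signatures per receipt that the crosswalk mentions are not modelled here; the example shows only the hash-chain and state-comparison logic, and the sample receipts are constructed, not real cardholder-data events.

```python
"""Hash-chain verification for attestation receipts (illustrative, not HATS code)."""
import copy
import hashlib
import json
from datetime import datetime, timedelta

GENESIS = "0" * 64  # assumed predecessor value for the first receipt in a chain

# Constructed sample events. To keep the sample small each receipt carries both an
# access event and an attested file state; the field names are assumptions.
SAMPLE_EVENTS = [
    {"timestamp": "2024-01-05T10:00:00", "tenant_id": "t-1001", "resource": "pan-vault",
     "action": "read", "file_hashes": {"/app/checkout.js": "a1", "/app/pay.js": "b2"}},
    {"timestamp": "2024-06-20T14:30:00", "tenant_id": "t-1002", "resource": "pan-vault",
     "action": "read", "file_hashes": {"/app/checkout.js": "a1", "/app/pay.js": "b2"}},
    {"timestamp": "2025-01-04T09:15:00", "tenant_id": "t-1001", "resource": "key-service",
     "action": "rotate", "file_hashes": {"/app/checkout.js": "a1", "/app/pay.js": "c3",
                                         "/app/x.js": "d4"}},
]


def receipt_digest(receipt):
    """SHA-256 over the canonical JSON of every field except the digest itself."""
    body = {k: v for k, v in receipt.items() if k != "digest"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def make_chain(events, genesis=GENESIS):
    """Issue receipts in order; each one commits to the digest of its predecessor."""
    chain, prev = [], genesis
    for seq, event in enumerate(events):
        receipt = {"seq": seq, "predecessor_hash": prev, **event}
        receipt["digest"] = receipt_digest(receipt)
        chain.append(receipt)
        prev = receipt["digest"]
    return chain


def verify_chain(chain, genesis=GENESIS):
    """Req 10.3 check. Returns a list of findings; an empty list means the chain is intact."""
    findings, prev = [], genesis
    for i, receipt in enumerate(chain):
        if receipt["seq"] != i:
            findings.append(f"receipt {i}: sequence break (expected seq {i}, got {receipt['seq']})")
        if receipt["predecessor_hash"] != prev:
            findings.append(f"receipt {i}: predecessor hash does not match previous digest")
        if receipt_digest(receipt) != receipt["digest"]:
            findings.append(f"receipt {i}: body digest mismatch (content altered)")
        prev = receipt["digest"]
    return findings


def chain_spans_retention(chain, as_of, required_days=365):
    """Req 10.5 check: the chain must verify and its oldest receipt must be old enough."""
    if not chain or verify_chain(chain):
        return False
    if isinstance(as_of, str):
        as_of = datetime.fromisoformat(as_of)
    oldest = datetime.fromisoformat(chain[0]["timestamp"])
    return as_of - oldest >= timedelta(days=required_days)


def diff_attested_state(older, newer, field="file_hashes"):
    """Req 11.5 check: compare the file state attested by two successive receipts."""
    a, b = older[field], newer[field]
    return {
        "added": sorted(set(b) - set(a)),
        "removed": sorted(set(a) - set(b)),
        "modified": sorted(k for k in set(a) & set(b) if a[k] != b[k]),
    }


def tamper_cases(chain):
    """Build the three tampering scenarios named in the crosswalk for a self-check."""
    modified = copy.deepcopy(chain)
    modified[1]["action"] = "export"            # content altered, stale digest kept
    deleted = chain[:1] + chain[2:]             # receipt 1 removed
    forged = copy.deepcopy(chain[1])            # a well-formed receipt spliced in
    forged["seq"], forged["predecessor_hash"] = 2, chain[1]["digest"]
    forged["digest"] = receipt_digest(forged)
    inserted = chain[:2] + [forged] + chain[2:]
    return {"modified": modified, "deleted": deleted, "inserted": inserted}


if __name__ == "__main__":
    chain = make_chain(SAMPLE_EVENTS)
    print("intact chain findings:", verify_chain(chain))
    for name, bad in tamper_cases(chain).items():
        print(f"{name}:", verify_chain(bad))
    print("retention as of 2025-01-10:", chain_spans_retention(chain, "2025-01-10T00:00:00"))
    print("state change 1 -> 2:", diff_attested_state(chain[1], chain[2]))
```

An insertion is caught not by the forged receipt itself, which is internally consistent, but by the receipt after it, whose predecessor hash and sequence number no longer line up; that is why a verifier must walk the whole chain rather than spot-check individual receipts. The retention check deliberately fails on a chain that does not verify, since an "oldest receipt" on a broken chain is not evidence of anything.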
8. Requirement 12 -- Support Information Security with Policies and Programs
| PCI DSS Requirement | HATS Capability | Evidence Type | Verification Method |
| --- | --- | --- | --- |
| 12.4 PCI DSS compliance is managed | Continuous Attestation + Governance Replay | Compliance management attestation receipts with governance decision binding | Replay compliance management decisions; verify continuous monitoring coverage |
| 12.10 Suspected and confirmed security incidents are responded to immediately | Evidence Chains + Governance Replay | Incident response evidence chain with governance decision attestation | Traverse response chain; replay decisions; verify response timing against documented procedures |
9. Coverage Notes
HATS capabilities provide primary evidence for PCI DSS Requirements 3, 10, and 11 (cryptography, logging/monitoring, and testing). Supporting evidence is provided for Requirements 4, 7, 8, and 12. Requirements 1 (network security), 2 (secure configurations), 5 (malware protection), 6 (secure development), and 9 (physical access) are outside the scope of HATS technical capabilities.
When cardholder data is processed under FHE, the H33 architecture ensures PAN is never in plaintext during computation, directly satisfying Requirement 3.5. The attestation receipt chain provides the tamper-evident audit log required by Requirement 10, with cryptographic integrity guarantees that exceed the protection requirements of Requirement 10.3.