Document Comparison

PCI-DSS-v3_2-SAQ-A-rev1_1.pdf → PCI-DSS-v3-2-1-SAQ-A-r2.pdf
94% similar
21 → 22 Pages
4947 → 5174 Words
26 Content Changes

Content Changes

26 content changes. 21 administrative changes (dates, page numbers) hidden.

Added p. 2
Added Requirement 6.2 from PCI DSS v3.2.1.

September 2022 (PCI DSS 3.2.1, SAQ revision 2.0): Updated to reflect the inclusion of UnionPay as a Participating Payment Brand.

This document aligns with PCI DSS v3.2.1 r1.
Added p. 5
• Section 1 (Parts 1 & 2 of the AOC)

• Section 3 (Parts 3 & 4 of the AOC)
Added p. 10
• Review policies and procedures.

• Examine vendor documentation.

• Observe system configurations and account settings.
Added p. 10
(b) Are unnecessary default accounts removed or disabled before installing a system on the network?

• Review policies and procedures.

• Review vendor documentation.

• Examine system configurations and account settings.
Added p. 11
Requirement 6: Develop and maintain secure systems and applications

[Columns: PCI DSS Question | Expected Testing | Response (check one response for each question): Yes, Yes with CCW, No, N/A]

6.2 (a) Are all system components and software protected from known vulnerabilities by installing applicable vendor-supplied security patches?

• Review policies and procedures.

(b) Are critical security patches installed within one month of release?

• Review policies and procedures.

• Examine system components.

• Compare list of security patches installed to recent vendor patch lists.

• Examine terminated users accounts.

• Review current access lists.

• Observe returned physical authentication devices.

In addition to assigning a unique ID, is one or more of the following methods employed to authenticate all users?

• Something you know, such as a password or passphrase

• Something you have, such as a token device or smart card

• Something you are, such as a biometric

• Review password procedures.

• Observe authentication processes.
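The newly added Requirement 6.2(b) comes with a concrete testing procedure: compare the list of installed security patches with the vendor's recent patch list and confirm that critical patches went in within one month of release. The script below is an added example and is not part of either SAQ document. The patch identifiers, release dates, the installed-patch export and the assessment date are constructed sample data, and "one month" is taken as 30 days, which is an assumption rather than a figure from the standard.

```python
from datetime import date, timedelta

# Constructed sample data (not from the SAQ): a vendor's recent security-patch list,
# keyed by patch ID, with release date and whether the vendor rated it critical.
VENDOR_PATCHES = {
    "PATCH-1001": {"released": date(2022, 7, 5),  "critical": True},
    "PATCH-1002": {"released": date(2022, 8, 20), "critical": True},
    "PATCH-1003": {"released": date(2022, 9, 10), "critical": True},
    "PATCH-1004": {"released": date(2022, 6, 1),  "critical": False},
}

# Constructed export from the merchant's redirect web server ("examine system
# components"): one line per installed patch, "<patch id> <install date>".
INSTALLED_EXPORT = """\
# patch-id   installed
PATCH-1001 2022-07-12
PATCH-9999 2022-05-03
"""

ASSESSMENT_DATE = date(2022, 9, 20)
CRITICAL_WINDOW = timedelta(days=30)   # assumption: "one month" taken as 30 days


def parse_installed(export_text):
    """Parse the installed-patch export into {patch_id: install_date}.

    Blank lines and '#' comments are skipped. A malformed line raises ValueError
    so a bad export is not silently read as "nothing installed".
    """
    installed = {}
    for lineno, raw in enumerate(export_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<id> <YYYY-MM-DD>', got {raw!r}")
        installed[parts[0]] = date.fromisoformat(parts[1])
    return installed


def classify_patches(vendor, installed, today, window=CRITICAL_WINDOW):
    """Compare the vendor patch list against what is installed.

    overdue:  critical, not installed, released more than `window` ago
    pending:  critical, not installed, still inside the window
    late:     critical, installed, but more than `window` after release
    missing_noncritical: not installed and not rated critical (6.2(a) still
              expects it to be applied, but the one-month clock of 6.2(b) does not apply)
    installed: everything else from the vendor list that is present
    Patches installed that the vendor list does not mention are ignored.
    """
    result = {"overdue": [], "pending": [], "late": [],
              "missing_noncritical": [], "installed": []}
    for pid, info in sorted(vendor.items()):
        released = info["released"]
        if pid in installed:
            if info["critical"] and installed[pid] - released > window:
                result["late"].append(pid)
            else:
                result["installed"].append(pid)
        elif not info["critical"]:
            result["missing_noncritical"].append(pid)
        elif today - released > window:
            result["overdue"].append(pid)
        else:
            result["pending"].append(pid)
    return result


def meets_6_2_b(vendor, installed, today, window=CRITICAL_WINDOW):
    """True only if no critical patch is outstanding past the window and none
    was applied late; the question asks about the practice, not just today's state."""
    report = classify_patches(vendor, installed, today, window)
    return not report["overdue"] and not report["late"]


if __name__ == "__main__":
    installed = parse_installed(INSTALLED_EXPORT)
    report = classify_patches(VENDOR_PATCHES, installed, ASSESSMENT_DATE)
    for bucket, ids in report.items():
        print(f"{bucket:>20}: {', '.join(ids) or '-'}")
    print("6.2(b) satisfied:", meets_6_2_b(VENDOR_PATCHES, installed, ASSESSMENT_DATE))
```

With the constructed data, PATCH-1002 (released 31 days before the assessment date and not installed) lands in `overdue`, which is the finding an assessor would record against 6.2(b); PATCH-1003 is still inside the window and is only `pending`. The `late` bucket exists because a patch that was eventually installed but long after its release is still evidence that the one-month practice is not being followed.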
Added p. 12
• Contain both numeric and alphabetic characters

Alternatively, the passwords/passphrases must have complexity and strength at least equivalent to the parameters specified above.

• Review policies and procedures for physically securing media.

• Interview security personnel.

• Examine media distribution tracking logs and documentation.

• Examine media distribution tracking logs and documentation.

• Review policies and procedures.

• Review list of service providers.

• Observe written agreements.

• Review incident response plan procedures.
Added p. 22
Maintain a policy that addresses information security for all personnel.
Modified p. 4
Your company accepts only card-not-present (e-commerce or mail/telephone-order) transactions; All processing of cardholder data is entirely outsourced to PCI DSS validated third-party service providers; Your company does not electronically store, process, or transmit any cardholder data on your systems or premises, but relies entirely on a third party(s) to handle all these functions; Your company has confirmed that all third party(s) handling storage, processing, and/or transmission of cardholder data are PCI DSS compliant; and Any …
Your company accepts only card-not-present (e-commerce or mail/telephone-order) transactions; All processing of cardholder data is entirely outsourced to PCI DSS validated third-party service providers; Your company does not electronically store, process, or transmit any cardholder data on your systems or premises, but relies entirely on a third party(s) to handle all these functions; Your company has confirmed that all third party(s) handling storage, processing, and/or transmission of cardholder data are PCI DSS compliant; and Any …
Modified p. 4
All elements of the payment page(s) delivered to the consumer’s browser originate only and directly from a PCI DSS validated third-party service provider(s).
All elements of the payment page(s) delivered to the consumer’s browser originate only and directly from a PCI DSS validated third-party service provider(s).
Modified p. 4
Note: For this SAQ, PCI DSS Requirements that address the protection of computer systems (for example, Requirements 2 and 8) apply to e-commerce merchants that redirect customers from their website to a third party for payment processing, and specifically to the merchant webserver upon which the redirection mechanism is located. Mail order/telephone order (MOTO) or e-commerce merchants that have completely outsourced all operations (where there is no redirection mechanism from the merchant to the third party) and therefore do not …
Note: For this SAQ, PCI DSS Requirements that address the protection of computer systems (for example, Requirements 2, 6, and 8) apply to e-commerce merchants that redirect customers from their website to a third party for payment processing, and specifically to the merchant web server upon which the redirection mechanism is located. Mail order/telephone order (MOTO) or e-commerce merchants that have completely outsourced all operations (where there is no redirection mechanism from the merchant to the third party) and therefore …
Removed p. 5
(PCI Data Security Standard Requirements and Security Assessment Procedures)

• Guidance on Scoping

• Guidance on the intent of all PCI DSS Requirements

• Details of testing procedures

• Guidance on Compensating Controls

SAQ Instructions and Guidelines documents

• Information about all SAQs and their eligibility criteria

• How to determine which SAQ is right for your organization
Modified p. 5
1. Identify the applicable SAQ for your environment: refer to the Self-Assessment Questionnaire Instructions and Guidelines document on PCI SSC website for information.
1. Identify the applicable SAQ for your environment⎯refer to the Self-Assessment Questionnaire Instructions and Guidelines document on PCI SSC website for information.
Modified p. 5
• Section 1 (Parts 1 & 2 of the AOC)

• Assessment Information and Executive Summary.
• Assessment Information and Executive Summary
Modified p. 5
• Section 2

• PCI DSS Self-Assessment Questionnaire (SAQ A)

• Section 3 (Parts 3 & 4 of the AOC)

• Validation and Attestation Details and Action Plan for Non-Compliant Requirements (if applicable)
• Validation and Attestation Details and Action Plan for Non-Compliant Requirements (if applicable)
Modified p. 5
PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms: Descriptions and definitions of terms used in the PCI DSS and self-assessment questionnaires. These and other resources can be found on the PCI SSC website (www.pcisecuritystandards.org). Organizations are encouraged to review the PCI DSS and other supporting documents before beginning an assessment.
(PCI Data Security Standard Requirements and Security Assessment Procedures)

• Guidance on Scoping

• Guidance on the intent of all PCI DSS Requirements

• Details of testing procedures

• Guidance on Compensating Controls

SAQ Instructions and Guidelines documents

• Information about all SAQs and their eligibility criteria

• How to determine which SAQ is right for your organization
PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms: Descriptions and definitions of terms used in the PCI DSS and self-assessment questionnaires. These and other resources …
Modified p. 8
Does your business use network segmentation to affect the scope of your PCI DSS environment? (Refer to “Network Segmentation” section of PCI DSS for guidance on network segmentation)
Does your business use network segmentation to affect the scope of your PCI DSS environment? (Refer to “Network Segmentation” section of PCI DSS for guidance on network segmentation.)
Removed p. 10
• Review policies and procedures

• Examine vendor documentation

• Observe system configurations and account settings

• Interview personnel

(b) Are unnecessary default accounts removed or disabled before installing a system on the network?

• Review policies and procedures

• Review vendor documentation

• Examine system configurations and account settings

• Interview personnel
Removed p. 11
• Review password procedures

• Examine terminated users accounts

• Review current access lists

• Observe returned physical authentication devices

In addition to assigning a unique ID, is one or more of the following methods employed to authenticate all users?

• Something you know, such as a password or passphrase

• Something you have, such as a token device or smart card

• Something you are, such as a biometric

• Review password procedures

• Observe authentication processes

8.2.3 (a) Are user password parameters configured to require passwords/passphrases meet the following?

• A minimum password length of at least seven characters

• Contain both numeric and alphabetic characters

Alternatively, the passwords/passphrases must have complexity and strength at least equivalent to the parameters specified above.
Modified p. 11 → 12
[Columns: PCI DSS Question | Expected Testing | Response (check one response for each question): Yes, Yes with CCW, No, N/A] 8.1.1 Are all users assigned a unique ID before allowing them to access system components or cardholder data?
[Columns: PCI DSS Question | Expected Testing | Response (check one response for each question): Yes, Yes with CCW, No, N/A] 8.1.1 Are all users assigned a unique ID before allowing them to access system components or cardholder data? • Review password procedures.
Modified p. 11 → 12
Examine system configuration settings to verify password parameters
Examine system configuration settings to verify password parameters.
Modified p. 12 → 13
Generic user IDs and accounts are disabled or removed; Shared user IDs for system administration activities and other critical functions do not exist; and Shared and generic user IDs are not used to administer any system components?

• Review policies and procedures

• Examine user ID lists

• Interview personnel
Generic user IDs and accounts are disabled or removed; Shared user IDs for system administration activities and other critical functions do not exist; and Shared and generic user IDs are not used to administer any system components? Review policies and procedures.

Examine user ID lists.

Interview personnel.
Modified p. 13 → 14
[Columns: PCI DSS Question | Expected Testing | Response (check one response for each question): Yes, Yes with CCW, No, N/A] 9.6.2 Is media sent by secured courier or other delivery method that can be accurately tracked?
[Columns: PCI DSS Question | Expected Testing | Response (check one response for each question): Yes, Yes with CCW, No, N/A] 9.6.2 Is media sent by secured courier or other delivery method that can be accurately tracked? • Interview personnel.
Modified p. 13 → 14
• Review periodic media destruction policies and procedures

• Interview personnel

• Observe processes

(b) Are storage containers used for materials that contain information to be destroyed secured to prevent access to the contents? Examine security of storage containers
(b) Are storage containers used for materials that contain information to be destroyed secured to prevent access to the contents? Examine security of storage containers.
Modified p. 15 → 16
[Columns: PCI DSS Question | Expected Testing | Response (check one response for each question): Yes, Yes with CCW, No, N/A] 12.8.4 Is a program maintained to monitor service providers’ PCI DSS compliance status at least annually?
[Columns: PCI DSS Question | Expected Testing | Response (check one response for each question): Yes, Yes with CCW, No, N/A] 12.8.4 Is a program maintained to monitor service providers’ PCI DSS compliance status at least annually? • Review policies and procedures and supporting documentation.
Modified p. 16 → 17
Appendix A2: Additional PCI DSS Requirements for Entities using SSL/early TLS. This appendix is not used for SAQ A merchant assessments.
Appendix A3: Designated Entities Supplemental Validation (DESV). This Appendix applies only to entities designated by a payment brand(s) or acquirer as requiring additional validation of existing PCI DSS requirements. Entities required to validate to this Appendix should use the DESV Supplemental Reporting Template and Supplemental Attestation of Compliance for reporting, and consult with the applicable payment brand and/or acquirer …
Appendix A2: Additional PCI DSS Requirements for Entities using SSL/early TLS for Card-Present POS POI Terminal Connections. This appendix is not used for SAQ A merchant assessments.
Appendix A3: Designated Entities Supplemental Validation (DESV). This Appendix applies only to entities designated by a payment brand(s) or acquirer as requiring additional validation of existing PCI DSS requirements. Entities required to validate to this Appendix should use the DESV Supplemental Reporting Template and Supplemental Attestation of Compliance for reporting, and consult with …
Modified p. 21 → 22
[Columns: PCI DSS Requirement* | Description of Requirement | Compliant to PCI DSS Requirements (Select One): YES, NO | Remediation Date and Actions (If “NO” selected for any Requirement)]
2 Do not use vendor-supplied defaults for system passwords and other security parameters
8 Identify and authenticate access to system components
9 Restrict physical access to cardholder data
12 Maintain a policy that addresses information security for all personnel
* PCI DSS Requirements indicated here refer to the questions in Section 2 of the SAQ.
[Columns: PCI DSS Requirement* | Description of Requirement | Compliant to PCI DSS Requirements (Select One): YES, NO | Remediation Date and Actions (If “NO” selected for any Requirement)]
2 Do not use vendor-supplied defaults for system passwords and other security parameters.