Document Comparison

pci_saq_a.pdf SAQ_A_v3.pdf
21% similar
15 → 19 Pages
3121 → 3883 Words
32 Content Changes

From Revision History

  • October 2008 1.2 To align content with new PCI DSS v1.2 and to implement minor changes noted since original v1.1.

Content Changes

32 content changes. 25 administrative changes (dates, page numbers) hidden.

Added p. 4
SAQ A merchants may be either e-commerce or mail/telephone-order merchants (card-not-present), and do not store, process, or transmit any cardholder data in electronic format on their systems or premises.

SAQ A merchants confirm that, for this payment channel:

• Your company accepts only card-not-present (e-commerce or mail/telephone-order) transactions;
• All payment acceptance and processing are entirely outsourced to PCI DSS validated third-party service providers;
• Your company has no direct control of the manner in which cardholder data is captured, processed, transmitted, or stored;
• Your company does not electronically store, process, or transmit any cardholder data on your systems or premises, but relies entirely on a third party(s) to handle all these functions;
• Your company has confirmed that all third party(s) handling acceptance, storage, processing, and/or transmission of cardholder data are PCI DSS compliant; and
• Your company retains only paper reports or receipts with cardholder data, and these documents …
Added p. 5
Additional resources that provide guidance on PCI DSS requirements and how to complete the self-assessment questionnaire have been provided to assist with the assessment process. An overview of some of these resources is provided below:

(PCI Data Security Standard Requirements and Security Assessment Procedures)
• Guidance on Scoping
• Guidance on the intent of all PCI DSS Requirements
• Details of testing procedures
• Guidance on Compensating Controls

SAQ Instructions and Guidelines documents
• Information about all SAQs and their eligibility criteria
• How to determine which SAQ is right for your organization

PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms
• Descriptions and definitions of terms used in the PCI DSS and self-assessment questionnaires

These and other resources can be found on the PCI SSC website (www.pcisecuritystandards.org). Organizations are encouraged to review the PCI DSS and other supporting documents before beginning an assessment.

Expected Testing The instructions provided in …
Added p. 6
No Some or all elements of the requirement have not been met, or are in the process of being implemented, or require further testing before it will be known if they are in place.

(Not Applicable) The requirement does not apply to the organization’s environment. (See Guidance for Non-Applicability of Certain, Specific Requirements below for examples.) All responses in this column require a supporting explanation in Appendix C of the SAQ.

Legal Exception If your organization is subject to a legal restriction that prevents the organization from meeting a PCI DSS requirement, check the “No” column for that requirement and complete the relevant attestation in Part 3.

Section 1: Assessment Information
Instructions for Submission
This document must be completed as a declaration of the results of the merchant’s self-assessment with the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS). Complete all sections: The merchant is responsible for ensuring …
Added p. 8
Payment Application / Version Number / Application / Is application PA-DSS Listed? / PA-DSS Listing Expiry date (if applicable)

Part 2e. Description of Environment
Provide a high-level description of the environment covered by this assessment.

For example:

• Connections into and out of the cardholder data environment (CDE).

• Critical system components within the CDE, such as POS devices, databases, web servers, etc., and any other necessary payment components, as applicable.

Does your business use network segmentation to affect the scope of your PCI DSS environment? (Refer to “Network Segmentation” section of PCI DSS for guidance on network segmentation)

Additionally, for e-commerce channels:
Added p. 9
Note: Requirement 12.8 applies to all entities in this list.

• Merchant accepts only card-not-present (e-commerce or mail/telephone-order) transactions;
• All payment acceptance and processing are entirely outsourced to PCI DSS validated third-party service providers;
• Merchant has no direct control of the manner in which cardholder data is captured, processed, transmitted, or stored;
• Merchant does not electronically store, process, or transmit any cardholder data on merchant systems or premises, but relies entirely on a third party(s) to handle all these functions;
• Merchant has confirmed that all third party(s) handling acceptance, storage, processing, and/or transmission of cardholder data are PCI DSS compliant; and
• Merchant retains only paper reports or receipts with cardholder data, and these documents are not received electronically.

The entirety of all payment pages delivered to the consumer’s browser originates directly from a third-party PCI DSS validated service provider(s).

Section 2: Self-Assessment Questionnaire A

Note: The following questions are numbered according to PCI DSS …
Added p. 11
PCI DSS Question / Expected Testing / Response (Check one response for each question): CCW, No, N/A

9.8 (a) Is all media destroyed when it is no longer needed for business or legal reasons?
• Review periodic media destruction policies and procedures

(c) Is media destruction performed as follows:
Added p. 11
• Review periodic media destruction policies and procedures
• Interview personnel
• Observe processes

(b) Are storage containers used for materials that contain information to be destroyed secured to prevent access to the contents?
• Examine security of storage containers

Requirement 12: Maintain a policy that addresses information security for all personnel

Note: For the purposes of Requirement 12, “personnel” refers to full-time and part-time employees, temporary employees and personnel, and contractors and consultants who are “resident” on the entity’s site or otherwise have access to the company’s site cardholder data environment.

PCI DSS Question / Expected Testing / Response (Check one response for each question): CCW, No, N/A

12.8 Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows:
Added p. 12
• Observe processes
• Review policies and procedures and supporting documentation

12.8.4 Is a program maintained to monitor service providers’ PCI DSS compliance status at least annually?
• Observe processes
• Review policies and procedures and supporting documentation
Added p. 13
PCI DSS Question / Expected Testing / Response (Check one response for each question): CCW, No, N/A

12.8.5 Is information maintained about which PCI DSS requirements are managed by each service provider, and which are managed by the entity?
• Observe processes
• Review policies and procedures and supporting documentation
Added p. 15
Refer to Appendices B, C, and D of PCI DSS for information about compensating controls and guidance on how to complete this worksheet.
Added p. 17
Section 3: Validation and Attestation Details
Part 3. PCI DSS Validation
Based on the results noted in the SAQ A dated (completion date), the signatories identified in Parts 3b-3d, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document as of (date): (check one):

Compliant: All sections of the PCI DSS SAQ are complete, all questions answered affirmatively, resulting in an overall COMPLIANT rating; thereby (Merchant Company Name) has demonstrated full compliance with the PCI DSS.

Non-Compliant: Not all sections of the PCI DSS SAQ are complete, or not all questions are answered affirmatively, resulting in an overall NON-COMPLIANT rating, thereby (Merchant Company Name) has not demonstrated full compliance with the PCI DSS.

An entity submitting this form with a status of Non-Compliant may be required to complete the Action Plan in Part 4 of this document. Check with your acquirer or the payment brand(s) before …
Added p. 18
ASV scans are being completed by the PCI SSC Approved Scanning Vendor (ASV Name)

Part 3b. Merchant Attestation
Signature of Merchant Executive Officer    Date:

Merchant Executive Officer Name: Title:

Part 3c. QSA Acknowledgement (if applicable)
If a QSA was involved or assisted with this assessment, describe the role performed:

Signature of QSA    Date:

QSA Name: QSA Company:

Part 3d. ISA Acknowledgement (if applicable)
If an ISA was involved or assisted with this assessment, describe the role performed:

Signature of ISA    Date:
Added p. 19
Check with your acquirer or the payment brand(s) before completing Part 4.

PCI DSS Requirement / Description of Requirement / Compliant to PCI DSS Requirements (Select One): YES, NO / Remediation Date and Actions (If “NO” selected for any Requirement)

9 Restrict physical access to cardholder data
Maintain a policy that addresses information security for all personnel
Modified p. 1
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance No Electronic Storage, Processing, or Transmission of Cardholder Data Version 1.2
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced Version 3.0
Removed p. 4
PCI Data Security Standard: Related Documents
The following documents were created to assist merchants and service providers in understanding the PCI Data Security Standard and the PCI DSS SAQ.

PCI Data Security Standard Requirements and Security Assessment Procedures — All merchants and service providers

Navigating PCI DSS: Understanding the Intent of the Requirements — All merchants and service providers

PCI Data Security Standard: Self-Assessment Guidelines and Instructions — All merchants and service providers

PCI Data Security Standard: Self-Assessment Questionnaire A and Attestation — Merchants¹

PCI Data Security Standard: Self-Assessment Questionnaire B and Attestation — Merchants¹

PCI Data Security Standard: Self-Assessment Questionnaire C and Attestation — Merchants¹

PCI Data Security Standard: Self-Assessment Questionnaire D and Attestation — Merchants¹ and all service providers

PCI Data Security Standard DSS and Payment Application Data Security Standard Glossary of Terms, Abbreviations, and Acronyms — All merchants and service providers

¹ To determine the appropriate Self-Assessment Questionnaire, see PCI Data Security Standard: Self-Assessment Guidelines and Instructions, “Selecting the SAQ and …
Removed p. 5
• Your company handles only card-not-present (e-commerce or mail/telephone-order) transactions;
• Your company does not store, process, or transmit any cardholder data on your premises, but relies entirely on third party service provider(s) to handle these functions;
• Your company has confirmed that the third party service provider(s) handling storage, processing, and/or transmission of cardholder data is PCI DSS compliant;
• Your company retains only paper reports or receipts with cardholder data, and these documents are not received electronically; and
• Your company does not store any cardholder data in electronic format.

This option would never apply to merchants with a face-to-face POS environment.

1. Complete the Self-Assessment Questionnaire (SAQ A) according to the instructions in the Self-Assessment Questionnaire Instructions and Guidelines.
2. Complete the Attestation of Compliance in its entirety.
3. Submit the SAQ and the Attestation of Compliance, along with any other requested documentation, to your acquirer.
Modified p. 5 → 4
PCI DSS Compliance

Completion Steps
PCI DSS Self-Assessment Completion Steps
Modified p. 5 → 6
Guidance for Non-Applicability of Certain, Specific Requirements Non-Applicability: Requirements deemed not applicable to your environment must be indicated with “N/A” in the “Special” column of the SAQ. Accordingly, complete the “Explanation of Non-Applicability” worksheet in the Appendix for each “N/A” entry.
Guidance for Non-Applicability of Certain, Specific Requirements If any requirements are deemed not applicable to your environment, select the “N/A” option for that specific requirement, and complete the “Explanation of Non-Applicability” worksheet in Appendix C for each “N/A” entry.
Removed p. 6
Part 2. Merchant Organization Information Company Name: DBA(S):

Part 2a. Type of merchant business (check all that apply):

List facilities and locations included in PCI DSS review:

Part 2b. Relationships Does your company have a relationship with one or more third-party service providers (for example, gateways, web-hosting companies, airline booking agents, loyalty program agents, etc)? Yes No Does your company have a relationship with more than one acquirer? Yes No
Modified p. 6 → 7
Part 1. Qualified Security Assessor Company Information (if applicable) Company Name:
Part 1. Merchant and Qualified Security Assessor Information Part 1a. Merchant Organization Information Company Name: DBA (doing business as):
Modified p. 6 → 7
State/Province: Country: ZIP:
State/Province: Country: Zip:
Modified p. 6 → 7
State/Province: Country: ZIP:
State/Province: Country: Zip:
Modified p. 6 → 7
Retailer Telecommunication Grocery and Supermarkets Petroleum E-Commerce Mail/Telephone-Order Others (please specify):
Part 2. Executive Summary Part 2a. Type of Merchant Business (check all that apply) Retailer Telecommunication Grocery and Supermarkets Petroleum E-Commerce Mail order/telephone order (MOTO) Others (please specify):
Removed p. 7
• Merchant does not store, process, or transmit any cardholder data on merchant premises but relies entirely on third party service provider(s) to handle these functions;
• The third party service provider(s) handling storage, processing, and/or transmission of cardholder data is confirmed to be PCI DSS compliant;
• Merchant does not store any cardholder data in electronic format; and
• If Merchant does store cardholder data, such data is only in paper reports or copies of receipts and is not received electronically.

Part 3. PCI DSS Validation
Based on the results noted in the SAQ A dated (completion date), (Merchant Company Name) asserts the following compliance status (check one):

Compliant: All sections of the PCI SAQ are complete, and all questions answered “yes,” resulting in an overall COMPLIANT rating, thereby (Merchant Company Name) has demonstrated full compliance with the PCI DSS.

Non-Compliant: Not all sections of the PCI SAQ are complete, or some questions are answered “no,” …
Removed p. 8
PCI DSS Requirement / Description of Requirement / Compliance Status (Select One): YES, NO / Remediation Date and Actions (if Compliance Status is “NO”)

9 Restrict physical access to cardholder data
12 Maintain a policy that addresses information security

Implement Strong Access Control Measures
Modified p. 9 → 10
Requirement 9: Restrict physical access to cardholder data
Question / Response: Yes, No, Special

9.6 Are all paper and electronic media that contain cardholder data physically secure?
Requirement 9: Restrict physical access to cardholder data
Removed p. 10
Requirement 12: Maintain a policy that addresses information security for employees and contractors
Question / Response: Yes, No, Special

12.8 If cardholder data is shared with service providers, are policies and procedures maintained and implemented to manage service providers, and do the policies and procedures include the following?
12.8.1 A list of service providers is maintained.
Removed p. 10
• “Not Applicable” (N/A) or “Compensating Control Used.” Organizations using this section must complete the Compensating Control Worksheet or Explanation of Non-Applicability Worksheet, as appropriate, in the Appendix.
Removed p. 12
1. Meet the intent and rigor of the original PCI DSS requirement.

2. Provide a similar level of defense as the original PCI DSS requirement, such that the compensating control sufficiently offsets the risk that the original PCI DSS requirement was designed to defend against. (See Navigating PCI DSS for the intent of each PCI DSS requirement.)

3. Be “above and beyond” other PCI DSS requirements. (Simply being in compliance with other PCI DSS requirements is not a compensating control.) When evaluating “above and beyond” for compensating controls, consider the following:

Note: The items at a) through c) below are intended as examples only. All compensating controls must be reviewed and validated for sufficiency by the assessor who conducts the PCI DSS review. The effectiveness of a compensating control is dependent on the specifics of the environment in which the control is implemented, the surrounding security controls, and the configuration of the …
Modified p. 13 → 15
Note: Only companies that have undertaken a risk analysis and have legitimate technological or documented business constraints can consider the use of compensating controls to achieve compliance. Requirement Number and Definition:
Note: Only companies that have undertaken a risk analysis and have legitimate technological or documented business constraints can consider the use of compensating controls to achieve compliance.
Removed p. 14
Requirement Number: 8.1 • Are all users identified with a unique user name before allowing them to access system components or cardholder data?

Information Required / Explanation

1. Constraints List constraints precluding compliance with the original requirement.

Company XYZ employs stand-alone Unix Servers without LDAP. As such, they each require a “root” login. It is not possible for Company XYZ to manage the “root” login nor is it feasible to log all “root” activity by each user.

2. Objective Define the objective of the original control; identify the objective met by the compensating control.

The objective of requiring unique logins is twofold. First, it is not considered acceptable from a security perspective to share login credentials. Secondly, having shared logins makes it impossible to state definitively that a person is responsible for a particular action.

3. Identified Risk Identify any additional risk posed by the lack of the original control.

Additional risk is introduced to the access control system …
Modified p. 15 → 16
Requirement / Reason Requirement is Not Applicable
Example: 12.8 — Cardholder data is never shared with service providers.
Requirement / Reason Requirement is Not Applicable
3.4 — Cardholder data is never stored electronically