Document Comparison
PCI-DSS-v4-0-SAQ-A-r2.pdf → PCI-DSS-v4_0_1-SAQ-A-r1.pdf
88% similar
Pages: 38 → 38
Words: 10471 → 10300
Content changes: 72

Content Changes
72 content changes. 35 administrative changes (dates, page numbers) hidden.
Added
p. 2
Updated an SAQ Eligibility Criteria that the merchant has confirmed “their TPSP(s) are PCI DSS compliant for the services used by the merchant” rather than that the merchant has reviewed the TPSP(s)’ AOCs.
Added ASV Resource Guide to section “Additional PCI SSC Resources.” Added SAQ Completion Guidance for Requirement 6.4.3.
Added Requirement 12.3.1, as the completion of this requirement is specified in Requirement 11.6.1.
January 2025 4.0.1 1 Removed Requirements 6.4.3, 11.6.1, and 12.3.1 and added an Eligibility Criteria for merchants to confirm that their site is not susceptible to attacks from scripts that could affect the merchant’s e-commerce system(s).
The merchant has confirmed that their site is not susceptible to attacks from scripts that could affect the merchant’s e-commerce system(s).
Added
p. 7
Note: A legal exception is a legal restriction due to a local or regional law, regulation, or regulatory requirement, where meeting a PCI DSS requirement would violate that law, regulation, or regulatory requirement.
PCI Data Security Standard Requirements and Testing Procedures (PCI DSS) Guidance on Scoping Guidance on the intent of all PCI DSS Requirements Details of testing procedures Guidance on Compensating Controls Appendix G: Glossary of Terms, Abbreviations, and Acronyms SAQ Instructions and Guidelines Information about all SAQs and their eligibility criteria How to determine which SAQ is right for your organization Frequently Asked Questions (FAQs) Guidance and information about SAQs.
Added
p. 13
The merchant has confirmed that their site is not susceptible to attacks from scripts that could affect the merchant’s e-commerce system(s).
Added
p. 16
Applicability Notes Part of this Applicability Note was intentionally removed as it does not apply to SAQ A assessments.
Note: For SAQ A, Requirement 6 applies to merchant server(s) with a webpage that either 1) redirects customers from the merchant webpage to a TPSP/payment processor for payment processing (for example, with a URL redirect) or 2) includes a TPSP’s/payment processor’s embedded payment page/form (for example, one or more inline frames or iframes).
• Patches/updates for critical vulnerabilities (identified according to the risk ranking processes at Requirement 6.3.1) are installed within one month of release.
♦ Refer to the “Requirement Responses” section (page v) for information about these response options.
Added
p. 22
Applicability Notes (continued)
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place Not Applicable Not in Place This requirement does not apply to in-scope system components where MFA is used.
Added
p. 29
The TPSP’s written acknowledgment is a confirmation that states the TPSP is responsible for the security of the account data it may store, process, or transmit on behalf of the customer or to the extent the TPSP may impact the security of a customer’s cardholder data and/or sensitive authentication data.
Added
p. 38
Note: The PCI Security Standards Council is a global standards body that provides resources for payment security professionals developed collaboratively with our stakeholder community. Our materials are accepted in numerous compliance programs worldwide. Please check with your individual compliance-accepting organization to ensure that this form is acceptable in its program. For more information about PCI SSC and our stakeholder community please visit: https://www.pcisecuritystandards.org/about_us/.
Modified
p. 2
Rearranged, retitled, and expanded information in the “Completing the Self- Assessment Questionnaire” section (previously titled “Before You Begin”).
Rearranged, retitled, and expanded information in the “Completing the Self-Assessment Questionnaire” section (previously titled “Before You Begin”).
Modified
p. 2
Aligned content in Sections 1 and 3 of Attestation of Compliance (AOC) with PCI DSS v4.0 Report on Compliance AOC.
Aligned content in Sections 1 and 3 of Attestation of Compliance (AOC) with PCI DSS v4.0 Repo on Compliance AOC.
Modified
p. 2
Clarified note under Eligibility Criteria on page iv that addresses applicability of Requirements 2, 6, 8, and 11 to e-commerce merchants.
Clarified note under Eligibility Criteria on page iv that addresses applicability of Requirements 2, 6 8, and 11 to e-commerce merchants.
Modified
p. 2
Clarified notes that address applicability to e-commerce merchants for Requirements 6.4.3, 8, 11, and 11.6.1.
Clarified notes that address applicability to e-commerce merchants for Requirements 6.4.3, 8, 11 and 11.6.1.
Modified
p. 4
The merchant accepts only card-not-present (e-commerce or mail/telephone-order) transactions; All processing of account data is entirely outsourced to PCI DSS compliant third-party service provider (TPSP)/payment processor; The merchant does not electronically store, process, or transmit any account data on merchant systems or premises, but relies entirely on a TPSP(s) to handle all these functions; The merchant has confirmed that TPSP(s) are PCI DSS compliant for the services being used by the merchant; and Any account …
Modified
p. 4
All elements of the payment page(s)/form(s) delivered to the customer’s browser originate only and directly from a PCI DSS compliant TPSP/payment processor.
Modified
p. 4
Those with a webpage(s) that redirects customers from their website to a TPSP/payment processor for payment processing, and specifically to the merchant webpage upon which the redirection mechanism is located.
Modified
p. 4
Those with a webpage(s) that includes a TPSP’s/payment processor’s embedded payment page/form (for example, one or more inline frames or iframes), and specifically to the merchant webpage that includes the embedded payment page/form.
Modified
p. 4
These PCI DSS requirements are applicable because the above merchant websites impact how the account data is transmitted, even though the websites themselves do not receive account data.
These PCI DSS requirements are applicable because the above merchant webpages impact how the account data is transmitted, even though the webpages themselves do not receive account data.
Modified
p. 5
PCI DSS is intended for all entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD) or could impact the security of the cardholder data environment (CDE). Cardholder data and sensitive authentication data are considered account data and are defined as follows:
PCI DSS is intended for all entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD) or could impact the security of cardholder data and/or sensitive authentication data. Cardholder data and sensitive authentication data are considered account data and are defined as follows:
Modified
p. 5
Section 1: Assessment Information (Parts 1 & 2 of the Attestation of Compliance (AOC) – Contact Information and Executive Summary).
Modified
p. 5
• Self-Assessment Questionnaire A.
Section 2
• Self-Assessment Questionnaire A.
Modified
p. 5
Section 3: Validation and Attestation Details (Parts 3 & 4 of the AOC – PCI DSS Validation and Action Plan for Non-Compliant Requirements (if Part 4 is applicable)).
Modified
p. 5
5. Submit the SAQ and AOC, along with any other requested documentation – such as ASV scan reports – to the requesting organization (those organizations that manage compliance programs such as payment brands and acquirers).
5. Submit the SAQ and AOC, along with any other requested documentation
– such as ASV scan reports
– to the requesting organization (those organizations that manage compliance programs such as payment brands and acquirers).
Modified
p. 5
Examine: The merchant critically evaluates data evidence. Common examples include documents (electronic or physical), screenshots, configuration files, audit logs, and data files.
Modified
p. 5
Observe: The merchant watches an action or views something in the environment. Examples of observation subjects include personnel performing a task or process, system components performing a function or responding to input, environmental conditions, and physical controls.
Removed
p. 7
Note: A legal restriction is one where meeting the PCI DSS requirement would violate a local or regional law or regulation.
Removed
p. 8
• Guidance on Scoping
• Guidance on the intent of all PCI DSS Requirements
• Details of testing procedures
• Guidance on Compensating Controls
• Information about all SAQs and their eligibility criteria
• How to determine which SAQ is right for your organization
Frequently Asked Questions (FAQs)
• Guidance and information about SAQs.
Online PCI DSS Glossary
• PCI DSS Terms, Abbreviations, and Acronyms
Information Supplements and Guidelines
• Guidance on a variety of PCI DSS topics including:
Modified
p. 8
Online PCI DSS Glossary PCI DSS Terms, Abbreviations, and Acronyms Information Supplements and Guidelines Guidance on a variety of PCI DSS topics including:
Modified
p. 8
− Understanding PCI DSS Scoping and Network Segmentation − Third-Party Security Assurance − Multi-Factor Authentication Guidance − Best Practices for Maintaining PCI DSS Compliance Getting Started with PCI • Resources for smaller merchants including:
− Understanding PCI DSS Scoping and Network Segmentation − Third-Party Security Assurance − Multi-Factor Authentication Guidance − Best Practices for Maintaining PCI DSS Compliance Getting Started with PCI Resources for smaller merchants including:
Modified
p. 8
− Guide to Safe Payments − Common Payment Systems − Questions to Ask Your Vendors − Glossary of Payment and Information Security Terms − PCI Firewall Basics These and other resources can be found on the PCI SSC website (www.pcisecuritystandards.org).
− Guide to Safe Payments − Common Payment Systems − Questions to Ask Your Vendors − Glossary of Payment and Information Security Terms − PCI Firewall Basics − ASV Resource Guide These and other resources can be found on the PCI SSC website (www.pcisecuritystandards.org).
Modified
p. 11
Facility Type Total number of locations (How many locations of this type are in scope) Location(s) of facility (city, country) Example: Data centers 3 Boston, MA, USA Part 2e. PCI SSC Validated Products and Solutions Does the merchant use any item identified on any PCI SSC Lists of Validated Products and Solutions? Provide the following information regarding each item the merchant uses from PCI SSC’s Lists of Validated Products and Solutions.
Facility Type Total number of locations (How many locations of this type are in scope) Location(s) of facility (city, country) Example: Data centers 3 Boston, MA, USA Part 2e. PCI SSC Validated Products and Solutions Does the merchant use any item identified on any PCI SSC Lists of Validated Products and Solutions♦? Provide the following information regarding each item the merchant uses from PCI SSC’s Lists of Validated Products and Solutions.
Modified
p. 11
Name of PCI SSC- validated Product or Version of Product or
Name of PCI SSC validated Product or Version of Product or
Modified
p. 11
PCI SSC listing Expiry date of listing (YYYY-MM-DD) YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD For purposes of this document, ”Lists of Validated Products and Solutions” means the lists of validated products, solutions, and/or components appearing on the PCI SSC website (www.pcisecuritystandards.org)⎯for example, 3DS Software Development Kits, Approved PTS Devices, Validated Payment Software, Payment Applications (PA- DSS), Point to Point Encryption (P2PE) solutions, Software-Based PIN Entry on COTS (SPoC) solutions, and Contactless Payments on COTS (CPoC) …
PCI SSC listing Expiry date of listing (YYYY-MM-DD) YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD ♦ For purposes of this document, ”Lists of Validated Products and Solutions” means the lists of validated products, solutions, and/or components, appearing on the PCI SSC website (www.pcisecuritystandards.org)for example, 3DS Software Development Kits, Approved PTS Devices, Validated Payment Software, Point to Point Encryption (P2PE) solutions, Software-Based PIN Entry on COTS (SPoC) solutions, Contactless Payments on COTS (CPoC) solutions, and Mobile Payments on …
Modified
p. 12
• Manage system components included in the scope of the merchant’s PCI DSS assessment⎯for example, via network security control services, anti-malware services, security incident and event management (SIEM), contact and call centers, web-hosting services, and IaaS, PaaS, SaaS, and FaaS cloud providers.
• Manage system components included in the scope of the merchant’s PCI DSS assessmentfor example, via network security control services, anti-malware services, security incident and event management (SIEM), contact and call centers, web-hosting services, and IaaS, PaaS, SaaS, and FaaS cloud providers.
Modified
p. 13
The merchant has reviewed the PCI DSS Attestation of Compliance form(s) for its TPSP(s) and confirmed that TPSP(s) are PCI DSS compliant for the services being used by the merchant.
The merchant has confirmed that TPSP(s) are PCI DSS compliant for the services being used by the merchant.
Modified
p. 13
Additionally, for e-commerce channels:
Additionally, for e-commerce channels, merchant certifies:
Modified
p. 14
PCI DSS Requirement Expected Testing Response (Check one response for each requirement) In Place In Place with Not Applicable Not in Place 2.2 System components are configured and managed securely.
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with Not Applicable Not in Place 2.2 System components are configured and managed securely.
Modified
p. 15
PCI DSS Requirement Expected Testing Response (Check one response for each requirement) In Place In Place with Not Applicable Not in Place 3.1 Processes and mechanisms for protecting stored account data are defined and understood.
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with Not Applicable Not in Place 3.1 Processes and mechanisms for protecting stored account data are defined and understood.
Modified
p. 16
PCI DSS Requirement Expected Testing Response (Check one response for each requirement) In Place In Place with Not Applicable Not in Place 3.2 Storage of account data is kept to a minimum.
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with Not Applicable Not in Place 3.2 Storage of account data is kept to a minimum.
Modified
p. 16
The bullet above (for coverage of SAD stored prior to completion of authorization) is a best practice until 31 March 2025, after which it will be required as part of Requirement 3.2.1 and must be fully considered during a PCI DSS assessment.
Modified
p. 17
PCI DSS Requirement Expected Testing Response (Check one response for each requirement) In Place In Place with Not Applicable Not in Place SAQ Completion Guidance:
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with Not Applicable Not in Place SAQ Completion Guidance:
Removed
p. 18
Note: For SAQ A, Requirement 6 applies to web servers that host the page(s) on the merchant’s website(s) that provide the address (the URL) of the TPSP’s payment page/form to the merchant’s customers.
Modified
p. 18
PCI DSS Requirement Expected Testing Response (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 6.3 Security vulnerabilities are identified and addressed.
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 6.3 Security vulnerabilities are identified and addressed.
Modified
p. 18
Applicability Notes This requirement is not achieved by, nor is it the same as, vulnerability scans performed for Requirements 11.3.1 and 11.3.2. This requirement is for a process to actively monitor industry sources for vulnerability information and for the entity to determine the risk ranking to be associated with each vulnerability.
Applicability Notes This requirement is not achieved by, and is in addition to, performing vulnerability scans according to Requirements 11.3.1 and 11.3.2. This requirement is for a process to actively monitor industry sources for vulnerability information and for the entity to determine the risk ranking to be associated with each vulnerability.
Removed
p. 19
• Critical or high-security patches/updates are installed within one month of release.
Removed
p. 19
Note: For SAQ A, Requirement 6.4.3 applies to a merchant’s website(s) that includes a TPSP’s/payment processor’s embedded payment page/form (for example, an inline frame or iFrame).
Removed
p. 19
• A method is implemented to confirm that each script is authorized.
• Examine policies and procedures.
• Interview responsible personnel.
• Examine inventory records.
• Examine system configurations.
• A method is implemented to assure the integrity of each script.
• An inventory of all scripts is maintained with written justification as to why each is necessary.
Applicability Notes This requirement applies to all scripts loaded from the entity’s environment and scripts loaded from third and fourth parties.
This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
Modified
p. 19
PCI DSS Requirement Expected Testing Response (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 6.3.3 All system components are protected from known vulnerabilities by installing applicable security patches/updates as follows:
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 6.3.3 All system components are protected from known vulnerabilities by installing applicable security patches/updates as follows:
Removed
p. 20
Refer to the “Requirement Responses” section (page v) for information about these response options.
Modified
p. 20
Note: For SAQ A, Requirement 8 applies to merchant web servers that host the page(s) that either 1) redirects customers from the merchant website to a TPSP/payment processor for payment processing (for example, with a URL redirect) or 2) includes a TPSP’s/payment processor’s embedded payment page/form (for example, an inline frame or iFrame).
Note: For SAQ A, Requirement 8 applies to merchant servers with a webpage that either 1) redirects customers from the merchant website to a TPSP/payment processor for payment processing (for example, with a URL redirect) or 2) includes a TPSP’s/payment processor’s embedded payment page/form (for example, one or more inline frames or iframes).
Modified
p. 20
PCI DSS Requirement Expected Testing Response (Check one response for each requirement) In Place In Place Not Applicable Not in Place 8.2 User identification and related accounts for users and administrators are strictly managed throughout an account’s lifecycle.
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place Not Applicable Not in Place 8.2 User identification and related accounts for users and administrators are strictly managed throughout an account’s lifecycle.
Modified
p. 20
Applicability Notes This requirement is not intended to apply to user accounts within point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction (such as IDs used by cashiers on point-of-sale terminals).
Applicability Notes This requirement is not intended to apply to user accounts within point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction.
Modified
p. 21 → 20
• Account use is prevented unless needed for an exceptional circumstance.
• ID use is prevented unless needed for an exceptional circumstance.
Modified
p. 21
Applicability Notes This requirement is not intended to apply to user accounts within point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction (such as IDs used by cashiers on point-of-sale terminals).
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place Not Applicable Not in Place Applicability Notes This requirement is not intended to apply to user accounts within point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction.
Modified
p. 22 → 21
Applicability Notes This requirement is not intended to apply to user accounts on point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction.
Modified
p. 22
• User accounts on point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction (such as IDs used by cashiers on point-of-sale terminals).
• User accounts on point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction.
Removed
p. 23
Applicability Notes This requirement applies to in-scope system components that are not in the CDE because these components are not subject to MFA requirements.
Modified
p. 23 → 22
Applicability Notes This requirement is not intended to apply to user accounts within point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction.
Modified
p. 23
This requirement is not intended to apply to user accounts on point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction (such as IDs used by cashiers on point-of-sale terminals).
This requirement is not intended to apply to user accounts on point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction.
Modified
p. 24
PCI DSS Requirement Expected Testing Response (Check one response for each requirement) In Place In Place Not Applicable Not in Place 9.4 Media with cardholder data is securely stored, accessed, distributed, and destroyed.
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place Not Applicable Not in Place 9.4 Media with cardholder data is securely stored, accessed, distributed, and destroyed.
Modified
p. 25
PCI DSS Requirement Expected Testing Response (Check one response for each requirement) In Place In Place Not Applicable Not in Place 9.4.6 Hard-copy materials with cardholder data are destroyed when no longer needed for business or legal reasons, as follows:
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place Not Applicable Not in Place 9.4.6 Hard-copy materials with cardholder data are destroyed when no longer needed for business or legal reasons, as follows:
Modified
p. 26
Note: For SAQ A, Requirement 11 applies to merchant web servers that host the page(s) that either 1) redirects customers from the merchant website to a TPSP/payment processor for payment processing (for example, with a URL redirect) or 2) includes a TPSP’s/payment processor’s embedded payment page/form (for example, an inline frame or iFrame).
Note: For SAQ A, Requirement 11 applies to merchant server(s) with a webpage that either 1) redirects customers from the merchant website to a TPSP/payment processor for payment processing (for example, with a URL redirect) or 2) includes a TPSP’s/payment processor’s embedded payment page/form (for example, one or more inline frames or iframes).
Modified
p. 26
PCI DSS Requirement Expected Testing Response (Check one response for each requirement) In Place In Place Not Applicable Not in Place 11.3 External and internal vulnerabilities are regularly identified, prioritized, and addressed.
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place Not Applicable Not in Place 11.3 External and internal vulnerabilities are regularly identified, prioritized, and addressed.
Modified
p. 26
Applicability Notes For initial PCI DSS compliance, it is not required that four passing scans be completed within 12 months if the assessor verifies: 1) the most recent scan result was a passing scan, 2) the entity has documented policies and procedures requiring scanning at least once every three months, and 3) vulnerabilities noted in the scan results have been corrected as shown in a re-scan(s).
Applicability Notes For the initial PCI DSS assessment against this requirement, it is not required that four passing scans be completed within 12 months if the assessor verifies: 1) the most recent scan result was a passing scan, 2) the entity has documented policies and procedures requiring scanning at least once every three months, and 3) vulnerabilities noted in the scan results have been corrected as shown in a re-scan(s).
Modified
p. 27
PCI DSS Requirement Expected Testing Response (Check one response for each requirement) In Place In Place Not Applicable Not in Place 11.3.2.1 External vulnerability scans are performed after any significant change as follows:
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place Not Applicable Not in Place 11.3.2.1 External vulnerability scans are performed after any significant change as follows:
Removed
p. 28
• Interview responsible personnel.
This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
PCI DSS Requirement Expected Testing Response (Check one response for each requirement) In Place In Place Not Applicable Not in Place 11.6 Unauthorized changes on payment pages are detected and responded to.
Note: For SAQ A, Requirement 11.6.1 applies to a merchant’s website that includes a TPSP’s/payment processor’s embedded payment page/form (for example, an inline frame or iFrame).
Removed
p. 28
• To alert personnel to unauthorized modification (including indicators of compromise, changes, additions, and deletions) to the HTTP headers and the contents of payment pages as received by the consumer browser.
• Examine system settings and mechanism configuration settings.
• Examine monitored payment pages.
• Examine results from monitoring activities.
• Examine the mechanism configuration settings.
• Examine configuration settings.
• If applicable, examine the targeted risk analysis.
• The mechanism is configured to evaluate the received HTTP header and payment page.
• The mechanism functions are performed as follows:
• At least once every seven days OR
• Periodically (at the frequency defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1).
Applicability Notes The intention of this requirement is not that an entity installs software in the systems or browsers of its consumers, but rather that the entity uses techniques such as those described under Examples in the PCI DSS Guidance …
Modified
p. 29 → 28
Note: Requirement 12 specifies that merchants have information security policies for their personnel, but these policies can be as simple or complex as needed for the size and complexity of the merchant’s operations. The policy document must be provided to all personnel, so they are aware of their responsibilities for protecting payment terminals, any paper documents with account data, etc. If a merchant has no employees, then it is expected that the merchant understands and acknowledges their responsibility for security …
Note: Requirement 12 specifies that merchants have information security policies for their personnel, but these policies can be as simple or complex as needed for the size and complexity of the merchant’s operations. The policy document must be provided to all personnel, so they are aware of their responsibilities for protecting payment terminals, any paper documents with cardholder data and/or sensitive authentication data, etc. If a merchant has no employees, then it is expected that the merchant understands and acknowledges …
Modified
p. 29 → 28
PCI DSS Requirement Expected Testing Response (Check one response for each requirement) In Place In Place Not Applicable Not in Place 12.8 Risk to information assets associated with third-party service provider (TPSP) relationships is managed.
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place Not Applicable Not in Place 12.8 Risk to information assets associated with third-party service provider (TPSP) relationships is managed.
Modified
p. 30 → 29
PCI DSS Requirement Expected Testing Response (Check one response for each requirement) In Place In Place Not Applicable Not in Place 12.8.2 Written agreements with TPSPs are maintained as follows:
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place Not Applicable Not in Place 12.8.2 Written agreements with TPSPs are maintained as follows:
Modified
p. 30 → 29
• Written agreements include acknowledgments from TPSPs that they are responsible for the security of account data the TPSPs possess or otherwise store, process, or transmit on behalf of the entity, or to the extent that they could impact the security of the entity’s CDE.
• Written agreements include acknowledgments from TPSPs that TPSPs are responsible for the security of account data the TPSPs possess or otherwise store, process, or transmit on behalf of the entity, or to the extent that the TPSP could impact the security of the entity’s cardholder data and/or sensitive authentication data.
Modified
p. 30 → 29
Applicability Notes The exact wording of an acknowledgment will depend on the agreement between the two parties, the details of the service being provided, and the responsibilities assigned to each party. The acknowledgment does not have to include the exact wording provided in this requirement.
Applicability Notes The exact wording of an agreement will depend on the details of the service being provided, and the responsibilities assigned to each party. The agreement does not have to include the exact wording provided in this requirement.
Modified
p. 30 → 29
Evidence that a TPSP is meeting PCI DSS requirements (for example, a PCI DSS Attestation of Compliance (AOC) or a declaration on a company’s website) is not the same as a written agreement specified in this requirement.
Evidence that a TPSP is meeting PCI DSS requirements is not the same as a written acknowledgment specified in this requirement. For example, a PCI DSS Attestation of Compliance (AOC), a declaration on a company’s website, a policy statement, a responsibility matrix, or other evidence not included in a written agreement is not a written acknowledgment.
Modified
p. 37
PCI DSS Self-Assessment Questionnaire A, Version 4.0, was completed according to the instructions therein.
PCI DSS Self-Assessment Questionnaire A, Version 4.0.1, was completed according to the instructions therein.