Document Comparison
SAQ_C_v3.pdf
→
PCI_DSS_v3-1_SAQ_C_rev1-1.pdf
88% similar
Pages: 46 → 51
Words: 10697 → 11845
Content changes: 57
Content Changes
57 content changes. 30 administrative changes (dates, page numbers) hidden.
Added
p. 2
July 2015 3.1 1.1 Updated to remove references to “best practices” prior to June 30, 2015.
Added
p. 8
Type of facility Number of facilities of this type Location(s) of facility (city, country) Example: Retail outlets 3 Boston, MA, USA Part 2d. Payment Application Does the organization use one or more Payment Applications? Yes No Provide the following information regarding the Payment Applications your organization uses:
Added
p. 13
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A (d) Is firmware on wireless devices updated to support strong encryption for authentication and transmission over wireless networks?
Added
p. 15
Review configuration standards Examine configuration settings If SSL/early TLS is used:
Is there documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies the devices are not susceptible to any known exploits for SSL/early TLS? Review documentation that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A (f) For all other environments using SSL and/or early TLS:
Does the documented Risk Mitigation and Migration Plan include the following? Description of usage, including; what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, type of environment; Risk assessment results and risk reduction controls in place; Description of processes to monitor for new vulnerabilities associated with SSL/early TLS; Description of change control processes that are implemented to ensure SSL/early TLS is …
Added
p. 27
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 6.2 (a) Are all system components and software protected from known vulnerabilities by installing applicable vendor-supplied security patches?
Added
p. 43
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 12.3.8 Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity?
Modified
p. 10
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 1.2 Do firewall and router configurations restrict connections between untrusted networks and any system in the cardholder data environment as follows:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 1.2 Do firewall and router configurations restrict connections between untrusted networks and any system in the cardholder data environment as follows:
Modified
p. 11
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 1.3 Is direct public access prohibited between the Internet and any system component in the cardholder data environment, as follows:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 1.3 Is direct public access prohibited between the Internet and any system component in the cardholder data environment, as follows:
Modified
p. 11 → 12
Review policies and procedures Examine vendor documentation Observe system configurations and account settings Interview personnel (b) Are unnecessary default accounts removed or disabled before installing a system on the network? Review policies and procedures Review vendor documentation Examine system configurations and account settings Interview personnel
Review policies and procedures Examine vendor documentation Observe system configurations and account settings Interview personnel (b) Are unnecessary default accounts removed or disabled before installing a system on the network? Review policies and procedures Review vendor documentation Examine system configurations and account settings Interview personnel 2.1.1 For wireless environments connected to the cardholder data environment or transmitting cardholder data, are ALL wireless vendor defaults changed at installations, as follows:
Removed
p. 12
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 2.1.1 For wireless environments connected to the cardholder data environment or transmitting cardholder data, are ALL wireless vendor defaults changed at installations, as follows:
Review policies and procedures Interview personnel Examine system configurations (d) Is firmware on wireless devices updated to support strong encryption for authentication and transmission over wireless networks?
Review policies and procedures Interview personnel Examine system configurations (d) Is firmware on wireless devices updated to support strong encryption for authentication and transmission over wireless networks?
Modified
p. 12
Review policies and procedures Review vendor documentation Interview personnel Examine system configurations (c) Are default passwords/passphrases on access points changed at installation?
Review policies and procedures Review vendor documentation Interview personnel Examine system configurations (c) Are default passwords/passphrases on access points changed at installation? Review policies and procedures Interview personnel Examine system configurations
Modified
p. 12 → 13
Review system configuration standards Review industry-accepted hardening standards Review policies and procedures Interview personnel
Review system configuration standards Review industry-accepted hardening standards Review policies and procedures Interview personnel (b) Are system configuration standards updated as new vulnerability issues are identified, as defined in Requirement 6.1?
Modified
p. 13
Review policies and procedures Interview personnel (c) Are system configuration standards applied when new systems are configured? Review policies and procedures Interview personnel (d) Do system configuration standards include all of the following:
Review policies and procedures Interview personnel (c) Are system configuration standards applied when new systems are configured? Review policies and procedures Interview personnel
Modified
p. 13 → 14
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A (b) Are system configuration standards updated as new vulnerability issues are identified, as defined in Requirement 6.1?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A (d) Do system configuration standards include all of the following:
Modified
p. 13 → 14
Examine system configurations (b) If virtualization technologies are used, is only one primary function implemented per virtual system component or device? Examine system configurations
Examine system configurations (b) If virtualization technologies are used, is only one primary function implemented per virtual system component or device?
Modified
p. 14
Examine system configurations 2.2.2 (a) Are only necessary services, protocols, daemons, etc. enabled as required for the function of the system (services and protocols not directly needed to perform the device’s specified function are disabled)? Review configuration standards Examine system configurations
Modified
p. 14 → 15
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A (b) Are all enabled insecure services, daemons, or protocols justified per documented configuration standards?
Modified
p. 14 → 15
Review configuration standards Interview personnel Examine configuration settings Compare enabled services, etc. to documented justifications 2.2.3 Are additional security features documented and implemented for any required services, protocols or daemons that are considered to be insecure? For example, use secured technologies such as SSH, S-FTP, SSL or IPSec VPN to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc.
Review configuration standards Interview personnel Examine configuration settings Compare enabled services, etc. to documented justifications 2.2.3 Are additional security features documented and implemented for any required services, protocols or daemons that are considered to be insecure? For example, use secured technologies such as SSH, S-FTP, TLS, or IPSec VPN to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc.
Modified
p. 14 → 15
Review configuration standards Examine configuration settings 2.2.4 (a) Are system administrators and/or personnel that configure system components knowledgeable about common security parameter settings for those system components?
Review documentation that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS Review Risk Mitigation and Migration Plan 2.2.4 (a) Are system administrators and/or personnel that configure system components knowledgeable about common security parameter settings for those system components?
Modified
p. 14 → 15
Interview personnel (b) Are common system security parameters settings included in the system configuration standards?
Interview personnel (b) Are common system security parameters settings included in the system configuration standards? Review system configuration standards
Modified
p. 14 → 16
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A (c) Are security parameter settings set appropriately on system components?
Modified
p. 14 → 16
Examine system components Examine security parameter settings Compare settings to system configuration standards 2.2.5 (a) Has all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers, been removed? Examine security parameters on system components
Examine system components Examine security parameter settings Compare settings to system configuration standards 2.2.5 (a) Has all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers, been removed?
Modified
p. 15 → 16
Examine security parameters on system components (b) Are enabled functions documented and do they support secure configuration?
Modified
p. 15 → 16
Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
Use technologies such as SSH, VPN, or TLS for web-based management and other non-console administrative access.
Modified
p. 15 → 17
(a) Is all non-console administrative access encrypted with strong cryptography, and is a strong encryption method invoked before the administrator’s password is requested?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A (a) Is all non-console administrative access encrypted with strong cryptography, and is a strong encryption method invoked before the administrator’s password is requested?
Modified
p. 15 → 17
Examine system components Observe an administrator log on (d) For the technology in use, is strong cryptography implemented according to industry best practice and/or vendor recommendations? Examine system components Review vendor documentation Interview personnel 2.5 Are security policies and operational procedures for managing vendor defaults and other security parameters:
Examine system components Observe an administrator log on (d) For the technology in use, is strong cryptography implemented according to industry best practice and/or vendor recommendations? Examine system components Review vendor documentation Interview personnel (e) For POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS and for which the entity asserts are not susceptible to any known exploits for those protocols:
Removed
p. 16
Incoming transaction data All logs History files Trace files Database schema Database contents 3.2.2 The card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) is not stored after authorization? Examine data sources including:
Modified
p. 17 → 20
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 3.2.3 The personal identification number (PIN) or the encrypted PIN block is not stored after authorization? Examine data sources including:
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 3.2.2 The card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) is not stored after authorization? Examine data sources including:
Modified
p. 18 → 21
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 4.1 (a) Are strong cryptography and security protocols, such as SSL/TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks? Examples of open, public networks include but are not limited to the Internet; wireless technologies, including 802.11 and Bluetooth; cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA); and General Packet Radio Service …
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 4.1 (a) Are strong cryptography and security protocols, such as TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks? Examples of open, public networks include but are not limited to the Internet; wireless technologies, including 802.11 and Bluetooth; cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA); and General Packet Radio Service …
Modified
p. 18 → 21
Examine system configurations (d) Is the proper encryption strength implemented for the encryption methodology in use (check vendor recommendations/best practices)?
Examine system configurations (d) Is the proper encryption strength implemented for the encryption methodology in use (check vendor recommendations/best practices)? Review vendor documentation Examine system configurations
Modified
p. 18 → 22
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A (e) For TLS implementations, is TLS enabled whenever cardholder data is transmitted or received? For example, for browser-based implementations:
Modified
p. 22 → 26
Review policies and procedures Interview personnel Observe processes 6.2 (a) Are all system components and software protected from known vulnerabilities by installing applicable vendor-supplied security patches?
Review policies and procedures Interview personnel Observe processes
Removed
p. 26
Note: Requirement 9.9 is a best practice until June 30, 2015, after which it becomes a requirement.
Modified
p. 26 → 31
(a) Do policies and procedures require that a list of such devices maintained?
(a) Do policies and procedures require that a list of such devices be maintained?
Modified
p. 27 → 32
Make, model of device Location of device (for example, the address of the site or facility where the device is located) Device serial number or other method of unique identification Examine the list of devices (b) Is the list accurate and up to date? Observe device locations and compare to list (c) Is the list of devices updated when devices are added, relocated, decommissioned, etc.?
Make, model of device Location of device (for example, the address of the site or facility where the device is located) Device serial number or other method of unique identification Examine the list of devices (b) Is the list accurate and up to date? Observe devices and device locations and compare to list (c) Is the list of devices updated when devices are added, relocated, decommissioned, etc.?
Removed
p. 28
(a) Do training materials for personnel at point-of-sale locations include the following? Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices. Do not install, replace, or return devices without verification. Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices). Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer).
Modified
p. 28 → 33
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 9.9.3 Are personnel trained to be aware of attempted tampering or replacement of devices, to include the following?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 9.9.3 Are personnel trained to be aware of attempted tampering or replacement of devices, to include the following? (c) Do training materials for personnel at point-of-sale locations include the following? Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices. Do not install, replace, or return devices without verification. …
Modified
p. 30 → 35
All security events Logs of all system components that store, process, or transmit CHD and/or SAD, or that could impact the security of CHD and/or SAD Logs of all critical system components Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.) Review security policies and procedures Observe processes Interview personnel 10.6.2 (b) Are logs of all other …
All security events Logs of all system components that store, process, or transmit CHD and/or SAD Logs of all critical system components Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.) Review security policies and procedures Observe processes Interview personnel 10.6.2 (b) Are logs of all other system components periodically
•either manually or via log tools
•based on the …
•either manually or via log tools
•based on the …
Modified
p. 32 → 37
Evaluate the methodology (c) Is the scan to identify authorized and unauthorized wireless access points performed at least quarterly for all system components and facilities?
Evaluate the methodology (c) If wireless scanning is utilized to identify authorized and unauthorized wireless access points, is the scan performed at least quarterly for all system components and facilities?
Modified
p. 32 → 37
Examine configuration settings 11.1.1 Is an inventory of authorized wireless access points maintained and a business justification documented for all authorized wireless access points?
Examine configuration settings 11.1.1 Is an inventory of authorized wireless access points maintained and a business justification documented for all authorized wireless access points? Examine inventory records
Modified
p. 32 → 38
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 11.1.2 (a) Does the incident response plan define and require a response in the event that an unauthorized wireless access point is detected?
Modified
p. 33 → 38
Examine incident response plan (see Requirement 12.10) (b) Is action taken when unauthorized wireless access points are found?
Modified
p. 33 → 39
Review scan reports (c) Are quarterly internal scans performed by a qualified internal resource(s) or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)? Interview personnel
Review scan reports (c) Are quarterly internal scans performed by a qualified internal resource(s) or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)?
Modified
p. 34 → 39
Interview personnel 11.2.2 (a) Are quarterly external vulnerability scans performed? Note: Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SSC).
Modified
p. 34 → 39
PCI SSC Approved Scanning Vendor (ASV)?
PCI SSC Approved Scanning Vendor (ASV)? Review results of each external quarterly scan and rescan
Modified
p. 34 → 40
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 11.2.3 (a) Are internal and external scans, and rescans as needed, performed after any significant change? Note: Scans must be performed by qualified personnel.
Modified
p. 34 → 40
Review scan reports (c) Are scans performed by a qualified internal resource(s) or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)? Interview personnel
Review scan reports (c) Are scans performed by a qualified internal resource(s) or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)? Interview personnel 11.3.4 If segmentation is used to isolate the CDE from other networks:
Removed
p. 35
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A If segmentation is used to isolate the CDE from other networks:
Modified
p. 35 → 40
(a) Are penetration-testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of-scope systems from in-scope systems?
(a) Are penetration-testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of-scope systems from systems in the CDE?
Modified
p. 35 → 40
Examine segmentation controls Review penetration-testing methodology (b) Does penetration testing to verify segmentation controls meet the following? Performed at least annually and after any changes to segmentation controls/methods Covers all segmentation controls/methods in use Verifies that segmentation methods are operational and effective, and isolate all out-of-scope systems from in-scope systems.
Examine segmentation controls Review penetration-testing methodology (b) Does penetration testing to verify segmentation controls meet the following? Performed at least annually and after any changes to segmentation controls/methods Covers all segmentation controls/methods in use Verifies that segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.
Modified
p. 35 → 41
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 11.5 (a) Is a change-detection mechanism (for example, file-integrity monitoring tools) deployed within the cardholder data environment to detect unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files? Examples of files that should be monitored include:
Modified
p. 35 → 41
System executables Application executables Configuration and parameter files Centrally stored, historical or archived, log, and audit files Additional critical files determined by entity (for example, through risk assessment or other means) Observe system settings and monitored files Examine system configuration settings
System executables Application executables Configuration and parameter files Centrally stored, historical or archived, log, and audit files Additional critical files determined by entity (for example, through risk assessment or other means) Observe system settings and monitored files Examine system configuration settings (b) Is the change-detection mechanism configured to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files or content files, and do the tools perform critical …
Removed
p. 36
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A (b) Is the change-detection mechanism configured to alert personnel to unauthorized modification of critical system files, configuration files or content files, and do the tools perform critical file comparisons at least weekly? Note: For change detection purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. Change detection mechanisms such as file-integrity monitoring products usually come pre-configured with critical files for the related operating system. Other critical files, such as those for custom applications, must be evaluated and defined by the entity (that is the merchant or service provider).
Modified
p. 38 → 43
Review usage policies Interview responsible personnel 12.3.9 Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use?
Modified
p. 45 → 50
Signature of QSA Date:
Signature of Duly Authorized Officer of QSA Company Date:
Modified
p. 45 → 50
Duly Authorized Officer Name: QSA Company:
Modified
p. 46 → 51
PCI DSS Requirement Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security parameters 3 Protect stored cardholder data Encrypt transmission of cardholder data across open, public networks Protect all systems against malware and regularly update anti-virus software or programs 6 Develop and maintain secure systems and …
PCI DSS Requirement* Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security parameters 3 Protect stored cardholder data Encrypt transmission of cardholder data across open, public networks Protect all systems against malware and regularly update anti-virus software or programs 6 Develop and maintain secure systems and …