Document Comparison
PCI_DSS_v3-1_SAQ_A_rev1-1.pdf
→
PCI-DSS-v3_2-SAQ-A.pdf
86% similar
Pages: 19 → 21
Words: 3997 → 4780
Content changes: 20
Content Changes
20 content changes. 24 administrative changes (dates, page numbers) hidden.
Added
p. 10
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
PCI DSS Question | Expected Testing | Response (check one response for each question): Yes / Yes with CCW / No / N/A
2.1 (a) Are vendor-supplied defaults always changed before installing a system on the network? (This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, Simple Network Management Protocol (SNMP) community strings, etc.)
Expected testing: Review policies and procedures; Examine vendor documentation; Observe system configurations and account settings; Interview personnel
2.1 (b) Are unnecessary default accounts removed or disabled before installing a system on the network?
Expected testing: Review policies and procedures; Review vendor documentation; Examine system configurations and account settings; Interview personnel
Added
p. 11
Requirement 8: Identify and authenticate access to system components
PCI DSS Question | Expected Testing | Response (check one response for each question): Yes / Yes with CCW / No / N/A
8.1.1 Are all users assigned a unique ID before allowing them to access system components or cardholder data?
Expected testing: Review password procedures; Interview personnel
8.1.3 Is access for any terminated users immediately deactivated or removed?
Expected testing: Review password procedures; Examine terminated users' accounts; Review current access lists; Observe returned physical authentication devices
In addition to assigning a unique ID, is one or more of the following methods employed to authenticate all users?
• Something you know, such as a password or passphrase
• Something you have, such as a token device or smart card
• Something you are, such as a biometric
Expected testing: Review password procedures; Observe authentication processes
8.2.3 (a) Are user password parameters configured to require passwords/passphrases meet the following? A minimum …
Added
p. 12
PCI DSS Question | Expected Testing | Response (check one response for each question): Yes / Yes with CCW / No / N/A
8.5 Are group, shared, or generic accounts, passwords, or other authentication methods prohibited as follows:
• Generic user IDs and accounts are disabled or removed;
• Shared user IDs for system administration activities and other critical functions do not exist; and
• Shared and generic user IDs are not used to administer any system components?
Expected testing: Review policies and procedures; Examine user ID lists; Interview personnel
Added
p. 15
Expected testing: Observe processes; Review policies and procedures and supporting documentation
12.10.1 (a) Has an incident response plan been created to be implemented in the event of system breach?
Expected testing: Review the incident response plan; Review incident response plan procedures
Appendix A2: Additional PCI DSS Requirements for Entities using SSL/early TLS
This appendix is not used for SAQ A merchant assessments.
Appendix A3: Designated Entities Supplemental Validation (DESV)
This Appendix applies only to entities designated by a payment brand(s) or acquirer as requiring additional validation of existing PCI DSS requirements. Entities required to validate to this Appendix should use the DESV Supplemental Reporting Template and Supplemental Attestation of Compliance for reporting, and consult with the applicable payment brand and/or acquirer for submission procedures.
Added
p. 19
Section 3: Validation and Attestation Details Part 3. PCI DSS Validation This AOC is based on results noted in SAQ A (Section 2), dated (SAQ completion date).
Modified
p. 4
Your company accepts only card-not-present (e-commerce or mail/telephone-order) transactions; All processing of cardholder data is entirely outsourced to PCI DSS validated third-party service providers; Your company does not electronically store, process, or transmit any cardholder data on your systems or premises, but relies entirely on a third party(s) to handle all these functions; Your company has confirmed that all third party(s) handling storage, processing, and/or transmission of cardholder data are PCI DSS compliant; and Your …
Your company accepts only card-not-present (e-commerce or mail/telephone-order) transactions; All processing of cardholder data is entirely outsourced to PCI DSS validated third-party service providers; Your company does not electronically store, process, or transmit any cardholder data on your systems or premises, but relies entirely on a third party(s) to handle all these functions; Your company has confirmed that all third party(s) handling storage, processing, and/or transmission of cardholder data are PCI DSS compliant; and Any …
Modified
p. 4
Section 1 (Part 1 & 2 of the AOC)
• Assessment Information and Executive Summary.
Section 1 (Parts 1 & 2 of the AOC)
• Assessment Information and Executive Summary.
Modified
p. 4
5. Submit the SAQ and Attestation of Compliance, along with any other requested documentation—such as ASV scan reports—to your acquirer, payment brand or other requester.
5. Submit the SAQ and Attestation of Compliance (AOC), along with any other requested documentation—such as ASV scan reports—to your acquirer, payment brand or other requester.
Removed
p. 7
ISA Name(s) (if applicable): Title:
Modified
p. 9
Merchant accepts only card-not-present (e-commerce or mail/telephone-order) transactions); All processing of cardholder data is entirely outsourced to PCI DSS validated third-party service providers; Merchant does not electronically store, process, or transmit any cardholder data on merchant systems or premises, but relies entirely on a third party(s) to handle all these functions; Merchant has confirmed that all third party(s) handling storage, processing, and/or transmission of cardholder data are PCI DSS compliant; and Merchant retains only paper reports or receipts with cardholder …
Merchant accepts only card-not-present (e-commerce or mail/telephone-order) transactions); All processing of cardholder data is entirely outsourced to PCI DSS validated third-party service providers; Merchant does not electronically store, process, or transmit any cardholder data on merchant systems or premises, but relies entirely on a third party(s) to handle all these functions; Merchant has confirmed that all third party(s) handling storage, processing, and/or transmission of cardholder data are PCI DSS compliant; and Any cardholder data the merchant retains is on paper …
Modified
p. 10
Self-assessment completion date:
Self-assessment completion date: Build and Maintain a Secure Network and Systems
Modified
p. 10 → 13
PCI DSS Question | Expected Testing | Response (check one response for each question): Yes / Yes with CCW / No / N/A
9.6.2 Is media sent by secured courier or other delivery method that can be accurately tracked?
Modified
p. 10 → 13
Interview personnel Examine media distribution tracking logs and documentation 9.7 Is strict control maintained over the storage and accessibility of media? Review policies and procedures
Interview personnel Examine media distribution tracking logs and documentation 9.7 Is strict control maintained over the storage and accessibility of media?
Modified
p. 11 → 13
Review policies and procedures 9.8 (a) Is all media destroyed when it is no longer needed for business or legal reasons? Review periodic media destruction policies and procedures (c) Is media destruction performed as follows:
Modified
p. 13 → 15
Observe processes Review policies and procedures and supporting documentation 12.8.5 Is information maintained about which PCI DSS requirements are managed by each service provider, and which are managed by the entity? Observe processes Review policies and procedures and supporting documentation
Observe processes Review policies and procedures and supporting documentation 12.8.5 Is information maintained about which PCI DSS requirements are managed by each service provider, and which are managed by the entity?
Modified
p. 17 → 19
Based on the results documented in the SAQ A noted above, the signatories identified in Parts 3b-3d, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document: (check one):
Removed
p. 18
Signature of ISA Date:
Modified
p. 18 → 20
Part 3c. QSA Acknowledgement (if applicable) If a QSA was involved or assisted with this assessment, describe the role performed:
Part 3c. Qualified Security Assessor (QSA) Acknowledgement (if applicable) If a QSA was involved or assisted with this assessment, describe the role performed:
Modified
p. 18 → 20
Part 3d. ISA Acknowledgement (if applicable) If a ISA was involved or assisted with this assessment, describe the role performed:
Part 3d. Internal Security Assessor (ISA) Involvement (if applicable) If an ISA(s) was involved or assisted with this assessment, identify the ISA personnel and describe the role performed:
Modified
p. 19 → 21
PCI DSS Requirement* | Description of Requirement | Compliant to PCI DSS Requirements (Select One): YES / NO | Remediation Date and Actions (If “NO” selected for any Requirement)
9 | Restrict physical access to cardholder data
12 | Maintain a policy that addresses information security for all personnel
* PCI DSS Requirements indicated here refer to the questions in Section 2 of the SAQ.
PCI DSS Requirement* | Description of Requirement | Compliant to PCI DSS Requirements (Select One): YES / NO | Remediation Date and Actions (If “NO” selected for any Requirement)
2 | Do not use vendor-supplied defaults for system passwords and other security parameters
8 | Identify and authenticate access to system components
9 | Restrict physical access to cardholder data
12 | Maintain a policy that addresses information security for all personnel
* PCI DSS Requirements indicated here refer to the questions in Section 2 of the SAQ.