Document Comparison

SAQ_C-VT_v3.pdf → PCI_DSS_v3-1_SAQ_C-VT_rev1-1.pdf
90% similar
32 → 35 Pages
7495 → 8540 Words
23 Content Changes

From Revision History

  • October 2008 1.2

Content Changes

23 content changes. 23 administrative changes (dates, page numbers) hidden.

Added p. 2
July 2015 3.1 1.1 Updated version numbering to align with other SAQs.
Added p. 8
Type of facility | Number of facilities of this type | Location(s) of facility (city, country)
Example: Retail outlets | 3 | Boston, MA, USA
Part 2d. Payment Application
Does the organization use one or more Payment Applications? Yes / No
Provide the following information regarding the Payment Applications your organization uses:
Added p. 14
• Review configuration standards • Examine configuration settings If SSL/early TLS is used:

• Review system configuration standards (c) Are security parameter settings set appropriately on system components?
Added p. 16
Is there documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies the devices are not susceptible to any known exploits for SSL/early TLS? • Review documentation that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS (f) For all other environments using SSL and/or early TLS:

Does the documented Risk Mitigation and Migration Plan include the following?
  • Description of usage, including: what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, type of environment;
  • Risk assessment results and risk reduction controls in place;
  • Description of processes to monitor for new vulnerabilities associated with SSL/early TLS;
  • Description of change control processes that are implemented to ensure SSL/early TLS is not implemented into new environments;
  • Overview of migration project plan including target migration completion date no later than 30th June 2016.

• Review Risk Mitigation and …
Added p. 19
Does the documented Risk Mitigation and Migration Plan include the following?
  • Description of usage, including: what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, type of environment;
  • Risk assessment results and risk reduction controls in place;
  • Description of processes to monitor for new vulnerabilities associated with SSL/early TLS;
  • Description of change control processes that are implemented to ensure SSL/early TLS is not implemented into new environments;
  • Overview of migration project plan including target migration completion date no later than 30th June 2016.

• Review Risk Mitigation and Migration Plan

• Examine system configurations (f) For POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS and for which the entity asserts are not susceptible to any known exploits for those protocols:

Is there documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies …
Modified p. 13
• Review configuration standards • Examine system configurations (b) Are all enabled insecure services, daemons, or protocols justified per documented configuration standards?
• Review configuration standards • Examine system configurations (b) Are all enabled insecure services, daemons, or protocols justified per documented configuration standards? • Review configuration standards • Interview personnel • Examine configuration settings • Compare enabled services, etc. to documented justifications
Modified p. 13 → 14
• Review configuration standards • Interview personnel • Examine configuration settings • Compare enabled services, etc. to documented justifications 2.2.3 Are additional security features documented and implemented for any required services, protocols or daemons that are considered to be insecure? For example, use secured technologies such as SSH, S-FTP, SSL or IPSec VPN to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc.
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 2.2.3 Are additional security features documented and implemented for any required services, protocols or daemons that are considered to be insecure? For example, use secured technologies such as SSH, S-FTP, TLS, or IPSec VPN to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc.
Modified p. 13 → 14
• Review configuration standards • Examine configuration settings 2.2.4 (a) Are system administrators and/or personnel that configure system components knowledgeable about common security parameter settings for those system components?
• Review documentation that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS • Review Risk Mitigation and Migration Plan 2.2.4 (a) Are system administrators and/or personnel that configure system components knowledgeable about common security parameter settings for those system components?
Modified p. 13 → 14
• Interview personnel (b) Are common system security parameter settings included in the system configuration standards? • Review system configuration standards
• Interview personnel (b) Are common system security parameter settings included in the system configuration standards?
Removed p. 14
• Examine security parameters on system components (b) Are enabled functions documented and do they support secure configuration?
Modified p. 14
• Examine system components • Examine security parameter settings • Compare settings to system configuration standards 2.2.5 (a) Has all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers, been removed?
• Examine system components • Examine security parameter settings • Compare settings to system configuration standards 2.2.5 (a) Has all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers, been removed? • Examine security parameters on system components
Modified p. 14 → 15
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A (c) Are security parameter settings set appropriately on system components?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A (b) Are enabled functions documented and do they support secure configuration?
Modified p. 14 → 15
Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
Use technologies such as SSH, VPN, or TLS for web-based management and other non-console administrative access.
Modified p. 14 → 15
• Examine system components • Examine services and files (c) Is administrator access to web-based management interfaces encrypted with strong cryptography?
• Examine system components • Examine services and files (c) Is administrator access to web-based management interfaces encrypted with strong cryptography? • Examine system components • Observe an administrator log on
Modified p. 14 → 16
• Examine system components • Observe an administrator log on (d) For the technology in use, is strong cryptography implemented according to industry best practice and/or vendor recommendations? • Examine system components • Review vendor documentation • Interview personnel
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A (d) For the technology in use, is strong cryptography implemented according to industry best practice and/or vendor recommendations? • Examine system components • Review vendor documentation • Interview personnel (e) For POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS and for which the entity asserts are not susceptible to any known exploits for those protocols:
Modified p. 16 → 18
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 4.1 (a) Are strong cryptography and security protocols, such as SSL/TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks? Examples of open, public networks include but are not limited to the Internet; wireless technologies, including 802.11 and Bluetooth; cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA); and General Packet Radio Service …
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 4.1 (a) Are strong cryptography and security protocols, such as TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks? Examples of open, public networks include but are not limited to the Internet; wireless technologies, including 802.11 and Bluetooth; cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA); and General Packet Radio Service …
Modified p. 16 → 18
• Examine system configurations (d) Is the proper encryption strength implemented for the encryption methodology in use (check vendor recommendations/best practices)?
• Examine system configurations (d) Is the proper encryption strength implemented for the encryption methodology in use (check vendor recommendations/best practices)? • Review vendor documentation • Examine system configurations
Modified p. 16 → 19
• Review vendor documentation • Examine system configurations (e) For SSL/TLS implementations, is SSL/TLS enabled whenever cardholder data is transmitted or received? For example, for browser-based implementations:
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A (e) For TLS implementations, is TLS enabled whenever cardholder data is transmitted or received? For example, for browser-based implementations:
Modified p. 20 → 23
• Review policies and procedures • Interview personnel • Observe processes 6.2 (a) Are all system components and software protected from known vulnerabilities by installing applicable vendor-supplied security patches? • Review policies and procedures (c) Are critical security patches installed within one month of release? Note: Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1.
• Review policies and procedures • Interview personnel • Observe processes 6.2 (a) Are all system components and software protected from known vulnerabilities by installing applicable vendor-supplied security patches? • Review policies and procedures (b) Are critical security patches installed within one month of release? Note: Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1.
Modified p. 22 → 25
• Review policies and procedures for physically securing media • Interview personnel 9.6 (a) Is strict control maintained over the internal or external distribution of any kind of media? • Review policies and procedures for distribution of media (d) Do controls include the following:
• Review policies and procedures for physically securing media • Interview personnel 9.6 (a) Is strict control maintained over the internal or external distribution of any kind of media? • Review policies and procedures for distribution of media (b) Do controls include the following:
Modified p. 31 → 34
Signature of QSA    Date:
Signature of Duly Authorized Officer of QSA Company    Date:
Modified p. 31 → 34
QSA Name: QSA Company:
Duly Authorized Officer Name: QSA Company:
Modified p. 32 → 35
PCI DSS Requirement | Description of Requirement | Compliant to PCI DSS Requirements (Select One: YES / NO) | Remediation Date and Actions (If “NO” selected for any Requirement)
Install and maintain a firewall configuration to protect cardholder data
Do not use vendor-supplied defaults for system passwords and other security parameters
3 Protect stored cardholder data
4 Encrypt transmission of cardholder data across open, public networks
Protect all systems against malware and regularly update anti-virus software or programs
6 Develop and maintain secure …
PCI DSS Requirement* | Description of Requirement | Compliant to PCI DSS Requirements (Select One: YES / NO) | Remediation Date and Actions (If “NO” selected for any Requirement)
Install and maintain a firewall configuration to protect cardholder data
Do not use vendor-supplied defaults for system passwords and other security parameters
3 Protect stored cardholder data
4 Encrypt transmission of cardholder data across open, public networks
Protect all systems against malware and regularly update anti-virus software or programs
6 Develop and maintain secure …