Document Comparison

PCI-DSS-v3-2-1-SAQ-B-IP-r2.pdf → PCI-DSS-v4-0-SAQ-B-IP-r2.pdf
32% similar
36 → 46 Pages
8975 → 12362 Words
180 Content Changes

Content Changes

180 content changes. 60 administrative changes (dates, page numbers) hidden.

Added p. 2
Added “In Place with CCW” to AOC Section 3.

Added guidance for responding to future-dated requirements.

Added minor clarifications and addressed typographical errors.
Added p. 4
An exception applies for PTS POI devices classified as Secure Card Readers (SCR) and Secure Card Readers for PIN (SCRPs); merchants using SCRs or SCRPs are not eligible for this SAQ.

This SAQ is not applicable to service providers.
Added p. 5
PCI DSS is intended for all entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD) or could impact the security of the cardholder data environment (CDE). Cardholder data and sensitive authentication data are considered account data and are defined as follows:

Account Data

Cardholder Data includes: …

Sensitive Authentication Data includes:

• Full track data (magnetic-stripe data or equivalent on a chip)

• Card verification code

• PINs/PIN blocks

Refer to PCI DSS Section 2, PCI DSS Applicability Information, for further details.

1. Confirm by review of the eligibility criteria in this SAQ and the Self-Assessment Questionnaire Instructions and Guidelines document on the PCI SSC website that this is the correct SAQ for the merchant’s environment.

2. Confirm that the merchant environment is properly scoped.

• Section 1: Assessment Information (Parts 1 & 2 of the Attestation of Compliance (AOC))

Expected Testing The instructions provided in the “Expected Testing” column are based on the …
Added p. 6
• Interview: The merchant converses with individual personnel. Interview objectives may include confirmation of whether an activity is performed, descriptions of how an activity is performed, and whether personnel have particular knowledge or understanding.

The testing methods are intended to allow the merchant to demonstrate how it has met a requirement. The specific items to be examined or observed and personnel to be interviewed should be appropriate for both the requirement being assessed and the merchant’s particular implementation.

Full details of testing procedures for each requirement can be found in PCI DSS.

Requirement Responses For each requirement item, there is a choice of responses to indicate the merchant’s status regarding that requirement. Only one response should be selected for each requirement item.

A description of the meaning for each response and when to use each response is provided in the table below:

In Place The expected testing has been performed, and all elements of the …
Added p. 7
For each response where Not Applicable is selected in this SAQ, complete Appendix C: Explanation of Requirements Noted as Not Applicable.
Added p. 7
Legal Exception If your organization is subject to a legal restriction that prevents the organization from meeting a PCI DSS requirement, select Not in Place for that requirement and complete the relevant attestation in Section 3, Part 3 of this SAQ.

Note: A legal restriction is one where meeting the PCI DSS requirement would violate a local or regional law or regulation.

Contractual obligations or legal advice are not legal restrictions.

Use of the Customized Approach SAQs cannot be used to document use of the Customized Approach to meet PCI DSS requirements. For this reason, the Customized Approach Objectives are not included in SAQs. Entities wishing to validate using the Customized Approach may be able to use the PCI DSS Report on Compliance (ROC) Template to document the results of their assessment.

The use of the customized approach may be regulated by organizations that manage compliance programs, such as payment brands and acquirers. Questions …
Added p. 10
Indicate all payment channels used by the business that are included in this assessment.

• Mail order/telephone order (MOTO)

• E-Commerce

• Card-present

Are any payment channels not included in this assessment? If yes, indicate which channel(s) is not included in the assessment and provide a brief explanation about why the channel was excluded.

Part 2b. Description of Role with Payment Cards
For each payment channel included in this assessment as selected in Part 2a above, describe how the business stores, processes and/or transmits account data.

Channel | How Business Stores, Processes, and/or Transmits Account Data

Part 2c. Description of Payment Card Environment
Provide a high-level description of the environment covered by this assessment. For example:

• Connections into and out of the cardholder data environment (CDE).

• Critical system components within the CDE, such as POI devices, databases, web servers, etc., and any other necessary payment components, as applicable.

• System components that could impact the security of account …
Added p. 11
Facility Type | Total number of locations (how many locations of this type are in scope) | Location(s) of facility (city, country)
Example: Data centers | 3 | Boston, MA, USA

Part 2e. PCI SSC Validated Products and Solutions
Does the merchant use any item identified on any PCI SSC Lists of Validated Products and Solutions? Provide the following information regarding each item the merchant uses from PCI SSC’s Lists of Validated Products and Solutions.

Name of PCI SSC-validated Product or Solution | Version of Product or Solution | PCI SSC Standard to which product or solution was validated | PCI SSC listing reference number | Expiry date of listing (YYYY-MM-DD)

For purposes of this document, “Lists of Validated Products and Solutions” means the lists of validated products, solutions, and/or components appearing on the PCI SSC website (www.pcisecuritystandards.org), for example, 3DS Software Development Kits, Approved PTS Devices, Validated Payment Software, Payment Applications (PA-DSS), Point to Point Encryption (P2PE) solutions, Software-Based PIN Entry …
Added p. 13
PCI DSS Requirement* | Requirement Responses (more than one response may be selected for a given requirement; indicate all responses that apply): In Place, In Place with CCW, Not Applicable, Not in Place

* PCI DSS Requirements indicated above refer to the requirements in Section 2 of this SAQ.
Added p. 14
The merchant uses only standalone, PCI-listed approved PTS POI devices (excludes SCRs and SCRPs) connected via IP to merchant’s payment processor to take customers’ payment card information.

The standalone IP-connected POI devices are validated to the PTS POI program as listed on the PCI SSC website (excludes SCRs and SCRPs).

The standalone IP-connected PTS POI devices are not connected to any other systems within the merchant environment (this can be achieved via network segmentation to isolate PTS POI devices from other systems).

The only transmission of account data is from the approved PTS POI devices to the payment processor.

The PTS POI device does not rely on any other device (e.g., computer, mobile phone, tablet, etc.) to connect to the payment processor.

The merchant does not store account data in electronic format.

Any account data the merchant might retain is on paper (for example, printed reports or receipts), and these documents are not received electronically.

PCI DSS …
Added p. 15
• Examine network diagrams.

Applicability Notes A current network diagram(s) or other technical or topological solution that identifies network connections and devices can be used to meet this requirement.
Added p. 15
• Examine configuration settings.

♦ Refer to the “Requirement Responses” section (page v) for information about the meaning of these response options.

• Examine network diagrams.

• Examine configuration settings.

PCI DSS Requirement | Expected Testing | Response♦ (check one response for each requirement: In Place, In Place with CCW, Not Applicable, Not in Place)
1.3 Network access to and from the cardholder data environment is restricted.
Added p. 16
• To only traffic that is necessary.

• To only traffic that is necessary.

• All other traffic is specifically denied.

• All other traffic is specifically denied.

• Examine NSC configuration standards.

• Examine NSC configuration standards.
Added p. 16
• All wireless traffic from wireless networks into the CDE is denied by default.

• Only wireless traffic with an authorized business purpose is allowed into the CDE.
Added p. 16
• Examine NSC documentation.

Requirement 2: Apply Secure Configurations to All System Components

PCI DSS Requirement | Expected Testing | Response♦ (check one response for each requirement: In Place, In Place with CCW, Not Applicable, Not in Place)
2.2 System components are configured and managed securely.
Added p. 17
• If the vendor default account(s) will be used, the default password is changed per Requirement 8.3.6.

• If the vendor default account(s) will not be used, the account is removed or disabled.

• Observe a system administrator logging on using vendor default accounts.

• Examine configuration files.

Applicability Notes This applies to ALL vendor default accounts and passwords, including, but not limited to, those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, and Simple Network Management Protocol (SNMP) defaults. This requirement also applies where a system component is not installed within an entity’s environment, for example, software and applications that are part of the CDE and are accessed via a cloud subscription service.

Note: For SAQ B-IP, this requirement applies to firewall/router devices on the merchant’s network that connect its PTS POI devices to the payment processor.
Added p. 17
• Examine vendor documentation.

Applicability Notes This includes administrative access via browser-based interfaces and application programming interfaces (APIs).
Added p. 18
PCI DSS Requirement | Expected Testing | Response♦ (check one response for each requirement: In Place, In Place with CCW, Not Applicable, Not in Place)
2.3 Wireless environments are configured and managed securely.
Added p. 18
• Default wireless encryption keys.

• Passwords on wireless access points.

• Any other security-related wireless vendor defaults.
Added p. 18
Applicability Notes This includes, but is not limited to, default wireless encryption keys, passwords on wireless access points, SNMP defaults, and any other security-related wireless vendor defaults.

• Whenever personnel with knowledge of the key leave the company or the role for which the knowledge was necessary.

• Whenever a key is suspected of or known to be compromised.
Added p. 19
Requirement 3: Protect Stored Account Data

Note: For SAQ B-IP, Requirement 3 applies only to merchants with paper records that include account data (for example, receipts or printed reports).

PCI DSS Requirement | Expected Testing | Response♦ (check one response for each requirement: Not Applicable, Not in Place)
3.1 Processes and mechanisms for protecting stored account data are defined and understood.
Added p. 19
Selection of any of the In Place responses for Requirement 3.1.1 means that, if the merchant has paper storage of account data, the merchant has policies and procedures in place that govern merchant activities for Requirement 3. This helps to ensure personnel are aware of and following security policies and documented operational procedures for managing the secure storage of any paper records with account data.

If merchant does not store paper records with account data, mark this requirement as Not Applicable and complete Appendix C: Explanation of Requirements Noted as Not Applicable.
Added p. 19
• Observe the secure data deletion processes.
Added p. 20
PCI DSS Requirement | Expected Testing | Response♦ (check one response for each requirement: Not Applicable, Not in Place)
3.3.1 (cont.) Part of this Applicability Note was intentionally removed for this SAQ as it does not apply to merchant assessments. Sensitive authentication data includes the data cited in Requirements 3.3.1.1 through 3.3.1.2.
Added p. 20
Applicability Notes In the normal course of business, the following data elements from the track may need to be retained:

• Primary account number (PAN).

• Service code.

To minimize risk, store securely only these data elements as needed for business.
Added p. 20
Applicability Notes The card verification code is the three- or four-digit number printed on the front or back of a payment card used to verify card-not-present transactions.

Selection of any of the In Place responses for Requirement 3.3.1.2 means that if the merchant writes down the card verification code while a transaction is being conducted, the merchant either securely destroys the paper (for example, with a shredder) immediately after the transaction is complete, or obscures the code (for example, by “blacking it out” with a marker) before the paper is stored.

If the merchant never requests the three-digit or four-digit number printed on the front or back of a payment card (“card verification code”), mark this requirement as Not Applicable and complete Appendix C: Explanation of Requirements Noted as Not Applicable.

PCI DSS Requirement | Expected Testing | Response♦ (check one response for each requirement: Not Applicable, Not in Place)
3.3.1.3 The personal identification number …
Added p. 21
• Examine the documented list of roles that need access to more than the BIN and last four digits of the PAN (includes full PAN).

• Examine displays of PAN (for example, on screen, on paper receipts).

Applicability Notes This requirement does not supersede stricter requirements in place for displays of cardholder data, for example, legal or payment brand requirements for point-of-sale (POS) receipts.

This requirement relates to protection of PAN where it is displayed on screens, paper receipts, printouts, etc., and is not to be confused with Requirement 3.5.1 for protection of PAN when stored, processed, or transmitted.

Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks

PCI DSS Requirement | Expected Testing | Response♦ (check one response for each requirement: In Place, In Place with CCW, Not Applicable, Not in Place)
4.2 PAN is protected with strong cryptography during transmission.
Added p. 22
• Only trusted keys and certificates are accepted.

• Examine cardholder data transmissions.

• Certificates used to safeguard PAN during transmission over open, public networks are confirmed as valid and are not expired or revoked. This bullet is a best practice until its effective date; refer to Applicability Notes below for details.

• The protocol in use supports only secure versions or configurations and does not support fallback to, or use of insecure versions, algorithms, key sizes, or implementations.

• The encryption strength is appropriate for the encryption methodology in use.

PCI DSS Requirement | Expected Testing | Response♦ (check one response for each requirement: In Place, In Place with CCW, Not Applicable, Not in Place)
4.2.1 (cont.) Part of this Applicability Note was intentionally removed as it does not apply to this SAQ. The bullet above (for confirming that certificates used to safeguard PAN during transmission over open, public networks are valid and are not expired …
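The 4.2.1 bullets above (only trusted certificates accepted, certificates valid and not expired, no fallback to insecure protocol versions) map directly onto a client TLS configuration. The following is an added example, not text from either SAQ revision, showing a weak Python `ssl` client context beside a hardened one, a checker for the three properties, and a validity-window check on a `getpeercert()`-style certificate dictionary. The certificate dictionary and the `processor.example` host name are constructed for illustration; the POI-to-processor connection itself is not opened unless the script is run directly.

```python
import ssl
import time
from typing import Optional

# Constructed sample, in the shape returned by SSLSocket.getpeercert():
# a certificate valid for calendar year 2024 (not a real processor cert).
SAMPLE_CERT = {
    "subject": ((("commonName", "processor.example"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}


def weak_context() -> ssl.SSLContext:
    """A client context that would NOT satisfy 4.2.1: it accepts any certificate
    (no trust check, no hostname check) and allows negotiation down to the
    oldest protocol the library supports (SSL/early TLS, cf. Appendix A2)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """A client context aligned with the 4.2.1 bullets: peer certificate must
    chain to a trusted CA (system store or the given cafile), must match the
    host name, and TLS 1.2 is the floor so no fallback to TLS 1.0/1.1 occurs."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Caveat: expiry is enforced by chain validation, but revocation is not.
    # Revocation checking needs CRLs loaded via load_verify_locations() plus
    # ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF, or an OCSP check elsewhere.
    return ctx


def meets_4_2_1(ctx: ssl.SSLContext) -> dict:
    """Report which of the 4.2.1 properties a client context enforces."""
    return {
        "trusted_certs_only": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_checked": bool(ctx.check_hostname),
        "no_early_tls": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
    }


def cert_is_current(cert: dict, now: Optional[float] = None) -> bool:
    """True if `now` (epoch seconds, default: current time) lies within the
    certificate's notBefore..notAfter window. Uses the stdlib parser for the
    'Mon DD HH:MM:SS YYYY GMT' format that getpeercert() returns."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= now <= not_after


def check_endpoint(host: str, port: int = 443) -> dict:
    """Connect with the hardened context and return the negotiated version and
    whether the presented certificate is inside its validity window.
    (Only run when the script is executed directly; needs network access.)"""
    ctx = hardened_context()
    with ctx.wrap_socket(__import__("socket").create_connection((host, port)),
                         server_hostname=host) as tls:
        return {
            "version": tls.version(),
            "cert_current": cert_is_current(tls.getpeercert()),
        }


if __name__ == "__main__":
    print("weak:", meets_4_2_1(weak_context()))
    print("hardened:", meets_4_2_1(hardened_context()))
    print("sample cert current today:", cert_is_current(SAMPLE_CERT))
    # Uncomment to test a live processor endpoint (assumed host name):
    # print(check_endpoint("processor.example"))
```

The `meets_4_2_1` report is what an assessor would expect to see alongside the "Examine configuration settings" evidence: the weak context fails all three properties, the hardened one passes them, and the explicit `minimum_version` floor is the setting that rules out the SSL/early TLS fallback that Appendix A2 addresses for POI terminals.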
Added p. 24
• New security vulnerabilities are identified using industry-recognized sources for security vulnerability information, including alerts from international and national computer emergency response teams (CERTs).

• Vulnerabilities are assigned a risk ranking based on industry best practices and consideration of potential impact.

• Risk rankings identify, at a minimum, all vulnerabilities considered to be a high-risk or critical to the environment.
Added p. 24
Applicability Notes This requirement is not achieved by, nor is it the same as, vulnerability scans performed for Requirements 11.3.1 and 11.3.2. This requirement is for a process to actively monitor industry sources for vulnerability information and for the entity to determine the risk ranking to be associated with each vulnerability.

PCI DSS Requirement | Expected Testing | Response♦ (check one response for each requirement: In Place, In Place with CCW, Not Applicable, Not in Place)
6.3.3 All system components are protected from known vulnerabilities by installing applicable security patches/updates as follows:

Requirement 7: Restrict Access to System Components and Cardholder Data by Business Need to Know

♦ Refer to the “Requirement Responses” section (page v) for information about these response options.

PCI DSS Requirement | Expected Testing | Response♦ (check one response for each requirement: In Place, In Place with CCW, Not Applicable, Not in Place)
7.2 Access to system components and data is appropriately defined …
Added p. 26
• Job classification and function.

• Examine user access settings, including for privileged users.

• Interview personnel responsible for assigning access.

PCI DSS Requirement | Expected Testing | Response♦ (check one response for each requirement: In Place, In Place with CCW, Not Applicable, Not in Place)
8.1 Processes and mechanisms for identifying users and authenticating access to system components are defined and understood.

Selection of any of the In Place responses for Requirement 8.1.1 means that the merchant has policies and procedures in place that govern merchant activities for Requirement 8.
Added p. 27
• Account use is prevented unless needed for an exceptional circumstance.

• Use is limited to the time needed for the exceptional circumstance.

• Business justification for use is documented.

• Use is explicitly approved by management.

• Individual user identity is confirmed before access to an account is granted.

• Every action taken is attributable to an individual user.

• Examine user account lists on system components and applicable documentation.

• Examine authentication policies and procedures.

PCI DSS Requirement | Expected Testing | Response♦ (check one response for each requirement: In Place, In Place with CCW, Not Applicable, Not in Place)
8.2.2 (cont.) This requirement is not intended to apply to user accounts within point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction (such as IDs used by cashiers on point-of-sale terminals).
Added p. 28
• Enabled only during the time period needed and disabled when not in use.

• Use is monitored for unexpected activity.

• Examine documentation for managing accounts.
Added p. 28
• All remote access by all personnel, both users and administrators, originating from outside the entity’s network.

• All remote access by third parties and vendors.

• Examine network and/or system configurations for remote access servers and systems.

Applicability Notes The requirement for MFA for remote access originating from outside the entity’s network applies to all user accounts that can access the network remotely, where that remote access leads to or could lead to access into the CDE.

If remote access is to a part of the entity’s network that is properly segmented from the CDE, such that remote users cannot access or impact the CDE, MFA for remote access to that part of the network is not required. However, MFA is required for any remote access to networks with access to the CDE and is recommended for all remote access to the entity’s networks.

The MFA requirements apply for all types of system components, …
Added p. 29
• Observe locations of publicly accessible network jacks.
Added p. 29
Note: For SAQ B-IP, Requirements at 9.4 only apply to merchants with paper records (for example, receipts or printed reports) with account data, including primary account numbers (PANs).
Added p. 29
• Interview responsible personnel at the storage location(s).

PCI DSS Requirement | Expected Testing | Response♦ (check one response for each requirement: In Place, In Place with CCW, Not Applicable, Not in Place)
9.4.2 All media with cardholder data is classified in accordance with the sensitivity of the data.
Added p. 30
• Examine offsite tracking logs for all media.

• Examine offsite media tracking logs.

Applicability Notes Individuals approving media movements should have the appropriate level of management authority to grant this approval. However, it is not specifically required that such individuals have “manager” as part of their title.

• Materials are stored in secure storage containers prior to destruction.

• Examine the periodic media destruction policy.

• Observe storage containers.

Applicability Notes These requirements for media destruction when that media is no longer needed for business or legal reasons are separate and distinct from PCI DSS Requirement 3.2.1, which is for securely deleting cardholder data when no longer needed per the entity’s cardholder data retention policies.

Selection of any of the In Place responses for Requirements at 9.4 means that the merchant securely stores any paper media with account data, for example by storing the paper in a locked drawer, cabinet, or safe, and that the merchant …
Added p. 32
• Maintaining a list of POI devices.

• Periodically inspecting POI devices to look for tampering or unauthorized substitution.

Applicability Notes These requirements apply to deployed POI devices used in card-present transactions (that is, a payment card form factor such as a card that is swiped, tapped, or dipped). This requirement is not intended to apply to manual PAN key-entry components such as computer keyboards.

This requirement is recommended, but not required, for manual PAN key-entry components such as computer keyboards. This requirement does not apply to commercial off-the-shelf (COTS) devices (for example, smartphones or tablets), which are mobile merchant-owned devices designed for mass-market distribution.
Added p. 32
• Make and model of the device.

• Location of device.

• Device serial number or other methods of unique identification.

• Observe POI devices and device locations.
Added p. 33
PCI DSS Requirement | Expected Testing | Response♦ (check one response for each requirement: In Place, In Place with CCW, Not Applicable, Not in Place)
9.5.1.3 Training is provided for personnel in POI environments to be aware of attempted tampering or replacement of POI devices, and includes:

• Verifying the identity of any third-party persons claiming to be repair or maintenance personnel, before granting them access to modify or troubleshoot devices.

• Procedures to ensure devices are not installed, replaced, or returned without verification.

• Being aware of suspicious behavior around devices.

• Reporting suspicious behavior and indications of device tampering or substitution to appropriate personnel.

Selection of any of the In Place responses for Requirements at 9.5 means that the merchant has policies and procedures in place for Requirements 9.5.1, 9.5.1.1, 9.5.1.2, and 9.5.1.3, and that they maintain a current list of devices, conduct periodic device inspections, and train employees about what to look for to …
Added p. 34
• At least once every three months.

• By a PCI SSC Approved Scanning Vendor (ASV).

• Vulnerabilities are resolved and ASV Program Guide requirements for a passing scan are met.

• Rescans are performed as needed to confirm that vulnerabilities are resolved per the ASV Program Guide requirements for a passing scan.

Applicability Notes For initial PCI DSS compliance, it is not required that four passing scans be completed within 12 months if the assessor verifies: 1) the most recent scan result was a passing scan, 2) the entity has documented policies and procedures requiring scanning at least once every three months, and 3) vulnerabilities noted in the scan results have been corrected as shown in a re-scan(s).

However, for subsequent years after the initial PCI DSS assessment, passing scans at least every three months must have occurred.

ASV scanning tools can scan a vast array of network types and topologies. Any specifics about the …
Added p. 35
• At least once every 12 months and after any changes to segmentation controls/methods.

• Covering all segmentation controls/methods in use.

• Bullet intentionally left blank for this SAQ

• Confirming effectiveness of any use of isolation to separate systems with differing security levels (see Requirement 2.2.3).

• Performed by a qualified internal resource or qualified external third party.

• Organizational independence of the tester exists (not required to be a QSA or ASV).

Requirement 12: Support Information Security with Organizational Policies and Programs

Note: Requirement 12 specifies that merchants have information security policies for their personnel, but these policies can be as simple or complex as needed for the size and complexity of the merchant’s operations. The policy document must be provided to all personnel so they are aware of their responsibilities for protecting payment terminals, any paper documents with account data, etc. If a merchant has no employees, then it is expected that the merchant …
Added p. 36
• Disseminated to all relevant personnel, as well as to relevant vendors and business partners.
Added p. 36
• Updated as needed to reflect changes to business objectives or risks to the environment.

Selection of any of the In Place responses for Requirements 12.1.1 and 12.1.2 means that the merchant has a security policy that is reasonable for the size and complexity of the merchant’s operations, and that the policy is reviewed at least once every 12 months and updated if needed.

For example, such a policy could be a simple document that covers how to protect the store and payment devices in accordance with the solution provider’s guidance/instruction manual, and who to call in an emergency.

PCI DSS Requirement | Expected Testing | Response♦ (check one response for each requirement: In Place, In Place with CCW, Not Applicable, Not in Place)
12.1.3 The security policy clearly defines information security roles and responsibilities for all personnel, and all personnel are aware of and acknowledge their information security responsibilities.

• Examine documented evidence.

Selection of any …
Added p. 37
• Examine the security awareness program.

Selection of any of the In Place responses for Requirement 12.6.1 means that the merchant has a security awareness program in place, consistent with the size and complexity of the merchant’s business operations. For example, a simple awareness program could be a flyer posted in the back office, or a periodic e-mail sent to all employees. Examples of awareness program messaging include descriptions of security tips all employees should follow, such as how to lock doors and storage containers, how to determine whether a payment terminal has been tampered with, and processes to confirm the identity and verify there is a legitimate business reason for any service workers when they arrive to service payment terminals.
Added p. 37
• Examine list of TPSPs.

Applicability Notes The use of a PCI DSS compliant TPSP does not make an entity PCI DSS compliant, nor does it remove the entity’s responsibility for its own PCI DSS compliance.

PCI DSS Requirement | Expected Testing | Response♦ (check one response for each requirement: In Place, In Place with CCW, Not Applicable, Not in Place)
12.8.2 Written agreements with TPSPs are maintained as follows:

• Written agreements include acknowledgments from TPSPs that they are responsible for the security of account data the TPSPs possess or otherwise store, process, or transmit on behalf of the entity, or to the extent that they could impact the security of the entity’s CDE.

Applicability Notes The exact wording of an acknowledgment will depend on the agreement between the two parties, the details of the service being provided, and the responsibilities assigned to each party. The acknowledgment does not have to include the exact wording …
Added p. 38
Applicability Notes Where an entity has an agreement with a TPSP for meeting PCI DSS requirements on behalf of the entity (for example, via a firewall service), the entity must work with the TPSP to make sure the applicable PCI DSS requirements are met. If the TPSP does not meet those applicable PCI DSS requirements, then those requirements are also “not in place” for the entity.

PCI DSS Requirement | Expected Testing | Response♦ (check one response for each requirement: In Place, In Place with CCW, Not Applicable, Not in Place)
12.8.5 Information is maintained about which PCI DSS requirements are managed by each TPSP, which are managed by the entity, and any that are shared between the TPSP and the entity.

Selection of any of the In Place responses for requirements at 12.8.1 through 12.8.5 means that the merchant has a list of, and agreements with, service providers it shares account data with …
Added p. 39
• Examine documentation from previously reported incidents.

Selection of any of the In Place responses for Requirement 12.10.1 means that the merchant has documented an incident response and escalation plan to be used for emergencies, consistent with the size and complexity of the merchant’s operations. For example, such a plan could be a simple document posted in the back office that lists who to call in the event of various situations with an annual review to confirm it is still accurate, but could extend all the way to a full incident response plan including backup “hotsite” facilities and thorough annual testing. This plan should be readily available to all personnel as a resource in an emergency.

PCI DSS Requirement | Expected Testing | Response♦ (check one response for each requirement: In Place, In Place with CCW, Not Applicable, Not in Place)
A2.1 POI terminals using SSL and/or early TLS are not susceptible to known …
Added p. 44
Target Date for Compliance: YYYY-MM-DD A merchant submitting this form with a Non-Compliant status may be required to complete the Action Plan in Part 4 of this document. Confirm with the entity to which this AOC will be submitted before completing Part 4.

Compliant but with Legal exception: One or more requirements in the PCI DSS SAQ are marked as Not in Place due to a legal restriction that prevents the requirement from being met and all other requirements are marked as being either 1) In Place, 2) In Place with CCW, or 3) Not Applicable, resulting in an overall COMPLIANT BUT WITH LEGAL EXCEPTION rating; thereby (Merchant Company Name) has demonstrated compliance with all PCI DSS requirements included in this SAQ except those noted as Not in Place due to a legal restriction.

This option requires additional review from the entity to which this AOC will be submitted. If selected, complete …
Added p. 45
PCI DSS controls will be maintained at all times, as applicable to the merchant’s environment.

QSA performed testing procedures.

QSA provided other assistance.

If selected, describe all role(s) performed:

If selected, describe all role(s) performed:

Signature of Lead QSA | Date: YYYY-MM-DD | Lead QSA Name:

ISA(s) performed testing procedures.

ISA(s) provided other assistance.
Added p. 46
If asked to complete this section, select the appropriate response for “Compliant to PCI DSS Requirements” for each requirement below. For any “No” responses, include the date the merchant expects to be compliant with the requirement and a brief description of the actions being taken to meet the requirement.

PCI DSS Requirement* | Description of Requirement | Compliant to PCI DSS Requirements (select one: YES / NO) | Remediation Date and Actions (if “NO” selected for any Requirement)

1 Install and maintain network security controls
2 Apply secure configurations to all system components
3 Protect stored account data
4 Protect cardholder data with strong cryptography during transmission over open, public networks
6 Develop and maintain secure systems and software
7 Restrict access to system components and cardholder data by business need to know
8 Identify users and authenticate access to system components
9 Restrict physical access to cardholder data
11 Test security systems and networks …
Removed p. 2
This document aligns with PCI DSS v3.2.1 r1.
Removed p. 4
1. Identify the applicable SAQ for your environment – refer to the Self-Assessment Questionnaire Instructions and Guidelines document on PCI SSC website for information.

2. Confirm that your environment is properly scoped and meets the eligibility criteria for the SAQ you are using (as defined in Part 2g of the Attestation of Compliance).
Modified p. 4
SAQ B-IP merchants may be either brick-and-mortar (card-present) or mail/telephone-order (card-not-present) merchants, and do not store cardholder data on any computer system.
SAQ B-IP merchants may be either brick-and-mortar (card-present) or mail/telephone-order (card-not-present) merchants, and do not store account data on any computer system.
Modified p. 4
Your company uses only standalone, PTS-approved point-of-interaction (POI) devices (excludes SCRs) connected via IP to your payment processor to take your customers’ payment card information;
The merchant uses only standalone, PCI-listed approved1 PTS POI devices (excludes SCRs and SCRPs) connected via IP to merchant’s payment processor to take customers’ payment card information;
Modified p. 4
• The standalone IP-connected POI devices are validated to the PTS POI program as listed on the PCI SSC website (excludes SCRs);
• The standalone, IP-connected POI devices are validated to the PTS POI program as listed on the PCI SSC website (excludes SCRs and SCRPs);
Modified p. 4
• The standalone IP-connected POI devices are not connected to any other systems within your environment (this can be achieved via network segmentation to isolate POI devices from other systems)1;
• The standalone, IP-connected PTS POI devices are not connected to any other systems within the merchant environment (this can be achieved via network segmentation to isolate PTS POI devices from other systems)2;
Modified p. 4
• The only transmission of cardholder data is from the PTS-approved POI devices to the payment processor;
• The only transmission of account data is from the approved PTS POI devices to the payment processor;
Modified p. 4
• The POI device does not rely on any other device (e.g., computer, mobile phone, tablet, etc.) to connect to the payment processor;
• The PTS POI device does not rely on any other device (e.g., computer, mobile phone, tablet, etc.) to connect to the payment processor;
Modified p. 4
• Any cardholder data your company retains is on paper (for example, printed reports or receipts), and these documents are not received electronically; and
• Any account data the merchant might retain is on paper (for example, printed reports or receipts), and these documents are not received electronically.
Modified p. 4
Your company does not store cardholder data in electronic format.
The merchant does not store account data in electronic format; and
Modified p. 4
This shortened version of the SAQ includes questions that apply to a specific type of small merchant environment, as defined in the above eligibility criteria. If there are PCI DSS requirements applicable to your environment that are not covered in this SAQ, it may be an indication that this SAQ is not suitable for your environment. Additionally, you must still comply with all applicable PCI DSS requirements in order to be PCI DSS compliant.
This SAQ includes only those requirements that apply to a specific type of merchant environment, as defined in the above eligibility criteria. If there are PCI DSS requirements applicable to the cardholder data environment that are not covered in this SAQ, it may be an indication that this SAQ is not suitable for the merchant’s environment.
Modified p. 4 → 5
3. Assess your environment for compliance with applicable PCI DSS requirements.
3. Assess the environment for compliance with PCI DSS requirements.
Removed p. 5
• Section 3 (Parts 3 & 4 of the AOC)

Understanding the Self-Assessment Questionnaire

The questions contained in the “PCI DSS Question” column in this self-assessment questionnaire are based on the requirements in the PCI DSS.

PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms

• Descriptions and definitions of terms used in the PCI DSS and self-assessment questionnaires These and other resources can be found on the PCI SSC website (www.pcisecuritystandards.org). Organizations are encouraged to review the PCI DSS and other supporting documents before beginning an assessment.

Expected Testing

The instructions provided in the “Expected Testing” column are based on the testing procedures in the PCI DSS, and provide a high-level description of the types of testing activities that should be performed in order to verify that a requirement has been met. Full details of testing procedures for each requirement can be found in the PCI DSS.
Modified p. 5
• Section 1 (Parts 1 & 2 of the AOC)
• Section 3: Validation and Attestation Details (Parts 3 & 4 of the AOC
Modified p. 5
Assessment Information and Executive Summary
Contact Information and Executive Summary).
Modified p. 5
PCI DSS Self-Assessment Questionnaire (SAQ B-IP)
Section 2: Self-Assessment Questionnaire B-IP.
Modified p. 5
• Validation and Attestation Details and Action Plan for Non-Compliant Requirements (if applicable)
PCI DSS Validation and Action Plan for Non-Compliant Requirements (if Part 4 is applicable)).
Modified p. 5
5. Submit the SAQ and Attestation of Compliance (AOC), along with any other requested documentation, such as ASV scan reports, to your acquirer, payment brand, or other requester.
5. Submit the SAQ and AOC, along with any other requested documentation, such as ASV scan reports, to the requesting organization (those organizations that manage compliance programs such as payment brands and acquirers).
Modified p. 5 → 8
(PCI Data Security Standard Requirements and Security Assessment Procedures)
PCI Data Security Standard Requirements and Testing Procedures (PCI DSS)
Modified p. 5 → 8
• Guidance on Compensating Controls SAQ Instructions and Guidelines documents
• Guidance on Compensating Controls
Modified p. 5 → 8
• How to determine which SAQ is right for your organization
• How to determine which SAQ is right for your organization Frequently Asked Questions (FAQs)

• Guidance and information about SAQs.
Removed p. 6
A description of the meaning for each response is provided in the table below:

Yes The expected testing has been performed, and all elements of the requirement have been met as stated.

Yes with CCW (Compensating Control Worksheet) The expected testing has been performed, and the requirement has been met with the assistance of a compensating control.

All responses in this column require completion of a Compensating Control Worksheet (CCW) in Appendix B of the SAQ.

Information on the use of compensating controls and guidance on how to complete the worksheet is provided in the PCI DSS.

No Some or all elements of the requirement have not been met, or are in the process of being implemented, or require further testing before it will be known if they are in place.

(Not Applicable) The requirement does not apply to the organization’s environment. (See Guidance for Non-Applicability of Certain, Specific Requirements below for examples.) All responses in …
Modified p. 7 → 9
Section 1: Assessment Information Instructions for Submission This document must be completed as a declaration of the results of the merchant’s self-assessment with the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS). Complete all sections: The merchant is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact your acquirer (merchant bank) or the payment brands to determine reporting and submission procedures.
Section 1: Assessment Information Instructions for Submission This document must be completed as a declaration of the results of the merchant’s self-assessment against the Payment Card Industry Data Security Standard (PCI DSS) Requirements and Testing Procedures. Complete all sections. The merchant is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact the entity(ies) to which the Attestation of Compliance (AOC) will be submitted for reporting and submission procedures.
Modified p. 7 → 9
Part 1b. Qualified Security Assessor Company Information (if applicable) Company Name:
Qualified Security Assessor Company name:
Modified p. 7 → 10
Note: If your organization has a payment channel or process that is not covered by this SAQ, consult your acquirer or payment brand about validation for the other channels.
Note: If the organization has a payment channel that is not covered by this SAQ, consult with the entity(ies) to which this AOC will be submitted about validation for the other channels.
Removed p. 8
Type of facility | Number of facilities of this type | Location(s) of facility (city, country)
Example: Retail outlets | 3 | Boston, MA, USA

Part 2d. Payment Applications

Does the organization use one or more Payment Applications? Yes No

Provide the following information regarding the Payment Applications your organization uses:

Payment Application | Version Number | Application | Is application PA-DSS Listed? | PA-DSS Listing Expiry date (if applicable)

Part 2e. Description of Environment

Provide a high-level description of the environment covered by this assessment.

For example:

• Connections into and out of the cardholder data environment (CDE).

• Critical system components within the CDE, such as POS devices, databases, web servers, etc., and any other necessary payment components, as applicable.
Modified p. 8 → 10
Does your business use network segmentation to affect the scope of your PCI DSS environment? (Refer to “Network Segmentation” section of PCI DSS for guidance on network segmentation.)
Indicate whether the environment includes segmentation to reduce the scope of the assessment. (Refer to “Segmentation” section of PCI DSS for guidance on segmentation.)
Removed p. 9
Description of services provided by QIR:

Does your company share cardholder data with any third-party service providers (for example, Qualified Integrator & Resellers (QIR), gateways, payment processors, payment service providers (PSP), web-hosting companies, airline booking agents, loyalty program agents, etc.)? Name of service provider: Description of services provided:

Part 2g. Eligibility to Complete SAQ B-IP Merchant certifies eligibility to complete this shortened version of the Self-Assessment Questionnaire because, for this payment channel:

Merchant uses only standalone, PTS-approved point-of-interaction (POI) devices (excludes SCRs) connected via IP to merchant’s payment processor to take customers’ payment card information; The standalone IP-connected POI devices are validated to the PTS POI program as listed on the PCI SSC website (excludes SCRs); The standalone IP-connected POI devices are not connected to any other systems within the merchant environment (this can be achieved via network segmentation to isolate POI devices from other systems); The only transmission of cardholder data is …
Removed p. 10
PCI DSS Question | Expected Testing | Response (Check one response for each question): CCW / No / N/A

1.1.2 (a) Is there a current network diagram that documents all connections between the cardholder data environment and other networks, including any wireless networks?

• Review current network diagram.

(b) Is there a process to ensure the diagram is kept current?

• Interview responsible personnel.
Removed p. 10
• Observe network configurations to verify that a firewall(s) is in place.

(b) Is the current network diagram consistent with the firewall configuration standards?

• Compare firewall configuration standards to current network diagram.
Removed p. 10
(b) Are all insecure services, protocols, and ports identified, and are security features documented and implemented for each identified service?

• Review firewall and router configuration standards.
Modified p. 10 → 15
Note: The following questions are numbered according to PCI DSS requirements and testing procedures, as defined in the PCI DSS Requirements and Security Assessment Procedures document.
Note: The following requirements mirror the requirements in the PCI DSS Requirements and Testing Procedures document.
Modified p. 10 → 15
Self-assessment completion date: Build and Maintain a Secure Network and Systems
Self-assessment completion date: YYYY-MM-DD Build and Maintain a Secure Network and Systems
Modified p. 10 → 15
Requirement 1: Install and maintain a firewall configuration to protect data
Requirement 1: Install and Maintain Network Security Controls
Modified p. 10 → 15
Examine network configurations.
Examine network configurations.
Removed p. 11
1.2 Do firewall and router configurations restrict connections between untrusted networks and any system in the cardholder data environment as follows:

Note: An “untrusted network” is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity’s ability to control or manage.
Removed p. 11
Is all other inbound and outbound traffic specifically denied (for example by using an explicit “deny all” or an implicit deny after allow statement)?

• Review firewall and router configuration standards.
Modified p. 11 → 15
• Examine firewall and router configurations.
• Examine configuration settings.
Modified p. 11 → 17
• Examine firewall and router configurations.
• Examine system configuration standards.
Removed p. 12
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

2.1 (a) Are vendor-supplied defaults always changed before installing a system on the network? (This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, Simple Network Management Protocol (SNMP) community strings, etc.).
Removed p. 12
Are unnecessary default accounts removed or disabled before installing a system on the network?

• Review policies and procedures.

(a) Are encryption keys changed from default at installation, and changed anytime anyone with knowledge of the keys leaves the company or changes positions?

• Review policies and procedures.

(b) Are default SNMP community strings on wireless devices changed at installation?

• Review policies and procedures.

(c) Are default passwords/passphrases on access points changed at installation?

• Review policies and procedures.
Modified p. 12 → 17
Observe system configurations and account settings.
Examine system configuration standards.
Modified p. 12 → 18
• Examine system configurations and account settings.
• Examine wireless configuration settings.
Modified p. 12 → 18
Review vendor documentation.
Examine key-management documentation.
Modified p. 12 → 19
Review vendor documentation.
Examine documentation.
Removed p. 13
2.1.1 (cont.) (d) Is firmware on wireless devices updated to support strong encryption for authentication and transmission over wireless networks?

• Review policies and procedures.
Removed p. 13
(e) Are other security-related wireless vendor defaults changed, if applicable?

• Review policies and procedures.
Removed p. 13
(a) Is all non-console administrative access encrypted with strong cryptography, and is a strong encryption method invoked before the administrator’s password is requested?

• Examine system components.

(b) Are system services and parameter files configured to prevent the use of Telnet and other insecure remote login commands?

• Examine system components.

• Examine services and files.

(c) Is administrator access to web-based management interfaces encrypted with strong cryptography?

• Examine system components.

(d) For the technology in use, is strong cryptography implemented according to industry best practice and/or vendor recommendations?

• Examine system components.
Removed p. 14
Requirement 3: Protect stored cardholder data

3.2 (c) Is sensitive authentication data deleted or rendered unrecoverable upon completion of the authorization process?

• Review policies and procedures.

• Examine deletion processes.

(d) Do all systems adhere to the following requirements regarding non-storage of sensitive authentication data after authorization (even if encrypted):
Removed p. 14
Note: In the normal course of business, the following data elements from the magnetic stripe may need to be retained:

• The cardholder’s name,

• Primary account number (PAN),

• Expiration date, and

• Service code

To minimize risk, store only these data elements as needed for business.

• Examine data sources including:
Removed p. 14
- Database contents

3.2.2 The card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) is not stored after authorization?

• Examine data sources including:
Removed p. 15
3.2.3 The personal identification number (PIN) or the encrypted PIN block is not stored after authorization?

• Examine data sources including:

- Database contents

3.3 Is the PAN masked when displayed (the first six and last four digits are the maximum number of digits to be displayed) such that only personnel with a legitimate business need can see more than the first six/last four digits of the PAN? Note: This requirement does not supersede stricter requirements in place for displays of cardholder data, for example, legal or payment card brand requirements for point-of-sale (POS) receipts.

• Review roles that need access to displays of full PAN.

• Observe displays of PAN.
Removed p. 16
Requirement 4: Encrypt transmission of cardholder data across open, public networks

4.1 (a) Are strong cryptography and security protocols used to safeguard sensitive cardholder data during transmission over open, public networks? Note: Examples of open, public networks include but are not limited to the Internet; wireless technologies, including 802.11 and Bluetooth; cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA); and General Packet Radio Service (GPRS).

• Review documented standards.

• Review all locations where CHD is transmitted or received.

(b) Are only trusted keys and/or certificates accepted?

• Observe inbound and outbound transmissions.

(c) Are security protocols implemented to use only secure configurations, and to not support insecure versions or configurations?

• Examine system configurations.

(d) Is the proper encryption strength implemented for the encryption methodology in use (check vendor recommendations/best practices)?

• Review vendor documentation.

(e) For …
Removed p. 16
• Review wireless networks.

• Examine system configuration settings.
Modified p. 16 → 24
• Examine system configurations.
• Examine documentation.
Modified p. 16 → 25
• Examine system configurations.
• Examine system components and related software.
Removed p. 17
4.2 Are policies in place that state that unprotected PANs are not to be sent via end-user messaging technologies?

• Review policies and procedures.

6.1 Is there a process to identify security vulnerabilities, including the following:

• Using reputable outside sources for vulnerability information?

• Assigning a risk ranking to vulnerabilities that includes identification of all “high” risk and “critical” vulnerabilities? Note: Risk rankings should be based on industry best practices as well as consideration of potential impact. For example, criteria for ranking vulnerabilities may include consideration of the CVSS base score and/or the classification by the vendor, and/or type of systems affected.

Methods for evaluating vulnerabilities and assigning risk ratings will vary based on an organization’s environment and risk assessment strategy. Risk rankings should, …
Modified p. 18 → 24
Requirement 6: Develop and maintain secure systems and applications
Requirement 6: Develop and Maintain Secure Systems and Software
Removed p. 19
6.2 (a) Are all system components and software protected from known vulnerabilities by installing applicable vendor-supplied security patches?

• Review policies and procedures.

• Examine system components.
Modified p. 19 → 25
Are critical security patches installed within one month of release? Note: Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1.
Critical or high-security patches/updates (identified according to the risk ranking process at Requirement 6.3.1) are installed within one month of release.
Removed p. 20
7.1 Is access to system components and cardholder data limited to only those individuals whose jobs require such access, as follows:
Removed p. 20
• Assigned only to roles that specifically require that privileged access?

• Examine written access control

• Review privileged user IDs.
Modified p. 20 → 26
To least privileges necessary to perform job responsibilities?
Least privileges necessary to perform job responsibilities.
Modified p. 20 → 26
• Interview management.
• Interview responsible management personnel.
Modified p. 20 → 29
Requirement 7: Restrict access to cardholder data by business need to know
Requirement 9: Restrict Physical Access to Cardholder Data
Modified p. 20 → 29
• Interview management.
• Interview personnel.
Removed p. 21
8.1.5 (a) Are accounts used by third parties to access, support, or maintain system components via remote access enabled only during the time period needed and disabled when not in use?

• Review password procedures.

Are third-party remote access accounts monitored when in use?

• Interview personnel.
Removed p. 21
Note: Multi-factor authentication requires that a minimum of two of the three authentication methods (see PCI DSS Requirement 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered multi-factor authentication.
Removed p. 21
• Generic user IDs and accounts are disabled or removed;

• Shared user IDs for system administration activities and other critical functions do not exist; and

• Shared and generic user IDs are not used to administer any system components?

• Review policies and procedures.
Modified p. 21 → 27
Requirement 8: Identify and authenticate access to system components
Requirement 8: Identify Users and Authenticate Access to System Components
Modified p. 21 → 27
Observe administrator logging into CDE.
Interview system administrators.
Modified p. 21 → 28
• Observe personnel connecting remotely.
• Observe personnel (for example, users and administrators) connecting remotely to the network.
Modified p. 21 → 34
• Examine user ID lists.
• Examine ASV scan reports.
Removed p. 22
9.1.2 Are physical and/or logical controls in place to restrict access to publicly accessible network jacks? For example, network jacks located in public areas and areas accessible to visitors could be disabled and only enabled when network access is explicitly authorized. Alternatively, processes could be implemented to ensure that visitors are escorted at all times in areas with active network jacks.
Removed p. 22
• Review policies and procedures for physically securing media.
Removed p. 22
Do controls include the following:
Modified p. 22 → 29
• Interview security personnel.
• Interview responsible personnel.
Modified p. 22 → 29
• Examine media distribution tracking logs and documentation.
• Examine logs or other documentation.
Modified p. 22 → 30
• Examine media distribution tracking logs and documentation.
• Examine media logs or other documentation.
Removed p. 23
(c) Is media destruction performed as follows:

Are storage containers used for materials that contain information to be destroyed secured to prevent access to the contents?

• Examine security of storage containers.
Removed p. 23
(a) Do policies and procedures require that a list of such devices be maintained?

• Review policies and procedures.

(b) Do policies and procedures require that devices are periodically inspected to look for tampering or substitution?

• Review policies and procedures.
Modified p. 23 → 31
9.8 (a) Is all media destroyed when it is no longer needed for business or legal reasons?

• Review periodic media destruction policies and procedures.
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 9.4.6 Hard-copy materials with cardholder data are destroyed when no longer needed for business or legal reasons, as follows:
Modified p. 23 → 32
(c) Do policies and procedures require that personnel are trained to be aware of suspicious behavior and to report tampering or substitution of devices?

• Review policies and procedures.
• Training personnel to be aware of suspicious behavior and to report tampering or unauthorized substitution of devices.
Removed p. 24
9.9.1 (a) Does the list of devices include the following?

- Make, model of device

- Location of device (for example, the address of the site or facility where the device is located)

- Device serial number or other method of unique identification

(b) Is the list accurate and up to date?

• Observe devices and device locations and compare to list.

(c) Is the list of devices updated when devices are added, relocated, decommissioned, etc.?

• Interview personnel.
Removed p. 24
Are personnel aware of procedures for inspecting devices?

• Interview personnel.
Modified p. 24 → 32
• Examine the list of devices.
• Examine the list of POI devices.
Modified p. 24 → 32
• Observe inspection processes and compare to defined processes.
• Observe inspection processes.
Removed p. 25
9.9.3 Are personnel trained to be aware of attempted tampering or replacement of devices, to include the following? (a) Do training materials for personnel at point-of-sale locations include the following?

- Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.

- Do not install, replace, or return devices without verification.

- Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices).

- Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer).

(b) Have personnel at point-of-sale locations received training, and are they aware of procedures to detect and report attempted tampering or replacement of devices?

• Interview personnel at POS locations.
Modified p. 25 → 33
• Review training materials.
• Review training materials for personnel in POI environments.
Removed p. 26
11.2.2 (a) Are quarterly external vulnerability scans performed? Note: Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SSC).

• Review results from the four most recent quarters of external vulnerability scans.

(b) Do external quarterly scan and rescan results satisfy the ASV Program Guide requirements for a passing scan (for example, no vulnerabilities rated 4.0 or higher by the CVSS, and no automatic failures)?

• Review results of each external quarterly scan and rescan.

(c) Are quarterly external vulnerability scans performed by a PCI SSC Approved Scanning Vendor (ASV)?

• Review results of each external quarterly scan and rescan.
Modified p. 26 → 34
Requirement 11: Regularly test security systems and processes
Requirement 11: Test Security of Systems and Networks Regularly
Removed p. 27
If segmentation is used to isolate the CDE from other networks:

(b) Does penetration testing to verify segmentation controls meet the following? - Performed at least annually and after any changes to segmentation controls/methods.

- Covers all segmentation controls/methods in use.

- Verifies that segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.

(c) Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)?

• Interview responsible personnel.
Modified p. 27 → 35
(a) Are penetration-testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of-scope systems from systems in the CDE?

• Examine segmentation controls.
• Confirming that the segmentation controls/methods are operational and effective, and isolate the CDE from all out-of-scope systems.
Modified p. 27 → 35
• Examine results from the most recent penetration test.
• Examine the results from the most recent penetration test.
Removed p. 28
Requirement 12: Maintain a policy that addresses information security for all personnel

Note: For the purposes of Requirement 12, “personnel” refers to full-time and part-time employees, temporary employees and personnel, and contractors and consultants who are “resident” on the entity’s site or otherwise have access to the company’s site cardholder data environment.

12.1 Is a security policy established, published, maintained, and disseminated to all relevant personnel?

• Review the information security policy.
Removed p. 28
Note: Examples of critical technologies include, but are not limited to, remote access and wireless technologies, laptops, tablets, removable electronic media, e-mail usage and Internet usage.
Removed p. 29
12.4 Do security policy and procedures clearly define information security responsibilities for all personnel?

• Review information security policy and procedures.
Modified p. 29 → 36
Review list of service providers.
Reviewed at least once every 12 months.
Modified p. 29 → 38
Observe written agreements.
Examine written agreements with TPSPs.
Modified p. 29 → 39
• Interview a sample of responsible personnel.
• Interview responsible personnel.
Removed p. 30
12.8.3 Is there an established process for engaging service providers, including proper due diligence prior to engagement?

• Review policies and procedures and supporting documentation.
Modified p. 30 → 39
Review incident response plan procedures.
Examine the incident response plan.
Removed p. 31
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A
A2.1 For POS POI terminals (at the merchant or payment-acceptance location) using SSL and/or early TLS: Are the devices confirmed to not be susceptible to any known exploits for SSL/early TLS?

Note: This requirement is intended to apply to the entity with the POS POI terminal, such as a merchant. This requirement is not intended for service providers who serve as the termination or connection point to those POS POI terminals. Requirements A2.2 and A2.3 apply to POS POI service providers.
Modified p. 31 → 40
Review documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS.
Examine documentation (for example, vendor documentation, system/network configuration details) that verifies the devices are not susceptible to any known exploits for SSL/early TLS.
Modified p. 32 → 41
Note: Only companies that have undertaken a risk analysis and have legitimate technological or documented business constraints can consider the use of compensating controls to achieve compliance.
Note: Only entities that have a legitimate and documented technological or business constraint can consider the use of compensating controls to achieve compliance.
Modified p. 32 → 41
Refer to Appendices B, C, and D of PCI DSS for information about compensating controls and guidance on how to complete this worksheet.
Refer to Appendices B and C in PCI DSS for information about compensating controls and guidance on how to complete this worksheet.
Modified p. 32 → 41
1. Constraints List constraints precluding compliance with the original requirement.
1. Constraints Document the legitimate technical or business constraints precluding compliance with the original requirement.
Modified p. 32 → 41
2. Objective Define the objective of the original control; identify the objective met by the compensating control.
3. Objective Define the objective of the original control.
Modified p. 32 → 41
3. Identified Risk Identify any additional risk posed by the lack of the original control.
4. Identified Risk Identify any additional risk posed by the lack of the original control.
Modified p. 32 → 41
4. Definition of Compensating Controls Define the compensating controls and explain how they address the objectives of the original control and the increased risk, if any.
2. Definition of Compensating Controls Define the compensating controls: explain how they address the objectives of the original control and the increased risk, if any.
Modified p. 32 → 41
6. Maintenance Define process and controls in place to maintain compensating controls.
6. Maintenance Define process(es) and controls in place to maintain compensating controls.
Modified p. 33 → 42
Requirement Reason Requirement is Not Applicable 3.4 Cardholder data is never stored electronically
Requirement Reason Requirement is Not Applicable
Removed p. 34
An entity submitting this form with a status of Non-Compliant may be required to complete the Action Plan in Part 4 of this document. Check with your acquirer or the payment brand(s) before completing Part 4.

Compliant but with Legal exception: One or more requirements are marked “No” due to a legal restriction that prevents the requirement from being met. This option requires additional review from acquirer or payment brand.

If checked, complete the following:

I have confirmed with my payment application vendor that my payment system does not store sensitive authentication data after authorization.

I have read the PCI DSS and I recognize that I must maintain PCI DSS compliance, as applicable to my environment, at all times.

If my environment changes, I recognize I must reassess my environment and implement any additional PCI DSS requirements that apply.
Modified p. 34 → 44
Section 3: Validation and Attestation Details Part 3. PCI DSS Validation This AOC is based on results noted in SAQ B-IP (Section 2), dated (SAQ completion date).
Section 3: Validation and Attestation Details Part 3. PCI DSS Validation This AOC is based on results noted in SAQ B-IP (Section 2), dated (Self-assessment completion date YYYY-MM-DD).
Modified p. 34 → 44
Based on the results documented in the SAQ B-IP noted above, the signatories identified in Parts 3b-3d, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document (check one):
Based on the results documented in the SAQ B-IP noted above, each signatory identified in any of Parts 3b-3d, as applicable, assert(s) the following compliance status for the merchant identified in Part 2 of this document.
Modified p. 34 → 44
Compliant: All sections of the PCI DSS SAQ are complete, all questions answered affirmatively, resulting in an overall COMPLIANT rating; thereby (Merchant Company Name) has demonstrated full compliance with the PCI DSS.
Compliant: All sections of the PCI DSS SAQ are complete and all requirements are marked as being either 1) In Place, 2) In Place with CCW, or 3) Not Applicable, resulting in an overall COMPLIANT rating; thereby (Merchant Company Name) has demonstrated compliance with all PCI DSS requirements included in this SAQ.
Modified p. 34 → 44
Non-Compliant: Not all sections of the PCI DSS SAQ are complete, or not all questions are answered affirmatively, resulting in an overall NON-COMPLIANT rating, thereby (Merchant Company Name) has not demonstrated full compliance with the PCI DSS.
Non-Compliant: Not all sections of the PCI DSS SAQ are complete, or one or more requirements are marked as Not in Place, resulting in an overall NON-COMPLIANT rating; thereby (Merchant Company Name) has not demonstrated compliance with the PCI DSS requirements included in this SAQ.
Modified p. 34 → 44
Affected Requirement Details of how legal constraint prevents requirement being met Part 3a. Acknowledgement of Status Signatory(s) confirms:
Affected Requirement Details of how legal constraint prevents requirement from being met
Modified p. 34 → 45
(Check all that apply)
(Select all that apply)
Modified p. 34 → 45
PCI DSS Self-Assessment Questionnaire B-IP, Version (version of SAQ), was completed according to the instructions therein.
PCI DSS Self-Assessment Questionnaire B-IP, Version 4.0, was completed according to the instructions therein.
Modified p. 34 → 45
All information within the above-referenced SAQ and in this attestation fairly represents the results of my assessment in all material respects.
All information within the above-referenced SAQ and in this attestation fairly represents the results of the merchant’s assessment in all material respects.
Removed p. 35
ASV scans are being completed by the PCI SSC Approved Scanning Vendor (ASV Name).
Modified p. 35 → 45
Part 3b. Merchant Attestation Signature of Merchant Executive Officer Date:
Part 3b. Merchant Attestation Signature of Merchant Executive Officer Date: YYYY-MM-DD Merchant Executive Officer Name: Title:
Modified p. 35 → 45
Part 3c. Qualified Security Assessor (QSA) Acknowledgement (if applicable) If a QSA was involved or assisted with this assessment, describe the role performed:
Part 3c. Qualified Security Assessor (QSA) Acknowledgement If a QSA was involved or assisted with this assessment, indicate the role performed:
Modified p. 35 → 45
Signature of Duly Authorized Officer of QSA Company Date:
Signature of Duly Authorized Officer of QSA Company Date: YYYY-MM-DD Duly Authorized Officer Name: QSA Company:
Modified p. 35 → 45
Part 3d. Internal Security Assessor (ISA) Involvement (if applicable) If an ISA(s) was involved or assisted with this assessment, identify the ISA personnel and describe the role performed:
Part 3d. PCI SSC Internal Security Assessor (ISA) Involvement If an ISA(s) was involved or assisted with this assessment, indicate the role performed:
Removed p. 36
Check with your acquirer or the payment brand(s) before completing Part 4.

PCI DSS Requirement* Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO
Install and maintain a firewall configuration to protect cardholder data.

Do not use vendor-supplied defaults for system passwords and other security parameters.
Modified p. 36 → 46
* PCI DSS Requirements indicated here refer to the questions in Section 2 of the SAQ.
* PCI DSS Requirements indicated above refer to the requirements in Section 2 of this SAQ.