Document Comparison

PCI-DSS-v3_2_1-SAQ-D_Merchant.pdf → PCI-DSS-v3-2-1-SAQ-D-Merchant-r2.pdf
96% similar
86 → 86 Pages
21206 → 21131 Words
9 Content Changes

Content Changes

9 content changes. 25 administrative changes (dates, page numbers) hidden.

Added p. 2
This document aligns with PCI DSS v3.2.1 r1.
Added p. 21
• Review documented business justification.

PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.2 (cont.) (b) For issuers and/or companies that support issuing services and store sensitive authentication data: Is the data secured?

• Examine data stores and system configuration files.
Modified p. 1
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Merchants All other SAQ-Eligible Merchants For use with PCI DSS Version 3.2.1
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Merchants All other SAQ-Eligible Merchants For use with PCI DSS Version 3.2.1 Revision 2
Removed p. 21
(b) This testing procedure applies only to Issuers.
Modified p. 22
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.2 (cont.) (c) Is sensitive authentication data deleted or rendered unrecoverable upon completion of the authorization process?

• Review policies and procedures.
(c) For all other entities: Is sensitive authentication data deleted or rendered unrecoverable upon completion of the authorization process?

• Review policies and procedures.
Modified p. 22 → 23
- Database contents 3.2.2 The card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) is not stored after authorization?

• Examine data sources including:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.2.2 The card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) is not stored after authorization?

• Examine data sources including:
Modified p. 23
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.2.3 The personal identification number (PIN) or the encrypted PIN block is not stored after authorization?

• Examine data sources including:
- Database contents 3.2.3 The personal identification number (PIN) or the encrypted PIN block is not stored after authorization?

• Examine data sources including:
Modified p. 25 → 24
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.4.1 (cont.) (b) Are cryptographic keys stored securely (for example, stored on removable media that is adequately protected with strong access controls)?

• Interview personnel.
(b) Are cryptographic keys stored securely (for example, stored on removable media that is adequately protected with strong access controls)?

• Interview personnel.
Modified p. 25
(c) Is cardholder data on removable media encrypted wherever stored? Note: If disk encryption is not used to encrypt removable media, the data stored on this media will need to be rendered unreadable through some other method.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.4.1 (cont.) (c) Is cardholder data on removable media encrypted wherever stored? Note: If disk encryption is not used to encrypt removable media, the data stored on this media will need to be rendered unreadable through some other method.