Document Comparison

SAQ_B_v3.pdf PCI_DSS_v3-1_SAQ_B_rev1-1.pdf
94% similar
24 → 24 Pages
5337 → 5494 Words
13 Content Changes

From Revision History

  • October 2008 1.2

Content Changes

13 content changes. 20 administrative changes (dates, page numbers) hidden.

Added p. 2
July 2015 3.1 1.1 Updated to remove references to “best practices” prior to June 30, 2015.
Added p. 8
Type of facility Number of facilities of this type Location(s) of facility (city, country) Example: Retail outlets 3 Boston, MA, USA Part 2d. Payment Application Does the organization use one or more Payment Applications? Yes No Provide the following information regarding the Payment Applications your organization uses:
Added p. 17
PCI DSS Question Expected Testing Response (Check one response for each question) Yes Yes with CCW No N/A 12.5 (b) Are the following information security management responsibilities formally assigned to an individual or team:
Removed p. 14
Note: Requirement 9.9 is a best practice until June 30, 2015, after which it becomes a requirement.
Modified p. 14
(a) Do policies and procedures require that a list of such devices maintained?
(a) Do policies and procedures require that a list of such devices be maintained?
Modified p. 14
• Make, model of device • Location of device (for example, the address of the site or facility where the device is located) • Device serial number or other method of unique identification • Examine the list of devices (b) Is the list accurate and up to date? • Observe device locations and compare to list (c) Is the list of devices updated when devices are added, relocated, decommissioned, etc.? • Interview personnel
• Make, model of device • Location of device (for example, the address of the site or facility where the device is located) • Device serial number or other method of unique identification • Examine the list of devices (b) Is the list accurate and up to date? • Observe devices and device locations and compare to list (c) Is the list of devices updated when devices are added, relocated, decommissioned, etc.? • Interview personnel
Modified p. 16
• Review usage policies • Interview responsible personnel 12.3.3 A list of all such devices and personnel with access? • Review usage policies • Interview responsible personnel 12.3.5 Acceptable uses of the technologies? • Review usage policies • Interview responsible personnel 12.4 Do security policy and procedures clearly define information security responsibilities for all personnel? • Review information security policy and procedures • Interview a sample of responsible 12.5 (b) Are the following information security management responsibilities formally assigned to …
• Review usage policies • Interview responsible personnel 12.3.3 A list of all such devices and personnel with access? • Review usage policies • Interview responsible personnel 12.3.5 Acceptable uses of the technologies? • Review usage policies • Interview responsible personnel 12.4 Do security policy and procedures clearly define information security responsibilities for all personnel? • Review information security policy and procedures • Interview a sample of responsible
Modified p. 17
• Observe written agreements • Review policies and procedures 12.8.3 Is there an established process for engaging service providers, including proper due diligence prior to engagement?
• Observe written agreements • Review policies and procedures 12.8.3 Is there an established process for engaging service providers, including proper due diligence prior to engagement? • Observe processes • Review policies and procedures and supporting documentation
Modified p. 17 → 18
• Observe processes • Review policies and procedures and supporting documentation 12.8.4 Is a program maintained to monitor service providers’ PCI DSS compliance status at least annually? • Observe processes • Review policies and procedures and supporting documentation
• Observe processes • Review policies and procedures and supporting documentation 12.8.5 Is information maintained about which PCI DSS requirements are managed by each service provider, and which are managed by the entity?
Modified p. 18
PCI DSS Question Expected Testing Response (Check one response for each question) Yes Yes with CCW No N/A 12.8.5 Is information maintained about which PCI DSS requirements are managed by each service provider, and which are managed by the entity?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes Yes with CCW No N/A 12.8.4 Is a program maintained to monitor service providers’ PCI DSS compliance status at least annually?
Modified p. 23
Signature of QSA  Date:
Signature of Duly Authorized Officer of QSA Company  Date:
Modified p. 23
QSA Name: QSA Company:
Duly Authorized Officer Name: QSA Company:
Modified p. 24
PCI DSS Requirement Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO 3 Protect stored cardholder data Encrypt transmission of cardholder data across open, public networks 7 Restrict access to cardholder data by business need to know 9 Restrict physical access to cardholder data Maintain a policy that addresses information security for all personnel
PCI DSS Requirement* Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO 3 Protect stored cardholder data Encrypt transmission of cardholder data across open, public networks 7 Restrict access to cardholder data by business need to know 9 Restrict physical access to cardholder data Maintain a policy that addresses information security for all personnel * PCI DSS Requirements indicated here refer to the questions in Section 2 …