Document Comparison
PCI_DSS_v3-1_SAQ_B_rev1-1.pdf
→
PCI-DSS-v3_2-SAQ-B.pdf
94% similar
Pages: 24 → 26
Words: 5494 → 5780
Content Changes: 16
Content Changes
16 content changes. 21 administrative changes (dates, page numbers) hidden.
Added
p. 21
Appendix A2: Additional PCI DSS Requirements for Entities using SSL/early TLS. This appendix is not used for SAQ B merchant assessments.
Appendix A3: Designated Entities Supplemental Validation (DESV). This Appendix applies only to entities designated by a payment brand(s) or acquirer as requiring additional validation of existing PCI DSS requirements. Entities required to validate to this Appendix should use the DESV Supplemental Reporting Template and Supplemental Attestation of Compliance for reporting, and consult with the applicable payment brand and/or acquirer for submission procedures.
Added
p. 24
Section 3: Validation and Attestation Details Part 3. PCI DSS Validation This AOC is based on results noted in SAQ B (Section 2), dated (SAQ completion date).
Modified
p. 4
Your company uses only an imprint machine and/or uses only standalone, dial-out terminals (connected via a phone line to your processor) to take your customers’ payment card information; The standalone, dial-out terminals are not connected to any other systems within your environment; The standalone, dial-out terminals are not connected to the Internet; Your company does not transmit cardholder data over a network (either an internal network or the Internet); Your company retains only paper reports …
Your company uses only an imprint machine and/or uses only standalone, dial-out terminals (connected via a phone line to your processor) to take your customers’ payment card information; The standalone, dial-out terminals are not connected to any other systems within your environment; The standalone, dial-out terminals are not connected to the Internet; Your company does not transmit cardholder data over a network (either an internal network or the Internet); Any cardholder data your company retains …
Modified
p. 4
Section 1 (Part 1 & 2 of the AOC)
• Assessment Information and Executive Summary.
Section 1 (Parts 1 & 2 of the AOC)
• Assessment Information and Executive Summary.
Modified
p. 4
5. Submit the SAQ and Attestation of Compliance, along with any other requested documentation, such as ASV scan reports, to your acquirer, payment brand or other requester.
5. Submit the SAQ and Attestation of Compliance (AOC), along with any other requested documentation, such as ASV scan reports, to your acquirer, payment brand or other requester.
Removed
p. 7
ISA Name(s) (if applicable): Title:
Modified
p. 11
Incoming transaction data All logs History files Trace files Database schema Database contents 3.3 Is the PAN masked when displayed (the first six and last four digits are the maximum number of digits to be displayed) such that only personnel with a legitimate business need can see the full PAN? Note: This requirement does not supersede stricter requirements in place for displays of cardholder data, for example, legal or payment card brand requirements for point-of-sale …
Incoming transaction data All logs History files Trace files Database schema Database contents 3.3 Is the PAN masked when displayed (the first six and last four digits are the maximum number of digits to be displayed) such that only personnel with a legitimate business need can see more than the first six/last four digits of the PAN? Note: This requirement does not supersede stricter requirements in place for displays of cardholder data, for example, legal …
Modified
p. 12
PCI DSS Question Expected Testing Response (Check one response for each question) Yes Yes with CCW No N/A 4.2 (b) Are policies in place that state that unprotected PANs are not to be sent via end-user messaging technologies? Review policies and procedures Implement Strong Access Control Measures
PCI DSS Question Expected Testing Response (Check one response for each question) Yes Yes with CCW No N/A 4.2 (b) Are policies in place that state that unprotected PANs are not to be sent via end-user messaging technologies? Review policies and procedures
Modified
p. 12 → 13
Examine written access control policy Interview personnel Interview management Review privileged user IDs 7.1.3 Are access assigned based on individual personnel’s job classification and function? Examine written access control policy Interview management Review user IDs
Examine written access control Interview personnel Interview management Review privileged user IDs 7.1.3 Is access assigned based on individual personnel’s job classification and function? Examine written access control Interview management Review user IDs
Modified
p. 15 → 16
Interview personnel Observe inspection processes and compare to defined processes (b) Are personnel are aware of procedures for inspecting devices?
Interview personnel Observe inspection processes and compare to defined processes (b) Are personnel aware of procedures for inspecting devices?
Modified
p. 15 → 17
PCI DSS Question Expected Testing Response (Check one response for each question) Yes Yes with CCW No N/A (b) Have personnel at point-of-sale locations received training, and are they aware of procedures to detect and report attempted tampering or replacement of devices? Interview personnel at POS
Modified
p. 17 → 19
Review information security policy and procedures 12.6 (a) Is a formal security awareness program in place to make all personnel aware of the importance of cardholder data security? Review security awareness 12.8 Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows:
Review information security policy and procedures 12.6 (a) Is a formal security awareness program in place to make all personnel aware of the cardholder data security policy and procedures? Review security awareness 12.8 Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows:
Modified
p. 22 → 24
Based on the results documented in the SAQ B noted above, the signatories identified in Parts 3b-3d, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document: (check one):
Removed
p. 23
Signature of ISA Date:
Modified
p. 23 → 25
Part 3c. QSA Acknowledgement (if applicable) If a QSA was involved or assisted with this assessment, describe the role performed:
Part 3c. Qualified Security Assessor (QSA) Acknowledgement (if applicable) If a QSA was involved or assisted with this assessment, describe the role performed:
Modified
p. 23 → 25
Part 3d. ISA Acknowledgement (if applicable) If a ISA was involved or assisted with this assessment, describe the role performed:
Part 3d. Internal Security Assessor (ISA) Involvement (if applicable) If an ISA(s) was involved or assisted with this assessment, identify the ISA personnel and describe the role performed: