Document Comparison
pci_saq_c.pdf
→
SAQ_C_v3.pdf
14% similar
Pages: 22 → 46
Words: 5233 → 10697
Content Changes: 56
From Revision History
- October 2008 1.2 To align content with new PCI DSS v1.2 and to implement minor changes noted since original v1.1.
Content Changes
56 content changes. 31 administrative changes (dates, page numbers) hidden.
Added
p. 4
SAQ C merchants process cardholder data via a point-of-sale (POS) system or other payment application systems connected to the Internet, do not store cardholder data on any computer system, and may be either brick-and-mortar (card-present) or mail/telephone-order (card-not-present) merchants.
SAQ C merchants confirm that, for this payment channel:
This SAQ is not applicable to e-commerce channels.
This shortened version of the SAQ includes questions that apply to a specific type of small merchant environment, as defined in the above eligibility criteria. If there are PCI DSS requirements applicable to your environment that are not covered in this SAQ, it may be an indication that this SAQ is not suitable for your environment. Additionally, you must still comply with all applicable PCI DSS requirements in order to be PCI DSS compliant.
1. Identify the applicable SAQ for your environment
• refer to the Self-Assessment Questionnaire Instructions and Guidelines document on the PCI SSC website for information.
2. Confirm …
Added
p. 5
Additional resources that provide guidance on PCI DSS requirements and how to complete the self-assessment questionnaire have been provided to assist with the assessment process. An overview of some of these resources is provided below:
PCI DSS (PCI Data Security Standard Requirements and Security Assessment Procedures): Guidance on Scoping; Guidance on the intent of all PCI DSS Requirements; Details of testing procedures; Guidance on Compensating Controls
SAQ Instructions and Guidelines documents: Information about all SAQs and their eligibility criteria; How to determine which SAQ is right for your organization
PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms: Descriptions and definitions of terms used in the PCI DSS and self-assessment questionnaires
These and other resources can be found on the PCI SSC website (www.pcisecuritystandards.org). Organizations are encouraged to review the PCI DSS and other supporting documents before beginning an assessment.
Expected Testing The instructions provided in …
Added
p. 6
No Some or all elements of the requirement have not been met, or are in the process of being implemented, or require further testing before it will be known if they are in place.
(Not Applicable) The requirement does not apply to the organization’s environment. (See Guidance for Non-Applicability of Certain, Specific Requirements below for examples.) All responses in this column require a supporting explanation in Appendix C of the SAQ.
Guidance for Non-Applicability of Certain, Specific Requirements
While many organizations completing SAQ C will need to validate compliance with every PCI DSS requirement in this SAQ, some organizations with very specific business models may find that some requirements do not apply.
For example, a company that does not use wireless technology in any capacity would not be expected to validate compliance with the sections of PCI DSS that are specific to managing wireless technology (for example, Requirements 1.2.3, 2.1.1, and 4.1.1). Note …
Added
p. 8
Payment Application | Version Number | Application | Is application PA-DSS Listed? | PA-DSS Listing Expiry date (if applicable)
Part 2e. Description of Environment
Provide a high-level description of the environment covered by this assessment.
For example:
• Connections into and out of the cardholder data environment (CDE).
• Critical system components within the CDE, such as POS devices, databases, web servers, etc., and any other necessary payment components, as applicable.
Does your business use network segmentation to affect the scope of your PCI DSS environment? (Refer to “Network Segmentation” section of PCI DSS for guidance on network segmentation)
Added
p. 9
Note: Requirement 12.8 applies to all entities in this list.
Added
p. 10
Section 2: Self-Assessment Questionnaire C
Note: The following questions are numbered according to PCI DSS requirements and testing procedures, as defined in the PCI DSS Requirements and Security Assessment Procedures document.
PCI DSS Question | Expected Testing | Response (Check one response for each question): Yes / Yes with CCW / No / N/A
1.2 Do firewall and router configurations restrict connections between untrusted networks and any system in the cardholder data environment as follows:
Added
p. 10
Review firewall and router configuration standards; Examine firewall and router configurations
(b) Is all other inbound and outbound traffic specifically denied (for example by using an explicit “deny all” or an implicit deny after allow statement)?
Review firewall and router configuration standards; Examine firewall and router configurations
1.2.3 Are perimeter firewalls installed between all wireless networks and the cardholder data environment, and are these firewalls configured to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment?
Review firewall and router configuration standards; Examine firewall and router configurations
PCI DSS Question | Expected Testing | Response (Check one response for each question): Yes / Yes with CCW / No / N/A
1.3 Is direct public access prohibited between the Internet and any system component in the cardholder data environment, as follows:
Added
p. 11
Examine firewall and router configurations
1.3.5 Is outbound traffic from the cardholder data environment to the Internet explicitly authorized?
Examine firewall and router configurations
1.3.6 Is stateful inspection, also known as dynamic packet filtering, implemented, that is, only established connections are allowed into the network?
Examine firewall and router configurations
PCI DSS Question | Expected Testing | Response (Check one response for each question): Yes / Yes with CCW / No / N/A
2.1 (a) Are vendor-supplied defaults always changed before installing a system on the network? (This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, Simple Network Management Protocol (SNMP) community strings, etc.)
Review policies and procedures; Examine vendor documentation; Observe system configurations and account settings; Interview personnel
(b) Are unnecessary default accounts removed or disabled before installing a system on the network? Review …
Added
p. 16
Note: In the normal course of business, the following data elements from the magnetic stripe may need to be retained:
Examine data sources including: Incoming transaction data; All logs; History files; Trace files; Database schema; Database contents
3.2.2 The card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) is not stored after authorization?
Examine data sources including: Incoming transaction data; All logs; History files; Trace files; Database schema; Database contents
PCI DSS Question | Expected Testing | Response (Check one response for each question): Yes / Yes with CCW / No / N/A
3.2.3 The personal identification number (PIN) or the encrypted PIN block is not stored after authorization?
Examine data sources including: Incoming transaction data; All logs; History files; Trace files; Database schema; Database contents
3.3 Is the PAN masked …
Added
p. 23
To least privileges necessary to perform job responsibilities?
Assigned only to roles that specifically require that privileged access?
Examine written access control policy; Interview personnel; Interview management; Review privileged user IDs
7.1.3 Is access assigned based on individual personnel’s job classification and function?
Examine written access control policy; Interview management; Review user IDs
Requirement 8: Identify and authenticate access to system components
PCI DSS Question | Expected Testing | Response (Check one response for each question): Yes / Yes with CCW / No / N/A
8.1.5 (a) Are accounts used by vendors to access, support, or maintain system components via remote access enabled only during the time period needed and disabled when not in use?
Review password procedures; Interview personnel; Observe processes
(b) Are vendor remote access accounts monitored when in use?
Interview personnel; Observe processes
8.3 Is two-factor authentication incorporated for remote network access originating from outside …
Added
p. 26
Review periodic media destruction policies and procedures; Interview personnel; Observe processes
(b) Are storage containers used for materials that contain information to be destroyed secured to prevent access to the contents?
Examine security of storage containers
9.9 Are devices that capture payment card data via direct physical interaction with the card protected against tampering and substitution as follows?
Note: This requirement applies to card-reading devices used in card-present transactions (that is, card swipe or dip) at the point of sale. This requirement is not intended to apply to manual key-entry components such as computer keyboards and POS keypads.
Note: Requirement 9.9 is a best practice until June 30, 2015, after which it becomes a requirement.
(a) Do policies and procedures require that a list of such devices is maintained?
Review policies and procedures
(b) Do policies and procedures require that devices are periodically inspected to look for tampering or substitution?
…
Added
p. 29
• and all changes, additions, or deletions to accounts with root or administrative privileges?
Interview personnel; Observe audit logs; Examine audit log settings
10.3 Are the following audit trail entries recorded for all system components for each event:
Added
p. 30
PCI DSS Question | Expected Testing | Response (Check one response for each question): Yes / Yes with CCW / No / N/A
10.3.4 Success or failure indication?
Interview personnel; Observe audit logs; Examine audit log settings
10.3.5 Origination of event?
Interview personnel; Observe audit logs; Examine audit log settings
10.3.6 Identity or name of affected data, system component, or resource?
Interview personnel; Observe audit logs; Examine audit log settings
10.6 Are logs and security events for all system components reviewed to identify anomalies or suspicious activity as follows?
Note: Log harvesting, parsing, and alerting tools may be used to achieve compliance with Requirement 10.6.
Added
p. 30
• All security events
• Logs of all system components that store, process, or transmit CHD and/or SAD, or that could impact the security of CHD and/or SAD
• Logs of all critical system components
• Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.)
Review security policies and procedures; Observe processes; Interview personnel
10.6.2 (b) Are logs of all other system components periodically, either manually or via log tools, based on the organization’s policies and risk management strategy?
Review security policies and procedures; Review risk assessment documentation; Interview personnel
PCI DSS Question | Expected Testing | Response (Check one response for each question): Yes / Yes with CCW / No / N/A
10.6.3 (b) Is follow up to exceptions and anomalies identified during the review process performed?
Review security policies and procedures; Observe processes; Interview personnel …
Added
p. 33
Review scan reports
(c) Are quarterly internal scans performed by a qualified internal resource(s) or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)?
Interview personnel
PCI DSS Question | Expected Testing | Response (Check one response for each question): Yes / Yes with CCW / No / N/A
11.2.2 (a) Are quarterly external vulnerability scans performed?
Note: Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SSC).
Refer to the ASV Program Guide published on the PCI SSC website for scan customer responsibilities, scan preparation, etc.
Review results from the four most recent quarters of external vulnerability scans
(b) Do external quarterly scan and rescan results satisfy the ASV Program Guide requirements for a passing scan (for example, no vulnerabilities rated 4.0 or higher by the CVSS, and no automatic …
Added
p. 37
Review usage policies; Interview responsible personnel
12.3.2 Authentication for use of the technology?
Review usage policies; Interview responsible personnel
12.3.3 A list of all such devices and personnel with access?
Review usage policies; Interview responsible personnel
12.3.5 Acceptable uses of the technologies?
Review usage policies; Interview responsible personnel
12.3.6 Acceptable network locations for the technologies?
Review usage policies; Interview responsible personnel
12.3.8 Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity?
Review usage policies; Interview responsible personnel
PCI DSS Question | Expected Testing | Response (Check one response for each question): Yes / Yes with CCW / No / N/A
12.3.9 Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use?
Review usage policies; Interview responsible personnel
12.4 Do security policy and procedures clearly define information security responsibilities for all …
Added
p. 39
PCI DSS Question | Expected Testing | Response (Check one response for each question): Yes / Yes with CCW / No / N/A
12.8.2 Is a written agreement maintained that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process, or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment?
Note: The exact wording of an acknowledgement will depend on the agreement between the two parties, the details of the service being provided, and the responsibilities assigned to each party. The acknowledgement does not have to include the exact wording provided in this requirement.
Observe processes; Review policies and procedures and supporting documentation
12.8.5 Is information maintained about which PCI DSS requirements are managed by each service provider, and which are managed by the entity?
Observe processes; Review policies …
Added
p. 42
Refer to Appendices B, C, and D of PCI DSS for information about compensating controls and guidance on how to complete this worksheet.
Added
p. 44
Section 3: Validation and Attestation Details
Part 3. PCI DSS Validation
Based on the results noted in the SAQ C dated (completion date), the signatories identified in Parts 3b-3d, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document as of (date): (check one):
Compliant: All sections of the PCI DSS SAQ are complete, all questions answered affirmatively, resulting in an overall COMPLIANT rating; thereby (Merchant Company Name) has demonstrated full compliance with the PCI DSS.
Non-Compliant: Not all sections of the PCI DSS SAQ are complete, or not all questions are answered affirmatively, resulting in an overall NON-COMPLIANT rating, thereby (Merchant Company Name) has not demonstrated full compliance with the PCI DSS.
An entity submitting this form with a status of Non-Compliant may be required to complete the Action Plan in Part 4 of this document. Check with your acquirer or the payment brand(s) before …
Added
p. 45
ASV scans are being completed by the PCI SSC Approved Scanning Vendor (ASV Name)
Part 3b. Merchant Attestation
Signature of Merchant Executive Officer Date:
Merchant Executive Officer Name: Title:
Part 3c. QSA Acknowledgement (if applicable)
If a QSA was involved or assisted with this assessment, describe the role performed:
Signature of QSA Date:
QSA Name: QSA Company:
Part 3d. ISA Acknowledgement (if applicable)
If an ISA was involved or assisted with this assessment, describe the role performed:
Signature of ISA Date:
Added
p. 46
Check with your acquirer or the payment brand(s) before completing Part 4.
PCI DSS Requirement | Description of Requirement | Compliant to PCI DSS Requirements (Select One): YES / NO | Remediation Date and Actions (If “NO” selected for any Requirement)
1 Install and maintain a firewall configuration to protect cardholder data
2 Do not use vendor-supplied defaults for system passwords and other security parameters
3 Protect stored cardholder data
4 Encrypt transmission of cardholder data across open, public networks
5 Protect all systems against malware and regularly update anti-virus software or programs
6 Develop and maintain secure systems and applications
7 Restrict access to cardholder data by business need to know
8 Identify and authenticate access to system components
9 Restrict physical access to cardholder data
10 Track and monitor all access to network resources and cardholder data
11 Regularly test security systems and processes
12 Maintain a policy that addresses information security for all personnel
Modified
p. 1
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage Version 1.2
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Merchants with Payment Application Systems Connected to the Internet, No Electronic Cardholder Data Storage Version 3.0
Removed
p. 4
PCI Data Security Standard: Related Documents The following documents were created to assist merchants and service providers in understanding the PCI Data Security Standard and the PCI DSS SAQ.
PCI Data Security Standard Requirements and Security Assessment Procedures | All merchants and service providers
Navigating PCI DSS: Understanding the Intent of the Requirements | All merchants and service providers
PCI Data Security Standard: Self-Assessment Guidelines and Instructions | All merchants and service providers
PCI Data Security Standard: Self-Assessment Questionnaire A and Attestation | Merchants [1]
PCI Data Security Standard: Self-Assessment Questionnaire B and Attestation | Merchants [1]
PCI Data Security Standard: Self-Assessment Questionnaire C and Attestation | Merchants [1]
PCI Data Security Standard: Self-Assessment Questionnaire D and Attestation | Merchants [1] and all service providers
PCI Data Security Standard and Payment Application Data Security Standard Glossary of Terms, Abbreviations, and Acronyms | All merchants and service providers
[1] To determine the appropriate Self-Assessment Questionnaire, see PCI Data Security Standard: Self-Assessment Guidelines and Instructions, “Selecting the SAQ and Attestation …
Removed
p. 5
1. The payment application is on a personal computer connected to the Internet, or
2. The payment application is connected to the Internet to transmit cardholder data. These merchants are defined as SAQ Validation Type 4, as defined here and in the PCI DSS Self-Assessment Questionnaire Instructions and Guidelines. Validation Type 4 merchants process cardholder data via POS machines connected to the Internet, do not store cardholder data on any computer system, and may be either brick-and-mortar (card-present) or e-commerce or mail/telephone-order (card-not-present) merchants. Such merchants must validate compliance by completing SAQ C and the associated Attestation of Compliance, confirming that:
Each section of this questionnaire focuses on a specific area of security, based on the requirements in the PCI Data Security Standard.
1. Complete the Self-Assessment Questionnaire (SAQ C) according to the instructions in the Self-Assessment Questionnaire Instructions and Guidelines.
2. Complete a passing vulnerability scan with a PCI SSC …
Modified
p. 5 → 4
• Your company has a payment application system and an Internet connection on the same device;
• The payment application/Internet device is not connected to any other systems within your environment;
• Your company retains only paper reports or paper copies of receipts;
• Your company does not store cardholder data in electronic format; and
• Your company’s payment application vendor uses secure techniques to provide remote support to your payment system.
• Your company has a payment application system and an Internet connection on the same device and/or same local area network (LAN);
• The payment application system/Internet device is not connected to any other systems within your environment (this can be achieved via network segmentation to isolate payment application system/Internet device from all other systems);
• The physical location of the POS environment is not connected to other premises or locations, and any LAN is for a single location only; …
Modified
p. 5 → 4
PCI DSS Compliance Completion Steps
PCI DSS Self-Assessment Completion Steps
Modified
p. 5 → 4
5. Submit the SAQ and Attestation of Compliance, along with any other requested documentation (such as ASV scan reports) to your acquirer, payment brand or other requester.
Removed
p. 6
The questions specific to wireless only need to be answered if wireless is present anywhere in your network (for example, Requirement 2.1.1). Note that Requirement 11.1 (use of wireless analyzer) must still be answered even if wireless is not in your network, since the analyzer detects any rogue or unauthorized devices that may have been added without the merchant’s knowledge.
Modified
p. 6
If any requirements are deemed not applicable to your environment, select the “N/A” option for that specific requirement, and complete the “Explanation of Non-Applicability” worksheet in Appendix C for each “N/A” entry.
Removed
p. 7
Part 2. Merchant Organization Information
Company Name:
DBA(S):
Part 2a. Type of merchant business (check all that apply):
List facilities and locations included in PCI DSS review:
Part 2b. Relationships
Does your company have a relationship with one or more third-party service providers (for example, gateways, web-hosting companies, airline booking agents, loyalty program agents, etc)? Yes / No
Does your company have a relationship with more than one acquirer? Yes / No
Part 2c. Transaction Processing
Payment Application in use:
Payment Application Version:
Modified
p. 7
Part 1. Qualified Security Assessor Company Information (if applicable) Company Name:
Part 1b. Qualified Security Assessor Company Information (if applicable) Company Name:
Modified
p. 7
State/Province: Country: ZIP:
State/Province: Country: Zip:
Modified
p. 7
Retailer, Telecommunication, Grocery and Supermarkets, Petroleum, E-Commerce, Mail/Telephone-Order, Others (please specify):
Part 2. Executive Summary
Part 2a. Type of Merchant Business (check all that apply)
Retailer, Telecommunication, Grocery and Supermarkets, Petroleum, E-Commerce, Mail order/telephone order (MOTO), Others (please specify):
Removed
p. 8
Part 3. PCI DSS Validation Based on the results noted in the SAQ C dated (completion date), (Merchant Company Name) asserts the following compliance status (check one):
Compliant: All sections of the PCI SAQ are complete, and all questions answered “yes,” resulting in an overall COMPLIANT rating, and a passing scan has been completed by a PCI SSC Approved Scan Vendor, thereby (Merchant Company Name) has demonstrated full compliance with the PCI DSS.
Non-Compliant: Not all sections of the PCI SAQ are complete, or some questions are answered “no,” resulting in an overall NON-COMPLIANT rating, or a passing scan has not been completed by a PCI SSC Approved Scan Vendor, thereby (Merchant Company Name) has not demonstrated full compliance with the PCI DSS.
An entity submitting this form with a status of Non-Compliant may be required to complete the Action Plan in Part 4 of this document. Check with your acquirer or the …
Modified
p. 8 → 9
• Merchant has a payment application system and an Internet or public network connection on the same device;
• The payment application system/Internet device is not connected to any other system within the merchant environment;
• Merchant does not store cardholder data in electronic format;
• If Merchant does store cardholder data, such data is only in paper reports or copies of paper receipts and is not received electronically; and
• Merchant’s payment application software vendor uses secure techniques to provide remote support to merchant’s …
• Merchant has a payment application system and an Internet connection on the same device and/or same local area network (LAN);
• The payment application system/Internet device is not connected to any other system within the merchant environment;
• The physical location of the POS environment is not connected to other premises or locations, and any LAN is for a single location only;
• Merchant does not store cardholder data in electronic format; and
• If Merchant does store cardholder data, such data is only …
Removed
p. 10
PCI DSS Requirement | Description of Requirement | Compliance Status (Select One: YES / NO) | Remediation Date and Actions (if Compliance Status is “NO”)
1 | Install and maintain a firewall configuration to protect cardholder data
2 | Do not use vendor-supplied defaults for system passwords and other security parameters
3 | Protect stored cardholder data
4 | Encrypt transmission of cardholder data across open, public networks
5 | Use and regularly update anti-virus software
6 | Develop and maintain secure systems and applications
7 | Restrict access to cardholder data by business need to know
8 | Assign a unique ID to each person with computer access
9 | Restrict physical access to cardholder data
11 | Regularly test security systems and processes
12 | Maintain a policy that addresses information security
Modified
p. 11 → 10
Build and Maintain a Secure Network
Self-assessment completion date: Build and Maintain a Secure Network and Systems
Modified
p. 11 → 10
Note: An “untrusted network” is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity’s ability to control or manage.
Modified
p. 11 → 15
Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
Removed
p. 12
Requirement 3: Protect stored cardholder data
Question | Response: Yes / No / Special
3.2 Do all systems adhere to the following requirements regarding storage of sensitive authentication data after authorization (even if encrypted)?
3.2.1 Do not store the full contents of any track from the magnetic stripe (located on the back of a card, contained in a chip, or elsewhere). This data is alternatively called full track, track, track 1, track 2, and magnetic-stripe data. In the normal course of business, the following data elements from the magnetic stripe may need to be retained:
Removed
p. 12
• This requirement does not apply to employees and other parties with a specific need to see the full PAN;
• This requirement does not supersede stricter requirements in place for displays of cardholder data, for example, for point-of-sale (POS) receipts.
Modified
p. 12 → 16
The cardholder’s name, Primary account number (PAN), Expiration date, and Service code. To minimize risk, store only these data elements as needed for business.
Removed
p. 13
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Question | Response: Yes / No / Special
4.1 Are strong cryptography and security protocols, such as SSL/TLS or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks? Examples of open, public networks that are in scope of the PCI DSS are the Internet, wireless technologies, Global System for Mobile communications (GSM), and General Packet Radio Service (GPRS).
Note: If you have wireless technology implemented in your environment, please be aware of the following:
For new wireless implementations, it is prohibited to implement WEP after March 31, 2009. For current wireless implementations, it is prohibited to use WEP after June 30, 2010.
Removed
p. 14
Requirement 5: Use and regularly update anti-virus software or programs
Question | Response: Yes / No / Special
Is anti-virus software deployed on all systems, particularly personal computers and servers, commonly affected by malicious software?
Removed
p. 14
Requirement 6: Develop and maintain secure systems and applications
Question | Response: Yes / No / Special*
6.1 (a) Do all system components and software have the latest vendor-supplied security patches installed? (b) Are critical security patches installed within one month of release?
Note: An organization may consider applying a risk-based approach to prioritize their patch installations. For example, by prioritizing critical infrastructure (for example, public-facing devices and systems, databases) higher than less-critical internal devices, to ensure high-priority systems and devices are addressed within one month, and addressing less critical devices and systems within three months.
Removed
p. 15
Requirement 8: Assign a unique ID to each person with computer access
Question | Response: Yes / No / Special*
8.5.6 Are accounts used by vendors for remote maintenance enabled only during the time period needed?
Modified
p. 15 → 23
Requirement 7: Restrict access to cardholder data by business need-to-know
Question | Response: Yes / No / Special
7.1 (a) Is access to system components and cardholder data limited to only those individuals whose jobs require such access?
Requirement 7: Restrict access to cardholder data by business need to know
Modified
p. 15 → 25
Requirement 9: Restrict physical access to cardholder data
Question | Response: Yes / No / Special*
9.6 Are all paper and electronic media that contain cardholder data physically secure?
Requirement 9: Restrict physical access to cardholder data
Removed
p. 16
Requirement 11: Regularly test security systems and processes
Question | Response: Yes / No / Special*
11.1 Is the presence of wireless access points tested for by using a wireless analyzer at least quarterly or by deploying a wireless IDS/IPS to identify all wireless devices in use?
11.2 Are internal and external network vulnerability scans run at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades)?
Note: Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV) qualified by Payment Card Industry Security Standards Council (PCI SSC). Scans conducted after network changes may be performed by the company’s internal staff.
Modified
p. 16 → 29
Requirement 10: Track and monitor all access to network resources and cardholder data
Question | Response: Yes / No / Special
No questions applicable to SAQ C.
Requirement 10: Track and monitor all access to network resources and cardholder data
Removed
p. 17
Includes a review at least once a year and updates when the environment changes?
Modified
p. 17 → 37
Requirement 12: Maintain a policy that addresses information security for employees and contractors
Question | Response: Yes / No / Special
12.1 Is a security policy established, published, maintained, and disseminated, and does it accomplish the following:
Requirement 12: Maintain a policy that addresses information security for all personnel
Removed
p. 19
1. Meet the intent and rigor of the original PCI DSS requirement.
2. Provide a similar level of defense as the original PCI DSS requirement, such that the compensating control sufficiently offsets the risk that the original PCI DSS requirement was designed to defend against. (See Navigating PCI DSS for the intent of each PCI DSS requirement.)
3. Be “above and beyond” other PCI DSS requirements. (Simply being in compliance with other PCI DSS requirements is not a compensating control.) When evaluating “above and beyond” for compensating controls, consider the following:
Note: The items at a) through c) below are intended as examples only. All compensating controls must be reviewed and validated for sufficiency by the assessor who conducts the PCI DSS review. The effectiveness of a compensating control is dependent on the specifics of the environment in which the control is implemented, the surrounding security controls, and the configuration of the …
Modified
p. 20 → 42
Note: Only companies that have undertaken a risk analysis and have legitimate technological or documented business constraints can consider the use of compensating controls to achieve compliance.
Requirement Number and Definition:
Note: Only companies that have undertaken a risk analysis and have legitimate technological or documented business constraints can consider the use of compensating controls to achieve compliance.
Removed
p. 21
Requirement Number: 8.1: Are all users identified with a unique user name before allowing them to access system components or cardholder data?
Information Required | Explanation
1. Constraints List constraints precluding compliance with the original requirement.
Company XYZ employs stand-alone Unix Servers without LDAP. As such, they each require a “root” login. It is not possible for Company XYZ to manage the “root” login nor is it feasible to log all “root” activity by each user.
2. Objective Define the objective of the original control; identify the objective met by the compensating control.
The objective of requiring unique logins is twofold. First, it is not considered acceptable from a security perspective to share login credentials. Secondly, having shared logins makes it impossible to state definitively that a person is responsible for a particular action.
3. Identified Risk Identify any additional risk posed by the lack of the original control.
Additional risk is introduced to the access control system …
Modified
p. 22 → 43
Requirement | Reason Requirement is Not Applicable
Example: 12.8 | Cardholder data is never shared with service providers.
Requirement | Reason Requirement is Not Applicable
3.4 | Cardholder data is never stored electronically