Document Comparison

pci_saq_d.pdf SAQ_D_v3_Merchant.pdf
7% similar
37 → 82 Pages
10695 → 20115 Words
81 Content Changes

From Revision History

  • October 2008 1.2 To align content with new PCI DSS v1.2 and to implement minor changes noted since original v1.1.

Content Changes

81 content changes. 53 administrative changes (dates, page numbers) hidden.

Added p. 4
• E-commerce merchants who accept cardholder data on their website.
• Merchants with electronic storage of cardholder data
• Merchants that don’t store cardholder data electronically but that do not meet the criteria of another SAQ type
• Merchants with environments that might meet the criteria of another SAQ type, but that have additional PCI DSS requirements applicable to their environment

While many organizations completing SAQ D will need to validate compliance with every PCI DSS requirement, some organizations with very specific business models may find that some requirements do not apply. See the guidance below for information about the exclusion of certain, specific requirements.

1. Identify the applicable SAQ for your environment

• Refer to the Self-Assessment Questionnaire Instructions and Guidelines document on the PCI SSC website for information.

2. Confirm that your environment is properly scoped and meets the eligibility criteria for the SAQ you are using.

3. Assess your environment for compliance with …
Added p. 5
PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms: Descriptions and definitions of terms used in the PCI DSS and self-assessment questionnaires.

These and other resources can be found on the PCI SSC website (www.pcisecuritystandards.org). Organizations are encouraged to review the PCI DSS and other supporting documents before beginning an assessment.

Expected Testing

The instructions provided in the “Expected Testing” column are based on the testing procedures in the PCI DSS, and provide a high-level description of the types of testing activities that should be performed in order to verify that a requirement has been met. Full details of testing procedures for each requirement can be found in the PCI DSS.

Completing the Self-Assessment Questionnaire

For each question, there is a choice of responses to indicate your company’s status regarding that requirement. Only one response should be selected for each question.

A description of the meaning for each response is provided …
Added p. 6
Examples of requirements with specific applicability include:

• The questions specific to securing wireless technologies (for example, Requirements 1.2.3, 2.1.1, and 4.1.1) only need to be answered if wireless is present anywhere in your network. Note that Requirement 11.1 (use of processes to identify unauthorized wireless access points) must still be answered even if you don’t use wireless technologies in your network, since the process detects any rogue or unauthorized devices that may have been added without your knowledge.

• The questions for Requirements 9.1.1 and 9.3 only need to be answered for facilities with “sensitive areas” as defined here: “Sensitive areas” refers to any data center, server room or any area that houses systems that store, process, or transmit cardholder data. This excludes the areas where only point-of-sale terminals are present, such as the cashier areas in a retail store, but does include retail store back-office server rooms that store cardholder …
Added p. 8
Payment Application | Version Number | Application | Is application PA-DSS Listed? | PA-DSS Listing Expiry date (if applicable)

Part 2e. Description of Environment

Provide a high-level description of the environment covered by this assessment.

For example:

• Connections into and out of the cardholder data environment (CDE).

• Critical system components within the CDE, such as POS devices, databases, web servers, etc., and any other necessary payment components, as applicable.

Does your business use network segmentation to affect the scope of your PCI DSS environment? (Refer to “Network Segmentation” section of PCI DSS for guidance on network segmentation)
Added p. 9
Note: Requirement 12.8 applies to all entities in this list.
Added p. 10
Section 2: Self-Assessment Questionnaire D for Merchants

Note: The following questions are numbered according to PCI DSS requirements and testing procedures, as defined in the PCI DSS Requirements and Security Assessment Procedures document.

PCI DSS Question | Expected Testing | Response (Check one response for each question): Yes with CCW / No / N/A / Not Tested

1.1 Are firewall and router configuration standards established and implemented to include the following:
Expected Testing: Review documented process; Interview personnel; Examine network configurations

1.1.2 (a) Is there a current network diagram that documents all connections between the cardholder data environment and other networks, including any wireless networks?
Expected Testing: Review current network diagram; Examine network configurations

(b) Is there a process to ensure the diagram is kept current?
Expected Testing: Interview responsible personnel

1.1.3 (a) Is there a current diagram that shows all cardholder data flows across systems and networks?
Expected Testing: Review current dataflow diagram; Examine network configurations

(b) Is there a …
Added p. 15
2.1 (a) Are vendor-supplied defaults always changed before installing a system on the network? (This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, Simple Network Management Protocol (SNMP) community strings, etc.)
Expected Testing: Review policies and procedures; Examine vendor documentation; Observe system configurations and account settings; Interview personnel

(b) Are unnecessary default accounts removed or disabled before installing a system on the network?
Expected Testing: Review policies and procedures; Review vendor documentation; Examine system configurations and account settings; Interview personnel

2.1.1 For wireless environments connected to the cardholder data environment or transmitting cardholder data, are ALL wireless vendor defaults changed at installations, as follows:

(a) Are encryption keys changed from …
Added p. 21
Expected Testing: Examine data sources including: Incoming transaction data; All logs; History files; Trace files; Database schema; Database contents

3.2.2 The card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) is not stored after authorization?
Expected Testing: Examine data sources including: Incoming transaction data; All logs; History files; Trace files; Database schema; Database contents

3.2.3 The personal identification number (PIN) or the encrypted PIN block is not stored after authorization?
Expected Testing: Examine data sources including: Incoming transaction data; All logs; History files; Trace files; Database schema; Database contents

3.3 Is the PAN masked when displayed (the first six and last four digits are the maximum number of digits to …
Added p. 25
Expected Testing: Review key-management procedures; Observe key-generation method

3.6.2 Do cryptographic key procedures include secure cryptographic key distribution?
Expected Testing: Review key-management procedures; Observe the key-distribution method

3.6.3 Do cryptographic key procedures include secure cryptographic key storage?
Expected Testing: Review key-management procedures; Observe the method for secure storage of keys

3.6.4 Do cryptographic key procedures include cryptographic key changes for keys that have reached the end of their defined cryptoperiod (for example, after a defined period of time has passed and/or after a certain amount of cipher-text has been produced by a given key), as defined by the associated application vendor or key owner, and based on industry best practices and guidelines (for example, NIST Special Publication 800-57)?
Expected Testing: Review key-management procedures; Interview personnel

3.6.5 (a) Do cryptographic key procedures include retirement …
Added p. 34
6.3.2 Is all custom code reviewed prior to release to production or customers to identify any potential coding vulnerability (using either manual or automated processes) as follows:
• Are code changes reviewed by individuals other than the originating code author, and by individuals who are knowledgeable about code review techniques and secure coding practices?
• Do code reviews ensure code is developed according to secure coding guidelines?
• Are appropriate corrections implemented prior to release?
• Are code review results reviewed and approved by management prior to release?

Note: This requirement for code reviews applies to all custom code (both internal and public-facing), as part of the system development life cycle. Code reviews can be conducted by knowledgeable internal personnel or third parties. Public-facing web applications are also subject to additional controls, to …
Added p. 37
Expected Testing: Examine software-development policies and procedures; Interview responsible personnel

6.5.8 Do coding techniques address improper access control such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions?
Expected Testing: Examine software-development policies and procedures; Interview responsible personnel

6.5.9 Do coding techniques address cross-site request forgery (CSRF)?
Expected Testing: Examine software-development policies and procedures; Interview responsible personnel

6.5.10 Do coding techniques address broken authentication and session management?
Note: Requirement 6.5.10 is a best practice until June 30, 2015, after which it becomes a requirement.

Note: This assessment is not the same as the vulnerability scans performed for Requirement 11.2.

• Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications to …
Added p. 40
7.1 Is access to system components and cardholder data limited to only those individuals whose jobs require such access, as follows:
• Is there a written policy for access control that incorporates the following?
  • Defining access needs and privilege assignments for each role
  • Restriction of access to privileged user IDs to least privileges necessary to perform job responsibilities
  • Assignment of access based on individual personnel’s job classification and function
  • Documented approval (electronically or in writing) by authorized parties for all access, including listing of specific privileges approved
Expected Testing: Examine written access control policy

7.1.1 Are access needs for each role defined, including:
• System components and data resources that each role needs to access for their job function?
• Level of privilege required (for example, user, administrator, etc.) for accessing …
Added p. 42
Requirement 8: Identify and authenticate access to system components

8.1 Are policies and procedures for user identification management controls defined and in place for non-consumer users and administrators on all system components, as follows:
Expected Testing: Review password procedures; Interview personnel

8.1.2 Are additions, deletions, and modifications of user IDs, credentials, and other identifier objects controlled such that user IDs are implemented only as authorized (including with specified privileges)?
Expected Testing: Review password procedures; Examine privileged and general user IDs and associated authorizations; Observe system settings

8.1.3 Is access for any terminated users immediately deactivated or removed?
Expected Testing: Review password procedures; Examine terminated users’ accounts; Review current access lists; Observe returned physical authentication devices

8.1.4 Are inactive user accounts over 90 days old either removed or disabled?
Expected Testing: Review password procedures …
Added p. 45
8.3 Is two-factor authentication incorporated for remote network access originating from outside the network by personnel (including users and administrators) and all third parties (including vendor access for support or maintenance)?

Note: Two-factor authentication requires that two of the three authentication methods (see PCI DSS Requirement 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered two-factor authentication.

Examples of two-factor technologies include remote authentication and dial-in service (RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens; and other technologies that facilitate two-factor authentication.

Expected Testing: Review policies and procedures; Examine system configurations; Observe personnel

8.4 (a) Are authentication procedures and policies documented and communicated to all users?
Expected Testing: Review policies and procedures; Review distribution method …
Added p. 46
(a) Is all user access to, user queries of, and user actions on (for example, move, copy, delete) the database through programmatic methods only (for example, through stored procedures)?
Expected Testing: Review database authentication policies and procedures; Examine database and application configuration settings

(b) Is user direct access to or queries of databases restricted to database administrators?
Expected Testing: Review database authentication policies and procedures; Examine database access control settings; Examine database application configuration settings

(c) Are application IDs only able to be used by the applications (and not by individual users or other processes)?
Expected Testing: Review database authentication policies and procedures; Examine database access control settings; Examine database application configuration settings

8.8 Are security policies and operational procedures for identification and authentication:

…
Added p. 50
Expected Testing: Review policies and procedures; Observe visitor processes including how access is controlled; Interview personnel; Observe visitors and badge use

9.4.2 (a) Are visitors identified and given a badge or other identification that visibly distinguishes the visitors from onsite personnel?
Expected Testing: Observe badge use of personnel and visitors; Examine identification

(b) Do visitor badges or other identification expire?
Expected Testing: Observe process; Examine identification

9.4.3 Are visitors asked to surrender the badge or other identification before leaving the facility or at the date of expiration?
Expected Testing: Observe processes; Observe visitors leaving facility

9.4.4 (a) Is a visitor log in use to record physical access to the facility as well as for computer rooms and data centers where cardholder data is stored or transmitted?
Expected Testing: Review policies and procedures; Examine the visitor log; Observe visitor processes; Examine log retention

(b) Does the visitor log contain the …
Added p. 56
10.1 (a) Are audit trails enabled and active for system components?
Expected Testing: Observe processes; Interview system administrator

(b) Is access to system components linked to individual users?
Expected Testing: Observe processes; Interview system administrator

10.2 Are automated audit trails implemented for all system components to reconstruct the following events:
Added p. 56
• and all changes, additions, or deletions to accounts with root or administrative privileges?
Expected Testing: Interview personnel; Observe audit logs; Examine audit log settings

10.2.6 Initialization, stopping, or pausing of the audit logs?
Expected Testing: Interview personnel; Observe audit logs; Examine audit log settings

10.2.7 Creation and deletion of system-level objects?
Expected Testing: Interview personnel; Observe audit logs; Examine audit log settings

10.3 Are the following audit trail entries recorded for all system components for each event:
Added p. 58
10.4 Are all critical system clocks and times synchronized through use of time synchronization technology, and is the technology kept current?
Note: One example of time synchronization technology is Network Time Protocol (NTP).
Expected Testing: Review time configuration standards and processes

10.4.1 Are the following processes implemented for critical systems to have the correct and consistent time:

(a) Do only designated central time server(s) receive time signals from external sources, and are time signals from external sources based on International Atomic Time or UTC?
Expected Testing: Review time configuration standards and processes; Examine time-related system parameters

(b) Where there is more than one designated time server, do the time servers peer with each other to keep accurate time?
Expected Testing: Review time configuration standards and processes; Examine time-related system parameters

(c) Do systems receive time only …
Added p. 60
• All security events
• Logs of all system components that store, process, or transmit CHD and/or SAD, or that could impact the security of CHD and/or SAD
• Logs of all critical system components
• Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.)
Expected Testing: Review security policies and procedures

(b) Are the above logs and security events reviewed at least daily?
Expected Testing: Observe processes; Interview personnel

10.6.2 (a) Are written policies and procedures defined for reviewing logs of all other system components periodically:
• either manually or via log tools
• based on the organization’s policies and risk management strategy?
Expected Testing: Review security policies and procedures

(b) Are reviews of all other system components performed in accordance with the organization’s policies and risk management strategy?
Expected Testing: Review risk assessment documentation; Interview personnel

…
Added p. 63
Expected Testing: Review scan reports

(c) Are quarterly internal scans performed by a qualified internal resource(s) or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)?
Expected Testing: Interview personnel

11.2.2 (a) Are quarterly external vulnerability scans performed?

Note: Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SSC).

Refer to the ASV Program Guide published on the PCI SSC website for scan customer responsibilities, scan preparation, etc.

Expected Testing: Review results from the four most recent quarters of external vulnerability scans

(b) Do external quarterly scan and rescan results satisfy the ASV Program Guide requirements for a passing scan (for example, no vulnerabilities rated 4.0 or higher by the …
Added p. 69
Note: For the purposes of Requirement 12, “personnel” refers to full-time and part-time employees, temporary employees and personnel, and contractors and consultants who are “resident” on the entity’s site or otherwise have access to the company’s site cardholder data environment.

12.1 Is a security policy established, published, maintained, and disseminated to all relevant personnel?
Expected Testing: Review the information security policy; Interview responsible personnel

12.2 (a) Is an annual risk assessment process implemented that identifies assets, threats, and vulnerabilities?
Examples of risk assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP 800-30.
Expected Testing: Review annual risk assessment process; Interview personnel

(b) Does the risk assessment process result in a formal risk assessment?
Expected Testing: Review the formal risk assessment

(c) Is the risk assessment process performed at least annually and …
Added p. 70
12.3.2 Authentication for use of the technology?
Expected Testing: Review usage policies; Interview responsible personnel

12.3.3 A list of all such devices and personnel with access?
Expected Testing: Review usage policies; Interview responsible personnel

12.3.4 A method to accurately and readily determine owner, contact information, and purpose (for example, labeling, coding, and/or inventorying of devices)?
Expected Testing: Review usage policies; Interview responsible personnel

12.3.5 Acceptable uses of the technologies?
Expected Testing: Review usage policies; Interview responsible personnel

12.3.6 Acceptable network locations for the technologies?
Expected Testing: Review usage policies; Interview responsible personnel

12.3.7 List of company-approved products?
Expected Testing: Review usage policies; Interview responsible personnel

12.3.8 Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity?
Expected Testing: Review usage policies; Interview responsible personnel

12.3.9 Activation of remote-access technologies for …
Added p. 77
Refer to Appendices B, C, and D of PCI DSS for information about compensating controls and guidance on how to complete this worksheet.
Added p. 79
Requirement | Describe which part(s) of the requirement was not tested | Describe why requirements were not tested

Requirement 12
Part(s) not tested: Requirement 12.2 was the only requirement tested. All other requirements from Requirement 12 were excluded.
Why not tested: This assessment only covers requirements in Milestone 1 of the Prioritized Approach.

Requirements 1-8, 10-12
Part(s) not tested: Only Requirement 9 was reviewed for this assessment. All other requirements were excluded.
Why not tested: Company is a physical hosting provider (CO-LO), and only physical security controls were considered for this assessment.
Added p. 80
Section 3: Validation and Attestation Details

Part 3. PCI DSS Validation

Based on the results noted in the SAQ D dated (completion date), the signatories identified in Parts 3b-3d, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document as of (date) (check one):

Compliant: All sections of the PCI DSS SAQ are complete, all questions answered affirmatively, resulting in an overall COMPLIANT rating; thereby (Merchant Company Name) has demonstrated full compliance with the PCI DSS.

Non-Compliant: Not all sections of the PCI DSS SAQ are complete, or not all questions are answered affirmatively, resulting in an overall NON-COMPLIANT rating, thereby (Merchant Company Name) has not demonstrated full compliance with the PCI DSS.

An entity submitting this form with a status of Non-Compliant may be required to complete the Action Plan in Part 4 of this document. Check with your acquirer or the payment brand(s) before …
Added p. 81
ASV scans are being completed by the PCI SSC Approved Scanning Vendor (ASV Name)

Part 3b. Merchant Attestation

Signature of Merchant Executive Officer:   Date:

Merchant Executive Officer Name:   Title:

Part 3c. QSA Acknowledgement (if applicable)

If a QSA was involved or assisted with this assessment, describe the role performed:

Signature of QSA:   Date:

QSA Name:   QSA Company:

Part 3d. ISA Acknowledgement (if applicable)

If an ISA was involved or assisted with this assessment, describe the role performed:

Signature of ISA:   Date:
Added p. 82
Check with your acquirer or the payment brand(s) before completing Part 4.

PCI DSS Requirement | Description of Requirement | Compliant to PCI DSS Requirements (Select One): YES / NO | Remediation Date and Actions (If “NO” selected for any Requirement)

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel
Modified p. 1
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers Version 1.2
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Merchants All other SAQ-Eligible Merchants Version 3.0
Removed p. 4
PCI Data Security Standard: Related Documents

The following documents were created to assist merchants and service providers in understanding the PCI Data Security Standard and the PCI DSS SAQ.

PCI Data Security Standard Requirements and Security Assessment Procedures | All merchants and service providers
Navigating PCI DSS: Understanding the Intent of the Requirements | All merchants and service providers
PCI Data Security Standard: Self-Assessment Guidelines and Instructions | All merchants and service providers
PCI Data Security Standard: Self-Assessment Questionnaire A and Attestation | Merchants¹
PCI Data Security Standard: Self-Assessment Questionnaire B and Attestation | Merchants¹
PCI Data Security Standard: Self-Assessment Questionnaire C and Attestation | Merchants¹
PCI Data Security Standard: Self-Assessment Questionnaire D and Attestation | Merchants¹ and all service providers
PCI Data Security Standard and Payment Application Data Security Standard Glossary of Terms, Abbreviations, and Acronyms | All merchants and service providers

¹ To determine the appropriate Self-Assessment Questionnaire, see PCI Data Security Standard: Self-Assessment Guidelines and Instructions, “Selecting the SAQ and Attestation …
Removed p. 5
SAQ Validation Type | Description
1 | Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
Removed p. 5
These merchants not meeting the criteria for SAQs A-C above and all service providers defined by a payment brand as being SAQ-eligible are defined as SAQ Validation Type 5, here and in the PCI DSS Self-Assessment Questionnaire Instructions and Guidelines. While many of the organizations completing SAQ D will need to validate compliance with every PCI DSS requirement, some organizations with very specific business models may find that some requirements do not apply. For example, a company that does not use wireless technology in any capacity would not be expected to validate compliance with the sections of the PCI DSS that are specific to wireless technology. See the guidance below for information about the exclusion of wireless technology and certain other, specific requirements.

Each section of this questionnaire focuses on a specific area of security, based on the requirements in the PCI Data Security Standard.

1. Complete the Self-Assessment Questionnaire (SAQ D) …
Modified p. 5 → 4
PCI DSS Compliance Completion Steps
PCI DSS Self-Assessment Completion Steps
Modified p. 5 → 4
4. Submit the SAQ, evidence of a passing scan, and the Attestation of Compliance, along with any other requested documentation, to your acquirer (for merchants) or to the payment brand or other requester (for service providers).
5. Submit the SAQ and Attestation of Compliance, along with any other requested documentation, such as ASV scan reports, to your acquirer, payment brand or other requester.
Removed p. 6
• The questions specific to wireless only need to be answered if wireless is present anywhere in your network (for example, Requirements 1.2.3, 2.1.1, and 4.1.1). Note that Requirement 11.1 (use of wireless analyzer) must still be answered even if wireless is not in your network, since the analyzer detects any rogue or unauthorized devices that may have been added without the merchant’s knowledge.

• The questions for Requirements 9.1-9.4 only need to be answered for facilities with “sensitive areas” as defined here. “Sensitive areas” refers to any data center, server room or any area that houses systems that store, process, or transmit cardholder data. This excludes the areas where only point-of-sale terminals are present, such as the cashier areas in a retail store.

Non-Applicability: These and any other requirements deemed not applicable to your environment must be indicated with “N/A” in the “Special” column of the SAQ. Accordingly, complete the …
Modified p. 6
• The questions specific to custom applications and code (Requirements 6.3-6.5) only need to be answered if your organization writes its own custom web applications.
• The questions specific to application development and secure coding (Requirements 6.3 and 6.5) only need to be answered if your organization develops its own custom applications.
Removed p. 7
Part 2. Merchant Organization Information

Company Name:   DBA(S):

Part 2a. Type of merchant business (check all that apply):

List facilities and locations included in PCI DSS review:

Part 2b. Relationships

Does your company have a relationship with one or more third-party service providers (for example, gateways, web-hosting companies, airline booking agents, loyalty program agents, etc.)?   Yes   No

Does your company have a relationship with more than one acquirer?   Yes   No

Part 2c. Transaction Processing

Payment Application in use:   Payment Application Version:
Modified p. 7
Part 1. Qualified Security Assessor Company Information (if applicable) Company Name:
Part 1. Merchant and Qualified Security Assessor Information Part 1a. Merchant Organization Information Company Name: DBA (doing business as):
Modified p. 7
State/Province: Country: ZIP:
State/Province: Country: Zip:
Modified p. 7
State/Province: Country: ZIP:
State/Province: Country: Zip:
Modified p. 7
Retailer Telecommunication Grocery and Supermarkets Petroleum E-Commerce Mail/Telephone-Order Others (please specify):
Part 2. Executive Summary Part 2a. Type of Merchant Business (check all that apply) Retailer Telecommunication Grocery and Supermarkets Petroleum E-Commerce Mail order/telephone order (MOTO) Others (please specify):
Removed p. 8
Compliant: All sections of the PCI SAQ are complete, all questions answered affirmatively, resulting in an overall COMPLIANT rating; and a passing scan has been completed by a PCI SSC Approved Scan Vendor, thereby (Merchant Company Name) has demonstrated full compliance with the PCI DSS.

Non-Compliant: Not all sections of the PCI DSS SAQ are complete, or not all questions are answered “yes,” resulting in an overall NON-COMPLIANT rating, or a passing scan has not been completed by a PCI SSC Approved Scan Vendor, thereby (Merchant Company Name) has not demonstrated full compliance with the PCI DSS.

An entity submitting this form with a status of Non-Compliant may be required to complete the Action Plan in Part 4 of this document. Check with your acquirer or the payment brand(s) before completing Part 4, since not all payment brands require this section.

Part 3a. Confirmation of Compliant Status Merchant confirms:

I have read the PCI …
Removed p. 9
PCI DSS Requirement | Description of Requirement | Compliance Status (Select One: YES / NO) | Remediation Date and Actions (if Compliance Status is “NO”)

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security

List facilities and locations included in PCI DSS review:
Removed p. 10
Part 1. Qualified Security Assessor Company Information (if applicable) Company Name:

Business Address: City:

Business Address: City:

Part 2. Service Provider Organization Information Company Name:

Part 2a. Services Services Provided (check all that apply):

Authorization Loyalty Programs 3-D Secure Access Control Server Switching IPSP (E-commerce) Process Magnetic-Stripe Transactions Payment Gateway Clearing & Settlement Process MO/TO Transactions Hosting Issuing Processing Others (please specify):

Part 2b. Relationships Does your company have a relationship with one or more third-party service providers (for example, gateways, web-hosting companies, airline booking agents, loyalty program agents, etc)? Yes No Part 2c: Transaction Processing How and in what capacity does your business store, process and/or transmit cardholder data? Payment Applications in use or provided as part of your service: Payment Application Version:

An entity submitting this form with a status of Non-Compliant may be required to complete the Action Plan in Part 4 of this document. Check with your acquirer or the payment brand(s) before …
Removed p. 11
Compliant: All sections of the PCI SAQ are complete, and all questions answered “yes”, resulting in an overall COMPLIANT rating; and a passing scan has been completed by a PCI SSC Approved Scan Vendor, thereby (Service Provider Company Name) has demonstrated full compliance with the PCI DSS.

Non-Compliant: Not all sections of the PCI SAQ are complete, or some questions are answered “no”, resulting in an overall NON-COMPLIANT rating, or a passing scan has not been completed by a PCI SSC Approved Scan Vendor, thereby (Service Provider Company Name) has not demonstrated full compliance with the PCI DSS. Target Date for Compliance:

Part 3a. Confirmation of Compliant Status Service Provider confirms:

Self-Assessment Questionnaire D, Version (insert version number), was completed according to the instructions therein.

All information within the above-referenced SAQ and in this attestation fairly represents the results of my assessment.

No evidence of magnetic stripe (i.e., track) data, CAV2, CVC2, CID, or CVV2 …
Modified p. 13 → 10
Build and Maintain a Secure Network
Self-assessment completion date: Build and Maintain a Secure Network and Systems
Modified p. 13 → 10
Requirement 1: Install and maintain a firewall configuration to protect data Question Response: Yes No Special 1.1 Do established firewall and router configuration standards include the following?
Requirement 1: Install and maintain a firewall configuration to protect data
Modified p. 13 → 12
1.2.1. Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 1.2.1 (a) Is inbound and outbound traffic restricted to that which is necessary for the cardholder data environment?
Removed p. 15
(b) Are wireless device security settings enabled for strong encryption technology for authentication and transmissions?

(b) Do these standards address all known security vulnerabilities and are they consistent with industry-accepted system hardening standards, for example, SysAdmin Audit Network Security (SANS), National Institute of Standards and Technology (NIST), and Center for Internet Security (CIS)?

(c) Do controls ensure the following?
Modified p. 15
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters Question Response: Yes No Special 2.1 Are vendor-supplied defaults always changed before installing a system on the network? Examples include passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Removed p. 17
Requirement 3: Protect stored cardholder data Question Response: Yes No Special 3.1 (a) Is storage of cardholder data kept to a minimum, and is storage amount and retention time limited to that which is required for business, legal, and/or regulatory purposes?

(b) Is there a data-retention and disposal policy, and does it include limitations as stated in (a) above?
Removed p. 17
• This requirement does not apply to employees and other parties with a specific need to see the full PAN;
• This requirement does not supersede stricter requirements in place for displays of cardholder data, for example, for point-of-sale (POS) receipts.
Modified p. 17 → 21
The cardholder’s name, Primary account number (PAN), Expiration date, and Service code To minimize risk, store only these data elements as needed for business. NEVER store the card verification code or value or PIN verification value data elements. Note: See PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms for additional information.
The cardholder’s name, Primary account number (PAN), Expiration date, and Service code To minimize risk, store only these data elements as needed for business.
Removed p. 18
(b) Are decryption keys independent of user accounts?
Removed p. 18
• As deemed necessary and recommended by the associated application (for example, re-keying), preferably automatically
• At least annually
3.6.5 Retirement or replacement of old or suspected compromised cryptographic keys
3.6.6 Split knowledge and establishment of dual control of cryptographic keys
Modified p. 18 → 23
(a) Is logical access managed independently of native operating system access control mechanisms (for example, by not using local user account databases)?
(a) Is logical access to encrypted file systems managed separately and independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network login credentials)?
Removed p. 19
• For new wireless implementations, it is prohibited to implement WEP after March 31, 2009.
• For current wireless implementations, it is prohibited to use WEP after June 30, 2010.
Modified p. 19 → 28
Requirement 4: Encrypt transmission of cardholder data across open, public networks Question Response: Yes No Special 4.1 Are strong cryptography and security protocols, such as SSL/TLS or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks? Examples of open, public networks that are in scope of the PCI DSS are the Internet, wireless technologies, Global System for Mobile communications (GSM), and General Packet Radio Service (GPRS).
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 4.1 (a) Are strong cryptography and security protocols, such as SSL/TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks? Examples of open, public networks include but are not limited to the Internet; wireless technologies, including 802.11 and Bluetooth; cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA); and …
Removed p. 20
Requirement 5: Use and regularly update anti-virus software or programs Question Response: Yes No Special Is anti-virus software deployed on all systems, particularly personal computers and servers, commonly affected by malicious software?
Removed p. 20
Requirement 6: Develop and maintain secure systems and applications Question Response: Yes No Special* 6.1 (a) Do all system components and software have the latest vendor-supplied security patches installed? (b) Are critical security patches installed within one month of release? Note: An organization may consider applying a risk-based approach to prioritize their patch installations. For example, by prioritizing critical infrastructure (for example, public-facing devices and systems, databases) higher than less-critical internal devices, to ensure high-priority systems and devices are addressed within one month, and addressing less critical devices and systems within three months.
Removed p. 20
Requirement 2.2 to address new vulnerability issues?
Removed p. 20
(b) Do controls ensure the following? 6.3.1 Testing of all security patches and system and software configuration changes before deployment, including but not limited to the following:
Modified p. 21 → 25
(b) Do procedures ensure the following?
(c) Are key-management processes and procedures implemented to require the following:
Removed p. 23
In addition to assigning a unique ID, is one or more of the following methods employed to authenticate all users?
• Password or passphrase
• Two-factor authentication (for example, token devices, smart cards, biometrics, or public keys)
• “Not Applicable” (N/A) or “Compensating Control Used.” Organizations using this section must complete the Compensating Control Worksheet or Explanation of Non-Applicability Worksheet, as appropriate, in the Appendix.
Modified p. 23 → 40
Requirement 7: Restrict access to cardholder data by business need-to-know Question Response: Yes No Special 7.1 (a) Is access to system components and cardholder data limited to only those individuals whose jobs require such access? (b) Do access limitations include the following:
Requirement 7: Restrict access to cardholder data by business need to know
Modified p. 25 → 48
Requirement 9: Restrict physical access to cardholder data Question Response: Yes No Special 9.1 Are appropriate facility entry controls in place to limit and monitor physical access to systems in the cardholder data environment? 9.1.1 (a) Do video cameras or other access-control mechanisms monitor individual physical access to sensitive areas? Note: “Sensitive areas” refers to any data center, server room, or any area that houses systems that store cardholder data. This excludes the areas where only point-of-sale terminals are present …
• Observe physical access controls • Observe personnel 9.1.1 (a) Are video cameras and/or access-control mechanisms in place to monitor individual physical access to sensitive areas? Note: “Sensitive areas” refers to any data center, server room, or any area that houses systems that store cardholder data. This excludes public-facing areas where only point-of-sale terminals are present, such as the cashier areas in a retail store.
Modified p. 25 → 48
(b) Is data collected from video cameras reviewed and correlated with other entries?
• Observe processes • Interview personnel (c) Is data collected from video cameras and/or access control mechanisms reviewed and correlated with other entries?
Modified p. 25 → 48
(c) Is data from video cameras stored for at least three months, unless otherwise restricted by law?
• Review policies and procedures • Interview security personnel (d) Is data collected from video cameras and/or access control mechanisms stored for at least three months unless otherwise restricted by law?
Removed p. 26
(b) Are the visitor’s name, the firm represented, and the employee authorizing physical access documented on the log?

(c) Is visitor log retained for a minimum of three months, unless otherwise restricted by law?
Modified p. 26 → 51
(b) Are media inventories conducted at least annually? 9.10 Is media containing cardholder data destroyed when it is no longer needed for business or legal reasons? Destruction should be as follows:
• Examine inventory logs • Interview personnel 9.8 (a) Is all media destroyed when it is no longer needed for business or legal reasons? • Review periodic media destruction policies and procedures
Removed p. 27
Requirement 10: Track and monitor all access to network resources and cardholder data Question Response: Yes No Special 10.1 Is a process in place to link all access to system components (especially access done with administrative privileges such as root) to each individual user? 10.2 Are automated audit trails implemented for all system components to reconstruct the following events:
Removed p. 27
(b) Do controls ensure the following?
Removed p. 28
Requirement 11: Regularly test security systems and processes Question Response: Yes No Special* 11.1 Is the presence of wireless access points tested for by using a wireless analyzer at least quarterly or by deploying a wireless IDS/IPS to identify all wireless devices in use? 11.2 Are internal and external network vulnerability scans run at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades)? Note: Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV) qualified by Payment Card Industry Security Standards Council (PCI SSC). Scans conducted after network changes may be performed by the company’s internal staff.
Removed p. 29
(b) Are all intrusion-detection and prevention engines kept up-to-date? 11.5 (a) Is file-integrity monitoring software deployed to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and (b) Is the software configured to perform critical file comparisons at least weekly? Note: For file-integrity monitoring purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. File-integrity monitoring products usually come pre-configured with critical files for the related operating system. Other critical files, such as those for custom applications, must be evaluated and defined by the entity (that is, the merchant or service provider).
Modified p. 30 → 69
Requirement 12: Maintain a policy that addresses information security for employees and contractors Question Response: Yes No Special 12.1 Is a security policy established, published, maintained, and disseminated, and does it accomplish the following:
Requirement 12: Maintain a policy that addresses information security for all personnel
Modified p. 30 → 69
Includes a review at least once a year and updates when the environment changes?
• Review the information security policy 12.1.1 Is the security policy reviewed at least annually and updated when the environment changes?
Removed p. 32
• Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum
• Specific incident response procedures
• Business recovery and continuity procedures
• Data back-up processes
• Analysis of legal requirements for reporting compromises
• Coverage and responses of all critical system components
• Reference or inclusion of incident response procedures from the payment brands
12.9.2 Is the plan tested at least annually?
Removed p. 33
A.1.1 Does each entity run processes that have access to only that entity’s cardholder data environment? A.1.2 Are each entity’s access and privileges restricted to its own cardholder data environment?

A.1.3 Are logging and audit trails enabled and unique to each entity’s cardholder data environment and consistent with PCI DSS Requirement 10? A.1.4 Are processes enabled to provide for timely forensic investigation in the event of a compromise to any hosted merchant or service provider?
Removed p. 34
1. Meet the intent and rigor of the original PCI DSS requirement.

2. Provide a similar level of defense as the original PCI DSS requirement, such that the compensating control sufficiently offsets the risk that the original PCI DSS requirement was designed to defend against. (See Navigating PCI DSS for the intent of each PCI DSS requirement.)

3. Be “above and beyond” other PCI DSS requirements. (Simply being in compliance with other PCI DSS requirements is not a compensating control.) When evaluating “above and beyond” for compensating controls, consider the following:

Note: The items at a) through c) below are intended as examples only. All compensating controls must be reviewed and validated for sufficiency by the assessor who conducts the PCI DSS review. The effectiveness of a compensating control is dependent on the specifics of the environment in which the control is implemented, the surrounding security controls, and the configuration of the …
Removed p. 36
Requirement Number: 8.1: Are all users identified with a unique user name before allowing them to access system components or cardholder data? Information Required Explanation

1. Constraints List constraints precluding compliance with the original requirement.

Company XYZ employs stand-alone Unix Servers without LDAP. As such, they each require a “root” login. It is not possible for Company XYZ to manage the “root” login nor is it feasible to log all “root” activity by each user.

2. Objective Define the objective of the original control; identify the objective met by the compensating control.

The objective of requiring unique logins is twofold. First, it is not considered acceptable from a security perspective to share login credentials. Secondly, having shared logins makes it impossible to state definitively that a person is responsible for a particular action.

3. Identified Risk Identify any additional risk posed by the lack of the original control.

Additional risk is introduced to the access control system …
Modified p. 37 → 78
Requirement Reason Requirement is Not Applicable Example: 9.3.1 Visitors are not allowed in areas where cardholder data is processed or maintained.
Requirement Reason Requirement is Not Applicable 3.4 Cardholder data is never stored electronically