Document Comparison: pci_saq_b.pdf → SAQ_B_v3.pdf
20% similar
Pages: 18 → 24
Words: 4042 → 5337
Content changes: 45
From Revision History
- October 2008 1.2 To align content with new PCI DSS v1.2 and to implement minor changes noted since original v1.1.
Content Changes
45 content changes. 26 administrative changes (dates, page numbers) hidden.
Added
p. 4
SAQ B merchants confirm that, for this payment channel:
• Your company uses only an imprint machine and/or uses only standalone, dial-out terminals (connected via a phone line to your processor) to take your customers’ payment card information;
• The standalone, dial-out terminals are not connected to any other systems within your environment;
• The standalone, dial-out terminals are not connected to the Internet;
• Your company does not transmit cardholder data over a network (either an internal network or the Internet);
• Your company retains only paper reports or paper copies of receipts with cardholder data, and these documents are not received electronically; and
• Your company does not store cardholder data in electronic format.
This SAQ is not applicable to e-commerce channels.
This shortened version of the SAQ includes questions that apply to a specific type of small merchant environment, as defined in the above eligibility criteria. If there are PCI …
Added
p. 5
PCI DSS (PCI Data Security Standard Requirements and Security Assessment Procedures):
• Guidance on Scoping
• Guidance on the intent of all PCI DSS Requirements
• Details of testing procedures
• Guidance on Compensating Controls
SAQ Instructions and Guidelines documents:
• Information about all SAQs and their eligibility criteria
• How to determine which SAQ is right for your organization
PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms:
• Descriptions and definitions of terms used in the PCI DSS and self-assessment questionnaires
These and other resources can be found on the PCI SSC website (www.pcisecuritystandards.org). Organizations are encouraged to review the PCI DSS and other supporting documents before beginning an assessment.
Expected Testing
The instructions provided in the “Expected Testing” column are based on the testing procedures in the PCI DSS, and provide a high-level description of the types of testing activities that should be performed in order to verify that a …
Added
p. 6
Legal Exception If your organization is subject to a legal restriction that prevents the organization from meeting a PCI DSS requirement, check the “No” column for that requirement and complete the relevant attestation in Part 3.
Section 1: Assessment Information
Instructions for Submission
This document must be completed as a declaration of the results of the merchant’s self-assessment with the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS). Complete all sections: The merchant is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact acquirer (merchant bank) or the payment brands to determine reporting and submission procedures.
ISA Name(s) (if applicable): Title:
What types of payment channels does your business serve?
• Mail order/telephone order (MOTO)
• E-Commerce
• Card-present (face-to-face)
Which payment channels are covered by this SAQ?
• Mail order/telephone order (MOTO)
• E-Commerce
• Card-present (face-to-face)
Note: If your organization has a payment channel or process that is …
Added
p. 8
Payment Application | Version Number | Application | Is application PA-DSS Listed? | PA-DSS Listing Expiry date (if applicable)
Part 2e. Description of Environment
Provide a high-level description of the environment covered by this assessment.
For example:
• Connections into and out of the cardholder data environment (CDE).
• Critical system components within the CDE, such as POS devices, databases, web servers, etc., and any other necessary payment components, as applicable.
Does your business use network segmentation to affect the scope of your PCI DSS environment? (Refer to “Network Segmentation” section of PCI DSS for guidance on network segmentation)
Added
p. 9
Note: Requirement 12.8 applies to all entities in this list.
Added
p. 10
Note: The following questions are numbered according to PCI DSS requirements and testing procedures, as defined in the PCI DSS Requirements and Security Assessment Procedures document.
Self-assessment completion date:
Protect Cardholder Data
PCI DSS Question | Expected Testing | Response (Check one response for each question): Yes / Yes with CCW / No / N/A
3.2 (c) Is sensitive authentication data deleted or rendered unrecoverable upon completion of the authorization process?
  Expected testing: Review policies and procedures; Examine system configurations; Examine deletion processes
(d) Do all systems adhere to the following requirements regarding non-storage of sensitive authentication data after authorization (even if encrypted):
Added
p. 10
Note: In the normal course of business, the following data elements from the magnetic stripe may need to be retained:
  Expected testing: Examine data sources including: Incoming transaction data; All logs; History files; Trace files; Database schema; Database contents
PCI DSS Question | Expected Testing | Response (Check one response for each question): Yes / Yes with CCW / No / N/A
3.2.2 The card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) is not stored after authorization?
  Expected testing: Examine data sources including: Incoming transaction data; All logs; History files; Trace files; Database schema; Database contents
3.2.3 The personal identification number (PIN) or the encrypted PIN block is not stored after authorization?
  Expected testing: Examine data sources including: Incoming transaction data; All logs; History files; Trace files; Database schema; Database contents
3.3 Is the …
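The “Examine data sources” testing for 3.2.1 through 3.2.3 above amounts to searching incoming transaction data, logs, history and trace files and database contents for full track data, card verification codes and PIN blocks that have survived authorization. As an added example (not part of the SAQ or any PCI SSC document), the Python scanner below does that over a handful of constructed log lines, reports each hit with only the first six and last four PAN digits, and Luhn-checks candidate PANs so that long order numbers and timestamps are not flagged. The track layouts, field labels and sample lines are assumptions made for illustration.

```python
"""Added example: scan text data sources (application logs, trace files,
database dumps) for sensitive authentication data that PCI DSS 3.2.1-3.2.3
forbids retaining after authorization, plus clear-text PANs for review under
3.3/3.4.  Patterns, field labels and sample lines are assumptions made for
illustration; none of this is from the PCI SSC documents."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Track 2 as emitted by a magnetic-stripe reader: ;PAN=YYMMSSS<discretionary data>?
TRACK2_RE = re.compile(r';?(\d{13,19})=(\d{4})(\d{3})[0-9=]*\??')
# Track 1: %BPAN^NAME^YYMMSSS<discretionary data>?
TRACK1_RE = re.compile(r'%?B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\??')
# A CVV2/CVC2/CID is only 3-4 digits, so match on a labelled field, not the bare value.
CVV_RE = re.compile(r'\b(?:cvv2?|cvc2?|cid|cav2?)\b"?\s*[=:]\s*"?(\d{3,4})\b', re.I)
# Clear or encrypted PIN block (hex), again matched via its label.
PIN_RE = re.compile(r'\b(?:pin_?block|pin)\b"?\s*[=:]\s*"?([0-9A-Fa-f]{4,16})\b', re.I)
# Candidate PAN: a 13-19 digit run not embedded in a longer number; Luhn-gated below.
PAN_RE = re.compile(r'(?<!\d)(\d{13,19})(?!\d)')


def luhn_ok(digits: str) -> bool:
    """Luhn check; rejects order numbers and timestamps that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four digits, the most a finding report should reproduce."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str                   # track1 | track2 | cvv | pin | pan
    masked_pan: Optional[str]


def scan_line(line_no: int, line: str) -> List[Finding]:
    findings: List[Finding] = []
    track_spans = []            # spans already attributed to a track hit
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append(Finding(line_no, kind, mask_pan(m.group(1))))
                track_spans.append(m.span())
    for kind, rx in (("cvv", CVV_RE), ("pin", PIN_RE)):
        for m in rx.finditer(line):
            findings.append(Finding(line_no, kind, None))
    for m in PAN_RE.finditer(line):
        # A PAN inside track data has already been reported as part of that track.
        in_track = any(s <= m.start() and m.end() <= e for s, e in track_spans)
        if not in_track and luhn_ok(m.group(1)):
            findings.append(Finding(line_no, "pan", mask_pan(m.group(1))))
    return findings


def scan_lines(lines) -> List[Finding]:
    out: List[Finding] = []
    for n, line in enumerate(lines, 1):
        out.extend(scan_line(n, line))
    return out


# Constructed sample log lines (industry test card numbers, fabricated fields); not real data.
SAMPLE_LOG = [
    '2014-06-01T10:01:02 auth ok txn=1001 pan=411111******1111 amt=12.50',
    '2014-06-01T10:01:03 DEBUG raw_swipe=;4111111111111111=25121011234567890?',
    '2014-06-01T10:01:04 DEBUG track1=%B5105105105105100^DOE/JANE^2512101000000000?',
    '2014-06-01T10:01:05 gw_request {"pan":"4111111111111111","cvv":"123","exp":"2512"}',
    '2014-06-01T10:01:06 pinpad pin_block=A1B2C3D4E5F60718 ksn=FFFF9876543210E00001',
    '2014-06-01T10:01:07 order_id=12345678901234567 status=settled',
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} {f.masked_pan or ''}")
```

A clean run over the 3.2 data sources is necessary, not sufficient: these patterns only catch conventional encodings, so confirm the scanner against the application's own logging configuration and a deliberately logged test swipe (known track data) before answering “Yes”. A track, CVV or PIN hit is a straight 3.2 failure; a clear-text PAN hit is stored cardholder data to be reviewed under 3.3 and 3.4.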
Added
p. 12
• To least privileges necessary to perform job responsibilities?
• Assigned only to roles that specifically require that privileged access?
  Expected testing: Examine written access control policy; Interview personnel; Interview management; Review privileged user IDs
7.1.3 Is access assigned based on individual personnel’s job classification and function?
  Expected testing: Examine written access control policy; Interview management; Review user IDs
PCI DSS Question | Expected Testing | Response (Check one response for each question): Yes / Yes with CCW / No / N/A
9.5 Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? For purposes of Requirement 9, “media” refers to all paper and electronic media containing cardholder data.
Interview personnel; Examine media distribution tracking logs and documentation
9.6.3 Is management approval obtained prior to moving the media (especially when media is distributed to individuals)?
  Expected testing: Interview personnel; Examine media distribution tracking logs and …
Added
p. 14
PCI DSS Question | Expected Testing | Response (Check one response for each question): Yes / Yes with CCW / No / N/A
(b) Are storage containers used for materials that contain information to be destroyed secured to prevent access to the contents?
  Expected testing: Review periodic media destruction policies and procedures; Examine security of storage containers
9.9 Are devices that capture payment card data via direct physical interaction with the card protected against tampering and substitution as follows?
Note: This requirement applies to card-reading devices used in card-present transactions (that is, card swipe or dip) at the point of sale. This requirement is not intended to apply to manual key-entry components such as computer keyboards and POS keypads.
Note: Requirement 9.9 is a best practice until June 30, 2015, after which it becomes a requirement.
(a) Do policies and procedures require that a list of such devices be maintained?
  Expected testing: Review policies and procedures
(b) Do policies and procedures …
Added
p. 16
  Expected testing: Review usage policies; Interview responsible personnel
12.3.3 A list of all such devices and personnel with access?
  Expected testing: Review usage policies; Interview responsible personnel
12.3.5 Acceptable uses of the technologies?
  Expected testing: Review usage policies; Interview responsible personnel
12.4 Do security policy and procedures clearly define information security responsibilities for all personnel?
  Expected testing: Review information security policy and procedures; Interview a sample of responsible personnel
12.5 (b) Are the following information security management responsibilities formally assigned to an individual or team:
  Expected testing: Review information security policy and procedures
12.6 (a) Is a formal security awareness program in place to make all personnel aware of the importance of cardholder data security?
  Expected testing: Review security awareness program
12.8 Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows:
Added
p. 17
  Expected testing: Observe processes; Review policies and procedures and supporting documentation
12.8.4 Is a program maintained to monitor service providers’ PCI DSS compliance status at least annually?
  Expected testing: Observe processes; Review policies and procedures and supporting documentation
PCI DSS Question | Expected Testing | Response (Check one response for each question): Yes / Yes with CCW / No / N/A
12.8.5 Is information maintained about which PCI DSS requirements are managed by each service provider, and which are managed by the entity?
  Expected testing: Observe processes; Review policies and procedures and supporting documentation
12.10.1 (a) Has an incident response plan been created to be implemented in the event of system breach?
  Expected testing: Review the incident response plan; Review incident response plan procedures
Added
p. 20
Refer to Appendices B, C, and D of PCI DSS for information about compensating controls and guidance on how to complete this worksheet.
Added
p. 22
Section 3: Validation and Attestation Details
Part 3. PCI DSS Validation
Based on the results noted in the SAQ B dated (completion date), the signatories identified in Parts 3b-3d, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document as of (date): (check one):
Compliant: All sections of the PCI DSS SAQ are complete, all questions answered affirmatively, resulting in an overall COMPLIANT rating; thereby (Merchant Company Name) has demonstrated full compliance with the PCI DSS.
Non-Compliant: Not all sections of the PCI DSS SAQ are complete, or not all questions are answered affirmatively, resulting in an overall NON-COMPLIANT rating, thereby (Merchant Company Name) has not demonstrated full compliance with the PCI DSS.
An entity submitting this form with a status of Non-Compliant may be required to complete the Action Plan in Part 4 of this document. Check with your acquirer or the payment brand(s) before …
Added
p. 23
ASV scans are being completed by the PCI SSC Approved Scanning Vendor (ASV Name)
Part 3b. Merchant Attestation
Signature of Merchant Executive Officer: Date:
Merchant Executive Officer Name: Title:
Part 3c. QSA Acknowledgement (if applicable)
If a QSA was involved or assisted with this assessment, describe the role performed:
Signature of QSA: Date:
QSA Name: QSA Company:
Part 3d. ISA Acknowledgement (if applicable)
If an ISA was involved or assisted with this assessment, describe the role performed:
Signature of ISA: Date:
Added
p. 24
Check with your acquirer or the payment brand(s) before completing Part 4.
PCI DSS Requirement | Description of Requirement | Compliant to PCI DSS Requirements (Select One): YES / NO | Remediation Date and Actions (If “NO” selected for any Requirement)
3 | Protect stored cardholder data
4 | Encrypt transmission of cardholder data across open, public networks
7 | Restrict access to cardholder data by business need to know
9 | Restrict physical access to cardholder data
12 | Maintain a policy that addresses information security for all personnel
Modified
p. 1
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Imprint Machines or Stand-alone Dial-out Terminals Only, no Electronic Cardholder Data Storage Version 1.2
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Merchants with Only Imprint Machines or Only Standalone, Dial-out Terminals, No Electronic Cardholder Data Storage Version 3.0
Removed
p. 4
PCI Data Security Standard: Related Documents
The following documents were created to assist merchants and service providers in understanding the PCI Data Security Standard and the PCI DSS SAQ.
PCI Data Security Standard Requirements and Security Assessment Procedures | All merchants and service providers
Navigating PCI DSS: Understanding the Intent of the Requirements | All merchants and service providers
PCI Data Security Standard: Self-Assessment Guidelines and Instructions | All merchants and service providers
PCI Data Security Standard: Self-Assessment Questionnaire B and Attestation | Merchants [1]
PCI Data Security Standard: Self-Assessment Questionnaire C and Attestation | Merchants [1]
PCI Data Security Standard: Self-Assessment Questionnaire D and Attestation | Merchants [1] and all service providers
PCI Data Security Standard and Payment Application Data Security Standard Glossary of Terms, Abbreviations, and Acronyms | All merchants and service providers
[1] To determine the appropriate Self-Assessment Questionnaire, see PCI Data Security Standard: Self-Assessment Guidelines and Instructions, “Selecting the SAQ and Attestation That Best Apply To Your Organization.”
Modified
p. 4 → 10
Section 2: Self-Assessment Questionnaire B
Removed
p. 5
For Validation Type 2:
• Your company uses only imprint machines;
• Your company does not transmit cardholder data over either a phone line or the Internet;
• Your company retains only paper reports or paper copies of receipts; and
• Your company does not store cardholder data in electronic format.
For Validation Type 3:
• Your company uses only standalone, dial-out terminals (connected via a phone line to your processor);
• Your stand-alone dial-out terminals are not connected to any other systems or to the Internet;
• Your company retains only paper reports or paper copies of receipts; and
• Your company does not store cardholder data in electronic format.
Each section of the questionnaire focuses on a specific area of security, based on the requirements in the PCI Data Security Standard.
1. Complete the Self-Assessment Questionnaire (SAQ B) according to the instructions in the Self-Assessment Questionnaire Instructions and Guidelines.
2. Complete …
Modified
p. 5 → 4
PCI DSS Compliance: Completion Steps
PCI DSS Self-Assessment Completion Steps
Modified
p. 5 → 4
5. Submit the SAQ and Attestation of Compliance, along with any other requested documentation (such as ASV scan reports) to your acquirer, payment brand or other requester.
Removed
p. 6
Part 2a. Type of merchant business (check all that apply):
List facilities and locations included in PCI DSS review:
Part 2b. Relationships
Does your company have a relationship with one or more third-party service providers (for example, gateways, web-hosting companies, airline booking agents, loyalty program agents, etc)? Yes / No
Does your company have a relationship with more than one acquirer? Yes / No
Part 2c. Transaction Processing
Payment Application in use: Payment Application Version:
Modified
p. 6 → 7
Part 1. Qualified Security Assessor Company Information (if applicable) Company Name:
Part 1b. Qualified Security Assessor Company Information (if applicable) Company Name:
Modified
p. 6 → 7
Lead QSA Contact Name:
Lead QSA Contact Name: Title:
Modified
p. 6 → 7
Business Address City:
Business Address: City:
Modified
p. 6 → 7
Business Address City:
Business Address: City:
Modified
p. 6 → 7
State/Province: Country: ZIP:
State/Province: Country: Zip:
Modified
p. 6 → 7
State/Province: Country: ZIP:
State/Province: Country: Zip:
Modified
p. 6 → 7
Part 2. Merchant Organization Information Company Name: DBA(S):
Part 1. Merchant and Qualified Security Assessor Information Part 1a. Merchant Organization Information Company Name: DBA (doing business as):
Modified
p. 6 → 7
Retailer Telecommunication Grocery and Supermarkets Petroleum E-Commerce Mail/Telephone-Order Others (please specify):
Part 2. Executive Summary Part 2a. Type of Merchant Business (check all that apply) Retailer Telecommunication Grocery and Supermarkets Petroleum E-Commerce Mail order/telephone order (MOTO) Others (please specify):
Removed
p. 7
Part 3. PCI DSS Validation
Based on the results noted in the SAQ B dated (completion date), (Merchant Company Name) asserts the following compliance status (check one):
Compliant: All sections of the PCI SAQ are complete, and all questions answered “yes,” resulting in an overall COMPLIANT rating, thereby (Merchant Company Name) has demonstrated full compliance with the PCI DSS.
Non-Compliant: Not all sections of the PCI SAQ are complete, or some questions are answered “no,” resulting in an overall NON-COMPLIANT rating, thereby (Merchant Company Name) has not demonstrated full compliance with the PCI DSS.
An entity submitting this form with a status of Non-Compliant may be required to complete the Action Plan in Part 4 of this document. Check with your acquirer or the payment brand(s) before completing Part 4, since not all payment brands require this section.
Part 3a. Confirmation of Compliant Status
Merchant confirms:
All information within the above-referenced SAQ and in this …
Modified
p. 7 → 9
Merchant uses only an imprint machine to imprint customers’ payment card information and does not transmit cardholder data over either a phone line or the Internet; B. Merchant uses only standalone, dial-up terminals; and the standalone, dial-up terminals are not connected to the Internet or any other systems within the merchant environment; Merchant does not store cardholder data in electronic format; and If Merchant does store cardholder data, such data is only paper reports or copies of paper receipts and …
Merchant uses only an imprint machine to imprint customers’ payment card information and does not transmit cardholder data over either a phone line or the Internet; and/or Merchant uses only standalone, dial-out terminals (connected via a phone line to your processor); and the standalone, dial-out terminals are not connected to the Internet or any other systems within the merchant environment; Merchant does not transmit cardholder data over a network (either an internal network or the Internet); Merchant does not store …
Removed
p. 9
PCI DSS Requirement | Description of Requirement | Compliance Status (Select One): YES / NO | Remediation Date and Actions (if Compliance Status is “NO”)
3 | Protect stored cardholder data
4 | Encrypt transmission of cardholder data across open, public networks
7 | Restrict access to cardholder data by business need to know
9 | Restrict physical access to cardholder data
12 | Maintain a policy that addresses information security
Requirement 3: Protect stored cardholder data
Question | Response: Yes / No / Special
3.2 Do all systems adhere to the following requirements regarding storage of sensitive authentication data after authorization (even if encrypted)?
3.2.1 Do not store the full contents of any track from the magnetic stripe (located on the back of a card, contained in a chip, or elsewhere). This data is alternatively called full track, track, track 1, track 2, and magnetic-stripe data. In the normal course of business, the following data elements from the magnetic stripe may …
Removed
p. 10
This requirement does not apply to employees and other parties with a specific need to see the full PAN; This requirement does not supersede stricter requirements in place for displays of cardholder data, for example, for point-of-sale (POS) receipts.
“Not Applicable” (N/A) or “Compensating Control Used.” Organizations using this section must complete the Compensating Control Worksheet or Explanation of Non-Applicability Worksheet, as appropriate, in the Appendix.
Modified
p. 10
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Modified
p. 10
The cardholder’s name, Primary account number (PAN), Expiration date, and Service code.
To minimize risk, store only these data elements as needed for business.
Removed
p. 11
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Question | Response: Yes / No / Special
4.2 Are policies, procedures, and practices in place to preclude the sending of unencrypted PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat)?
“Not Applicable” (N/A) or “Compensating Control Used.” Organizations using this section must complete the Compensating Control Worksheet or Explanation of Non-Applicability Worksheet, as appropriate, in the Appendix. 6.
Modified
p. 12
Requirement 7: Restrict access to cardholder data by business need-to-know
Question | Response: Yes / No / Special
7.1 Is access to system components and cardholder data limited to only those individuals whose jobs require such access?
Requirement 7: Restrict access to cardholder data by business need to know
Modified
p. 12 → 13
Requirement 9: Restrict physical access to cardholder data
Question | Response: Yes / No / Special*
9.6 Are all paper and electronic media that contain cardholder data physically secure?
Requirement 9: Restrict physical access to cardholder data
Removed
p. 13
“Not Applicable” (N/A) or “Compensating Control Used.” Organizations using this section must complete the Compensating Control Worksheet or Explanation of Non-Applicability Worksheet, as appropriate, in the Appendix. 6.
Includes a review at least once a year and updates when the environment changes?
Modified
p. 13 → 16
Requirement 12: Maintain a policy that addresses information security for employees and contractors
Question | Response: Yes / No / Special
12.1 Is a security policy established, published, maintained, and disseminated, and does it accomplish the following:
Requirement 12: Maintain a policy that addresses information security for all personnel
Removed
p. 15
1. Meet the intent and rigor of the original PCI DSS requirement.
2. Provide a similar level of defense as the original PCI DSS requirement, such that the compensating control sufficiently offsets the risk that the original PCI DSS requirement was designed to defend against. (See Navigating PCI DSS for the intent of each PCI DSS requirement.)
3. Be “above and beyond” other PCI DSS requirements. (Simply being in compliance with other PCI DSS requirements is not a compensating control.) When evaluating “above and beyond” for compensating controls, consider the following:
Note: The items at a) through c) below are intended as examples only. All compensating controls must be reviewed and validated for sufficiency by the assessor who conducts the PCI DSS review. The effectiveness of a compensating control is dependent on the specifics of the environment in which the control is implemented, the surrounding security controls, and the configuration of the …
Modified
p. 16 → 20
Note: Only companies that have undertaken a risk analysis and have legitimate technological or documented business constraints can consider the use of compensating controls to achieve compliance.
Requirement Number and Definition:
Note: Only companies that have undertaken a risk analysis and have legitimate technological or documented business constraints can consider the use of compensating controls to achieve compliance.
Removed
p. 17
Requirement Number: 8.1: Are all users identified with a unique user name before allowing them to access system components or cardholder data?
Information Required | Explanation
1. Constraints List constraints precluding compliance with the original requirement.
Company XYZ employs stand-alone Unix Servers without LDAP. As such, they each require a “root” login. It is not possible for Company XYZ to manage the “root” login nor is it feasible to log all “root” activity by each user.
2. Objective Define the objective of the original control; identify the objective met by the compensating control.
The objective of requiring unique logins is twofold. First, it is not considered acceptable from a security perspective to share login credentials. Secondly, having shared logins makes it impossible to state definitively that a person is responsible for a particular action.
3. Identified Risk Identify any additional risk posed by the lack of the original control.
Additional risk is introduced to the access control system …
Modified
p. 18 → 21
Requirement | Reason Requirement is Not Applicable
Example: 12.8 | Cardholder data is never shared with service providers.
Requirement | Reason Requirement is Not Applicable
3.4 | Cardholder data is never stored electronically