Document Comparison: SAQ_P2PE-HW_v3.pdf → PCI_DSS_v3-1_SAQ_P2PE_rev1-1.pdf
93% similar
Pages: 26 → 26
Words: 6265 → 6419
Content changes: 32
Content Changes
32 content changes. 20 administrative changes (dates, page numbers) hidden.
Added
p. 2
Removed “HW” from SAQ title, as may be used by merchants using either a HW/HW or HW/Hybrid P2PE solution.
July 2015 3.1 1.1 Updated to remove references to “best practices” prior to June 30, 2015.
All payment processing is via a validated PCI P2PE solution approved and listed by the PCI SSC; The only systems in the merchant environment that store, process or transmit account data are the Point of Interaction (POI) devices which are approved for use with the validated and PCI-listed P2PE solution; Your company does not otherwise receive or transmit cardholder data electronically.
There is no legacy storage of electronic cardholder data in the environment; If your company stores cardholder data, such data is only in paper reports or copies of paper receipts and is not received electronically, and Your company has implemented all controls in the P2PE Instruction Manual (PIM) provided by the …
Modified
p. 1
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire P2PE-HW and Attestation of Compliance Hardware Payment Terminals in a PCI-Listed P2PE Solution Only
• No Electronic Cardholder Data Storage Version 3.0
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire P2PE and Attestation of Compliance Merchants using Hardware Payment Terminals in a PCI SSC-Listed P2PE Solution Only
• No Electronic Cardholder Data Storage For use with PCI DSS Version 3.1 Revision 1.1
Removed
p. 4
Your company does not store, process, or transmit any cardholder data on any system or electronic media (for example, on computers, portable disks, or audio recordings) outside of the hardware payment terminal used as part of a validated PCI P2PE solution; Your company has confirmed that the implemented PCI P2PE solution is listed on the PCI SSC’s list of Validated Point-to-Point Encryption Solutions; If your company stores cardholder data, such data is only in paper reports or copies of paper receipts and is not received electronically, and Your company has implemented all controls in the P2PE Instruction Manual (PIM) provided by the P2PE Solution Provider.
Modified
p. 4
SAQ P2PE-HW merchants do not have access to clear-text cardholder data on any computer system and only enter account data via hardware payment terminals from a PCI SSC-approved P2PE solution. SAQ P2PE-HW merchants may be either brick-and-mortar (card-present) or mail/telephone-order (card-not- present) merchants. For example, a mail/telephone-order merchant could be eligible for SAQ P2PE if they receive cardholder data on paper or over a telephone, and key it directly and only into a validated P2PE hardware device.
SAQ P2PE merchants do not have access to clear-text cardholder data on any computer system and only enter account data via hardware payment terminals from a PCI SSC-approved P2PE solution. SAQ P2PE merchants may be either brick-and-mortar (card-present) or mail/telephone-order (card-not-present) merchants. For example, a mail/telephone-order merchant could be eligible for SAQ P2PE if they receive cardholder data on paper or over a telephone, and key it directly and only into a validated P2PE hardware device.
Modified
p. 4
SAQ P2PE-HW merchants confirm that, for this payment channel:
SAQ P2PE merchants confirm that, for this payment channel:
Modified
p. 4
Section 1 (Part 1 & 2 of the AOC
• Assessment Information and Executive Summary) Section 2
• PCI DSS Self-Assessment Questionnaire (SAQP2PE-HW) Section 3 (Parts 3 & 4 of the AOC)
• Validation and Attestation Details, and Action Plan for Non-Compliant Requirements (if applicable)
Section 1 (Part 1 & 2 of the AOC
• Assessment Information and Executive Summary) Section 2
• PCI DSS Self-Assessment Questionnaire (SAQ P2PE) Section 3 (Parts 3 & 4 of the AOC)
• Validation and Attestation Details, and Action Plan for Non-Compliant Requirements (if applicable)
Modified
p. 8
Type of facility Location(s) of facility (city, country) Part 2d. P2PE Solution Provide the following information regarding the validated P2PE solution your organization uses:
Type of facility Number of facilities of this type Location(s) of facility (city, country) Example: Retail outlets 3 Boston, MA, USA Part 2d. P2PE Solution Provide the following information regarding the validated PCI P2PE solution your organization uses:
Modified
p. 8
PCI SSC Reference Number Listed P2PE Devices used by Merchant:
PCI SSC Reference Number Listed P2PE POI Devices used by Merchant (PTS Device Dependencies):
Modified
p. 9
Part 2g. Eligibility to Complete SAQ P2PE-HW Merchant certifies eligibility to complete this shortened version of the Self-Assessment Questionnaire because, for this payment channel:
Part 2g. Eligibility to Complete SAQ P2PE Merchant certifies eligibility to complete this shortened version of the Self-Assessment Questionnaire because, for this payment channel:
Modified
p. 9
All payment processing is via the validated P2PE solution approved by the PCI SSC (per above).
All payment processing is via the validated PCI P2PE solution approved and listed by the PCI SSC (per above).
Modified
p. 10
Section 2: Self-Assessment Questionnaire P2PE-HW
Section 2: Self-Assessment Questionnaire P2PE
Modified
p. 10
Note: The following questions are numbered according to the actual PCI DSS requirements and testing procedures, as defined in the PCI DSS Requirements and Security Assessment Procedures document. As only a subset of PCI DSS requirements are provided in this SAQ P2PE-HW, the numbering of these questions may not be consecutive.
Note: The following questions are numbered according to the actual PCI DSS requirements and testing procedures, as defined in the PCI DSS Requirements and Security Assessment Procedures document. As only a subset of PCI DSS requirements are provided in this SAQ P2PE, the numbering of these questions may not be consecutive.
Modified
p. 10
Note: Requirement 3 applies only to SAQ P2PE-HW merchants that have paper records (for example, receipts, printed reports, etc.) with account data, including primary account numbers (PANs).
Note: Requirement 3 applies only to SAQ P2PE merchants that have paper records (for example, receipts, printed reports, etc.) with account data, including primary account numbers (PANs).
Modified
p. 10
(a) Is data storage amount and retention time limited to that required for legal, regulatory, and business requirements?
(a) Is data storage amount and retention time limited to that required for legal, regulatory, and/or business requirements?
Modified
p. 10
Review data retention and disposal policies and procedures Interview personnel (b) Are there defined processes in place for securely deleting cardholder data when no longer needed for legal, regulatory, or business reasons? Review policies and procedures Interview personnel Examine deletion mechanism (c) Are there specific retention requirements for cardholder data? For example, cardholder data needs to be held for X period for Y business reasons.
Review data retention and disposal policies and procedures Interview personnel (b) Are there defined processes in place for securely deleting cardholder data when no longer needed for legal, regulatory, and/or business reasons? Review policies and procedures Interview personnel Examine deletion mechanism (c) Are there specific retention requirements for cardholder data? For example, cardholder data needs to be held for X period for Y business reasons.
Modified
p. 10
Review policies and procedures Interview personnel Examine retention requirements
Review policies and procedures Interview personnel Examine retention requirements (d) Is there a quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention requirements? Review policies and procedures Interview personnel Observe deletion processes
Removed
p. 11
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A (d) Is there a quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention requirements?
Modified
p. 11
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A (e) Does all stored cardholder data meet the requirements defined in the data-retention policy? Examine files and system records Guidance: “Yes” answers for requirements at 3.1 mean that if a merchant stores any paper (for example, receipts or paper reports) that contain account data, the merchant only stores the paper as long as it is needed for business, legal, and/or regulatory reasons and destroys …
Modified
p. 13
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 4.2 (b) Are policies in place that state that unprotected PANs are not to be sent via end-user messaging technologies? Review policies and procedures Guidance: A “Yes” answer to Requirement 4.2 means that the merchant has a written document or policy for employees, so they know they cannot use e-mail, instant messaging or chat (or other end-user messaging technologies) to send PANs, for example, …
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 4.2 (b) Are policies in place that state that unprotected PANs are not to be sent via end-user messaging technologies? Review policies and procedures Guidance: A “Yes” answer to Requirement 4.2 means that the merchant has a written document or policy for employees, so they know they cannot use e- mail, instant messaging or chat (or other end-user messaging technologies) to send PANs, for …
Modified
p. 14
Note: Requirements 9.6 and 9.8 apply only to SAQ P2PE-HW merchants that have paper records (for example, receipts, printed reports, etc.) with account data, including primary account numbers (PANs).
Note: Requirements 9.5 and 9.8 apply only to SAQ P2PE merchants that have paper records (for example, receipts, printed reports, etc.) with account data, including primary account numbers (PANs).
Modified
p. 14
Review periodic media destruction policies and procedures Interview personnel Observe processes (c) Are storage containers used for materials that contain information to be destroyed secured to prevent access to the contents? Review periodic media destruction policies and procedures Examine security of storage containers Guidance: “Yes” answers for requirements at 9.5 and 9.8 mean that the merchant securely stores any paper with account data, for example by storing them in a locked drawer, cabinet, or safe, …
Review periodic media destruction policies and procedures Interview personnel Observe processes (b) Are storage containers used for materials that contain information to be destroyed secured to prevent access to the contents? Review periodic media destruction policies and procedures Examine security of storage containers Guidance: “Yes” answers for requirements at 9.5 and 9.8 mean that the merchant securely stores any paper with account data, for example by storing them in a locked drawer, cabinet, or safe, …
Removed
p. 15
Note: Requirement 9.9 is a best practice until June 30, 2015, after which it becomes a requirement.
Modified
p. 15
(a) Do policies and procedures require that a list of such devices maintained?
(a) Do policies and procedures require that a list of such devices be maintained?
Modified
p. 15
Make, model of device Location of device (for example, the address of the site or facility where the device is located) Device serial number or other method of unique identification Examine the list of devices (b) Is the list accurate and up to date? Observe device locations and compare to (c) Is the list of devices updated when devices are added, relocated, decommissioned, etc.? Interview personnel
Make, model of device Location of device (for example, the address of the site or facility where the device is located) Device serial number or other method of unique identification Examine the list of devices (b) Is the list accurate and up to date? Observe devices and device locations and compare to list (c) Is the list of devices updated when devices are added, relocated, decommissioned, etc.? Interview personnel
Modified
p. 18
Review the information security policy 12.1.1 Is the security policy reviewed at least annually and updated when the environment changes? Review the information security policy Interview responsible personnel Guidance: “Yes” answers for requirements at 12.1 mean that the merchant has a security policy that is reasonable for the size and complexity of the merchant’s operations, and that the policy is reviewed annually and updated if needed. For example, such a policy could be a simple document that …
Review the information security 12.1.1 Is the security policy reviewed at least annually and updated when the environment changes? Review the information security Interview responsible personnel Guidance: “Yes” answers for requirements at 12.1 mean that the merchant has a security policy that is reasonable for the size and complexity of the merchant’s operations, and that the policy is reviewed annually and updated if needed. For example, such a policy could be a simple document that covers how …
Modified
p. 24
Section 3: Validation and Attestation Details Part 3. PCI DSS Validation Based on the results noted in the SAQ P2PE-HW dated (completion date), the signatories identified in Parts 3b-3d, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document as of (date) (check one):
Section 3: Validation and Attestation Details Part 3. PCI DSS Validation Based on the results noted in the SAQ P2PE dated (completion date), the signatories identified in Parts 3b-3d, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document as of (date) (check one):
Modified
p. 24
Compliant: All sections of the PCI DSS SAQ P2PE-HW are complete, and all questions answered affirmatively, resulting in an overall COMPLIANT rating, thereby (Merchant Company Name) has demonstrated full compliance with the PCI DSS.
Compliant: All sections of the PCI DSS SAQ P2PE are complete, and all questions answered affirmatively, resulting in an overall COMPLIANT rating, thereby (Merchant Company Name) has demonstrated full compliance with the PCI DSS.
Modified
p. 24
Non-Compliant: Not all sections of the PCI DSS SAQ P2PE-HW are complete, or not all questions are answered affirmatively, resulting in an overall NON-COMPLIANT rating, thereby (Merchant Company Name) has not demonstrated full compliance with the PCI DSS.
Non-Compliant: Not all sections of the PCI DSS SAQ P2PE are complete, or not all questions are answered affirmatively, resulting in an overall NON-COMPLIANT rating, thereby (Merchant Company Name) has not demonstrated full compliance with the PCI DSS.
Modified
p. 24
PCI DSS Self-Assessment Questionnaire P2PE-HW, Version (version of SAQ), was completed according to the instructions therein.
PCI DSS Self-Assessment Questionnaire P2PE, Version (version of SAQ), was completed according to the instructions therein.
Modified
p. 25
Signature of QSA Date:
Signature of Duly Authorized Officer of QSA Company Date:
Modified
p. 25
Duly Authorized Officer Name: QSA Company:
Modified
p. 26
PCI DSS Requirement Description of Requirement Compliance to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO 3 Protect stored cardholder data 4 Encrypt transmission of cardholder data across open, public networks 9 Restrict physical access to cardholder data Maintain a policy that addresses information security for all personnel
PCI DSS Requirement* Description of Requirement Compliance to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO 3 Protect stored cardholder data Encrypt transmission of cardholder data across open, public networks 9 Restrict physical access to cardholder data Maintain a policy that addresses information security for all personnel * PCI DSS Requirements indicated here refer to the questions in Section 2 of the SAQ.