PCI Watch

Tracking changes across the Payment Card Industry

Document Comparison

PCI-DSS-v3-2-1-SAQ-C-r2.pdf PCI-DSS-v4-0-SAQ-C-r1.pdf
28% similar
52 → 77 Pages
12417 → 19940 Words
252 Content Changes

Content Changes

252 content changes. 67 administrative changes (dates, page numbers) hidden.

Added p. 2
December 2022 4.0 1 Removed “In Place with Remediation” as a reporting option from Requirement Responses table, Attestation of Compliance (AOC) Part 2g, SAQ Section 2 Response column, and AOC Section 3. Also removed former Appendix C.

Added “In Place with CCW” to AOC Section 3.

Added guidance for responding to future-dated requirements.

Added minor clarifications and addressed typographical errors.
Added p. 4
This SAQ is not applicable to service providers.

 The merchant has a payment application system and an Internet connection on the same device and/or same local area network (LAN);  The payment application system is not connected to any other systems within the merchant environment (this can be achieved via network segmentation to isolate payment application system/Internet device from all other systems);  The physical location of the POS environment is not connected to other premises or locations, and any LAN is for a single store only;  The merchant does not store account data in electronic format, and  Any account data the merchant might retain is on paper (for example, printed reports or receipts), and these documents are not received electronically.
Added p. 5
PCI DSS is intended for all entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD) or could impact the security of the cardholder data environment (CDE). Cardholder data and sensitive authentication data are considered account data and are defined as follows:

Account Data Cardholder Data includes: Sensitive Authentication Data includes:

• Full track data (magnetic-stripe data or equivalent on a chip)

• Card verification code

• PINs/PIN blocks Refer to PCI DSS Section 2, PCI DSS Applicability Information, for further details.

1. Confirm by review of the eligibility criteria in this SAQ and the Self-Assessment Questionnaire Instructions and Guidelines document on the PCI SSC website that this is the correct SAQ for the merchant’s environment.

2. Confirm that the merchant environment is properly scoped.

 Section 1: Assessment Information (Parts 1 & 2 of the Attestation of Compliance (AOC)

• Contact Information and Executive Summary).

 Section 2: Self-Assessment Questionnaire C.

The intent behind each …
Added p. 6
The testing methods are intended to allow the merchant to demonstrate how it has met a requirement. The specific items to be examined or observed and personnel to be interviewed should be appropriate for both the requirement being assessed and the merchant’s particular implementation.

Full details of testing procedures for each requirement can be found in PCI DSS.

Requirement Responses For each requirement item, there is a choice of responses to indicate the entity’s status regarding that requirement. Only one response should be selected for each requirement item.

Not Tested This response is not applicable to, and not included as an option for, this SAQ.

This SAQ was created for a specific type of environment based on how the merchant stores, processes, and/or transmits account data and defines the specific PCI DSS requirements that apply for this environment. Consequently, all requirements in this SAQ must be tested.

This response is also used if a requirement …
Added p. 7
For each response where Not Applicable is selected in this SAQ, complete Appendix C: Explanation of Requirements Noted as Not Applicable.
Added p. 7
Note: A legal restriction is one where meeting the PCI DSS requirement would violate a local or regional law or regulation.

Contractual obligations or legal advice are not legal restrictions.

Use of the Customized Approach SAQs cannot be used to document use of the Customized Approach to meet PCI DSS requirements. For this reason, the Customized Approach Objectives are not included in SAQs. Entities wishing to validate using the Customized Approach may be able to use the PCI DSS Report on Compliance (ROC) Template to document the results of their assessment.

The use of the customized approach may be regulated by organizations that manage compliance programs, such as payment brands and acquirers. Questions about use of a customized approach should always be referred to those organizations. This includes whether an entity that is eligible for an SAQ may instead complete a ROC to use a customized approach, and whether an entity is required …
Added p. 8
PCI Data Security Standard Requirements and Testing Procedures (PCI DSS)  Guidance on Scoping  Guidance on the intent of all PCI DSS Requirements  Details of testing procedures  Guidance on Compensating Controls  Appendix G: Glossary of Terms, Abbreviations, and Acronyms SAQ Instructions and Guidelines  Information about all SAQs and their eligibility criteria  How to determine which SAQ is right for your organization Frequently Asked Questions (FAQs)  Guidance and information about SAQs.

Online PCI DSS Glossary  PCI DSS Terms, Abbreviations, and Acronyms Information Supplements and Guidelines  Guidance on a variety of PCI DSS topics including:

− Understanding PCI DSS Scoping and Network Segmentation − Third-Party Security Assurance − Multi-Factor Authentication Guidance − Best Practices for Maintaining PCI DSS Compliance Getting Started with PCI  Resources for smaller merchants including:

− Guide to Safe Payments − Common Payment Systems − Questions to Ask Your Vendors − Glossary …
Added p. 10
Indicate all payment channels used by the business that are included in this assessment.

Mail order/telephone order (MOTO) E-Commerce Card-present Are any payment channels not included in this assessment? If yes, indicate which channel(s) is not included in the assessment and provide a brief explanation about why the channel was excluded.

Part 2b. Description of Role with Payment Cards For each payment channel included in this assessment as selected in Part 2a above, describe how the business stores, processes and/or transmits account data.

Channel How Business Stores, Processes, and/or Transmits Account Data Part 2c. Description of Payment Card Environment Provide a high-level description of the environment covered by this assessment. For example:

• Connections into and out of the cardholder data environment (CDE).

• Critical system components within the CDE, such as POI devices, databases, web servers, etc., and any other necessary payment components, as applicable.

• System components that could impact the security of account …
Added p. 11
Facility Type Total number of locations (How many locations of this type are in scope) Location(s) of facility (city, country) Example: Data centers 3 Boston, MA, USA Part 2e. PCI SSC Validated Products and Solutions Does the merchant use any item identified on any PCI SSC Lists of Validated Products and Solutions♦? Provide the following information regarding each item the merchant uses from PCI SSC’s Lists of Validated Products and Solutions.

Name of PCI SSC- validated Product or Version of Product or

PCI SSC Standard to which product or solution was

PCI SSC listing Expiry date of listing (YYYY-MM-DD) YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD ♦ For purposes of this document, ”Lists of Validated Products and Solutions” means the lists of validated products, solutions, and/or components appearing on the PCI SSC website (www.pcisecuritystandards.org)for example, 3DS Software Development Kits, Approved PTS Devices, Validated Payment Software, Payment Applications (PA-DSS), Point to …
Added p. 13
PCI DSS Requirement * Requirement Responses More than one response may be selected for a given requirement.

Indicate all responses that apply.

In Place In Place with CCW Not Applicable Not in Place

* PCI DSS Requirements indicated above refer to the requirements in Section 2 of this SAQ.

The merchant has a payment application system and an Internet connection on the same device and/or same local area network (LAN).

The payment application system is not connected to any other system within the merchant environment.

The physical location of the POS environment is not connected to other premises or locations, and any LAN is for a single location only.

Merchant does not store account data in electronic format.

Any account data the merchant might retain is on paper (for example, printed reports or receipts), and these documents are not received electronically.

PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW …
Added p. 15
• To only traffic that is necessary,

• All other traffic is specifically denied.

• All other traffic is specifically denied.

• Examine NSC configuration standards.

• Examine NSC configuration standards.
Added p. 15
• To only traffic that is necessary.
Added p. 15
• All wireless traffic from wireless networks into the CDE is denied by default.

• Only wireless traffic with an authorized business purpose is allowed into the CDE.

• Examine network diagrams.
Added p. 16
Requirement 2: Apply Secure Configurations to All System Components

PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 2.1 Processes and mechanisms for applying secure configurations to all system components are defined and understood.
Added p. 16
• Cover all system components.

• Address all known security vulnerabilities.

• Be consistent with industry-accepted system hardening standards or vendor hardening recommendations.

• Be updated as new vulnerability issues are identified, as defined in Requirement 6.3.1.

• Be applied when new systems are configured and verified as in place before or immediately after a system component is connected to a production environment.

• If the vendor default account(s) will be used, the default password is changed per Requirement 8.3.6.

• If the vendor default account(s) will not be used, the account is removed or disabled.
Added p. 17
• Observe a system administrator logging on using vendor default accounts.

• Examine configuration files.

Applicability Notes This applies to ALL vendor default accounts and passwords, including, but not limited to, those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, and Simple Network Management Protocol (SNMP) defaults. This requirement also applies where a system component is not installed within an entity’s environment, for example, software and applications that are part of the CDE and are accessed via a cloud subscription service.
Added p. 17
• Only one primary function exists on a system component, OR

• Primary functions with differing security levels that exist on the same system component are isolated from each other, OR

• Primary functions with differing security levels on the same system component are all secured to the level required by the function with the highest security need.
Added p. 18
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 2.2.5 If any insecure services, protocols, or daemons are present:

 Business justification is documented.  Additional security features are documented and implemented that reduce the risk of using insecure services, protocols, or daemons.

• Examine configuration standards.
Added p. 18
• Examine vendor documentation.

Applicability Notes This includes administrative access via browser-based interfaces and application programming interfaces (APIs).

PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 2.3 Wireless environments are configured and managed securely.
Added p. 19
• Default wireless encryption keys.

• Passwords on wireless access points.

• Any other security-related wireless vendor defaults.

Applicability Notes This includes, but is not limited to, default wireless encryption keys, passwords on wireless access points, SNMP defaults, and any other security-related wireless vendor defaults.

• Whenever personnel with knowledge of the key leave the company or the role for which the knowledge was necessary.

• Whenever a key is suspected of or known to be compromised.
Added p. 20
Requirement 3: Protect Stored Account Data

Note: For SAQ C, Requirement 3 applies only to merchants with paper records that include account data (for example, receipts or printed reports).

PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 3.1 Processes and mechanisms for protecting stored account data are defined and understood.
Added p. 20
Selection of any of the In Place responses for Requirement 3.1.1 means that, if the merchant has paper storage of account data, the merchant has policies and procedures in place that govern merchant activities for Requirement 3. This helps to ensure personnel are aware of and following security policies and documented operational procedures for managing the secure storage of any paper records with account data.

If merchant does not store paper records with account data, mark this requirement as Not Applicable and complete Appendix C: Explanation of Requirements Noted as Not Applicable.

♦ Refer to the “Requirement Responses” section (page v) for information about these response options

PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 3.3 Sensitive authentication data (SAD) is not stored after authorization.
Added p. 21
• Observe the secure data deletion processes.

Applicability Notes Part of this Applicability Note was intentionally removed for this SAQ as it does not apply to merchant assessments.

Sensitive authentication data includes the data cited in Requirements 3.3.1.2 through 3.3.1.3.
Added p. 21
• Examine data sources.

• Examine data sources.

Applicability Notes The card verification code is the three- or four-digit number printed on the front or back of a payment card used to verify card-not-present transactions.

Selection of any of the In Place responses for Requirement 3.3.1.2 means that if the merchant writes down the card verification code while a transaction is being conducted, the merchant either securely destroys the paper (for example, with a shredder) immediately after the transaction is complete, or obscures the code (for example, by “blacking it out” with a marker) before the paper is stored.

If the merchant never requests the three-digit or four-digit number printed on the front or back of a payment card (“card verification code”), mark this requirement as Not Applicable and complete Appendix C: Explanation of Requirements Noted as Not Applicable.
Added p. 21
Applicability Notes PIN blocks are encrypted during the natural course of transaction processes, but even if an entity encrypts the PIN block again, it is still not allowed to be stored after the completion of the authorization process.

PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 3.4 Access to displays of full PAN and ability to copy PAN is restricted.
Added p. 22
• Examine the documented list of roles that need access to more than the BIN and last four digits of the PAN (includes full PAN).

• Examine displays of PAN (for example, on screen, on paper receipts).

Applicability Notes This requirement does not supersede stricter requirements in place for displays of cardholder data•for example, legal or payment brand requirements for point-of-sale (POS) receipts.

This requirement relates to protection of PAN where it is displayed on screens, paper receipts, printouts, etc., and is not to be confused with Requirement 3.5.1 for protection of PAN when stored, processed, or transmitted.

Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks

PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 4.2 PAN is protected with strong cryptography during transmission.
Added p. 23
• Only trusted keys and certificates are accepted.

• Examine cardholder data transmissions.

• Certificates used to safeguard PAN during transmission over open, public networks are confirmed as valid and are not expired or revoked. This bullet is a best practice until its effective date; refer to Applicability Notes below for details.

• The protocol in use supports only secure versions or configurations and does not support fallback to, or use of insecure versions, algorithms, key sizes, or implementations.

• The encryption strength is appropriate for the encryption methodology in use.

Applicability Notes (continued) ♦ Refer to the “Requirement Responses” section (page v) for information about these response options.

PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 4.2.1 (cont.) There could be occurrences where an entity receives cardholder data unsolicited via an insecure communication channel that was not intended for the …
Added p. 24
Applicability Notes This requirement also applies if a customer, or other third-party, requests that PAN is sent to them via end-user messaging technologies.

There could be occurrences where an entity receives unsolicited cardholder data via an insecure communication channel that was not intended for transmissions of sensitive data. In this situation, the entity can choose to either include the channel in the scope of their CDE and secure it according to PCI DSS or delete the cardholder data and implement measures to prevent the channel from being used for cardholder data.

• Examine vendor documentation.

Requirement 5: Protect All Systems and Networks from Malicious Software

PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 5.1 Processes and mechanisms for protecting all systems and networks from malicious software are defined and understood.

Selection of any of the In Place responses for Requirement …
Added p. 25
• Examine the periodic evaluations.
Added p. 25
• Detects all known types of malware.

• Removes, blocks, or contains all known types of malware.

PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 5.2.3 Any system components that are not at risk for malware are evaluated periodically to include the following:

• A documented list of all system components not at risk for malware.

• Identification and evaluation of evolving malware threats for those system components.

• Confirmation whether such system components continue to not require anti-malware protection.

• Examine the list of system components not at risk for malware and compare against the system components without an anti- malware solution deployed.

Applicability Notes System components covered by this requirement are those for which there is no anti-malware solution deployed per Requirement 5.2.1.
Added p. 26
• Examine documented results of periodic evaluations.
Added p. 26
• Examine anti-malware solution(s) configurations, including any master installation.

• Examine system components and logs.

• Examine anti-malware solution(s) configurations, including any master installation.

PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 5.3.2 The anti-malware solution(s):

• Performs periodic scans and active or real-time scans OR

• Performs continuous behavioral analysis of systems or processes.

• Examine logs and scan results.

• Examine logs and scan results.
Added p. 27
• Examine documented results of periodic malware scans.

Applicability Notes This requirement applies to entities conducting periodic malware scans to meet Requirement 5.3.2.
Added p. 27
• Performs automatic scans of when the media is inserted, connected, or logically mounted, OR

• Performs continuous behavioral analysis of systems or processes when the media is inserted, connected, or logically mounted.

• Examine anti-malware solution(s) configurations.

• Examine anti-malware solution(s) configurations.

• Examine system components with removable electronic media.
Added p. 28
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 5.3.5 Anti-malware mechanisms cannot be disabled or altered by users, unless specifically documented, and authorized by management on a case-by-case basis for a limited time period.

• Examine anti-malware configurations.

Applicability Notes Anti-malware solutions may be temporarily disabled only if there is a legitimate technical need, as authorized by management on a case-by-case basis. If anti-malware protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period during which anti-malware protection is not active.
Added p. 28
• Observe implemented processes.

• Examine mechanisms.

Applicability Notes This requirement applies to the automated mechanism. It is not intended that the systems and services providing such automated mechanisms (such as e-mail servers) are brought into scope for PCI DSS.

The focus of this requirement is on protecting personnel with access to system components in- scope for PCI DSS.

Meeting this requirement for technical and automated controls to detect and protect personnel against phishing is not the same as Requirement 12.6.3.1 for security awareness training. Meeting this requirement does not also meet the requirement for providing personnel with security awareness training, and vice versa.

Applicability Notes (continued) ♦ Refer to the “Requirement Responses” section (page v) for information about these response options.

Requirement 6: Develop and Maintain Secure Systems and Software

PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 6.2 Bespoke and …
Added p. 29
• Based on industry standards and/or best practices for secure development.
Added p. 29
Applicability Notes This applies to all software developed for or by the entity for the entity’s own use. This includes both bespoke and custom software. This does not apply to third-party software.
Added p. 29
• On software security relevant to their job function and development languages.

• Including secure software design and secure coding techniques.

• Including, if security testing tools are used, how to use the tools for detecting vulnerabilities in software.

• Examine training records.

PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 6.2.2 (cont.) Software development personnel remain knowledgeable about secure development practices; software security; and attacks against the languages, frameworks, or applications they develop. Personnel are able to access assistance and guidance when required.

If manual code reviews are performed for bespoke and custom software prior to release to production, code changes are:

• Reviewed by individuals other than the originating code author, and who are knowledgeable about code- review techniques and secure coding practices.

• Reviewed and approved by management prior to release.

• Examine evidence of changes to bespoke and custom …
Added p. 31
• Interview responsible software development personnel.

• Attacks on data and data structures, including attempts to manipulate buffers, pointers, input data, or shared data.

• Attacks on cryptography usage, including attempts to exploit weak, insecure, or inappropriate cryptographic implementations, algorithms, cipher suites, or modes of operation.

• Attacks on business logic, including attempts to abuse or bypass application features and functionalities through the manipulation of APIs, communication protocols and channels, client-side functionality, or other system/application functions and resources. This includes cross-site scripting (XSS) and cross-site request forgery (CSRF).

• Attacks on access control mechanisms, including attempts to bypass or abuse identification, authentication, or authorization mechanisms, or attempts to exploit weaknesses in the implementation of such mechanisms.

• Attacks via any “high-risk” vulnerabilities identified in the vulnerability identification process, as defined in Requirement 6.3.1.

PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place …
Added p. 32
• New security vulnerabilities are identified using industry-recognized sources for security vulnerability information, including alerts from international and national computer emergency response teams (CERTs).

• Vulnerabilities are assigned a risk ranking based on industry best practices and consideration of potential impact.

• Risk rankings identify, at a minimum, all vulnerabilities considered to be a high-risk or critical to the environment.

• Vulnerabilities for bespoke and custom, and third- party software (for example operating systems and databases) are covered.

Applicability Notes This requirement is not achieved by, nor is it the same as, vulnerability scans performed for Requirements 11.3.1 and 11.3.2. This requirement is for a process to actively monitor industry sources for vulnerability information and for the entity to determine the risk ranking to be associated with each vulnerability.
Added p. 32
• Critical or high-security patches/updates (identified according to the risk ranking process at Requirement 6.3.1) are installed within one month of release.

• Examine system components and related software.

PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 6.5.1 Changes to all system components in the production environment are made according to established procedures that include:

• Reason for, and description of, the change.

• Documentation of security impact.

• Documented change approval by authorized parties.

• Testing to verify that the change does not adversely impact system security.

• For bespoke and custom software changes, all updates are tested for compliance with Requirement 6.2.4 before being deployed into production.

• Procedures to address failures and return to a secure state.

• Examine documented change control procedures.

• Examine recent changes to system components and trace changes to change control documentation.

• Examine change control documentation.
Added p. 33
• Examine documentation for significant changes.

• Observe the affected systems/networks.

Applicability Notes This Applicability Note was intentionally removed as it does not apply to this SAQ.
Added p. 34
Requirement 7: Restrict Access to System Components and Cardholder Data by Business Need to Know

PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 7.2 Access to system components and data is appropriately defined and assigned.
Added p. 34
• Job classification and function.

• Least privileges necessary to perform job responsibilities.

• Examine user access settings, including for privileged users.

• Interview responsible management personnel.

• Interview personnel responsible for assigning access.
Added p. 34
• Examine user IDs and assigned privileges.

• Examine documented approvals.

PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 7.2.4 All user accounts and related access privileges, including third-party/vendor accounts, are reviewed as follows:

• At least once every six months.

• To ensure user accounts and access remain appropriate based on job function.

• Any inappropriate access is addressed.

• Management acknowledges that access remains appropriate.

• Examine documented results of periodic reviews of user accounts.

Applicability Notes This requirement applies to all user accounts and related access privileges, including those used by personnel and third parties/vendors, and accounts used to access third-party cloud services.

See Requirements 7.2.5 and 7.2.5.1 and 8.6.1 through 8.6.3 for controls for application and system accounts.
Added p. 35
• Based on the least privileges necessary for the operability of the system or application.

• Access is limited to the systems, applications, or processes that specifically require their use.

• Examine privileges associated with system and application accounts.

Selection of any of the In Place responses for Requirement 8.1.1 means that the merchant has policies and procedures in place that govern merchant activities for Requirement 8.

Requirement 8: Identify Users and Authenticate Access to System Components

PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 8.1 Processes and mechanisms for identifying users and authenticating access to system components are defined and understood.
Added p. 36
• Examine audit logs and other evidence.
Added p. 37
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 8.2.2 Group, shared, or generic accounts, or other shared authentication credentials are only used when necessary on an exception basis, and are managed as follows:

• Account use is prevented unless needed for an exceptional circumstance.

• Use is limited to the time needed for the exceptional circumstance.

• Business justification for use is documented.

• Use is explicitly approved by management.

• Individual user identity is confirmed before access to an account is granted.

• Every action taken is attributable to an individual user.

• Examine user account lists on system components and applicable documentation.

• Examine authentication policies and procedures.

• Interview system administrators.
Added p. 37
• Authorized with the appropriate approval.

• Implemented with only the privileges specified on the documented approval.

• Examine documented authorizations across various phases of the account lifecycle (additions, modifications, and deletions).

• Examine system settings.

Applicability Notes This requirement applies to all user accounts, including employees, contractors, consultants, temporary workers, and third-party vendors.
Added p. 37
• Examine information sources for terminated users.

• Review current user access lists.

PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 8.2.6 Inactive user accounts are removed or disabled within 90 days of inactivity.

• Examine user accounts and last logon information.
Added p. 38
• Enabled only during the time period needed and disabled when not in use.

• Use is monitored for unexpected activity.

• Examine documentation for managing accounts.
Added p. 38
Applicability Notes This requirement is not intended to apply to user accounts on point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction (such as IDs used by cashiers on point-of-sale terminals).

This requirement is not meant to prevent legitimate activities from being performed while the console/PC is unattended.

Applicability Notes This requirement is not intended to apply to user accounts on point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction (such as IDs used by cashiers on point-of-sale terminals).

PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 8.3 Strong authentication for users and administrators is established and managed.
Added p. 39
• Something you know, such as a password or passphrase.

• Something you have, such as a token device or smart card.

• Something you are, such as a biometric element.

• Examine documentation describing the authentication factor(s) used.

• For each type of authentication factor used with each type of system component, observe the authentication process.

This requirement does not supersede multi-factor authentication (MFA) requirements but applies to those in-scope systems not otherwise subject to MFA requirements.

A digital certificate is a valid option for “something you have” if it is unique for a particular user.
Added p. 39
• Examine vendor documentation

• Examine repositories of authentication factors.

• Examine data transmissions.
Added p. 39
• Examine procedures for modifying authentication factors.

PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 8.3.4 Invalid authentication attempts are limited by:

• Locking out the user ID after not more than 10 attempts.

• Setting the lockout duration to a minimum of 30 minutes or until the user’s identity is confirmed.
Added p. 40
• Set to a unique value for first-time use and upon reset.

• Forced to be changed immediately after the first use.

• Examine procedures for setting and resetting passwords/passphrases.
Added p. 40
• A minimum length of 12 characters (or IF the system does not support 12 characters, a minimum length of eight characters).

• Contain both numeric and alphabetic characters.

Applicability Notes This requirement is not intended to apply to:

• User accounts on point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction (such as IDs used by cashiers on point-of-sale terminals).

• Application or system accounts, which are governed by requirements in section 8.6. This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
Added p. 41
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 8.3.7 Individuals are not allowed to submit a new password/passphrase that is the same as any of the last four passwords/passphrases used.
Added p. 41
• Guidance on selecting strong authentication factors.

• Guidance for how users should protect their authentication factors.

• Instructions not to reuse previously used passwords/passphrases.

• Instructions to change passwords/passphrases if there is any suspicion or knowledge that the password/passphrases have been compromised and how to report the incident.

• Examine procedures.

• Review authentication policies and procedures that are distributed to users.

PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 8.3.9 If passwords/passphrases are used as the only authentication factor for user access (i.e., in any single-factor authentication implementation) then either:

• Passwords/passphrases are changed at least once every 90 days,

• The security posture of accounts is dynamically analyzed, and real-time access to resources is automatically determined accordingly.

• Inspect system configuration settings.

Applicability Notes This requirement applies to in-scope system components that are not in the CDE because these components are not …
Added p. 42
• Examine network and/or system configurations.

• Observe administrator personnel logging into the CDE.

Applicability Notes The requirement for MFA for non-console administrative access applies to all personnel with elevated or increased privileges accessing the CDE via a non-console connection•that is, via logical access occurring over a network interface rather than via a direct, physical connection.

MFA is considered a best practice for non-console administrative access to in-scope system components that are not part of the CDE.

• Examine network and/or system configurations.

PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 8.4.2 MFA is implemented for all access into the CDE.

• Observe personnel logging in to the CDE.

Applicability Notes This requirement does not apply to:

• Application or system accounts performing automated functions.

• User accounts on point-of-sale terminals that have access to only one card number at a time to facilitate …
Added p. 45
• The MFA system is not susceptible to replay attacks.

• MFA systems cannot be bypassed by any users, including administrative users unless specifically documented, and authorized by management on an exception basis, for a limited time period.

• At least two different types of authentication factors are used.

• Success of all authentication factors is required before access is granted.

• Examine vendor system documentation.

• Examine system configurations for the MFA implementation.

• Interview responsible personnel and observe processes.

• Observe personnel logging into system components in the CDE.

• Observe personnel connecting remotely from outside the entity’s network.

• Every action taken is attributable to an individual user.

PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 8.6 Use of application and system accounts and associated authentication factors is strictly managed.
Added p. 46
• Interactive use is prevented unless needed for an exceptional circumstance.

• Interactive use is limited to the time needed for the exceptional circumstance.

• Business justification for interactive use is documented.

• Interactive use is explicitly approved by management.

• Individual user identity is confirmed before access to account is granted.

• Examine application and system accounts that can be used interactively.

• Interview administrative personnel.

PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 8.6.2 Passwords/passphrases for any application and system accounts that can be used for interactive login are not hard coded in scripts, configuration/property files, or bespoke and custom source code.

• Examine system development procedures.

• Examine scripts, configuration/property files, and bespoke and custom source code for application and system accounts that can be used for interactive login.

Applicability Notes Stored passwords/passphrases are required to be encrypted in accordance with PCI …
Added p. 47
• Passwords/passphrases are changed periodically (at the frequency defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1) and upon suspicion or confirmation of compromise.

• Passwords/passphrases are constructed with sufficient complexity appropriate for how frequently the entity changes the passwords/passphrases.

PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 9.1 Processes and mechanisms for restricting physical access to cardholder data are defined and understood.

Selection of any of the In Place responses for Requirement 9.1.1 means that the merchant has policies and procedures in place that govern merchant activities for Requirement 9, including how any paper media with cardholder data is secured, and how POI devices are protected.
Added p. 48
• Observe physical entry controls.
Added p. 48
 Entry and exit points to/from sensitive areas within the CDE are monitored.

 Monitoring devices or mechanisms are protected from tampering or disabling.

 Collected data is reviewed and correlated with other entries.

 Collected data is stored for at least three months, unless otherwise restricted by law.

• Observe locations where individual physical access to sensitive areas within the CDE occurs.

• Observe the physical access control mechanisms and/or examine video cameras.

PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 9.2.2 Physical and/or logical controls are implemented to restrict use of publicly accessible network jacks within the facility.

• Observe locations of publicly accessible network jacks.
Added p. 49
Note: For SAQ C, Requirements at 9.4 only apply to merchants with paper records (for example, receipts or printed reports) with account data, including primary account numbers (PANs).
Added p. 49
• Examine logs or other documentation.

• Interview responsible personnel at the storge location(s).
Added p. 49
• Examine media logs or other documentation.
Added p. 49
• Media is sent by secured courier or other delivery method that can be accurately tracked.

• Examine offsite tracking logs for all media.
Added p. 49
• Examine offsite media tracking logs.

Applicability Notes (continued) 9.4.4 (cont.) Individuals approving media movements should have the appropriate level of management authority to grant this approval. However, it is not specifically required that such individuals have “manager” as part of their title.

PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 9.4.6 Hard-copy materials with cardholder data are destroyed when no longer needed for business or legal reasons, as follows:

• Materials are cross-cut shredded, incinerated, or pulped so that cardholder data cannot be reconstructed.

• Materials are stored in secure storage containers prior to destruction.

• Examine the periodic media destruction policy.

• Observe storage containers.

Applicability Notes These requirements for media destruction when that media is no longer needed for business or legal reasons are separate and distinct from PCI DSS Requirement 3.2.1, which is for securely deleting cardholder data …
Added p. 51
• Maintaining a list of POI devices.

• Periodically inspecting POI devices to look for tampering or unauthorized substitution.

• Training personnel to be aware of suspicious behavior and to report tampering or unauthorized substitution of devices.

Applicability Notes These requirements apply to deployed POI devices used in card-present transactions (that is, a payment card form factor such as a card that is swiped, tapped, or dipped). This requirement is not intended to apply to manual PAN key-entry components such as computer keyboards.

This requirement is recommended, but not required, for manual PAN key-entry components such as computer keyboards. This requirement does not apply to commercial off-the-shelf (COTS) devices (for example, smartphones or tablets), which are mobile merchant-owned devices designed for mass-market distribution.
Added p. 51
• Make and model of the device.

• Location of device.

• Device serial number or other methods of unique identification.

• Examine the list of POI devices.

• Observe POI devices and device locations.
Added p. 51
• Observe inspection processes.

PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 9.5.1.3 Training is provided for personnel in POI environments to be aware of attempted tampering or replacement of POI devices, and includes:

• Verifying the identity of any third-party persons claiming to be repair or maintenance personnel, before granting them access to modify or troubleshoot devices.

• Procedures to ensure devices are not installed, replaced, or returned without verification.

• Being aware of suspicious behavior around devices.

• Reporting suspicious behavior and indications of device tampering or substitution to appropriate personnel.

• Review training materials for personnel in POI environments.

Selection of any of the In Place responses for Requirements at 9.5 means that the merchant has policies and procedures in place for Requirements 9.5.1, 9.5.1.1, 9.5.1.2, and 9.5.1.3, and that they maintain a current list of devices, conduct periodic …
Added p. 53
Requirement 10: Log and Monitor All Access to System Components and Cardholder Data

PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 10.1 Processes and mechanisms for logging and monitoring all access to system components and cardholder data are defined and documented.
Added p. 53
• Creation of new accounts.

• Elevation of privileges.

• All changes, additions, or deletions to accounts with administrative access.

• Interview system administrators.

• Examine system settings.

PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 10.2.2 Audit logs record the following details for each auditable event:

• User identification.

• Success and failure indication.

• Origination of event.

• Identity or name of affected data, system component, resource, or service (for example, name and protocol).
Added p. 54
• Interview system administrators

• Examine system configurations and privileges.

• Examine system configurations and privileges.
Added p. 54
• Examine backup configurations or log files.
Added p. 54
• Examine monitored files.

• Examine results from monitoring activities.

PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 10.4.1 The following audit logs are reviewed at least once daily:

• All security events.

• Logs of all system components that store, process, or transmit CHD and/or SAD.

• Logs of all critical system components.

• Logs of all servers and system components that perform security functions (for example, network security controls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers).
Added p. 55
• Examine log review mechanisms.
Added p. 55
• Examine documented results of log reviews.

Applicability Notes This requirement is applicable to all other in-scope system components not included in Requirement 10.4.1.

PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 10.4.2.1 The frequency of periodic log reviews for all other system components (not defined in Requirement 10.4.1) is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.

• Examine documented results of periodic log reviews.
Added p. 56
• Examine documented audit log retention policies and procedures.

• Examine configurations of audit log history.
Added p. 56
Applicability Notes Keeping time-synchronization technology current includes managing vulnerabilities and patching the technology according to PCI DSS Requirements 6.3.1 and 6.3.3.

PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 10.6.2 Systems are configured to the correct and consistent time as follows:

• One or more designated time servers are in use.

• Only the designated central time server(s) receives time from external sources.

• Time received from external sources is based on International Atomic Time or Coordinated Universal Time (UTC).

• The designated time server(s) accept time updates only from specific industry-accepted external sources.

• Where there is more than one designated time server, the time servers peer with one another to keep accurate time.

• Internal systems receive time information only from designated central time server(s).

• Examine system configuration settings for acquiring, distributing, and storing the correct time.
Added p. 57
• Access to time data is restricted to only personnel with a business need.

• Any changes to time settings on critical systems are logged, monitored, and reviewed.

• Examine system configurations and time-synchronization settings and logs.

Requirement 11: Test Security of Systems and Networks Regularly

PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 11.2 Wireless access points are identified and monitored, and unauthorized wireless access points are addressed.
Added p. 58
• The presence of wireless (Wi-Fi) access points is tested for.

• All authorized and unauthorized wireless access points are detected and identified.

• Testing, detection, and identification occurs at least once every three months.

• If automated monitoring is used, personnel are notified via generated alerts.

• Examine the methodology(ies) in use and the resulting documentation.

• Examine wireless assessment results.

Applicability Notes The requirement applies even when a policy exists that prohibits the use of wireless technology since attackers do not read and follow company policy.

Methods used to meet this requirement must be sufficient to detect and identify both authorized and unauthorized devices, including unauthorized devices attached to devices that themselves are authorized.
Added p. 59
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 11.3 External and internal vulnerabilities are regularly identified, prioritized, and addressed.
Added p. 59
• At least once every three months.

• High-risk and critical vulnerabilities (per the entity’s vulnerability risk rankings defined at Requirement 6.3.1) are resolved.

• High-risk and critical vulnerabilities (per the entity’s vulnerability risk rankings defined at Requirement 6.3.1) are resolved.

• Rescans are performed that confirm all high-risk and critical vulnerabilities as noted above) have been resolved.

• Scans are performed by qualified personnel and organizational independence of the tester exists.

Applicability Notes It is not required to use a QSA or ASV to conduct internal vulnerability scans.

Internal vulnerability scans can be performed by qualified, internal staff that are reasonably independent of the system component(s) being scanned (for example, a network administrator should not be responsible for scanning the network), or an entity may choose to have internal vulnerability scans performed by a firm specializing in vulnerability scanning.
Added p. 59
• Rescans are conducted as needed.

• Scans are performed by qualified personnel and organizational independence of the tester exists (not required to be a QSA or ASV).

• Examine internal scan and rescan report as applicable.

Applicability Notes Applicability Note intentionally left blank for this SAQ.

• At least once every three months.

• Rescans are conducted as needed.

• By PCI SSC Approved Scanning Vendor (ASV)

• Vulnerabilities are resolved and ASV Program Guide requirements for a passing scan are met.

• Rescans are performed as needed to confirm that vulnerabilities are resolved per the ASV Program Guide requirements for a passing scan.

However, for subsequent years after the initial PCI DSS assessment, passing scans at least every three months must have occurred.

ASV scanning tools can scan a vast array of network types and topologies. Any specifics about the target environment (for example, load balancers, third-party providers, ISPs, specific configurations, protocols in use, scan interference) should be …
Added p. 60
• Vulnerabilities that are scored 4.0 or higher by the CVSS are resolved.

• Examine external scan, and as applicable rescan reports.

PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 11.4 External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected.

• At least once every 12 months and after any changes to segmentation controls/methods

• Covering all segmentation controls/methods in use.

• Confirming effectiveness of any use of isolation to separate systems with differing security levels (see Requirement 2.2.3).

• Performed by a qualified internal resource or qualified external third party.

• Organizational independence of the tester exists (not required to be a QSA or ASV).
Added p. 61
• To alert personnel to unauthorized modification (including changes, additions, and deletions) of critical files.

• To perform critical file comparisons at least once weekly.

• Examine system settings for the change-detection mechanism.

Applicability Notes (continued)

PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 11.5.2 (cont.) For change-detection purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. Change- detection mechanisms such as file integrity monitoring products usually come pre-configured with critical files for the related operating system. Other critical files, such as those for custom applications, must be evaluated and defined by the entity (that is, the merchant or service provider).

Requirement 12: Support Information Security with Organizational Policies and Programs

Note: Requirement 12 specifies that merchants have information security policies for their personnel, but …
Added p. 63
• Disseminated to all relevant personnel, as well as to relevant vendors and business partners.
Added p. 63
• Updated as needed to reflect changes to business objectives or risks to the environment

• Examine the information security policy.

Selection of any of the In Place responses for Requirements 12.1.1 and 12.1.2 means that the merchant has a security policy that is reasonable for the size and complexity of the merchant’s operations, and that the policy is reviewed at least once every 12 months and updated if needed.

For example, such a policy could be a simple document that covers how to protect the store and payment devices in accordance with the solution provider’s guidance/instruction manual, and who to call in an emergency.

• Examine the information security policy.

PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 12.1.3 The security policy clearly defines information security roles and responsibilities for all personnel, and all personnel are aware of and …
Added p. 64
• List of products approved by the company for employee use, including hardware and software.

• Examine acceptable use policies.

Applicability Notes Examples of end-user technologies for which acceptable use policies are expected include, but are not limited to, remote access and wireless technologies, laptops, tablets, mobile phones, and removable electronic media, e-mail usage, and Internet usage.

PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 12.3 Risks to the cardholder data environment are formally identified, evaluated, and managed.
Added p. 65
• Identification of the assets being protected.

• Identification of the threat(s) that the requirement is protecting against.

• Identification of factors that contribute to the likelihood and/or impact of a threat being realized.

• Resulting analysis that determines, and includes justification for, how frequently the requirement must be performed to minimize the likelihood of the threat being realized.

• Review of each targeted risk analysis at least once every 12 months to determine whether the results are still valid or if an updated risk analysis is needed.

• Performance of updated risk analyses when needed, as determined by the annual review.

PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 12.6 Security awareness education is an ongoing activity.

• Examine the security awareness program.

Selection of any of the In Place responses for Requirement 12.6.1 means that the merchant has a security awareness …
Added p. 66
• Phishing and related attacks.

• Social engineering.

• Examine security awareness training content.

Applicability Notes See Requirement 5.4.1 in PCI DSS for guidance on the difference between technical and automated controls to detect and protect users from phishing attacks, and this requirement for providing users security awareness training about phishing and social engineering. These are two separate and distinct requirements, and one is not met by implementing controls required by the other one.

PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 12.8 Risk to information assets associated with third-party service provider (TPSP) relationships is managed.
Added p. 67
• Examine list of TPSPs.

Applicability Notes The use of a PCI DSS compliant TPSP does not make an entity PCI DSS compliant, nor does it remove the entity’s responsibility for its own PCI DSS compliance.
Added p. 67
• Written agreements include acknowledgments from TPSPs that they are responsible for the security of account data the TPSPs possess or otherwise store, process, or transmit on behalf of the entity, or to the extent that they could impact the security of the entity’s CDE.

Applicability Notes The exact wording of an acknowledgment will depend on the agreement between the two parties, the details of the service being provided, and the responsibilities assigned to each party. The acknowledgment does not have to include the exact wording provided in this requirement.

Evidence that a TPSP is meeting PCI DSS requirements (for example, a PCI DSS Attestation of Compliance (AOC) or a declaration on a company’s website) is not the same as a written agreement specified in this requirement.

PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 12.8.4 A program …
Added p. 69
• Incident response procedures with specific containment and mitigation activities for different types of incidents.

• Data backup processes.

• Examine documentation from previously reported incidents.

Selection of any of the In Place responses for Requirement 12.10.1 means that the merchant has documented an incident response and escalation plan to be used for emergencies, consistent with the size and complexity of the merchant’s operations. For example, such a plan could be a simple document posted in the back office that lists who to call in the event of various situations with an annual review to confirm it is still accurate, but could extend all the way to a full incident response plan including backup “hotsite” facilities and thorough annual testing. This plan should be readily available to all personnel as a resource in an emergency.
Added p. 70
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place A2.1 POI terminals using SSL and/or early TLS are not susceptible to known SSL/TLS exploits.

A2.1.1 Where POS POI terminals at the merchant or payment acceptance location use SSL and/or early TLS, the entity confirms the devices are not susceptible to any known exploits for those protocols.

Applicability Notes This requirement is intended to apply to the entity with the POS POI terminal, such as a merchant. This requirement is not intended for service providers who serve as the termination or connection point to those POS POI terminals. Requirements A2.1.2 and A2.1.3 apply to POS POI service providers.

The allowance for POS POI terminals that are not currently susceptible to exploits is based on currently known risks. If new exploits are introduced to which POS POI terminals are susceptible, the …
Added p. 75
Target Date for Compliance: YYYY-MM-DD A merchant submitting this form with a Non-Compliant status may be required to complete the Action Plan in Part 4 of this document. Confirm with the entity to which this AOC will be submitted before completing Part 4.

Compliant but with Legal exception: One or more requirements in the PCI DSS SAQ are marked as Not in Place due to a legal restriction that prevents the requirement from being met and all other requirements are marked as being either 1) In Place, 2) In Place with CCW, or 3) Not Applicable, resulting in an overall COMPLIANT BUT WITH LEGAL EXCEPTION rating; thereby (Merchant Company Name) has demonstrated compliance with all PCI DSS requirements included in this SAQ except those noted as Not in Place due to a legal restriction.

This option requires additional review from the entity to which this AOC will be submitted. If selected, complete …
Added p. 76
PCI DSS controls will be maintained at all times, as applicable to the merchant’s environment.

QSA performed testing procedures.

QSA provided other assistance.

If selected, describe all role(s) performed:

If selected, describe all role(s) performed:

Signature of Lead QSA  Date: YYYY-MM-DD Lead QSA Name:

ISA(s) performed testing procedures.

ISA(s) provided other assistance.
Added p. 77
If asked to complete this section, select the appropriate response for “Compliant to PCI DSS Requirements” for each requirement below. For any “No” responses, include the date the merchant expects to be compliant with the requirement and a brief description of the actions being taken to meet the requirement.

PCI DSS Requirement * Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO 1 Install and maintain network security controls 2 Apply secure configurations to all system components 3 Protect stored account data 4 Protect cardholder data with strong cryptography during transmission over open, public networks 5 Protect all systems and networks from malicious software 6 Develop and maintain secure systems and software 7 Restrict access to system components and cardholder data by business need to know 8 Identify users and authenticate access to system components 9 Restrict physical …
Removed p. 2
This document aligns with PCI DSS v3.2.1 r1.
Removed p. 4
• Your company has a payment application system and an Internet connection on the same device and/or same local area network (LAN);

• The payment application system/Internet device is not connected to any other systems within your environment (this can be achieved via network segmentation to isolate payment application system/Internet device from all other systems)1;

• The physical location of the POS environment is not connected to other premises or locations, and any LAN is for a single location only;

• Any cardholder data your company retains is on paper (for example, printed reports or receipts), and these documents are not received electronically; and

• Your company does not store cardholder data in electronic format.

1. Identify the applicable SAQ for your environment⎯refer to the Self-Assessment Questionnaire Instructions and Guidelines document on PCI SSC website for information.

2. Confirm that your environment is properly scoped and meets the eligibility criteria for the SAQ you are using …
Modified p. 4
SAQ C merchants process cardholder data via a point-of-sale (POS) system or other payment application systems connected to the Internet, do not store cardholder data on any computer system, and may be either brick-and-mortar (card-present) or mail/telephone-order (card-not-present) merchants.
SAQ C merchants process account data via a point-of-sale (POS) system or other payment application systems connected to the Internet, do not store account data on any computer system, and may be either brick-and-mortar (card-present) or mail/telephone-order (card-not-present) merchants.
Modified p. 4
This shortened version of the SAQ includes questions that apply to a specific type of small merchant environment, as defined in the above eligibility criteria. If there are PCI DSS requirements applicable to your environment that are not covered in this SAQ, it may be an indication that this SAQ is not suitable for your environment. Additionally, you must still comply with all applicable PCI DSS requirements in order to be PCI DSS compliant.
This SAQ includes only those requirements that apply to a specific type of merchant environment, as defined in the above eligibility criteria. If there are PCI DSS requirements applicable to the cardholder data environment that are not covered in this SAQ, it may be an indication that this SAQ is not suitable for the merchant’s environment.
Modified p. 4 → 5
3. Assess your environment for compliance with applicable PCI DSS requirements.
3. Assess the environment for compliance with PCI DSS requirements.
Removed p. 5
• Section 3 (Parts 3 & 4 of the AOC)
Removed p. 5
Understanding the Self-Assessment Questionnaire The questions contained in the “PCI DSS Question” column in this self-assessment questionnaire are based on the requirements in the PCI DSS.

Additional resources that provide guidance on PCI DSS requirements and how to complete the self- assessment questionnaire have been provided to assist with the assessment process. An overview of some of these resources is provided below:

(PCI Data Security Standard Requirements and Security Assessment Procedures)

• Guidance on Scoping

• Guidance on the intent of all PCI DSS Requirements

• Details of testing procedures

• Guidance on Compensating Controls SAQ Instructions and Guidelines documents

• Information about all SAQs and their eligibility criteria

• How to determine which SAQ is right for your organization

PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms

• Descriptions and definitions of terms used in the PCI DSS and self-assessment questionnaires These and other resources can be found on the PCI SSC website (www.pcisecuritystandards.org). Organizations are encouraged …
Modified p. 5
Validation and Attestation Details and Action Plan for Non-Compliant Requirements (if applicable)
 Section 3: Validation and Attestation Details (Parts 3 & 4 of the AOC

• PCI DSS Validation and Action Plan for Non-Compliant Requirements (if Part 4 is applicable)).
Modified p. 5
5. Submit the SAQ and Attestation of Compliance (AOC), along with any other requested documentation

•such as ASV scan reports

•to your acquirer, payment brand, or other requester.
5. Submit the SAQ and AOC, along with any other requested documentation

•such as ASV scan reports

•to the requesting organization (those organizations that manage compliance programs such as payment brands and acquirers).
Modified p. 5
Expected Testing The instructions provided in the “Expected Testing” column are based on the testing procedures in the PCI DSS, and provide a high-level description of the types of testing activities that should be performed in order to verify that a requirement has been met. Full details of testing procedures for each requirement can be found in the PCI DSS.
Expected Testing The instructions provided in the “Expected Testing” column are based on the testing procedures in PCI DSS and provide a high-level description of the types of testing activities that a merchant is expected to perform to verify that a requirement has been met.
Removed p. 6
Guidance for Non-Applicability of Certain, Specific Requirements While many organizations completing SAQ C will need to validate compliance with every PCI DSS requirement in this SAQ, some organizations with very specific business models may find that some requirements do not apply.

For example, a company that does not use wireless technology in any capacity would not be expected to validate compliance with the sections of PCI DSS that are specific to managing wireless technology (for example, Requirements 1.2.3, 2.1.1, and 4.1.1). Note that Requirement 11.1 (use of processes to identify unauthorized wireless access points) must still be answered even if you don’t use wireless technologies in your network, since the process detects any rogue or unauthorized devices that may have been added without your knowledge.

If any requirements are deemed not applicable to your environment, select the “N/A” option for that specific requirement, and complete the “Explanation of Non-Applicability” worksheet in Appendix …
Modified p. 6
A description of the meaning for each response is provided in the table below:
A description of the meaning for each response and when to use each response is provided in the table below:
Modified p. 6
Yes The expected testing has been performed, and all elements of the requirement have been met as stated.
In Place The expected testing has been performed, and all elements of the requirement have been met as stated.
Modified p. 6
Yes with CCW (Compensating Control Worksheet) The expected testing has been performed, and the requirement has been met with the assistance of a compensating control.
In Place with CCW (Compensating Controls Worksheet) The expected testing has been performed, and the requirement has been met with the assistance of a compensating control.
Modified p. 6
All responses in this column require completion of a Compensating Control Worksheet (CCW) in Appendix B of the SAQ.
All responses in this column require completion of a Compensating Controls Worksheet (CCW) in Appendix B of this SAQ.
Modified p. 6
Information on the use of compensating controls and guidance on how to complete the worksheet is provided in the PCI DSS.
Information on the use of compensating controls and guidance on how to complete the worksheet is provided in PCI DSS in Appendices B and C.
Modified p. 6
No Some or all elements of the requirement have not been met, or are in the process of being implemented, or require further testing before it will be known if they are in place.
Not in Place Some or all elements of the requirement have not been met, or are in the process of being implemented, or require further testing before the merchant can confirm they are in place. Responses in this column may require the completion of Part 4, if requested by the entity to which this SAQ will be submitted.
Modified p. 6
(Not Applicable) The requirement does not apply to the organization’s environment. (See Guidance for Non-Applicability of Certain, Specific Requirements below for examples.) All responses in this column require a supporting explanation in Appendix C of the SAQ.
Not Applicable The requirement does not apply to the entity’s environment. (See “Guidance for Not Applicable Requirements” below for examples.) All responses in this column require a supporting explanation in Appendix C of this SAQ.
Modified p. 6 → 7
Legal Exception If your organization is subject to a legal restriction that prevents the organization from meeting a PCI DSS requirement, check the “No” column for that requirement and complete the relevant attestation in Part 3.
Legal Exception If your organization is subject to a legal restriction that prevents the organization from meeting a PCI DSS requirement, select Not in Place for that requirement and complete the relevant attestation in Section 3, Part 3 of this SAQ.
Removed p. 7
Part 1. Merchant and Qualified Security Assessor Information Part 1a. Merchant Organization Information Company Name: DBA (doing business as):

Business Address: City:

Business Address: City:

State/Province: Country: Zip:

State/Province: Country: Zip:

Lead QSA Contact Name: Title:

Part 2. Executive Summary Part 2a. Type of Merchant Business (check all that apply) Retailer Telecommunication Grocery and Supermarkets Petroleum E-Commerce Mail order/telephone order (MOTO) Others (please specify):

What types of payment channels does your business serve?

Mail order/telephone order (MOTO) E-Commerce Card-present (face-to-face) Which payment channels are covered by this SAQ? Mail order/telephone order (MOTO) E-Commerce Card-present (face-to-face)
Modified p. 7 → 9
Section 1: Assessment Information Instructions for Submission This document must be completed as a declaration of the results of the merchant’s self-assessment with the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS). Complete all sections: The merchant is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact your acquirer (merchant bank) or the payment brands to determine reporting and submission procedures.
Section 1: Assessment Information Instructions for Submission This document must be completed as a declaration of the results of the merchant’s self-assessment against the Payment Card Industry Data Security Standard (PCI DSS) Requirements and Testing Procedures. Complete all sections. The merchant is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact the entity(ies) to which the Attestation of Compliance (AOC) will be submitted for reporting and submission procedures.
Modified p. 7 → 9
Part 1b. Qualified Security Assessor Company Information (if applicable) Company Name:
Qualified Security Assessor Company name:
Modified p. 7 → 10
Note: If your organization has a payment channel or process that is not covered by this SAQ, consult your acquirer or payment brand about validation for the other channels.
Note: If the organization has a payment channel that is not covered by this SAQ, consult with the entity(ies) to which this AOC will be submitted about validation for the other channels.
Removed p. 8
Type of facility Number of facilities of this type Location(s) of facility (city, country) Example: Retail outlets 3 Boston, MA, USA Part 2d. Payment Applications Does the organization use one or more Payment Applications? Yes No Provide the following information regarding the Payment Applications your organization uses:

Payment Application Version Number Application Is application PA-DSS Listed? PA-DSS Listing Expiry date (if applicable) Part 2e. Description of Environment Provide a high-level description of the environment covered by this assessment.

For example:

• Connections into and out of the cardholder data environment (CDE).

• Critical system components within the CDE, such as POS devices, databases, web servers, etc., and any other necessary payment components, as applicable.
Modified p. 8 → 10
Does your business use network segmentation to affect the scope of your PCI DSS environment? (Refer to “Network Segmentation” section of PCI DSS for guidance on network segmentation.)
Indicate whether the environment includes segmentation to reduce the scope of the assessment. (Refer to “Segmentation” section of PCI DSS for guidance on segmentation.)
Removed p. 9
Description of services provided by QIR:

Does your company share cardholder data with any third-party service providers (for example, Qualified Integrator & Resellers (QIR), gateways, payment processors, payment service providers (PSP), web-hosting companies, airline booking agents, loyalty program agents, etc.)? Name of service provider: Description of services provided:

Merchant has a payment application system and an Internet connection on the same device and/or same local area network (LAN); The payment application system/Internet device is not connected to any other system within the merchant environment; The physical location of the POS environment is not connected to other premises or locations, and any LAN is for a single location only; Merchant does not store cardholder data in electronic format; and If Merchant does store cardholder data, such data is only paper reports or copies of paper receipts and is not received electronically.
Removed p. 10
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 1.2 Do firewall and router configurations restrict connections between untrusted networks and any system in the cardholder data environment as follows:

Note: An “untrusted network” is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity’s ability to control or manage.
Removed p. 10
Is all other inbound and outbound traffic specifically denied (for example by using an explicit “deny all” or an implicit deny after allow statement)?

• Review firewall and router configuration standards.
Modified p. 10 → 15
Note: The following questions are numbered according to PCI DSS requirements and testing procedures, as defined in the PCI DSS Requirements and Security Assessment Procedures document.
Note: The following requirements mirror the requirements in the PCI DSS Requirements and Testing Procedures document.
Modified p. 10 → 15
Self-assessment completion date: Build and Maintain a Secure Network and Systems
Self-assessment completion date: YYYY-MM-DD Build and Maintain a Secure Network and Systems
Modified p. 10 → 15
Requirement 1: Install and maintain a firewall configuration to protect data
Requirement 1: Install and Maintain Network Security Controls
Modified p. 10 → 15
• Examine firewall and router configurations.
• Examine NSC configurations.
Modified p. 10 → 15
• Examine firewall and router configurations.
• Examine NSC configurations.
Modified p. 10 → 16
• Examine firewall and router configurations.
• Examine system configuration standards.
Modified p. 11 → 17
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 1.3 Is direct public access prohibited between the Internet and any system component in the cardholder data environment, as follows:
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 2.2.2 Vendor default accounts are managed as follows:
Removed p. 12
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 2.1 (a) Are vendor-supplied defaults always changed before installing a system on the network? This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, Simple Network Management Protocol (SNMP) community strings, etc.).
Removed p. 12
Are unnecessary default accounts removed or disabled before installing a system on the network?

• Review policies and procedures.

(a) Are encryption keys changed from default at installation, and changed anytime anyone with knowledge of the keys leaves the company or changes positions?

• Review policies and procedures.

(b) Are default SNMP community strings on wireless devices changed at installation?

• Review policies and procedures.

(c) Are default passwords/passphrases on access points changed at installation?

• Review policies and procedures.
Modified p. 12 → 17
Observe system configurations and account settings.
Examine system configuration standards.
Modified p. 12 → 19
• Examine system configurations and account settings.
• Examine wireless configuration settings.
Modified p. 12 → 19
Review vendor documentation.
Examine key-management documentation.
Modified p. 12 → 20
Review vendor documentation.
Examine documentation.
Removed p. 13
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 2.1.1 (cont.) (d) Is firmware on wireless devices updated to support strong encryption for authentication and transmission over wireless networks?

• Review policies and procedures.
Removed p. 13
(e) Are other security-related wireless vendor defaults changed, if applicable?

• Review policies and procedures.
Removed p. 13
(b) Are system configuration standards updated as new vulnerability issues are identified, as defined in Requirement 6.1?

• Review policies and procedures.

(c) Are system configuration standards applied when new systems are configured?

• Review policies and procedures.
Modified p. 13 → 24
Review system configuration standards.
Examine system configurations and vendor documentation.
Modified p. 13 → 24
Review policies and procedures.
Examine documented policies and procedures.
Removed p. 14
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 2.2 (cont.) (d) Do system configuration standards include all of the following: - Changing of all vendor-supplied defaults and elimination of unnecessary default accounts? - Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same server? - Enabling only necessary services, protocols, daemons, etc., as required for the function of the system? - Implementing additional security features for any required services, protocols or daemons that are considered to be insecure? - Configuring system security parameters to prevent misuse? - Removing all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers?

• Review system configuration standards.
Removed p. 14
If virtualization technologies are used, is only one primary function implemented per virtual system component or device?

• Examine system configurations.
Removed p. 15
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 2.2.2 (a) Are only necessary services, protocols, daemons, etc. enabled as required for the function of the system (services and protocols not directly needed to perform the device’s specified function are disabled)?

• Review configuration standards.

(b) Are all enabled insecure services, daemons, or protocols justified per documented configuration standards?

• Review configuration standards

• Compare enabled services, etc. to documented justifications.
Removed p. 15
Are common system security parameters settings included in the system configuration standards?

• Review system configuration standards.

(c) Are security parameter settings set appropriately on system components?

• Examine system components.

• Compare settings to system configuration standards.
Removed p. 15
Are enabled functions documented and do they support secure configuration?

• Review documentation.

• Examine security parameters on system components.

• Examine security parameters on system components.

(c) Is only documented functionality present on system components?

• Review documentation.
Modified p. 15 → 38
• Examine system configurations.
• Examine system configuration settings.
Modified p. 15 → 58
• Examine security parameter settings.
• Examine documentation.
Modified p. 15 → 59
• Examine configuration settings.
• Examine scan tool configurations.
Removed p. 16
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 2.3 Is non-console administrative access encrypted as follows:

(a) Is all non-console administrative access encrypted with strong cryptography, and is a strong encryption method invoked before the administrator’s password is requested?

• Examine system components.

(b) Are system services and parameter files configured to prevent the use of Telnet and other insecure remote login commands?

• Examine system components.

• Examine services and files.

(c) Is administrator access to web-based management interfaces encrypted with strong cryptography?

• Examine system components.

(d) For the technology in use, is strong cryptography implemented according to industry best practice and/or vendor recommendations?

• Examine system components.
Removed p. 16
• Known to all affected parties?

• Review security policies and operational procedures.
Modified p. 16 → 59
• Interview personnel.
• Interview responsible personnel.
Removed p. 17
Requirement 3: Protect stored cardholder data

PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 3.2 (c) Is sensitive authentication data deleted or rendered unrecoverable upon completion of the authorization process?

• Review policies and procedures.

(d) Do all systems adhere to the following requirements regarding non-storage of sensitive authentication data after authorization (even if encrypted):
Removed p. 17
Note: In the normal course of business, the following data elements from the magnetic stripe may need to be retained:

• The cardholder’s name,

• Primary account number (PAN),

• Expiration date, and

• Service code To minimize risk, store only these data elements as needed for business.

• Examine data sources including:
Removed p. 17
- Database contents 3.2.2 The card verification code or value (three-digit or four- digit number printed on the front or back of a payment card) is not stored after authorization?

• Examine data sources including:
Modified p. 17 → 59
• Examine deletion processes.
• Examine internal scan report results.
Removed p. 18
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 3.2.3 The personal identification number (PIN) or the encrypted PIN block is not stored after authorization?

• Examine data sources including:

- Database contents 3.3 Is the PAN masked when displayed (the first six and last four digits are the maximum number of digits to be displayed) such that only personnel with a legitimate business need can see more than the first six/last four digits of the PAN? Note: This requirement does not supersede stricter requirements in place for displays of cardholder data•for example, legal or payment card brand requirements for point-of-sale (POS) receipts.

• Review roles that need access to displays of full PAN.

• Observe displays of PAN.

Requirement 4: Encrypt transmission of cardholder data across open, public networks

PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 4.1 (a) Are strong cryptography …
Removed p. 19
• Review wireless networks.

PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 4.2 Are policies in place that state that unprotected PANs are not to be sent via end-user messaging technologies?

• Review policies and procedures.
Removed p. 21
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs

PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 5.1 Is anti-virus software deployed on all systems commonly affected by malicious software?

• Examine system configurations.
Removed p. 21
(a) Are all anti-virus software and definitions kept current?

• Examine policies and procedures.

• Examine anti-virus configurations, including the master installation.

(b) Are automatic updates and periodic scans enabled and being performed?

• Examine anti-virus configurations, including the master installation.

(c) Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7?

• Examine anti-virus configurations.

• Review log retention processes.

PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 5.3 Are all anti-virus mechanisms:

• Unable to be disabled or altered by users? Note: Anti-virus solutions may be temporarily disabled only if there is legitimate technical need, as authorized by management on a case-by-case basis. If anti-virus protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period of time during which anti-virus protection is not active.

• Examine anti-virus …
Modified p. 23 → 59
Using reputable outside sources for vulnerability information?
Scan tool is kept up to date with latest vulnerability information.
Removed p. 24
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 6.2 (a) Are all system components and software protected from known vulnerabilities by installing applicable vendor-supplied security patches?

• Review policies and procedures.

Are critical security patches installed within one month of release? Note: Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1.
Removed p. 24
• Observe affected systems or networks.

Requirement 7: Restrict access to cardholder data by business need to know

PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 7.1 Is access to system components and cardholder data limited to only those individuals whose jobs require such access, as follows:
Removed p. 25
• To least privileges necessary to perform job responsibilities?

• Assigned only to roles that specifically require that privileged access?

• Interview personnel.

• Review privileged user IDs.
Modified p. 25 → 59
• Interview management.
• Interview personnel.
Removed p. 26
Requirement 8: Identify and authenticate access to system components

PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 8.1 Are policies and procedures for user identification management controls defined and in place for non- consumer users and administrators on all system components, as follows:
Removed p. 26
Are third-party remote access accounts monitored when in use?

• Interview personnel.
Removed p. 26
In addition to assigning a unique ID, is one or more of the following methods employed to authenticate all users?

• Something you know, such as a password or passphrase

• Review password procedures.

• Observe authentication processes.
Modified p. 26 → 60
• Examine system configuration settings.
• Examine ASV scan reports.
Removed p. 27
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 8.2.3 (a) Are user password parameters configured to require passwords/passphrases meet the following? - A minimum password length of at least seven characters - Contain both numeric and alphabetic characters Alternatively, the passwords/passphrases must have complexity and strength at least equivalent to the parameters specified above.

• Examine system configuration settings to verify password parameters.
Removed p. 27
• Sample system components.
Removed p. 27
Note: Multi-factor authentication requires that a minimum of two of the three authentication methods (see PCI DSS Requirement 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered multi-factor authentication.
Removed p. 27
• Observe administrator logging into CDE.

PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 8.3.2 Is multi-factor authentication incorporated for all remote network access (both user and administrator, and including third-party access for support or maintenance) originating from outside the entity’s network?

• Examine system configurations.

• Observe personnel connecting remotely.
Removed p. 28
• Review distribution method.

Do authentication policies and procedures include the following? - Guidance on selecting strong authentication credentials

- Guidance for how users should protect their authentication credentials

- Instructions not to reuse previously used passwords

- Instructions that users should change passwords if there is any suspicion the password could be compromised

• Review documentation provided to users.
Removed p. 28
• Generic user IDs and accounts are disabled or removed;

• Shared user IDs for system administration activities and other critical functions do not exist; and

• Shared and generic user IDs are not used to administer any system components?

• Review policies and procedures.

• Examine user ID lists.

PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 8.8 Are security policies and operational procedures for identification and authentication:

• Known to all affected parties?

• Examine security policies and operational procedures.

PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 9.1 Are appropriate facility entry controls in place to limit and monitor physical access to systems in the cardholder data environment?

• Observe physical access controls.
Removed p. 30
• Observe physical monitoring mechanisms.

• Observe security features.

Are either video cameras or access control mechanisms (or both) protected from tampering or disabling?

• Interview personnel.

(c) Is data collected from video cameras and/or access control mechanisms reviewed and correlated with other entries?

• Review policies and procedures.
Removed p. 30
(d) Is data collected from video cameras and/or access control mechanisms stored for at least three months unless otherwise restricted by law?

• Review data retention processes.

• Observe data storage.
Removed p. 31
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 9.5 Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? For purposes of Requirement 9, “media” refers to all paper and electronic media containing cardholder data.

• Review policies and procedures for physically securing media.
Removed p. 31
Do controls include the following:
Removed p. 31
• Examine media distribution tracking logs and documentation.

• Examine media distribution tracking logs and documentation.
Removed p. 31
(c) Is media destruction performed as follows:
Removed p. 31
• Observe processes Are storage containers used for materials that contain information to be destroyed secured to prevent access to the contents?

• Examine security of storage containers.

PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 9.9 Are devices that capture payment card data via direct physical interaction with the card protected against tampering and substitution as follows? Note: This requirement applies to card-reading devices used in card-present transactions (that is, card swipe or dip) at the point of sale. This requirement is not intended to apply to manual key-entry components such as computer keyboards and POS keypads.

(a) Do policies and procedures require that a list of such devices be maintained?

• Review policies and procedures.

(b) Do policies and procedures require that devices are periodically inspected to look for tampering or substitution?

• Review policies and procedures.

(c) Do policies and procedures require that personnel are trained to …
Removed p. 32
• Examine the list of devices.

(b) Is the list accurate and up to date?

• Observe devices and device locations and compare to list.

(c) Is the list of devices updated when devices are added, relocated, decommissioned, etc.?

• Interview personnel.

PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 9.9.2 (a) Are device surfaces periodically inspected to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device) as follows? Note: Examples of signs that a device might have been tampered with or substituted include unexpected attachments or cables plugged into the device, missing or changed security labels, broken or differently colored casing, or changes to the serial number or other external markings.

• Observe inspection processes and compare to defined processes.

Are personnel aware of …
Removed p. 33
• Review training materials.

PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 9.9.3 (cont.) (b) Have personnel at point-of-sale locations received training, and are they aware of procedures to detect and report attempted tampering or replacement of devices?

• Interview personnel at POS locations.
Removed p. 35
Requirement 10: Track and monitor all access to network resources and cardholder data

PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 10.2 Are automated audit trails implemented for all system components to reconstruct the following events:
Removed p. 36
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 10.3.4 Success or failure indication?

• Interview personnel.
Removed p. 36
• Review security policies and procedures.
Removed p. 37
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 10.6.3 Is follow up to exceptions and anomalies performed?

• Review security policies and procedures

• Interview personnel 10.7 Are audit logs retained for at least one year?

• Interview personnel.

Are at least the last three months’ logs immediately available for analysis?

• Interview personnel.

Requirement 11: Regularly test security systems and processes

PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 11.1 (a) Are processes implemented for detection and identification of both authorized and unauthorized wireless access points on a quarterly basis? Note: Methods that may be used in the process include, but are not limited to, wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS.

Whichever methods are used, they must be sufficient to detect and identify any unauthorized devices.

Does the methodology detect and identify any …
Removed p. 39
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 11.1.2 (a) Does the incident response plan define and require a response in the event that an unauthorized wireless access point is detected?

• Examine incident response plan (see Requirement 12.10).

Is action taken when unauthorized wireless access points are found?

• Interview responsible personnel.

• Inspect recent wireless scans and related responses.
Removed p. 39
Note: Multiple scan reports can be combined for the quarterly scan process to show that all systems were scanned and all applicable vulnerabilities have been addressed. Additional documentation may be required to verify non-remediated vulnerabilities are in the process of being addressed.
Modified p. 39 → 60
For initial PCI DSS compliance, it is not required that four quarters of passing scans be completed if the assessor verifies 1) the most recent scan result was a passing scan, 2) the entity has documented policies and procedures requiring quarterly scanning, and 3) vulnerabilities noted in the scan results have been corrected as shown in a re-scan(s). For subsequent years after the initial PCI DSS review, four quarters of passing scans must have occurred.
Applicability Notes For initial PCI DSS compliance, it is not required that four passing scans be completed within 12 months if the assessor verifies: 1) the most recent scan result was a passing scan, 2) the entity has documented policies and procedures requiring scanning at least once every three months, and 3) vulnerabilities noted in the scan results have been corrected as shown in a re-scan(s).
Removed p. 40
(b) Does the quarterly internal scan process address all “high risk” vulnerabilities and include rescans to verify all “high-risk” vulnerabilities (as defined in PCI DSS Requirement 6.1) are resolved?

• Review scan reports.

(c) Are quarterly internal scans performed by a qualified internal resource(s) or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)?

• Interview personnel.
Removed p. 40
• Review results from the four most recent quarters of external vulnerability scans.

(b) Do external quarterly scan and rescan results satisfy the ASV Program Guide requirements for a passing scan (for example, no vulnerabilities rated 4.0 or higher by the CVSS, and no automatic failures)?

• Review results of each external quarterly scan and rescan.

(c) Are quarterly external vulnerability scans performed by a PCI SSC Approved Scanning Vendor (ASV?

• Review results of each external quarterly scan and rescan.
Modified p. 40 → 60
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 11.2.1 (a) Are quarterly internal vulnerability scans performed?

• Review scan reports.
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 11.3.2 External vulnerability scans are performed as follows:
Removed p. 41
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 11.2.3 (a) Are internal and external scans, and rescans as needed, performed after any significant change? Note: Scans must be performed by qualified personnel.

(b) Does the scan process include rescans until:

- For external scans, no vulnerabilities exist that are scored 4.0 or higher by the CVSS, - For internal scans, a passing result is obtained or all “high-risk” vulnerabilities as defined in PCI DSS Requirement 6.1 are resolved?

• Review scan reports.

(b) Does penetration testing to verify segmentation controls meet the following? - Performed at least annually and after any changes to segmentation controls/methods.

- Covers all segmentation controls/methods in use.

- Verifies that segmentation methods are operational and effective, and isolate all out-of- scope systems from systems in the CDE.

(c) Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does …
Modified p. 41 → 60
• Examine and correlate change control documentation and scan reports.
• Examine change control documentation.
Modified p. 41 → 60
(c) Are scans performed by a qualified internal resource(s) or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)?

• Interview personnel.
• Scans are performed by qualified personnel and organizational independence of the tester exists (not required to be a QSA or ASV).
Modified p. 41 → 61
(a) Are penetration-testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of- scope systems from systems in the CDE?

• Examine segmentation controls.
• Confirming that the segmentation controls/methods are operational and effective, and isolate the CDE from all out-of-scope systems.
Modified p. 41 → 61
• Examine results from the most recent penetration test.
• Examine the results from the most recent penetration test.
Removed p. 42
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 11.5 (a) Is a change-detection mechanism (for example, file-integrity monitoring tools) deployed to detect unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files? Examples of files that should be monitored include:

• Application executables

• Configuration and parameter files

• Centrally stored, historical or archived, log, and audit files

• Additional critical files determined by entity (for example, through risk assessment or other means)

(b) Is the change-detection mechanism configured to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files or content files, and do the tools perform critical file comparisons at least weekly? Note: For change detection purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. Change detection mechanisms …
Modified p. 42 → 61
Observe system settings and monitored files.
Examine monitored files.
Modified p. 42 → 61
Review results from monitoring activities.
Examine results from monitoring activities.
Modified p. 42 → 63
• Examine system configuration settings.
• Examine the information security policy.
Removed p. 43
Requirement 12: Maintain a policy that addresses information security for all personnel

Note: For the purposes of Requirement 12, “personnel” refers to full-time part-time employees, temporary employees and personnel, and contractors and consultants who are “resident” on the entity’s site or otherwise have access to the company’s site cardholder data environment.

PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 12.1 Is a security policy established, published, maintained, and disseminated to all relevant personnel?

• Review the information security policy.
Removed p. 43
Note: Examples of critical technologies include, but are not limited to, remote access and wireless technologies, laptops, tablets, removable electronic media, e-mail usage and Internet usage.
Removed p. 44
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 12.3.9 Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use?

• Review usage policies.
Modified p. 44 → 63
• Interview a sample of responsible personnel.
• Interview personnel.
Modified p. 44 → 63
Review list of service providers.
Reviewed at least once every 12 months.
Removed p. 45
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 12.8.2 Is a written agreement maintained that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process, or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment? Note: The exact wording of an acknowledgement will depend on the agreement between the two parties, the details of the service being provided, and the responsibilities assigned to each party. The acknowledgement does not have to include the exact wording provided in this requirement.
Modified p. 45 → 67
Observe written agreements.
Examine written agreements with TPSPs.
Modified p. 45 → 67
Review policies and procedures.
Examine policies and procedures.
Removed p. 46
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 12.10.1 (a) Has an incident response plan been created to be implemented in the event of system breach?

• Review the incident response plan.

(b) Does the plan address the following, at a minimum:

- Data backup processes?

• Review incident response plan procedures.

- Reference or inclusion of incident response procedures from the payment brands?

• Review incident response plan procedures.
Modified p. 46 → 69
Review incident response plan procedures.
Examine the incident response plan.
Modified p. 46 → 69
- Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum?

• Review incident response plan procedures.
Roles, responsibilities, and communication and contact strategies in the event of a suspected or confirmed security incident, including notification of payment brands and acquirers, at a minimum.
Modified p. 46 → 69
- Specific incident response procedures?

• Review incident response plan procedures.
• Reference or inclusion of incident response procedures from the payment brands.
Modified p. 46 → 69
- Business recovery and continuity procedures?

• Review incident response plan procedures.
Business recovery and continuity procedures.
Modified p. 46 → 69
- Analysis of legal requirements for reporting compromises?

• Review incident response plan procedures.
Analysis of legal requirements for reporting compromises.
Modified p. 46 → 69
- Coverage and responses of all critical system components?

• Review incident response plan procedures.
Coverage and responses of all critical system components.
Removed p. 47
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A A2.1 For POS POI terminals (at the merchant or payment- acceptance location) using SSL and/or early TLS: Are the devices confirmed to not be susceptible to any known exploits for SSL/early TLS? Note: This requirement is intended to apply to the entity with the POS POI terminal, such as a merchant. This requirement is not intended for service providers who serve as the termination or connection point to those POS POI terminals. Requirements A2.2 and A2.3 apply to POS POI service providers.
Modified p. 47 → 70
Review documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS.
Examine documentation (for example, vendor documentation, system/network configuration details) that verifies the devices are not susceptible to any known exploits for SSL/early TLS.
Modified p. 48 → 72
Note: Only companies that have undertaken a risk analysis and have legitimate technological or documented business constraints can consider the use of compensating controls to achieve compliance.
Note: Only entities that have a legitimate and documented technological or business constraint can consider the use of compensating controls to achieve compliance.
Modified p. 48 → 72
Refer to Appendices B, C, and D of PCI DSS for information about compensating controls and guidance on how to complete this worksheet.
Refer to Appendices B and C in PCI DSS for information about compensating controls and guidance on how to complete this worksheet.
Modified p. 48 → 72
1. Constraints List constraints precluding compliance with the original requirement.
1. Constraints Document the legitimate technical or business constraints precluding compliance with the original requirement.
Modified p. 48 → 72
2. Objective Define the objective of the original control; identify the objective met by the compensating control.
3. Objective Define the objective of the original control.
Modified p. 48 → 72
3. Identified Risk Identify any additional risk posed by the lack of the original control.
4. Identified Risk Identify any additional risk posed by the lack of the original control.
Modified p. 48 → 72
4. Definition of Compensating Controls Define the compensating controls and explain how they address the objectives of the original control and the increased risk, if any.
2. Definition of Compensating Controls Define the compensating controls: explain how they address the objectives of the original control and the increased risk, if any.
Modified p. 48 → 72
6. Maintenance Define process and controls in place to maintain compensating controls.
6. Maintenance Define process(es) and controls in place to maintain compensating controls.
Modified p. 49 → 73
Requirement Reason Requirement is Not Applicable 3.4 Cardholder data is never stored electronically
Requirement Reason Requirement is Not Applicable
Removed p. 50
An entity submitting this form with a status of Non-Compliant may be required to complete the Action Plan in Part 4 of this document. Check with your acquirer or the payment brand(s) before completing Part 4.

Compliant but with Legal exception: One or more requirements are marked “No” due to a legal restriction that prevents the requirement from being met. This option requires additional review from acquirer or payment brand.

If checked, complete the following:

I have confirmed with my payment application vendor that my payment system does not store sensitive authentication data after authorization.

I have read the PCI DSS and I recognize that I must maintain PCI DSS compliance, as applicable to my environment, at all times.

If my environment changes, I recognize I must reassess my environment and implement any additional PCI DSS requirements that apply.
Modified p. 50 → 75
Section 3: Validation and Attestation Details Part 3. PCI DSS Validation This AOC is based on results noted in SAQ C (Section 2), dated (SAQ completion date).
Section 3: Validation and Attestation Details Part 3. PCI DSS Validation This AOC is based on results noted in SAQ C (Section 2), dated (Self-assessment completion date YYYY-MM-DD).
Modified p. 50 → 75
Based on the results documented in the SAQ C noted above, the signatories identified in Parts 3b-3d, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document (check one):
Based on the results documented in the SAQ C noted above, each signatory identified in any of Parts 3b−3d, as applicable, assert(s) the following compliance status for the merchant identified in Part 2 of this document.
Modified p. 50 → 75
Compliant: All sections of the PCI DSS SAQ are complete, all questions answered affirmatively, resulting in an overall COMPLIANT rating; thereby (Merchant Company Name) has demonstrated full compliance with the PCI DSS.
Compliant: All sections of the PCI DSS SAQ are complete and all requirements are marked as being either 1) In Place, 2) In Place with CCW, or 3) Not Applicable, resulting in an overall COMPLIANT rating; thereby (Merchant Company Name) has demonstrated compliance with all PCI DSS requirements included in this SAQ.
Modified p. 50 → 75
Non-Compliant: Not all sections of the PCI DSS SAQ are complete, or not all questions are answered affirmatively, resulting in an overall NON-COMPLIANT rating, thereby (Merchant Company Name) has not demonstrated full compliance with the PCI DSS.
Non-Compliant: Not all sections of the PCI DSS SAQ are complete, or one or more requirements are marked as Not in Place, resulting in an overall NON-COMPLIANT rating; thereby (Merchant Company Name) has not demonstrated compliance with the PCI DSS requirements included in this SAQ.
Modified p. 50 → 75
Affected Requirement Details of how legal constraint prevents requirement being met Part 3a. Acknowledgement of Status Signatory(s) confirms:
Affected Requirement Details of how legal constraint prevents requirement from being met
Modified p. 50 → 76
(Check all that apply)
(Select all that apply)
Modified p. 50 → 76
PCI DSS Self-Assessment Questionnaire C, Version (version of SAQ), was completed according to the instructions therein.
PCI DSS Self-Assessment Questionnaire C, Version 4.0 was completed according to the instructions therein.
Modified p. 50 → 76
All information within the above-referenced SAQ and in this attestation fairly represents the results of my assessment in all material respects.
All information within the above-referenced SAQ and in this attestation fairly represents the results of the merchant’s assessment in all material respects.
Removed p. 51
ASV scans are being completed by the PCI SSC Approved Scanning Vendor (ASV Name).
Modified p. 51 → 76
Part 3b. Merchant Attestation Signature of Merchant Executive Officer  Date:
Part 3b. Merchant Attestation Signature of Merchant Executive Officer  Date: YYYY-MM-DD Merchant Executive Officer Name: Title:
Modified p. 51 → 76
Part 3c. Qualified Security Assessor (QSA) Acknowledgement (if applicable) If a QSA was involved or assisted with this assessment, describe the role performed:
Part 3c. Qualified Security Assessor (QSA) Acknowledgement If a QSA was involved or assisted with this assessment, indicate the role performed:
Modified p. 51 → 76
Signature of Duly Authorized Officer of QSA Company  Date:
Signature of Duly Authorized Officer of QSA Company  Date: YYYY-MM-DD Duly Authorized Officer Name: QSA Company:
Modified p. 51 → 76
Part 3d. Internal Security Assessor (ISA) Involvement (if applicable) If an ISA(s) was involved or assisted with this assessment, identify the ISA personnel and describe the role performed:
Part 3d. PCI SSC Internal Security Assessor (ISA) Involvement If an ISA(s) was involved or assisted with this assessment, indicate the role performed:
Removed p. 52
Check with your acquirer or the payment brand(s) before completing Part 4.

PCI DSS Requirement Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO 1 Install and maintain a firewall configuration to protect cardholder data.

Do not use vendor-supplied defaults for system passwords and other security parameters.
Removed p. 52
Protect all systems against malware and regularly update anti-virus software or programs.
Modified p. 52 → 77
* PCI DSS Requirements indicated here refer to the questions in Section 2 of the SAQ.
* PCI DSS Requirements indicated above refer to the requirements in Section 2 of this SAQ.