Document Comparison
PCI-DSS-v3_2-SAQ-C-rev1_1.pdf
→
PCI-DSS-v3-2-1-SAQ-C-r2.pdf
92% similar
Pages: 55 → 52
Words: 12689 → 12417
Content changes: 141
Content Changes
141 content changes. 39 administrative changes (dates, page numbers) hidden.
Added
p. 2
This document aligns with PCI DSS v3.2.1 r1.
• Section 1 (Parts 1 & 2 of the AOC)
• Section 3 (Parts 3 & 4 of the AOC)
Added
p. 12
• Examine vendor documentation.
• Observe system configurations and account settings.
Added
p. 12
Are unnecessary default accounts removed or disabled before installing a system on the network?
• Review policies and procedures.
Added
p. 12
• Examine system configurations and account settings.
Added
p. 13
• Review system configuration standards.
• Review industry-accepted hardening standards.
• Examine configuration settings.
• Examine configuration settings.
• Compare enabled services, etc. to documented justifications.
• Examine security parameter settings.
• Compare settings to system configuration standards.
• Examine security parameters on system components.
• Examine security parameters on system components.
(c) Is only documented functionality present on system components?
• Review documentation.
• Observe an administrator log on.
• Observe an administrator log on.
• Examine services and files.
• Examine deletion processes.
• The cardholder’s name,
• Primary account number (PAN),
• Expiration date, and
Added
p. 17
- Database contents
3.2.2 The card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) is not stored after authorization?
• Examine data sources including:
• Review roles that need access to displays of full PAN.
• Observe displays of PAN.
• Review documented standards.
• Review all locations where CHD is transmitted or received.
(b) Are only trusted keys and/or certificates accepted?
• Observe inbound and outbound transmissions.
• Examine keys and certificates.
(c) Are security protocols implemented to use only secure configurations, and to not support insecure versions or configurations?
• Examine system configurations.
• Cardholder data is only requested if “HTTPS” appears as part of the URL.
• Review wireless networks.
Added
p. 21
• Examine anti-virus configurations, including the master installation.
Added
p. 21
(b) Are automatic updates and periodic scans enabled and being performed?
• Examine anti-virus configurations, including the master installation.
• Review log retention processes.
• Examine anti-virus configurations.
• Compare list of security patches installed to recent vendor patch lists.
• Examine change control documentation.
• Observe affected systems or networks.
• Interview management.
• Review privileged user IDs.
Are third-party remote access accounts monitored when in use?
• Interview personnel.
• Something you have, such as a token device or smart card
• Something you are, such as a biometric
• Review password procedures.
• Observe authentication processes.
Added
p. 27
• Sample system components.
• Observe security personnel.
Added
p. 27
• Observe administrator logging into CDE.
• Observe personnel connecting remotely.
• Review distribution method.
Do authentication policies and procedures include the following?
- Guidance on selecting strong authentication credentials
- Guidance for how users should protect their authentication credentials
- Instructions not to reuse previously used passwords
- Instructions that users should change passwords if there is any suspicion the password could be compromised
• Review documentation provided to users.
• Generic user IDs and accounts are disabled or removed;
• Shared user IDs for system administration activities and other critical functions do not exist; and
• Shared and generic user IDs are not used to administer any system components?
• Review policies and procedures.
• Examine user ID lists.
• Observe physical monitoring mechanisms.
• Observe security features.
Added
p. 30
• Observe data storage.
• Examine media distribution tracking logs and documentation.
• Examine media distribution tracking logs and documentation.
• Interview personnel
Added
p. 32
• Examine the list of devices.
(b) Is the list accurate and up to date?
• Observe devices and device locations and compare to list.
(c) Is the list of devices updated when devices are added, relocated, decommissioned, etc.?
• Interview personnel.
Are personnel aware of procedures for inspecting devices?
• Interview personnel.
Added
p. 36
• Review security policies and procedures.
Added
p. 37
• Interview personnel.
10.7 Are audit logs retained for at least one year?
• Interview personnel.
• Examine audit logs.
Are at least the last three months’ logs immediately available for analysis?
• Interview personnel.
• Evaluate the methodology.
(c) If wireless scanning is utilized to identify authorized and unauthorized wireless access points, is the scan performed at least quarterly for all system components and facilities?
• Examine output from recent wireless scans.
• Inspect recent wireless scans and related responses.
(b) Does the quarterly internal scan process address all “high risk” vulnerabilities and include rescans to verify all “high-risk” vulnerabilities (as defined in PCI DSS Requirement 6.1) are resolved?
• Review scan reports.
• Review results from the four most recent quarters of external vulnerability scans.
• Review penetration-testing methodology.
- Covers all segmentation controls/methods in use.
- Verifies that segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.
• Application executables
• Configuration and parameter files
• …
Added
p. 44
• Interview a sample of responsible personnel.
Added
p. 44
• Review list of service providers.
• Observe written agreements.
• Review incident response plan procedures.
- Specific incident response procedures?
• Review incident response plan procedures.
- Business recovery and continuity procedures?
• Review incident response plan procedures.
- Data backup processes?
• Review incident response plan procedures.
- Analysis of legal requirements for reporting compromises?
• Review incident response plan procedures.
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A A2.1 For POS POI terminals (at the merchant or payment-acceptance location) using SSL and/or early TLS: Are the devices confirmed to not be susceptible to any known exploits for SSL/early TLS? Note: This requirement is intended to apply to the entity with the POS POI terminal, such as a merchant. This requirement is not intended for service providers who serve as the termination or connection point to those POS POI terminals. Requirements A2.2 and A2.3 apply to POS POI service providers.
• Review …
Modified
p. 4
• Your company has a payment application system and an Internet connection on the same device and/or same local area network (LAN);
• The payment application system/Internet device is not connected to any other systems within your environment (this can be achieved via network segmentation to isolate payment application system/Internet device from all other systems)1;
• The physical location of the POS environment is not connected to other premises or locations, and any LAN is for a single location only;
…
Modified
p. 4
1. Identify the applicable SAQ for your environment
• refer to the Self-Assessment Questionnaire Instructions and Guidelines document on PCI SSC website for information.
• refer
1. Identify the applicable SAQ for your environment: refer to the Self-Assessment Questionnaire Instructions and Guidelines document on PCI SSC website for information.
Modified
p. 4
• Assessment Information and Executive
• Assessment Information and Executive Summary
Modified
p. 4
• PCI DSS Self-Assessment Questionnaire (SAQ C) 1 This criteria is not intended to prohibit more than one of the permitted system type (that is, a payment application system) being on the same network zone, as long as the permitted systems are isolated from other types of systems
• PCI DSS Self-Assessment Questionnaire (SAQ C) 1 This criteria is not intended to prohibit more than one of the permitted system type (that is, a payment application system) being on the same network zone, as long as the permitted systems are isolated from other types of systems (e.g., by implementing network segmentation). Additionally, this criteria is not intended to prevent the defined system type from being able to transmit transaction information to a third party for processing, such as …
Removed
p. 5
(PCI Data Security Standard Requirements and Security Assessment Procedures) Guidance on Scoping Guidance on the intent of all PCI DSS Requirements Details of testing procedures Guidance on Compensating Controls SAQ Instructions and Guidelines documents Information about all SAQs and their eligibility criteria How to determine which SAQ is right for your organization
Modified
p. 5
5. Submit the SAQ and Attestation of Compliance (AOC), along with any other requested documentation
•such as ASV scan reports
•to your acquirer, paymentbrand or other requester.
•such as ASV scan reports
•to your acquirer, payment
5. Submit the SAQ and Attestation of Compliance (AOC), along with any other requested documentation
•such as ASV scan reports
•to your acquirer, payment brand, or other requester.
•such as ASV scan reports
•to your acquirer, payment brand, or other requester.
Modified
p. 5
PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms Descriptions and definitions of terms used in the PCI DSS and self-assessment questionnaires These and other resources can be found on the PCI SSC website (www.pcisecuritystandards.org). Organizations are encouraged to review the PCI DSS and other supporting documents before beginning an assessment.
(PCI Data Security Standard Requirements and Security Assessment Procedures)
• Guidance on Scoping
• Guidance on the intent of all PCI DSS Requirements
• Details of testing procedures
• Guidance on Compensating Controls SAQ Instructions and Guidelines documents
• Information about all SAQs and their eligibility criteria
• How to determine which SAQ is right for your organization PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms • Descriptions and definitions of terms used in the PCI DSS and self-assessment questionnaires These and other resources …
Modified
p. 7
Section 1: Assessment Information Instructions for Submission This document must be completed as a declaration of the results of the merchant’s self-assessment with the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS). Complete all sections: The merchant is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact acquirer (merchant bank) or the payment brands to determine reporting and submission procedures.
Section 1: Assessment Information Instructions for Submission This document must be completed as a declaration of the results of the merchant’s self-assessment with the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS). Complete all sections: The merchant is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact your acquirer (merchant bank) or the payment brands to determine reporting and submission procedures.
Modified
p. 8
Type of facility Number of facilities of this type Location(s) of facility (city, country) Example: Retail outlets 3 Boston, MA, USA Part 2d. Payment Application Does the organization use one or more Payment Applications? Yes No Provide the following information regarding the Payment Applications your organization uses:
Type of facility Number of facilities of this type Location(s) of facility (city, country) Example: Retail outlets 3 Boston, MA, USA Part 2d. Payment Applications Does the organization use one or more Payment Applications? Yes No Provide the following information regarding the Payment Applications your organization uses:
Modified
p. 8
Does your business use network segmentation to affect the scope of your PCI DSS environment? (Refer to “Network Segmentation” section of PCI DSS for guidance on network segmentation)
Does your business use network segmentation to affect the scope of your PCI DSS environment? (Refer to “Network Segmentation” section of PCI DSS for guidance on network segmentation.)
Modified
p. 10
Is all other inbound and outbound traffic specifically denied (for example by using an explicit “deny all” or an implicit deny after allow statement)? • Review firewall and router configuration standards.
Removed
p. 12
Review policies and procedures Examine vendor documentation Observe system configurations and account settings Interview personnel (b) Are unnecessary default accounts removed or disabled before installing a system on the network? Review policies and procedures Review vendor documentation Examine system configurations and account settings Interview personnel 2.1.1 For wireless environments connected to the cardholder data environment or transmitting cardholder data, are ALL wireless vendor defaults changed at installations, as follows:
Modified
p. 12
(a) Are encryption keys changed from default at installation, and changed anytime anyone with knowledge of the keys leaves the company or changes positions?
(a) Are encryption keys changed from default at installation, and changed anytime anyone with knowledge of the keys leaves the company or changes positions? • Review policies and procedures.
Modified
p. 12
(b) Are default SNMP community strings on wireless devices changed at installation? • Review policies and procedures.
Modified
p. 12
(c) Are default passwords/passphrases on access points changed at installation? • Review policies and procedures.
Modified
p. 13
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A (d) Is firmware on wireless devices updated to support strong encryption for authentication and transmission over wireless networks?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 2.1.1 (cont.) (d) Is firmware on wireless devices updated to support strong encryption for authentication and transmission over wireless networks? • Review policies and procedures.
Modified
p. 13
(e) Are other security-related wireless vendor defaults changed, if applicable? • Review policies and procedures.
Modified
p. 13
(b) Are system configuration standards updated as new vulnerability issues are identified, as defined in Requirement 6.1? • Review policies and procedures.
Modified
p. 13
(c) Are system configuration standards applied when new systems are configured? • Review policies and procedures.
Modified
p. 14
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 2.2 (cont.) (d) Do system configuration standards include all of the following:
- Changing of all vendor-supplied defaults and elimination of unnecessary default accounts?
- Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same server?
- Enabling only necessary services, protocols, daemons, etc., as required for the function of the system?
- Implementing additional …
Modified
p. 14
If virtualization technologies are used, is only one primary function implemented per virtual system component or device? • Examine system configurations.
Modified
p. 14 → 16
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A (d) Do system configuration standards include all of the following:
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 2.3 Is non-console administrative access encrypted as follows:
Modified
p. 15
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 2.2.2 (a) Are only necessary services, protocols, daemons, etc. enabled as required for the function of the system (services and protocols not directly needed to perform the device’s specified function are disabled)?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 2.2.2 (a) Are only necessary services, protocols, daemons, etc. enabled as required for the function of the system (services and protocols not directly needed to perform the device’s specified function are disabled)? • Review configuration standards.
Modified
p. 15
(b) Are all enabled insecure services, daemons, or protocols justified per documented configuration standards? • Review configuration standards
Modified
p. 15
Are common system security parameters settings included in the system configuration standards? • Review system configuration standards.
Modified
p. 15
(c) Are security parameter settings set appropriately on system components? • Examine system components.
Removed
p. 16
Review documentation Examine security parameters on system components (c) Is only documented functionality present on system components? Review documentation Examine security parameters on system components 2.3 Is non-console administrative access encrypted as follows:
Note: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed.
Modified
p. 16 → 15
Are enabled functions documented and do they support secure configuration? • Review documentation.
Modified
p. 16
(a) Is all non-console administrative access encrypted with strong cryptography, and is a strong encryption method invoked before the administrator’s password is requested?
(a) Is all non-console administrative access encrypted with strong cryptography, and is a strong encryption method invoked before the administrator’s password is requested? • Examine system components.
Modified
p. 16
(b) Are system services and parameter files configured to prevent the use of Telnet and other insecure remote login commands? • Examine system components.
Modified
p. 16
(c) Is administrator access to web-based management interfaces encrypted with strong cryptography? • Examine system components.
Modified
p. 16
(d) For the technology in use, is strong cryptography implemented according to industry best practice and/or vendor recommendations? • Examine system components.
Modified
p. 17 → 16
• Known to all affected parties? • Review security policies and operational procedures.
Removed
p. 18
Incoming transaction data All logs History files Trace files Database schema Database contents
Modified
p. 18 → 17
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 3.2 (c) Is sensitive authentication data deleted or rendered unrecoverable upon completion of the authorization process? Review policies and procedures Examine system configurations Examine deletion processes (d) Do all systems adhere to the following requirements regarding non-storage of sensitive authentication data after authorization (even if encrypted):
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 3.2 (c) Is sensitive authentication data deleted or rendered unrecoverable upon completion of the authorization process? • Review policies and procedures.
Modified
p. 18 → 17
• Service code To minimize risk, store only these data elements as needed for business.
Modified
p. 18 → 17
• Examine data sources including:
Removed
p. 19
Incoming transaction data All logs History files Trace files Database schema Database contents 3.2.3 The personal identification number (PIN) or the encrypted PIN block is not stored after authorization? Examine data sources including:
Review policies and procedures Review roles that need access to displays of full PAN Examine system configurations Observe displays of PAN
Modified
p. 19 → 18
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 3.2.2 The card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) is not stored after authorization? Examine data sources including:
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 3.2.3 The personal identification number (PIN) or the encrypted PIN block is not stored after authorization? • Examine data sources including:
Modified
p. 19 → 18
- Database contents
3.3 Is the PAN masked when displayed (the first six and last four digits are the maximum number of digits to be displayed) such that only personnel with a legitimate business need can see more than the first six/last four digits of the PAN? Note: This requirement does not supersede stricter requirements in place for displays of cardholder data, for example, legal or payment card brand requirements for point-of-sale (POS) receipts.
Removed
p. 20
Review documented standards Review policies and procedures Review all locations where CHD is transmitted or received Examine system configurations (b) Are only trusted keys and/or certificates accepted? Observe inbound and outbound transmissions Examine keys and certificates (c) Are security protocols implemented to use only secure configurations, and to not support insecure versions or configurations?
Modified
p. 20 → 19
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 4.1 (a) Are strong cryptography and security protocols used to safeguard sensitive cardholder data during transmission over open, public networks? Note: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed.
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 4.1 (a) Are strong cryptography and security protocols used to safeguard sensitive cardholder data during transmission over open, public networks? Note: Examples of open, public networks include but are not limited to the Internet; wireless technologies, including 802.11 and Bluetooth; cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA); and General Packet Radio Service (GPRS).
Modified
p. 20 → 19
(d) Is the proper encryption strength implemented for the encryption methodology in use (check vendor recommendations/best practices)? • Review vendor documentation.
Modified
p. 20 → 19
(e) For TLS implementations, is TLS enabled whenever cardholder data is transmitted or received? For example, for browser-based implementations:
Modified
p. 20 → 19
• “HTTPS” appears as the browser Universal Record Locator (URL) protocol, and
Modified
p. 20 → 19
• Examine system configurations.
Modified
p. 21 → 20
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 4.2 Are policies in place that state that unprotected PANs are not to be sent via end-user messaging technologies? • Review policies and procedures.
Modified
p. 22 → 21
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 5.1 Is anti-virus software deployed on all systems commonly affected by malicious software?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 5.1 Is anti-virus software deployed on all systems commonly affected by malicious software? • Examine system configurations.
Modified
p. 22 → 21
(a) Are all anti-virus software and definitions kept current? Examine policies and procedures Examine anti-virus configurations, including the master installation Examine system components (b) Are automatic updates and periodic scans enabled and being performed?
(a) Are all anti-virus software and definitions kept current? • Examine policies and procedures.
Modified
p. 22 → 21
(c) Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7? • Examine anti-virus configurations.
Removed
p. 23
Examine anti-virus configurations Examine system components Observe processes Interview personnel
Modified
p. 23 → 22
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 5.3 Are all anti-virus mechanisms:
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 5.3 Are all anti-virus mechanisms:
Modified
p. 23 → 22
• Unable to be disabled or altered by users? Note: Anti-virus solutions may be temporarily disabled only if there is legitimate technical need, as authorized by management on a case-by-case basis. If anti-virus protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period of time during which anti-virus protection is not active.
Modified
p. 24 → 23
• Using reputable outside sources for vulnerability information?
Modified
p. 24 → 23
• Assigning a risk ranking to vulnerabilities that includes identification of all “high” risk and “critical” vulnerabilities? Note: Risk rankings should be based on industry best practices as well as consideration of potential impact. For example, criteria for ranking vulnerabilities may include consideration of the CVSS base score and/or the classification by the vendor, and/or type of systems affected.
Modified
p. 24 → 23
• Review policies and procedures.
Removed
p. 25
Trace changes to change control documentation Examine change control documentation Interview personnel Observe affected systems or networks
Modified
p. 25 → 24
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 6.2 (a) Are all system components and software protected from known vulnerabilities by installing applicable vendor-supplied security patches?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 6.2 (a) Are all system components and software protected from known vulnerabilities by installing applicable vendor-supplied security patches? • Review policies and procedures.
Modified
p. 25 → 24
Are critical security patches installed within one month of release? Note: Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1.
Modified
p. 26 → 25
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 7.1 Is access to system components and cardholder data limited to only those individuals whose jobs require such access, as follows:
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 7.1 Is access to system components and cardholder data limited to only those individuals whose jobs require such access, as follows:
Modified
p. 26 → 25
• To least privileges necessary to perform job responsibilities?
Modified
p. 26 → 25
• Assigned only to roles that specifically require that privileged access? • Interview personnel.
Removed
p. 27
Review password procedures Interview personnel Observe processes (b) Are third party remote access accounts monitored when in use?
Modified
p. 27 → 26
In addition to assigning a unique ID, is one or more of the following methods employed to authenticate all users? • Something you know, such as a password or passphrase
Modified
p. 28 → 27
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 8.2.3 (a) Are user password parameters configured to require passwords/passphrases meet the following? A minimum password length of at least seven characters Contain both numeric and alphabetic characters Alternatively, the passwords/passphrases must have complexity and strength at least equivalent to the parameters specified above.
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 8.2.3 (a) Are user password parameters configured to require passwords/passphrases meet the following? - A minimum password length of at least seven characters - Contain both numeric and alphabetic characters Alternatively, the passwords/passphrases must have complexity and strength at least equivalent to the parameters specified above.
Modified
p. 28 → 27
• Examine system configuration settings to verify password parameters.
Removed
p. 29
Review policies and procedures Review distribution method Interview personnel Interview users (b) Do authentication policies and procedures include the following? Guidance on selecting strong authentication credentials Guidance for how users should protect their authentication credentials Instructions not to reuse previously used passwords Instructions that users should change passwords if there is any suspicion the password could be compromised Review policies and procedures Review documentation provided to users
Modified
p. 29 → 28
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 8.3.2 Is multi-factor authentication incorporated for all remote network access (both user and administrator, and including third-party access for support or maintenance) originating from outside the entity’s network? • Examine system configurations.
Modified
p. 29
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 8.3.1 Is multi-factor authentication incorporated for all non- console access into the CDE for personnel with administrative access? Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 8.8 Are security policies and operational procedures for identification and authentication:
Removed
p. 30
Generic user IDs and accounts are disabled or removed; Shared user IDs for system administration activities and other critical functions do not exist; and Shared and generic user IDs are not used to administer any system components? Review policies and procedures Examine user ID lists Interview personnel 8.8 Are security policies and operational procedures for identification and authentication:
Modified
p. 30 → 29
• Known to all affected parties? • Examine security policies and operational procedures.
Modified
p. 31 → 30
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 9.1 Are appropriate facility entry controls in place to limit and monitor physical access to systems in the cardholder data environment?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 9.1 Are appropriate facility entry controls in place to limit and monitor physical access to systems in the cardholder data environment? • Observe physical access controls.
Modified
p. 31 → 30
Are either video cameras or access control mechanisms (or both) protected from tampering or disabling? • Interview personnel.
Modified
p. 31 → 30
(c) Is data collected from video cameras and/or access control mechanisms reviewed and correlated with other entries? • Review policies and procedures.
Modified
p. 31 → 30
(d) Is data collected from video cameras and/or access control mechanisms stored for at least three months unless otherwise restricted by law? • Review data retention processes.
Modified
p. 31
• Review policies and procedures for physically securing media.
Modified
p. 32 → 31
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 9.5 Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? For purposes of Requirement 9, “media” refers to all paper and electronic media containing cardholder data.
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 9.5 Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? For purposes of Requirement 9, “media” refers to all paper and electronic media containing cardholder data.
Removed
p. 33
Review policies and procedures 9.9.1 (a) Does the list of devices include the following?
Make, model of device Location of device (for example, the address of the site or facility where the device is located) Device serial number or other method of unique identification Examine the list of devices (b) Is the list accurate and up to date? Observe devices and device locations and compare to list (c) Is the list of devices updated when devices are added, relocated, decommissioned, etc.? Interview personnel
Modified
p. 33 → 31
• Observe processes Are storage containers used for materials that contain information to be destroyed secured to prevent access to the contents? • Examine security of storage containers.
Modified
p. 33 → 32
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 9.9 Are devices that capture payment card data via direct physical interaction with the card protected against tampering and substitution as follows? Note: This requirement applies to card-reading devices used in card-present transactions (that is, card swipe or dip) at the point of sale. This requirement is not intended to apply to manual key-entry components such as computer keyboards and POS keypads.
Modified
p. 33 → 32
(a) Do policies and procedures require that a list of such devices be maintained?
(a) Do policies and procedures require that a list of such devices be maintained? • Review policies and procedures.
Modified
p. 33 → 32
(b) Do policies and procedures require that devices are periodically inspected to look for tampering or substitution? • Review policies and procedures.
Modified
p. 33 → 32
(c) Do policies and procedures require that personnel are trained to be aware of suspicious behavior and to report tampering or substitution of devices? • Review policies and procedures.
Removed
p. 34
Interview personnel 9.9.3 Are personnel trained to be aware of attempted tampering or replacement of devices, to include the following?
Modified
p. 34 → 33
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 9.9.2 (a) Are device surfaces periodically inspected to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device) as follows? Note: Examples of signs that a device might have been tampered with or substituted include unexpected attachments or cables …
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 9.9.2 (a) Are device surfaces periodically inspected to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device) as follows? Note: Examples of signs that a device might have been tampered with or substituted include unexpected attachments or cables plugged into …
Modified
p. 34 → 33
• Observe inspection processes and compare to defined processes.
Modified
p. 34 → 33
• Review training materials.
Modified
p. 35 → 34
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A (b) Have personnel at point-of-sale locations received training, and are they aware of procedures to detect and report attempted tampering or replacement of devices? Interview personnel at POS locations
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 9.9.3 (cont.) (b) Have personnel at point-of-sale locations received training, and are they aware of procedures to detect and report attempted tampering or replacement of devices? • Interview personnel at POS locations.
Removed
p. 36
• and all changes, additions, or deletions to accounts with root or administrative privileges? Interview personnel Observe audit logs Examine audit log settings 10.3 Are the following audit trail entries recorded for all system components for each event:
Modified
p. 37 → 36
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 10.3.4 Success or failure indication? Interview personnel Observe audit logs Examine audit log settings 10.3.5 Origination of event? Interview personnel Observe audit logs Examine audit log settings 10.3.6 Identity or name of affected data, system component, or resource?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 10.3.4 Success or failure indication? • Interview personnel.
Removed
p. 38
Review security policies and procedures Observe processes Interview personnel 10.7 (b) Are audit logs retained for at least one year? Review security policies and procedures Interview personnel Examine audit logs (c) Are at least the last three months’ logs immediately available for analysis? Interview personnel Observe processes
Modified
p. 38 → 37
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 10.6.3 (b) Is follow up to exceptions and anomalies identified during the review process performed?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 10.6.3 Is follow up to exceptions and anomalies performed? • Review security policies and procedures
Removed
p. 39
Evaluate the methodology (c) If wireless scanning is utilized to identify authorized and unauthorized wireless access points, is the scan performed at least quarterly for all system components and facilities?
Modified
p. 39 → 38
Does the methodology detect and identify any unauthorized wireless access points, including at least the following? - WLAN cards inserted into system components; - Portable or mobile devices attached to system components to create a wireless access point (for example, by USB, etc.); and - Wireless devices attached to a network port or network device.
Modified
p. 39 → 38
(d) If automated monitoring is utilized (for example, wireless IDS/IPS, NAC, etc.), is monitoring configured to generate alerts to notify personnel? • Examine configuration settings.
Modified
p. 40 → 39
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 11.1.2 (a) Does the incident response plan define and require a response in the event that an unauthorized wireless access point is detected?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 11.1.2 (a) Does the incident response plan define and require a response in the event that an unauthorized wireless access point is detected? • Examine incident response plan (see Requirement 12.10).
Modified
p. 40 → 39
Is action taken when unauthorized wireless access points are found? • Interview responsible personnel.
Modified
p. 40 → 39
For initial PCI DSS compliance, it is not required that four quarters of passing scans be completed if the assessor verifies 1) the most recent scan result was a passing scan, 2) the entity has documented policies and procedures requiring quarterly scanning, and 3) vulnerabilities noted in the scan results have been corrected as shown in a re- scan(s). For subsequent years after the initial PCI DSS review, four quarters of passing scans must have occurred.
For initial PCI DSS compliance, it is not required that four quarters of passing scans be completed if the assessor verifies 1) the most recent scan result was a passing scan, 2) the entity has documented policies and procedures requiring quarterly scanning, and 3) vulnerabilities noted in the scan results have been corrected as shown in a re-scan(s). For subsequent years after the initial PCI DSS review, four quarters of passing scans must have occurred.
Modified
p. 41 → 40
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 11.2.1 (a) Are quarterly internal vulnerability scans performed? Review scan reports (b) Does the quarterly internal scan process address all “high risk” vulnerabilities and include rescans to verify all “high-risk” vulnerabilities (as defined in PCI DSS Requirement 6.1) are resolved?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 11.2.1 (a) Are quarterly internal vulnerability scans performed? • Review scan reports.
Modified
p. 41 → 40
(c) Are quarterly internal scans performed by a qualified internal resource(s) or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)? • Interview personnel.
Modified
p. 41 → 40
(b) Do external quarterly scan and rescan results satisfy the ASV Program Guide requirements for a passing scan (for example, no vulnerabilities rated 4.0 or higher by the CVSS, and no automatic failures)? • Review results of each external quarterly scan and rescan.
Modified
p. 41 → 40
(c) Are quarterly external vulnerability scans performed by a PCI SSC Approved Scanning Vendor (ASV)? • Review results of each external quarterly scan and rescan.
Modified
p. 42 → 41
• Examine and correlate change control documentation and scan reports.
Modified
p. 42 → 41
- For external scans, no vulnerabilities exist that are scored 4.0 or higher by the CVSS, - For internal scans, a passing result is obtained or all “high-risk” vulnerabilities as defined in PCI DSS Requirement 6.1 are resolved? • Review scan reports.
Modified
p. 42 → 41
(c) Are scans performed by a qualified internal resource(s) or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)? • Interview personnel.
Modified
p. 42 → 41
(a) Are penetration-testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of-scope systems from systems in the CDE?
(a) Are penetration-testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of- scope systems from systems in the CDE? • Examine segmentation controls.
Modified
p. 42 → 41
(b) Does penetration testing to verify segmentation controls meet the following? - Performed at least annually and after any changes to segmentation controls/methods.
Modified
p. 42 → 41
• Examine results from the most recent penetration test.
Modified
p. 43 → 41
(c) Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)? • Interview responsible personnel.
Modified
p. 43 → 42
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 11.5 (a) Is a change-detection mechanism (for example, file-integrity monitoring tools) deployed to detect unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files? Examples of files that should be monitored include:
Modified
p. 43 → 42
(b) Is the change-detection mechanism configured to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files or content files, and do the tools perform critical file comparisons at least weekly? Note: For change detection purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. Change detection mechanisms such as file-integrity monitoring products usually come pre-configured with critical files …
Modified
p. 43 → 42
• Observe system settings and monitored files.
Modified
p. 45 → 43
Note: For the purposes of Requirement 12, “personnel” refers to full-time part-time employees, temporary employees and personnel, and contractors and consultants who are “resident” on the entity’s site or otherwise have access to the company’s site cardholder data environment.
Modified
p. 45 → 43
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 12.1 Is a security policy established, published, maintained, and disseminated to all relevant personnel?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 12.1 Is a security policy established, published, maintained, and disseminated to all relevant personnel? • Review the information security policy.
Modified
p. 46 → 44
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 12.3.9 Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use? • Review usage policies.
Removed
p. 48
Review incident response plan procedures Specific incident response procedures? Review incident response plan procedures Business recovery and continuity procedures? Review incident response plan procedures Data backup processes? Review incident response plan procedures Analysis of legal requirements for reporting compromises?
Modified
p. 48 → 46
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 12.10.1 (a) Has an incident response plan been created to be implemented in the event of system breach? Review the incident response plan Review incident response plan procedures (b) Does the plan address the following, at a minimum:
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 12.10.1 (a) Has an incident response plan been created to be implemented in the event of system breach? • Review the incident response plan.
Modified
p. 48 → 46
- Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum? • Review incident response plan procedures.
Modified
p. 48 → 46
- Coverage and responses of all critical system components? • Review incident response plan procedures.
Modified
p. 48 → 46
- Reference or inclusion of incident response procedures from the payment brands? • Review incident response plan procedures.
Removed
p. 49
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A A2.1 For POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS:
Are the devices confirmed to not be susceptible to any known exploits for SSL/early TLS Is there a formal Risk Mitigation and Migration Plan in place per Requirement A2.2? Review documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS A2.2 Is there a formal Risk Mitigation and Migration Plan in place for all implementations that use SSL and/or early TLS (other than as allowed in A2.1), that includes:
Description of usage, including; what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, type of environment; Risk assessment results and risk reduction controls …
Modified
p. 49 → 47
Appendix A2: Additional PCI DSS Requirements for Entities using SSL/early TLS
Appendix A2: Additional PCI DSS Requirements for Entities using SSL/Early TLS for Card-Present POS POI Terminal Connections
Modified
p. 53 → 50
Based on the results documented in the SAQ C noted above, the signatories identified in Parts 3b-3d, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document: (check one):
Based on the results documented in the SAQ C noted above, the signatories identified in Parts 3b-3d, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document (check one):
Modified
p. 54 → 51
ASV scans are being completed by the PCI SSC Approved Scanning Vendor (ASV Name) Part 3b. Merchant Attestation Signature of Merchant Executive Officer Date:
ASV scans are being completed by the PCI SSC Approved Scanning Vendor (ASV Name).
Modified
p. 55 → 52
PCI DSS Requirement* Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security parameters 3 Protect stored cardholder data 4 Encrypt transmission of cardholder data across open, public networks Protect all systems against malware and regularly update anti- virus software or programs 6 Develop and maintain secure …
PCI DSS Requirement Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO 1 Install and maintain a firewall configuration to protect cardholder data. Do not use vendor-supplied defaults for system passwords and other security parameters. 3 Protect stored cardholder data. 4 Encrypt transmission of cardholder data across open, public networks. Protect all systems against malware and regularly update anti-virus software or programs. 6 Develop and maintain secure …