Document Comparison
AOC-SAQ-C-VT-v3-2-1-r2.pdf
→
PCI-DSS-v4-0-AOC-for-SAQ-C-VT-r1.pdf
48% similar
9 → 11
Pages
1907 → 2200
Words
29
Content Changes
Content Changes
29 content changes. 13 administrative changes (dates, page numbers) hidden.
Added
p. 2
This AOC reflects the results documented in an associated Self-Assessment Questionnaire (SAQ).
Capitalized terms used but not otherwise defined in this document have the meanings set forth in the PCI DSS Self-Assessment Questionnaire.
Part 1. Contact Information Part 1a. Assessed Merchant Company name:
Company mailing address:
Company mailing address:
Company main website:
Company contact name:
Company contact title:
Contact phone number:
Contact e-mail address:
Part 1b. Assessor Provide the following information for all assessors involved in the assessment. If there was no assessor for a given assessor type, enter Not Applicable.
PCI SSC Internal Security Assessor(s) ISA name(s):
Assessor phone number:
Assessor e-mail address:
Assessor certificate number:
Indicate all payment channels used by the business that are included in this assessment.
Mail order/telephone order (MOTO) E-Commerce Card-present Are any payment channels not included in this assessment? If yes, indicate which channel(s) is not included in the assessment and provide a brief explanation about why the channel was excluded.
Part 2b. Description of Role with Payment Cards For …
Capitalized terms used but not otherwise defined in this document have the meanings set forth in the PCI DSS Self-Assessment Questionnaire.
Part 1. Contact Information Part 1a. Assessed Merchant Company name:
Company mailing address:
Company mailing address:
Company main website:
Company contact name:
Company contact title:
Contact phone number:
Contact e-mail address:
Part 1b. Assessor Provide the following information for all assessors involved in the assessment. If there was no assessor for a given assessor type, enter Not Applicable.
PCI SSC Internal Security Assessor(s) ISA name(s):
Assessor phone number:
Assessor e-mail address:
Assessor certificate number:
Indicate all payment channels used by the business that are included in this assessment.
Mail order/telephone order (MOTO) E-Commerce Card-present Are any payment channels not included in this assessment? If yes, indicate which channel(s) is not included in the assessment and provide a brief explanation about why the channel was excluded.
Part 2b. Description of Role with Payment Cards For …
Added
p. 4
Facility Type Total number of locations (How many locations of this type are in scope) Location(s) of facility (city, country) Example: Data centers 3 Boston, MA, USA Part 2e. PCI SSC Validated Products and Solutions Does the merchant use any item identified on any PCI SSC Lists of Validated Products and Solutions♦? Provide the following information regarding each item the merchant uses from PCI SSC’s Lists of Validated Products and Solutions.
Name of PCI SSC- validated Product or Version of Product or
PCI SSC Standard to which product or solution was validated
PCI SSC listing reference number Expiry date of listing (YYYY-MM-DD) YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD ♦ For purposes of this document, ”Lists of Validated Products and Solutions” means the lists of validated products, solutions, and/or components appearing on the PCI SSC website (www.pcisecuritystandards.org)for example, 3DS Software Development Kits, Approved PTS Devices, Validated Payment Software, Payment …
Name of PCI SSC- validated Product or Version of Product or
PCI SSC Standard to which product or solution was validated
PCI SSC listing reference number Expiry date of listing (YYYY-MM-DD) YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD YYYY-MM-DD ♦ For purposes of this document, ”Lists of Validated Products and Solutions” means the lists of validated products, solutions, and/or components appearing on the PCI SSC website (www.pcisecuritystandards.org)for example, 3DS Software Development Kits, Approved PTS Devices, Validated Payment Software, Payment …
Added
p. 6
PCI DSS Requirement * Requirement Responses More than one response may be selected for a given requirement.
Indicate all responses that apply.
In Place In Place with CCW Not Applicable Not in Place
* PCI DSS Requirements indicated above refer to the requirements in Section 2 of the SAQ associated with this AOC.
Indicate all responses that apply.
In Place In Place with CCW Not Applicable Not in Place
* PCI DSS Requirements indicated above refer to the requirements in Section 2 of the SAQ associated with this AOC.
Added
p. 9
Target Date for Compliance: YYYY-MM-DD A merchant submitting this form with a Non-Compliant status may be required to complete the Action Plan in Part 4 of this document. Confirm with the entity to which this AOC will be submitted before completing Part 4.
Compliant but with Legal exception: One or more requirements in the PCI DSS SAQ are marked as Not in Place due to a legal restriction that prevents the requirement from being met and all other requirements are marked as being either 1) In Place, 2) In Place with CCW, or 3) Not Applicable, resulting in an overall COMPLIANT BUT WITH LEGAL EXCEPTION rating; thereby (Merchant Company Name) has demonstrated compliance with all PCI DSS requirements included in this SAQ except those noted as Not in Place due to a legal restriction.
This option requires additional review from the entity to which this AOC will be submitted. If selected, complete …
Compliant but with Legal exception: One or more requirements in the PCI DSS SAQ are marked as Not in Place due to a legal restriction that prevents the requirement from being met and all other requirements are marked as being either 1) In Place, 2) In Place with CCW, or 3) Not Applicable, resulting in an overall COMPLIANT BUT WITH LEGAL EXCEPTION rating; thereby (Merchant Company Name) has demonstrated compliance with all PCI DSS requirements included in this SAQ except those noted as Not in Place due to a legal restriction.
This option requires additional review from the entity to which this AOC will be submitted. If selected, complete …
Added
p. 11
If asked to complete this section, select the appropriate response for “Compliant to PCI DSS Requirements” for each requirement below. For any “No” responses, include the date the merchant expects to be compliant with the requirement and a brief description of the actions being taken to meet the requirement.
PCI DSS Requirement* Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO 1 Install and maintain network security controls Apply secure configurations to all system components 3 Protect stored account data Protect cardholder data with strong cryptography during transmission over open, public networks 5 Protect all systems and networks from malicious software 6 Develop and maintain secure systems and software Restrict access to system components and cardholder data by business need to know 8 Identify users and authenticate access to system components 9 Restrict physical access to cardholder data …
PCI DSS Requirement* Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO 1 Install and maintain network security controls Apply secure configurations to all system components 3 Protect stored account data Protect cardholder data with strong cryptography during transmission over open, public networks 5 Protect all systems and networks from malicious software 6 Develop and maintain secure systems and software Restrict access to system components and cardholder data by business need to know 8 Identify users and authenticate access to system components 9 Restrict physical access to cardholder data …
Removed
p. 3
Part 1. Merchant and Qualified Security Assessor Information Part 1a. Merchant Organization Information Company Name: DBA (doing business as):
Business Address: City:
Business Address: City:
State/Province: Country: Zip:
State/Province: Country: Zip:
Lead QSA Contact Name: Title:
Part 2. Executive Summary Part 2a. Type of Merchant Business (check all that apply) Retailer Telecommunication Grocery and Supermarkets Petroleum E-Commerce Mail order/telephone order (MOTO) Others (please specify):
What types of payment channels does your business serve?
Mail order/telephone order (MOTO) E-Commerce Card-present (face-to-face) Which payment channels are covered by this SAQ? Mail order/telephone order (MOTO) E-Commerce Card-present (face-to-face)
Business Address: City:
Business Address: City:
State/Province: Country: Zip:
State/Province: Country: Zip:
Lead QSA Contact Name: Title:
Part 2. Executive Summary Part 2a. Type of Merchant Business (check all that apply) Retailer Telecommunication Grocery and Supermarkets Petroleum E-Commerce Mail order/telephone order (MOTO) Others (please specify):
What types of payment channels does your business serve?
Mail order/telephone order (MOTO) E-Commerce Card-present (face-to-face) Which payment channels are covered by this SAQ? Mail order/telephone order (MOTO) E-Commerce Card-present (face-to-face)
Modified
p. 3 → 2
Section 1: Assessment Information Instructions for Submission This document must be completed as a declaration of the results of the merchant’s self-assessment with the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS). Complete all sections: The merchant is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact your acquirer (merchant bank) or the payment brands to determine reporting and submission procedures.
Section 1: Assessment Information Instructions for Submission This document must be completed as a declaration of the results of the merchant’s self-assessment against the Payment Card Industry Data Security Standard (PCI DSS) Requirements and Testing Procedures. Complete all sections. The merchant is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact the entity(ies) to which the Attestation of Compliance (AOC) will be submitted for reporting and submission procedures.
Modified
p. 3 → 2
Qualified Security Assessor Company name:
Modified
p. 3
Note: If your organization has a payment channel or process that is not covered by this SAQ, consult your acquirer or payment brand about validation for the other channels.
Note: If the organization has a payment channel that is not covered by this SAQ, consult with the entity(ies) to which this AOC will be submitted about validation for the other channels.
Removed
p. 4
Type of facility Number of facilities of this type Location(s) of facility (city, country) Example: Retail outlets 3 Boston, MA, USA Part 2d. Payment Application Does the organization use one or more Payment Applications? Yes No Provide the following information regarding the Payment Applications your organization uses:
Payment Application Version Number Application Is application PA-DSS Listed? PA-DSS Listing Expiry date (if applicable) Part 2e. Description of Environment Provide a high-level description of the environment covered by this assessment.
For example:
• Connections into and out of the cardholder data environment (CDE).
• Critical system components within the CDE, such as POS devices, databases, web servers, etc., and any other necessary payment components, as applicable.
Payment Application Version Number Application Is application PA-DSS Listed? PA-DSS Listing Expiry date (if applicable) Part 2e. Description of Environment Provide a high-level description of the environment covered by this assessment.
For example:
• Connections into and out of the cardholder data environment (CDE).
• Critical system components within the CDE, such as POS devices, databases, web servers, etc., and any other necessary payment components, as applicable.
Modified
p. 4 → 3
Indicate whether the environment includes segmentation to reduce the scope of the assessment. (Refer to “Segmentation” section of PCI DSS for guidance on segmentation.)
Removed
p. 5
Description of services provided by QIR:
Does your company share cardholder data with any third-party service providers (for example, Qualified Integrator & Resellers (QIR), gateways, payment processors, payment service providers (PSP), web-hosting companies, airline booking agents, loyalty program agents, etc.)? Name of service provider: Description of services provided:
Part 2g. Eligibility to Complete SAQ C-VT Merchant certifies eligibility to complete this shortened version of the Self-Assessment Questionnaire because, for this payment channel:
Does your company share cardholder data with any third-party service providers (for example, Qualified Integrator & Resellers (QIR), gateways, payment processors, payment service providers (PSP), web-hosting companies, airline booking agents, loyalty program agents, etc.)? Name of service provider: Description of services provided:
Part 2g. Eligibility to Complete SAQ C-VT Merchant certifies eligibility to complete this shortened version of the Self-Assessment Questionnaire because, for this payment channel:
Modified
p. 5 → 7
The only payment processing is via a virtual payment terminal accessed by an Internet-connected web browser; The virtual payment terminal solution is provided and hosted by a PCI DSS validated third-party service provider; The PCI DSS-compliant virtual payment terminal solution is only accessed via a computing device that is isolated in a single location and is not connected to other locations or systems; The computing device does not have software installed that causes account data to be stored (for example, …
Removed
p. 6
The assessment documented in this attestation and in the SAQ was completed on:
Have compensating controls been used to meet any requirement in the SAQ? Yes No Were any requirements in the SAQ identified as being not applicable (N/A)? Yes No Were any requirements in the SAQ unable to be met due to a legal constraint? Yes No
Have compensating controls been used to meet any requirement in the SAQ? Yes No Were any requirements in the SAQ identified as being not applicable (N/A)? Yes No Were any requirements in the SAQ unable to be met due to a legal constraint? Yes No
Modified
p. 6 → 8
Section 2: Self-Assessment Questionnaire C-VT This Attestation of Compliance reflects the results of a self-assessment, which is documented in an accompanying SAQ.
Section 2: Self-Assessment Questionnaire C-VT Self-assessment completion date: YYYY-MM-DD Were any requirements in the SAQ unable to be met due to a legal constraint? Yes No
Removed
p. 7
An entity submitting this form with a status of Non-Compliant may be required to complete the Action Plan in Part 4 of this document. Check with your acquirer or the payment brand(s) before completing Part 4.
Compliant but with Legal exception: One or more requirements are marked “No” due to a legal restriction that prevents the requirement from being met. This option requires additional review from acquirer or payment brand.
If checked, complete the following:
I have confirmed with my payment application vendor that my payment system does not store sensitive authentication data after authorization.
I have read the PCI DSS and I recognize that I must maintain PCI DSS compliance, as applicable to my environment, at all times.
If my environment changes, I recognize I must reassess my environment and implement any additional PCI DSS requirements that apply.
Compliant but with Legal exception: One or more requirements are marked “No” due to a legal restriction that prevents the requirement from being met. This option requires additional review from acquirer or payment brand.
If checked, complete the following:
I have confirmed with my payment application vendor that my payment system does not store sensitive authentication data after authorization.
I have read the PCI DSS and I recognize that I must maintain PCI DSS compliance, as applicable to my environment, at all times.
If my environment changes, I recognize I must reassess my environment and implement any additional PCI DSS requirements that apply.
Modified
p. 7 → 9
Section 3: Validation and Attestation Details Part 3. PCI DSS Validation This AOC is based on results noted in SAQ C-VT (Section 2), dated (SAQ completion date).
Section 3: Validation and Attestation Details Part 3. PCI DSS Validation This AOC is based on results noted in SAQ C-VT (Section 2), dated (Self-assessment completion date YYYY-MM-DD).
Modified
p. 7 → 9
Based on the results documented in the SAQ C-VT noted above, the signatories identified in Parts 3b-3d, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document: (check one):
Based on the results documented in the SAQ C-VT noted above, each signatory identified in any of Parts 3b−3d, as applicable, assert(s) the following compliance status for the merchant identified in Part 2 of this document.
Modified
p. 7 → 9
Compliant: All sections of the PCI DSS SAQ are complete, all questions answered affirmatively, resulting in an overall COMPLIANT rating; thereby (Merchant Company Name) has demonstrated full compliance with the PCI DSS.
Compliant: All sections of the PCI DSS SAQ are complete and all requirements are marked as being either 1) In Place, 2) In Place with CCW, or 3) Not Applicable, resulting in an overall COMPLIANT rating; thereby (Merchant Company Name) has demonstrated compliance with all PCI DSS requirements included in this SAQ.
Modified
p. 7 → 9
Non-Compliant: Not all sections of the PCI DSS SAQ are complete, or not all questions are answered affirmatively, resulting in an overall NON-COMPLIANT rating, thereby (Merchant Company Name) has not demonstrated full compliance with the PCI DSS.
Non-Compliant: Not all sections of the PCI DSS SAQ are complete, or one or more requirements are marked as Not in Place, resulting in an overall NON-COMPLIANT rating; thereby (Merchant Company Name) has not demonstrated compliance with the PCI DSS requirements included in this SAQ.
Modified
p. 7 → 9
Affected Requirement Details of how legal constraint prevents requirement being met Part 3a. Acknowledgement of Status Signatory(s) confirms:
Affected Requirement Details of how legal constraint prevents requirement from being met
Modified
p. 7 → 10
(Select all that apply)
Modified
p. 7 → 10
PCI DSS Self-Assessment Questionnaire C-VT, Version (version of SAQ), was completed according to the instructions therein.
PCI DSS Self-Assessment Questionnaire C-VT, Version 4.0 was completed according to the instructions therein.
Modified
p. 7 → 10
All information within the above-referenced SAQ and in this attestation fairly represents the results of my assessment in all material respects.
All information within the above-referenced SAQ and in this attestation fairly represents the results of the merchant’s assessment in all material respects.
Removed
p. 8
ASV scans are being completed by the PCI SSC Approved Scanning Vendor (ASV Name) Part 3b. Merchant Attestation Signature of Merchant Executive Officer Date:
Modified
p. 8 → 10
Part 3c. Qualified Security Assessor (QSA) Acknowledgement (if applicable) If a QSA was involved or assisted with this assessment, describe the role performed:
Part 3c. Qualified Security Assessor (QSA) Acknowledgement If a QSA was involved or assisted with this assessment, indicate the role performed:
Modified
p. 8 → 10
Signature of Duly Authorized Officer of QSA Company Date:
Signature of Duly Authorized Officer of QSA Company Date: YYYY-MM-DD Duly Authorized Officer Name: QSA Company:
Modified
p. 8 → 10
Part 3d. Internal Security Assessor (ISA) Involvement (if applicable) If an ISA was involved or assisted with this assessment, identify the ISA personnel and describe the role performed:
Part 3d. PCI SSC Internal Security Assessor (ISA) Involvement If an ISA(s) was involved or assisted with this assessment, indicate the role performed:
Removed
p. 9
Check with your acquirer or the payment brand(s) before completing Part 4.
PCI DSS Requirement* Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security parameters 3 Protect stored cardholder data 4 Encrypt transmission of cardholder data across open, public networks Protect all systems against malware and regularly update anti-virus software or programs 6 Develop and maintain secure systems and applications 7 Restrict access to cardholder data by business need to know 8 Identify and authenticate access to system components 9 Restrict physical access to cardholder data 11 Regularly test security systems and processes 12 Maintain a policy that addresses information security for all personnel Appendix A2 Additional PCI DSS Requirements for Entities using SSL/early TLS for Card-Present …
PCI DSS Requirement* Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security parameters 3 Protect stored cardholder data 4 Encrypt transmission of cardholder data across open, public networks Protect all systems against malware and regularly update anti-virus software or programs 6 Develop and maintain secure systems and applications 7 Restrict access to cardholder data by business need to know 8 Identify and authenticate access to system components 9 Restrict physical access to cardholder data 11 Regularly test security systems and processes 12 Maintain a policy that addresses information security for all personnel Appendix A2 Additional PCI DSS Requirements for Entities using SSL/early TLS for Card-Present …