Document Comparison

PCI_DSS_v3_1_ROC_Reporting_Template.pdf → PCI-DSS-v3_2-ROC-Reporting-Template.pdf
70% similar
198 → 198 Pages
68740 → 66422 Words
1190 Content Changes

From Revision History

  • April 2016 | PCI DSS 3.2, Revision 1.0 | Revision to align with changes from PCI DSS 3.1 to PCI DSS 3.2 (see PCI DSS – Summary of …
  • April 2016 © 2016 PCI Security Standards Council, LLC. All Rights Reserved.

Content Changes

1190 content changes. 67 administrative changes (dates, page numbers) hidden.

Added p. 1
PCI DSS v3.2 Template for Report on Compliance Revision 1.0
Added p. 5
• Section 1: Contact Information and Report Date
• Section 2: Summary Overview
• Section 3: Description of Scope of Work and Approach Taken
• Section 4: Details about Reviewed Environment
• Section 5: Quarterly Scan Results
• Section 6: Findings and Observations
Added p. 11
• Don’t leave any spaces blank. If a section does not apply, annotate it as such.
Added p. 14
PCI DSS Requirement | Summary of Findings (check one): Compliant ☐ / Non Compliant ☐ / Not Applicable ☐

1. Install and maintain a firewall configuration to protect cardholder data ☐ ☐ ☐

2. Do not use vendor-supplied defaults for system passwords and other security parameters ☐ ☐ ☐

3. Protect stored cardholder data ☐ ☐ ☐

4. Encrypt transmission of cardholder data across open, public networks ☐ ☐ ☐

5. Protect all systems against malware and regularly update anti-virus software or programs ☐ ☐ ☐

6. Develop and maintain secure systems and applications ☐ ☐ ☐

7. Restrict access to cardholder data by business need to know ☐ ☐ ☐

8. Identify and authenticate access to system components ☐ ☐ ☐

9. Restrict physical access to cardholder data ☐ ☐ ☐

10. Track and monitor all access to network resources and cardholder data ☐ ☐ ☐

11. Regularly test security systems and processes ☐ ☐ ☐

12. Maintain a policy that addresses information security for all personnel …
Added p. 18
- Describe how it was verified that the identified security controls are in place.

List all countries where the entity conducts business.

(If there are no international entities, then the country where the assessment is occurring should be included at a minimum.)

International Entity Name | Facilities in this country reviewed:

Note: The term “Capture” in Section 4.2 of the ROC Template refers to the specific transaction activity, while the use of “capture” in PCI DSS Requirement 9.9 refers to the receiving of cardholder data via physical contact with a payment card (e.g. via swipe or dip).

Cardholder data-flow diagrams may also be included as a supplement to the description of how cardholder data is transmitted and/or processed.

<Insert optional data-flow diagram(s)>

Cardholder data flows (table columns): Types of CHD involved (for example, full track, PAN, expiry) | Describe how cardholder data is transmitted and/or processed and for what purpose it is used

Authorization
Added p. 23
• including homegrown software/applications. For each item in the list, provide details for the hardware and software as indicated below. Add rows, as needed.

• If standardized PCI DSS security and operational processes/controls were used for selecting sample sizes, describe how they were validated by the assessor.
Added p. 34
Table columns: PCI DSS Requirements and Testing Procedures | Reporting Instruction | Reporting Details: Assessor’s Response | Summary of Assessment Findings (check one): In Place / In Place w/ CCW / N/A / Not Tested

1.1.4.b Verify that the current network diagram is consistent with the firewall configuration standards.

Identify the responsible personnel interviewed who confirm that roles and responsibilities are assigned as documented.

Identify the firewall and router configuration standards document(s) reviewed to verify that security features are documented for each insecure service/protocol/port.

1.2.1.a Examine firewall and router configuration standards to verify that they identify inbound and outbound traffic necessary for the cardholder data environment.

<Report Findings Here> 1.3.4 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet. ☐ ☐ ☐ ☐ ☐ 1.3.4 Examine firewall and router configurations to verify that outbound …
Added p. 43
• All vendor defaults (including default passwords on operating systems, software providing security services, application and system accounts, POS terminals, Simple Network Management Protocol (SNMP) community strings, etc.) are changed before a system is installed on the network.

• Unnecessary default accounts (including accounts used by operating systems, security software, applications, systems, POS terminals, SNMP, etc.) are removed or disabled before a system is installed on the network.

• Encryption keys were changed from default at installation
• Encryption keys are changed anytime anyone with knowledge of the keys leaves the company or changes positions.

• Default SNMP community strings are not used.
• Default passwords/passphrases on access points are not used.


• Authentication over wireless networks
• Transmission over wireless networks

Identify vendor documentation examined to verify firmware on wireless devices is updated to support strong encryption …
Added p. 61
Identify the documentation examined to verify that the PAN is rendered unreadable using any of the following methods:

• One-way hashes based on strong cryptography
• Truncation
• Index tokens and pads, with the pads being securely stored
• Strong cryptography, with associated key-management processes and procedures

Identify the sample of data repositories selected for this testing procedure.

Identify the sample of audit logs, including payment application logs, selected for this testing procedure.

Note: This requirement applies in addition to all other PCI DSS encryption and key management requirements.

Describe how the configurations verified that cardholder data on removable media is encrypted wherever stored.
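Added example, not text or code from either template version: the two methods from the 3.4 list above that fit in a few lines, truncation and a keyed one-way hash, together with the check an assessor runs over the sampled audit and payment-application logs, which 3.4 covers as well as data repositories. The PAN finder only counts a Luhn-valid run of 13 to 19 digits, so timestamps and order references are not reported as hits. The log lines and the HMAC key are constructed; PCI DSS 3.4 also notes that hashed and truncated versions of the same PAN must not be correlatable to reconstruct it, which this example does not address.

```python
# Added example (not from either template version): render a PAN unreadable
# by truncation and by a keyed one-way hash, and scan a log sample for PANs
# stored in the clear. The PANs below are published test numbers; the log
# lines and the key are constructed.
import hashlib
import hmac
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# and not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check (ISO/IEC 7812); filters out random digit runs such as order IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation: keep at most the first six and last four digits (PCI DSS 3.3)."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """One-way hash of the full PAN keyed with a secret (HMAC-SHA-256).

    An unkeyed SHA-256 of a PAN is recoverable by exhaustive search: the BIN,
    the length and the Luhn rule leave a small candidate space. The key must
    be handled under the same key-management controls (3.5, 3.6) as an
    encryption key.
    """
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def find_pans(text: str) -> list:
    """Return the Luhn-valid PAN candidates in one line of text, digits only."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_log(lines) -> list:
    """(line number, truncated PAN) for each cleartext PAN in a log sample.

    Only the truncated form is reported, so the scanner's own output does not
    become another place where readable PAN is stored.
    """
    return [(n, truncate_pan(p))
            for n, line in enumerate(lines, 1) for p in find_pans(line)]


# Constructed log sample: line 2 is the kind of debug line that leaks a PAN.
SAMPLE_LOG = [
    "2016-04-01T10:00:01Z auth ok txn=88213 pan=411111XXXXXX1111 amt=12.50",
    "2016-04-01T10:00:02Z DEBUG raw request pan=4111 1111 1111 1111 exp=0419",
    "2016-04-01T10:00:03Z settle batch=20160401 ref=1234567890123",
]

if __name__ == "__main__":
    for line_no, masked in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: cleartext PAN found, truncated form {masked}")
    print(hash_pan("4111 1111 1111 1111", key=b"constructed-key-normally-from-an-HSM"))
```

The scanner is deliberately strict: a PAN split across two log fields, or one with a separator other than space or dash, is missed, so a clean scan is supporting evidence for the 3.4 response rather than proof on its own.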

<Report Findings Here> 3.5.1 Additional requirement for service providers only: Maintain a documented description of the cryptographic architecture that includes:
Added p. 64
• Description of the key usage for each key.

• Inventory of any HSMs and other SCDs used for key management
Added p. 64
• Description of the key usage for each key

Identify the responsible personnel interviewed who confirm that a document exists to describe the cryptographic architecture, including:

• Description of the key usage for each key
• Inventory of any HSMs and other SCDs used for key management

<Report Findings Here>

Identify the documentation reviewed to verify that it contains a description of the cryptographic architecture, including:

• Description of the key usage for each key
• Inventory of any HSMs and other SCDs used for key management

<Report Findings Here> Describe how system configurations and key storage locations verified that cryptographic keys used to encrypt/decrypt cardholder data must only exist in one (or more) of the following forms at all times.

3.6.1.b Observe the procedures for generating keys to verify that …
Added p. 83
Compare the security patches installed on each system to the most recent vendor security-patch list, to verify the following:

• That applicable critical vendor-supplied security patches are installed within one month of release.

• All applicable vendor-supplied security patches are installed within an appropriate time frame (for example, within three months).
Added p. 86
<Report Findings Here>
• Code-review results are reviewed and approved by management prior to release.
Added p. 90
For each change from 6.4.5.b, describe how the change control documentation confirmed that functionality testing is performed to verify that the change does not adversely impact the security of the system.

<Report Findings Here> For each change, describe how the change control documentation verified that updates are tested for compliance with PCI DSS Requirement 6.5 before being deployed into production.

<Report Findings Here> 6.4.6 Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable.
Added p. 91
Identify whether a significant change occurred within the past 12 months. (yes/no) If “yes,” complete the following:

If “no,” mark the rest of 6.4.6 as “Not Applicable” <Report Findings Here> Identify the responsible personnel interviewed for this testing procedure.

<Report Findings Here> Identify the relevant documentation reviewed to verify that the documentation was updated as part of the change.

<Report Findings Here> Identify the sample of change records examined for this testing procedure.

<Report Findings Here> Identify the sample of systems/networks affected by the significant change.

<Report Findings Here> For each sampled change, describe how the system/networks observed verified that applicable PCI DSS requirements were implemented and documentation updated as part of the change.

Interview responsible personnel to verify that injection flaws are addressed by coding techniques that include:
Added p. 99
<Report Findings Here> Describe how the records of application vulnerability security assessments verified that public-facing web applications are reviewed as follows:

Identify the responsible personnel interviewed who confirm that the above automated technical solution is in place as follows:
Added p. 104
<Report Findings Here> For each user ID in the selected sample, describe how:
Added p. 107
<Report Findings Here> Describe how the physical authentication method(s) for the terminated employees were verified to have been returned or deactivated.
Added p. 110
<Report Findings Here> Identify the sample of system components selected for this testing procedure.

8.2.3 Passwords/passphrases must meet the following:

For each item in the sample, describe how system configuration settings verified that password/passphrase parameters are set to require that new passwords/passphrases cannot be the same as the four previously used passwords/passphrases.

Additional procedure for service provider assessments only, identify the documented internal processes and customer/user documentation reviewed to verify that new non-consumer customer user passwords/passphrases cannot be the same as the previous four passwords/passphrases.

• Set reset passwords/passphrases to a unique value for each existing user.

<Report Findings Here> 8.3 Secure all individual non-console …
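Added example, not from either template version, of the configuration the 8.2.3 and 8.2.5 instructions above ask the assessor to verify, written as a small account store: a minimum of seven characters containing both letters and digits (the 8.2.3 parameters, stated in PCI DSS v3.2 but cut off on this page) and refusal of any of the previous four passwords. Only salted PBKDF2 hashes are kept, so the history cannot be read back as passwords. The account, the passwords and the round count are constructed.

```python
# Added example (not from either template version): enforce the 8.2.3
# length/composition parameters and the 8.2.5 history rule. Only salted
# PBKDF2 hashes of the last four passwords are kept. Passwords and the round
# count are constructed for the demo; production deployments use more rounds.
import hashlib
import hmac
import os

MIN_LENGTH = 7          # 8.2.3: at least seven characters
HISTORY_DEPTH = 4       # 8.2.5: cannot equal any of the previous four
PBKDF2_ROUNDS = 60_000  # kept low so the demo runs quickly


def meets_complexity(pw: str) -> bool:
    """8.2.3: minimum length seven, both numeric and alphabetic characters."""
    return (len(pw) >= MIN_LENGTH
            and any(c.isdigit() for c in pw)
            and any(c.isalpha() for c in pw))


def _derive(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordRecord:
    """Current password plus the hashes needed to refuse reuse of the last four.

    Each entry has its own salt, so a history check costs one PBKDF2 run per
    stored entry; that is the price of storing nothing reversible.
    """

    def __init__(self, depth: int = HISTORY_DEPTH):
        self.depth = depth
        self.history = []   # (salt, hash) tuples, oldest first, current last

    def verify(self, pw: str) -> bool:
        """A login attempt is checked against the current password only."""
        if not self.history:
            return False
        salt, digest = self.history[-1]
        return hmac.compare_digest(_derive(pw, salt), digest)

    def is_reused(self, pw: str) -> bool:
        return any(hmac.compare_digest(_derive(pw, salt), digest)
                   for salt, digest in self.history[-self.depth:])

    def set_password(self, pw: str) -> str:
        """Return 'ok' after storing the new password, or the reason it was refused."""
        if not meets_complexity(pw):
            return "refused: fewer than %d characters or not both letters and digits" % MIN_LENGTH
        if self.is_reused(pw):
            return "refused: same as one of the previous %d passwords" % self.depth
        salt = os.urandom(16)
        self.history.append((salt, _derive(pw, salt)))
        del self.history[:-self.depth]   # keep exactly the last `depth` used
        return "ok"


def demo() -> list:
    """Walk one constructed account through nine changes; returns each decision."""
    rec = PasswordRecord()
    attempts = [
        "Summer2016", "Autumn2016", "Winter2016", "Spring2017",
        "Summer2016",    # still within the last four: refused
        "Winter2017",    # pushes Summer2016 out of the window
        "Summer2016",    # now older than four changes: accepted
        "short1",        # six characters: refused
        "nodigitshere",  # no numeric character: refused
    ]
    return [rec.set_password(pw) for pw in attempts]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The point the assessor checks for 8.2.5 is the window: the fifth attempt is refused and the seventh, the same string, is accepted, because by then four newer passwords have been set. A system that compares against a fixed number of entries but never expires them, or that keeps the history in cleartext to make the comparison cheap, fails the same requirement in the other direction.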
Added p. 115
8.3.1.a Examine network and/or system configurations, as applicable, to verify multi-factor authentication is required for all non-console administrative access into the CDE.

Identify the sample of network and/or system components examined for this testing procedure.

<Report Findings Here> Describe how the configurations verify that multi-factor authentication is required for all non-console access into the CDE.

<Report Findings Here> 8.3.1.b Observe a sample of administrator personnel login to the CDE and verify that at least two of the three authentication methods are used.

Identify the sample of administrator personnel observed logging in to the CDE.

<Report Findings Here> Describe the multi-factor authentication methods observed to be in place for personnel non-console logins to the CDE.

<Report Findings Here> 8.3.2 Incorporate multi-factor authentication for all remote network access (both user and administrator, and including third party access for support or maintenance) originating from outside the entity’s network. ☐ ☐ ☐ ☐ ☐ 8.3.2.a Examine system configurations …
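Added example, not from either template version, of what 8.3.1.b's "at least two of the three authentication methods" looks like in code: a password (something you know) checked together with an RFC 6238 time-based one-time code (something you have). The shared secret is the RFC 6238 test-vector key so the codes can be compared with the published values; the administrator account and its password are constructed. The guard that refuses a time step that has already been accepted is the part home-grown verifiers most often omit, and without it a captured code replays for up to 90 seconds.

```python
# Added example (not from either template version): password plus RFC 6238
# TOTP as two independent factors for an administrative login. The TOTP
# secret is the RFC 6238 test-vector key; the account is constructed.
import hashlib
import hmac
import struct

STEP = 30       # seconds per TOTP time step
WINDOW = 1      # accept one step of clock drift either way


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the time step."""
    return hotp(secret, unix_time // STEP, digits)


class AdminAccount:
    def __init__(self, password: str, totp_secret: bytes):
        self.salt = b"constructed-salt"   # per-account os.urandom(16) in practice
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 50_000)
        self.totp_secret = totp_secret
        self.last_counter = -1             # highest time step already accepted

    def check_password(self, password: str) -> bool:
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 50_000)
        return hmac.compare_digest(cand, self.pw_hash)

    def check_totp(self, code: str, unix_time: int) -> bool:
        """Accept the code for the current step or one neighbour, never twice."""
        now = unix_time // STEP
        for counter in range(max(now - WINDOW, 0), now + WINDOW + 1):
            if counter <= self.last_counter:
                continue   # that step was already used: a replayed code
            if hmac.compare_digest(hotp(self.totp_secret, counter), code):
                self.last_counter = counter
                return True
        return False

    def login(self, password: str, code: str, unix_time: int) -> bool:
        # The one-time code is only consumed once the first factor succeeded,
        # so a guessed password cannot burn the legitimate user's current code.
        return self.check_password(password) and self.check_totp(code, unix_time)


def login_demo() -> list:
    """Four attempts on one account: good login, replay of the same code,
    next time step, wrong password with a fresh code."""
    secret = b"12345678901234567890"      # RFC 6238 test-vector key
    acct = AdminAccount("Spring2017", secret)
    return [
        acct.login("Spring2017", totp(secret, 59), 59),     # True
        acct.login("Spring2017", totp(secret, 59), 70),     # False: step already used
        acct.login("Spring2017", totp(secret, 95), 95),     # True: new step
        acct.login("wrong-pass", totp(secret, 130), 130),   # False: first factor fails
    ]


if __name__ == "__main__":
    print(login_demo())
```

When observing a login for 8.3.1.b, the second attempt above is the one worth asking the entity to repeat: a verifier that accepts the same code twice inside the drift window is not providing a one-time factor, whatever the vendor calls it.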
Added p. 118
• Shared and generic user IDs are not used to administer any system components.

<Report Findings Here> 8.5.b Examine authentication policies and procedures to verify that use of group and shared IDs and/or passwords or other authentication methods are explicitly prohibited.

<Report Findings Here> Identify the responsible personnel interviewed who confirm that different authentication credentials are used for access to each customer.

<Report Findings Here> 8.6 Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.) use of these mechanisms must be assigned as follows:

For each database from 8.7.a, describe how the database and application configuration settings verified that all user access to, user queries of, and user actions on the database are through programmatic methods only.

For each database from 8.7.a, describe how database application configuration settings verified that user direct access to or queries of databases are restricted to database administrators.

<Report Findings Here> 8.7.d …
Added p. 124
<Report Findings Here> Identify the responsible personnel interviewed who confirm that visitors must be authorized before they are granted access to, and escorted at all times within, areas where cardholder data is processed or maintained.

Describe how it was observed that a visitor log is in use to record physical access to:

9.6.2.a Interview personnel and examine records to verify that all media sent outside the facility is logged and sent via secured courier or other delivery method that can be tracked.

<Report Findings Here> For each item in the sample in 9.6.2.b, describe how proper management authorization was observed to be obtained whenever media is moved from a secured area (including when media is distributed to individuals).

Added p. 138
• Implemented. <Report Findings Here>
• Kept current, per the documented process. <Report Findings Here>

10.4.1 Critical systems have the correct and consistent time. ☐ ☐ ☐ ☐ ☐ 10.4.1.a Examine the process for acquiring, distributing and storing the correct time within the organization to verify that:

Identify the sample of time servers selected for this testing procedure.

For each item in the sample at 10.5, describe how system configurations and permissions verified that current audit trail files are protected from unauthorized modifications via access control mechanisms, physical segregation, and/or network segregation.

10.6 Perform the following:

• All security events
• Logs of all system components that store, process, or transmit CHD and/or SAD
• Logs of all critical system components
• Logs of all servers and system components …
Added p. 160
• The penetration testing verifies that segmentation controls/methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.

<Report Findings Here> 11.3.4.c Verify that the test was performed by a qualified internal resource or qualified external third party, and if applicable, organizational independence of the tester exists (not required to be a QSA or ASV).

11.3.4.1 Additional requirement for service providers only: If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods. Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.

11.3.4.1.a Examine the results from the most recent penetration test to verify that:
• Penetration testing is performed …
Added p. 169
• A list of all critical devices, and
• A list of personnel authorized to use the devices.


12.3.7 Verify that the usage policies include a list of company-approved products.

Identify any remote access technologies in use. <Report Findings Here>

Describe how configurations for remote access technologies verified that remote access sessions will be automatically disconnected after a specific period of inactivity.

<Report Findings Here> 12.4.1 Additional requirement for service providers only: Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program to include:

• Overall accountability for maintaining PCI DSS compliance
• Defining a charter for a PCI DSS compliance program and communication to executive …
Added p. 179
<Report Findings Here> 12.10.1.b Interview personnel and review documentation from a sample of previously reported incidents or alerts to …

Identify the responsible personnel interviewed who confirm that the documented incident response plan and procedures are followed.

<Report Findings Here> Identify documentation reviewed from testing to verify that the incident response plan is tested at least annually and that testing includes all elements listed in Requirement 12.10.1.

… reports of unauthorized critical system or content file changes.

12.10.5 Verify through observation and review of processes that monitoring and responding to alerts from security monitoring systems are covered in the Incident Response Plan.

Added p. 185
• Appendix A1: Additional PCI DSS Requirements for Shared Hosting Providers
• Appendix A2: Additional PCI DSS Requirements for Entities using SSL/early TLS
• Appendix A3: Designated Entities Supplemental Validation

Guidance and applicability information is provided within each section.

<Report Findings Here> Identify the sample of servers selected for this testing procedure.

For each item in the sample of servers and hosted entities from A1.1, perform the following:

<Report Findings Here> Describe how running application process IDs were observed to verify that the process IDs are not privileged users.

<Report Findings Here> A1.2.b Verify each entity (merchant, service provider) has read, write, or execute permissions only for files and directories it owns or for necessary system files (restricted via file system permissions, access control lists, chroot, jailshell, etc.) Important: An entity’s files may not be shared by group.

For each item in the sample of servers and hosted entities from A1.1, describe how the system …
Added p. 190
The PCI DSS requirements directly affected are:

Requirement 2.2.3 Implement additional security features for any required services, protocols, or daemons that are considered to be insecure.

Requirement 2.3 Encrypt all non-console administrative access using strong cryptography.

Requirement 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.

SSL and early TLS should not be used as a security control to meet these requirements. To support entities working to migrate away from SSL/early TLS, the following provisions are included:

• New implementations must not use SSL or early TLS as a security control
• All service providers must provide a secure service offering by June 30, 2016
• After June 30, 2018, all entities must have stopped use of SSL/early TLS as a security control, and use only secure versions of the protocol (an allowance for certain POS POI terminals is described in the last bullet).

 Prior to …
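Added example, not from either template version: a probe that attempts one handshake per protocol version against an entity's endpoint and reduces the outcome to the finding wording this template uses, as evidence for 2.2.3, 2.3 and 4.1 that SSL/early TLS is not negotiated. SSLv3 is not probed because the OpenSSL builds Python links against no longer offer it. On OpenSSL 3 the probing client must lower its own security level, otherwise TLS 1.0 and 1.1 show as refused regardless of what the server accepts; the code handles that. The host name is a placeholder and the probe needs network access; the helpers run offline.

```python
# Added example (not from either template version): per-version TLS probe
# for the SSL/early TLS provisions of Appendix A2. Host and port below are
# placeholders; the verdict helper is what turns results into a finding.
import socket
import ssl

EARLY_TLS = {"TLSv1": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1}
SECURE_TLS = {"TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}


def build_context(version: ssl.TLSVersion) -> ssl.SSLContext:
    """Client context pinned to exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = version
    ctx.maximum_version = version
    # Protocol probe only: certificate and hostname validation are separate tests.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    if version < ssl.TLSVersion.TLSv1_2:
        # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level, which
        # would report "refused" regardless of the server. Lower the level on
        # the probing client so the result reflects the server's behaviour.
        try:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            pass   # LibreSSL and some builds have no SECLEVEL; probe anyway
    return ctx


def probe(host: str, port: int, name: str, version: ssl.TLSVersion,
          timeout: float = 5.0) -> bool:
    """True only if the server completed a handshake at exactly this version."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with build_context(version).wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() == name
    except (ssl.SSLError, OSError, ValueError):
        # ValueError: the version is compiled out of the local OpenSSL, which
        # is a client-side limitation and not evidence about the server.
        return False


def probe_all(host: str, port: int = 443) -> dict:
    versions = {**EARLY_TLS, **SECURE_TLS}
    return {name: probe(host, port, name, v) for name, v in versions.items()}


def verdict(accepted: dict) -> str:
    """Reduce per-version results to wording usable in the assessor's response."""
    early = [n for n in EARLY_TLS if accepted.get(n)]
    if early:
        return "Not in place: early TLS negotiated (%s)" % ", ".join(early)
    if not any(accepted.get(n) for n in SECURE_TLS):
        return "Inconclusive: no TLS 1.2/1.3 handshake completed; check reachability before concluding"
    return "In place: only TLS 1.2/1.3 negotiated"


if __name__ == "__main__":
    results = probe_all("gateway.example.test")   # placeholder host
    for name, ok in results.items():
        print(f"{name:8} {'accepted' if ok else 'refused'}")
    print(verdict(results))
```

A refusal caused on the client side (old version compiled out, security level not lowered) looks identical to a refusal by the server, so treat "refused" for TLS 1.0/1.1 as evidence only when TLS 1.2 succeeded against the same host in the same run, and cross-check a result that decides a finding with `openssl s_client -tls1` or `-tls1_1`.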
Added p. 194
• Reporting Template for use with the PCI DSS Designated Entities Supplemental Validation
• Supplemental Attestation of Compliance for Onsite Assessments

• Designated Entities

These documents are available in the PCI SSC Document Library.

Note that an entity is ONLY required to undergo an assessment according to this Appendix if instructed to do so by an acquirer or a payment brand.
Modified p. 1
Payment Card Industry (PCI) Data Security Standard Report on Compliance Template for Report on Compliance for use with PCI DSS v3.1 Revision 1.0
Payment Card Industry (PCI) Data Security Standard Report on Compliance
Removed p. 5
• Section 1: Contact Information and Report Date

• Section 2: Summary Overview

• Section 3: Description of Scope of Work and Approach Taken

• Section 4: Details about Reviewed Environment

• Section 5: Quarterly Scan Results

• Section 6: Findings and Observations
Modified p. 5
Use of this Reporting Template is mandatory for all v3.1 submissions.
Use of this Reporting Template is mandatory for all v3.2 submissions.
Modified p. 5
The Report on Compliance (ROC) is produced during onsite PCI DSS assessments as part of an entity’s validation process. The ROC provides details about the entity’s environment and assessment methodology, and documents the entity’s compliance status for each PCI DSS Requirement. A PCI DSS compliance assessment involves thorough testing and assessment activities, from which the assessor will generate detailed work papers. These work papers contain comprehensive records of the assessment activities, including observations, results of system testing, configuration data, file …
The Report on Compliance (ROC) is produced during onsite PCI DSS assessments as part of an entity’s validation process. The ROC provides details about the entity’s environment and assessment methodology, and documents the entity’s compliance status for each PCI DSS Requirement. A PCI DSS compliance assessment involves thorough testing and assessment activities, from which the assessor will generate detailed work papers. These work papers contain comprehensive records of the assessment activities, including observations, results of system testing, configuration data, file …
Removed p. 6
• Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers

• Appendices B and C: Compensating Controls and Compensating Controls Worksheet (as applicable)
Modified p. 7
All “not applicable” responses require reporting on testing performed to confirm the “not applicable” status. Note that a “Not Applicable” response still requires a detailed description explaining how it was determined that the requirement does not apply.
All “not applicable” responses require reporting on testing performed to confirm the “not applicable” status. Note that a “Not Applicable” response still requires a detailed description explaining how it was determined that the requirement does not apply. In scenarios where the Reporting Instruction states, "If 'no/yes', mark as Not Applicable," assessors may simply enter “Not Applicable” or “N/A” and are not required to report on the testing performed to confirm the "Not Applicable" status.
Modified p. 7
Certain requirements are always applicable (3.2.1-3.2.3, for example), and that will be designated by a grey box under “Not Applicable.” In the sample, the Summary of Assessment Findings at 1.1 is “not applicable” if both 1.1.a and 1.1.b are concluded to be “not applicable.” A requirement is applicable if any aspects of the requirement apply to the environment being assessed, and a “Not Applicable” designation in the Summary of Assessment Findings should not be used in this scenario.
Certain requirements are always applicable (3.2.1- 3.2.3, for example), and that will be designated by a grey box under “Not Applicable.” In the sample, the Summary of Assessment Findings at 1.1 is “not applicable” if both 1.1.a and 1.1.b are concluded to be “not applicable.” A requirement is applicable if any aspects of the requirement apply to the environment being assessed, and a “Not Applicable” designation in the Summary of Assessment Findings should not be used in this scenario.
Modified p. 7
**Note, future-dated requirements are considered Not Applicable until the future date has passed. While it is true that the requirement is likely not tested (hence the original instructions), it is not required to be tested until the future date has passed, and the requirement is therefore not applicable until that date. As such, a “Not Applicable” response to future- dated requirements is accurate, whereas a “Not Tested” response would imply there was not any consideration as to whether it could …
**Note, future-dated requirements are considered Not Applicable until the future date has passed. While it is true that the requirement is likely not tested (hence the original instructions), it is not required to be tested until the future date has passed, and the requirement is therefore not applicable until that date. As such, a “Not Applicable” response to future-dated requirements is accurate, whereas a “Not Tested” response would imply there was not any consideration as to whether it could apply …
Modified p. 8
(See “What is the difference between ‘Not Applicable’ and ‘Not Tested’?” below for examples of when this option should be used.) In the sample, the Summary of Assessment Findings at 1.1 is “not tested” if either 1.1.a or 1.1.b are concluded to be “not tested.” What is the difference between “Not Applicable” and “Not Tested?” Requirements that are deemed to be not applicable to an environment must be verified as such. Using the example of wireless and an organization that …
(See “What is the difference between ‘Not Applicable’ and ‘Not Tested’?” in the following section for examples of when this option should be used.) In the sample, the Summary of Assessment Findings at 1.1 is “not tested” if either 1.1.a or 1.1.b are concluded to be “not tested.” What is the difference between “Not Applicable” and “Not Tested?” Requirements that are deemed to be not applicable to an environment must be verified as such. Using the example of wireless and …
Modified p. 8
Requirement X: Sample Note

• checkboxes have been added to the “Summary of Assessment Findings” so that the assessor may double click to check the applicable summary result. Hover over the box you’d like to mark and click once to mark with an ‘x.’ To remove a mark, hover over the box and click again.
Requirement X: Sample Note

• checkboxes have been added to the “Summary of Assessment Findings” so that the assessor may double click to check the applicable summary result. Hover over the box you’d like to mark and click once to mark with an ‘x’. To remove a mark, hover over the box and click again.
Removed p. 9
• One word (yes/no) Example Reporting Instruction: Indicate whether the assessed entity is an issuer or supports issuing services. (yes/no)

• Document name or interviewee job title/reference

• Brief description/short answer
Modified p. 9
• In Sections 4.10, “Documentation Reviewed,” and 4.11, “Individuals Interviewed” below, there is a space for a reference number and it is the QSA’s choice to use the document name/interviewee job title or the reference number at the individual reporting instruction response.
• One word (yes/no) Example Reporting Instruction: Indicate whether the assessed entity is an issuer or supports issuing services. (yes/no)
• Document name or interviewee job title/reference

• In Sections 4.10, “Documentation Reviewed,” and 4.11, “Individuals Interviewed” below, there is a space for a reference number and it is the QSA’s choice to use the document name/interviewee job title or the reference number at the individual reporting instruction response.
Modified p. 9
• For sampling, the QSA must use the table at “Sample sets for reporting” in the Details about Reviewed Environment section of this document to fully report the sampling, but it is the QSA’s choice to use the Sample set reference number (“Sample Set-5”) or list out the items from the sample again at the individual reporting instruction response.
Example Reporting Instruction: Identify the document that defines vendor software development processes. Example Reporting Instruction: Identify the individuals interviewed who confirm that …
• Sample description

• For sampling, the QSA must use the table at “Sample sets for reporting” in the Details about Reviewed Environment section of this document to fully report the sampling, but it is the QSA’s choice to use the Sample set reference number (“Sample Set-5”) or list out the items from the sample again at the …
Modified p. 9
• Short and to the point, but provide detail and individual content that is not simply an echoing of the testing procedure or reporting instruction nor a template answer used from report-to-report, but instead relevant and specific to the assessed entity.
• Brief description/short answer

• Short and to the point, but provide detail and individual content that is not simply an echoing of the testing procedure or reporting instruction nor a template answer used from report-to-report, but instead relevant and specific to the assessed entity. These responses must include unique details, such as the specific system configurations reviewed (to include what the assessor observed in the
Modified p. 9 → 10
Example Reporting Instruction: Describe the procedures for secure key distribution that were observed to be implemented. Example Reporting Instruction: For the interview, summarize the relevant details discussed that verify …
Example Reporting Instruction: Describe the procedures for secure key distribution that were observed to be implemented. Example Reporting Instruction: For the interview, summarize the relevant details discussed that verify … Dependence on another service provider’s compliance:
Modified p. 10
“Assessor verified this is the responsibility of Service Provider X, as verified through review of x/y contract (document). Assessor reviewed the AOC for Service Provider X, dated MM/DD/YYYY, and confirmed the service provider was found to be PCI DSS compliant against PCI DSS v2.0 (or PCI DSS v3.0/PCI DSS v3.1) for all applicable requirements, and that it covers the scope of the services used by the assessed entity.” That response could vary, but what’s important is that it is noted …
“Assessor verified this is the responsibility of Service Provider X, as verified through review of x/y contract (document). Assessor reviewed the AOC for Service Provider X, dated MM/DD/YYYY, and confirmed the service provider was found to be PCI DSS compliant against PCI DSS v3.1 (or PCI DSS v3.2) for all applicable requirements, and that it covers the scope of the services used by the assessed entity.” That response could vary, but what’s important is that it is noted as “in …
Modified p. 10
Dependence on another service provider’s compliance where the service provider is compliant with PCI DSS v2.0, but the entity is being assessed against PCI DSS v3.1:
Dependence on another service provider’s compliance where the service provider is compliant with PCI DSS v3.1, but the entity is being assessed against PCI DSS v3.2:
Modified p. 10
The requirement and/or testing procedure exists in both standards, in which case the response noted above would likely be sufficient. Noting that the service provider is compliant with 2.0 of the PCI DSS in the response is worthwhile to address any possible changes to requirements or testing procedures. As noted above, future-dated requirements are considered Not Applicable until the future date has passed. Until that date, an acceptable answer for the accompanying “not applicable” finding might be something like: …
The requirement and/or testing procedure exists in both standards, in which case the response noted above would likely be sufficient. Noting that the service provider is compliant with 3.1 of the PCI DSS in the response is worthwhile to address any possible changes to requirements or testing procedures. As noted above, future-dated requirements are considered Not Applicable until the future date has passed. Until that date, an acceptable answer for the accompanying “not applicable” finding might be something like: …
Modified p. 11
• Use this Reporting Template when assessing against v3.1 of the PCI DSS.
• Use this Reporting Template when assessing against v3.2 of the PCI DSS.
Modified p. 13
Descriptions of time spent onsite at the entity and time spent performing remote assessment activities, including time spent on validation of remediation activities.
Describe the time spent onsite at the entity, time spent performing remote assessment activities and time spent on validation of remediation activities.
Removed p. 14
• Any entities that the assessed entity connects to for payment transmission or processing, including processor relationships.
Modified p. 14 → 15
• Describe how and why the entity stores, processes, and/or transmits cardholder data.
• Describe how the entity stores, processes, and/or transmits cardholder data.
Modified p. 14 → 15
Note: This is not intended to be a cut-and-paste from above, but should build on the understanding of the business and the impact this can have upon the security of cardholder data. website • What types of payment channels the entity serves, such as card-present and card-not-present (for example, mail order/telephone order (MOTO), e-commerce).
Note: This is not intended to be a cut-and-paste from above, but should build on the understanding of the business and the impact this can have upon the security of cardholder data.
Modified p. 14 → 15
• Connections into and out of the network including demarcation points between the cardholder data environment (CDE) and other networks/zones • Critical components within the cardholder data environment, including POS devices, systems, databases, and web servers, as applicable • Other necessary payment components, as applicable <Insert high-level network diagram(s)>
• Connections into and out of the network including demarcation points between the cardholder data environment (CDE) and other networks/zones • Critical components within the cardholder data environment, including POS devices, systems, databases, and web servers, as applicable • Other necessary payment components, as applicable
Modified p. 15 → 17
As noted in PCI DSS, v3.1

• “At least annually and prior to the annual assessment, the assessed entity should confirm the accuracy of their PCI DSS scope by identifying all locations and flows of cardholder data, and identify all systems that are connected to or if compromised could impact the CDE (e.g. authentication servers) to ensure they are included in the PCI DSS scope.” Note

• additional reporting has been added below to emphasize systems that are connected to or if …
As noted in PCI DSS, v3.2

• “At least annually and prior to the annual assessment, the assessed entity should confirm the accuracy of their PCI DSS scope by identifying all locations and flows of cardholder data, and identify all systems that are connected to or if compromised could impact the CDE (e.g. authentication servers) to ensure they are included in the PCI DSS scope.” Note

• additional reporting has been added below to emphasize systems that are connected to or if …
Modified p. 15 → 17
• Describe the methods or processes (for example, tools, observations, feedback, scans, data flow analysis) used to identify and document all existences of cardholder data (as executed by the assessor, assessed entity or a combination):
• Describe the methods or processes (for example, the specific types of tools, observations, feedback, scans, data flow analysis) used to identify and document all existences of cardholder data (as executed by the assessed entity, assessor or a combination):
Modified p. 15 → 17
• Describe the methods or processes (for example, tools, observations, feedback, scans, data flow analysis) used to verify that no cardholder data exists outside of the defined CDE (as executed by the assessor, assessed entity or a combination):
• Describe the methods or processes (for example, the specific types of tools, observations, feedback, scans, data flow analysis) used to verify that no cardholder data exists outside of the defined CDE (as executed by the assessed entity, assessor or a combination):
Removed p. 16
• Explain how the assessor validated the effectiveness of the segmentation, as follows:
Modified p. 16 → 18
Identify the technologies used and any supporting processes
Identify the technologies used and any supporting processes • Explain how the assessor validated the effectiveness of the segmentation, as follows:
Modified p. 16 → 18
- Describe how it was verified that adequate security controls are in place to ensure the integrity of the segmentation mechanisms (e.g., access controls, change management, logging, monitoring, etc.).
- Identify the security controls that are in place to ensure the integrity of the segmentation mechanisms (e.g., access controls, change management, logging, monitoring, etc.).
Modified p. 17 → 19
Network Name (out of scope) Function/ Purpose of Network 3.5 Connected entities for processing Complete the following for connected entities for processing. If the assessor needs to include additional reporting for the specific brand and/or acquirer, it can be included either here within 3.5 or as an appendix at the end of this report. Do not alter the Attestation of Compliance (AOC) for this purpose.
Network Name (out of scope) Function/ Purpose of Network 3.5 Connected entities for payment processing and transmission Complete the following for connected entities for processing and/or transmission. If the assessor needs to include additional reporting for the specific brand and/or acquirer, it can be included either here within 3.5 or as an appendix at the end of this report. Do not alter the Attestation of Compliance (AOC) for this purpose.
Modified p. 18 → 21
• If there are wireless networks or technologies in use, identify and describe all wireless technologies in use that are connected to or could impact
• If there are wireless networks or technologies in use, identify and describe all wireless technologies in use that are connected to or could impact the security of the cardholder data environment. This would include:
Removed p. 19
• Wireless payment applications (for example, POS terminals)
Modified p. 19 → 21
All other wireless devices/technologies 3.8 Wireless details For each wireless technology in scope, identify the following:
• Wireless LANs • Wireless payment applications (for example, POS terminals) • All other wireless devices/technologies 3.8 Wireless details For each wireless technology in scope, identify the following:
Modified p. 20 → 22
• All boundaries of the cardholder data environment • Any network segmentation points which are used to reduce scope of the assessment • Boundaries between trusted and untrusted networks • Wireless and wired networks • All other connection points applicable to the assessment Ensure the diagram(s) include enough detail to clearly understand how each communication point functions and is secured. (For example, the level of detail may include identifying the types of devices, device interfaces, network technologies, protocols, and security …
• All boundaries of the cardholder data environment • Any network segmentation points which are used to reduce scope of the assessment • Boundaries between trusted and untrusted networks • Wireless and wired networks • All other connection points applicable to the assessment Ensure the diagram(s) include enough detail to clearly understand how each communication point functions and is secured. (For example, the level of detail may include identifying the types of devices, device interfaces, network technologies, protocols, and security …
Modified p. 21 → 23
Data Store (database, file, table, etc.) Cardholder data elements stored (PAN, expiry, any elements of SAD) How data is secured (for example, use of encryption, access controls, truncation, etc.) How access to data stores is logged (description of logging mechanism used for logging access to data – for example, enterprise log management solution, application-level logging, operating system logging, etc.) 4.4 Critical hardware in use in the cardholder data environment Identify and list all types of hardware in the cardholder environment, including network …
Data Store (database, etc.) File(s) and/or Table(s) Cardholder data elements stored (for example, PAN, expiry, any elements of SAD) How data is secured (for example, use of encryption, access controls, truncation, etc.) How access to data stores is logged (description of logging mechanism used for logging access to data – for example, enterprise log management solution, application-level logging, operating system logging, etc.) 4.4 Critical hardware and software in use in the cardholder data environment Identify and list all types of hardware and …
Modified p. 21 → 23
Type of Device Vendor (make/model) Role/Functionality 4.5 Critical software in use in the cardholder data environment Identify and list all critical software in the cardholder environment, such as e-commerce applications, applications accessing CHD for non-payment functions (fraud modeling, credit verification, etc.), software performing security functions or enforcing PCI DSS controls, underlying operating systems that store, process or transmit CHD, system management software, virtualization management software, and other critical software – including homegrown software/applications. For each item in the list, provide …
– including homegrown components. Critical software includes e-commerce applications, applications accessing CHD for non-payment functions (fraud modeling, credit verification, etc.), software performing security functions or enforcing PCI DSS controls, underlying operating systems that store, process or transmit CHD, system management software, virtualization management software, and other critical software
Removed p. 22
• Describe how the above processes and controls were validated by the assessor.
Modified p. 22 → 24
Provide the name of the assessor who attests that every system component and all business facilities have been assessed.
Provide the name of the assessor who attests that every system component and all business facilities have been assessed.
Modified p. 22 → 24
Provide the name of the assessor who attests that all sample sets used for this assessment are represented in the below “Sample sets for reporting” table. Examples may include, but are not limited to firewalls, application servers, retail locations, data centers, User IDs, people, etc.
Provide the name of the assessor who attests that all sample sets used for this assessment are represented in the below “Sample sets for reporting” table. Examples may include, but are not limited to firewalls, application servers, retail locations, data centers, User IDs, people, etc.
Modified p. 22 → 24
Describe the sampling rationale and/or standardized PCI DSS security and operational processes/controls used for selecting sample sizes (for people, processes, technologies, devices, locations/sites, etc.).
Describe the sampling rationale used for selecting sample sizes (for people, processes, technologies, devices, locations/sites, etc.).
Modified p. 23 → 25
Note: When a reporting instruction asks for a sample, the QSA may either refer to the Sample Set Identifier here (for example “Sample Set-1”) OR list the sampled items individually in the response. Examples of sample sets may include, but are not limited to, firewalls, application servers, retail locations, data centers, User IDs, people, etc. Add rows as needed.
Note: If sampling is used, this section MUST be completed. When a reporting instruction asks to identify a sample, the QSA may either refer to the Sample Set Reference Number (for example “Sample Set-1”) OR list the sampled items individually in the response. Examples of sample sets may include, but are not limited to, firewalls, application servers, retail locations, data centers, User IDs, people, etc. Add rows as needed.
Modified p. 23 → 25
Sample Set Reference Number Sample Type/ Description (e.g., firewalls, datacenters, etc.) Listing of all components (devices, locations, etc.) of the Sample Set (with make/model, as applicable) Total Sampled Total Population Sample Set-1 Sample Set-2 Sample Set-3 Sample Set-4 4.8 Service providers and other third parties with which the entity shares cardholder data For each service provider or third party, provide:
Sample Set Sample Type/ Description (e.g., firewalls, datacenters, change records, User IDs, etc.) Listing of all items (devices, locations, change records, people, etc.) in the Sample Make/Model of Components (as applicable) Total Sampled Total Population Sample Set-1 Sample Set-2 Sample Set-3 Sample Set-4 4.7 Service providers and other third parties with which the entity shares cardholder data or that could affect the security of cardholder data For each service provider or third party, provide:
Modified p. 24 → 27
• Any additional comments or findings the assessor would like to share, as applicable:
PCI SSC listing reference number Expiry date of listing, if applicable • Any additional comments or findings the assessor would like to include, as applicable:
Modified p. 25 → 27
Document Name (including version, if applicable) Brief description of document purpose Document date (latest version date) 4.11 Individuals interviewed Identify and list the individuals interviewed. Include the following:
(optional) Document Name (including version, if applicable) Brief description of document purpose Document date (latest version date) 4.10 Individuals interviewed Identify and list the individuals interviewed. Include the following:
Modified p. 25 → 27
Number Employee Name Role/Job Title Organization Is this person an ISA? (yes/no) Summary of Topics Covered / Areas or Systems of Expertise (high-level summary only) 4.12 Managed service providers For managed service provider (MSP) reviews, the assessor must clearly identify which requirements in this document apply to the MSP (and are included in the review), and which are not included in the review and are the responsibility of the MSP’s customers to include in their reviews. Include information about which …
(optional) Employee Name Role/Job Title Organization Is this person an ISA? (yes/no) 4.11 Managed service providers For managed service provider (MSP) reviews, the assessor must clearly identify which requirements in this document apply to the MSP (and are included in the review), and which are not included in the review and are the responsibility of the MSP’s customers to include in their reviews. Include information about which of the MSP’s IP addresses are scanned as part of the MSP’s quarterly …
Modified p. 25 → 28
List the requirements that apply to the MSP and are included in this assessment.
List the requirements that apply to the MSP and are included in this assessment.
Modified p. 25 → 28
List the requirements that are the responsibility of the MSP’s customers (and have not been included in this assessment).
List the requirements that are the responsibility of the MSP’s customers (and have not been included in this assessment).
Modified p. 26 → 28
Provide the name of the assessor who attests that the testing of these requirements and/or responsibilities of the MSP is accurately represented in the signed Attestation of Compliance.
Provide the name of the assessor who attests that the testing of these requirements and/or responsibilities of the MSP is accurately represented in the signed Attestation of Compliance.
Modified p. 26 → 28
Identify which of the MSP’s IP addresses are scanned as part of the MSP’s quarterly vulnerability scans.
Identify which of the MSP’s IP addresses are scanned as part of the MSP’s quarterly vulnerability scans.
Modified p. 26 → 28
Identify which of the MSP’s IP addresses are the responsibility of the MSP’s customers.
Identify which of the MSP’s IP addresses are the responsibility of the MSP’s customers.
Modified p. 26 → 28
List of all requirements/testing procedures with this result Summary of the issue (legal obligation, etc.) 4.14 Disclosure summary for “Not Tested” responses • Identify whether there were any responses indicated as “Not Tested”: (yes/no) • If “yes,” complete the table below:
List of all requirements/testing procedures with this result Summary of the issue (legal obligation, etc.) 4.13 Disclosure summary for “Not Tested” responses • Identify whether there were any responses indicated as “Not Tested”: (yes/no) • If “yes,” complete the table below:
Modified p. 26 → 28
List of all requirements/testing procedures with this result Summary of the issue (for example, not deemed in scope for the assessment, reliance on a third-party service provider who is compliant to PCI DSS v2.0 and hasn’t yet assessed against 3.0 or 3.1, etc.)
List of all requirements/testing procedures with this result Summary of the issue (for example, not deemed in scope for the assessment, reliance on a third-party service provider who is compliant to PCI DSS v3.1 and hasn’t yet assessed against 3.2, etc.)
Modified p. 27 → 30
5. Quarterly Scan Results 5.1 Quarterly scan results – initial PCI DSS compliance validation • Is this the assessed entity’s initial PCI DSS compliance validation? (yes/no) • If “yes,” complete the remainder of Table 5.1 below. If “no,” proceed to Table 5.2.
5. Quarterly Scan Results 5.1 Quarterly scan results • Is this the assessed entity’s initial PCI DSS compliance validation? (yes/no) • Identify how many external quarterly ASV scans were performed within the last 12 months:
Modified p. 27 → 30
Date of the scan(s) Were any vulnerabilities found that resulted in a failed initial scan? (yes/no) For all scans resulting in a Fail, provide date(s) of re-scans showing that the vulnerabilities have been corrected • Provide the name of the assessor who attests that the most recent scan result was verified to be a passing scan.
Date of the scan(s) Name of ASV that performed the scan Were any vulnerabilities found that resulted in a failed initial scan? (yes/no) For all scans resulting in a Fail, provide date(s) of re-scans showing that the vulnerabilities have been corrected If this is the initial PCI DSS compliance validation, complete the following:
Removed p. 28
Date of the scan(s) Results of Scans (Pass/Fail) For all scans resulting in a Fail, provide date(s) of re-scans showing that the vulnerabilities have been corrected Assessor comments, if applicable:
Removed p. 29
• Network connections, and
Modified p. 29 → 32
Changes to firewall and router configurations.
• Network connections, and • Changes to firewall and router configurations.
Modified p. 29 → 32
Identify the sample of records for network connections that were examined.
Identify the sample of records for network connections that were selected for this testing procedure.
Modified p. 29 → 32
<Report Findings Here> Describe how the sampled records were examined to verify that network connections were:
<Report Findings Here> Describe how the sampled records verified that network connections were:
Modified p. 29 → 32
Identify the sample of records for firewall and router configuration changes that were examined.
Identify the sample of records for firewall and router configuration changes that were selected for this testing procedure.
Modified p. 29 → 32
<Report Findings Here> Describe how change records were compared to actual changes made to firewall and router configurations to verify the changes were:
<Report Findings Here> Describe how the sampled records verified that the firewall and router configuration changes were:
Removed p. 30
<Report Findings Here> For the interview, summarize the relevant details discussed to verify that the diagram is kept current.

<Report Findings Here> For the interview, summarize the relevant details discussed to verify the diagram:

 Shows all cardholder data flows across systems and networks.

<Report Findings Here>  Is kept current and updated as needed upon changes to the environment.
Modified p. 30 → 33
Identify the current network diagram(s) examined. <Report Findings Here> Describe how network connections were observed and compared to the diagram(s) to verify that the diagram:
Identify the current network diagram(s) examined. <Report Findings Here> Describe how network configurations verified that the diagram:
Modified p. 30 → 33
Identify the document examined to verify processes require that the network diagram is kept current.
Identify the responsible personnel interviewed who confirm that the diagram is kept current.
Modified p. 30 → 33
Shows all cardholder data flows across systems and networks.
Shows all cardholder data flows across systems and networks. • Is kept current and updated as needed upon changes to the environment.
Modified p. 30 → 33
Is kept current and updated as needed upon changes to the environment.
• Shows all cardholder data flows across systems and networks. • Is kept current and updated as needed upon changes to the environment.
Modified p. 30 → 33
Identify the data-flow diagram(s) examined. <Report Findings Here> Identify the responsible personnel interviewed for this testing procedure.
Identify the data-flow diagram(s) examined. <Report Findings Here> Identify the responsible personnel interviewed who confirm that the diagram:
Modified p. 30 → 33
<Report Findings Here> 1.1.4 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone. ☐ ☐ ☐ ☐ ☐
<Report Findings Here> 1.1.4 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone. ☐ ☐ ☐ ☐ ☐ 1.1.4.a Examine the firewall configuration standards and verify that they include requirements for a firewall at each Internet connection and between any DMZ and the internal network zone.
Removed p. 31
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 1.1.4.a Examine the firewall configuration standards and verify that they include requirements for a firewall at each Internet connection and between any DMZ and the internal network zone.

Provide the name of the assessor who attests that the current network diagram identified at 1.1.2.a was compared to the firewall configuration standards identified at 1.1.4.a to verify they are consistent with each other.

Identify the personnel responsible for management of network components interviewed for this testing procedure.

<Report Findings Here> For the interview, summarize the relevant details discussed to verify that roles and responsibilities are assigned as documented for management of firewall and router components.

Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP v1 and v2.
Modified p. 31 → 33
At each Internet connection.
At each Internet connection.
Modified p. 31 → 33
Between any DMZ and the internal network zone.
Between any DMZ and the internal network zone.
Modified p. 31 → 34
<Report Findings Here> 1.1.4.b Verify that the current network diagram is consistent with the firewall configuration standards.
Provide the name of the assessor who attests that the current network diagram is consistent with the firewall configuration standards.
Modified p. 31 → 34
Describe how network configurations were observed to verify that, per the documented configuration standards and network diagrams, a firewall is in place:
Describe how network configurations verified that, per the documented configuration standards and network diagrams, a firewall is in place:
Modified p. 31 → 34
<Report Findings Here> 1.1.6 Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.
<Report Findings Here> 1.1.6 Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure. ☐ ☐ ☐ ☐ ☐ 1.1.6.a Verify that firewall and router configuration standards include a documented list of all services, protocols and ports, including business justification and approval for each.
Removed p. 32
<Report Findings Here> Identify the router configuration standards document(s) reviewed to verify the document contains a list of all services, protocols and ports necessary for business, including a business justification for each.

Indicate whether any insecure services, protocols or ports are allowed. (yes/no) <Report Findings Here> If “yes,” complete the instructions below for EACH insecure service, protocol, and port allowed: (add rows as needed) Identify the documented justification. <Report Findings Here> Identify the firewall and router configuration standards reviewed to verify that security features are documented for each insecure service/protocol/port.
Modified p. 32 → 34
Identify the firewall configuration standards document(s) reviewed to verify the document(s) contains a list of all services, protocols and ports necessary for business, including a business justification for each.
Identify the firewall and router configuration standards document(s) reviewed to verify the document(s) contains a list of all services, protocols and ports necessary for business, including a business justification and approval for each.
Modified p. 32 → 34
<Report Findings Here> 1.1.6.b Identify insecure services, protocols, and ports allowed; and verify that security features are documented for each service.
<Report Findings Here> 1.1.6.b Identify insecure services, protocols, and ports allowed; and verify Indicate whether any insecure services, protocols or ports are allowed. (yes/no) <Report Findings Here> If “yes,” complete the instructions below for EACH insecure service, protocol, and port allowed: (add rows as needed)
Modified p. 32 → 35
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 1.1.6.a Verify that firewall and router configuration standards include a documented list of all services, protocols and ports, including business justification for each – for example, hypertext transfer protocol (HTTP) and Secure Sockets Layer (SSL), Secure Shell (SSH), and Virtual Private Network (VPN) protocols.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested Place that security features are documented for each service.
Modified p. 32 → 35
Describe how the firewall and router configurations were examined to verify that the documented security features are implemented for each insecure service, protocol and/or port.
Describe how firewall and router configurations verified that the documented security features are implemented for each insecure service, protocol and/or port.
Modified p. 32 → 35
Identify the firewall and router configuration standards reviewed to verify they require a review of firewall rule sets at least every six months.
Identify the firewall and router configuration standards document(s) reviewed to verify they require a review of firewall rule sets at least every six months.
Modified p. 33 → 35
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested Identify the responsible personnel interviewed who confirm that rule sets are reviewed at least every six months for firewall and router rule sets.
<Report Findings Here> Identify the responsible personnel interviewed who confirm that rule sets are reviewed at least every six months for firewall and router rule sets.
Modified p. 33 → 36
Identify the firewall and router configuration standards reviewed to verify they identify inbound and outbound traffic necessary for the cardholder data environment.
Identify the firewall and router configuration standards document(s) reviewed to verify they identify inbound and outbound traffic necessary for the cardholder data environment.
Modified p. 33 → 36
Describe how firewall and router configurations were examined to verify that the following traffic is limited to that which is necessary for the cardholder data environment:
Describe how firewall and router configurations verified that the following traffic is limited to that which is necessary for the cardholder data environment:
Modified p. 33 → 36
Describe how firewall and router configurations were examined to verify the following is specifically denied:
Describe how firewall and router configurations verified that the following is specifically denied:
Modified p. 33 → 36
Describe how router configuration files were examined to verify they are secured from unauthorized access.
Describe how router configuration files are secured from unauthorized access.
Modified p. 34 → 36
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 1.2.2.b Examine router configurations to verify they are synchronized – for example, the running (or active) configuration matches the start-up configuration (used when machines are booted).
<Report Findings Here> 1.2.2.b Examine router configurations to verify they are synchronized – for example, the running (or active) configuration matches the start-up configuration (used when machines are booted).
Modified p. 34 → 36
Describe how router configuration files were examined to verify they are synchronized.
Describe how router configurations are synchronized.
Modified p. 34 → 36
Describe how firewall and router configurations were examined to verify perimeter firewalls are in place between all wireless networks and the cardholder data environment.
Describe how firewall and router configurations verified that perimeter firewalls are in place between all wireless networks and the cardholder data environment.
Modified p. 34 → 37
<Report Findings Here> 1.2.3.b Verify that the firewalls deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 1.2.3.b Verify that the firewalls deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment.
Modified p. 34 → 37
Indicate whether traffic between the wireless environment and the cardholder data environment is necessary for business purposes. (yes/no) <Report Findings Here> Describe how firewall and/or router configurations were observed to verify firewalls deny all traffic from any wireless environment into the cardholder environment.
Indicate whether traffic between the wireless environment and the cardholder data environment is necessary for business purposes. (yes/no) <Report Findings Here> Describe how firewall and/or router configurations verified that firewalls deny all traffic from any wireless environment into the cardholder environment.
Modified p. 34 → 37
<Report Findings Here> Describe how firewall and/or router configurations were observed to verify firewalls permit only authorized traffic from any wireless environment into the cardholder environment.
<Report Findings Here> Describe how firewall and/or router configurations verified that firewalls permit only authorized traffic from any wireless environment into the cardholder environment.
Removed p. 35
<Report Findings Here> 1.3.3 Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment. ☐ ☐ ☐ ☐ ☐ 1.3.3 Examine firewall and router configurations to verify direct connections inbound or outbound are not allowed for traffic between the Internet and the cardholder data environment.

<Report Findings Here> Describe the anti-spoofing measures implemented <Report Findings Here> 1.3.5 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet. ☐ ☐ ☐ ☐ ☐
Modified p. 35 → 37
Describe how the firewall and router configurations were examined to verify that the DMZ is implemented to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.
Describe how firewall and router configurations verified that the DMZ is implemented to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.
Modified p. 35 → 37
Describe how the firewall and router configurations were examined to verify that configurations limit inbound Internet traffic to IP addresses within the DMZ.
Describe how firewall and router configurations verified that configurations limit inbound Internet traffic to IP addresses within the DMZ.
Modified p. 35 → 37
• Inbound <Report Findings Here> • Outbound <Report Findings Here> 1.3.4 Implement anti-spoofing measures to detect and block forged source IP addresses from entering the network.
<Report Findings Here> 1.3.3 Implement anti-spoofing measures to detect and block forged source IP addresses from entering the network.
Modified p. 35 → 37
(For example, block traffic originating from the Internet with an internal source address) ☐ ☐ ☐ ☐ ☐ 1.3.4 Examine firewall and router configurations to verify that anti-spoofing measures are implemented, for example internal addresses cannot pass from the Internet into the DMZ.
(For example, block traffic originating from the Internet with an internal source address) ☐ ☐ ☐ ☐ ☐
Modified p. 35 → 38
Describe how the examined firewall and router configurations were observed to prevent direct connections between the Internet and the cardholder data environment:
Describe how firewall and router configurations verified that outbound traffic from the cardholder data environment to the Internet is explicitly authorized.
Modified p. 35 → 38
Describe how firewall and router configurations were examined to verify that anti-spoofing measures are implemented.
Describe how firewall and router configurations verified that anti-spoofing measures are implemented.
Removed p. 36
<Report Findings Here> 1.3.6 Implement stateful inspection, also known as dynamic packet filtering. (That is, only “established” connections are allowed into the network.) ☐ ☐ ☐ ☐ ☐ 1.3.6 Examine firewall and router configurations to verify that the firewall performs stateful inspection (dynamic packet filtering). (Only established connections should be allowed in, and only if they are associated with a previously established session.) Describe how firewall and router configurations were examined to verify that the firewall performs stateful inspection.

• Network Address Translation (NAT),

• Placing servers containing cardholder data behind proxy servers/firewalls,

• Removal or filtering of route advertisements for private networks that employ registered addressing,

• Internal use of RFC1918 address space instead of registered addresses.
Modified p. 36 → 38
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 1.3.5 Examine firewall and router configurations to verify that outbound traffic from the cardholder data environment to the Internet is explicitly authorized.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 1.3.3 Examine firewall and router configurations to verify that anti-spoofing measures are implemented, for example internal addresses cannot pass from the Internet into the DMZ.
Modified p. 36 → 38
<Report Findings Here> Describe how observed firewall configurations implement stateful inspection <Report Findings Here> 1.3.7 Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks. ☐ ☐ ☐ ☐ ☐ 1.3.7 Examine firewall and router configurations to verify that system components that store cardholder data are on an internal network zone, segregated from the DMZ and other untrusted networks.
Describe how firewall and router configurations verified that the firewall permits only established connections into the internal network, and denies any inbound connections not associated with a previously established session <Report Findings Here> 1.3.6 Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks. ☐ ☐ ☐ ☐ ☐ 1.3.6 Examine firewall and router configurations to verify that system components that store cardholder data are on an …
Modified p. 36 → 38
Indicate whether any system components store cardholder data. (yes/no) <Report Findings Here> Describe how firewall and router configurations were examined to verify that the system components that store cardholder data are located on an internal network zone, and are segregated from the DMZ and other untrusted networks.
Indicate whether any system components store cardholder data. (yes/no) <Report Findings Here> Describe how firewall and router configurations verified that the system components that store cardholder data are located on an internal network zone, and are segregated from the DMZ and other untrusted networks.
Modified p. 36 → 39
Describe how firewall and router configurations were examined to verify that outbound traffic from the cardholder data environment to the Internet is explicitly authorized.
Describe how firewall and router configurations verified that methods are in place to prevent the disclosure of private IP addresses and routing information from internal networks to the Internet.
Modified p. 36 → 39
<Report Findings Here> 1.3.8 Do not disclose private IP addresses and routing information to unauthorized parties.
<Report Findings Here> 1.3.7.b Interview personnel and examine documentation to verify that any disclosure of private IP addresses and routing information to external entities is authorized.
Modified p. 36 → 39
1.3.8.a Examine firewall and router configurations to verify that methods are in place to prevent the disclosure of Describe the methods in place to prevent the disclosure of private IP addresses and routing information from internal networks to the Internet.
1.3.7.a Examine firewall and router configurations to verify that methods are in place to prevent the disclosure of private IP addresses and routing information from internal networks to the Internet.
Removed p. 37
Describe how firewall and router configurations were examined to verify that methods are in place to prevent the disclosure of private IP addresses and routing information from internal networks to the Internet.

<Report Findings Here> 1.3.8.b Interview personnel and examine documentation to verify that any disclosure of private IP addresses and routing information to external entities is authorized.
Modified p. 37 → 39
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested Place private IP addresses and routing information from internal networks to the Internet.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 1.3.7 Do not disclose private IP addresses and routing information to unauthorized parties.
Modified p. 37 → 39
<Report Findings Here> 1.4 Install personal firewall software on any mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network. Firewall configurations include:
<Report Findings Here> 1.4 Install personal firewall software or equivalent functionality on any portable computing devices (including company and/or employee-owned) that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the CDE. Firewall (or equivalent) configurations include:
Modified p. 37 → 39
Specific configuration settings are defined for personal firewall software.
Specific configuration settings are defined.
Modified p. 37 → 39
Personal firewall software is actively running.
Personal firewall (or equivalent functionality) is actively running.
Modified p. 37 → 39
Personal firewall software is not alterable by users of mobile and/or employee-owned devices.
Personal firewall (or equivalent functionality) is not alterable by users of the portable computing devices.
Removed p. 38
• Personal firewall software is required for all mobile and/or employee-owned devices that connect to the Internet when outside the network, and which are also used to access the network.
Modified p. 38 → 40
Personal firewall software is required for all mobile and/or employee-owned devices that connect to the Internet when outside the network, (for example, laptops used by employees), and which are also used to access the network.
Personal firewall software or equivalent functionality is required for all portable computing devices (including company and/or employee-owned) that connect to the Internet when outside the network, (for example, laptops used by employees), and which are also used to access the CDE.
Modified p. 38 → 40
Specific configuration settings are defined for personal firewall software.
Specific configuration settings are defined for personal firewall or equivalent functionality.
Modified p. 38 → 40
Specific configuration settings are defined for personal firewall software.
Specific configuration settings are defined for personal firewall or equivalent functionality.
Modified p. 38 → 40
Personal firewall software is configured to actively run.
Personal firewall or equivalent functionality is configured to actively run.
Modified p. 38 → 40
Personal firewall software is configured to actively run.
Personal firewall or equivalent functionality is configured to actively run.
Modified p. 38 → 40
Personal firewall software is configured to not be alterable by users of mobile and/or employee-owned devices.
Personal firewall or equivalent functionality is configured to not be alterable by users of the portable computing devices.
Modified p. 38 → 40
Personal firewall software is configured to not be alterable by users of mobile and/or employee-owned devices.
Personal firewall or equivalent functionality is configured to not be alterable by users of the portable computing devices.
Modified p. 38 → 40
Indicate whether mobile and/or employee-owned computers with direct connectivity to the Internet when outside the network are used to access the organization’s network. (yes/no) <Report Findings Here> If “no,” identify the document reviewed that explicitly prohibits mobile and/or employee-owned computers with direct connectivity to the Internet when outside the network from being used to access the organization’s network.
Indicate whether portable computing devices (including company and/or employee-owned) with direct connectivity to the Internet when outside the network are used to access the organization’s CDE. (yes/no) <Report Findings Here> If “no,” identify the document reviewed that explicitly prohibits portable computing devices (including company and/or employee-owned) with direct connectivity to the Internet when outside the network from being used to access the organization’s CDE.
Modified p. 39 → 41
Personal firewall software is actively running.
Personal firewall (or equivalent functionality) is actively running.
Modified p. 39 → 41
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 1.4.b Inspect a sample of mobile and/or employee-owned devices to verify that:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 1.4.b Inspect a sample of portable computing devices (including company and/or employee-owned) to verify that:
Modified p. 39 → 41
Personal firewall software is installed and configured per the organization’s specific configuration settings.
Personal firewall (or equivalent functionality) is installed and configured per the organization’s specific configuration settings.
Modified p. 39 → 41
Personal firewall software is not alterable by users of mobile and/or employee-owned devices.
Personal firewall or equivalent functionality is not alterable by users of the portable computing devices.
Modified p. 39 → 41
<Report Findings Here> Describe how the sample of mobile and/or employee-owned devices was inspected to verify that personal firewall software is:
<Report Findings Here> Describe how the sample of portable computing devices (including company and/or employee-owned) verified that personal firewall software is:
Modified p. 39 → 41
<Report Findings Here> Identify responsible personnel interviewed who confirm that the above documented security policies and operational procedures for managing firewalls are:
<Report Findings Here> Identify the responsible personnel interviewed who confirm that the above documented security policies and operational procedures for managing firewalls are:
Modified p. 40 → 42
This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, POS terminals, Simple Network Management Protocol (SNMP) community strings, etc.
This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, POS terminals, payment applications, Simple Network Management Protocol (SNMP) community strings, etc.
Modified p. 40 → 42
2.1.a Choose a sample of system components, and attempt to log on (with system administrator help) to the devices and applications using default vendor-supplied accounts and passwords, to verify that ALL default passwords (including those on operating systems, software that provides security services, application and system accounts, POS terminals, and Simple Network Management Protocol (SNMP) community strings) have been changed. (Use vendor manuals and sources on the Internet to find vendor-supplied accounts/passwords.) Identify the sample of system components selected. …
2.1.a Choose a sample of system components, and attempt to log on (with system administrator help) to the devices and applications using default vendor-supplied accounts and passwords, to verify that ALL default passwords (including those on operating systems, software that provides security services, application and system accounts, POS terminals, and Simple Network Management Protocol (SNMP) community strings) have been changed. (Use vendor manuals and sources on the Internet to find vendor-supplied accounts/passwords.) Identify the sample of system components selected …
Modified p. 40 → 42
<Report Findings Here> For each item in the sample, describe how attempts to log on (with system administrator help) to the sample of devices and applications using default vendor-supplied accounts and passwords were performed to verify that all default passwords have been changed.
<Report Findings Here> For each item in the sample, describe how attempts to log on to the sample of devices and applications using default vendor-supplied accounts and passwords verified that all default passwords have been changed.
Removed p. 41
<Report Findings Here> Describe how the supporting documentation examined verified that:

• All vendor defaults are changed before a system is installed on the network.

<Report Findings Here> • Unnecessary default accounts are removed or disabled before a system is installed on the network.

• Encryption keys were changed from default at installation
Modified p. 41 → 43
All vendor defaults (including default passwords on operating systems, software providing security services, application and system accounts, POS terminals, Simple Network Management Protocol (SNMP) community strings, etc.) are changed before a system is installed on the network.
All vendor defaults (including default passwords on operating systems, software providing security services, application and system accounts, POS terminals, Simple Network Management Protocol (SNMP) community strings, etc.) are changed before a system is installed on the network.
Modified p. 41 → 43
All vendor defaults (including default passwords on operating systems, software providing security services, application and system accounts, POS terminals, Simple Network Management Protocol (SNMP) community strings, etc.) are changed before a system is installed on the network.
All vendor defaults (including default passwords on operating systems, software providing security services, application and system accounts, POS terminals, Simple Network Management Protocol (SNMP) community strings, etc.) are changed before a system is installed on the network.
Modified p. 41 → 43
Unnecessary default accounts (including accounts used by operating systems, security software, applications, systems, POS terminals, SNMP, etc.) are removed or disabled before a system is installed on the network.
Unnecessary default accounts (including accounts used by operating systems, security software, applications, systems, POS terminals, SNMP, etc.) are removed or disabled before a system is installed on the network.
Modified p. 41 → 43
Unnecessary default accounts (including accounts used by operating systems, security software, applications, systems, POS terminals, SNMP, etc.) are removed or disabled before a system is installed on the network.
Unnecessary default accounts (including accounts used by operating systems, security software, applications, systems, POS terminals, SNMP, etc.) are removed or disabled before a system is installed on the network.
Modified p. 41 → 43
Identify responsible personnel interviewed who verify that:
Identify the responsible personnel interviewed who verify that:
Modified p. 41 → 43
<Report Findings Here> Identify supporting documentation examined for this testing procedure.
<Report Findings Here> Identify supporting documentation examined to verify that:
Modified p. 41 → 44
• Encryption keys are changed anytime Indicate whether there are wireless environments connected to the cardholder data environment or transmitting cardholder data. (yes/no) If “no,” mark 2.1.1 as “Not Applicable” and proceed to 2.2.
Indicate whether there are wireless environments connected to the cardholder data environment or transmitting cardholder data. (yes/no) If “no,” mark 2.1.1 as “Not Applicable” and proceed to 2.2.
Removed p. 42
• From default at installation

• Default passwords/phrases on access points are required to be changed upon installation.
Modified p. 42 → 44
Identify responsible personnel interviewed who verify that:
Identify the responsible personnel interviewed who verify that:
Modified p. 42 → 44
<Report Findings Here> Identify supporting documentation examined for this testing procedure.
<Report Findings Here> Identify supporting documentation examined to verify that:
Modified p. 42 → 44
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested Identify responsible personnel interviewed who verify that encryption keys are changed:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 2.1.1.a Interview responsible personnel and examine supporting documentation to verify that:
Modified p. 42 → 44
Anytime anyone with knowledge of the keys leaves the company or changes positions.
• From default at installation • Anytime anyone with knowledge of the keys leaves the company or changes positions.
Modified p. 42 → 44
<Report Findings Here> Describe how the supporting documentation was examined to verify that encryption keys are changed:
<Report Findings Here> Identify the responsible personnel interviewed who verify that encryption keys are changed:
Modified p. 42 → 44
• From default at installation <Report Findings Here> • Anytime anyone with knowledge of the keys leaves the company or changes positions.
• Encryption keys were changed from default at installation • Encryption keys are changed anytime anyone with knowledge of the keys leaves the company or changes positions.
Modified p. 42 → 44
Default SNMP community strings are required to be changed upon installation.
Default SNMP community strings are required to be changed upon installation.
Modified p. 42 → 44
Default SNMP community strings are required to be changed upon installation.
Default SNMP community strings are required to be changed upon installation.
Modified p. 42 → 44
Default passwords/phrases on access points are required to be changed upon installation.
Default passwords/passphrases on access points are required to be changed upon installation.
Modified p. 42 → 44
Default SNMP community strings are required to be changed upon installation.
Default SNMP community strings are required to be changed upon installation. • Default passwords/phrases on access points are required to be changed upon installation.
Modified p. 42 → 44
Default passwords/phrases on access points are required to be changed upon installation.
Default passwords/phrases on access points are required to be changed upon installation.
Modified p. 42 → 45
<Report Findings Here> 2.1.1.c Examine vendor documentation and login to wireless devices, with system administrator help, to verify:
<Report Findings Here> Describe how attempts to login to wireless devices verified that:
Modified p. 42 → 45
Identify vendor documentation examined for this testing procedure.
Identify vendor documentation examined to verify that:
Removed p. 43
• Authentication over wireless networks

• Transmission over wireless networks Identify vendor documentation examined for this testing procedure.

<Report Findings Here> Describe how wireless configuration settings were observed with examined vendor documentation to verify that firmware on wireless devices is updated to support strong encryption for:

• Center for Internet Security (CIS)

• International Organization for Standardization (ISO)

• SysAdmin Audit Network Security (SANS) Institute

• National Institute of Standards and Technology (NIST) 2.2.a Examine the organization’s system configuration standards for all types of system components and verify the system Identify the documented system configuration standards for all types of system components examined.
Modified p. 43 → 45
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested Describe how examined vendor documentation was used to attempt to login to wireless devices (with system administrator help) to verify:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 2.1.1.c Examine vendor documentation and login to wireless devices, with system administrator help, to verify:
Modified p. 43 → 45
Identify vendor documentation examined for this testing procedure.
Identify vendor documentation examined to verify other security-related wireless vendor defaults were changed, if applicable.
Modified p. 43 → 45
<Report Findings Here> Describe how wireless configuration settings were observed with examined vendor documentation to verify other security-related wireless vendor defaults were changed, if applicable.
<Report Findings Here> Describe how wireless configuration settings verified that other security-related wireless vendor defaults were changed, if applicable.
Modified p. 43 → 46
<Report Findings Here> 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
Removed p. 44
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested Place configuration standards are consistent with industry-accepted hardening standards.

Identify the industry-accepted hardening standards the system configuration standards were verified to be consistent with.

<Report Findings Here> For the interview, summarize the relevant details discussed that verify that the process is implemented.

Identify the policy documentation examined to verify it defines that system configuration standards are applied when new systems are configured and verified as being in place before a system is installed on the network <Report Findings Here> Identify the personnel interviewed for this testing procedure.

• System configuration standards are applied when new systems are configured <Report Findings Here> • System configuration standards are verified as being in place before a system is installed on the network.
Modified p. 44 → 46
Identify the policy documentation verified to define that system configuration standards are updated as new vulnerability issues are identified <Report Findings Here> Identify the personnel interviewed for this testing procedure.
Identify the policy documentation examined to verify that system configuration standards are updated as new vulnerability issues are identified.
Modified p. 44 → 46
<Report Findings Here> 2.2.c Examine policies and interview personnel to verify that system configuration standards are applied when new systems are configured and verified as being in place before a system is installed on the network.
Identify the responsible personnel interviewed who confirm that system configuration standards are applied when new systems are configured and verified as being in place before a system is installed on the network.
Removed p. 45
• Changing of all vendor-supplied defaults and elimination of unnecessary default accounts

• Changing of all vendor-supplied defaults and elimination of unnecessary default accounts

• Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same server

• Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same server

• Enabling only necessary services, protocols, daemons, etc., as required for the function of the system

• Enabling only necessary services, protocols, daemons, etc., as required for the function of the system

• Implementing additional security features for any required services, protocols or daemons that are considered to be insecure

• Implementing additional security features for any required services, protocols or daemons that are considered to be insecure

• Configuring system security parameters to prevent misuse

• Configuring system security parameters to prevent misuse

• Removing all unnecessary functionality, such as scripts, …
Modified p. 45 → 47
Removing all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers <Report Findings Here> 2.2.1 Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.)
• Changing of all vendor-supplied defaults and elimination of unnecessary default accounts • Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same server • Enabling only necessary services, protocols, daemons, etc., as required for the function of the system • Implementing additional security features for any required services, protocols or daemons that are considered to be insecure • Configuring system security parameters to prevent misuse • Removing all unnecessary …
Modified p. 45 → 47
2.2.1.a Select a sample of system components and inspect the system configurations to verify that only one primary function is implemented per server.
2.2.1.a Select a sample of system components and inspect the system Identify the sample of system components selected for this testing procedure.
Modified p. 45 → 48
<Report Findings Here> For each item in the sample, describe how system configurations were inspected to verify that only one primary function per server is implemented.
For each item in the sample, describe how system configurations verified that only one primary function per server is implemented.
Removed p. 46
<Report Findings Here> Identify the sample of virtual system components or devices observed.
Modified p. 46 → 48
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 2.2.1.b If virtualization technologies are used, inspect the system configurations to verify that only one primary function is implemented per virtual system component or device.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested Place configurations to verify that only one primary function is implemented per server.
Modified p. 46 → 48
<Report Findings Here> Identify the functions for which virtualization technologies are used.
<Report Findings Here> Identify the sample of virtual system components or devices selected for this testing procedure.
Modified p. 46 → 48
<Report Findings Here> For each virtual system component and device in the sample, describe how the system configurations were inspected to verify that only one primary function is implemented per virtual system component or device.
<Report Findings Here> For each virtual system component and device in the sample, describe how system configurations verified that only one primary function is implemented per virtual system component or device.
Modified p. 46 → 48
Identify the sample of system components selected. <Report Findings Here> For each item in the sample, describe how the enabled system services, daemons, and protocols were inspected to verify that only necessary services or protocols are enabled.
<Report Findings Here> For each item in the sample, describe how the enabled system services, daemons, and protocols verified that only necessary services or protocols are enabled.
Modified p. 46 → 48
For each item in the sample of system components from 2.2.2.a, indicate whether any insecure services, daemons, or protocols are enabled. (yes/no) If “no,” mark the remainder of 2.2.2.b and 2.2.3 as “Not Applicable.” <Report Findings Here> If “yes,” identify responsible personnel interviewed who confirm that a documented business justification was present for each insecure service, daemon, or protocol <Report Findings Here>
For each item in the sample of system components from 2.2.2.a, indicate whether any insecure services, daemons, or protocols are enabled. (yes/no) If “no,” mark the remainder of 2.2.2.b and 2.2.3 as “Not Applicable.” <Report Findings Here> If “yes,” identify the responsible personnel interviewed who confirm that a documented business justification was present for each insecure service, daemon, or protocol <Report Findings Here>
Removed p. 47
• Documented <Report Findings Here> • Implemented <Report Findings Here> 2.2.3.b For POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS and for which the entity asserts are not susceptible to any known exploits for those protocols:
Removed p. 47
Indicate whether the assessed entity includes POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS

• for which the entity asserts are not susceptible to any known exploits for those protocols. (yes/no) If ‘no,’ mark the remainder of 2.2.3.b as ‘not applicable.’ <Report Findings Here> If ‘yes,’ identify the document(s) examined to verify that the entity maintains documentation that verifies the devices are not susceptible to any known exploits for SSL/early TLS.

<Report Findings Here> 2.2.3.c For all other environments using SSL and/or early TLS:

Indicate whether the assessed entity includes any other environments using SSL and/or early TLS (yes/no) If ‘no,’ mark the remainder of 2.2.3.c as ‘not applicable.’ <Report Findings Here>
Modified p. 47 → 49
2.2.3 Implement additional security features for any required services, protocols, or daemons that are considered to be insecure; for example, use secured technologies such as SSH, S-FTP, TLS, or IPSec VPN to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc.
2.2.3 Implement additional security features for any required services, protocols, or daemons that are considered to be insecure
Modified p. 47 → 49
Identify configuration settings inspected. <Report Findings Here> Describe how configuration settings were inspected to verify that security features for all insecure services, daemons, or protocols are:
Describe how configuration settings verified that security features for all insecure services, daemons, or protocols are:
Removed p. 48
• Description of usage, including: what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, type of environment;
Removed p. 48
If ‘yes,’ identify the Risk Mitigation and Migration Plan document(s) examined to verify that it includes:
Modified p. 48 → 49
<Report Findings Here> 2.2.4.c Select a sample of system Identify the sample of system components selected. <Report Findings Here>
Identify the sample of system components selected for this testing procedure.
Removed p. 49
<Report Findings Here> 2.2.5 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers. ☐ ☐ ☐ ☐ ☐ 2.2.5.a Select a sample of system components and inspect the configurations to verify that all unnecessary functionality (for example, scripts, drivers, features, subsystems, file systems, etc.) is removed.
Modified p. 49
For each item in the sample, describe how the common security parameters were inspected to verify that they are set appropriately and in accordance with the configuration standards.
<Report Findings Here> For each item in the sample, describe how the common security parameters verified that they are set appropriately and in accordance with the configuration standards.
Modified p. 49 → 50
components and inspect the common security parameters to verify that they are set appropriately and in accordance with the configuration standards.
2.2.5 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers. ☐ ☐ ☐ ☐ ☐ 2.2.5.a Select a sample of system components and inspect the configurations to verify that all unnecessary functionality (for example, scripts, drivers, features, subsystems, file systems, etc.) is removed.
Modified p. 49 → 50
Identify the sample of system components selected. <Report Findings Here> For each item in the sample, describe how the configurations were inspected to verify that all unnecessary functionality is removed.
<Report Findings Here> For each item in the sample, describe how configurations verified that all unnecessary functionality is removed.
Modified p. 49 → 50
Describe how the security parameters were examined with relevant documentation to verify that enabled functions are:
Describe how the security parameters and relevant documentation verified that enabled functions are:
Modified p. 49 → 50
<Report Findings Here> Describe how the security parameters were examined with relevant documentation to verify that only documented functionality is present on the sampled system components from 2.2.5.a.
<Report Findings Here> Describe how the security parameters verified that only documented functionality is present on the sampled system components from 2.2.5.a.
Modified p. 49 → 50
<Report Findings Here> 2.3 Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or TLS for web-based management and other non-console administrative access.
<Report Findings Here> 2.3 Encrypt all non-console administrative access using strong cryptography.
Removed p. 50
<Report Findings Here> Describe how system configurations for each system were examined to verify that a strong encryption method is invoked before the administrator’s password is requested.

<Report Findings Here> Describe how parameter files on systems were reviewed to determine that Telnet and other insecure remote-login commands are not available for non-console access.
Modified p. 50
For each item in the sample from 2.3:
<Report Findings Here> For each item in the sample from 2.3:
Modified p. 50 → 51
2.3 Select a sample of system components and verify that non-console administrative access is encrypted by performing the following:
2.3.a Observe an administrator log on to each system and examine system configurations to verify that a strong encryption method is invoked before the administrator’s password is requested.
Modified p. 50 → 51
Identify the sample of system components selected for 2.3.a-2.3.d to verify that non-console administrative access is encrypted <Report Findings Here> 2.3.a Observe an administrator log on to each system and examine system configurations to verify that a strong encryption method is invoked before the administrator’s password is requested.
<Report Findings Here> Describe how system configurations for each system verified that a strong encryption method is invoked before the administrator’s password is requested.
Modified p. 50 → 51
Describe how the administrator log on for each system was observed to verify that a strong encryption method is invoked before the administrator’s password is requested.
Describe how the administrator log on to each system verified that a strong encryption method is invoked before the administrator’s password is requested.
Modified p. 50 → 51
Describe how services on systems were reviewed to determine that Telnet and other insecure remote-login commands are not available for non-console access.
Describe how services and parameter files on systems verified that Telnet and other insecure remote-login commands are not available for non-console access.
Modified p. 50 → 51
<Report Findings Here> 2.3.c Observe an administrator log on to each system to verify that administrator access to any web-based management For each item in the sample from 2.3:
<Report Findings Here> 2.3.c Observe an administrator log on to each system to verify that administrator access to any web-based management interfaces is encrypted with strong cryptography.
Removed p. 51
<Report Findings Here> Identify the personnel interviewed for this testing procedure.

<Report Findings Here> For the interview, summarize the relevant details discussed that verify that strong cryptography for the technology in use is implemented according to industry best practices and/or vendor recommendations.

<Report Findings Here> 2.3.e For POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS and for which the entity asserts are not susceptible to any known exploits for those protocols:

Indicate whether the assessed entity includes POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS

• for which the entity asserts are not susceptible to any known exploits for those protocols. (yes/no) If ‘no,’ mark the remainder of 2.3.e as ‘not applicable.’ <Report Findings Here> If ‘yes,’ identify the document(s) examined to verify that the entity maintains documentation that verifies the devices are not susceptible to …
Modified p. 51
Describe how the administrator log on to each system was observed to verify that administrator access to any web-based management interfaces was encrypted with strong cryptography.
Describe how the administrator log on to each system verified that administrator access to any web-based management interfaces was encrypted with strong cryptography.
Modified p. 51
<Report Findings Here> 2.3.d Examine vendor documentation and interview personnel to verify that strong cryptography for the technology in use is implemented according to industry best practices and/or vendor recommendations.
<Report Findings Here> 2.3.d Examine vendor documentation and interview personnel to verify that strong cryptography for the technology in use is implemented according to industry best Identify the vendor documentation examined to verify that strong cryptography for the technology in use is implemented according to industry best practices and/or vendor recommendations.
Modified p. 51 → 52
Identify the vendor documentation examined to verify that strong cryptography for the technology in use is implemented according to industry best practices and/or vendor recommendations.
Identify the responsible personnel interviewed who confirm that strong cryptography for the technology in use is implemented according to industry best practices and/or vendor recommendations.
Removed p. 52
If ‘yes,’ identify the Risk Mitigation and Migration Plan document(s) examined to verify that it includes:

• Description of usage, including: what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, type of environment;

<Report Findings Here> For the interview, summarize the relevant details discussed that verify that the documented inventory is kept current.
Modified p. 52
and Migration Plan to verify it includes:
practices and/or vendor recommendations.
Modified p. 52
Describe how the system inventory was examined to verify that a list of hardware and software components is:
Describe how the system inventory verified that a list of hardware and software components is:
Modified p. 52
Identify the personnel interviewed for this testing procedure.
Identify the responsible personnel interviewed who confirm that the documented inventory is kept current.
Modified p. 52
<Report Findings Here> 2.5 Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties. ☐ ☐ ☐ ☐ ☐
<Report Findings Here> 2.5 Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties. ☐ ☐ ☐ ☐ ☐ 2.5 Examine documentation and interview personnel to verify that security policies and operational procedures for managing Identify the document reviewed to verify that security policies and operational procedures for managing vendor defaults and other security parameters are documented.
Removed p. 53
<Report Findings Here> Identify responsible personnel interviewed who confirm that the above documented security policies and operational procedures for managing vendor defaults and other security parameters are:
Modified p. 53
2.5 Examine documentation and interview personnel to verify that security policies and operational procedures for managing vendor defaults and other security parameters are:
vendor defaults and other security parameters are:
Modified p. 53
Identify the document reviewed to verify that security policies and operational procedures for managing vendor defaults and other security parameters are documented.
Identify the responsible personnel interviewed who confirm that the above documented security policies and operational procedures for managing vendor defaults and other security parameters are:
Modified p. 53
Known to all affected parties <Report Findings Here> 2.6 Shared hosting providers must protect each entity’s hosted environment and cardholder data. These providers must meet specific requirements as detailed in Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers. ☐ ☐ ☐ ☐ ☐ 2.6 Perform testing procedures A.1.1 through A.1.4 detailed in Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers for PCI DSS assessments of shared hosting providers, to verify that shared hosting providers protect …
Known to all affected parties <Report Findings Here> 2.6 Shared hosting providers must protect each entity’s hosted environment and cardholder data. These providers must meet specific requirements as detailed in Appendix A1: Additional PCI DSS Requirements for Shared Hosting Providers. ☐ ☐ ☐ ☐ ☐ 2.6 Perform testing procedures A1.1 through A1.4 detailed in Appendix A1: Additional PCI DSS Requirements for Shared Hosting Providers for PCI DSS assessments of shared hosting providers, to verify that shared hosting providers protect …
Modified p. 53
Indicate whether the assessed entity is a shared hosting provider. (yes/no) <Report Findings Here> If “yes,” provide the name of the assessor who attests that Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers has been completed.
Indicate whether the assessed entity is a shared hosting provider. (yes/no) <Report Findings Here> If “yes,” provide the name of the assessor who attests that Appendix A1: Additional PCI DSS Requirements for Shared Hosting Providers has been completed.
Removed p. 54
• Processes for secure deletion of data when no longer needed.

• A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention requirements.
Modified p. 54
Limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements.
Limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements.
Modified p. 54
Limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements.
Limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements.
Modified p. 54
Specific retention requirements for cardholder data
Specific retention requirements for cardholder data • Processes for secure deletion of data when no longer needed.
Modified p. 54
A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention.
A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention.
Modified p. 54
Specific requirements for retention of cardholder data (for example, cardholder data needs to be held for X period for Y business reasons).
Specific requirements for retention of cardholder data (for example, cardholder data needs to be held for X period for Y business reasons).
Modified p. 54
Processes for secure deletion of cardholder data when no longer needed for legal, regulatory, or business reasons
Processes for secure deletion of cardholder data when no longer needed for legal, regulatory, or business reasons • A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention requirements.
Modified p. 54
Limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements for data retention.
Limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements for data retention.
Modified p. 54
Specific requirements for retention of cardholder data.
Specific requirements for retention of cardholder data.
Modified p. 54
Processes for secure deletion of cardholder data when no longer needed for legal, regulatory, or business reasons.
Processes for secure deletion of cardholder data when no longer needed for legal, regulatory, or business reasons.
Modified p. 54
A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention requirements.
A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention requirements.
Removed p. 55
<Report Findings Here> For the interview, summarize the relevant details discussed that verify the following:

• All locations of stored cardholder data are included in the data-retention and disposal process.

<Report Findings Here> • Either a quarterly automatic or manual process is in place to identify and securely delete stored cardholder data.

<Report Findings Here> • The quarterly automatic or manual process is performed for all locations of cardholder data.

<Report Findings Here> Describe the quarterly process in place to identify and securely delete stored cardholder data, including whether it is an automatic or manual process.
Modified p. 55
All locations of stored cardholder data are included in the data-retention and disposal processes.
All locations of stored cardholder data are included in the data-retention and disposal processes.
Modified p. 55
Either a quarterly automatic or manual process is in place to identify and securely delete stored cardholder data.
Either a quarterly automatic or manual process is in place to identify and securely delete stored cardholder data.
Modified p. 55
Either a quarterly automatic or manual process is in place to identify and securely delete stored cardholder data.
Either a quarterly automatic or manual process is in place to identify and securely delete stored cardholder data.
Modified p. 55
The quarterly automatic or manual process is performed for all locations of cardholder data.
The quarterly automatic or manual process is performed for all locations of cardholder data.
Modified p. 55
The quarterly automatic or manual process is performed for all locations of cardholder data.
The quarterly automatic or manual process is performed for all locations of cardholder data.
Modified p. 55
Identify the personnel interviewed who confirm that:
Identify the responsible personnel interviewed who confirm that:
Modified p. 55
All locations of stored cardholder data are included in the data-retention and disposal processes.
All locations of stored cardholder data are included in the data-retention and disposal processes.
Removed p. 56
• The data is stored securely.
Modified p. 56
Examine files and system records to verify that the data stored does not exceed the requirements defined in the data-retention policy.
Examine files and system records to verify that the data stored does not exceed the requirements defined in the data-retention policy.
Modified p. 56
Observe the deletion mechanism to verify data is deleted securely.
Observe the deletion mechanism to verify data is deleted securely.
Modified p. 56
Identify the sample of system components selected.
Identify the sample of system components selected for this testing procedure.
Modified p. 56
<Report Findings Here> For each item in the sample, describe how files and system records were examined to verify that the data stored does not exceed the requirements defined in the data-retention policy.
<Report Findings Here> For each item in the sample, describe how files and system records verified that the data stored does not exceed the requirements defined in the data-retention policy.
Modified p. 56
It is permissible for issuers and companies that support issuing services to store sensitive authentication data if: There is a business justification, and
It is permissible for issuers and companies that support issuing services to store sensitive authentication data if: There is a business justification, and • The data is stored securely.
Modified p. 56
<Report Findings Here> 3.2.b For issuers and/or companies that support issuing services and store sensitive authentication data, examine data stores and system configurations to If “yes” at 3.2.a, Identify data stores examined. <Report Findings Here> Identify the system configurations examined. <Report Findings Here>
<Report Findings Here> 3.2.b For issuers and/or companies that support issuing services and store sensitive authentication data, examine If “yes” at 3.2.a, Identify data stores examined. <Report Findings Here>
Removed p. 57
• The cardholder’s name

• Primary account number (PAN)
Modified p. 57
verify that the sensitive authentication data is secured.
data stores and system configurations to verify that the sensitive authentication data is secured.
Modified p. 57
Identify the document(s) reviewed to verify that it defines that data is not retained after authorization.
Identify the document(s) reviewed to verify the data is not retained after authorization.
Modified p. 57
<Report Findings Here> Describe how system configurations were examined to verify the data is not retained after authorization.
<Report Findings Here> Describe how system configurations verified that the data is not retained after authorization.
Modified p. 57
Identify the document(s) reviewed to verify that it defines processes for securely deleting the data to verify that the data is unrecoverable.
Identify the document(s) reviewed to verify that it defines processes for securely deleting the data so that it is unrecoverable.
Modified p. 57
Service code To minimize risk, store only these data elements as needed for business.
• The cardholder’s name • Primary account number (PAN) • Expiration date • Service code To minimize risk, store only these data elements as needed for business.
Modified p. 58
not stored after authorization:
data on a chip are not stored after authorization:
Modified p. 58
Database contents • Incoming transaction data <Report Findings Here> • All logs (for example, transaction, history, debugging error) <Report Findings Here> • History files <Report Findings Here> • Trace files <Report Findings Here> • Database schemas <Report Findings Here> • Database contents <Report Findings Here> • If applicable, any other output observed to be generated <Report Findings Here> 3.2.2 Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of …
• Incoming transaction data • All logs (for example, transaction, history, debugging, error) • History files • Trace files • Several database schemas • Database contents • Incoming transaction data <Report Findings Here> • All logs (for example, transaction, history, debugging error) <Report Findings Here> • History files <Report Findings Here> • Trace files <Report Findings Here> • Database schemas <Report Findings Here> • Database contents <Report Findings Here> • If applicable, any other output observed to be generated <Report …
Modified p. 58
Database contents For each data source type below from the sample of system components at 3.2.1, summarize the specific examples of each data source type observed to verify that the three-digit or four-digit card verification code or value printed on the front of the card or the signature panel (CVV2, CVC2, CID, CAV2 data) is not stored after authorization. If that type of data source is not present, indicate that in the space.
• Incoming transaction data • All logs (for example, transaction, history, debugging, error) • History files • Trace files • Several database schemas • Database contents For each data source type below from the sample of system components at 3.2.1, summarize the specific examples of each data source type observed to verify that the three-digit or four-digit card verification code or value printed on the front of the card or the signature panel (CVV2, CVC2, CID, CAV2 data) is …
Modified p. 59
3.2.3 Do not store the personal identification number (PIN) or the encrypted PIN block after authorization. ☐ ☐ ☐ ☐ 3.2.3 For a sample of system components, examine data sources, including but not limited to the following and verify that PINs and encrypted PIN blocks are not stored after authorization:
3.2.3 Do not store the personal identification number (PIN) or the encrypted PIN block after authorization. ☐ ☐ ☐ ☐ 3.2.3 For a sample of system components, examine data sources, including but not limited to the following and verify that PINs and encrypted PIN blocks are not stored after authorization:
Modified p. 59
Database contents For each data source type below from the sample of system components at 3.2.1, summarize the specific examples of each data source type observed. If that type of data source is not present, indicate that in the space.
• Incoming transaction data • All logs (for example, transaction, history, debugging, error) • History files • Trace files • Several database schemas • Database contents For each data source type below from the sample of system components at 3.2.1, summarize the specific examples of each data source type observed. If that type of data source is not present, indicate that in the space.
Modified p. 59
• Incoming transaction data <Report Findings Here> • All logs (for example, transaction, history, debugging error) <Report Findings Here> • History files <Report Findings Here> • Trace files <Report Findings Here> • Database schemas <Report Findings Here> • Database contents <Report Findings Here> • If applicable, any other output observed to be generated <Report Findings Here> 3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only …
• Incoming transaction data <Report Findings Here> • All logs (for example, transaction, history, debugging error) <Report Findings Here> • History files <Report Findings Here> • Trace files <Report Findings Here> • Database schemas <Report Findings Here> • Database contents <Report Findings Here> • If applicable, any other output observed to be generated <Report Findings Here> 3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only …
Modified p. 60
A list of roles that need access to displays of full PAN is documented, together with a legitimate business need for each role to have such access.
A list of roles that need access to displays of more than first six/last four (includes full PAN) is documented, together with a legitimate business need for each role to have such access.
Modified p. 60
A list of roles that need access to displays of full PAN is documented, together with a legitimate business need for each role to have such access.
A list of roles that need access to displays of more than first six/last four (includes full PAN) is documented, together with a legitimate business need for each role to have such access.
Modified p. 60
PAN must be masked when displayed such that only personnel with a legitimate business need can see the full PAN.
PAN must be masked when displayed such that only personnel with a legitimate business need can see more than the first six/last four digits of the PAN.
Modified p. 60
All other roles not specifically authorized to see the full PAN must only see masked PANs.
All roles not specifically authorized to see the full PAN must only see masked PANs.
Modified p. 60
All other roles not specifically authorized to see the full PAN must only see masked PANs.
All roles not specifically authorized to see the full PAN must only see masked PANs.
Modified p. 60
PAN must be masked when displayed such that only personnel with a legitimate business need can see the full PAN.
PAN must be masked when displayed such that only personnel with a legitimate business need can see more than first six/last four digits of the PAN.
Modified p. 60
Describe how system configurations were examined to verify that:
Describe how system configurations verified that:
Modified p. 60
<Report Findings Here> • PAN is masked for all other requests. <Report Findings Here> 3.3.c Examine displays of PAN (for example, on screen, on paper receipts) to verify that PANs are masked when displaying cardholder data, and that only those with a legitimate business need are able to see full PAN.
<Report Findings Here> • PAN is masked for all other requests. <Report Findings Here> 3.3.c Examine displays of PAN (for example, on screen, on paper receipts) to verify that PANs are masked when displaying cardholder data, and that only those with a legitimate business need are able to see more than first six/last four digits of the PAN.
Modified p. 60
Describe how displays of PAN were examined to verify that:
Describe how displays of PAN verified that:
Modified p. 60
<Report Findings Here> • Only those with a legitimate business need are able to see full PAN.
<Report Findings Here> • Only those with a legitimate business need are able to see more than first six/last four digits of the PAN.
Removed p. 61
• One-way hashes based on strong cryptography,

• Index tokens and pads, with the pads being securely stored

• Strong cryptography, with associated key-management processes and procedures Identify the documentation examined about the system used to protect the PAN.

<Report Findings Here> Briefly describe the documented methods

• including the vendor, type of system/process, and then encryption algorithms (if applicable)

• used to protect the PAN.

• One-way hashes based on strong cryptography

• Index token and pads, with the pads being securely stored
Modified p. 61
One-way hashes based on strong cryptography, (hash must be of the entire PAN).
One-way hashes based on strong cryptography, (hash must be of the entire PAN).
Modified p. 61
Truncation (hashing cannot be used to replace the truncated segment of PAN).
Truncation (hashing cannot be used to replace the truncated segment of PAN).
Modified p. 61
Index tokens and pads (pads must be securely stored).
Index tokens and pads (pads must be securely stored).
Modified p. 61
Strong cryptography with associated key-management processes and procedures.
Strong cryptography with associated key-management processes and procedures.
Modified p. 61
<Report Findings Here> Identify which of the following methods is used to render the PAN unreadable:
<Report Findings Here> For each item in the sample, describe how the tables or files verified that the PAN is rendered unreadable.
Modified p. 61
Strong cryptography, with associated key- management processes and procedures <Report Findings Here> 3.4.b Examine several tables or files from a sample of data repositories to verify the PAN is rendered unreadable (that is, not stored in plain-text).
• One-way hashes based on strong cryptography, • Truncation • Index tokens and pads, with the pads being securely stored Strong cryptography, with associated key- management processes and procedures <Report Findings Here> 3.4.b Examine several tables or files from a sample of data repositories to verify the PAN is rendered unreadable (that is, not stored in plain-text).
Modified p. 61
Identify the sample of data repositories selected. <Report Findings Here> Identify the tables or files examined for each item in the sample of data repositories.
<Report Findings Here> Identify the tables or files examined for each item in the sample of data repositories.
Modified p. 61
<Report Findings Here> 3.4.c Examine a sample of removable Identify the sample of removable media selected. <Report Findings Here>
<Report Findings Here> 3.4.c Examine a sample of removable media (for example, backup tapes) to Identify the sample of removable media selected for this testing procedure.
Modified p. 61 → 62
<Report Findings Here> For each item in the sample, describe how the table or file was examined to verify the PAN is rendered unreadable.
<Report Findings Here> For each item in the sample, describe how the sample of audit logs, including payment application logs, confirmed that the PAN is rendered unreadable or is not present in the logs.
Removed p. 62
Identify the sample of audit logs selected. <Report Findings Here> For each item in the sample, describe how the sample of audit logs was examined to confirm that the PAN is rendered unreadable or removed from the logs.
Modified p. 62
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested Place media (for example, backup tapes) to confirm that the PAN is rendered unreadable.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested Place confirm that the PAN is rendered unreadable.
Modified p. 62
For each item in the sample, describe how the sample of removable media was examined to confirm that the PAN is rendered unreadable.
For each item in the sample, describe how the sample of removable media confirmed that the PAN is rendered unreadable.
Modified p. 62
<Report Findings Here> 3.4.d Examine a sample of audit logs to confirm that the PAN is rendered unreadable or removed from the logs.
<Report Findings Here> 3.4.d Examine a sample of audit logs, including payment application logs, to confirm that PAN is rendered unreadable or is not present in the logs.
Modified p. 62
If “no,” mark the remainder of 3.4.1.a, 3.4.1.b and 3.4.1.c as “Not Applicable.’ Describe the disk encryption mechanism(s) in use. <Report Findings Here> For each disk encryption mechanism in use, describe how the configuration was inspected and the authentication process observed to verify that logical access to encrypted file systems is separate from the native operating system’s authentication mechanism.
If “no,” mark the remainder of 3.4.1.a, 3.4.1.b and 3.4.1.c as “Not Applicable.’ Describe the disk encryption mechanism(s) in use. <Report Findings Here> For each disk encryption mechanism in use, describe how the configuration verified that logical access to encrypted file systems is separate from the native operating system’s authentication mechanism.
Modified p. 62 → 63
<Report Findings Here> 3.4.1.b Observe processes and interview personnel to verify that cryptographic keys Describe how processes were observed to verify that cryptographic keys are stored securely.
<Report Findings Here> 3.4.1.b Observe processes and interview personnel to verify that cryptographic keys are stored securely (for example, stored on removable media that is adequately protected with strong access controls).
Modified p. 63
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested Place are stored securely (for example, stored on removable media that is adequately protected with strong access controls).
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested For each disk encryption mechanism in use, describe how the authentication process was observed to verify that logical access to encrypted file systems is separate from the native operating system’s authentication mechanism.
Modified p. 63
Identify the personnel interviewed who confirm that cryptographic keys are stored securely.
<Report Findings Here> Identify the responsible personnel interviewed who confirm that cryptographic keys are stored securely.
Modified p. 63
Identify the configurations examined. <Report Findings Here> Describe how the configurations were examined and the processes observed to verify that cardholder data on removable media is encrypted wherever stored.
<Report Findings Here> Describe how processes were observed to verify that cardholder data on removable media is encrypted wherever stored.
Modified p. 63 → 64
Access to keys is restricted to the fewest number of custodians necessary.
Access to keys is restricted to the fewest number of custodians necessary.
Modified p. 63 → 64
Access to keys is restricted to the fewest number of custodians necessary.
Access to keys is restricted to the fewest number of custodians necessary.
Modified p. 63 → 64
Key-encrypting keys are at least as strong as the data-encrypting keys they protect.
Key-encrypting keys are at least as strong as the data-encrypting keys they protect.
Modified p. 63 → 64
Key-encrypting keys are at least as strong as the data-encrypting keys they protect.
Key-encrypting keys are at least as strong as the data-encrypting keys they protect.
Modified p. 63 → 64
Key-encrypting keys are stored separately from data-encrypting keys.
Key-encrypting keys are stored separately from data-encrypting keys.
Modified p. 63 → 64
Key-encrypting keys are stored separately from data-encrypting keys.
Key-encrypting keys are stored separately from data-encrypting keys.
Modified p. 63 → 64
Keys are stored securely in the fewest possible locations and forms.
Keys are stored securely in the fewest possible locations and forms.
Modified p. 63 → 64
Keys are stored securely in the fewest possible locations and forms.
Keys are stored securely in the fewest possible locations and forms.
Modified p. 63 → 65
<Report Findings Here> 3.5.1 Restrict access to cryptographic keys to the fewest number of custodians necessary. ☐ ☐ ☐ ☐ ☐ 3.5.1 Examine user access lists to verify Identify user access lists examined. <Report Findings Here>
• Inventory of any HSMs and other SCDs used for key management <Report Findings Here> 3.5.2 Restrict access to cryptographic keys to the fewest number of custodians necessary. ☐ ☐ ☐ ☐ ☐ 3.5.2 Examine user access lists to verify that access to keys is restricted to the fewest number of custodians necessary.
Removed p. 64
• Within a secure cryptographic device (such as a hardware (host) security module (HSM) or PTS-approved point- of-interaction device).

• As key components or key shares, in accordance with an industry-accepted method.
Modified p. 64 → 65
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested Place that access to keys is restricted to the fewest number of custodians necessary.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested
Modified p. 64 → 65
Describe how user access lists were examined to verify that access to keys is restricted to the fewest number of custodians necessary.
Identify user access lists examined. <Report Findings Here> Describe how the user access lists verified that access to keys is restricted to the fewest number of custodians necessary.
Modified p. 64 → 65
<Report Findings Here> 3.5.2 Store secret and private keys used to encrypt/decrypt cardholder data in one (or more) of the following forms at all times:
<Report Findings Here> 3.5.3 Store secret and private keys used to encrypt/decrypt cardholder data in one (or more) of the following forms at all times:
Modified p. 64 → 65
Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key. Within a secure cryptographic device (such as a hardware/host security module (HSM) or PTS-approved point-of-interaction device). As at least two full-length key components or key shares, in accordance with an industry-accepted method.
Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key. Within a secure cryptographic device (such as a hardware/host security module (HSM) or PTS-approved point-of-interaction device). As at least two full-length key components or key shares, in accordance with an industry-accepted method.
Modified p. 64 → 66
3.5.2.a Examine documented procedures to verify that cryptographic keys used to encrypt/decrypt cardholder data must only exist in one (or more) of the following forms at all times.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 3.5.3.a Examine documented procedures to verify that cryptographic keys used to encrypt/decrypt cardholder data must only exist in one (or more) of the following forms at all times.
Modified p. 64 → 66
Encrypted with a key-encrypting key that is at least as strong as the data- encrypting key, and that is stored separately from the data-encrypting key.
Encrypted with a key-encrypting key that is at least as strong as the data- encrypting key, and that is stored separately from the data-encrypting key. • Within a secure cryptographic device (such as a hardware (host) security module (HSM) or PTS-approved point- of-interaction device). • As key components or key shares, in accordance with an industry-accepted method.
Modified p. 64 → 66
Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data- encrypting key.
Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key.
Modified p. 64 → 66
Within a secure cryptographic device (such as a hardware (host) security module (HSM) or PTS-approved point-of-interaction device).
Within a secure cryptographic device (such as a hardware (host) security module (HSM) or PTS-approved point-of-interaction device).
Modified p. 64 → 66
As key components or key shares, in accordance with an industry-accepted method.
As key components or key shares, in accordance with an industry-accepted method.
Removed p. 65
• As key components or key shares, in accordance with an industry-accepted method.

• Encrypted with a key-encrypting key.

• Key-encrypting keys are stored separately from data-encrypting keys.

Describe how system configurations and key storage locations were examined to verify that, wherever key-encrypting keys are used:
Modified p. 65 → 66
Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data- encrypting key.
Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key.
Modified p. 65 → 66
Within a secure cryptographic device (such as a hardware (host) security module (HSM) or PTS-approved point-of-interaction device).
Within a secure cryptographic device (such as a hardware (host) security module (HSM) or PTS-approved point-of-interaction device).
Modified p. 65 → 66
As key components or key shares, in accordance with an industry-accepted method.
As key components or key shares, in accordance with an industry-accepted method.
Modified p. 65 → 66
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 3.5.2.b Examine system configurations and key storage locations to verify that cryptographic keys used to encrypt/decrypt cardholder data exist in one, (or more), of the following form at all times.
<Report Findings Here> 3.5.3.b Examine system configurations and key storage locations to verify that cryptographic keys used to encrypt/decrypt cardholder data exist in one, (or more), of the following form at all times.
Modified p. 65 → 66
Within a secure cryptographic device (such as a hardware (host) security module (HSM) or PTS-approved point- of-interaction device).
• Encrypted with a key-encrypting key. • Within a secure cryptographic device (such as a hardware (host) security module (HSM) or PTS-approved point- of-interaction device). • As key components or key shares, in accordance with an industry-accepted method.
Modified p. 65 → 66
<Report Findings Here> Describe how system configurations and key storage locations were examined to verify that cryptographic keys used to encrypt/decrypt cardholder data must only exist in one (or more) of the following forms at all times.
<Report Findings Here> Describe how system configurations and key storage locations verified that, wherever key-encrypting keys are used:
Modified p. 65 → 67
<Report Findings Here> 3.5.2.c Wherever key-encrypting keys are used, examine system configurations and key storage locations to verify:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 3.5.3.c Wherever key-encrypting keys are used, examine system configurations and key storage locations to verify:
Modified p. 65 → 67
Key-encrypting keys are at least as strong as the data-encrypting keys they protect.
Key-encrypting keys are at least as strong as the data-encrypting keys they protect. • Key-encrypting keys are stored separately from data-encrypting keys.
Modified p. 65 → 67
<Report Findings Here> 3.5.3 Store cryptographic keys in the fewest possible locations. ☐ ☐ ☐ ☐ ☐ 3.5.3 Examine key storage locations and observe processes to verify that keys are stored in the fewest possible locations.
<Report Findings Here> 3.5.4 Store cryptographic keys in the fewest possible locations. ☐ ☐ ☐ ☐ ☐ 3.5.4 Examine key storage locations and observe processes to verify that keys are stored in the fewest possible locations.
Modified p. 65 → 67
Describe how key storage locations were examined and processes were observed to verify that keys are stored in the fewest possible locations.
Describe how key storage locations and the observed processes verified that keys are stored in the fewest possible locations.
Removed p. 66
Describe how the method for generating keys was observed to verify that strong keys are generated.
Modified p. 66 → 67
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 3.6.a Additional Procedure for service provider assessments only: If the service provider shares keys with their customers for transmission or storage of cardholder data, examine the documentation that the service provider provides to their customers to verify that it includes guidance on how to securely transmit, store, and update customers’ keys, in accordance with Requirements …
3.6.a Additional Procedure for service provider assessments only: If the service provider shares keys with their customers for transmission or storage of cardholder data, examine the documentation that the service provider provides to their customers to verify that it includes guidance on how to securely transmit, store, and update customers’ keys, in accordance with Requirements 3.6.1 through 3.6.8 below.
Modified p. 66 → 68
<Report Findings Here> 3.6.1.b Observe the method for generating keys to verify that strong keys are generated.
Describe how the procedures for generating keys was observed to verify that strong keys are generated.
Removed p. 67
Identify the document that defines:

• Key cryptoperiod(s) for each key type in use

• The retirement or replacement of keys when the integrity of the key has been weakened.

• The replacement of known or suspected compromised keys.
Modified p. 67 → 68
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 3.6.3.b Observe the method for storing keys to verify that keys are stored securely.
<Report Findings Here> 3.6.3.b Observe the method for storing keys to verify that keys are stored securely.
Modified p. 67 → 68
• A process for key changes at the end of the defined cryptoperiod(s) <Report Findings Here> 3.6.4.b Interview personnel to verify that keys are changed at the end of the defined cryptoperiod(s).
<Report Findings Here> 3.6.4.b Interview personnel to verify that keys are changed at the end of the defined cryptoperiod(s).
Modified p. 67 → 68
Identify personnel interviewed for this testing procedure who confirm that keys are changed at the end of the defined cryptoperiod(s).
Identify the responsible personnel interviewed who confirm that keys are changed at the end of the defined cryptoperiod(s).
Modified p. 67 → 69
<Report Findings Here> 3.6.5 Retirement or replacement (for example, archiving, destruction, and/or revocation) of keys as deemed necessary when the integrity of the key has been weakened (for example, departure of an employee with knowledge of a clear-text key component), or keys are suspected of being compromised.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 3.6.5 Retirement or replacement (for example, archiving, destruction, and/or revocation) of keys as deemed necessary when the integrity of the key has been weakened (for example, departure of an employee with knowledge of a clear-text key component), or keys are suspected of being compromised.
Modified p. 67 → 69
The retirement or replacement of keys when the integrity of the key has been weakened.
The retirement or replacement of keys when the integrity of the key has been weakened.
Modified p. 67 → 69
The replacement of known or suspected compromised keys.
The replacement of known or suspected compromised keys.
Modified p. 67 → 69
Any keys retained after retiring or replacing are not used for encryption operations.
Any keys retained after retiring or replacing are not used for encryption operations.
Modified p. 67 → 69
Identify the key-management document examined to verify that key-management processes specify the following:
Identify the documented key-management procedures examined to verify that key-management processes specify the following:
Modified p. 67 → 69
Any keys retained after retiring or replacing are not used for encryption operations.
Any keys retained after retiring or replacing are not used for encryption operations.
Removed p. 68
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 3.6.5.b Interview personnel to verify the following processes are implemented:

• Keys are replaced if known or suspected to be compromised.

• Any keys retained after retiring or replacing are not used for encryption operations.

<Report Findings Here> • Keys are replaced if known or suspected to be compromised.

Identify the document examined to verify that manual clear-text key-management procedures define processes for the use of the following:

• Split knowledge of keys, such that key components are under the control of at least two people who only have knowledge of their own key components; AND

• Dual control of keys, such that at least two people are required to perform any key- management operations and no one person has access to the authentication materials of another.
Modified p. 68 → 69
Keys are retired or replaced as necessary when the integrity of the key has been weakened, including when someone with knowledge of the key leaves the company.
Keys are retired or replaced as necessary when the integrity of the key has been weakened, including when someone with knowledge of the key leaves the company. • Keys are replaced if known or suspected to be compromised.
Modified p. 68 → 69
Identify the personnel interviewed for this testing procedure.
Identify the responsible personnel interviewed who confirm that the following processes are implemented:
Modified p. 68 → 69
<Report Findings Here> For the interview, summarize the relevant details discussed that verify the following processes are implemented:
<Report Findings Here> 3.6.5.b Interview personnel to verify the following processes are implemented:
Modified p. 68 → 69
Keys are retired or replaced as necessary when the integrity of the key has been weakened, including when someone with knowledge of the key leaves the company.
Keys are retired or replaced as necessary when the integrity of the key has been weakened, including when someone with knowledge of the key leaves the company. • Keys are replaced if known or suspected to be compromised. • Any keys retained after retiring or replacing are not used for encryption operations.
Modified p. 68 → 69
<Report Findings Here> • Any keys retained after retiring or replacing are not used for encryption operations.
• The retirement or replacement of keys when the integrity of the key has been weakened. • The replacement of known or suspected compromised keys. • Any keys retained after retiring or replacing are not used for encryption operations.
Modified p. 68 → 69
Indicate whether manual clear-text cryptographic key-management operations are used. (yes/no) <Report Findings Here> If “no,” mark the remainder of 3.6.6.a and 3.6.6.b as “Not Applicable.” If “yes,” complete 3.6.6.a and 3.6.6.b.
Indicate whether manual clear-text cryptographic key-management operations are used. (yes/no) <Report Findings Here>
Modified p. 68 → 70
3.6.6.a Verify that manual clear-text key- management procedures specify processes for the use of the following:
Identify the documented key-management procedures examined to verify that manual clear-text key-management procedures define processes for the use of the following:
Modified p. 68 → 70
Split knowledge of keys, such that key components are under the control of at least two people who only have knowledge of their own key components; AND
Split knowledge of keys, such that key components are under the control of at least two people who only have knowledge of their own key components; AND • Dual control of keys, such that at least two people are required to perform any key- management operations and no one person has access to the authentication materials of another.
Modified p. 68 → 70
Dual control of keys, such that at least two people are required to perform any key-management operations and no one person has access to the authentication materials (for example, passwords or keys) of another.
• Split knowledge of keys, such that key components are under the control of at least two people who only have knowledge of their own key components; AND • Dual control of keys, such that at least two people are required to perform any key-management operations and no one person has access to the authentication materials (for example, passwords or keys) of another.
Removed p. 69
• Split knowledge, AND
Modified p. 69 → 70
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 3.6.6 b Interview personnel and/or observe processes to verify that manual clear-text keys are managed with:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 3.6.6.a Verify that manual clear-text key- management procedures specify processes for the use of the following:
Modified p. 69 → 70
Dual control Identify the personnel interviewed for this testing procedure, if applicable.
• Split knowledge, AND • Dual control Identify the responsible personnel interviewed for this testing procedure, if applicable.
Modified p. 69 → 70
<Report Findings Here> For the interview, summarize the relevant details discussed and/or describe how processes were observed to verify the following processes are implemented:
<Report Findings Here> For the interview, summarize the relevant details discussed and/or describe how processes were observed to verify that manual clear-text keys are managed with:
Modified p. 69 → 70
Identify the document examined to verify that key- management procedures specify processes to prevent unauthorized substitution of keys.
Identify the documented key-management procedures examined to verify that key-management procedures specify processes to prevent unauthorized substitution of keys.
Modified p. 69 → 70
Identify the personnel interviewed for this testing procedure, if applicable.
Identify the responsible personnel interviewed for this testing procedure, if applicable.
Modified p. 69 → 71
<Report Findings Here> 3.6.8 Requirement for cryptographic key custodians to formally acknowledge that they understand and accept their key-custodian responsibilities. ☐ ☐ ☐ ☐ ☐ 3.6.8.a Verify that key-management procedures specify processes for key custodians to acknowledge (in writing or electronically) that they understand and accept their key-custodian responsibilities.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 3.6.8 Requirement for cryptographic key custodians to formally acknowledge that they understand and accept their key-custodian responsibilities. ☐ ☐ ☐ ☐ ☐ 3.6.8.a Verify that key-management procedures specify processes for key custodians to acknowledge (in writing or electronically) that they understand and accept their key-custodian responsibilities.
Modified p. 69 → 71
Identify the document examined to verify that key- management procedures specify processes for key custodians to acknowledge that they understand and accept their key-custodian responsibilities.
Identify the documented key-management procedures examined to verify that key-management procedures specify processes for key custodians to acknowledge that they understand and accept their key-custodian responsibilities.
Modified p. 69 → 71
<Report Findings Here>
• Known to all affected parties <Report Findings Here>
Removed p. 70
• Known to all affected parties <Report Findings Here>
Modified p. 70 → 71
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 3.7 Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in use, and known to all affected parties. ☐ ☐ ☐ ☐ ☐ 3.7 Examine documentation and interview personnel to verify that security policies and operational procedures for protecting stored cardholder data are:
<Report Findings Here> 3.7 Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in use, and known to all affected parties. ☐ ☐ ☐ ☐ ☐ 3.7 Examine documentation and interview personnel to verify that security policies and operational procedures for protecting stored cardholder data are:
Modified p. 70 → 71
Known to all affected parties Identify the document reviewed to verify that security policies and operational procedures for protecting stored cardholder data are documented.
• Documented, • In use, and • Known to all affected parties Identify the document reviewed to verify that security policies and operational procedures for protecting stored cardholder data are documented.
Modified p. 70 → 71
<Report Findings Here> Identify responsible personnel interviewed who confirm that the above documented security policies and operational procedures for protecting stored cardholder data are:
<Report Findings Here> Identify the responsible personnel interviewed who confirm that the above documented security policies and operational procedures for protecting stored cardholder data are:
Removed p. 71
• Wireless technologies, including 802.11 and Bluetooth

• Cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA)

• General Packet Radio Service (GPRS)
Modified p. 71 → 72
4.1 Use strong cryptography and security protocols (for example, TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks, including the following:
4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following:
Modified p. 71 → 72
Only trusted keys and certificates are accepted.
Only trusted keys and certificates are accepted.
Modified p. 71 → 72
The protocol in use only supports secure versions or configurations.
The protocol in use only supports secure versions or configurations.
Modified p. 71 → 72
The encryption strength is appropriate for the encryption methodology in use.
The encryption strength is appropriate for the encryption methodology in use.
Modified p. 71 → 72
Examples of open, public networks include but are not limited to: • The Internet
Examples of open, public networks include but are not limited to:
Modified p. 71 → 72
Satellite communications 4.1.a Identify all locations where cardholder data is transmitted or received Identify all locations where cardholder data is transmitted or received over open, public networks.
• The Internet • Wireless technologies, including 802.11 and Bluetooth • Cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA) • General Packet Radio Service (GPRS) • Satellite communications 4.1.a Identify all locations where cardholder data is transmitted or received Identify all locations where cardholder data is transmitted or received over open, public networks.
Removed p. 72
<Report Findings Here> Describe how the samples of inbound and outbound transmissions were observed as they occurred to verify that all cardholder data is encrypted with strong cryptography during transit.
Modified p. 72 → 73
Identify the documented standards examined. <Report Findings Here> Describe how the documented standards were examined and compared to system configurations to verify the use of:
over open, public networks. Examine documented standards and compare to system configurations to verify the use of security protocols and strong cryptography for all locations.
Modified p. 72 → 73
• Security protocols observed in use <Report Findings Here> • Strong cryptography for all locations <Report Findings Here> 4.1.b Review documented policies and procedures to verify processes are specified for the following:
• Security protocols for all locations <Report Findings Here> • Strong cryptography for all locations <Report Findings Here> 4.1.b Review documented policies and procedures to verify processes are specified for the following:
Modified p. 72 → 73
For acceptance of only trusted keys and/or certificates.
For acceptance of only trusted keys and/or certificates.
Modified p. 72 → 73
For acceptance of only trusted keys and/or certificates.
For acceptance of only trusted keys and/or certificates.
Modified p. 72 → 73
For the protocol in use to only support secure versions and configurations (that insecure versions or configurations are not supported).
For the protocol in use to only support secure versions and configurations (that insecure versions or configurations are not supported).
Modified p. 72 → 73
For the protocol in use to only support secure versions and configurations (that insecure versions or configurations are not supported).
For the protocol in use to only support secure versions and configurations (that insecure versions or configurations are not supported).
Modified p. 72 → 73
For implementation of proper encryption strength per the encryption methodology in use.
For implementation of proper encryption strength per the encryption methodology in use.
Modified p. 72 → 73
For implementation of proper encryption strength per the encryption methodology in use.
For implementation of proper encryption strength per the encryption methodology in use.
Modified p. 72 → 73
<Report Findings Here> 4.1.c Select and observe a sample of inbound and outbound transmissions as they occur to verify that all cardholder data is encrypted with strong cryptography during transit.
<Report Findings Here> Describe how the sample of inbound and outbound transmissions verified that all cardholder data is encrypted with strong cryptography during transit.
Modified p. 72 → 73
Describe the sample of inbound and outbound transmissions observed as they occurred.
Describe the sample of inbound and outbound transmissions that were observed as they occurred.
Removed p. 73
For all instances where cardholder data Is transmitted or received over open, public networks, describe how system configurations were observed to verify that the protocol is implemented:

• “HTTPS” appears as the browser Universal Record Locator (URL) protocol; and

• Cardholder data is only requested if “HTTPS” appears as part of the URL.

• HTTPS appears as part of the browser URL. <Report Findings Here> • Cardholder data is only requested if HTTPS appears as part of the URL.

<Report Findings Here> 4.1.h For POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS and for which the entity asserts are not susceptible to any known exploits for those protocols:

Indicate whether the assessed entity includes POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS

• for which the entity asserts are not susceptible to any known exploits for those protocols. …
Modified p. 73 → 74
4.1.e Examine system configurations to verify that the protocol is implemented to use only secure configurations and does not support insecure versions or configurations.
not support insecure versions or configurations.
Modified p. 73 → 74
• To use only secure configurations. <Report Findings Here> • Does not support insecure versions or configurations.
• Does not support insecure versions or configurations.
Modified p. 73 → 74
Indicate whether TLS is implemented to encrypt cardholder data over open, public networks in the CDE. (yes/no) <Report Findings Here> If “yes,” for all instances where TLS is used to encrypt cardholder data over open, public networks, describe how system configurations were examined to verify that TLS is enabled whenever cardholder data is transmitted or received, as follows:
Indicate whether TLS is implemented to encrypt cardholder data over open, public networks. (yes/no) If ‘no,’ mark the remainder of 4.1.g as ‘not applicable.’ <Report Findings Here> If “yes,” for all instances where TLS is used to encrypt cardholder data over open, public networks, describe how system configurations verified that TLS is enabled whenever cardholder data is transmitted or received.
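The 4.1.b and 4.1.e checks above (protocol supports only secure versions and configurations, no SSL or early TLS, strong cryptography) can be applied to a web server's configuration before the assessor looks at live transmissions under 4.1.c. The script below is an added example, not code from the PCI DSS template or from the Council: it reads nginx-style `ssl_protocols` and `ssl_ciphers` directives (the directive names are nginx's; the two server blocks are constructed samples), treats SSL of any version and TLS 1.0/1.1 as insecure by assumption, and flags explicitly named weak cipher suites. A cipher string built from OpenSSL aliases such as `HIGH` is not expanded here, so that part of the review still needs `openssl ciphers -v`.

```python
"""Added example: audit an nginx server block's TLS directives for the 4.1 checks.

Not part of the PCI DSS template. Directive names follow nginx's ssl_protocols /
ssl_ciphers; the two server blocks below are constructed samples.
"""
import re

# Assumption (policy choice, not stated by the template): SSL of any version and
# TLS 1.0 / 1.1 are the "SSL and/or early TLS" the template refers to and are
# treated as insecure; TLS 1.2 and 1.3 are the only acceptable versions.
INSECURE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
SECURE_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

# Substrings that identify an explicitly named cipher suite as weak. OpenSSL
# aliases such as HIGH or DEFAULT are not expanded here; expand those with
# `openssl ciphers -v '<string>'` and review the result by hand.
WEAK_CIPHER_MARKERS = ("NULL", "EXPORT", "EXP-", "RC4", "DES", "MD5", "ADH", "AECDH")

_DIRECTIVE = re.compile(r"^\s*(ssl_protocols|ssl_ciphers)\s+(.+?)\s*;", re.M)


def parse_tls_directives(config_text):
    """Map each TLS directive found in an nginx config to its list of tokens."""
    found = {}
    for name, value in _DIRECTIVE.findall(config_text):
        value = value.strip().strip('"').strip("'")
        # ssl_ciphers is an OpenSSL cipher string (colon separated);
        # ssl_protocols is whitespace separated.
        found[name] = value.split(":") if name == "ssl_ciphers" else value.split()
    return found


def audit_tls_config(config_text):
    """Return the list of findings for one server block; an empty list means it passed."""
    directives = parse_tls_directives(config_text)
    findings = []

    protocols = directives.get("ssl_protocols")
    if protocols is None:
        # Silence is not evidence: an absent directive leaves the version set to
        # whatever the nginx build defaults to, which cannot be confirmed from
        # the config file alone.
        findings.append("ssl_protocols not set; the enabled versions are the build default, set them explicitly")
    else:
        bad = sorted(p for p in protocols if p in INSECURE_PROTOCOLS)
        unknown = sorted(p for p in protocols if p not in INSECURE_PROTOCOLS | SECURE_PROTOCOLS)
        if bad:
            findings.append("insecure protocol versions enabled: " + ", ".join(bad))
        if unknown:
            findings.append("unrecognised protocol tokens, review manually: " + ", ".join(unknown))

    ciphers = directives.get("ssl_ciphers")
    if ciphers is None:
        findings.append("ssl_ciphers not set; the cipher list is the build default, set it explicitly")
    else:
        for token in ciphers:
            if token.startswith("!"):
                continue  # "!MD5" removes suites from the list, so it is not a finding
            if any(marker in token.upper() for marker in WEAK_CIPHER_MARKERS):
                findings.append("weak cipher suite enabled: " + token)
    return findings


# Constructed sample: the kind of block that fails 4.1.e (SSLv3 and early TLS
# enabled, RC4 and 3DES suites offered).
WEAK_SERVER_BLOCK = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "RC4-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256";
}
"""

# Constructed sample: the corrected block, TLS 1.2/1.3 only with AEAD suites.
HARDENED_SERVER_BLOCK = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:!aNULL:!eNULL:!MD5:!RC4";
}
"""

if __name__ == "__main__":
    for label, block in (("weak", WEAK_SERVER_BLOCK), ("hardened", HARDENED_SERVER_BLOCK)):
        findings = audit_tls_config(block)
        print(f"{label}: {'PASS' if not findings else 'FAIL'}")
        for f in findings:
            print("  -", f)
```

Run it and the weak block reports the three SSL/early TLS versions plus the RC4 and 3DES suites, while the hardened block produces no findings. A clean result here only shows what the configuration file permits; 4.1.c still requires observing a sample of actual transmissions, because the negotiated protocol and suite on the wire are what protect the cardholder data.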
Removed p. 74
• Description of usage, including; what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, type of environment;

Indicate whether the assessed entity includes any other environments using SSL and/or early TLS (yes/no) If ‘no,’ mark the remainder of 4.1.i as ‘not applicable.’ <Report Findings Here> If ‘yes,’ identify the Risk Mitigation and Migration Plan document(s) examined to verify that it includes:

Note: The use of WEP as a security control is prohibited.
Modified p. 74
<Report Findings Here> 4.1.1 Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment, use industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission.
<Report Findings Here> 4.1.1 Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment, use industry best practices to implement strong encryption for authentication and transmission. ☐ ☐ ☐ ☐ ☐ 4.1.1 Identify all wireless networks transmitting cardholder data or connected to the cardholder data environment. Examine documented standards and compare to system configuration settings Identify all wireless networks transmitting cardholder data or connected to the cardholder data environment.
Modified p. 74 → 75
4.1.i For all other environments using SSL and/or early TLS:
to verify the following for all wireless networks identified:
Removed p. 75
4.1.1 Identify all wireless networks transmitting cardholder data or connected to the cardholder data environment. Examine documented standards and compare to system configuration settings to verify the following for all wireless networks identified:

• Industry best practices (for example, IEEE 802.11i) are used to implement strong encryption for authentication and transmission.

• Industry best practices (for example, IEEE 802.11i) are used to implement strong encryption for authentication and transmission.

• Weak encryption is not used as a security control for authentication or transmission.

<Report Findings Here> Describe how documented standards were examined and compared to system configuration settings to verify the following for all wireless networks identified:
Modified p. 75 → 74
<Report Findings Here> Identify the documented standards examined to verify processes define the following for all wireless networks identified:
<Report Findings Here> Identify the documented standards examined. <Report Findings Here> Describe how the documented standards and system configuration settings both verified the following for all wireless networks identified:
Modified p. 75
Weak encryption (for example, WEP, SSL) is not used as a security control for authentication or transmission.
• Industry best practices are used to implement strong encryption for authentication and transmission. • Weak encryption (for example, WEP, SSL) is not used as a security control for authentication or transmission.
Removed p. 76
Describe how the sample of outbound transmissions observed as they occurred to verify that PAN is rendered unreadable or secured with strong cryptography whenever it is sent via end-user messaging technologies.

Identify the policy document that explicitly prohibits PAN from being sent via end-user messaging technologies under any circumstances.
Modified p. 76 → 75
Identify the policy document stating that unprotected PANs must not be sent via end-user messaging technologies.
Identify the policy document that prohibits PAN from being sent via end-user messaging technologies under any circumstances.
Modified p. 76 → 75
<Report Findings Here> If “no” at 4.2.a:
<Report Findings Here>
Modified p. 76
<Report Findings Here> 4.3 Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties. ☐ ☐ ☐ ☐ ☐ 4.3 Examine documentation and interview personnel to verify that security policies and operational procedures for encrypting transmissions of cardholder data are:
4.3 Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties. ☐ ☐ ☐ ☐ ☐ 4.3 Examine documentation and interview personnel to verify that security policies and operational procedures for encrypting transmissions of cardholder data are:
Modified p. 76
<Report Findings Here> Identify responsible personnel interviewed who confirm that the above documented security policies and operational procedures for encrypting transmissions of cardholder data are:
<Report Findings Here> Identify the responsible personnel interviewed who confirm that the above documented security policies and operational procedures for encrypting transmissions of cardholder data are:
Removed p. 77
• Detect all known types of malicious software,

• Detect all known types of malicious software,

• Remove all known types of malicious software, and

• Remove all known types of malicious software, and

• Protect against all known types of malicious software.

• Protect against all known types of malicious software.
Modified p. 77
Identify the sample of system components selected (including all operating system types commonly affected by malicious software).
Identify the sample of system components (including all operating system types commonly affected by malicious software) selected for this testing procedure.
Modified p. 77
<Report Findings Here> 5.1.1 Ensure that anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software. ☐ ☐ ☐ ☐ ☐ 5.1.1 Review vendor documentation and examine anti-virus configurations to verify that anti-virus programs;
<Report Findings Here> 5.1.1 Ensure that anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software. ☐ ☐ ☐ ☐ ☐ 5.1.1 Review vendor documentation and examine anti-virus configurations to verify that anti-virus programs; • Detect all known types of malicious software, • Remove all known types of malicious software, and • Protect against all known types of malicious software.
Modified p. 77
<Report Findings Here> Describe how anti-virus configurations were examined to verify that anti-virus programs:
<Report Findings Here> Describe how anti-virus configurations verified that anti-virus programs:
Modified p. 77
<Report Findings Here> 5.1.2 For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software. ☐ ☐ ☐ ☐ ☐ 5.1.2 Interview personnel to verify that evolving malware threats are monitored Identify the personnel interviewed for this testing procedure.
<Report Findings Here> 5.1.2 For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software. ☐ ☐ ☐ ☐ ☐ 5.1.2 Interview personnel to verify that evolving malware threats are monitored Identify the responsible personnel interviewed for this testing procedure.
Modified p. 78
For the interview, summarize the relevant details discussed and/or describe how processes were observed to verify that evolving malware threats are monitored and evaluated for systems not currently considered to be commonly affected by malicious software, and that such systems continue to not require anti-virus software.
For the interview, summarize the relevant details discussed to verify that evolving malware threats are monitored and evaluated for systems not currently considered to be commonly affected by malicious software, and that such systems continue to not require anti-virus software.
Modified p. 78
Perform periodic scans.
Perform periodic scans.
Modified p. 78
Generate audit logs which are retained per PCI DSS Requirement 10.7.
Generate audit logs which are retained per PCI DSS Requirement 10.7.
Modified p. 78
Configured to perform automatic updates, and Configured to perform periodic Describe how anti-virus configurations, including the master installation of the software, were examined to verify anti-virus mechanisms are:
Configured to perform automatic updates, and Describe how anti-virus configurations, including the master installation of the software, verified anti-virus mechanisms are:
Removed p. 79
• Logs are retained in accordance with PCI DSS Requirement 10.7.

Identify the sample of system components selected. <Report Findings Here> For each item in the sample, describe how anti-virus configurations, including the master installation of the software, were examined to verify that the anti-virus software is actively running.
Modified p. 79
• Configured to perform automatic updates, and <Report Findings Here> • Configured to perform periodic scans. <Report Findings Here> 5.2.c Examine a sample of system components, including all operating system types commonly affected by malicious software, to verify that:
• Configured to perform periodic scans.
Modified p. 79
The anti-virus software and definitions are current.
The anti-virus software and definitions are current.
Modified p. 79
Periodic scans are performed.
Periodic scans are performed.
Modified p. 79
Identify the sample of system components, including all operating system types commonly affected by malicious software, selected for this testing procedure.
Identify the sample of system components (including all operating system types commonly affected by malicious software) selected for this testing procedure.
Modified p. 79
<Report Findings Here> Describe how system components were examined to verify that:
<Report Findings Here> Describe how the system components verified that:
Modified p. 79
Anti-virus software log generation is enabled, and
Anti-virus software log generation is enabled, and • Logs are retained in accordance with PCI DSS Requirement 10.7.
Modified p. 79
<Report Findings Here> For each item in the sample, describe how anti-virus configurations, including the master installation of the software, were examined to verify that:
<Report Findings Here> For each item in the sample, describe how anti-virus configurations, including the master installation of the software, verified that:
Modified p. 79
• Anti-virus software log generation is enabled, and <Report Findings Here> • Logs are retained in accordance with PCI DSS Requirement 10.7.
• Anti-virus software log generation is enabled, and. <Report Findings Here> • Logs are retained in accordance with PCI DSS Requirement 10.7.
Modified p. 80
For each item in the sample from 5.3.a, describe how anti-virus configurations, including the master installation of the software, were examined to verify that the anti-virus software cannot be disabled or altered by users.
For each item in the sample from 5.3.a, describe how anti-virus configurations, including the master installation of the software, verified that the anti-virus software cannot be disabled or altered by users.
Modified p. 80
<Report Findings Here> Describe how the process was observed to verify that anti-virus software cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.
<Report Findings Here> Describe how processes were observed to verify that anti-virus software cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.
Modified p. 80
<Report Findings Here> Identify responsible personnel interviewed who confirm that the above documented security policies and operational procedures for protecting systems against malware are:
<Report Findings Here> Identify the responsible personnel interviewed who confirm that the above documented security policies and operational procedures for protecting systems against malware are:
Removed p. 81
• Processes to identify new security vulnerabilities include using reputable outside sources for security vulnerability information.
Modified p. 81
To identify new security vulnerabilities.
To identify new security vulnerabilities.
Modified p. 81
To identify new security vulnerabilities.
To identify new security vulnerabilities.
Modified p. 81
To assign a risk ranking to vulnerabilities that includes identification of all “high risk” and “critical” vulnerabilities.
To assign a risk ranking to vulnerabilities that includes identification of all “high risk” and “critical” vulnerabilities.
Modified p. 81
To assign a risk ranking to vulnerabilities that includes identification of all “high risk” and “critical” vulnerabilities.
To assign a risk ranking to vulnerabilities that includes identification of all “high risk” and “critical” vulnerabilities.
Modified p. 81
To include using reputable outside sources for security vulnerability information.
To include using reputable outside sources for security vulnerability information.
Modified p. 81
To include using reputable outside sources for security vulnerability information.
To include using reputable outside sources for security vulnerability information.
Modified p. 81
New security vulnerabilities are identified.
New security vulnerabilities are identified.
Modified p. 81
New security vulnerabilities are identified.
New security vulnerabilities are identified.
Modified p. 81
A risk ranking is assigned to vulnerabilities that includes identification of all “high” risk and “critical” vulnerabilities.
A risk ranking is assigned to vulnerabilities that includes identification of all “high” risk and “critical” vulnerabilities.
Modified p. 81
A risk ranking is assigned to vulnerabilities that includes identification of all “high” risk and “critical” vulnerabilities.
A risk ranking is assigned to vulnerabilities that includes identification of all “high” risk and “critical” vulnerabilities.
Modified p. 81
Processes to identify new security vulnerabilities include using reputable outside sources for security Identify the responsible personnel interviewed who confirm that:
Processes to identify new security vulnerabilities include using reputable outside sources for security vulnerability information.
Modified p. 81 → 82
<Report Findings Here> Describe the processes observed to verify that:
Describe the processes observed to verify that:
Modified p. 82
vulnerability information. • New security vulnerabilities are identified. <Report Findings Here> • A risk ranking is assigned to vulnerabilities to include identification of all “high” risk and “critical” vulnerabilities.
• Processes to identify new security vulnerabilities include using reputable outside sources for security vulnerability information.
Modified p. 82
Installation of applicable critical vendor-supplied security patches within one month of release.
Installation of applicable critical vendor-supplied security patches within one month of release.
Modified p. 82
Installation of all applicable vendor-supplied security patches within an appropriate time frame (for example, within three months).
Installation of all applicable vendor-supplied security patches within an appropriate time frame (for example, within three months).
Modified p. 82
Installation of applicable critical vendor-supplied security patches within one month of release.
Installation of applicable critical vendor-supplied security patches within one month of release.
Modified p. 82
Installation of all applicable vendor-supplied security patches within an appropriate time frame.
Installation of all applicable vendor-supplied security patches within an appropriate time frame.
Modified p. 82
<Report Findings Here> 6.2.b For a sample of system components and related software, compare the list of security patches installed on each system Identify the sample of system components and related software selected for this testing procedure.
<Report Findings Here> 6.2.b For a sample of system components and related software, compare the list of Identify the sample of system components and related software selected for this testing procedure.
Removed p. 83
<Report Findings Here> Identify the industry standards and/or best practices used.

<Report Findings Here> For the interview, summarize the relevant details discussed to verify that written software development processes are implemented.
Modified p. 83
Identify the vendor security patch list reviewed. <Report Findings Here> For each item in the sample, describe how the list of security patches installed on each system was compared to the most recent vendor security-patch list to verify that:
Identify the vendor security patch list reviewed. <Report Findings Here> For each item in the sample, describe how the list of security patches installed on each system was compared to the most recent vendor security-patch list to verify that:
Modified p. 83
In accordance with PCI DSS (for example, secure authentication and logging).
In accordance with PCI DSS (for example, secure authentication and logging).
Modified p. 83
Based on industry standards and/or best practices.
Based on industry standards and/or best practices.
Modified p. 83
Incorporate information security throughout the software development life cycle.
Incorporate information security throughout the software development life cycle.
Modified p. 83
Identify the document that defines software development processes based on industry standards and/or best practices.
Identify the document examined to verify that software-development processes are based on industry standards and/or best practices.
Modified p. 83
Identify the software developers interviewed for this testing procedure.
Identify the software developers interviewed who confirm that written software development processes are implemented.
Removed p. 84
<Report Findings Here> For the interview, summarize the relevant details discussed to confirm that pre-production and/or custom application accounts, user IDs and/or passwords are removed before an application goes into production or is released to customers.

• Code reviews ensure code is developed according to secure coding guidelines.

• Appropriate corrections are implemented prior to release.

• Code review results are reviewed and approved by management prior to release.
Modified p. 84
<Report Findings Here> Identify the responsible personnel interviewed for this testing procedure.
<Report Findings Here> Identify the responsible personnel interviewed who confirm that pre-production and/or custom application accounts, user IDs and/or passwords are removed before an application goes into production or is released to customers.
Modified p. 84
Code changes are reviewed by individuals other than the originating code author, and by individuals knowledgeable about code review techniques and secure coding practices.
Code changes are reviewed by individuals other than the originating code author, and by individuals knowledgeable about code review techniques and secure coding practices. • Code reviews ensure code is developed according to secure coding guidelines. • Appropriate corrections are implemented prior to release. • Code review results are reviewed and approved by management prior to release.
Removed p. 85
• Appropriate corrections are implemented prior to release.

• Code reviews ensure code is developed according to secure coding guidelines (see PCI DSS Requirement 6.5).

• Code-review results are reviewed and approved by management prior to release.
Modified p. 85
Code changes are reviewed by individuals other than the originating code author, and by individuals who are knowledgeable in code review techniques and secure coding practices.
Code changes are reviewed by individuals other than the originating code author, and by individuals who are knowledgeable in code review techniques and secure coding practices. • Code reviews ensure code is developed according to secure coding guidelines (see PCI DSS Requirement 6.5). • Appropriate corrections are implemented prior to release. • Code-review results are reviewed and approved by management prior to release.
Modified p. 85
Code changes are reviewed by individuals other than the originating code author, and by individuals who are knowledgeable in code review techniques and secure coding practices.
Code changes are reviewed by individuals other than the originating code author, and by individuals who are knowledgeable in code review techniques and secure coding practices.
Modified p. 85
Code reviews ensure code is developed according to secure coding guidelines (see PCI DSS Requirement 6.5).
Code reviews ensure code is developed according to secure coding guidelines (see PCI DSS Requirement 6.5).
Modified p. 85
Appropriate corrections are implemented prior to release.
Appropriate corrections are implemented prior to release.
Modified p. 85
Code-review results are reviewed and approved by management prior to release.
Code-review results are reviewed and approved by management prior to release.
Removed p. 86
<Report Findings Here> Describe how all custom application code changes must be reviewed, including whether processes are manual or automated.
Modified p. 86
Code reviews ensure code is developed according to secure coding guidelines (see PCI DSS Requirement 6.5).
Code reviews ensure code is developed according to secure coding guidelines (see PCI DSS Requirement 6.5).
Modified p. 86
Appropriate corrections are implemented prior to release.
Appropriate corrections are implemented prior to release.
Modified p. 86
Code-review results are reviewed and approved by management prior to release.
Code-review results are reviewed and approved by management prior to release.
Modified p. 86
Code changes are reviewed by individuals other than the originating code author, and by individuals who are knowledgeable in code-review techniques and secure coding practices.
Code changes are reviewed by individuals other than the originating code author, and by individuals who are knowledgeable in code-review techniques and secure coding practices.
Removed p. 87
<Report Findings Here> 6.4 Follow change control processes and procedures for all changes to system components. The processes must include the following: ☐ ☐ ☐ ☐ ☐ 6.4 Examine policies and procedures to verify the following are defined:
Modified p. 87
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested • Code-review results are reviewed and approved by management prior to release.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 6.4 Follow change control processes and procedures for all changes to system components. The processes must include the following: ☐ ☐ ☐ ☐ ☐ 6.4 Examine policies and procedures to verify the following are defined:
Modified p. 87
Development/test environments are separate from production environments with access control in place to enforce separation.
Development/test environments are separate from production environments with access control in place to enforce separation.
Modified p. 87
Development/test environments are separate from production environments with access control in place to enforce separation.
Development/test environments are separate from production environments with access control in place to enforce separation.
Modified p. 87
A separation of duties between personnel assigned to the development/test environments and those assigned to the production environment.
A separation of duties between personnel assigned to the development/test environments and those assigned to the production environment.
Modified p. 87
A separation of duties between personnel assigned to the development/test environments and those assigned to the production environment.
A separation of duties between personnel assigned to the development/test environments and those assigned to the production environment.
Modified p. 87
Production data (live PANs) are not used for testing or development.
Production data (live PANs) are not used for testing or development.
Modified p. 87
Production data (live PANs) are not used for testing or development.
Production data (live PANs) are not used for testing or development.
Modified p. 87
Test data and accounts are removed before a production system becomes active.
Test data and accounts are removed before a production system becomes active.
Modified p. 87
Test data and accounts are removed before a production system becomes active.
Test data and accounts are removed before a production system becomes active.
Modified p. 87
Change control procedures related to implementing security patches and software modifications are documented.
Change control procedures related to implementing security patches and software modifications are documented.
Modified p. 87
Change-control procedures related to implementing security patches and software modifications are documented.
Change-control procedures related to implementing security patches and software modifications are documented.
Modified p. 87
Identify the network documentation that illustrates that the development/test environments are separate from the production environment(s).
Identify the network documentation examined to verify that the development/test environments are separate from the production environment(s).
Modified p. 87
<Report Findings Here> Describe how network device configurations were examined to verify that the development/test environments are separate from the production environment(s).
<Report Findings Here> Describe how network device configurations verified that the development/test environments are separate from the production environment(s).
Modified p. 88 → 87
Identify the access control settings examined for this testing procedure.
<Report Findings Here> 6.4.1.b Examine access controls settings to verify that access controls are in place Identify the access control settings examined for this testing procedure.
Modified p. 88
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 6.4.1.b Examine access controls settings to verify that access controls are in place to enforce separation between the development/test environments and the production environment(s).
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested Place to enforce separation between the development/test environments and the production environment(s).
Modified p. 88
<Report Findings Here> Describe how the access control settings were examined to verify that access controls are in place to enforce separation between the development/test environments and the production environment(s).
Describe how the access control settings verified that access controls are in place to enforce separation between the development/test environments and the production environment(s).
Modified p. 88
Identify the personnel interviewed who confirm that procedures are in place to ensure production data (live PANs) are not used for testing or development.
Identify the responsible personnel interviewed who confirm that procedures are in place to ensure production data (live PANs) are not used for testing or development.
Modified p. 89 → 88
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 6.4.3.b Examine a sample of test data to verify production data (live PANs) is not used for testing or development.
<Report Findings Here> 6.4.3.b Examine a sample of test data to verify production data (live PANs) is not used for testing or development.
Modified p. 89
<Report Findings Here> Describe how a sample of test data was examined to verify production data (live PANs) is not used for development.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested Describe how a sample of test data was examined to verify production data (live PANs) is not used for development.
Modified p. 89
<Report Findings Here> 6.4.4 Removal of test data and accounts before production systems become active. ☐ ☐ ☐ ☐ ☐ 6.4.4.a Observe testing processes and interview personnel to verify test data and accounts are removed before a production system becomes active.
<Report Findings Here> 6.4.4 Removal of test data and accounts from system components before the system becomes active / goes into production. ☐ ☐ ☐ ☐ ☐ 6.4.4.a Observe testing processes and interview personnel to verify test data and accounts are removed before a production system becomes active.
Modified p. 89
Identify the personnel interviewed who confirm that test data and accounts are removed before a production system becomes active.
Identify the responsible personnel interviewed who confirm that test data and accounts are removed before a production system becomes active.
Modified p. 89
Describe how a sample of data from production systems recently installed or updated was examined to verify test data is removed before the system becomes active.
Describe how the sampled data examined verified that test data is removed before the system becomes active.
Modified p. 89
<Report Findings Here> Describe how a sample of accounts from production systems recently installed or updated was examined to verify test accounts are removed before the system becomes active.
<Report Findings Here> Describe how the sampled data examined verified that test accounts are removed before the system becomes active.
Modified p. 89
<Report Findings Here> 6.4.5 Change control procedures for the implementation of security patches and software modifications must include the following: ☐ ☐ ☐ ☐ ☐
<Report Findings Here> 6.4.5 Change control procedures must include the following: ☐ ☐ ☐ ☐ ☐ 6.4.5.a Examine documented change-control procedures and verify procedures are defined for:
Removed p. 90
• Documentation of impact.

• Documented change approval by authorized parties.

• Back-out procedures.

<Report Findings Here> 6.4.5.b For a sample of system components, interview responsible personnel to determine recent changes/security patches. Trace those changes back to related change control documentation. For each change examined, perform the following:
Modified p. 90 → 89
Documentation of impact.
Documentation of impact.
Modified p. 90 → 89
Documented change approval by authorized parties.
Documented change approval by authorized parties.
Modified p. 90 → 89
Functionality testing to verify that the change does not adversely impact the security of the system.
Functionality testing to verify that the change does not adversely impact the security of the system.
Modified p. 90 → 89
Back-out procedures.
Back-out procedures.
Modified p. 90 → 89
Identify the documented change-control procedures related to implementing security patches and software modification examined to verify procedures are defined for:
Identify the documented change-control procedures examined to verify procedures are defined for:
Modified p. 90 → 89
Functionality testing to verify that the change does not adversely impact the security of the system.
• Documentation of impact. • Documented change approval by authorized parties. • Functionality testing to verify that the change does not adversely impact the security of the system. • Back-out procedures.
Modified p. 90
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 6.4.5.a Examine documented change-control procedures related to implementing security patches and software modifications and verify procedures are defined for:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 6.4.5.b For a sample of system components, interview responsible personnel to determine recent changes. Trace those changes back to related change control documentation. For each change examined, perform the following:
Modified p. 90
Identify the sample of system components selected. <Report Findings Here> Identify the responsible personnel interviewed to determine recent changes/security patches.
<Report Findings Here> Identify the responsible personnel interviewed to determine recent changes.
Modified p. 90
<Report Findings Here> For each item in the sample, identify the sample of changes and the related change control documentation selected for this testing procedure (through 6.4.5.4) <Report Findings Here> 6.4.5.1 Documentation of impact. ☐ ☐ ☐ ☐ ☐ 6.4.5.1 Verify that documentation of impact is included in the change control documentation for each sampled change.
<Report Findings Here> For each item in the sample, identify the sample of changes and the related change control documentation selected for this testing procedure (through 6.4.5.4).
Modified p. 90
For each change from 6.4.5.b, describe how the changes were traced back to the identified related change control documentation to verify that documentation of impact is included in the change control documentation for each sampled change.
For each change from 6.4.5.b, describe how the documentation of impact is included in the change control documentation for each sampled change.
Modified p. 90
For each change from 6.4.5.b, describe how the changes were traced back to the identified related change control documentation to verify that documented approval by authorized parties is present in the change control documentation for each sampled change.
For each change from 6.4.5.b, describe how documented approval by authorized parties is present in the change control documentation for each sampled change.
Removed p. 91
For each change from 6.4.5.b, describe how the changes were traced back to the identified related change control documentation to verify that the change control documentation for each sampled change includes evidence that functionality testing is performed to verify that the change does not adversely impact the security of the system.

<Report Findings Here> Describe how the custom code changes were traced back to the identified related change control documentation to verify that the change control documentation for each sampled custom code change includes evidence that all updates are tested for compliance with PCI DSS Requirement 6.5 before being deployed into production.
Modified p. 91 → 90
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 6.4.5.3 Functionality testing to verify that the change does not adversely impact the security of the system. ☐ ☐ ☐ ☐ ☐ 6.4.5.3.a For each sampled change, verify that functionality testing is performed to verify that the change does not adversely impact the security of the system.
<Report Findings Here> 6.4.5.3 Functionality testing to verify that the change does not adversely impact the security of the system. ☐ ☐ ☐ ☐ ☐ 6.4.5.3.a For each sampled change, verify that functionality testing is performed to verify that the change does not adversely impact the security of the system.
Modified p. 91
<Report Findings Here> 6.4.5.4 Back-out procedures. ☐ ☐ ☐ ☐ ☐ 6.4.5.4 Verify that back-out procedures are prepared for each sampled change.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 6.4.5.4 Back-out procedures. ☐ ☐ ☐ ☐ ☐ 6.4.5.4 Verify that back-out procedures are prepared for each sampled change.
Modified p. 91
For each change from 6.4.5.b, describe how the changes were traced back to the identified related change control documentation to verify that back-out procedures are prepared for each sampled change and present in the change control documentation for each sampled change.
For each change from 6.4.5.b, describe how the change control documentation verified that back-out procedures are prepared.
Removed p. 92
<Report Findings Here> 6.5.b Interview a sample of developers to verify that they are knowledgeable in secure coding techniques.

Identify the developers interviewed for this testing procedure.

<Report Findings Here> For the interview, summarize the relevant details discussed to verify that they are knowledgeable in secure coding techniques.

Identify the records of training that were examined to verify that software developers received training on secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory.
Modified p. 92
Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory.
Train developers at least annually in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities.
Modified p. 92
Develop applications based on secure coding guidelines.
Develop applications based on secure coding guidelines.
Modified p. 92
6.5.a Examine software development policies and procedures to verify that training in secure coding techniques is required for developers, based on industry best practices and guidance.
6.5.a Examine software development policies and procedures to verify that up-to-date training in secure coding techniques is required for developers at least annually, based on industry best practices and guidance.
Modified p. 92
Identify the document reviewed to verify that training in secure coding techniques is required for developers.
Identify the document reviewed to verify that up-to-date training in secure coding techniques is required for developers at least annually.
Modified p. 92
<Report Findings Here> Identify the industry best practices and guidance that training is based on.
<Report Findings Here> Identify the industry best practices and guidance on which the training is based.
Modified p. 92
<Report Findings Here> 6.5.c Examine records of training to verify that software developers received training on secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory.
<Report Findings Here> 6.5.b Examine records of training to verify that software developers receive up-to-date training on secure coding techniques at least annually, including how to avoid common coding vulnerabilities. Identify the records of training that were examined to verify that software developers receive up-to-date training on secure coding techniques at least annually, including how to avoid common coding vulnerabilities.
Modified p. 92
<Report Findings Here> 6.5.d. Verify that processes are in place to protect applications from, at a minimum, the following vulnerabilities:
<Report Findings Here> 6.5.c. Verify that processes are in place to protect applications from, at a minimum, the following vulnerabilities:
Modified p. 92
Identify the software-development policies and procedures examined to verify that processes are in place to protect applications from, at a minimum, the following vulnerabilities:
Identify the software-development policies and procedures examined to verify that processes are in place to protect applications from, at a minimum, the vulnerabilities from 6.5.1-6.5.10.
Modified p. 92
<Report Findings Here> Identify the responsible personnel interviewed to verify that processes are in place to protect applications from, at a minimum, the following vulnerabilities:
<Report Findings Here> Identify the responsible personnel interviewed to verify that processes are in place to protect applications from, at a minimum, the vulnerabilities from 6.5.1-6.5.10.
Removed p. 93
• Utilizing parameterized queries.

For the interviews at 6.5.d, summarize the relevant interview details that confirm processes are in place, consistent with the software development documentation at 6.5.d, to ensure that injection flaws are addressed by coding techniques that include:

• Truncating input strings.

• Prevent cryptographic flaws.
Modified p. 93
Validating input to verify user data cannot modify meaning of commands and queries.
Validating input to verify user data cannot modify meaning of commands and queries. • Utilizing parameterized queries.
Modified p. 93
Validating buffer boundaries.
Validating buffer boundaries. • Truncating input strings.
Modified p. 93
For the interviews at 6.5.d, summarize the relevant interview details that confirm processes are in place, consistent with the software development documentation at 6.5.d, to ensure that buffer overflows are addressed by coding techniques that include:
For the interviews at 6.5.d, summarize the relevant details discussed to verify that buffer overflows are addressed by coding techniques that include:
Modified p. 93
Use strong cryptographic algorithms and keys.
• Prevent cryptographic flaws. • Use strong cryptographic algorithms and keys.
Modified p. 93
For the interviews at 6.5.d, summarize the relevant interview details that confirm processes are in place, consistent with the software development documentation at 6.5.d, to ensure that insecure cryptographic storage is addressed by coding techniques that:
For the interviews at 6.5.d, summarize the relevant details discussed to verify that insecure cryptographic storage is addressed by coding techniques that:
Modified p. 93
• Prevent cryptographic flaws. <Report Findings Here> • Use strong cryptographic algorithms and keys. <Report Findings Here> 6.5.4 Insecure communications. ☐ ☐ ☐ ☐ ☐
• Prevent cryptographic flaws. <Report Findings Here> • Use strong cryptographic algorithms and keys. <Report Findings Here> 6.5.4 Insecure communications. ☐ ☐ ☐ ☐ ☐ 6.5.4 Examine software-development policies and procedures and interview responsible personnel to verify that insecure communications are addressed by coding techniques that properly authenticate and encrypt all sensitive communications.
Modified p. 94 → 93
For the interviews at 6.5.d, summarize the relevant interview details that confirm processes are in place, consistent with the software development documentation at 6.5.d, to ensure that insecure communications are addressed by coding techniques that properly:
For the interviews at 6.5.d, summarize the relevant details discussed to verify that insecure communications are addressed by coding techniques that properly:
Modified p. 94 → 93
• Authenticate all sensitive communications. <Report Findings Here> • Encrypt all sensitive communications. <Report Findings Here> 6.5.5 Improper error handling. ☐ ☐ ☐ ☐ ☐ 6.5.5 Examine software-development policies and procedures and interview responsible personnel to verify that improper error handling is addressed by coding techniques that do not leak information via error messages (for example, by returning generic rather than specific error details).
• Authenticate all sensitive communications. <Report Findings Here> • Encrypt all sensitive communications. <Report Findings Here>
Modified p. 94
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 6.5.4 Examine software-development policies and procedures and interview responsible personnel to verify that insecure communications are addressed by coding techniques that properly authenticate and encrypt all sensitive communications.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 6.5.5 Improper error handling. ☐ ☐ ☐ ☐ ☐ 6.5.5 Examine software-development policies and procedures and interview responsible personnel to verify that improper error handling is addressed by coding techniques that do not leak information via error messages (for example, by returning generic rather than specific error details).
Modified p. 94
For the interviews at 6.5.d, summarize the relevant interview details that confirm processes are in place, consistent with the software development documentation at 6.5.d, to ensure that improper error handling is addressed by coding techniques that do not leak information via error messages.
For the interviews at 6.5.d, summarize the relevant details discussed to verify that improper error handling is addressed by coding techniques that do not leak information via error messages.
Modified p. 94
For the interviews at 6.5.d, summarize the relevant interview details that confirm processes are in place, consistent with the software development documentation at 6.5.d, to ensure that applications are not vulnerable to “High” vulnerabilities, as identified in PCI DSS Requirement 6.1.
For the interviews at 6.5.d, summarize the relevant details discussed to verify that coding techniques address any “high risk” vulnerabilities that could affect the application, as identified in PCI DSS Requirement 6.1.
Modified p. 94
<Report Findings Here> 6.5.7 Cross-site scripting (XSS). ☐ ☐ ☐ ☐ ☐
<Report Findings Here> 6.5.7 Cross-site scripting (XSS). ☐ ☐ ☐ ☐ ☐ 6.5.7 Examine software-development policies and procedures and interview responsible personnel to verify that cross-site scripting (XSS) is addressed by coding techniques that include:
Removed p. 95
• Utilizing context-sensitive escaping.

• Proper authentication of users.

• Not exposing internal object references to users.
Modified p. 95 → 94
Validating all parameters before inclusion.
Validating all parameters before inclusion. • Utilizing context-sensitive escaping.
Modified p. 95 → 94
For the interviews at 6.5.d, summarize the relevant interview details that confirm processes are in place, consistent with the software development documentation at 6.5.d, to ensure that cross-site scripting (XSS) is addressed by coding techniques that include:
For the interviews at 6.5.d, summarize the relevant details discussed to verify that cross-site scripting (XSS) is addressed by coding techniques that include:
Modified p. 95 → 94
• Validating all parameters before inclusion. <Report Findings Here> • Utilizing context-sensitive escaping. <Report Findings Here> 6.5.8 Improper access control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions). ☐ ☐ ☐ ☐ ☐ 6.5.8 Examine software-development policies and procedures and interview responsible personnel to verify that improper access control (such as insecure direct object references, failure to restrict URL access, and directory traversal) is addressed by coding techniques that …
• Validating all parameters before inclusion. <Report Findings Here> • Utilizing context-sensitive escaping. <Report Findings Here> 6.5.8 Improper access control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions). ☐ ☐ ☐ ☐ ☐
Modified p. 95
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 6.5.7 Examine software-development policies and procedures and interview responsible personnel to verify that cross-site scripting (XSS) is addressed by coding techniques that include:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 6.5.8 Examine software-development policies and procedures and interview responsible personnel to verify that improper access control (such as insecure direct object references, failure to restrict URL access, and directory traversal) is addressed by coding techniques that include:
Modified p. 95
User interfaces that do not permit access to unauthorized functions.
• Proper authentication of users. • Sanitizing input. • Not exposing internal object references to users. • User interfaces that do not permit access to unauthorized functions.
Modified p. 95
For the interviews at 6.5.d, summarize the relevant interview details that confirm processes are in place, consistent with the software development documentation at 6.5.d, to ensure that improper access control is addressed by coding techniques that include:
For the interviews at 6.5.d, summarize the relevant details discussed to verify that improper access control is addressed by coding techniques that include:
Modified p. 95
For the interviews at 6.5.d, summarize the relevant interview details that confirm processes are in place, consistent with the software development documentation at 6.5.d, to ensure that cross-site request forgery (CSRF) is addressed by coding techniques that ensure applications do not rely on authorization credentials and tokens automatically submitted by browsers.
For the interviews at 6.5.d, summarize the relevant details discussed to verify that cross-site request forgery (CSRF) is addressed by coding techniques that ensure applications do not rely on authorization credentials and tokens automatically submitted by browsers.
Removed p. 96
• Not exposing session IDs in the URL.

Indicate whether this ROC is being completed prior to June 30, 2015. (yes/no) <Report Findings Here> If “yes” AND the assessed entity does not have this in place ahead of the requirement’s effective date, mark the remainder of 6.5.10 as “Not Applicable.” If “no” OR if the assessed entity has this in place ahead of the requirement’s effective date, complete the following:

• Flagging session tokens (for example cookies) as “secure.” <Report Findings Here> • Not exposing session IDs in the URL. <Report Findings Here> • Implementing appropriate time-outs and rotation of session IDs after a successful login. <Report Findings Here>
Modified p. 96 → 95
Note: Requirement 6.5.10 is a best practice until June 30, 2015, after which it becomes a requirement. ☐ ☐ ☐ ☐ ☐ 6.5.10 Examine software development policies and procedures and interview responsible personnel to verify that broken authentication and session management are addressed via coding techniques that commonly include:
<Report Findings Here> 6.5.10 Broken authentication and session management. ☐ ☐ ☐ ☐ ☐ 6.5.10 Examine software development policies and procedures and interview responsible personnel to verify that broken authentication and session management are addressed via coding techniques that commonly include:
Modified p. 96 → 95
Flagging session tokens (for example cookies) as “secure.”
Flagging session tokens (for example cookies) as “secure.” <Report Findings Here> • Not exposing session IDs in the URL. <Report Findings Here>
Modified p. 96 → 95
For the interviews at 6.5.d, summarize the relevant interview details that confirm processes are in place, consistent with the software development documentation at 6.5.d, to ensure that broken authentication and session management are addressed via coding techniques that protect credentials and session IDs, including:
For the interviews at 6.5.d, summarize the relevant details discussed to verify that broken authentication and session management are addressed via coding techniques that commonly include:
Modified p. 96
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 6.5.10 Broken authentication and session management.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested Place • Flagging session tokens (for example cookies) as “secure.” • Not exposing session IDs in the URL. • Incorporating appropriate time-outs and rotation of session IDs after a successful login.
Modified p. 96
Incorporating appropriate time-outs and rotation of session IDs after a successful login.
Incorporating appropriate time-outs and rotation of session IDs after a successful login.
Removed p. 97
• Web application vulnerability security assessments, AND/OR

<Report Findings Here> Identify the organization(s) confirmed to specialize in application security that is performing the assessments.
Modified p. 97
Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes.
Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes.
Modified p. 97
Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic.
Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic.
Modified p. 97
Examine documented processes, interview personnel, and examine records of application security assessments to verify that public-facing web applications are reviewed

• using either manual or automated vulnerability security assessment tools or methods • as follows: - At least annually. - After any changes. - By an organization that specializes in application security.
Examine documented processes, interview personnel, and examine records of application security assessments to verify that public-facing web applications are reviewed•using either manual or automated For each public-facing web application, identify which of the two methods are implemented:
Modified p. 97
Automated technical solution that detects and prevents web-based attacks, such as web application firewalls.
 Web application vulnerability security assessments, AND/OR  Automated technical solution that detects and prevents web-based attacks, such as web application firewalls.
Modified p. 98
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested Place - That, at a minimum, all vulnerabilities in Requirement 6.5 are included in the assessment. - That all vulnerabilities are corrected. - That the application is re-evaluated after the corrections.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested Place vulnerability security assessment tools or methods•as follows: - At least annually. - After any changes. - By an organization that specializes in application security. - That, at a minimum, all vulnerabilities in Requirement 6.5 are included in the assessment. - That all vulnerabilities are corrected. - That the application is re-evaluated after the corrections.
Modified p. 98
Examine the system configuration settings and interview responsible personnel to verify that an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) is in place as follows: - Is situated in front of public-facing web applications to detect and prevent web-based attacks. - Is actively running and up-to-date as applicable. - Is generating audit logs. - Is configured to either block web-based attacks, or generate an alert that is immediately investigated.
Examine the system configuration settings and interview responsible personnel to verify that an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) is in place as follows: - Is situated in front of public-facing web applications to detect and prevent web-based attacks.
Modified p. 98
By an organization that specializes in application security.
By an organization that specializes in application security.
Modified p. 98
That, at a minimum, all vulnerabilities in Requirement 6.5 are included in the assessment.
That, at a minimum, all vulnerabilities in Requirement 6.5 are included in the assessment.
Modified p. 98
That all vulnerabilities are corrected.
That all vulnerabilities are corrected  That the application is re-evaluated after the corrections.
Modified p. 98 → 99
By an organization that specializes in application security.
By an organization that specializes in application security.
Modified p. 98 → 99
That, at a minimum, all vulnerabilities in Requirement 6.5 are included in the assessment.
That, at a minimum, all vulnerabilities in Requirement 6.5 are included in the assessment.
Modified p. 98 → 99
That all vulnerabilities are corrected
That all vulnerabilities are corrected.
Modified p. 98 → 99
That the application is re-evaluated after the corrections.
That the application is re-evaluated after the corrections.
Modified p. 98 → 99
<Report Findings Here> Identify the responsible personnel interviewed who confirm that public-facing web applications are reviewed, as follows:
Identify the responsible personnel interviewed who confirm that public-facing web applications are reviewed, as follows:
Modified p. 98 → 99
That the application is re-evaluated after the corrections.
<Report Findings Here>  That all vulnerabilities are corrected. <Report Findings Here>  That the application is re-evaluated after the corrections.
Modified p. 98 → 99
<Report Findings Here> Identify the records of application security assessments examined for this testing procedure.
<Report Findings Here> Identify the records of application vulnerability security assessments examined for this testing procedure.
Removed p. 99
• At least annually. <Report Findings Here>

• After any changes. <Report Findings Here>

• That all vulnerabilities are corrected. <Report Findings Here>

• That the application is re-evaluated after the corrections.

<Report Findings Here> Identify the system configuration settings examined for this testing procedure.
Modified p. 99
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested Describe how the records of application security assessments were examined to verify that public-facing web applications are reviewed as follows:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested Place - Is actively running and up-to-date as applicable. - Is generating audit logs. - Is configured to either block web-based attacks, or generate an alert that is immediately investigated.
Modified p. 99
By an organization that specialized in application security.
 At least annually. <Report Findings Here>  After any changes. <Report Findings Here>  By an organization that specialized in application security.
Modified p. 99
That at a minimum, all vulnerabilities in requirement 6.5 are included in the assessment.
<Report Findings Here>  That at a minimum, all vulnerabilities in requirement 6.5 are included in the assessment.
Modified p. 99 → 100
<Report Findings Here> Identify the responsible personnel interviewed who confirm that the above automated technical solution in use to detect and prevent web-based attacks is in place as follows:
<Report Findings Here> Describe how the system configuration settings verified that the above automated technical solution is in place as follows:
Modified p. 99 → 100
Is situated in front of public-facing web applications to detect and prevent web-based attacks.
Is situated in front of public-facing web applications to detect and prevent web-based attacks.
Modified p. 99 → 100
Is actively running and up-to-date as applicable.
Is actively running and up-to-date as applicable.
Modified p. 99 → 100
Is generating audit logs.
Is generating audit logs.
Modified p. 99 → 100
Is configured to either block web-based attacks, or generate an alert that is immediately investigated.
Is configured to either block web-based attacks, or generate an alert that is immediately investigated.
Removed p. 100
• Known to all affected parties <Report Findings Here>

• Is generating audit logs. <Report Findings Here>

<Report Findings Here> Identify responsible personnel interviewed who confirm that the above documented security policies and operational procedures for developing and maintaining secure systems and applications are:
Modified p. 100
Is situated in front of public-facing web applications to detect and prevent web-based attacks.
Is situated in front of public-facing web applications to detect and prevent web-based attacks.
Modified p. 100
Is actively running and up-to-date as applicable.
<Report Findings Here>  Is actively running and up-to-date as applicable.
Modified p. 100
Is configured to either block web-based attacks, or generate an alert that is immediately investigated.
<Report Findings Here>  Is generating audit logs. <Report Findings Here>  Is configured to either block web-based attacks, or generate an alert that is immediately investigated.
Modified p. 100
<Report Findings Here> 6.7 Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties. ☐ ☐ ☐ ☐ ☐ 6.7 Examine documentation and interview personnel to verify that security policies and operational procedures for developing and maintaining secure systems and applications are:
<Report Findings Here> 6.7 Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties. ☐ ☐ ☐ ☐ ☐ 6.7 Examine documentation and interview personnel to verify that security policies and operational procedures for developing Identify the document examined to verify that security policies and operational procedures for developing and maintaining secure systems and applications are documented.
Modified p. 100 → 101
<Report Findings Here>
 Known to all affected parties <Report Findings Here>
Modified p. 100 → 101
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested Describe how the system configuration settings were examined to verify that the above automated technical solution is use to detect and prevent web-based attacks is in place as follows:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested Place and maintaining secure systems and applications are:
Modified p. 100 → 101
Identify the document reviewed to verify that security policies and operational procedures for developing and maintaining secure systems and applications are documented.
Identify the responsible personnel interviewed who confirm that the above documented security policies and operational procedures for developing and maintaining secure systems and applications are:
Removed p. 101
• Assignment of access based on individual personnel’s job classification and function

• Level of privilege required (for example, user, administrator, etc.) for accessing resources.
Modified p. 101 → 102
Defining access needs and privilege assignments for each role.
Defining access needs and privilege assignments for each role.
Modified p. 101 → 102
Defining access needs and privilege assignments for each role.
Defining access needs and privilege assignments for each role.
Modified p. 101 → 102
Restriction of access to privileged user IDs to least privileges necessary to perform job responsibilities.
Restriction of access to privileged user IDs to least privileges necessary to perform job responsibilities.
Modified p. 101 → 102
Restriction of access to privileged user IDs to least privileges necessary to perform job responsibilities.
Restriction of access to privileged user IDs to least privileges necessary to perform job responsibilities.
Modified p. 101 → 102
Assignment of access based on individual personnel’s job classification and function.
Assignment of access based on individual personnel’s job classification and function.
Modified p. 101 → 102
Documented approval (electronically or in writing) by authorized parties for all access, including listing of specific privileges approved.
Documented approval (electronically or in writing) by authorized parties for all access, including listing of specific privileges approved.
Modified p. 101 → 102
Documented approval (electronically or in writing) by authorized parties for all access, including listing of specific privileges approved.
 Assignment of access based on individual personnel’s job classification and function  Documented approval (electronically or in writing) by authorized parties for all access, including listing of specific privileges approved.
Modified p. 101 → 102
System components and data resources that each role needs to access for their job function.
System components and data resources that each role needs to access for their job function.  Level of privilege required (for example, user, administrator, etc.) for accessing resources.
Modified p. 101 → 102
System components and data resources that each role needs to access for their job function.
System components and data resources that each role needs to access for their job function.
Modified p. 101 → 102
• Identification of privilege necessary for Identify the selected sample of roles for this testing procedure.
Identify the selected sample of roles for this testing procedure.
Modified p. 101 → 102
<Report Findings Here> For each role in the selected sample, describe how the role was examined to verify access needs for each role are defined and include:
<Report Findings Here> For each role in the selected sample, describe how the role was examined to verify access needs are defined and include:
Removed p. 102
• Restricted to least privileges necessary to perform job responsibilities.

• Necessary for that individual’s job function.
Modified p. 102 → 103
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) Not Tested  System components and data resources that each role needs to access for their job function.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) Not Tested Place  Identification of privilege necessary for each role to perform their job function.
Modified p. 102 → 103
Assigned only to roles that specifically require such privileged access.
Assigned only to roles that specifically require such privileged access.  Restricted to least privileges necessary to perform job responsibilities.
Modified p. 102 → 103
Assigned only to roles that specifically require such privileged access.
Assigned only to roles that specifically require such privileged access.
Modified p. 102 → 103
Restricted to least privileges necessary to perform job responsibilities.
Restricted to least privileges necessary to perform job responsibilities.
Modified p. 102 → 103
Restricted to least privileges necessary to perform job responsibilities.
Restricted to least privileges necessary to perform job responsibilities.
Modified p. 102 → 103
Restricted to least privileges necessary to perform job responsibilities.
 Necessary for that individual’s job function.  Restricted to least privileges necessary to perform job responsibilities.
Modified p. 102 → 103
Necessary for that individual’s job function.
Necessary for that individual’s job function.
Modified p. 102 → 103
<Report Findings Here> For the interview, summarize the relevant details discussed to confirm that privileges assigned to each user ID in the selected sample are:
<Report Findings Here> For the interview, summarize the relevant details discussed to confirm that privileges assigned to each sample user ID are:
Modified p. 102 → 103
Identify the sample of user IDs examined for this testing procedure.
Identify the sample of user IDs selected for this testing procedure.
Removed p. 103
• Documented approval exists for the assigned privileges.

• The approval was by authorized parties.

<Report Findings Here> Describe how each item in the sample of user IDs was compared with documented approvals to verify that:
Modified p. 103 → 104
Identify the sample of user IDs examined for this testing procedure.
Identify the sample of user IDs selected for this testing procedure.
Modified p. 103 → 104
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) Not Tested For the interview, summarize the relevant details discussed to confirm that privileges assigned to each user ID in the selected sample are based on an individual’s job classification and function.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) Not Tested For the interview, summarize the relevant details discussed to confirm that privileges assigned to each sample user ID are based on that individual’s job classification and function.
Modified p. 103 → 104
That specified privileges match the roles assigned to the individual.
 Documented approval exists for the assigned privileges.  The approval was by authorized parties.  That specified privileges match the roles assigned to the individual.
Modified p. 103 → 104
<Report Findings Here> 7.2 Establish an access control system for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed.
<Report Findings Here> 7.2 Establish an access control system(s) for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed.
Modified p. 103 → 104
This access control system must include the following:
This access control system(s) must include the following:
Modified p. 103 → 104
Identify vendor documentation examined. <Report Findings Here> Describe how system settings were examined with the vendor documentation to verify that access control systems are in place on all system components.
Identify vendor documentation examined. <Report Findings Here> Describe how system settings and the vendor documentation verified that access control systems are in place on all system components.
Modified p. 103 → 104
Describe how system settings were examined with the vendor documentation at 7.2.1 to verify that access control systems are configured to enforce privileges assigned to individuals based on job classification and function.
Describe how system settings and the vendor documentation at 7.2.1 verified that access control systems are configured to enforce privileges assigned to individuals based on job classification and function.
Modified p. 104 → 105
Describe how system settings were examined with vendor documentation at 7.2.1 to verify that access control systems have a default “deny-all” setting.
Describe how system settings and the vendor documentation at 7.2.1 verified that access control systems have a default “deny-all” setting.
Modified p. 104 → 105
<Report Findings Here> Identify responsible personnel interviewed who confirm that the above documented security policies and operational procedures for restricting access to cardholder data are:
<Report Findings Here> Identify the responsible personnel interviewed who confirm that the above documented security policies and operational procedures for restricting access to cardholder data are:
Modified p. 105 → 106
Assign all users a unique ID before allowing them to access system components or cardholder data.
Assign all users a unique ID before allowing them to access system components or cardholder data.
Modified p. 105 → 106
Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.
Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.
Modified p. 105 → 106
Immediately revoke access for any terminated users.
Immediately revoke access for any terminated users.
Modified p. 105 → 106
Remove/disable inactive user accounts at least every 90 days.
Remove/disable inactive user accounts at least every 90 days.
Modified p. 105 → 106
Manage IDs used by vendors to access, support, or maintain system components via remote access as follows: - Enabled only during the time period needed and disabled when not in use. - Monitored when in use.
Manage IDs used by vendors to access, support, or maintain system components via remote access as follows: - Enabled only during the time period needed and disabled when not in use. - Monitored when in use.
Modified p. 105 → 106
Limit repeated access attempts by locking out the user ID after not more than six attempts.
Limit repeated access attempts by locking out the user ID after not more than six attempts.
Modified p. 105 → 106
Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID.
Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID.
Modified p. 105 → 106
If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.
If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.
Removed p. 106
<Report Findings Here> For the interview, summarize the relevant details discussed to confirm that all users are assigned a unique ID for access to system components or cardholder data.
Modified p. 106 → 107
Identify the responsible administrative personnel interviewed for this testing procedure.
Identify the responsible administrative personnel interviewed who confirm that all users are assigned a unique ID for access to system components or cardholder data.
Modified p. 106 → 107
<Report Findings Here> Describe how observed system settings and the associated authorizations documented for the user IDs were compared to verify that each ID has been implemented with only the privileges specified on the documented approval:
<Report Findings Here> Describe how observed system settings and the associated authorizations verified that each ID has been implemented with only the privileges specified on the documented approval:
Modified p. 106 → 107
Identify the sample of users terminated in the past six months selected.
Identify the sample of users terminated in the past six months that were selected for this testing procedure.
Modified p. 106 → 107
<Report Findings Here> Describe how the current user access lists for local access were reviewed to verify that the sampled user IDs have been deactivated or removed from the access lists.
<Report Findings Here> Describe how the current user access lists for local access verified that the sampled user IDs have been deactivated or removed from the access lists.
Modified p. 106 → 107
<Report Findings Here> Describe how the current user access lists for remote access were reviewed to verify that the sampled user IDs have been deactivated or removed from the access lists.
<Report Findings Here> Describe how the current user access lists for remote access verified that the sampled user IDs have been deactivated or removed from the access lists.
Removed p. 107
<Report Findings Here> 8.1.4 Remove/disable inactive user accounts within 90 days. ☐ ☐ ☐ ☐ ☐ 8.1.4 Observe user accounts to verify that any inactive accounts over 90 days old are either removed or disabled.

• Disabled when not in use.

• Disabled when not in use.
Modified p. 107 → 108
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested Describe how the physical authentication method(s) for the terminated employees were verified to have been returned or deactivated.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 8.1.4 Remove/disable inactive user accounts within 90 days. ☐ ☐ ☐ ☐ ☐ 8.1.4 Observe user accounts to verify that any inactive accounts over 90 days old are either removed or disabled.
Modified p. 107 → 108
<Report Findings Here> 8.1.5 Manage IDs used by vendors to access, support, or maintain system components via remote access as follows:
<Report Findings Here> 8.1.5 Manage IDs used by third parties to access, support, or maintain system components via remote access as follows:
Modified p. 107 → 108
Enabled only during the time period needed and disabled when not in use.
Enabled only during the time period needed and disabled when not in use.  Monitored when in use.
Modified p. 107 → 108
• Monitored when in use.
 Disabled when not in use.
Modified p. 107 → 108
8.1.5.a Interview personnel and observe processes for managing accounts used by vendors to access, support, or maintain system components to verify that accounts used by vendors for remote access are:
8.1.5.a Interview personnel and observe processes for managing accounts used by third parties to access, support, or maintain system components to verify that accounts used for remote access are:
Modified p. 107 → 108
Enabled only when needed by the vendor, and disabled when not in use.
Enabled only when needed by the third party, and disabled when not in use.
Modified p. 107 → 108
Identify the personnel interviewed who confirm that accounts used by vendors for remote access are:
Identify the responsible personnel interviewed who confirm that accounts used by third parties for remote access are:
Modified p. 107 → 108
Enabled only when needed by the vendor, and disabled when not in use.
 Disabled when not in use.  Enabled only when needed by the third party, and disabled when not in use.
Modified p. 107 → 108
<Report Findings Here> Describe how processes for managing accounts used by vendors to access, support, or maintain system components were observed to verify that accounts used by vendors for remote access are:
<Report Findings Here> Describe how processes for managing third party accounts were observed to verify that accounts used for remote access are:
Modified p. 107 → 108
 Disabled when not in use. <Report Findings Here>  Enabled only when needed by the vendor, and disabled when not in use.
 Disabled when not in use. <Report Findings Here>  Enabled only when needed by the third party, and disabled when not in use.
Modified p. 107 → 108
<Report Findings Here> 8.1.5.b Interview personnel and observe processes to verify that vendor remote access accounts are monitored while being used.
<Report Findings Here> 8.1.5.b Interview personnel and observe processes to verify that third party remote access accounts are monitored while being used.
Modified p. 107 → 108
Identify the personnel interviewed who confirm that accounts used by vendors for remote access are monitored while being used.
Identify the responsible personnel interviewed who confirm that accounts used by third parties for remote access are monitored while being used.
Modified p. 107 → 108
<Report Findings Here> Describe how processes for managing accounts used by vendors to access, support, or maintain system components were observed to verify that vendor remote access accounts are monitored while being used.
<Report Findings Here> Describe how processes for managing third party remote access were observed to verify that accounts are monitored while being used.
Modified p. 107 → 108
<Report Findings Here> 8.1.6 Limit repeated access attempts by locking out the user ID after not more than six attempts. ☐ ☐ ☐ ☐ ☐
<Report Findings Here> 8.1.6 Limit repeated access attempts by locking out the user ID after not more than six attempts. ☐ ☐ ☐ ☐ ☐ 8.1.6.a For a sample of system components, inspect system configuration settings to verify that authentication parameters are set to require that user accounts be locked out after not more than six invalid logon attempts.
Removed p. 108
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 8.1.6.a For a sample of system components, inspect system configuration settings to verify that authentication parameters are set to require that user accounts be locked out after not more than six invalid logon attempts.
Modified p. 108
<Report Findings Here> For each item in the sample, describe how system configuration settings were inspected to verify that authentication parameters are set to require that user accounts be locked after not more than six invalid logon attempts.
<Report Findings Here> For each item in the sample, describe how system configuration settings verified that authentication parameters are set to require that user accounts be locked after not more than six invalid logon attempts.
Modified p. 108 → 109
<Report Findings Here> 8.1.6.b Additional procedure for service provider assessments only: Review internal processes and customer/user documentation, and observe implemented processes to verify that non-consumer customer user accounts are temporarily locked-out after not more than six invalid access attempts.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 8.1.6.b Additional procedure for service provider assessments only: Review internal processes and customer/user documentation, and observe implemented processes to verify that non-consumer customer user accounts are temporarily locked-out after not more than six invalid access attempts.
Modified p. 108 → 109
Additional procedure for service provider assessments only, identify the documented internal processes and customer/user documentation reviewed to verify that non-consumer customer user accounts are temporarily locked-out after not more than six invalid access attempts.
Additional procedure for service provider assessments only, identify the documented internal processes and customer/user documentation reviewed to verify that non-consumer customer user accounts are temporarily locked-out after not more than six invalid access attempts.
Modified p. 108 → 109
<Report Findings Here> Describe the implemented processes that were observed to verify that non-consumer customer user accounts are temporarily locked-out after not more than six invalid access attempts.
<Report Findings Here> Describe how implemented processes were observed to verify that non-consumer customer user accounts are temporarily locked-out after not more than six invalid access attempts.
Modified p. 108 → 109
<Report Findings Here> For each item in the sample, describe how system configuration settings were inspected to verify that password parameters are set to require that once a user account is locked out, it remains locked for a minimum of 30 minutes or until a system administrator resets the account.
<Report Findings Here> For each item in the sample, describe how system configuration settings verified that password parameters are set to require that once a user account is locked out, it remains locked for a minimum of 30 minutes or until a system administrator resets the account.
Modified p. 108 → 109
<Report Findings Here> 8.1.8 If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session. ☐ ☐ ☐ ☐ ☐ 8.1.8 For a sample of system components, inspect system configuration Identify the sample of system components selected for this testing procedure.
<Report Findings Here> 8.1.8 If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session. ☐ ☐ ☐ ☐ ☐ 8.1.8 For a sample of system components, inspect system configuration settings to verify that system/session idle time out features have been set to 15 minutes or less.
Removed p. 109
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested Place settings to verify that system/session idle time out features have been set to 15 minutes or less.

• Used for access to the cardholder data environment.

<Report Findings Here> • Functioning consistently with the documented authentication method(s).
Modified p. 109
For each item in the sample, describe how system configuration settings were inspected to verify that system/session idle time out features have been set to 15 minutes or less.
<Report Findings Here> For each item in the sample, describe how system configuration settings verified that system/session idle time out features have been set to 15 minutes or less.
Modified p. 109
Something you know, such as a password or passphrase.
Something you know, such as a password or passphrase.
Modified p. 109
Something you have, such as a token device or smart card.
Something you have, such as a token device or smart card.
Modified p. 109
Something you are, such as a biometric.
Something you are, such as a biometric.
Modified p. 109 → 110
Examine documentation describing the authentication method(s) used.
Examine documentation describing the authentication method(s) used.
Modified p. 109 → 110
For each type of authentication method used and for each type of system component, observe an authentication to verify authentication is functioning consistent with documented authentication method(s).
For each type of authentication method used and for each type of system component, observe an authentication to verify authentication is functioning consistent with documented authentication method(s).
Modified p. 109 → 110
<Report Findings Here> For each type of authentication method used and for each type of system component, describe how the authentication method was observed to be:
<Report Findings Here> For each type of authentication method used and for each type of system component, describe how the authentication method was observed to be functioning consistently with the documented authentication method(s).
Modified p. 109 → 110
<Report Findings Here> 8.2.1 Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components. ☐ ☐ ☐ ☐ ☐
<Report Findings Here> 8.2.1 Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components. ☐ ☐ ☐ ☐ ☐ 8.2.1.a Examine vendor documentation and system configuration settings to verify that passwords are protected with strong cryptography during transmission and storage.
Removed p. 110
For each item in the sample at 8.2.1.a, describe how password files were examined to verify that passwords are unreadable during storage.
Modified p. 110
Identify the vendor documentation reviewed for this testing procedure.
Identify the vendor documentation examined to verify that passwords are protected with strong cryptography during transmission and storage.
Modified p. 110
<Report Findings Here> Identify the sample of system components selected. <Report Findings Here> For each item in the sample, describe how system configuration settings were examined to verify that passwords are protected with strong cryptography during transmission.
<Report Findings Here> For each item in the sample, describe how system configuration settings verified that passwords are protected with strong cryptography during transmission.
Modified p. 110
<Report Findings Here> For each item in the sample, describe how system configuration settings were examined to verify that passwords are protected with strong cryptography during storage.
<Report Findings Here> For each item in the sample, describe how system configuration settings verified that passwords are protected with strong cryptography during storage.
Modified p. 110 → 111
8.2.1.a Examine vendor documentation and system configuration settings to verify that passwords are protected with strong cryptography during transmission and storage.
8.2.1.b For a sample of system components, examine password files to verify that passwords are unreadable during storage.
Modified p. 110 → 111
<Report Findings Here> 8.2.1.b For a sample of system components, examine password files to verify that passwords are unreadable during storage.
For each item in the sample at 8.2.1.a, describe how password files verified that passwords are unreadable during storage.
Modified p. 110 → 111
For each item in the sample at 8.2.1.a, describe how password files were examined to verify that passwords are unreadable during transmission.
For each item in the sample at 8.2.1.a, describe how password files verified that passwords are unreadable during transmission.
Modified p. 110 → 111
Additional procedure for service provider assessments only: for each item in the sample at 8.2.1.a, describe how password files were examined to verify that non-consumer customer passwords are unreadable during storage.
Additional procedure for service provider assessments only: for each item in the sample at 8.2.1.a, describe how password files verified that non-consumer customer passwords are unreadable during storage.
Modified p. 110 → 111
Additional procedure for service provider assessments only: for each item in the sample at 8.2.1.a, describe how password files were examined to verify that non-consumer customer passwords are unreadable during transmission.
Additional procedure for service provider assessments only: for each item in the sample at 8.2.1.a, describe how password files verified that non-consumer customer passwords are unreadable during transmission.
Modified p. 110 → 111
<Report Findings Here> 8.2.2 Verify user identity before modifying any authentication credential (for example, performing password resets, provisioning new tokens, or generating new keys). ☐ ☐ ☐ ☐ ☐
<Report Findings Here> 8.2.2 Verify user identity before modifying any authentication credential (for example, performing password resets, provisioning new tokens, or generating new keys). ☐ ☐ ☐ ☐ ☐ 8.2.2 Examine authentication procedures for modifying authentication credentials and observe security personnel to verify that, if a user requests a reset of an authentication credential by phone, e-mail, web, or other non-face-to-face method, the user’s identity is verified before the authentication credential is modified.
Removed p. 111
8.2.2 Examine authentication procedures for modifying authentication credentials and observe security personnel to verify that, if a user requests a reset of an authentication credential by phone, e-mail, web, or other non-face-to-face method, the user’s identity is verified before the authentication credential is modified.

<Report Findings Here> 8.2.3 Passwords/phrases must meet the following:

• Contain both numeric and alphabetic characters.
Modified p. 111
<Report Findings Here> Describe how security personnel were observed to verify that if a user requests a reset of an authentication credential by a non-face-to-face method, the user’s identity is verified before the authentication credential is modified.
<Report Findings Here> For each non-face-to-face method, describe how security personnel were observed to verify the user’s identity before the authentication credential was modified.
Modified p. 111 → 112
Require a minimum length of at least seven characters.
Require a minimum length of at least seven characters.
Modified p. 111 → 112
Contain both numeric and alphabetic characters.
Contain both numeric and alphabetic characters.
Modified p. 111 → 112
Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the parameters specified above.
Alternatively, the passwords/passphrases must have complexity and strength at least equivalent to the parameters specified above.
Modified p. 111 → 112
8.2.3.a For a sample of system components, inspect system configuration settings to verify that user password parameters are set to require at least the following strength/complexity:
8.2.3.a For a sample of system components, inspect system configuration settings to verify that user password/passphrase parameters are set to require at least the following strength/complexity:
Modified p. 111 → 112
Require a minimum length of at least seven characters.
Require a minimum length of at least seven characters. • Contain both numeric and alphabetic characters.
Modified p. 111 → 112
<Report Findings Here> For each item in the sample, describe how system configuration settings were inspected to verify that user password parameters are set to require at least the following strength/complexity:
<Report Findings Here> For each item in the sample, describe how system configuration settings verified that user password/passphrase parameters are set to require at least the following strength/complexity:
Modified p. 111 → 112
<Report Findings Here> • Contain both numeric and alphabetic characters. <Report Findings Here>
<Report Findings Here> • Contain both numeric and alphabetic characters. <Report Findings Here> 8.2.3.b Additional procedure for service provider assessments only: Review internal processes and customer/user documentation to verify that non- consumer customer passwords/passphrases are required to meet at least the following strength/complexity:
Removed p. 112
• A minimum length of at least seven characters.

<Report Findings Here> 8.2.4 Change user passwords/passphrases at least once every 90 days. ☐ ☐ ☐ ☐ ☐ 8.2.4.a For a sample of system components, inspect system configuration settings to verify that user password parameters are set to require users to change passwords at least once every 90 days.
Modified p. 112
• Require a minimum length of at least seven characters.
• A minimum length of at least seven characters.
Modified p. 112
Contain both numeric and alphabetic characters.
• Require a minimum length of at least seven characters. • Contain both numeric and alphabetic characters.
Modified p. 112
Additional procedure for service provider assessments only: Identify the documented internal processes and customer/user documentation reviewed to verify that non- consumer customer passwords are required to meet at least the following strength/complexity:
Additional procedure for service provider assessments only: Identify the documented internal processes and customer/user documentation reviewed to verify that non-consumer customer passwords/passphrases are required to meet at least the following strength/complexity:
Modified p. 112
Non-consumer user passwords are required to contain both numeric and alphabetic characters.
Non-consumer customer passwords/passphrases are required to contain both numeric and alphabetic characters.
Modified p. 112
<Report Findings Here> Describe how internal processes were reviewed to verify that non-consumer customer passwords are required to meet at least the following strength/complexity:
<Report Findings Here> Describe how internal processes were observed to verify that non-consumer customer passwords/passphrases are required to meet at least the following strength/complexity:
Modified p. 112
• A minimum length of at least seven characters. <Report Findings Here> • Non-consumer customer passwords are required to contain both numeric and alphabetic characters.
• A minimum length of at least seven characters. <Report Findings Here> • Non-consumer customer passwords/passphrases are required to contain both numeric and alphabetic characters.
Modified p. 112 → 113
8.2.3.b Additional procedure for service provider assessments only: Review internal processes and customer/user documentation to verify that non- consumer customer passwords are required to meet at least the following strength/complexity:
8.2.4 Change user passwords/passphrases at least once every 90 days. ☐ ☐ ☐ ☐ ☐ 8.2.4.a For a sample of system components, inspect system configuration settings to verify that user password/passphrase parameters are set to require users to change passwords/passphrases at least once every 90 days.
Modified p. 112 → 113
<Report Findings Here> For each item in the sample, describe how system configuration settings were inspected to verify that user password parameters are set to require users to change passwords at least once every 90 days.
<Report Findings Here> For each item in the sample, describe how system configuration settings verified that user password/passphrase parameters are set to require users to change passwords/passphrases at least once every 90 days.
Removed p. 113
• Non-consumer customer user passwords are required to change periodically; and

• Non-consumer customer user passwords are required to change periodically; and
Modified p. 113
8.2.4.b Additional procedure for service provider assessments only: Review internal processes and customer/user documentation to verify that:
<Report Findings Here> 8.2.4.b Additional procedure for service provider assessments only: Review internal processes and customer/user documentation to verify that:
Modified p. 113
Non-consumer customer users are given guidance as to when, and under what circumstances, passwords must change.
• Non-consumer customer user passwords/passphrases are required to change periodically; and • Non-consumer customer users are given guidance as to when, and under what circumstances, passwords/passphrases must change.
Modified p. 113
Non-consumer customer users are given guidance as to when, and under what circumstances, passwords must change.
• Non-consumer customer user passwords/passphrases are required to change periodically; and • Non-consumer customer users are given guidance as to when, and under what circumstances, passwords/passphrases must change.
Modified p. 113
<Report Findings Here> Describe how internal processes were reviewed to verify that:
<Report Findings Here> Describe how internal processes were observed to verify that:
Modified p. 113
• Non-consumer customer user passwords are required to change periodically; and <Report Findings Here> • Non-consumer customer users are given guidance as to when, and under what circumstances, passwords must change.
• Non-consumer customer user passwords/passphrases are required to change periodically; and <Report Findings Here> • Non-consumer customer users are given guidance as to when, and under what circumstances, passwords/passphrases must change.
Modified p. 113
<Report Findings Here> 8.2.5 Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used. ☐ ☐ ☐ ☐ ☐ 8.2.5.a For a sample of system components, obtain and inspect system configuration settings to verify that password parameters are set to require that new passwords cannot be the same as the four previously used passwords.
<Report Findings Here> 8.2.5 Do not allow an individual to submit a new password/passphrase that is the same as any of the last four passwords/passphrases he or she has used. ☐ ☐ ☐ ☐ ☐ 8.2.5.a For a sample of system components, obtain and inspect system Identify the sample of system components selected for this testing procedure.
Modified p. 113 → 114
<Report Findings Here> For each item in the sample, describe how system configuration settings were inspected to verify that password parameters are set to require that new passwords cannot be the same as the four previously used passwords.
<Report Findings Here> Describe how internal processes were observed to verify that new non-consumer customer user passwords/passphrases cannot be the same as the previous four passwords/passphrases.
Modified p. 113 → 114
<Report Findings Here> 8.2.5.b Additional Procedure for service provider assessments only: Review internal processes and customer/user documentation to verify that new non-consumer customer user passwords cannot be the same as the Additional procedure for service provider assessments only, identify the documented internal processes and customer/user documentation reviewed to verify that new non- consumer customer user passwords cannot be the same as the previous four passwords.
<Report Findings Here> 8.2.5.b Additional Procedure for service provider assessments only: Review internal processes and customer/user documentation to verify that new non-consumer customer user passwords/passphrases cannot be the same as the previous four passwords/passphrases.
Removed p. 114
<Report Findings Here> • Set reset passwords to be changed after first use. <Report Findings Here> 8.3 Incorporate two-factor authentication for remote network access originating from outside the network, by personnel (including users and administrators) and all third parties, (including vendor access for support or maintenance).

Examples of two-factor technologies include remote authentication and dial-in service (RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens; and other technologies that facilitate two-factor authentication.
Modified p. 114
previous four passwords. Describe how internal processes were reviewed to verify that new non-consumer customer user passwords cannot be the same as the previous four passwords.
configuration settings to verify that password/passphrases parameters are set to require that new passwords/passphrases cannot be the same as the four previously used passwords/passphrases.
Modified p. 114
<Report Findings Here> 8.2.6 Set passwords/phrases for first-time use and upon reset to a unique value for each user, and change immediately after the first use. ☐ ☐ ☐ ☐ ☐ 8.2.6 Examine password procedures and observe security personnel to verify that first-time passwords for new users, and reset passwords for existing users, are set to a unique value for each user and changed after first use.
<Report Findings Here> 8.2.6 Set passwords/passphrases for first-time use and upon reset to a unique value for each user, and change immediately after the first use. ☐ ☐ ☐ ☐ ☐ 8.2.6 Examine password procedures and observe security personnel to verify that first-time passwords/passphrases for new users, and reset passwords/passphrases for existing users, are set to a unique value for each user and changed after first use.
Modified p. 114
First-time passwords must be set to a unique value for each user.
First-time passwords/passphrases must be set to a unique value for each user.
Modified p. 114
First-time passwords must be changed after the first use.
First-time passwords/passphrases must be changed after the first use.
Modified p. 114
Reset passwords must be set to a unique value for each user.
Reset passwords/passphrases must be set to a unique value for each user.
Modified p. 114
Reset passwords must be changed after the first use.
Reset passwords/passphrases must be changed after the first use.
Modified p. 114
• Set first-time passwords to a unique value for each new user.
• Set first-time passwords/passphrases to a unique value for each new user.
Modified p. 114
<Report Findings Here> • Set first-time passwords to be changed after first use.
<Report Findings Here> • Set first-time passwords/passphrases to be changed after first use.
Modified p. 114 → 115
<Report Findings Here> • Set reset passwords to a unique value for each existing user.
<Report Findings Here> • Set reset passwords/passphrases to be changed after first use.
Modified p. 114 → 115
Note: Two-factor authentication requires that two of the three authentication methods (see Requirement 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered two-factor authentication.
Note: Multi-factor authentication requires that a minimum of two of the three authentication methods (see Requirement 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered multi-factor authentication.
Removed p. 115
• All remote access by personnel.

Describe how system configurations for remote access servers and systems were examined to verify two-factor authentication is required for:

<Report Findings Here> Identify which two factors are used:
Modified p. 115 → 116
8.3.a Examine system configurations for remote access servers and systems to verify two-factor authentication is required for:
verify multi-factor authentication is required for:
Modified p. 115 → 116
All third-party/vendor remote access (including access to applications and system components for support or maintenance purposes).
All third-party/vendor remote access (including access to applications and system components for support or maintenance purposes).
Modified p. 115 → 116
All remote access by personnel. <Report Findings Here> • All third-party/vendor remote access (including access to applications and system components for support or maintenance purposes).
All remote access by personnel, both user and administrator, and • All third-party/vendor remote access (including access to applications and system components for support or maintenance purposes).
Modified p. 115 → 116
<Report Findings Here> 8.3.b Observe a sample of personnel (for example, users and administrators) connecting remotely to the network and verify that at least two of the three authentication methods are used.
<Report Findings Here> 8.3.2.b Observe a sample of personnel (for example, users and administrators) connecting remotely to the network and verify that at least two of the three authentication methods are used.
Modified p. 115 → 116
Identify the sample of personnel observed connecting remotely to the network selected.
Identify the sample of personnel observed connecting remotely to the network.
Modified p. 115 → 116
<Report Findings Here> For each item in the sample, describe how two- factor authentication was observed to be required for remote access to the network.
<Report Findings Here> For each individual in the sample, describe how multi-factor authentication was observed to be required for remote access to the network.
Modified p. 115 → 116
• Something you have <Report Findings Here> 8.4 Document and communicate authentication policies and procedures to all users including:
<Report Findings Here> 8.4 Document and communicate authentication policies and procedures to all users including:
Modified p. 115 → 116
Instructions not to reuse previously used passwords.
Instructions not to reuse previously used passwords.
Modified p. 115 → 116
Instructions to change passwords if there is any suspicion the password could be compromised.
Instructions to change passwords if there is any suspicion the password could be compromised.
Modified p. 115 → 116
<Report Findings Here> Identify the personnel interviewed who confirm that authentication policies and procedures are distributed to all users.
<Report Findings Here> Identify the responsible personnel interviewed who confirm that authentication policies and procedures are distributed to all users.
Removed p. 116
• Shared and generic user IDs are not used to administer any system components.
Modified p. 116 → 117
Instructions to change passwords if there is any suspicion the password could be compromised.
Instructions to change passwords if there is any suspicion the password could be compromised.
Modified p. 116 → 117
Instructions for users not to reuse previously used passwords.
Instructions for users not to reuse previously used passwords.
Modified p. 116 → 117
Instructions for users not to reuse previously used passwords.
Instructions for users not to reuse previously used passwords.
Modified p. 116 → 117
That users should change passwords if there is any suspicion the password could be compromised.
That users should change passwords if there is any suspicion the password could be compromised.
Modified p. 116 → 117
<Report Findings Here> For the interview, summarize the relevant details discussed that verify that the sampled users are familiar with authentication policies and procedures.
<Report Findings Here> For each user in the sample, summarize the relevant details discussed that verify that they are familiar with authentication policies and procedures.
Modified p. 116 → 117
Generic user IDs are disabled or removed.
Generic user IDs are disabled or removed.
Modified p. 116 → 117
Generic user IDs are disabled or removed.
Generic user IDs are disabled or removed.
Modified p. 116 → 117
Shared user IDs do not exist for system administration and other critical functions.
Shared user IDs do not exist for system administration and other critical functions.
Modified p. 116 → 117
Shared and generic user IDs are not used to administer any system components.
Shared and generic user IDs are not used to administer any system components.
Modified p. 116 → 117
Shared user IDs for system administration activities and other critical functions do not exist.
Shared user IDs for system administration activities and Identify the sample of system components selected for this testing procedure.
Modified p. 116 → 117
<Report Findings Here> For each item in the sample, describe how user ID lists for the sample of system components were examined to verify that:
<Report Findings Here> For each item in the sample, describe how the user ID lists verified that:
Modified p. 116 → 118
<Report Findings Here> • Shared and generic user IDs are not used to administer any system components.
• Shared and generic user IDs are not used to administer any system components.
Removed p. 117
<Report Findings Here> Identify the personnel interviewed for this testing procedure.

Note: Requirement 8.5.1 is a best practice until June 30, 2015, after which it becomes a requirement.

Additional procedure for service provider assessments only, indicate whether this ROC is being completed prior to June 30, 2015. (yes/no) <Report Findings Here> If “yes” AND the assessed entity does not have this in place ahead of the requirement’s effective date, mark this as “Not Applicable.” If “no” OR if the assessed entity has this in place ahead of the requirement’s effective date, complete the following:

<Report Findings Here> For the interview, summarize the relevant details discussed to confirm that different authentication credentials are used for access to each customer.
Modified p. 117 → 118
8.5.b Examine authentication policies and procedures to verify that use of group and shared IDs and/or passwords or other authentication methods are explicitly prohibited.
other critical functions do not exist.
Modified p. 118
Authentication mechanisms must be assigned to an individual account and not shared among multiple accounts.
Authentication mechanisms must be assigned to an individual account and not shared among multiple accounts.
Modified p. 118
Physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access.
Physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access.
Modified p. 118 → 119
8.6 Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.) use of these mechanisms must be assigned as follows:
8.6.a Examine authentication policies and procedures to verify that procedures for using authentication mechanisms such as physical security tokens, smart cards, and certificates are defined and include:
Modified p. 118 → 119
Authentication mechanisms are assigned to an individual account and not shared among multiple accounts.
Authentication mechanisms are assigned to an individual account and not shared among multiple accounts.
Modified p. 118 → 119
Authentication mechanisms are assigned to an individual account and not shared among multiple accounts.
Authentication mechanisms are assigned to an individual account and not shared among multiple accounts.
Modified p. 118 → 119
Physical and/or logical controls are defined to ensure only the intended account can use that mechanism to gain access.
Physical and/or logical controls are defined to ensure only the intended account can use that mechanism to gain access.
Modified p. 118 → 119
Physical and/or logical controls are defined to ensure only the intended account can use that mechanism to gain access.
Physical and/or logical controls are defined to ensure only the intended account can use that mechanism to gain access.
Modified p. 118 → 119
<Report Findings Here> For each item in the sample, describe how system configuration settings and/or physical controls, as applicable, were examined to verify that controls are implemented to ensure only the intended account can use that mechanism to gain access.
<Report Findings Here> For each item in the sample, describe how system configuration settings and/or physical controls, as applicable, verified that controls are implemented to ensure only the intended account can use that mechanism to gain access.
Modified p. 118 → 119
All user access to, user queries of, and user actions on databases are through programmatic methods.
All user access to, user queries of, and user actions on databases are through programmatic methods.
Modified p. 118 → 119
Only database administrators have the ability to directly access or query databases.
Only database administrators have the ability to directly access or query databases.
Modified p. 118 → 119
Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes).
Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes).
Removed p. 119
<Report Findings Here> 8.7.b Examine database and application configuration settings to verify that all user access to, user queries of, and user actions on (for example, move, copy, delete), the database are through programmatic methods only (for example, through stored procedures).

Describe how the database and application configuration settings were examined to verify that only programmatic methods are used for:

• All user access to the database <Report Findings Here> • All user queries of the database <Report Findings Here> • All user actions on the database <Report Findings Here> Describe the process observed to verify that only programmatic methods are used for:

• All user access to the database <Report Findings Here> • All user queries of the database <Report Findings Here> • All user actions on the database <Report Findings Here> 8.7.c Examine database access control settings and database application configuration settings to verify that user direct access to or queries …
Modified p. 119
Identify all databases containing cardholder data. <Report Findings Here> Describe how authentication is managed (for example, via application and/or database interfaces).
Identify all databases containing cardholder data. <Report Findings Here> Describe how database and/or application configuration settings verified that all users are authenticated prior to access.
Modified p. 119
<Report Findings Here> Describe how database and/or application configuration settings were observed to verify that all users are authenticated prior to access.
8.7.a Review database and application configuration settings and verify that all users are authenticated prior to access.
Modified p. 119 → 120
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 8.7.a Review database and application configuration settings and verify that all users are authenticated prior to access.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 8.7.b Examine database and application configuration settings to verify that all user access to, user queries of, and user actions on (for example, move, copy, delete), the database are through programmatic methods only (for example, through stored procedures).
Removed p. 120
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ CCW N/A Not Tested 8.7.d Examine database access control settings, database application configuration settings, and the related application IDs to verify that application IDs can only be used by the applications (and not by individual users or other processes).

For each database from 8.7.a:

<Report Findings Here> • Describe how database access control settings, database application configuration settings and related application IDs were examined together to verify that application IDs can only be used by the applications.
Modified p. 120
• Identify applications with access to the database. <Report Findings Here> • Describe the implemented methods for ensuring that application IDs can only be used by the applications.
• Identify applications with access to the database. <Report Findings Here> • Describe how database access control settings, database application configuration settings and related application IDs verified that application IDs can only be used by the applications.
Modified p. 120
<Report Findings Here> Identify responsible personnel interviewed who confirm that the above documented security policies and operational procedures for identification and authentication are:
<Report Findings Here> Identify the responsible personnel interviewed who confirm that the above documented security policies and operational procedures for identification and authentication are:
Modified p. 121
Verify that access is controlled with badge readers or other devices including authorized badges and lock and key.
Verify that access is controlled with badge readers or other devices including authorized badges and lock and key.
Modified p. 121
Observe a system administrator’s attempt to log into consoles for randomly selected systems in the cardholder environment and verify that they are “locked” to prevent unauthorized use.
Observe a system administrator’s attempt to log into consoles for randomly selected systems in the cardholder data environment and verify that they are “locked” to prevent unauthorized use.
Modified p. 121
Describe the physical security controls to be in place, including authorized badges and lock and key.
Describe the physical security controls observed to be in place, including authorized badges and lock and key.
Modified p. 121
<Report Findings Here> Describe how consoles for the randomly selected systems were observed to verify that they are “locked” when not in use to prevent unauthorized use.
<Report Findings Here> Describe how consoles for the randomly selected systems were observed to be “locked” when not in use.
Modified p. 121
<Report Findings Here> 9.1.1 Use video cameras and/or access control mechanisms to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law.
<Report Findings Here> 9.1.1 Use either video cameras or access control mechanisms (or both) to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law.
Modified p. 121
9.1.1.a Verify that video cameras and/or access control mechanisms are in place to monitor the entry/exit points to sensitive areas.
9.1.1.a Verify that either video cameras or access control mechanisms (or both) are in place to monitor the entry/exit points to sensitive areas.
Modified p. 121
Describe the video cameras and/or access control mechanisms observed to monitor the entry/exit points to sensitive areas.
Describe either the video cameras or access control mechanisms (or both) observed to monitor the entry/exit points to sensitive areas.
Modified p. 121
<Report Findings Here> 9.1.1.b Verify that video cameras and/or access control mechanisms are protected from tampering or disabling.
<Report Findings Here> 9.1.1.b Verify that either video cameras or access control mechanisms (or both) are protected from tampering or disabling.
Modified p. 121
Describe how the video cameras and/or access control mechanisms were observed to be protected from tampering and/or disabling.
Describe how either the video cameras or access control mechanisms (or both) were observed to be protected from tampering and/or disabling.
Modified p. 122
Identify responsible personnel interviewed who confirm that physical and/or logical controls are in place to restrict access to publicly accessible network jacks.
Identify the responsible personnel interviewed who confirm that physical and/or logical controls are in place to restrict access to publicly accessible network jacks.
Modified p. 122
<Report Findings Here> Describe the physical and/or logical controls observed at the locations of publicly accessible network jacks to verify the controls are in place restrict access.
<Report Findings Here> Describe how physical and/or logical controls were observed to be in place to restrict access to publicly-accessible network jacks.
Modified p. 122
Identifying onsite personnel and visitors (for example, assigning badges).
Identifying onsite personnel and visitors (for example, assigning badges).
Modified p. 122
Changes to access requirements.
Changes to access requirements.
Modified p. 122
Revoking or terminating onsite personnel and expired visitor identification (such as ID badges).
Revoking or terminating onsite personnel and expired visitor identification (such as ID badges).
Removed p. 123
• Identifying onsite personnel and visitors (for example, assigning badges),

• Identifying onsite personnel and visitors (for example, assigning badges),

• Changing access requirements, and

• Changing access requirements, and

• Visitors are clearly identified, and

<Report Findings Here> Describe how access to the identification process was observed to be limited to authorized personnel.
Modified p. 123
Revoking terminated onsite personnel and expired visitor identification (such as ID badges).
• Identifying onsite personnel and visitors (for example, assigning badges), • Changing access requirements, and • Revoking terminated onsite personnel and expired visitor identification (such as ID badges).
Modified p. 123
Revoking terminated onsite personnel and expired visitor identification (such as ID badges).
• Identifying onsite personnel and visitors (for example, assigning badges), • Changing access requirements, and • Revoking terminated onsite personnel and expired visitor identification (such as ID badges).
Modified p. 123
It is easy to distinguish between onsite personnel and visitors.
• Visitors are clearly identified, and • It is easy to distinguish between onsite personnel and visitors.
Modified p. 123
Identify the document that defines that access to the identification process is limited to authorized personnel.
Describe how access to the identification process was observed to be limited to authorized personnel.
Modified p. 123
Access must be authorized and based on individual job function.
Access must be authorized and based on individual job function.
Modified p. 123
Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled.
Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled.
Removed p. 124
Describe how visitor authorization processes were observed to verify that visitors:

• Are escorted at all times within areas where cardholder data is processed and maintained.
Modified p. 124
Access to the sensitive area is authorized.
Access to the sensitive area is authorized.
Modified p. 124
Access is required for the individual’s job function.
Access is required for the individual’s job function.
Modified p. 124
Identify the sample of onsite personnel with physical access to sensitive areas interviewed for this testing procedure.
Identify the sample of onsite personnel with physical access to sensitive areas that were interviewed for this testing procedure.
Modified p. 124
<Report Findings Here> For all items in the sample, describe how responsible personnel were interviewed and access control lists observed to verify that:
<Report Findings Here> For the interview, summarize the relevant details discussed to verify that:
Modified p. 124
• Must be authorized before they are granted access to areas where cardholder data is processed or maintained.
Identify the documented procedures examined to verify that visitors must be authorized before they are granted access to, and escorted at all times within, areas where cardholder data is processed or maintained.:
Removed p. 125
<Report Findings Here> 9.4.1.b Observe the use of visitor badges or other identification to verify that a physical token badge does not permit unescorted access to physical areas where cardholder data is processed or maintained.
Modified p. 125
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) Not Tested Identify personnel interviewed who confirm that visitor authorization processes are in place so that visitors must be authorized before they are granted access to, and escorted at all times within, areas where cardholder data is processed or maintained.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) Not Tested 9.4.1.b Observe the use of visitor badges or other identification to verify that a physical token badge does not permit unescorted access to physical areas where cardholder data is processed or maintained.
Modified p. 125
9.4.4.a Verify that a visitor log is in use to record physical access to the facility as well as computer rooms and data centers Describe how it was verified that a visitor log is in use to record physical access to:
9.4.4.a Verify that a visitor log is in use to record physical access to the facility as well as computer rooms and data centers where cardholder data is stored or transmitted.
Removed p. 126
<Report Findings Here> 9.4.4.b Verify that the log contains:

• The visitor’s name,

• The visitor’s name,

• The firm represented, and

• The firm represented, and

<Report Findings Here> For all types of media used, describe the controls for physically securing the media used.

Identify all locations where backup media is stored. <Report Findings Here> Describe how it was observed that backup media storage is stored in a secure location.

Identify the document reviewed to verify that the storage location must be reviewed at least annually.

<Report Findings Here> Describe how processes were observed to verify that reviews of the security of each storage location are performed at least annually.
Modified p. 126
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) Not Tested • The facility. <Report Findings Here> • Computer rooms and data centers where cardholder data is stored or transmitted.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) Not Tested 9.4.4.b Verify that the log contains:
Modified p. 126
The onsite personnel authorizing physical access.
• The visitor’s name, • The firm represented, and • The onsite personnel authorizing physical access.
Modified p. 126
The onsite personnel authorizing physical access.
• The visitor’s name, • The firm represented, and • The onsite personnel authorizing physical access.
Modified p. 126
Identify the defined retention period for visitor logs. <Report Findings Here> Describe how visitor logs were observed to be retained for at least three months.
Describe how visitor logs were observed to be retained for at least three months.
Modified p. 126
<Report Findings Here> 9.5.1 Store media backups in a secure location, preferably an off-site facility, such as an alternate or back-up site, or a commercial storage facility. Review the location’s security at least annually. ☐ ☐ ☐ ☐ ☐ 9.5.1.a Observe the storage location’s physical security to confirm that backup media storage is secure.
<Report Findings Here> 9.5.1 Store media backups in a secure location, preferably an off-site facility, such as an alternate or back-up site, or a commercial storage facility. Review the location’s security at least annually. ☐ ☐ ☐ ☐ ☐ 9.5.1. Verify that the storage location security is reviewed at least annually to confirm that backup media storage is secure.
Modified p. 126
<Report Findings Here> 9.5.1.b Verify that the storage location security is reviewed at least annually.
Describe how processes were observed to verify that the storage location is reviewed at least annually to confirm that backup media storage is secure.
Modified p. 126
<Report Findings Here> 9.6 Maintain strict control over the internal or external distribution of any kind of media, including the following: ☐ ☐ ☐ ☐ ☐
<Report Findings Here> 9.6 Maintain strict control over the internal or external distribution of any kind of media, including the following: ☐ ☐ ☐ ☐ ☐ 9.6 Verify that a policy exists to control distribution of media, and that the policy covers all distributed media including that distributed to individuals.
Removed p. 127
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) Not Tested 9.6 Verify that a policy exists to control distribution of media, and that the policy covers all distributed media including that distributed to individuals.

<Report Findings Here> Describe how media distribution is controlled, including distribution to individuals.

Identify the documented policy reviewed to verify policy defines how media is classified.
Modified p. 127 → 126
<Report Findings Here> Describe how the classifications were observed to be implemented so the sensitivity of the data can be determined.
Describe how media was observed to be classified so the sensitivity of the data can be determined.
Modified p. 127 → 126
<Report Findings Here> 9.6.2 Send the media by secured courier or other delivery method that can be accurately tracked. ☐ ☐ ☐ ☐ ☐ 9.6.2.a Interview personnel and examine records to verify that all media sent outside the facility is logged and sent via secured courier or other delivery method that can be tracked.
<Report Findings Here> 9.6.2 Send the media by secured courier or other delivery method that can be accurately tracked. ☐ ☐ ☐ ☐ ☐
Modified p. 127
Identify the personnel interviewed who confirm that all media sent outside the facility is logged and sent via secured courier or other delivery method that can be tracked.
Identify the responsible personnel interviewed who confirm that all media sent outside the facility is logged and sent via secured courier or other delivery method that can be tracked.
Modified p. 127
<Report Findings Here> Describe how offsite tracking records were examined to verify that all media is logged and sent via secured courier or other delivery method that can be tracked.
<Report Findings Here> Describe how the offsite tracking records verified that all media is logged and sent via secured courier or other delivery method that can be tracked.
Modified p. 127
<Report Findings Here> For each item in the sample, describe how the offsite tracking logs were reviewed to verify that tracking details are documented.
<Report Findings Here> For each item in the sample, describe how tracking details were observed to be documented.
Modified p. 127
<Report Findings Here> 9.6.3 Ensure management approves any and all media that is moved from a secured area (including when media is distributed to individuals). ☐ ☐ ☐ ☐ ☐
<Report Findings Here> 9.6.3 Ensure management approves any and all media that is moved from a secured area (including when media is distributed to individuals). ☐ ☐ ☐ ☐ ☐ 9.6.3 Select a recent sample of several days of offsite tracking logs for all media. From examination of the logs and interviews with responsible personnel, verify proper management authorization is obtained whenever media is moved from a secured area (including when media is distributed to individuals).
Removed p. 128
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) Not Tested 9.6.3 Select a recent sample of several days of offsite tracking logs for all media. From examination of the logs and interviews with responsible personnel, verify proper management authorization is obtained whenever media is moved from a secured area (including when media is distributed to individuals).

<Report Findings Here> For each item in the sample in 9.6.2.b, describe how offsite tracking logs were examined to verify proper management authorization is obtained whenever media is moved from a secured area (including when media is distributed to individuals).
Modified p. 128 → 127
Identify responsible personnel interviewed who confirm that proper management authorization is obtained whenever media is moved from a secured area (including when media is distributed to individuals).
Identify the responsible personnel interviewed who confirm that proper management authorization is obtained whenever media is moved from a secured area (including when media is distributed to individuals).
Modified p. 128 → 127
<Report Findings Here> 9.7.1 Properly maintain inventory logs of all media and conduct media inventories at least annually. ☐ ☐ ☐ ☐ ☐ 9.7.1 Review media inventory logs to verify that logs are maintained and media inventories are performed at least annually.
<Report Findings Here> 9.7.1 Properly maintain inventory logs of all media and conduct media inventories at least annually. ☐ ☐ ☐ ☐ ☐
Modified p. 128
Identify the media inventories logs reviewed. <Report Findings Here> Describe how the media inventory logs were reviewed to verify that:
Identify the media inventories logs reviewed. <Report Findings Here> Describe how the media inventory logs verified that:
Modified p. 128
&lt;Report Findings Here&gt;  Media inventories are performed at least annually. &lt;Report Findings Here&gt; 9.8 Destroy media when it is no longer needed for business or legal reasons as follows: ☐ ☐ ☐ ☐ ☐
<Report Findings Here>  Media inventories are performed at least annually. <Report Findings Here> 9.8 Destroy media when it is no longer needed for business or legal reasons as follows: ☐ ☐ ☐ ☐ ☐ 9.8 Examine the periodic media destruction policy and verify that it covers all media and defines requirements for the following:
Removed p. 129
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) Not Tested 9.8 Examine the periodic media destruction policy and verify that it covers all media and defines requirements for the following:
Modified p. 129 → 128
Hard-copy materials must be crosscut shredded, incinerated, or pulped such that there is reasonable assurance the hard-copy materials cannot be reconstructed.
Hard-copy materials must be crosscut shredded, incinerated, or pulped such that there is reasonable assurance the hard-copy materials cannot be reconstructed.
Modified p. 129 → 128
Storage containers used for materials that are to be destroyed must be secured.
Storage containers used for materials that are to be destroyed must be secured.
Modified p. 129 → 128
Storage containers used for materials that are to be destroyed must be secured.
Storage containers used for materials that are to be destroyed must be secured.
Modified p. 129 → 128
Cardholder data on electronic media must be rendered unrecoverable (e.g. via a secure wipe program in accordance with industry-accepted standards for secure deletion, or by physically destroying the media).
Cardholder data on electronic media must be rendered unrecoverable (e.g. via a secure wipe program in accordance with industry-accepted standards for secure deletion, or by physically destroying the media).
Modified p. 129 → 128
Hard-copy materials must be crosscut shredded, incinerated, or pulped such that there is reasonable assurance the hard-copy materials cannot be reconstructed.
Hard-copy materials must be crosscut shredded, incinerated, or pulped such that there is reasonable assurance the hard-copy materials cannot be reconstructed.
Modified p. 129 → 128
Cardholder data on electronic media must be rendered unrecoverable (e.g. via a secure wipe program in accordance with industry-accepted standards for secure deletion, or by physically destroying the media).
Cardholder data on electronic media must be rendered unrecoverable (e.g. via a secure wipe program in accordance with industry-accepted standards for secure deletion, or by physically destroying the media).
Modified p. 129 → 128
<Report Findings Here> 9.8.1 Shred, incinerate, or pulp hard-copy materials so that cardholder data cannot be reconstructed. Secure storage containers used for materials that are to be destroyed. ☐ ☐ ☐ ☐ ☐ 9.8.1.a Interview personnel and examine procedures to verify that hard-copy materials are crosscut shredded, incinerated, or pulped such that there is reasonable assurance the hard-copy materials cannot be reconstructed.
<Report Findings Here> 9.8.1 Shred, incinerate, or pulp hard-copy materials so that cardholder data cannot be reconstructed. Secure storage containers used for materials that are to be destroyed. ☐ ☐ ☐ ☐ ☐
Modified p. 129
Identify personnel interviewed who confirm that hard-copy materials are crosscut shredded, incinerated, or pulped such that there is reasonable assurance the hard-copy materials cannot be reconstructed.
Identify the responsible personnel interviewed who confirm that hard-copy materials are crosscut shredded, incinerated, or pulped such that there is reasonable assurance the hard-copy materials cannot be reconstructed.
Modified p. 129
<Report Findings Here> Describe how the procedures were examined to verify that hard-copy materials are crosscut shredded, incinerated, or pulped such that there is reasonable assurance that hardcopy materials cannot be reconstructed.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) Not Tested 9.8.1.a Interview personnel and examine procedures to verify that hard-copy materials are crosscut shredded, incinerated, or pulped such that there is reasonable assurance the hard-copy materials cannot be reconstructed.
Modified p. 129
Describe how the storage containers used for materials to be destroyed are secured.
Describe how the storage containers used for materials to be destroyed were verified to be secured.
Removed p. 130
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) Not Tested 9.8.2 Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed. ☐ ☐ ☐ ☐ ☐ 9.8.2 Verify that cardholder data on electronic media is rendered unrecoverable (e.g. via a secure wipe program in accordance with industry-accepted standards for secure deletion, or by physically destroying the media).

Note: Requirement 9.9 is a best practice until June 30, 2015, after which it becomes a requirement.

Indicate whether this ROC is being completed prior to June 30, 2015. (yes/no) <Report Findings Here> If “yes” AND the assessed entity does not have this in place ahead of the requirement’s effective date, mark 9.9

• 9.9.3.b as “Not Applicable.” If not OR if the assessed entity has this in place ahead of the requirement’s effective date, complete the following:

• Make, model of …
Modified p. 130
Maintaining a list of devices.
Maintaining a list of devices.
Modified p. 130
Maintaining a list of devices.
Maintaining a list of devices.
Modified p. 130
Periodically inspecting devices to look for tampering or substitution.
Periodically inspecting devices to look for tampering or substitution.
Modified p. 130
Periodically inspecting devices to look for tampering or substitution.
Periodically inspecting devices to look for tampering or substitution.
Modified p. 130
Training personnel to be aware of suspicious behavior and to report tampering or substitution of POS devices.
Training personnel to be aware of suspicious behavior and to report tampering or substitution of POS devices.
Modified p. 130
Training personnel to be aware of suspicious behavior and to report tampering or substitution of POS devices.
Training personnel to be aware of suspicious behavior and to report tampering or substitution of POS devices.
Modified p. 130
Location of device (for example, the address of the site or facility where the device is located).
• Make, model of device. • Location of device (for example, the address of the site or facility where the device is located). • Device serial number or other method of unique identification.
Removed p. 131
• Make, model of device.

• Device serial number or other method of unique identification.

PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) Not Tested 9.9.1.a Examine the list of devices to verify it includes:

If “yes” at 9.9 AND the assessed entity does not have this in place ahead of the requirement’s effective date, mark 9.9.1.a -9.9.1.c as “Not Applicable.” If not OR if the assessed entity has this in place ahead of the requirement’s effective date, complete the following:

Identify personnel interviewed for this testing procedure.
Modified p. 131 → 130
Location of device (for example, the address of the site or facility where the device is located).
• Make, model of device. • Location of device (for example, the address of the site or facility where the device is located). • Device serial number or other method of unique identification.
Modified p. 131 → 130
Make, model of device.
Make, model of device.
Modified p. 131 → 130
Location of device (for example, the address of the site or facility where the device is located).
Location of device (for example, the address of the site or facility where the device is located).
Modified p. 131 → 130
Device serial number or other method of unique identification.
Device serial number or other method of unique identification.
Modified p. 131 → 130
<Report Findings Here> For all items in the sample, describe how the devices and device locations for the sample of devices were observed to verify that the list is accurate and up-to-date.
<Report Findings Here> For all items in the sample, describe how the devices and device locations were observed to verify that the list is accurate and up-to-date.
Modified p. 131 → 130
<Report Findings Here> For the interview, summarize the relevant details discussed that verify the list of devices is updated when devices are added, relocated, decommissioned, etc.
Identify the responsible personnel interviewed who confirm the list of devices is updated when devices are added, relocated, decommissioned, etc.
Modified p. 131
<Report Findings Here> 9.9.2 Periodically inspect device surfaces to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device).
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) Not Tested 9.9.2 Periodically inspect device surfaces to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device).
Removed p. 132
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) Not Tested 9.9.2.a Examine documented procedures to verify processes are defined to include the following:

• Frequency of inspections.

If “yes” at 9.9 AND the assessed entity does not have this in place ahead of the requirement’s effective date, mark 9.9.2.a -9.9.2.b as “Not Applicable.” If not OR if the assessed entity has this in place ahead of the requirement’s effective date, complete the following:

• All devices are periodically inspected for evidence of tampering and substitution.

• Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.

• Do not install, replace, or return devices without verification.

• Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices).

• Report suspicious behavior and indications of device …
Modified p. 132 → 131
Procedures for inspecting devices.
• Procedures for inspecting devices.

• Frequency of inspections.
Modified p. 132 → 131
Procedures for inspecting devices.
Procedures for inspecting devices.
Modified p. 132 → 131
Frequency of inspections.
Frequency of inspections.
Modified p. 132 → 131
Personnel are aware of procedures for inspecting devices.
Personnel are aware of procedures for inspecting devices.
Modified p. 132 → 131
All devices are periodically inspected for evidence of tampering and substitution.
All devices are periodically inspected for evidence of tampering and substitution.
Modified p. 132 → 131
Identify responsible personnel interviewed who confirm that:
Identify the responsible personnel interviewed who confirm that:
Modified p. 132 → 131
Personnel are aware of procedures for inspecting devices.
• Personnel are aware of procedures for inspecting devices.

• All devices are periodically inspected for evidence of tampering and substitution.
Modified p. 132
9.9.3.a Review training materials for personnel at point-of-sale locations to verify it includes training in the following:
9.9.3.a Review training materials for personnel at point-of-sale locations to verify it includes training in the following:
Removed p. 133
persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.

• Not to install, replace, or return devices without verification.

• Being aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices).

• Reporting suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer).
Modified p. 133 → 132
Verifying the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.
Verifying the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.
Modified p. 133 → 132
Not to install, replace, or return devices without verification.
Not to install, replace, or return devices without verification.
Modified p. 133 → 132
Being aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices).
Being aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices).
Modified p. 133 → 132
Reporting all suspicious behavior to appropriate personnel (for example, a manager or security officer).
Reporting all suspicious behavior to appropriate personnel (for example, a manager or security officer).
Modified p. 133 → 132
Reporting tampering or substitution of devices.
Reporting tampering or substitution of devices.
Removed p. 134
• Not to install, replace, or return devices without verification.

• Being aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices).

• Reporting suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example, to a manager or security officer).

• Verifying the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.
Modified p. 134 → 133
Identify the sample of personnel at point-of-sale locations interviewed to verify they have received training.
Identify the sample of personnel at point-of-sale locations interviewed.
Modified p. 134 → 133
<Report Findings Here> For the interview, summarize the relevant details discussed that verify interviewees are aware of the procedures for the following:
<Report Findings Here> For the interview, summarize the relevant details discussed that verify interviewees have received training and are aware of the procedures for the following:
Modified p. 134 → 133
<Report Findings Here> Identify responsible personnel interviewed who confirm that the above documented security policies and operational procedures for restricting physical access to cardholder data are:
<Report Findings Here> Identify the responsible personnel interviewed who confirm that the above documented security policies and operational procedures for restricting physical access to cardholder data are:
Modified p. 135 → 134
Audit trails are enabled and active for system components.
Audit trails are enabled and active for system components.
Modified p. 135 → 134
Audit trails are enabled and active for system components.
Audit trails are enabled and active for system components.
Modified p. 135 → 134
Access to system components is linked to individual users.
Access to system components is linked to individual users.
Modified p. 135 → 134
Access to system components is linked to individual users.
Access to system components is linked to individual users.
Removed p. 136
• Invalid logical access attempts.

• Use of and changes to identification and authentication mechanisms, including:
  o All elevation of privileges.
  o All changes, additions, or deletions to any account with root or administrative privileges.
Modified p. 136 → 135
All individual access to cardholder data.
All individual access to cardholder data.
Modified p. 136 → 135
All actions taken by any individual with root or administrative privileges.
All actions taken by any individual with root or administrative privileges.
Modified p. 136 → 135
Access to all audit trails.
Access to all audit trails.
Modified p. 136 → 135
Initialization of audit logs.
Initialization of audit logs.
Modified p. 136 → 135
Stopping or pausing of audit logs.
Stopping or pausing of audit logs.
Modified p. 136 → 135
Creation and deletion of system level objects.
Creation and deletion of system level objects.
Removed p. 137
Identify the sample of audit logs observed to verify the following from 10.2.1-10.2.7 are logged:

• All individual access to cardholder data.

• All actions taken by any individual with root or administrative privileges.

• Access to all audit trails.

• Use of and changes to identification and authentication mechanisms, including:
  o All elevation of privileges.
  o All changes, additions, or deletions to any account with root or administrative privileges.

• Initialization of audit logs.

• Stopping or pausing of audit logs.

• Creation and deletion of system level objects.
Modified p. 137 → 135
Invalid logical access attempts.
Invalid logical access attempts.
Modified p. 137 → 135
For all items in the sample at 10.2, describe how configuration settings were observed to verify all individual access to cardholder data is logged.
For all items in the sample at 10.2, describe how configuration settings verified that all individual access to cardholder data is logged.
Modified p. 137 → 135
For all items in the sample at 10.2, describe how configuration settings were observed to verify all actions taken by any individual with root or administrative privileges are logged.
For all items in the sample at 10.2, describe how configuration settings verified that all actions taken by any individual with root or administrative privileges are logged.
Modified p. 137 → 136
<Report Findings Here> 10.2.3 Access to all audit trails. ☐ ☐ ☐ ☐ ☐ 10.2.3 Verify access to all audit trails is logged.
<Report Findings Here> 10.2.4 Invalid logical access attempts. ☐ ☐ ☐ ☐ ☐ 10.2.4 Verify invalid logical access attempts are logged.
Modified p. 137 → 136
For all items in the sample at 10.2, describe how configuration settings were observed to verify access to all audit trails is logged.
For all items in the sample at 10.2, describe how configuration settings verified that access to all audit trails is logged.
Removed p. 138
• Stopping or pausing of audit logs.

<Report Findings Here> 10.3 Record at least the following audit trail entries for all system components for each event: ☐ ☐ ☐ ☐ ☐
Modified p. 138 → 136
10.2.4 Verify invalid logical access attempts are logged.
10.2.3 Access to all audit trails. ☐ ☐ ☐ ☐ ☐ 10.2.3 Verify access to all audit trails is logged.
Modified p. 138 → 136
For all items in the sample at 10.2, describe how configuration settings were observed to verify invalid logical access attempts are logged.
For all items in the sample at 10.2, describe how configuration settings verified that invalid logical access attempts are logged.
Modified p. 138 → 136
<Report Findings Here> 10.2.5 Use of and changes to identification and authentication mechanisms

• including but not limited to creation of new accounts and elevation of privileges

• and all changes, additions, or deletions to accounts with root or administrative privileges. ☐ ☐ ☐ ☐ ☐ 10.2.5.a Verify use of identification and authentication mechanisms is logged.
<Report Findings Here> 10.2.5 Use of and changes to identification and authentication mechanisms

• including but not limited to creation of new accounts and elevation of privileges

• and all changes, additions, or deletions to accounts with root or administrative privileges.
Modified p. 138 → 136
For all items in the sample at 10.2, describe how configuration settings were observed to verify use of identification and authentication mechanisms is logged.
For all items in the sample at 10.2, describe how configuration settings verified that use of identification and authentication mechanisms is logged.
Modified p. 138 → 136
For all items in the sample at 10.2, describe how configuration settings were observed to verify all elevation of privileges is logged.
For all items in the sample at 10.2, describe how configuration settings verified that all elevation of privileges is logged.
Modified p. 138 → 136
For all items in the sample at 10.2, describe how configuration settings were observed to verify all changes, additions, or deletions to any account with root or administrative privileges are logged.
For all items in the sample at 10.2, describe how configuration settings verified that all changes, additions, or deletions to any account with root or administrative privileges are logged.
Modified p. 138 → 136
Initialization of audit logs.
• Initialization of audit logs.

• Stopping or pausing of audit logs.
Modified p. 138 → 136
For all items in the sample at 10.2, describe how configuration settings were observed to verify initialization of audit logs is logged.
For all items in the sample at 10.2, describe how configuration settings verified that initialization of audit logs is logged.
Modified p. 138 → 136
<Report Findings Here> For all items in the sample at 10.2, describe how configuration settings were observed to verify stopping and pausing of audit logs is logged.
<Report Findings Here> For all items in the sample at 10.2, describe how configuration settings verified that stopping and pausing of audit logs is logged.
Modified p. 138 → 136
For all items in the sample at 10.2, describe how configuration settings were observed to verify creation and deletion of system level objects are logged.
For all items in the sample at 10.2, describe how configuration settings verified that creation and deletion of system level objects are logged.
Removed p. 139
• User identification

• User identification

• Success or failure indication

• Success or failure indication
Modified p. 139 → 137
10.3 Through interviews and observation of audit logs, for each auditable event (from 10.2), perform the following:
10.3 Record at least the following audit trail entries for all system components for each event: ☐ ☐ ☐ ☐ ☐ 10.3 Through interviews and observation of audit logs, for each auditable event (from 10.2), perform the following:
Modified p. 139 → 137
Origination of event <Report Findings Here> Identify the sample of audit logs from 10.2.1-10.2.7 observed to verify the following are included in log entries:
• User identification

• Type of event

• Date and time

• Success or failure indication

• Origination of event
<Report Findings Here> Identify the sample of audit logs from 10.2.1-10.2.7 observed to verify the following are included in log entries:
Modified p. 139 → 137
Origination of event <Report Findings Here> 10.3.1 User identification ☐ ☐ ☐ ☐ ☐ 10.3.1 Verify user identification is included in log entries.
• User identification

• Type of event

• Date and time

• Success or failure indication

• Origination of event
<Report Findings Here> 10.3.1 User identification ☐ ☐ ☐ ☐ ☐ 10.3.1 Verify user identification is included in log entries.
Modified p. 139 → 137
For all logs in the sample at 10.3, describe how the audit logs were observed to verify user identification is included in log entries.
For all logs in the sample at 10.3, describe how the audit logs verified that user identification is included in log entries.
Modified p. 139 → 137
For all logs in the sample at 10.3, describe how the audit logs were observed to verify type of event is included in log entries.
For all logs in the sample at 10.3, describe how the audit logs verified that type of event is included in log entries.
Modified p. 139 → 137
For all logs in the sample at 10.3, describe how the audit logs were observed to verify date and time stamp is included in log entries.
For all logs in the sample at 10.3, describe how the audit logs verified that date and time stamp is included in log entries.
Removed p. 140
• Implemented. <Report Findings Here>

• Kept current, per the documented process. <Report Findings Here> 10.4.1 Critical systems have the correct and consistent time. ☐ ☐ ☐ ☐ ☐
Modified p. 140 → 138
For all logs in the sample at 10.3, describe how the audit logs were observed to verify success or failure indication is included in log entries.
For all logs in the sample at 10.3, describe how the audit logs verified that success or failure indication is included in log entries.
Modified p. 140 → 138
For all logs in the sample at 10.3, describe how the audit logs were observed to verify origination of event is included in log entries.
For all logs in the sample at 10.3, describe how the audit logs verified that origination of event is included in log entries.
Modified p. 140 → 138
For all logs in the sample at 10.3, describe how the audit logs were observed to verify the identity or name of affected data, system component, or resource is included in log entries.
For all logs in the sample at 10.3, describe how the audit logs verified that the identity or name of affected data, system component, or resource is included in log entries.
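The 10.3 testing procedures above ask the assessor to observe sampled log entries and confirm each carries the six required elements. The following is an added example (not part of the ROC template, and not any vendor's log format) of how a practitioner can run that check over a log sample instead of eyeballing it. The field names, the JSON layout and the sudo-style line are constructed for illustration; map REQUIRED_FIELDS to whatever the real log source emits.

```python
"""Check sampled audit-log entries for the fields PCI DSS 10.3 requires.

Added example, not part of the ROC template. The log lines, JSON keys and
the sudo-style syslog line below are constructed for illustration.
"""
import json
import re

# The six entry elements from 10.3.1-10.3.6, mapped to the field names this
# (assumed) log format uses. Adjust the right-hand side per log source.
REQUIRED_FIELDS = {
    "10.3.1 user identification": "user",
    "10.3.2 type of event": "event",
    "10.3.3 date and time": "ts",
    "10.3.4 success or failure indication": "outcome",
    "10.3.5 origination of event": "src",
    "10.3.6 identity or name of affected data, system component, or resource": "target",
}

# Constructed sample: two JSON-structured lines and one syslog-style sudo line.
# Line 2 deliberately lacks the affected resource (10.3.6).
SAMPLE_LOG = """\
{"ts":"2016-04-12T09:15:02Z","user":"jdoe","event":"login","outcome":"success","src":"10.1.2.3","target":"pos-db01"}
{"ts":"2016-04-12T09:15:40Z","user":"jdoe","event":"select_pan","outcome":"success","src":"10.1.2.3"}
Apr 12 09:16:01 pos-db01 sudo: root : TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=/bin/cat /var/log/audit.log
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:]+): "
    r"(?P<user>\S+) : .*?USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_line(line):
    """Return a dict of fields for one line, or {} if the format is unknown."""
    line = line.strip()
    if line.startswith("{"):
        try:
            return json.loads(line)
        except ValueError:
            return {}
    m = SYSLOG_RE.match(line)
    if m:
        return {
            "ts": m.group("ts"),
            "user": m.group("user"),
            "event": "sudo:" + m.group("prog").strip(),
            "src": m.group("host"),
            "target": m.group("cmd"),
            # sudo logs refusals as a separate message, so a COMMAND= line
            # implies success; label it so the inference is visible in evidence.
            "outcome": "success (implied)",
        }
    return {}


def missing_fields(entry):
    """List the 10.3 elements an entry does not satisfy (empty values count as missing)."""
    return [req for req, key in REQUIRED_FIELDS.items()
            if not str(entry.get(key, "")).strip()]


def check_log(text):
    """Return [(line_no, [missing elements])] for failing lines; [] means every line passed."""
    failures = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        entry = parse_line(line)
        gaps = missing_fields(entry) if entry else ["unparseable line"]
        if gaps:
            failures.append((n, gaps))
    return failures


if __name__ == "__main__":
    for n, gaps in check_log(SAMPLE_LOG):
        print(f"line {n}: missing {gaps}")
```

Run against a real sample, the output is the list of lines (and which 10.3 element each lacks) that the assessor would cite in the Reporting Details column; an empty result is the evidence that the sample satisfies 10.3.1 through 10.3.6. Note the sudo case: the success indication is inferred from the message type, which is worth stating explicitly in the report rather than letting a parser hide it.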
Modified p. 140 → 138
Identify the time synchronization technologies in use. (If NTP, include version) <Report Findings Here> Identify the documented time-synchronization process that defines processes for ensuring the time synchronization technologies are kept current per PCI DSS Requirements 6.1 and 6.2.
Identify the time synchronization technologies in use. (If NTP, include version) <Report Findings Here> Identify the documented time-synchronization configuration standards examined to verify that time synchronization technology is implemented and kept current per PCI DSS Requirements 6.1 and 6.2.
Removed p. 141
• Only the designated central time server(s) receive time signals from external sources, and time signals from external sources are based on International Atomic Time or UTC.

• Where there is more than one designated time server, the time servers peer with one another to keep accurate time.

• Systems receive time information only from designated central time server(s).

• Where there is more than one designated time server, the designated central time server(s) peer with one another to keep accurate time.

• Systems receive time only from designated central time server(s).
Modified p. 141 → 138
Identify the documented process for acquiring, distributing, and storing the correct time within the organization examined to verify that the process defines the following:
Describe how the process for acquiring, distributing, and storing the correct time within the organization was examined to verify the following:
Modified p. 141 → 139
10.4.1.a Examine the process for acquiring, distributing and storing the correct time within the organization to verify that:
• Only the designated central time server(s) receive time signals from external sources, and time signals from external sources are based on International Atomic Time or UTC.

• Where there is more than one designated time server, the time servers peer with one another to keep accurate time.

• Systems receive time information only …
Modified p. 141 → 139
Only the designated central time server(s) receive time signals from external sources, and time signals from external sources are based on International Atomic Time or UTC.
Only the designated central time server(s) receive time signals from external sources, and time signals from external sources are based on International Atomic Time or UTC.
Modified p. 141 → 139
Where there is more than one designated time server, the time servers peer with one another to keep accurate time.
<Report Findings Here>  Where there is more than one designated time server, the time servers peer with one another to keep accurate time.
Modified p. 141 → 139
Systems receive time information only from designated central time server(s).
<Report Findings Here>  Systems receive time information only from designated central time server(s).
Modified p. 141 → 139
Only the designated central time server(s) receive time signals from external sources, and time signals from external sources are based on International Atomic Time or UTC.
• Only the designated central time server(s) receive time signals from external sources, and time signals from external sources are based on International Atomic Time or UTC.

• Where there is more than one designated time server, the designated central time server(s) peer with one another to keep accurate time.

• Systems receive time only from designated central time server(s).
Modified p. 141 → 139
Identify the sample of system components selected for 10.4.1.b-10.4.2.b <Report Findings Here> For all items in the sample, describe how the time-related system-parameter settings for the sample of system components were observed to verify:
Identify the sample of system components selected for 10.4.1.b-10.4.2.b <Report Findings Here> For all items in the sample, describe how the time-related system-parameter settings verified:
Modified p. 141 → 139
<Report Findings Here> 10.4.2 Time data is protected. ☐ ☐ ☐ ☐ ☐
<Report Findings Here> 10.4.2 Time data is protected. ☐ ☐ ☐ ☐ ☐ 10.4.2.a Examine system configurations and time-synchronization settings to verify that access to time data is restricted to only personnel with a business need to access time data.
Removed p. 142
Identify the documented time-synchronization procedures examined to verify procedures define that:

• Define which personnel have a business need to access time data.

<Report Findings Here> Identify the authorized personnel interviewed who confirm that personnel with access to time data have a business need to access time data.

Identify the documented time-synchronization procedures examined to verify procedures define that changes to time settings on critical systems must be:

• Reviewed <Report Findings Here> For all items in the sample from 10.4.1, describe how configuration settings on the sampled system components were examined to log any changes to time settings on critical systems.

<Report Findings Here> For all items in the sample from 10.4.1, describe how logs were examined to log any changes to time settings on critical systems.

• Logged <Report Findings Here>

• Monitored <Report Findings Here>
Modified p. 142 → 139
• Access to time data is restricted to only personnel with a business need to access time data.
For all items in the sample from 10.4.1, describe how configuration settings verified that access to time data is restricted to only personnel with a business need to access time data.
Modified p. 142 → 139
<Report Findings Here> 10.4.2.b Examine system configurations, time synchronization settings and logs, and processes to verify that any changes to time settings on critical systems are logged, monitored, and reviewed.
<Report Findings Here> 10.4.2.b Examine system configurations, time synchronization settings and logs, and processes to verify that any changes For all items in the sample from 10.4.1, describe how configuration settings and time synchronization settings verified that any changes to time settings on critical systems are logged.
Modified p. 142 → 140
10.4.2.a Examine system configurations and time-synchronization settings to verify that access to time data is restricted to only personnel with a business need to access time data.
to time settings on critical systems are logged, monitored, and reviewed.
Modified p. 142 → 140
<Report Findings Here> For all items in the sample from 10.4.1, describe how configuration settings were examined to restrict access to time data to only personnel with a documented need.
For all items in the sample from 10.4.1, describe how the examined logs verified that any changes to time settings on critical systems are logged.
Removed p. 143
Identify the document reviewed to verify it defines that:

• Time settings are configured to either accept time updates from specific, industry-accepted time sources; OR

• The updates are encrypted with a symmetric key and access control lists specify the IP addresses of client machines that will be provided with the time updates.

<Report Findings Here> Identify the industry-accepted time source indicated (if applicable).
Modified p. 143 → 140
Reviewed <Report Findings Here> 10.4.3 Time settings are received from industry-accepted time sources. ☐ ☐ ☐ ☐ ☐ 10.4.3 Examine systems configurations to verify that the time server(s) accept time updates from specific, industry-accepted external sources (to prevent a malicious individual from changing the clock). Optionally, those updates can be encrypted with a symmetric key, and access control lists can be created that specify the IP addresses of client machines that will be provided with the time updates …
• Logged <Report Findings Here>

• Monitored <Report Findings Here>

• Reviewed <Report Findings Here> 10.4.3 Time settings are received from industry-accepted time sources. ☐ ☐ ☐ ☐ ☐ 10.4.3 Examine systems configurations to verify that the time server(s) accept time updates from specific, industry-accepted external sources (to prevent a malicious individual from changing the clock). Optionally, those updates can be encrypted with a symmetric key, and access control lists can be created that specify the IP addresses of client …
Modified p. 143 → 140
<Report Findings Here> Identify the sample of time servers selected. <Report Findings Here> For all items in the sample, describe how configuration settings were examined to verify either of the following:
<Report Findings Here> For all items in the sample, describe how configuration settings verified either of the following:
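Requirements 10.4.1 and 10.4.3 describe a concrete topology: designated central time servers take time from industry-accepted external sources and peer with each other, every other system takes time only from those central servers, and source authentication with a symmetric key plus client access lists is optional. The assessor is asked to describe how the sampled time-synchronization settings verified that. The following is an added example (not from the ROC template, and not the output of chrony, ntpd or any other tool) that reads chrony-style `server`, `pool`, `peer`, `allow` and `keyfile` directives from two constructed configs, one for a central server and one for a client, and reports departures from that topology. The central-server inventory, the approved external sources, the host names and the config contents are all assumptions made for the example; ntpd syntax is close enough that the parser needs only small changes.

```python
"""Check time-synchronization configs against the PCI DSS 10.4.1/10.4.3 topology.

Added example for this section; not part of the ROC template and not the
output of any NTP tool. Host names, addresses, the central-server inventory
and the approved-source list are assumptions made for illustration.
"""

# Assumed inventory of designated central time servers (10.4.1).
CENTRAL = {"ntp1.corp.example", "ntp2.corp.example"}
# Assumed policy list of industry-accepted external sources (10.4.3).
APPROVED_EXTERNAL = {"time.nist.gov", "0.pool.ntp.org"}

CENTRAL_CONF = """\
# ntp1.corp.example (constructed sample)
server time.nist.gov iburst
server 0.pool.ntp.org iburst
peer ntp2.corp.example key 20
keyfile /etc/chrony.keys
allow 10.0.0.0/8
"""

CLIENT_CONF = """\
# pos-db01 (constructed sample): the third server line is the defect
server ntp1.corp.example iburst
server ntp2.corp.example iburst
server time.windows.com iburst
"""


def parse(conf):
    """Collect the directives the audit cares about; comments are stripped."""
    out = {"server": [], "peer": [], "allow": [], "keyed": set(), "keyfile": False}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        directive, *args = line.split()
        if directive in ("server", "pool", "peer") and args:
            out["peer" if directive == "peer" else "server"].append(args[0])
            if "key" in args:            # chrony: `server <host> ... key <id>`
                out["keyed"].add(args[0])
        elif directive == "allow" and args:
            out["allow"].append(args[0])
        elif directive == "keyfile":
            out["keyfile"] = True
    return out


def audit(hostname, conf):
    """Return (findings, notes). Empty findings means the host fits 10.4.1."""
    c = parse(conf)
    findings, notes = [], []
    sources = set(c["server"])
    if hostname in CENTRAL:
        external = sources - CENTRAL
        if not external:
            findings.append(f"{hostname}: central server has no external time source")
        for s in sorted(external - APPROVED_EXTERNAL):
            findings.append(f"{hostname}: external source {s} is not on the approved list")
        for p in sorted(CENTRAL - {hostname} - set(c["peer"])):
            findings.append(f"{hostname}: does not peer with designated server {p}")
        if not c["allow"]:
            findings.append(f"{hostname}: no 'allow' restriction on which clients are served")
        # 10.4.3 makes key authentication optional, so report it separately.
        for s in sorted(external - c["keyed"]):
            notes.append(f"{hostname}: source {s} is not key-authenticated (optional under 10.4.3)")
    else:
        for s in sorted(sources - CENTRAL):
            findings.append(f"{hostname}: receives time from non-central source {s}")
        if not sources & CENTRAL:
            findings.append(f"{hostname}: no designated central time server configured")
    return findings, notes


if __name__ == "__main__":
    for host, conf in (("ntp1.corp.example", CENTRAL_CONF), ("pos-db01", CLIENT_CONF)):
        findings, notes = audit(host, conf)
        for line in findings or [f"{host}: matches 10.4.1"]:
            print(line)
        for line in notes:
            print("  note:", line)
```

On the constructed input the central server passes with two notes about unauthenticated external sources, and the client is flagged because it also takes time from a host outside the designated set, which is exactly the condition 10.4.1.b asks the assessor to rule out. Keep in mind that the config only shows what a host is told to use; pairing it with the daemon's live source list (for chrony, `chronyc sources`) confirms what it actually synchronizes to.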
Removed p. 144
• Logs for external-facing technologies (for example, wireless, firewalls, DNS, mail) are written onto a secure, centralized, internal log server or media.
Modified p. 144 → 141
Only individuals who have a job-related need can view audit trail files.
Only individuals who have a job-related need can view audit trail files.
Modified p. 144 → 141
Current audit trail files are protected from unauthorized modifications via access control mechanisms, physical segregation, and/or network segregation.
Current audit trail files are protected from unauthorized modifications via access control mechanisms, physical segregation, and/or network segregation.
Modified p. 144 → 141
Current audit trail files are promptly backed up to a centralized log server or media that is difficult to alter, including: - That current audit trail files are promptly backed up to the centralized log server or media - The frequency that audit trail files are backed up - That the centralized log server or media is difficult to alter
Current audit trail files are promptly backed up to a centralized log server or media that is difficult to alter, including: - That current audit trail files are promptly backed up to the centralized log server or media - The frequency that audit trail files are backed up - That the centralized log server or media is difficult to alter
• Logs for external-facing technologies (for example, wireless, firewalls, DNS, mail) are written onto a secure, centralized, internal log …
Modified p. 144 → 141
Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts.
Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts.
Modified p. 144 → 141
<Report Findings Here> Identify the sample of system components selected for this testing procedure from 10.5.1-10.5.5.
<Report Findings Here> Identify the sample of system components selected for 10.5.1-10.5.5.
Modified p. 144 → 141
For each item in the sample at 10.5, describe how system configurations and permissions were examined to verify they restrict viewing of audit trail files to only individuals who have a documented job-related need.
For each item in the sample at 10.5, describe how system configurations and permissions verified that only individuals who have a job-related need can view audit trail files.
Removed p. 145
For each item in the sample at 10.5, describe how system configurations and permissions were examined to verify that current audit trail files are protected from unauthorized modifications. (e.g., via access control mechanisms, physical segregation, and/or network segregation).

<Report Findings Here> Identify and briefly describe the following:

• The centralized log server or media to which audit trail files are backed up.

<Report Findings Here>  How frequently the audit trail files are backed up, and how the frequency is appropriate.

<Report Findings Here>  How the centralized log server or media is difficult to alter.

<Report Findings Here> Describe how logs for external-facing technologies are written onto a secure centralized internal log server or media.
Modified p. 145 → 142
For each item in the sample at 10.5, describe how system configurations and permissions were examined to verify that current audit trail files are promptly backed up to a centralized log server or media that is difficult to alter.
For each item in the sample at 10.5, describe how system configurations and permissions verified that current audit trail files are promptly backed up to a centralized log server or media that is difficult to alter.
Modified p. 145 → 142
For each item in the sample at 10.5, describe how system configurations and permissions were examined to verify that logs for external-facing technologies are written onto a secure, centralized, internal log server or media.
For each item in the sample at 10.5, describe how system configurations and permissions verified that logs for external-facing technologies are written onto a secure, centralized, internal log server or media.
Modified p. 145 → 142
<Report Findings Here> 10.5.5 Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert). ☐ ☐ ☐ ☐ ☐
<Report Findings Here> 10.5.5 Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert). ☐ ☐ ☐ ☐ ☐ 10.5.5 Examine system settings, monitored files, and results from monitoring activities to verify the use of file-integrity monitoring or change-detection software on logs.
Removed p. 146
10.5.5 Examine system settings, monitored files, and results from monitoring activities to verify the use of file-integrity monitoring or change-detection software on logs.

• System settings <Report Findings Here>

• Monitored files <Report Findings Here>
Removed p. 146
• Logs of all servers and system components that perform security functions.
Modified p. 146 → 142
For each item in the sample at 10.5, describe how the following were examined to verify the use of file-integrity monitoring or change-detection software on logs:
For each item in the sample at 10.5, describe how the following verified the use of file-integrity monitoring or change-detection software on logs:
Modified p. 146 → 142
Results from monitoring activities <Report Findings Here> Identify the file-integrity monitoring (FIM) or change- detection software verified to be in use.
• System settings <Report Findings Here>

• Monitored files <Report Findings Here>

• Results from monitoring activities <Report Findings Here>
Identify the file-integrity monitoring (FIM) or change-detection software verified to be in use.
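Requirement 10.5.5 has a subtlety that a generic whole-file hash misses: a log file legitimately grows all the time, so alerting on any change would drown the signal, while alerting on nothing lets an attacker rewrite or truncate history. The following is an added example, not from the ROC template and not how any particular FIM product works internally, of the append-only check the requirement describes: record the file's length and the hash of the bytes seen so far, and on each check re-hash only that prefix, so appended data passes while an edit, truncation or deletion of existing data raises an alert. The file path and log content are constructed; the demo walks the three cases on a temporary file.

```python
"""Append-only integrity check for log files (PCI DSS 10.5.5).

Added example; not part of the ROC template and not the algorithm of any
FIM product. Paths and sample log content are constructed for illustration.
"""
import hashlib
import os
import tempfile

ALGO = "sha256"


def _hash_prefix(path, length):
    """SHA-256 of the first `length` bytes, or None if the file is shorter than that."""
    h = hashlib.new(ALGO)
    remaining = length
    with open(path, "rb") as f:
        while remaining > 0:
            chunk = f.read(min(65536, remaining))
            if not chunk:
                break                    # file ended early: it was truncated
            h.update(chunk)
            remaining -= len(chunk)
    return None if remaining else h.hexdigest()


def baseline(path):
    """Record the current length and prefix hash of a log file."""
    size = os.path.getsize(path)
    return {"path": path, "length": size, "digest": _hash_prefix(path, size)}


def check(entry):
    """Return (status, detail); 'ok' covers both unchanged and append-only growth."""
    path, base_len = entry["path"], entry["length"]
    if not os.path.exists(path):
        return "ALERT", "log file missing"
    size = os.path.getsize(path)
    if size < base_len:
        return "ALERT", f"truncated: {base_len} -> {size} bytes"
    if _hash_prefix(path, base_len) != entry["digest"]:
        return "ALERT", "existing log data modified in place"
    if size > base_len:
        return "ok", f"appended {size - base_len} bytes"
    return "ok", "unchanged"


def demo():
    """Walk append, in-place edit and truncation on a temp file; return the three statuses."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "audit.log")
        with open(log, "wb") as f:
            f.write(b"2016-04-12T09:15:02Z jdoe login success\n")
        base = baseline(log)

        with open(log, "ab") as f:          # legitimate append: must not alert
            f.write(b"2016-04-12T09:15:40Z jdoe select_pan success\n")
        appended = check(base)[0]

        with open(log, "r+b") as f:         # same length, but history rewritten
            f.seek(0)
            f.write(b"2016-04-12T09:15:02Z root login success\n")
        edited = check(base)[0]

        with open(log, "wb") as f:          # log wiped
            f.write(b"")
        truncated = check(base)[0]
    return appended, edited, truncated


if __name__ == "__main__":
    print(demo())   # expected: ('ok', 'ALERT', 'ALERT')
```

Two points the check itself does not solve, and which the 10.5 testing procedures around it are there to catch: the baseline must live somewhere the host's administrator cannot rewrite along with the log (the centralized log server of 10.5.3 is the natural place), and after each clean check the baseline should be advanced to the new length so the window for an undetected rewrite stays short. Rotation is the usual false-positive source; treat a rotated file as a new baseline rather than a truncation.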
Modified p. 146 → 143
Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.).
• All security events

• Logs of all system components that store, process, or transmit CHD and/or SAD

• Logs of all critical system components

• Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.).
Modified p. 146 → 143
• Logs of all critical system components Identify the documented security policies and procedures examined to verify that procedures define reviewing the following at least daily, either manually or via log tools:
Identify the documented security policies and procedures examined to verify that procedures define reviewing the following at least daily, either manually or via log tools:
Modified p. 147 → 143

Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.).
• All security events • Logs of all system components that store, process, or transmit CHD and/or SAD • Logs of all critical system components • Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.).
Modified p. 147 → 143
Describe the manual or log tools used for daily review of logs.
<Report Findings Here> Describe the manual or log tools used for daily review of logs.
Modified p. 147 → 143
All security events Logs of all system components that store, process, or transmit CHD and/or SAD Logs of all critical system components • Logs of all servers and system components that perform security functions. <Report Findings Here> Describe how processes were observed to verify that the following are reviewed at least daily:
All security events Logs of all system components that store, process, or transmit CHD and/or SAD Logs of all critical system components Identify the responsible personnel interviewed who confirm that the following are reviewed at least daily:
Modified p. 147 → 144
Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.) Identify the personnel interviewed who confirm that the following are reviewed at least daily:
• Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.) Describe how processes were observed to verify that the following are reviewed at least daily:
Modified p. 147 → 144
<Report Findings Here> 10.6.2 Review logs of all other system components periodically based on the organization’s policies and risk management strategy, as determined by the organization’s annual risk assessment. ☐ ☐ ☐ ☐ ☐
<Report Findings Here> 10.6.2 Review logs of all other system components periodically based on the organization’s policies and risk management strategy, as determined by the organization’s annual risk assessment. ☐ ☐ ☐ ☐ ☐ 10.6.2.a Examine security policies and procedures to verify that procedures are defined for reviewing logs of all other system components periodically

• either manually or via log tools

• based on the organization’s policies and risk management strategy.
Removed p. 148
10.6.2.a Examine security policies and procedures to verify that procedures are defined for reviewing logs of all other system components periodically

• either manually or via log tools

• based on the organization’s policies and risk management strategy.

<Report Findings Here> For the interview, summarize the relevant details discussed that verify that reviews are performed in accordance with the organization’s policies and risk management strategy.
Modified p. 148 → 144
<Report Findings Here> Identify the personnel interviewed for this testing procedure.
<Report Findings Here> Identify the responsible personnel interviewed who confirm that reviews are performed in accordance with organization’s policies and risk management strategy.
Modified p. 148 → 144
<Report Findings Here> 10.6.3 Follow up exceptions and anomalies identified during the review process. ☐ ☐ ☐ ☐ ☐ 10.6.3.a Examine security policies and procedures to verify that procedures are defined for following up on exceptions and anomalies identified during the review process.
<Report Findings Here> 10.6.3 Follow up exceptions and anomalies identified during the review process. ☐ ☐ ☐ ☐ ☐
Modified p. 148 → 145
<Report Findings Here> 10.6.3.b Observe processes and interview personnel to verify that follow-up to exceptions and anomalies is performed.
<Report Findings Here> 10.6.3.b Observe processes and interview personnel to verify that follow-up to exceptions and anomalies is performed.
Modified p. 148 → 145
<Report Findings Here> Identify the personnel interviewed who confirm that follow-up to exceptions and anomalies is performed.
<Report Findings Here> Identify the responsible personnel interviewed who confirm that follow-up to exceptions and anomalies is performed.
Modified p. 148 → 145
<Report Findings Here> 10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup). ☐ ☐ ☐ ☐ ☐
<Report Findings Here> 10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup). ☐ ☐ ☐ ☐ ☐ 10.7.a Examine security policies and procedures to verify that they define the following:
Removed p. 149
10.7.a Examine security policies and procedures to verify that they define the following:

<Report Findings Here> 10.8 Ensure that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties. ☐ ☐ ☐ ☐ ☐ 10.8 Examine documentation and interview personnel to verify that security policies and operational procedures for monitoring all access to network resources and cardholder data are:
Modified p. 149 → 145
Audit log retention policies.
Audit log retention policies.
Modified p. 149 → 145
Audit log retention policies.
Audit log retention policies.
Modified p. 149 → 145
Procedures for retaining audit logs for at least one year, with a minimum of three months immediately available online.
Procedures for retaining audit logs for at least one year, with a minimum of three months immediately available online.
Modified p. 149 → 145
Procedures for retaining audit logs for at least one year, with a minimum of three months immediately available online.
Procedures for retaining audit logs for at least one year, with a minimum of three months immediately available online.
Modified p. 149 → 145
Identify the personnel interviewed who confirm that audit logs are retained for at least one year.
Identify the responsible personnel interviewed who confirm that audit logs are retained for at least one year.
Modified p. 149 → 145
<Report Findings Here> Describe how the audit logs were examined to verify that audit logs are retained for at least one year.
<Report Findings Here> Describe how the audit logs verified that audit logs are retained for at least one year.
Modified p. 149 → 145
Identify the personnel interviewed who confirm that at least the last three months’ logs are immediately available for analysis.
Identify the responsible personnel interviewed who confirm that at least the last three months’ logs are immediately available for analysis.
Modified p. 149 → 145
<Report Findings Here> Describe the processes observed to verify that at least the last three months’ logs are immediately available for analysis.
<Report Findings Here> Describe how processes were observed to verify that at least the last three months’ logs are immediately available for analysis.
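Added example, not text from either ROC template: the two 10.7 numbers (one year retained, three months immediately available) are easy to assert in an interview and easy to miss in practice, because a retention policy is satisfied only if coverage is continuous across the whole year and the most recent quarter sits in whatever tier the organization's policy treats as "immediately available". The checker below is a hypothetical helper written for this page; it walks an inventory of log-storage segments (constructed here) day by day and reports gaps in the year as well as recent days that are retained but not immediately available. Which tiers count as immediate is an assumption the caller supplies to match the documented policy.

```python
"""Audit-log retention check against 10.7 (added example, hypothetical helper).

A segment is (first_day, last_day_inclusive, tier). Coverage is evaluated
per calendar day so that gaps between segments show up as missing days.
"""
from datetime import date, timedelta


def _days(first, last):
    d = first
    while d <= last:
        yield d
        d += timedelta(days=1)


def check_retention(segments, today, retain_days=365, immediate_days=90,
                    immediate_tiers=("online",)):
    """Return which days of the required windows are missing or not immediately available."""
    covered, immediate = set(), set()
    for first, last, tier in segments:
        for d in _days(first, last):
            covered.add(d)
            if tier in immediate_tiers:          # assumption: policy defines these tiers as immediate
                immediate.add(d)
    required = [today - timedelta(days=i) for i in range(retain_days)]   # today back through the year
    missing = [d for d in required if d not in covered]
    not_immediate = [d for d in required[:immediate_days] if d not in immediate]
    return {
        "retention_ok": not missing,
        "missing_days": len(missing),
        "oldest_missing": min(missing) if missing else None,
        "immediate_ok": not not_immediate,
        "not_immediate_days": len(not_immediate),
    }


def demo():
    """Three constructed inventories evaluated as of a fixed date."""
    today = date(2016, 4, 30)                                         # constructed assessment date
    day = lambda n: today - timedelta(days=n)
    scenarios = {
        # online store only holds 61 days; the rest of the quarter is in cold archive
        "archive_inside_90_days": [(day(60), today, "online"), (day(400), day(61), "archive")],
        # a rotation bug left no logs at all between day 61 and day 199
        "gap_in_archive": [(day(60), today, "online"), (day(400), day(200), "archive")],
        # 120 days online, older material archived: meets both windows
        "compliant": [(day(120), today, "online"), (day(400), day(121), "archive")],
    }
    return {name: check_retention(segs, today) for name, segs in scenarios.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The first scenario is the one that passes a retention interview and fails the "immediately available" half of 10.7: the data exists, but 29 of the last 90 days would have to be restored before an analyst could query them.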
Modified p. 149
<Report Findings Here> Identify responsible personnel interviewed who confirm that the above documented security policies and operational procedures for monitoring all access to network resources and cardholder data are:
<Report Findings Here> Identify the responsible personnel interviewed who confirm that the above documented security policies and operational procedures for monitoring all access to network resources and cardholder data are:
Modified p. 150
WLAN cards inserted into system components.
WLAN cards inserted into system components.
Modified p. 150
Portable or mobile devices attached to system components to create a wireless access point (for example, by USB, etc.).
Portable or mobile devices attached to system components to create a wireless access point (for example, by USB, etc.).
Modified p. 150
Wireless devices attached to a network port or network device.
Wireless devices attached to a network port or network device.
Modified p. 150
Describe how the methodology/processes were verified to be adequate to detect and identify unauthorized wireless access points, including the following:
Provide the name of the assessor who attests that the methodology is adequate to detect and identify any unauthorized wireless access points, including at least the following:
Modified p. 150
• WLAN cards inserted into system components. <Report Findings Here> • Portable or mobile devices attached to system components to create a wireless access point.
Portable or mobile devices attached to system components to create a wireless access point (for example, by USB, etc.).
Modified p. 150
<Report Findings Here> • Wireless devices attached to a network port or network device.
Wireless devices attached to a network port or network device.
Modified p. 150
<Report Findings Here> • Any other unauthorized wireless access point. <Report Findings Here> 11.1.c If wireless scanning is utilized, examine output from recent wireless scans to verify that:
<Report Findings Here> 11.1.c If wireless scanning is utilized, examine output from recent wireless scans to verify that:
Removed p. 151
• The scan is performed at least quarterly for all system components and facilities.
Modified p. 151
Authorized and unauthorized wireless access points are identified, and
Authorized and unauthorized wireless access points are identified, and • The scan is performed at least quarterly for all system components and facilities.
Modified p. 151
Authorized wireless access points are identified.
Authorized wireless access points are identified.
Modified p. 151
Unauthorized wireless access points are identified.
Unauthorized wireless access points are identified.
Modified p. 151
The scan is performed at least quarterly.
The scan is performed at least quarterly.
Modified p. 151
The scan covers all system components.
The scan covers all system components.
Modified p. 151
The scan covers all facilities.
The scan covers all facilities.
Removed p. 152
<Report Findings Here> 11.2.1.b Review the scan reports and verify that the scan process includes rescans until all “high-risk” vulnerabilities as defined in PCI DSS Requirement 6.1 Identify the documented process for quarterly internal scanning to verify the process defines performing rescans as part of the quarterly internal scan process.
Modified p. 152 → 151
Identify the responsible personnel interviewed for this testing procedure.
<Report Findings Here> 11.1.2.b Interview responsible personnel and/or inspect recent wireless scans and Identify the responsible personnel interviewed for this testing procedure.
Modified p. 152
11.1.2.b Interview responsible personnel and/or inspect recent wireless scans and related responses to verify action is taken when unauthorized wireless access points are found.
related responses to verify action is taken when unauthorized wireless access points are found.
Modified p. 152
<Report Findings Here> For the interview, summarize the relevant details discussed that verify that action is taken when unauthorized wireless access points are found.
For the interview, summarize the relevant details discussed that verify that action is taken when unauthorized wireless access points are found.
Modified p. 152
<Report Findings Here> Describe how the recent wireless scans and related responses were inspected to verify that action is taken when unauthorized wireless access points are found.
<Report Findings Here> Describe how the recent wireless scans and related responses verified that action is taken when unauthorized wireless access points are found.
Removed p. 153
• Passing results are obtained, or <Report Findings Here> • All “High” vulnerabilities as defined in PCI DSS Requirement 6.1 are resolved.

<Report Findings Here> Describe how the personnel who perform the scans demonstrated they are qualified to perform the scans.
Modified p. 153
are resolved. For each of the four internal quarterly scans indicated at 11.2.1.a, indicate whether a rescan was required. (yes/no) <Report Findings Here> If “yes,” describe how rescans were verified to be performed until either:
risk” vulnerabilities as defined in PCI DSS Requirement 6.1 are resolved.
Modified p. 153
Identify the responsible personnel interviewed who confirm that the scan was performed by a qualified internal resource(s) or qualified external third party.
Identify the responsible personnel interviewed for this testing procedure.
Modified p. 153
<Report Findings Here> 11.2.2 Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved.
• The scan was performed by a qualified internal resource <Report Findings Here> • Organizational independence of the tester exists. <Report Findings Here> 11.2.2 Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved.
Removed p. 154
Identify the document reviewed to verify processes are defined for performing internal and external scans after any significant change.
Modified p. 154
Describe how the results of each quarterly scan were reviewed to verify that the ASV Program Guide requirements for a passing scan have been met.
Provide the name of the assessor who attests that the results of each quarterly scan were reviewed and verified that the ASV Program Guide requirements for a passing scan have been met.
Modified p. 154
<Report Findings Here> For each of the four external quarterly scans indicated at 11.2.2.a, indicate whether a rescan was necessary. (yes/no) <Report Findings Here> If “yes,” describe how the results of the rescan were reviewed to verify that the ASV Program Guide requirements for a passing scan have been met.
<Report Findings Here> For each of the four external quarterly scans indicated at 11.2.2.a, indicate whether a rescan was necessary. (yes/no) <Report Findings Here> If “yes,” describe how the results of the rescan verified that the ASV Program Guide requirements for a passing scan have been met.
Modified p. 154
<Report Findings Here> Identify the change control documentation and scan reports reviewed for this testing procedure.
Identify the change control documentation and scan reports reviewed for this testing procedure.
Modified p. 154
<Report Findings Here> Describe how the change control documentation and scan reports were inspected and correlated to verify that all system components subject to significant change were scanned after the change.
<Report Findings Here> Describe how the change control documentation and scan reports verified that all system components subject to significant change were scanned after the change.
Modified p. 154
For external scans, no vulnerabilities exist that are scored 4.0 or higher by the CVSS.
For external scans, no vulnerabilities exist that are scored 4.0 or higher by the CVSS.
Modified p. 154
For internal scans, all “high-risk” vulnerabilities as defined in PCI DSS Requirement 6.1 are resolved.
For internal scans, all “high-risk” vulnerabilities as defined in PCI DSS Requirement 6.1 are resolved.
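Added example, not text from either ROC template: the two pass criteria above differ in kind. External scans fail on a fixed CVSS base-score threshold (4.0 or higher, per the ASV Program Guide), while internal scans fail on the organization's own risk ranking from Requirement 6.1, which need not be a CVSS cut-off. The helper below, written for this page and not taken from any PCI SSC tool, encodes both rules and then walks a quarter's chronological list of scan reports (initial scan plus rescans) to produce exactly what the template asks the assessor to record: whether a rescan was required, how many were run, and whether the quarter ended passing. Scan findings are constructed; the `risk_rank` field stands in for whatever label the assessed entity's 6.1 process assigns.

```python
"""Quarterly scan pass/fail and rescan tracking for 11.2 (added example, hypothetical helper)."""

EXTERNAL_CVSS_FAIL = 4.0          # ASV Program Guide: any CVSS >= 4.0 is a failing external scan


def blocking_findings(findings, scope, high_risk_ranks=("high", "critical")):
    """Findings that prevent a passing result for the given scan scope."""
    if scope == "external":
        return [f for f in findings if f["cvss"] >= EXTERNAL_CVSS_FAIL]
    if scope == "internal":
        # Internal scans use the entity's 6.1 ranking; the rank labels here are an assumption.
        return [f for f in findings if f["risk_rank"] in high_risk_ranks]
    raise ValueError(f"unknown scan scope: {scope}")


def quarter_status(scans, scope):
    """scans: chronological list of scan reports for one quarter; scans[0] is the
    quarterly scan, any further entries are rescans. A report is a list of findings."""
    if not scans:
        raise ValueError("a quarter needs at least one scan report")
    initial_block = blocking_findings(scans[0], scope)
    final_block = blocking_findings(scans[-1], scope)
    return {
        "rescan_required": bool(initial_block),      # template: "indicate whether a rescan was required"
        "rescans_performed": len(scans) - 1,
        "passing": not final_block,                  # only the latest report decides the quarter
        "open": [f["id"] for f in final_block],      # what still blocks, for the findings narrative
    }


def demo():
    """Constructed scan reports: one external quarter that is remediated, one internal that is not."""
    external_q1 = [
        [{"id": "ext-1", "cvss": 7.5}, {"id": "ext-2", "cvss": 3.9}],   # quarterly ASV scan: fails on ext-1
        [{"id": "ext-2", "cvss": 3.9}],                                  # rescan after remediation: passes
    ]
    internal_q1 = [
        [{"id": "int-1", "risk_rank": "high"}, {"id": "int-2", "risk_rank": "medium"}],
        [{"id": "int-1", "risk_rank": "high"}, {"id": "int-2", "risk_rank": "medium"}],  # rescan, still open
    ]
    return {
        "external": quarter_status(external_q1, "external"),
        "internal": quarter_status(internal_q1, "internal"),
    }


if __name__ == "__main__":
    for scope, status in demo().items():
        print(scope, status)
```

Note that ext-2 at 3.9 survives the external pass: it is below the threshold, but it is still a finding the entity's 6.1 ranking may classify as needing remediation on the internal side.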
Removed p. 155
Describe how it was validated that the scan was performed by a qualified internal resource(s) or qualified external third party.
Modified p. 155
<Report Findings Here> Indicate whether an internal resource performed the scans. (yes/no) If “no,” mark the remainder of 11.2.3.c as “Not Applicable.” If “yes,” complete the following:
Indicate whether an internal resource performed the scans. (yes/no) If “no,” mark the remainder of 11.2.3.c as “Not Applicable.” If “yes,” complete the following:
Removed p. 156
11.3 Penetration Testing

Note: The update to Requirement 11.3 is a best practice until June 30, 2015, after which it becomes a requirement. PCI DSS v2.0 requirements for penetration testing must be followed until v3.1 is in place. Do not answer both v2.0 and 3.1 reporting instructions.

Indicate whether 11.3 for this ROC is being assessed against PCI DSS v2.0 or v3.1 (either is acceptable until June 30, 2015.) (2.0/3.1) <Report Findings Here> If assessing against PCI DSS v2.0 for 11.3, please complete the following section in purple:
Removed p. 156
11.3.a Obtain and examine the results from the most recent penetration test to verify that penetration testing is performed at least annually and after any significant changes to the environment.

• Identify the documented penetration test results which confirm:

i. Internal penetration tests are performed annually. ii. External penetration tests are performed annually. • Identify whether any significant infrastructure or application upgrade or modification occurred during the past 12 months.

• Identify the documented penetration test results confirming that penetration tests are performed after:

i. Significant internal infrastructure or application upgrade. ii. Significant external infrastructure or application upgrade.

11.3.b Verify that noted exploitable vulnerabilities were corrected and testing repeated.

• Identify whether any exploitable vulnerabilities were noted in the most recent:

i. Internal penetration test results. ii. External penetration test results. • Identify the …
Modified p. 159 → 155
i. Internal penetration testing includes application-layer penetration tests. ii. External penetration testing includes application-layer penetration tests. iii. The application-layer tests include, at a minimum, the vulnerabilities listed in PCI DSS Requirement 6.5.
• Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5.
Modified p. 159 → 155
Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115).
Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115).
Modified p. 159 → 155
Includes coverage for the entire CDE perimeter and critical systems.
Includes coverage for the entire CDE perimeter and critical systems.
Modified p. 159 → 155
Includes testing from both inside and outside of the network.
Includes testing from both inside and outside of the network.
Modified p. 159 → 155
Includes testing to validate any segmentation and scope reduction controls.
Includes testing to validate any segmentation and scope reduction controls.
Modified p. 159 → 155
Includes review and consideration of threats and vulnerabilities experienced in the last 12 months.
Includes review and consideration of threats and vulnerabilities experienced in the last 12 months.
Modified p. 159 → 155
Specifies retention of penetration testing results and remediation activities results.
Specifies retention of penetration testing results and remediation activities results.
Modified p. 160 → 156
Includes coverage for the entire CDE perimeter and critical systems.
Includes coverage for the entire CDE perimeter and critical systems.
Modified p. 160 → 156
Includes testing to validate any segmentation and scope reduction controls.
Includes testing to validate any segmentation and scope reduction controls.
Modified p. 160 → 156
Includes review and consideration of threats and vulnerabilities experienced in the last 12 months.
Includes review and consideration of threats and vulnerabilities experienced in the last 12 months.
Modified p. 160 → 156
Specifies retention of penetration testing results and remediation activities results.
Specifies retention of penetration testing results and remediation activities results.
Modified p. 160 → 156
Is based on industry-accepted penetration testing approaches.
Is based on industry-accepted penetration testing approaches.
Modified p. 160 → 156
Includes testing from both inside and outside the network.
Includes testing from both inside and outside the network.
Modified p. 160 → 156
Based on industry-accepted penetration testing approaches.
Based on industry-accepted penetration testing approaches.
Modified p. 160 → 156
Coverage for the entire CDE perimeter and critical systems.
Coverage for the entire CDE perimeter and critical systems.
Modified p. 160 → 156
Testing from both inside and outside the network.
Testing from both inside and outside the network.
Modified p. 160 → 156
Testing to validate any segmentation and scope reduction controls.
Testing to validate any segmentation and scope reduction controls.
Modified p. 160 → 156
Review and consideration of threats and vulnerabilities experienced in the last 12 months.
Review and consideration of threats and vulnerabilities experienced in the last 12 months.
Modified p. 160 → 156
Retention of penetration testing results and remediation activities results.
Retention of penetration testing results and remediation activities results.
Removed p. 161
<Report Findings Here> Describe how the penetration-testing methodology was examined to verify that the implemented methodology includes at least the following:

• Based on industry-accepted penetration testing approaches.

<Report Findings Here> • Coverage for the entire CDE perimeter and critical systems.

<Report Findings Here> • Testing from both inside the network, and from outside of the network attempting to get in.

<Report Findings Here> • Testing to validate any segmentation and scope-reduction controls.
Modified p. 161 → 157
Based on industry-accepted penetration testing approaches.
Based on industry-accepted penetration testing approaches.
Modified p. 161 → 157
Coverage for the entire CDE perimeter and critical systems.
Coverage for the entire CDE perimeter and critical systems.
Modified p. 161 → 157
Testing from both inside and outside the network.
Testing from both inside and outside the network.
Modified p. 161 → 157
Testing to validate any segmentation and scope reduction controls.
Testing to validate any segmentation and scope reduction controls.
Modified p. 161 → 157
Review and consideration of threats and vulnerabilities experienced in the last 12 months.
Review and consideration of threats and vulnerabilities experienced in the last 12 months.
Modified p. 161 → 157
Retention of penetration testing results and remediation activities results.
Retention of penetration testing results and remediation activities results.
Removed p. 162
• Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5.

<Report Findings Here> • Defines network-layer penetration tests to include components that support network functions as well as operating systems.

<Report Findings Here> • Review and consideration of threats and vulnerabilities experienced in the last 12 months.

<Report Findings Here> • Retention of penetration testing results and remediation activities results.
Modified p. 162 → 157
Per the defined methodology
Per the defined methodology • At least annually <Report Findings Here>
Modified p. 162 → 157
After any significant changes to the environment Identify the documented external penetration test results reviewed to verify that external penetration testing is performed:
• Per the defined methodology • At least annually • After any significant changes to the environment Identify the documented external penetration test results reviewed to verify that external penetration testing is performed:
Modified p. 162 → 157
At least annually <Report Findings Here> Describe how the scope of work was reviewed to verify that external penetration testing is performed:
• Per the defined methodology • At least annually <Report Findings Here> Describe how the scope of work verified that external penetration testing is performed:
Modified p. 162 → 158
• At least annually <Report Findings Here> Identify whether any significant external infrastructure or application upgrade or modification occurred during the past 12 months.
Identify whether any significant external infrastructure or application upgrade or modification occurred during the past 12 months.
Modified p. 162 → 158
<Report Findings Here> 11.3.1.b Verify that the test was performed by a qualified internal resource or qualified external third party, and if applicable, organizational independence of the tester exists (not required to be a QSA or ASV). Describe how it was validated that the test was performed by a qualified internal resource(s) or qualified external third party.
<Report Findings Here> 11.3.1.b Verify that the test was performed by a qualified internal resource or qualified external third party, and if applicable, organizational independence of the tester exists (not required to be a QSA or ASV).
Removed p. 163
• At least annually <Report Findings Here> Describe how the scope of work was reviewed to verify that internal penetration testing is performed:
Modified p. 163 → 158
Per the defined methodology
Per the defined methodology • At least annually <Report Findings Here>
Modified p. 163 → 158
Indicate whether an internal resource performed the test. (yes/no) If “no,” mark the remainder of 11.3.1.b as “Not Applicable.” If “yes,” complete the following:
Indicate whether an internal resource performed the test. (yes/no) If “no,” mark the remainder of 11.3.1.b as “Not Applicable.” If “yes,” complete the following:
Modified p. 163 → 158
<Report Findings Here> Describe how the personnel who perform the penetration tests demonstrated they are qualified to perform the tests.
<Report Findings Here> Describe how the personnel who perform the penetration tests demonstrated they are qualified to perform the tests.
Modified p. 163 → 158
• After any significant changes to the environment Identify the documented internal penetration test results reviewed to verify that internal penetration testing is performed:
• Per the defined methodology Identify the documented internal penetration test results reviewed to verify that internal penetration testing is performed:
Modified p. 163 → 159
At least annually <Report Findings Here> Indicate whether any significant internal infrastructure or application upgrade or modification occurred during the past 12 months. (yes/no) <Report Findings Here> Identify the documented internal penetration test results reviewed to verify that internal penetration tests are performed after significant internal infrastructure or application upgrade.
• Per the defined methodology • At least annually <Report Findings Here> Indicate whether any significant internal infrastructure or application upgrade or modification occurred during the past 12 months. (yes/no) <Report Findings Here> Identify the documented internal penetration test results reviewed to verify that internal penetration tests are performed after significant internal infrastructure or application upgrade.
Modified p. 163 → 159
<Report Findings Here> 11.3.2.b Verify that the test was performed by a qualified internal resource or qualified external third party, Describe how it was validated that the test was performed by a qualified internal resource(s) or qualified external third party.
<Report Findings Here> 11.3.2.b Verify that the test was performed by a qualified internal resource or qualified external third party, and if applicable, organizational independence of the tester exists (not required to be a QSA or ASV).
Removed p. 164
• Test all segmentation methods to confirm they are operational and effective.
Modified p. 164 → 159
and if applicable, organizational independence of the tester exists (not required to be a QSA or ASV).
• At least annually • After any significant changes to the environment Describe how the scope of work verified that internal penetration testing is performed:
Modified p. 164 → 160
11.3.4.a Examine segmentation controls and review penetration-testing methodology to verify that penetration-testing procedures are defined to test all segmentation methods to confirm they are operational and effective, and isolate all out-of-scope systems from systems in the CDE.
11.3.4.a Examine segmentation controls and review penetration-testing methodology to verify that penetration-testing procedures are defined to test all segmentation methods to confirm they are operational and effective, and isolate all out-of-scope systems from systems in the CDE.
Modified p. 164 → 160
Indicate whether segmentation is used to isolate the CDE from other networks. (yes/no) If “no,” mark the remainder of 11.3.4.a and 11.3.4.b as “Not Applicable.” <Report Findings Here> If “yes,” describe segmentation controls examined for this testing procedure.
Indicate whether segmentation is used to isolate the CDE from other networks. (yes/no) If “no,” mark the remainder of 11.3.4.a and 11.3.4.b as “Not Applicable.” <Report Findings Here> If “yes,” identify the defined penetration-testing methodology examined to verify procedures are defined to test all segmentation methods to confirm they are operational and effective, and isolate all out-of-scope systems from systems in the CDE.
Modified p. 164 → 160
<Report Findings Here> Describe how the segmentation controls and penetration-testing methodology were examined to verify that penetration testing procedures are defined to:
<Report Findings Here> Describe how the segmentation controls verified that segmentation methods:
Removed p. 165
• Penetration testing to verify segmentation controls is performed at least annually and after any changes to segmentation controls/methods.

• The penetration testing covers all segmentation controls/methods in use.

• At the perimeter of the cardholder data environment.

• At critical points in the cardholder data environment.

• At critical points in the cardholder data environment.
Modified p. 165 → 160
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested  Isolate all out-of-scope systems from systems in the CDE.
 Are operational and effective. <Report Findings Here>  Isolate all out-of-scope systems from systems in the CDE.
Modified p. 165 → 160
The penetration testing verifies that segmentation controls/methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.
 Penetration testing to verify segmentation controls is performed at least annually and after any changes to segmentation controls/methods.  The penetration testing covers all segmentation controls/methods in use.  The penetration testing verifies that segmentation controls/methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.
Modified p. 165 → 160
Penetration testing to verify segmentation controls is performed at least annually and after any changes to segmentation controls/methods.
Penetration testing to verify segmentation controls is performed at least annually and after any changes to segmentation controls/methods.
Modified p. 165 → 160
The penetration testing covers all segmentation controls/methods in use.
The penetration testing covers all segmentation controls/methods in use.
Modified p. 165 → 161
• the penetration testing verifies that segmentation controls/methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.
 The penetration testing verifies that segmentation controls/methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.
Modified p. 165 → 161
At the perimeter of the cardholder data environment.
At the perimeter of the cardholder data environment.
Modified p. 165 → 161
At critical points in the cardholder data environment.
At critical points in the cardholder data environment.
Modified p. 165 → 162
<Report Findings Here> Identify the techniques observed to be in place to monitor all traffic:
Describe how system configurations verified that techniques are in place to monitor all traffic:
Modified p. 165 → 162
At the perimeter of the cardholder data environment.
At critical points in the cardholder data environment.
Modified p. 166 → 162
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested Describe how system configurations were examined to verify that techniques are in place to monitor all traffic:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested Place  At the perimeter of the cardholder data environment.
Modified p. 166 → 162
Describe how system configurations for intrusion-detection, and/or intrusion-prevention techniques were examined to verify they are configured to alert personnel of suspected compromises.
Describe how system configurations for intrusion-detection and/or intrusion-prevention techniques verified that they are configured to alert personnel of suspected compromises.
Modified p. 166 → 162
<Report Findings Here> Describe how alerts to personnel are generated. <Report Findings Here> Identify the responsible personnel interviewed who confirm that the generated alerts are received as intended.
<Report Findings Here> Identify the responsible personnel interviewed who confirm that the generated alerts are received as intended.
Modified p. 166 → 162
Identify the vendor document(s) examined to verify defined vendor instructions for intrusion-detection and/or intrusion-prevention techniques <Report Findings Here> Describe how IDS/IPS configurations were examined and compared to vendor documentation to verify intrusion-detection, and/or intrusion-prevention techniques are:
Identify the vendor document(s) examined to verify defined vendor instructions for intrusion-detection and/or intrusion-prevention techniques.
Removed p. 167
Examples of files that should be monitored:

• System executables

• Application executables

• Configuration and parameter files

• Centrally stored, historical or archived, log and audit files

• Additional critical files determined by entity (i.e., through risk assessment or other means) Describe the change-detection mechanism deployed. <Report Findings Here> Identify the results from monitored files reviewed. <Report Findings Here> Describe how change-detection mechanism settings and results from monitored files were observed to monitor changes to:

Identify the personnel interviewed for this testing procedure.

<Report Findings Here> For the interview, summarize details of the interview that verify that all alerts are investigated and resolved.
Modified p. 167 → 163
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested 11.5.a Verify the use of a change-detection mechanism within the cardholder data environment by observing system settings and monitored files, as well as reviewing results from monitoring activities.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested 11.5.a Verify the use of a change-detection mechanism by observing system settings and monitored files, as well as reviewing results from monitoring activities.
Modified p. 167 → 163
Critical system files <Report Findings Here>  Critical configuration files <Report Findings Here>  Critical content files <Report Findings Here> 11.5.b Verify the mechanism is configured to alert personnel to unauthorized modification (including changes, additions and deletions) of critical files, and to perform critical file comparisons at least weekly.
System settings <Report Findings Here>  Monitored files <Report Findings Here> 11.5.b Verify the mechanism is configured to alert personnel to unauthorized modification (including changes, additions and deletions) of critical files, and to perform critical file comparisons at least weekly.
Modified p. 167 → 163
Describe how it was verified that the change-detection mechanism is configured to:
Describe how system settings verified that the change-detection mechanism is configured to:
Modified p. 167 → 163
<Report Findings Here> 11.6 Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties. ☐ ☐ ☐ ☐ ☐ 11.6 Examine documentation and interview personnel to verify that security policies and operational procedures for Identify the document reviewed to verify that security policies and operational procedures for security monitoring and testing are documented.
Identify the responsible personnel interviewed who confirm that all alerts are investigated and resolved <Report Findings Here> 11.6 Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties. ☐ ☐ ☐ ☐ ☐ 11.6 Examine documentation and interview personnel to verify that security Identify the document reviewed to verify that security policies and operational procedures for security monitoring and testing are documented.
Modified p. 168 → 164
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested Place security monitoring and testing are:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested Place policies and operational procedures for security monitoring and testing are:
Modified p. 168 → 164
Identify responsible personnel interviewed who confirm that the above documented security policies and operational procedures for security monitoring and testing are:
Identify the responsible personnel interviewed who confirm that the above documented security policies and operational procedures for security monitoring and testing are:
Removed p. 169
Identify the document reviewed to verify that the information security policy is reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment.

• Identifies critical assets, threats, and vulnerabilities, and

• Results in a formal, documented analysis of risk.

Describe how it was verified that an annual risk-assessment process is documented that:
Modified p. 169 → 165
<Report Findings Here> Describe how the information security policy was examined to verify that it is published and disseminated to:
<Report Findings Here> Describe how the information security policy was verified to be published and disseminated to:
Modified p. 169 → 165
<Report Findings Here> Describe how the information security policy was verified to be:
Describe how the information security policy was verified to be:
Modified p. 169 → 165
Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.),
Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.),  Identifies critical assets, threats, and vulnerabilities, and  Results in a formal, documented analysis of risk.
Modified p. 169 → 165
Identifies critical assets, threats and vulnerabilities. <Report Findings Here>
Identifies critical assets, threats, and vulnerabilities  Results in a formal, documented analysis of risk.
Removed p. 170
Identify the risk assessment result documentation reviewed to verify that:

• The risk assessment process is performed at least annually.

• The risk assessment is performed upon significant changes to the environment.

• The documented risk assessment process was followed.
Modified p. 170 → 165
Results in a formal, documented analysis of risk.
 Identifies critical assets, threats, and vulnerabilities  Results in a formal, documented analysis of risk.
Modified p. 170 → 166
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested Place

• Identifies critical assets, threats,
and vulnerabilities
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested 12.2.b Review risk-assessment documentation to verify that the risk-assessment process is performed at least annually and upon significant changes to the environment.
Modified p. 170 → 166
 Results in formal, documented analysis of risk. <Report Findings Here> 12.2.b Review risk-assessment documentation to verify that the risk-assessment process is performed at least annually and upon significant changes to the environment.
Identify the risk assessment result documentation reviewed to verify that the risk-assessment process is performed at least annually and upon significant changes to the environment.
Modified p. 171 → 167
Explicit approval from authorized parties to use the technologies.
Explicit approval from authorized parties to use the technologies.
Modified p. 171 → 167
All technology use to be authenticated with user ID and password or other authentication item.
All technology use to be authenticated with user ID and password or other authentication item.
Modified p. 171 → 167
A list of all devices and personnel authorized to use the devices.
A list of all devices and personnel authorized to use the devices.
Modified p. 171 → 167
A method to accurately and readily determine owner, contact information, and purpose.
A method to accurately and readily determine owner, contact information, and purpose.
Modified p. 171 → 167
Acceptable uses for the technology.
Acceptable uses for the technology.
Modified p. 171 → 167
Acceptable network locations for the technology.
Acceptable network locations for the technology.
Modified p. 171 → 167
A list of company-approved products.
A list of company-approved products.
Modified p. 171 → 167
Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity.
Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity.
Modified p. 171 → 167
Activation of remote-access technologies used by vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use.
Activation of remote-access technologies used by vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use.
Modified p. 171 → 167
Prohibit copying, moving, or storing of cardholder data onto local hard drives and removable electronic media when accessing such data via remote-access technologies.
Prohibit copying, moving, or storing of cardholder data onto local hard drives and removable electronic media when accessing such data via remote-access technologies.
Removed p. 172
<Report Findings Here> 12.3.2 Authentication for use of the technology. ☐ ☐ ☐ ☐ ☐
Modified p. 172 → 168
Explicit approval from authorized parties to use the technologies.
Explicit approval from authorized parties to use the technologies.
Modified p. 172 → 168
All technology use to be authenticated with user ID and password or other authentication item.
All technology use to be authenticated with user ID and password or other authentication item.
Modified p. 172 → 168
A list of all devices and personnel authorized to use the devices.
A list of all devices and personnel authorized to use the devices.
Modified p. 172 → 168
A method to accurately and readily determine owner, contact information, and purpose.
A method to accurately and readily determine owner, contact information, and purpose.
Modified p. 172 → 168
Acceptable uses for the technology.
Acceptable uses for the technology.
Modified p. 172 → 168
Acceptable network locations for the technology.
Acceptable network locations for the technology.
Modified p. 172 → 168
A list of company-approved products.
A list of company-approved products.
Modified p. 172 → 168
Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity.
Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity.
Modified p. 172 → 168
Activation of remote-access technologies used by vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use.
Activation of remote-access technologies used by vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use.
Modified p. 172 → 168
Prohibit copying, moving, or storing of cardholder data onto local hard drives and removable electronic media when accessing such data via remote-access technologies.
Prohibit copying, moving, or storing of cardholder data onto local hard drives and removable electronic media when accessing such data via remote-access technologies.
Modified p. 173 → 169
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested 12.3.2 Verify that the usage policies include processes for all technology use to be authenticated with user ID and password or other authentication item (for example, token).
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested 12.3.2 Authentication for use of the technology. ☐ ☐ ☐ ☐ ☐ 12.3.2 Verify that the usage policies include processes for all technology use to be authenticated with user ID and password or other authentication item (for example, token).
Modified p. 173 → 169
Provide the name of the assessor who attests that the usage policies were verified to include processes s for all technology used to be authenticated with user ID and password or other authentication item.
Provide the name of the assessor who attests that the usage policies were verified to include processes for all technology use to be authenticated with user ID and password or other authentication item.
Modified p. 173 → 169
<Report Findings Here> 12.3.3 A list of all such devices and personnel with access. ☐ ☐ ☐ ☐ ☐ 12.3.3 Verify that the usage policies define a list of all devices and personnel authorized to use the devices.
<Report Findings Here> 12.3.3 A list of all such devices and personnel with access. ☐ ☐ ☐ ☐ ☐ 12.3.3 Verify that the usage policies define:
Modified p. 173 → 169
Provide the name of the assessor who attests that the usage policies were verified to include processes define a list of all devices and personnel authorized to use the devices.
Provide the name of the assessor who attests that the usage policies were verified to define:
Modified p. 173 → 169
Contact Information <Report Findings Here> 12.3.5 Acceptable uses of the technology. ☐ ☐ ☐ ☐ ☐ 12.3.5 Verify that the usage policies define acceptable uses for the technology.
Contact Information <Report Findings Here> 12.3.5 Acceptable uses of the technology. ☐ ☐ ☐ ☐ ☐ 12.3.5 Verify that the usage policies define acceptable uses for the technology.
Modified p. 173 → 169
<Report Findings Here> 12.3.7 List of company-approved products. ☐ ☐ ☐ ☐ ☐ 12.3.7 Verify that the usage policies include a list of company-approved products.
<Report Findings Here> 12.3.7 List of company-approved products. ☐ ☐ ☐ ☐ ☐
Modified p. 173 → 170
<Report Findings Here> 12.3.8 Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity. ☐ ☐ ☐ ☐ ☐
<Report Findings Here> 12.3.8 Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity. ☐ ☐ ☐ ☐ ☐ 12.3.8.a Verify that the usage policies require automatic disconnect of sessions for remote-access technologies after a specific period of inactivity.
Removed p. 174
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested 12.3.8.a Verify that the usage policies require automatic disconnect of sessions for remote-access technologies after a specific period of inactivity.

Describe how configurations for remote access technologies were examined to verify that remote access sessions will be automatically disconnected after a specific period of inactivity.
Modified p. 174 → 170
<Report Findings Here> Identify any remote access technologies in use. <Report Findings Here> Identify the period of inactivity specified. <Report Findings Here> 12.3.9 Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use. ☐ ☐ ☐ ☐ ☐ 12.3.9 Verify that the usage policies require activation of remote-access technologies used by vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use.
<Report Findings Here> 12.3.9 Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use. ☐ ☐ ☐ ☐ ☐ 12.3.9 Verify that the usage policies require activation of remote-access technologies used by vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use.
Modified p. 174 → 171
<Report Findings Here> 12.3.10.b For personnel with proper authorization, verify that usage policies require the protection of cardholder data in accordance with PCI DSS Requirements.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested 12.3.10.b For personnel with proper authorization, verify that usage policies require the protection of cardholder data in accordance with PCI DSS Requirements.
Removed p. 175
<Report Findings Here> Provide the name of the assessor who attests that the interviews of responsible personnel conducted verified that they understand the security policies.

• Responsibility for establishing, documenting and distributing security policies and procedures.

• Monitoring and analyzing security alerts and distributing information to appropriate information security and business unit management personnel.

• Establishing, documenting, and distributing security incident response and escalation procedures.

• Administering user account and authentication management.

• Monitoring and controlling all access to data.
Modified p. 175 → 171
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested 12.4 Ensure that the security policy and procedures clearly define information security responsibilities for all personnel. ☐ ☐ ☐ ☐ ☐ 12.4.a Verify that information security policy and procedures clearly define information security responsibilities for all personnel.
<Report Findings Here> 12.4 Ensure that the security policy and procedures clearly define information security responsibilities for all personnel. ☐ ☐ ☐ ☐ ☐ 12.4.a Verify that information security policy and procedures clearly define information security responsibilities for all personnel.
Modified p. 175 → 171
<Report Findings Here> 12.5 Assign to an individual or team the following information security management responsibilities: ☐ ☐ ☐ ☐ ☐ 12.5 Examine information security policies and procedures to verify:
<Report Findings Here> 12.5 Assign to an individual or team the following information security management responsibilities: ☐ ☐ ☐ ☐ ☐
Modified p. 175 → 172
The formal assignment of information security to a Chief Security Officer or other security-knowledgeable member of management.
The formal assignment of information security to a Chief Security Officer or other security-knowledgeable member of management.
Modified p. 175 → 172
The following information security responsibilities are specifically and formally assigned:
The following information security responsibilities are specifically and formally assigned:
Modified p. 175 → 172
Identify the information security policies reviewed to verify the specific and formal assignment of the following (including 12.5.1-12.5.5):
Identify the information security policies and procedures reviewed to verify:
Modified p. 175 → 172
• Information security to a Chief Security Officer or other security-knowledgeable member of management.
 The formal assignment of information security to a Chief Security Officer or other security-knowledgeable member of management.
Modified p. 175 → 172
<Report Findings Here> 12.5.1 Establish, document, and distribute security policies and procedures. ☐ ☐ ☐ ☐ ☐
<Report Findings Here> 12.5.1 Establish, document, and distribute security policies and procedures. ☐ ☐ ☐ ☐ ☐ 12.5.1 Verify that responsibility for establishing, documenting and distributing security policies and procedures is formally assigned.
Modified p. 176 → 172
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested 12.5.1 Verify that responsibility for establishing, documenting and distributing security policies and procedures is formally assigned.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested 12.5 Examine information security policies and procedures to verify:
Modified p. 176 → 172
Establishing security policies and procedures.
Establishing security policies and procedures.
Modified p. 176 → 172
Documenting security policies and procedures.
Documenting security policies and procedures.
Modified p. 176 → 172
Distributing security policies and procedures.
Distributing security policies and procedures.
Modified p. 176 → 172
Monitoring and analyzing security alerts.
Monitoring and analyzing security alerts.
Modified p. 176 → 172
Distributing information to appropriate information security and business unit management personnel.
Distributing information to appropriate information security and business unit management personnel.
Modified p. 176 → 172
<Report Findings Here> 12.5.3 Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations. ☐ ☐ ☐ ☐ ☐ 12.5.3 Verify that responsibility for establishing, documenting, and distributing security incident response and escalation procedures is formally assigned.
<Report Findings Here> 12.5.3 Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations. ☐ ☐ ☐ ☐ ☐
Modified p. 176 → 173
Establishing security incident response and escalation procedures.
Establishing security incident response and escalation procedures.
Modified p. 176 → 173
Documenting security incident response and escalation procedures.
Documenting security incident response and escalation procedures.
Modified p. 176 → 173
Distributing security incident response and escalation procedures.
Distributing security incident response and escalation procedures.
Modified p. 176 → 173
<Report Findings Here> 12.5.5 Monitor and control all access to data. ☐ ☐ ☐ ☐ ☐
<Report Findings Here> 12.5.5 Monitor and control all access to data. ☐ ☐ ☐ ☐ ☐ 12.5.5 Verify that responsibility for monitoring and controlling all access to data is formally assigned.
Removed p. 177
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested 12.5.5 Verify that responsibility for monitoring and controlling all access to data is formally assigned.

• Monitoring all access to data

• Personnel attend security awareness training:
Modified p. 177 → 173
Controlling all access to data <Report Findings Here> 12.6 Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security. ☐ ☐ ☐ ☐ ☐ 12.6.a Review the security awareness program to verify it provides awareness to all personnel about the importance of cardholder data security.
 Monitoring all access to data  Controlling all access to data <Report Findings Here> 12.6 Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures. ☐ ☐ ☐ ☐ ☐ 12.6.a Review the security awareness program to verify it provides awareness to all personnel about the cardholder data security policy and procedures.
Modified p. 177 → 173
Identify the documented security awareness program reviewed to verify it provides awareness to all personnel about the importance of cardholder data security.
Provide the name of the assessor who attests that the security awareness program was verified to provide awareness to all personnel about the cardholder data security policy and procedures.
Modified p. 177 → 174
<Report Findings Here> 12.6.b Examine security awareness program procedures and documentation and perform the following:
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested 12.6.b Examine security awareness program procedures and documentation and perform the following:
Modified p. 177 → 174
The security awareness program provides multiple methods of communicating awareness and educating personnel.
The security awareness program provides multiple methods of communicating awareness and educating personnel.
Modified p. 177 → 174
Personnel acknowledge, in writing or electronically and at least annually, that they have read and understand the information security policy.
 Personnel attend security awareness training: - Upon hire, and - At least annually  Personnel acknowledge, in writing or electronically and at least annually, that they have read and understand the information security policy.
Modified p. 177 → 174
<Report Findings Here> 12.6.1.b Verify that personnel attend Describe how it was observed that all personnel attend security awareness training:
<Report Findings Here> 12.6.1.b Verify that personnel attend security awareness training upon hire and at least annually.
Removed p. 178
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested Place security awareness training upon hire and at least annually.
Modified p. 178 → 174
Identify the sample of personnel interviewed who confirm they have completed security awareness training.
Identify the sample of personnel interviewed for this testing procedure..
Modified p. 178 → 174
<Report Findings Here> For the interview, summarize details of the interview that verify their awareness of the importance of cardholder data security.
<Report Findings Here> For the interview, summarize the relevant details discussed that verify they have completed awareness training and are aware of the importance of cardholder data security.
Modified p. 178 → 174
<Report Findings Here> 12.6.2 Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures. ☐ ☐ ☐ ☐ ☐ 12.6.2 Verify that the security awareness program requires personnel to acknowledge, in writing or electronically, at least annually that they have read and understand the information security policy.
<Report Findings Here> 12.6.2 Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures. ☐ ☐ ☐ ☐ ☐
Modified p. 178 → 175
Describe how it was verified that, per the security awareness program, all personnel:
Describe how it was observed that, per the security awareness program, all personnel:
Removed p. 179
Identify the documented policy reviewed to verify requirement for background checks to be conducted:

• On potential personnel who will have access to cardholder data or the cardholder data environment.

• On potential personnel who will have access to cardholder data or the cardholder data environment.

• Prior to hiring the personnel.

• Prior to hiring the personnel.

<Report Findings Here> Identify the Human Resources personnel interviewed who confirm background checks are conducted:

 On potential personnel who will have access to cardholder data or the cardholder data environment.
Modified p. 179 → 175
<Report Findings Here> Describe how it was verified that background checks are conducted (within the constraints of local laws):
<Report Findings Here> Describe how it was observed that background checks are conducted (within the constraints of local laws) prior to hire on potential personnel who will have access to cardholder data or the cardholder data environment.
Modified p. 179 → 175
<Report Findings Here>  Prior to hiring the personnel. <Report Findings Here> 12.8 Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows: ☐ ☐ ☐ ☐ ☐
<Report Findings Here> 12.8 Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows: ☐ ☐ ☐ ☐ ☐ 12.8 Through observation, review of policies and procedures, and review of supporting documentation, verify that processes are implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data as follows:
Removed p. 180
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested 12.8 Through observation, review of policies and procedures, and review of supporting documentation, verify that processes are implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data (for example, backup tape storage facilities, managed service providers such as web-hosting companies or security service providers, those that receive data for fraud modeling purposes, etc.), as follows:

• Maintain a list of service providers.

• Maintain a written agreement that includes an acknowledgement that the service providers will maintain all applicable PCI DSS requirements to the extent the service provider handles, has access to, or otherwise stores, processes, or transmits the customer’s cardholder data or sensitive authentication data, or manages the customer's cardholder data environment on behalf of a customer.

• Ensure …
Modified p. 180 → 175
Identify the documented policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, reviewed to verify policy defines the following from 12.8.1•12.8.5:
Identify the documented policies and procedures reviewed to verify that processes are implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, per 12.8.1•12.8.5:
Modified p. 180 → 175
<Report Findings Here> 12.8.1 Maintain a list of service providers. ☐ ☐ ☐ ☐ ☐ 12.8.1 Verify that a list of service providers is maintained.
<Report Findings Here> 12.8.1 Maintain a list of service providers including a description of the service provided. ☐ ☐ ☐ ☐ ☐
Modified p. 180 → 176
Describe how the documented list of service providers was observed to be maintained (kept up-to-date).
Describe how the documented list of service providers was observed to be maintained (kept up-to-date) and includes a list of the services provided.
Modified p. 181 → 176
Describe how written agreements for each service provider were observed to confirm they include an acknowledgement by service providers that they will maintain all applicable PCI DSS requirements to the extent the service provider handles, has access to, or otherwise stores, processes, or transmits the customer’s cardholder data or sensitive authentication data, or manages the customer's cardholder data environment on behalf of a customer.
Describe how written agreements for each service provider were observed to include an acknowledgement by service providers that they will maintain all applicable PCI DSS requirements to the extent the service provider handles, has access to, or otherwise stores, processes, or transmits the customer’s cardholder data or sensitive authentication data, or manages the customer's cardholder data environment on behalf of a customer.
Modified p. 181 → 176
Describe how it was verified that the procedures for proper due diligence prior to engaging a service provider are implemented, as documented in the policies and procedures at 12.8.
Identify the policies and procedures reviewed to verify that processes included proper due diligence prior to engaging any service provider.
Modified p. 181 → 176
Describe how it was verified that the entity maintains a program to monitor its service providers’ PCI DSS compliance status at least annually.
Describe how it was observed that the entity maintains a program to monitor its service providers’ PCI DSS compliance status at least annually.
Removed p. 182
Note: This requirement is a best practice until June 30, 2015, after which it becomes a requirement.

Indicate whether the assessed entity is a service provider. (yes/no) If “no,” mark the remainder of 12.9 as “Not Applicable.” <Report Findings Here> Indicate whether this ROC is being completed prior to June 30, 2015. (yes/no) <Report Findings Here> If “yes” AND the assessed entity does not have this in place ahead of the requirement’s effective date, mark the remainder of 12.9 as “Not Applicable.” If “no” OR if the assessed entity has this in place ahead of the requirement’s effective date:
Modified p. 182 → 177
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested 12.9 Additional requirement for service providers only: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.
<Report Findings Here> 12.9 Additional requirement for service providers only: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.
Modified p. 182 → 178
Identify the service provider’s policies and procedures reviewed to verify that the service provider acknowledges in writing to customers that the service provider will maintain all applicable PCI DSS requirements to the extent the service provider possesses or otherwise stores, processes, or transmits cardholder data on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.
Describe how the templates used for written agreement verified that the service provider acknowledges in writing to customers that the service provider will maintain all applicable PCI DSS requirements to the extent the service provider possesses or otherwise stores, processes, or transmits cardholder data on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.
Removed p. 183
• Provide appropriate training to staff with security breach response responsibilities.
Modified p. 183 → 178
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested Describe how templates used for written agreement were observed to verify that the service provider acknowledges in writing to customers that the service provider will maintain all applicable PCI DSS requirements to the extent the service provider possesses or otherwise stores, processes, or transmits cardholder data on behalf of the customer, or to the extent that they …
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested Place of the customer’s cardholder data environment.
Modified p. 183 → 178
Create the incident response plan to be implemented in the event of system breach.
Create the incident response plan to be implemented in the event of system breach.
Modified p. 183 → 178
Test the plan at least annually.
Test the plan at least annually.
Modified p. 183 → 178
Designate specific personnel to be available on a 24/7 basis to respond to alerts: - 24/7 incident monitoring - 24/7 incident response
Designate specific personnel to be available on a 24/7 basis to respond to alerts: - 24/7 incident monitoring - 24/7 incident response  Provide appropriate training to staff with security breach response responsibilities.
Modified p. 183 → 178
Include alerts from security monitoring systems, including but not limited to intrusion-detection, intrusion-prevention, firewalls, and file-integrity monitoring systems.
Include alerts from security monitoring systems, including but not limited to intrusion-detection, intrusion-prevention, firewalls, and file-integrity monitoring systems.
Modified p. 183 → 178
Develop a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments.
Develop a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments.
Removed p. 184
• Roles, responsibilities, and communication strategies in the event of a compromise including notification of the payment brands, at a minimum.

• Specific incident response procedures.

• Business recovery and continuity procedures

• Data back-up processes

• Coverage and responses for all critical system components.

• Reference or inclusion of incident response procedures from the payment brands.
Modified p. 184 → 179
Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum. Specific incident response procedures. Business recovery and continuity procedures. Data back-up processes. Analysis of legal requirements for reporting compromises. Coverage and responses of all critical system components. Reference or inclusion of incident response procedures from the payment brands.
Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum. Specific incident response procedures. Business recovery and continuity procedures. Data back-up processes. Analysis of legal requirements for reporting compromises. Coverage and responses of all critical system components. Reference or inclusion of incident response procedures from the payment brands.
Modified p. 184 → 179
Analysis of legal requirements for reporting compromises (for example, California Bill 1386, which requires notification of affected consumers in the event of an actual or suspected compromise for any business with California residents in their database).
 Roles, responsibilities, and communication strategies in the event of a compromise including notification of the payment brands, at a minimum.  Specific incident response procedures.  Business recovery and continuity procedures  Data back-up processes  Analysis of legal requirements for reporting compromises (for example, California Bill 1386, which requires notification of affected consumers in the event of an actual or suspected compromise for any business with California residents in their database).  Coverage and responses for all critical …
Modified p. 184 → 179
Roles and responsibilities.
Roles and responsibilities.
Modified p. 184 → 179
Communication strategies.
Communication strategies.
Modified p. 184 → 179
Requirement for notification of the payment brands.
Requirement for notification of the payment brands.
Modified p. 184 → 179
Specific incident response procedures.
Specific incident response procedures.
Modified p. 184 → 179
Business recovery and continuity procedures.
Business recovery and continuity procedures.
Modified p. 184 → 179
Data back-up processes.
Data back-up processes.
Modified p. 184 → 179
Analysis of legal requirements for reporting compromises.
Analysis of legal requirements for reporting compromises.
Modified p. 184 → 179
Coverage for all critical system components.
Coverage for all critical system components.
Modified p. 184 → 179
Responses for all critical system components.
Responses for all critical system components.
Modified p. 184 → 179
Reference or inclusion of incident response procedures from the payment brands.
Reference or inclusion of incident response procedures from the payment brands.
Removed p. 185
Describe how it was observed that the incident response plan is tested at least annually.
Modified p. 185 → 180
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested 12.10.1.b Interview personnel and review documentation from a sample of previously reported incidents or alerts to verify that the documented incident response plan and procedures were followed.
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested Place verify that the documented incident response plan and procedures were followed.
Modified p. 185 → 180
<Report Findings Here> Identify the sample of previously reported incidents or alerts reviewed for this testing procedure.
Identify the sample of previously reported incidents or alerts selected for this testing procedure.
Modified p. 185 → 180
<Report Findings Here> For each item in the sample, describe how documentation was reviewed to confirm that the documented incident response plan and procedures are followed.
<Report Findings Here> For each item in the sample, describe how the documented incident response plan and procedures were observed to be followed.
Modified p. 185 → 180
<Report Findings Here> 12.10.2 Test the plan at least annually. ☐ ☐ ☐ ☐ ☐ 12.10.2 Verify that the plan is tested at least annually.
<Report Findings Here> 12.10.2 Review and test the plan at least annually, including all elements listed in Requirement 12.10.1. ☐ ☐ ☐ ☐ ☐ 12.10.2 Interview personnel and review documentation from testing to verify that the plan is tested at least annually and that testing includes all elements listed in Requirement 12.10.1.
Modified p. 185 → 180
<Report Findings Here> 12.10.3 Designate specific personnel to be available on a 24/7 basis to respond to alerts. ☐ ☐ ☐ ☐ ☐ 12.10.3 Verify through observation, review of policies, and interviews of responsible personnel that designated personnel are available for 24/7 incident response and monitoring coverage for any evidence of unauthorized activity, detection of unauthorized wireless access points, critical IDS alerts, and/or reports of unauthorized critical system or content file changes.
<Report Findings Here> 12.10.3 Designate specific personnel to be available on a 24/7 basis to respond to alerts. ☐ ☐ ☐ ☐ ☐ 12.10.3 Verify through observation, review of policies, and interviews of responsible personnel that designated personnel are available for 24/7 incident response and monitoring coverage for any evidence of unauthorized activity, detection of unauthorized wireless access points, critical IDS alerts, and/or Identify the document requiring 24/7 incident response and monitoring coverage for:
Modified p. 185 → 180
Any evidence of unauthorized activity.
Any evidence of unauthorized activity.
Modified p. 185 → 180
Detection of unauthorized wireless access points.
Detection of unauthorized wireless access points.
Modified p. 185 → 180
Critical IDS alerts.
Critical IDS alerts.
Modified p. 185 → 180
Reports of unauthorized critical system or content file changes.
Reports of unauthorized critical system or content file changes.
Modified p. 185 → 180
<Report Findings Here> Identify the sample of responsible personnel interviewed who confirm 24/7 incident response and monitoring coverage for:
Identify the responsible personnel interviewed who confirm that the incident response plan is tested at least annually and that testing includes all elements listed in Requirement 12.10.1.
Modified p. 185 → 181
Identify the sample of personnel interviewed who confirm that the documented incident response plan and procedures are followed.
Identify the responsible personnel interviewed who confirm 24/7 incident response and monitoring coverage for:
Modified p. 185 → 181
Any evidence of unauthorized activity.
Any evidence of unauthorized activity.
Modified p. 185 → 181
Detection of unauthorized wireless access points.
Detection of unauthorized wireless access points.
Modified p. 185 → 181
Critical IDS alerts.
Critical IDS alerts.
Modified p. 185 → 181
Reports of unauthorized critical system or content file changes.
Reports of unauthorized critical system or content file changes.
Modified p. 186 → 181
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested  Any evidence of unauthorized activity. <Report Findings Here>  Detection of unauthorized wireless access points. <Report Findings Here>  Critical IDS alerts. <Report Findings Here>  Reports of unauthorized critical system or content file changes.
Any evidence of unauthorized activity. Detection of unauthorized wireless access points. Critical IDS alerts. Reports of unauthorized critical system or content file changes.
Modified p. 186 → 181
Identify the sample of responsible personnel interviewed who confirm that staff with responsibilities for security breach response are periodically trained.
Identify the responsible personnel interviewed who confirm that staff with responsibilities for security breach response are periodically trained.
Modified p. 186 → 181
<Report Findings Here> Identify the documented policy reviewed that defines that staff with responsibilities for security breach response are periodically trained.
<Report Findings Here> Identify the documented policy reviewed to verify that staff with responsibilities for security breach response are periodically trained.
Modified p. 186 → 181
<Report Findings Here> 12.10.5 Include alerts from security monitoring systems, including but not limited to intrusion-detection, intrusion-prevention, firewalls, and file-integrity monitoring systems. ☐ ☐ ☐ ☐ ☐ 12.10.5 Verify through observation and review of processes that monitoring and responding to alerts from security monitoring systems are covered in the Incident Response Plan.
<Report Findings Here> 12.10.5 Include alerts from security monitoring systems, including but not limited to intrusion-detection, intrusion-prevention, firewalls, and file-integrity monitoring systems. ☐ ☐ ☐ ☐ ☐
Modified p. 186 → 182
<Report Findings Here> 12.10.6 Develop a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments. ☐ ☐ ☐ ☐ ☐ 12.10.6 Verify through observation, review of policies, and interviews of responsible personnel that there is a process to modify and evolve the incident response plan according to Identify the documented policy reviewed to verify that processes are defined to modify and evolve the incident response plan:
<Report Findings Here> 12.10.6 Develop a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments. ☐ ☐ ☐ ☐ ☐ 12.10.6 Verify through observation, review of policies, and interviews of responsible personnel that there is a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments.
Modified p. 186 → 182
According to lessons learned.
According to lessons learned.
Modified p. 186 → 182
To incorporate industry developments.
To incorporate industry developments.
Removed p. 187
PCI DSS Requirements and Testing Procedures Reporting Instruction Reporting Details: Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested Place lessons learned and to incorporate industry developments.
Modified p. 187 → 182
According to lessons learned.
According to lessons learned.
Modified p. 187 → 182
To incorporate industry developments.
To incorporate industry developments.
Modified p. 187 → 182
Identify the sample of responsible personnel interviewed who confirm that processes are implemented to modify and evolve the incident response plan:
<Report Findings Here> Identify the responsible personnel interviewed who confirm that processes are implemented to modify and evolve the incident response plan:
Modified p. 188 → 186
<Report Findings Here> A.1 Protect each entity’s (that is, merchant, service provider, or other entity) hosted environment and data, per A.1.1 through A.1.4:
<Report Findings Here> A1 Protect each entity’s (that is, merchant, service provider, or other entity) hosted environment and data, per A1.1 through A1.4:
Modified p. 188 → 186
A.1 Specifically for a PCI DSS assessment of a shared hosting provider, to verify that shared hosting providers protect entities’ (merchants and service providers) hosted environment and data, select a sample of servers (Microsoft Windows and Unix/Linux) across a representative sample of hosted merchants and service providers, and perform A.1.1 through A.1.4 below:
A1 Specifically for a PCI DSS assessment of a shared hosting provider, to verify that shared hosting providers protect entities’ (merchants and service providers) hosted environment and data, select a sample of servers (Microsoft Windows and Unix/Linux) across a representative sample of hosted merchants and service providers, and perform A1.1 through A1.4 below:
Modified p. 188 → 186
A.1.1 Ensure that each entity only runs processes that have access to that entity’s cardholder data environment. ☐ ☐ ☐ ☐ ☐ A.1.1 If a shared hosting provider allows entities (for example, merchants or service providers) to run their own applications, verify these application processes run using the unique ID of the entity. For example:
A1.1 Ensure that each entity only runs processes that have access to that entity’s cardholder data environment. ☐ ☐ ☐ ☐ ☐ A1.1 If a shared hosting provider allows entities (for example, merchants or service providers) to run their own applications, verify these application processes run using the unique ID of the entity. For example:
Modified p. 188 → 186
No entity on the system can use a shared web server user ID.
No entity on the system can use a shared web server user ID.
Modified p. 188 → 186
• All CGI scripts used by an entity must Indicate whether the hosting provider allows hosted entities to run their own applications. (yes/no) <Report Findings Here> Identify the document reviewed to verify processes are defined to require that entities must not run their own applications.
Indicate whether the hosting provider allows hosted entities to run their own applications. (yes/no) <Report Findings Here> Describe how it was observed that hosted entities are not able to run their own applications.
Removed p. 189
Identify the document requiring that application processes use a unique ID for each entity.

 Entities on the system cannot use a shared web server user ID.

<Report Findings Here>  All CGI scripts used by an entity are created and run as the entity’s unique user ID.
Modified p. 189 → 187
Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested be created and run as the entity’s unique user ID.
Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested  All CGI scripts used by an entity must be created and run as the entity’s unique user ID.
Modified p. 189 → 187
<Report Findings Here> Identify the sample of servers observed. <Report Findings Here> Identify the sample of hosted merchants and service providers (hosted entities) observed.
Identify the sample of hosted merchants and service providers (hosted entities) selected for this testing procedure.
Modified p. 189 → 187
<Report Findings Here> For each item in the sample, describe how the observed system configurations require that all hosted entities’ application processes are run using the unique ID of that entity.
<Report Findings Here> For each item in the sample, describe how the system configurations verified that all hosted entities’ application processes are run using the unique ID of that entity.
Modified p. 189 → 187
<Report Findings Here> Describe how the hosted entities’ application processes were observed to be running using unique IDs for each entity, including:
<Report Findings Here> Describe how the hosted entities’ application processes were observed to be running using the unique ID of the entity.
Modified p. 189 → 187
<Report Findings Here> A.1.2 Restrict each entity’s access and privileges to its own cardholder data environment only. ☐ ☐ ☐ ☐ ☐ A.1.2.a Verify the user ID of any application process is not a privileged user (root/admin).
<Report Findings Here> A1.2 Restrict each entity’s access and privileges to its own cardholder data environment only. ☐ ☐ ☐ ☐ ☐ A1.2.a Verify the user ID of any application process is not a privileged user (root/admin).
Modified p. 189 → 187
Identify the document examined to verify processes require that user IDs for hosted entities’ application processes are not privileged users.
Describe how the system configurations verified that user IDs for hosted entities’ application processes are not privileged users.
Removed p. 190
Describe the observed system configurations examined to verify that user IDs for hosted entities’ application processes are not privileged users.

<Report Findings Here> Describe how running application processes IDs were observed to verify that the running application processes IDs are not privileged users.

<Report Findings Here> A.1.2.b Verify each entity (merchant, service provider) has read, write, or execute permissions only for files and directories it owns or for necessary system files (restricted via file system permissions, access control lists, chroot, jailshell, etc.) Important: An entity’s files may not be shared by group.

Identify the document examined to verify permissions for hosted entities are defined as follows:

• Access permissions are only assigned for the files and directories the hosted entity owns, or for necessary systems files.

• Assigned permissions for hosted entities must be restricted.

• An entity’s files must not be shared by group.
Modified p. 190 → 188
Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested Using the sample of servers and hosted merchants and service providers from A.1.1, for each item perform the following:
Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested  Read permissions are only assigned for the files and directories the hosted entity owns, or for necessary systems files.
Modified p. 190 → 188
• Read permissions are only assigned for the files and directories the hosted entity owns, or for necessary systems files.
<Report Findings Here>  Write permissions are only assigned for the files and directories the hosted entity owns, or for necessary systems files.
Modified p. 190 → 188
• Write permissions are only assigned for the files and directories the hosted entity owns, or for necessary systems files.
<Report Findings Here>  Access permissions are only assigned for the files and directories the hosted entity owns, or for necessary systems files.
Removed p. 191
• Access permissions are only assigned for the files and directories the hosted entity owns, or for necessary systems files.

• Assigned permissions for hosted entities must be restricted.

• Read permissions are only assigned for the files and directories the hosted entity owns, or for necessary systems files.

• Write permissions are only assigned for the files and directories the hosted entity owns, or for necessary systems files.

• An entity’s files must not be shared by group. <Report Findings Here> For each item in the sample, perform the following:

Describe permission observed to verify permissions are restricted.

<Report Findings Here> Describe how the entity’s files were observed to verify they are not shared by group.

<Report Findings Here> A.1.2.c Verify that an entity’s users do not have write access to shared system binaries.

<Report Findings Here> Using the sample of servers and hosted merchants and service providers from A.1.1, for each item in the summary describe …
Modified p. 191 → 189
Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested Using the sample of servers and hosted merchants and service providers from A.1.1, for each item describe the system configuration setting observed to verify permissions are assigned as follows:
Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested A1.3 Verify the shared hosting provider has enabled logging as follows, for each merchant and service provider environment:
Modified p. 191 → 189
<Report Findings Here>
<Report Findings Here>  Logs are active by default.
Modified p. 191 → 189
Identify the document examined to verify processes require that a hosted entity’s users do not have write access to shared system binaries.
Identify the document examined to verify that written policies provide for a timely forensics investigation of related servers in the event of a compromise.
Modified p. 191 → 189
<Report Findings Here> A.1.2.d Verify that viewing of log entries is restricted to the owning entity.
<Report Findings Here>  Log locations are clearly communicated to the owning entity.
Removed p. 192
Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested Using the sample of servers and hosted merchants and service providers from A.1.1, for each item in the summary describe the observed system configurations observed to verify that viewing of log entries is restricted to the owning entity.

<Report Findings Here> A.1.2.e To ensure each entity cannot monopolize server resources to exploit vulnerabilities (for example, error, race, and restart conditions resulting in, for example, buffer overflows), verify restrictions are in place for the use of these system resources:

• Bandwidth Identify the document examined to verify processes require restrictions for the use of the following to ensure each entity cannot monopolize server resources to exploit vulnerabilities:

• Bandwidth <Report Findings Here> Using the sample of servers and hosted merchants and service providers from A.1.1, perform the following:

Describe the system configuration setting observed to verify restrictions are implemented for the use …
Removed p. 193
• Logs are enabled for common third-party applications.

• Logs are active by default.

• Logs are active by default.

• Logs are available for review by the owning entity.

• Logs are available for review by the owning entity.

• Log locations are clearly communicated to the owning entity.

• Log locations are clearly communicated to the owning entity.

Identify the document examined to verify processes require that logging is enabled for each hosting environment, with the following required for each hosted entity environment:

• Logs are enabled for common third-party applications.

<Report Findings Here> Using the sample of servers and hosted merchants and service providers from A.1.1, describe how processes were observed to verify the following:

• Logging is enabled for each hosted entity. <Report Findings Here> • Logs are enabled for common third-party applications.

<Report Findings Here> • Logs are active by default. <Report Findings Here> • Logs are available for review by the owning entity. <Report …
Modified p. 193 → 192
Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested A.1.3 Ensure logging and audit trails are enabled and unique to each entity’s cardholder data environment and consistent with PCI DSS Requirement 10. ☐ ☐ ☐ ☐ ☐ A.1.3 Verify the shared hosting provider has enabled logging as follows, for each merchant and service provider environment:
Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested A2.2 Review the documented Risk Mitigation and Migration Plan to verify it includes:
Removed p. 194
<Report Findings Here> Describe how processes were observed to verify that processes are implemented to provide for timely forensics investigation in the event of a compromise to any hosted entity.
Modified p. 194 → 193
Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested servers in the event of a compromise. Identify the responsible personnel interviewed who confirm that processes are implemented in accordance with the documented policies.
Assessor’s Response Summary of Assessment Findings (check one) In Place w/ Not Tested service provider offers a secure protocol option for their service.
Modified p. 195
a) Existing PCI DSS requirements CANNOT be considered as compensating controls if they are already required for the item under review. For example, passwords for non-console administrative access must be sent encrypted to mitigate the risk of intercepting clear-text administrative passwords. An entity cannot use other PCI DSS password requirements (intruder lockout, complex passwords, etc.) to compensate for lack of encrypted passwords, since those other password requirements do not mitigate the risk of interception of clear-text passwords. Also, the other …
a) Existing PCI DSS requirements CANNOT be considered as compensating controls if they are already required for the item under review. For example, passwords for non-console administrative access must be sent encrypted to mitigate the risk of intercepting clear-text administrative passwords. An entity cannot use other PCI DSS password requirements (intruder lockout, complex passwords, etc.) to compensate for lack of encrypted passwords, since those other password requirements do not mitigate the risk of interception of clear-text passwords. Also, the other …