Document Comparison
PCI-DSS-v4-0-AOC-for-SAQ-D-Service-Provider.pdf
→
PCI-DSS-v4-0-AOC-SAQ-D-Service-Provider-r2.pdf
96% similar
Pages: 12 → 12
Words: 2351 → 2442
Content Changes: 12
12 content changes. 12 administrative changes (dates, page numbers) hidden.
Added
p. 8
For all requirements identified as either “Not Applicable” or “Not Tested,” complete the “Justification for Approach” table below.
Note: One table to be completed for each service covered by this AOC. Additional copies of this section are available on the PCI SSC website.
Name of Service Assessed:
Justification for Approach For any Not Applicable responses, identify which sub-requirements were not applicable and the reason.
For any Not Tested responses, identify which sub-requirements were not tested and the reason.
Note: One table to be completed for each service covered by this AOC. Additional copies of this section are available on the PCI SSC website.
Name of Service Assessed:
Justification for Approach For any Not Applicable responses, identify which sub-requirements were not applicable and the reason.
For any Not Tested responses, identify which sub-requirements were not tested and the reason.
Modified
p. 2
Capitalized terms used but not otherwise defined in this document have the meanings set forth in the PCI DSS Self- Assessment Questionnaire.
Capitalized terms used but not otherwise defined in this document have the meanings set forth in the PCI DSS Self-Assessment Questionnaire.
Removed
p. 3
Managed Services (specify):
Removed
p. 4
Managed Services (specify):
Modified
p. 5
Indicate whether the environment includes segmentation to reduce the scope of the assessment. (Refer to “Segmentation” section of PCI DSS for guidance on segmentation.) Part 2d. In-Scope Locations/Facilities List all types of physical locations/facilitiesfor example, corporate offices, data centers, call centers, and mail roomsin scope for the PCI DSS assessment.
Indicate whether the environment includes segmentation to reduce the scope of the assessment. (Refer to “Segmentation” section of PCI DSS for guidance on segmentation.) Part 2d. In-Scope Locations/Facilities List all types of physical locations/facilities⎯for example, corporate offices, data centers, call centers, and mail rooms⎯in scope for the PCI DSS assessment.
Modified
p. 6
PCI SSC listing reference number Expiry date of listing (YYYY-MM-DD) ♦ For purposes of this document, ”Lists of Validated Products and Solutions” means the lists of validated products, solutions, and/or components appearing on the PCI SSC website (www.pcisecuritystandards.org)for example, 3DS Software Development Kits, Approved PTS Devices, Validated Payment Software, Payment Applications (PA-DSS), Point to Point Encryption (P2PE) solutions, Software-Based PIN Entry on COTS (SPoC) solutions, and Contactless Payments on COTS (CPoC) solutions.
PCI SSC listing reference number Expiry date of listing (YYYY-MM-DD) For purposes of this document, ”Lists of Validated Products and Solutions” means the lists of validated products, solutions, and/or components appearing on the PCI SSC website (www.pcisecuritystandards.org)⎯for example, 3DS Software Development Kits, Approved PTS Devices, Validated Payment Software, Payment Applications (PA- DSS), Point to Point Encryption (P2PE) solutions, Software-Based PIN Entry on COTS (SPoC) solutions, and Contactless Payments on COTS (CPoC) solutions.
Modified
p. 7
• Manage system components included in the scope of the entity’s PCI DSS assessmentfor example, via network security control services, anti-malware services, security incident and event management (SIEM), contact and call centers, web-hosting services, and IaaS, PaaS, SaaS, and FaaS cloud providers.
• Manage system components included in the scope of the entity’s PCI DSS assessment⎯for example, via network security control services, anti-malware services, security incident and event management (SIEM), contact and call centers, web-hosting services, and IaaS, PaaS, SaaS, and FaaS cloud providers.
Modified
p. 7
• Could impact the security of the entity’s CDEfor example, vendors providing support via remote access, and/or bespoke software developers.
• Could impact the security of the entity’s CDE⎯for example, vendors providing support via remote access, and/or bespoke software developers.
Modified
p. 8
In Place In Place with In Place with Remediation Not Applicable Not Tested Not in Place
In Place In Place with CCW Not Applicable Not Tested Not in Place
Modified
p. 10
Compliant: All sections of the PCI DSS SAQ are complete, and all assessed requirements are marked as being either 1) In Place, 2) In Place with Remediation, or 3) Not Applicable, resulting in an overall COMPLIANT rating; thereby (Service Provider Company Name) has demonstrated compliance with all PCI DSS requirements included in this SAQ except those noted as Not Tested above.
Compliant: All sections of the PCI DSS SAQ are complete, and all assessed requirements are marked as being either 1) In Place, 2) In Place with CCW, or 3) Not Applicable, resulting in an overall COMPLIANT rating; thereby (Service Provider Company Name) has demonstrated compliance with all PCI DSS requirements included in this SAQ except those noted as Not Tested above.
Modified
p. 10
Compliant but with Legal exception: One or more assessed requirements in the PCI DSS SAQ are marked as Not in Place due to a legal restriction that prevents the requirement from being met and all other assessed requirements are marked as being either 1) In Place, 2) In Place with Remediation, or 3) Not Applicable, resulting in an overall COMPLIANT BUT WITH LEGAL EXCEPTION rating; thereby (Service Provider Company Name) has demonstrated compliance with all PCI DSS requirements included in …
Compliant but with Legal exception: One or more assessed requirements in the PCI DSS SAQ are marked as Not in Place due to a legal restriction that prevents the requirement from being met and all other assessed requirements are marked as being either 1) In Place, 2) In Place with CCW, or 3) Not Applicable, resulting in an overall COMPLIANT BUT WITH LEGAL EXCEPTION rating; thereby (Service Provider Company Name) has demonstrated compliance with all PCI DSS requirements included in …
Modified
p. 12
PCI DSS Requirement Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO 1 Install and maintain network security controls 2 Apply secure configurations to all system components 3 Protect stored account data Protect cardholder data with strong cryptography during transmission over open, public networks 5 Protect all systems and networks from malicious software 6 Develop and maintain secure systems and software Restrict access to system components and …
PCI DSS Requirement Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO 1 Install and maintain network security controls 2 Apply secure configurations to all system components 3 Protect stored account data 4 Protect cardholder data with strong cryptography during transmission over open, public networks 5 Protect all systems and networks from malicious software 6 Develop and maintain secure systems and software 7 Restrict access to system …