Document Comparison
AOC-SAQ-B-v3-2-1-r1.pdf
→
PCI-DSS-v4-0-AOC-for-SAQ-B-r1.pdf
45% similar
Pages: 9 → 10
Words: 1747 → 1978
Content Changes: 29
29 content changes. 12 administrative changes (dates, page numbers) hidden.
Added
p. 2
This AOC reflects the results documented in an associated Self-Assessment Questionnaire (SAQ).
Capitalized terms used but not otherwise defined in this document have the meanings set forth in the PCI DSS Self-Assessment Questionnaire.
Part 1. Contact Information Part 1a. Assessed Merchant Company name:
Company mailing address:
Company main website:
Company contact name:
Company contact title:
Contact phone number:
Contact e-mail address:
Part 1b. Assessor Provide the following information for all assessors involved in the assessment. If there was no assessor for a given assessor type, enter Not Applicable.
PCI SSC Internal Security Assessor(s) ISA name(s):
Assessor phone number:
Assessor e-mail address:
Assessor certificate number:
Indicate all payment channels used by the business that are included in this assessment.
Mail order/telephone order (MOTO) E-Commerce Card-present Are any payment channels not included in this assessment? If yes, indicate which channel(s) is not included in the assessment and provide a brief explanation about why the channel was excluded.
Part 2b. Description of Role with Payment Cards For …
Added
p. 4
Facility Type Total number of locations (How many locations of this type are in scope) Location(s) of facility (city, country) Example: Data centers 3 Boston, MA, USA Part 2e. PCI SSC Validated Products and Solutions Does the merchant use any item identified on any PCI SSC Lists of Validated Products and Solutions♦? Provide the following information regarding each item the merchant uses from PCI SSC’s Lists of Validated Products and Solutions.
Name of PCI SSC- validated Product or Version of Product or
PCI SSC Standard to which product or solution was validated
PCI SSC listing reference number Expiry date of listing (YYYY-MM-DD) ♦ For purposes of this document, “Lists of Validated Products and Solutions” means the lists of validated products, solutions, and/or components appearing on the PCI SSC website (www.pcisecuritystandards.org), for example, 3DS Software Development Kits, Approved PTS Devices, Validated Payment Software, Payment Applications (PA-DSS), Point to Point Encryption (P2PE) solutions, Software-Based PIN Entry …
Added
p. 6
PCI DSS Requirement * Requirement Responses More than one response may be selected for a given requirement.
Indicate all responses that apply.
In Place In Place with CCW Not Applicable Not in Place
* PCI DSS Requirements indicated above refer to the requirements in Section 2 of the SAQ associated with this AOC.
The merchant uses only an imprint machine and/or uses only standalone, dial-out terminals (connected via a phone line to the merchant processor) to take customers’ payment card information; The standalone, dial-out terminals are not connected to any other systems within the merchant environment; The standalone, dial-out terminals are not connected to the Internet; Any account data the merchant might retain is on paper (for example, printed reports or receipts), and these documents are not received electronically; and
The merchant does not store account data in electronic format.
Target Date for Compliance: YYYY-MM-DD A merchant submitting this form with a Non-Compliant status may be required …
Added
p. 10
If asked to complete this section, select the appropriate response for “Compliant to PCI DSS Requirements” for each requirement below. For any “No” responses, include the date the merchant expects to be compliant with the requirement and a brief description of the actions being taken to meet the requirement.
Removed
p. 3
Part 1. Merchant and Qualified Security Assessor Information Part 1a. Merchant Organization Information Company Name: DBA (doing business as):
Business Address: City:
State/Province: Country: Zip:
Lead QSA Contact Name: Title:
Part 2. Executive Summary Part 2a. Type of Merchant Business (check all that apply) Retailer Telecommunication Grocery and Supermarkets Petroleum E-Commerce Mail order/telephone order (MOTO) Others (please specify):
What types of payment channels does your business serve?
Mail order/telephone order (MOTO) E-Commerce Card-present (face-to-face) Which payment channels are covered by this SAQ? Mail order/telephone order (MOTO) E-Commerce Card-present (face-to-face)
Modified
p. 3 → 2
Section 1: Assessment Information Instructions for Submission This document must be completed as a declaration of the results of the merchant’s self-assessment with the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS). Complete all sections: The merchant is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact your acquirer (merchant bank) or the payment brands to determine reporting and submission procedures.
Section 1: Assessment Information Instructions for Submission This document must be completed as a declaration of the results of the merchant’s self-assessment against the Payment Card Industry Data Security Standard (PCI DSS) Requirements and Testing Procedures. Complete all sections. The merchant is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact the entity(ies) to which the Attestation of Compliance (AOC) will be submitted for reporting and submission procedures.
Modified
p. 3 → 2
Qualified Security Assessor Company name:
Modified
p. 3
Note: If your organization has a payment channel or process that is not covered by this SAQ, consult your acquirer or payment brand about validation for the other channels.
Note: If the organization has a payment channel that is not covered by this SAQ, consult with the entity(ies) to which this AOC will be submitted about validation for the other channels.
Removed
p. 4
Type of facility Number of facilities of this type Location(s) of facility (city, country) Example: Retail outlets 3 Boston, MA, USA Part 2d. Payment Application Does the organization use one or more Payment Applications? Yes No Provide the following information regarding the Payment Applications your organization uses:
Payment Application Version Number Application Is application PA-DSS Listed? PA-DSS Listing Expiry date (if applicable) Part 2e. Description of Environment Provide a high-level description of the environment covered by this assessment.
For example:
• Connections into and out of the cardholder data environment (CDE).
• Critical system components within the CDE, such as POS devices, databases, web servers, etc., and any other necessary payment components, as applicable.
Modified
p. 4 → 3
Indicate whether the environment includes segmentation to reduce the scope of the assessment. (Refer to “Segmentation” section of PCI DSS for guidance on segmentation.)
Removed
p. 5
Description of services provided by QIR:
Does your company share cardholder data with any third-party service providers (for example, Qualified Integrator & Resellers (QIR), gateways, payment processors, payment service providers (PSP), web-hosting companies, airline booking agents, loyalty program agents, etc.)? Name of service provider: Description of services provided:
Merchant uses only an imprint machine to imprint customers’ payment card information and does not transmit cardholder data over either a phone line or the Internet; and/or Merchant uses only standalone, dial-out terminals (connected via a phone line to your processor); and the standalone, dial-out terminals are not connected to the Internet or any other systems within the merchant environment; Merchant does not transmit cardholder data over a network (either an internal network or the Internet); Merchant does not store cardholder data in electronic format; and If Merchant does store cardholder data, such data is only paper reports or copies of paper receipts and …
Modified
p. 5 → 6
Part 2g. Eligibility to Complete SAQ B Merchant certifies eligibility to complete this shortened version of the Self-Assessment Questionnaire because, for this payment channel:
Part 2h. Eligibility to Complete SAQ B Merchant certifies eligibility to complete this Self-Assessment Questionnaire because, for this payment channel:
Removed
p. 6
The assessment documented in this attestation and in the SAQ was completed on:
Have compensating controls been used to meet any requirement in the SAQ? Yes No Were any requirements in the SAQ identified as being not applicable (N/A)? Yes No Were any requirements in the SAQ unable to be met due to a legal constraint? Yes No
Modified
p. 6 → 7
Section 2: Self-Assessment Questionnaire B This Attestation of Compliance reflects the results of a self-assessment, which is documented in an accompanying SAQ.
Section 2: Self-Assessment Questionnaire B Self-assessment completion date: YYYY-MM-DD Were any requirements in the SAQ unable to be met due to a legal constraint? Yes No
Removed
p. 7
An entity submitting this form with a status of Non-Compliant may be required to complete the Action Plan in Part 4 of this document. Check with your acquirer or the payment brand(s) before completing Part 4.
Compliant but with Legal exception: One or more requirements are marked “No” due to a legal restriction that prevents the requirement from being met. This option requires additional review from acquirer or payment brand.
If checked, complete the following:
I have confirmed with my payment application vendor that my payment system does not store sensitive authentication data after authorization.
I have read the PCI DSS and I recognize that I must maintain PCI DSS compliance, as applicable to my environment, at all times.
If my environment changes, I recognize I must reassess my environment and implement any additional PCI DSS requirements that apply.
Modified
p. 7 → 8
Section 3: Validation and Attestation Details Part 3. PCI DSS Validation This AOC is based on results noted in SAQ B (Section 2), dated (SAQ completion date).
Section 3: Validation and Attestation Details Part 3. PCI DSS Validation This AOC is based on results noted in SAQ B (Section 2), dated (Self-assessment completion date YYYY-MM-DD).
Modified
p. 7 → 8
Based on the results documented in the SAQ B noted above, the signatories identified in Parts 3b-3d, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document (check one):
Based on the results documented in the SAQ B noted above, each signatory identified in any of Parts 3b-3d, as applicable, assert(s) the following compliance status for the merchant identified in Part 2 of this document.
Modified
p. 7 → 8
Compliant: All sections of the PCI DSS SAQ are complete, all questions answered affirmatively, resulting in an overall COMPLIANT rating; thereby (Merchant Company Name) has demonstrated full compliance with the PCI DSS.
Compliant: All sections of the PCI DSS SAQ are complete and all requirements are marked as being either 1) In Place, 2) In Place with CCW, or 3) Not Applicable, resulting in an overall COMPLIANT rating; thereby (Merchant Company Name) has demonstrated compliance with all PCI DSS requirements included in this SAQ.
Modified
p. 7 → 8
Non-Compliant: Not all sections of the PCI DSS SAQ are complete, or not all questions are answered affirmatively, resulting in an overall NON-COMPLIANT rating, thereby (Merchant Company Name) has not demonstrated full compliance with the PCI DSS.
Non-Compliant: Not all sections of the PCI DSS SAQ are complete, or one or more requirements are marked as Not in Place, resulting in an overall NON-COMPLIANT rating, thereby (Merchant Company Name) has not demonstrated compliance with the PCI DSS requirements included in this SAQ.
Modified
p. 7 → 8
Affected Requirement Details of how legal constraint prevents requirement being met Part 3a. Acknowledgement of Status Signatory(s) confirms:
Affected Requirement Details of how legal constraint prevents requirement from being met
Modified
p. 7 → 9
(Select all that apply)
Modified
p. 7 → 9
PCI DSS Self-Assessment Questionnaire B, Version (version of SAQ), was completed according to the instructions therein.
PCI DSS Self-Assessment Questionnaire B, Version 4.0 was completed according to the instructions therein.
Modified
p. 7 → 9
All information within the above-referenced SAQ and in this attestation fairly represents the results of my assessment in all material respects.
All information within the above-referenced SAQ and in this attestation fairly represents the results of the merchant’s assessment in all material respects.
Removed
p. 8
ASV scans are being completed by the PCI SSC Approved Scanning Vendor (ASV Name) Part 3b. Merchant Attestation Signature of Merchant Executive Officer Date:
Modified
p. 8 → 9
Part 3c. Qualified Security Assessor (QSA) Acknowledgement (if applicable) If a QSA was involved or assisted with this assessment, describe the role performed:
Part 3c. Qualified Security Assessor (QSA) Acknowledgement If a QSA was involved or assisted with this assessment, indicate the role performed:
Modified
p. 8 → 9
Signature of Duly Authorized Officer of QSA Company Date:
Signature of Duly Authorized Officer of QSA Company Date: YYYY-MM-DD Duly Authorized Officer Name: QSA Company:
Modified
p. 8 → 9
Part 3d. Internal Security Assessor (ISA) Involvement (if applicable) If an ISA(s) was involved or assisted with this assessment, identify the ISA personnel and describe the role performed:
Part 3d. PCI SSC Internal Security Assessor (ISA) Involvement If an ISA(s) was involved or assisted with this assessment, indicate the role performed:
Removed
p. 9
Check with your acquirer or the payment brand(s) before completing Part 4.
Modified
p. 9 → 10
PCI DSS Requirement* Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO 3 Protect stored cardholder data Encrypt transmission of cardholder data across open, public networks 7 Restrict access to cardholder data by business need to know 9 Restrict physical access to cardholder data Maintain a policy that addresses information security for all personnel * PCI DSS Requirements indicated here refer to the questions in Section 2 …
PCI DSS Requirement* Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO 3 Protect stored account data Restrict access to system components and cardholder data by business need to know 9 Restrict physical access to cardholder data 12 Support information security with organizational policies and programs * PCI DSS Requirements indicated above refer to the requirements in Section 2 of the SAQ associated with this AOC.