Document Comparison
PCIDSS_QRGv3_1.pdf → PCIDSS_QRGv3_2.pdf
92% similar
Pages: 40 → 40
Words: 10724 → 10901
Content Changes: 45
45 content changes. 5 administrative changes (dates, page numbers) hidden.
Added
p. 4
Merchant-based vulnerabilities may appear almost anywhere in the card-processing ecosystem including:
• point-of-sale devices;
• mobile devices, personal computers or servers;
• web shopping applications;
• paper-based storage systems;
• the transmission of cardholder data to service providers;
• in remote access connections.
Added
p. 7
PIN Transaction Security (PTS) Requirements The PCI PTS is a set of security requirements focused on characteristics and management of devices used in the protection of cardholder PINs and other payment processing related activities. The PTS standards include PIN Security Requirements, Point of Interaction (POI) Modular Security Requirements, and Hardware Security Module (HSM) Security Requirements. The device requirements are for manufacturers to follow in the design, manufacture and transport of a device to the entity that implements it. Financial institutions, processors, merchants and service providers should only use devices or components that are tested and approved by the PCI SSC, listed at: www.pcisecuritystandards.org/assessors_and_solutions/pin_transaction_devices.
Payment Application Data Security Standard (PA-DSS) The PA-DSS is for software vendors and others who develop payment applications that store, process or transmit cardholder data and/or sensitive authentication data as part of authorization or settlement, when these applications are sold, distributed or licensed to third parties. Most …
Added
p. 8
PCI Card Production Logical Security Requirements and Physical Security Requirements The Card Production Logical and Physical Security Requirements address card production activities including card manufacturing, chip embedding, data preparation, pre-personalization, card personalization, chip personalization, fulfillment, packaging, storage, mailing, shipping, PIN printing and mailing (personalized, credit or debit), PIN printing (non-personalized prepaid cards), and electronic PIN distribution.
PCI Token Service Provider Security Requirements The Token Service Provider (TSP) Security Requirements are intended for Token Service Providers that generate and issue EMV Payment Tokens, as defined under the EMV® Payment Tokenisation Specification Technical Framework.
The PCI Standards can all be downloaded from the PCI SSC Document Library: https://www.pcisecuritystandards.org/document_library
This Guide provides supplemental information that does not replace or supersede PCI SSC Security Standards or their supporting documents.
Added
p. 27
4. Attest
• complete the appropriate Attestation of Compliance (AOC)
5. Submit
• submit the SAQ, ROC, AOC and other requested supporting documentation such as ASV scan reports to the acquirer (for merchants) or to the payment brand/requestor (for service providers)
Added
p. 36
Note: For some entities, these best practices are also requirements to ensure ongoing PCI DSS compliance. All organizations should consider implementing these best practices into their environment, even where the organization is not required to validate to them.
PCI SSC approved products, solutions and providers
PIN Transaction Security (PTS) Devices: https://www.pcisecuritystandards.org/assessors_and_solutions/pin_transaction_devices
Payment Applications: https://www.pcisecuritystandards.org/assessors_and_solutions/vpa_agreement
P2PE Solutions: https://www.pcisecuritystandards.org/assessors_and_solutions/point_to_point_encryption_solutions
Approved QSAs: https://www.pcisecuritystandards.org/assessors_and_solutions/qualified_security_assessors
Approved ASVs: https://www.pcisecuritystandards.org/assessors_and_solutions/approved_scanning_vendors
Modified
p. 1
PCI DSS Quick Reference Guide Understanding the Payment Card Industry Data Security Standard version 3.1 For merchants and other entities involved in payment card processing
PCI DSS Quick Reference Guide Understanding the Payment Card Industry Data Security Standard version 3.2 For merchants and other entities involved in payment card processing
Modified
p. 2
PCI DSS Quick Reference Guide: Understanding the Payment Card Industry Data Security Standard version 3.1.
PCI DSS Quick Reference Guide: Understanding the Payment Card Industry Data Security Standard version 3.2.
Modified
p. 4
It’s a serious problem
• more than 868 million records with sensitive information have been breached between January 2005 and June 2014, according to PrivacyRights.org. As you are a key participant in payment card transactions, it is imperative that you use standard security procedures and technologies to thwart theft of cardholder data.
It’s a serious problem
• more than 898 million records with sensitive information have been breached from 4,823 data breaches made public between January 2005 and April 2016, according to PrivacyRights.org. As you are a key participant in payment card transactions, it is imperative that you use standard security procedures and technologies to thwart theft of cardholder data.
Modified
p. 4
Vulnerabilities may also extend to systems operated by service providers and acquirers, which are the financial institutions that initiate and maintain the relationships with merchants that accept payment cards (see diagram on page 5).
Modified
p. 6
PCI Security Standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The standards apply to all entities that store, process or transmit cardholder data
• with requirements for software developers and manufacturers of applications and devices used in those transactions. The Council is responsible for managing the security standards, while compliance with the PCI set of standards is enforced by the founding members of the Council, American Express, Discover Financial Services, …
PCI Security Standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The standards apply to all entities that store, process or transmit cardholder data
• with requirements for software developers and manufacturers of applications and devices used in those transactions. The Council is responsible for managing the security standards, while compliance with the PCI set of standards is enforced by the founding members of the Council: American Express, Discover Financial Services, …
Removed
p. 7
PCI Security Standards Include: PCI Data Security Standard (PCI DSS) The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational system components included in or connected to cardholder data. If you accept or process payment cards, PCI DSS applies to you. PIN Transaction Security (PTS) Requirements The PCI PTS is a set of security requirements focused on characteristics and management of devices used in the protection of cardholder PINs and other payment processing related activities. The requirements are for manufacturers to follow in the design, manufacture and transport of a device to the entity that implements it. Financial institutions, processors, merchants and service providers should only use devices or components that are tested and approved by the PCI SSC (www.pcisecuritystandards.org/approved_companies_providers/approved_pin_transaction_security.php). Payment Application Data Security Standard (PA-DSS) The PA-DSS is for software vendors and others who develop payment applications that store, …
Removed
p. 10
• American Express: www.americanexpress.com/datasecurity
• Discover: www.discovernetwork.com/fraudsecurity/disc.html
• JCB International: http://partner.jcbcard.com/security/jcbprogram/
• MasterCard: www.mastercard.com/sdp
Modified
p. 10
Qualified Assessors. The Council manages programs that will help facilitate the assessment of compliance with PCI DSS: Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV). QSAs are approved by the Council to assess compliance with the PCI DSS. ASVs are approved by the Council to validate adherence to the PCI DSS scan requirements by performing vulnerability scans of Internet-facing environments of merchants and service providers. The Council also provides PCI DSS training for Internal Security Assessors (ISAs). Additional details …
Modified
p. 12
Requirement 1: Install and maintain a firewall configuration to protect cardholder data Firewalls are devices that control computer traffic allowed into and out of an organization’s network, and into sensitive areas within its internal network. Firewall functionality can also appear in other system components. Routers are hardware or software that connects two or more networks. All such networking devices are in scope for assessment of Requirement 1 if used within the cardholder data environment. 1.1 Establish and implement firewall and …
Modified
p. 17
VULNERABILITY MANAGEMENT
Create policy governing security controls according to industry standard best practices (e.g., IEEE 802.11i)
Regularly scan systems for vulnerabilities
Create remediation schedule based on risk and priority
Pre-test and deploy patches
Rescan to verify compliance
Update security software with the most current signatures and technology
Use only software or systems that were securely developed by industry standard best practices
VULNERABILITY MANAGEMENT
Create policy governing security controls according to industry standard best practices
Regularly scan systems for vulnerabilities
Create remediation schedule based on risk and priority
Pre-test and deploy patches
Rescan to verify compliance
Update security software with the most current signatures and technology
Use only software or systems that were securely developed by industry standard best practices
Modified
p. 18
Restrict Access to Cardholder Data Environments by employing access controls
Limit access to only those individuals whose job requires such access
Formalize an access control policy that includes a list of who gets access to specified cardholder data and systems
Deny all access to anyone who is not specifically allowed to access cardholder data and systems
7.2 …
Modified
p. 19
Requirement 8: Identify and authenticate access to system components Assigning a unique identification (ID) to each person with access ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users. Requirements apply to all accounts, including point of sale accounts, with administrative capabilities and all accounts with access to stored cardholder data.
Requirement 8: Identify and authenticate access to system components Assigning a unique identification (ID) to each person with access ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users. Requirements apply to all accounts, including point of sale accounts, with administrative capabilities and all accounts with access to stored cardholder data. Requirements do not apply to accounts used by consumers (e.g., cardholders).
Modified
p. 20
Requirement 9: Restrict physical access to cardholder data Any physical access to data or systems that house cardholder data provides the opportunity for persons to access and/or remove devices, data, systems or hardcopies, and should be appropriately restricted. “Onsite personnel” are full- and part-time employees, temporary employees, contractors, and consultants who are physically present on the entity’s premises. “Visitors” are vendors and guests that enter the facility for a short duration - usually up to one day. “Media” is all …
Requirement 9: Restrict physical access to cardholder data Any physical access to data or systems that house cardholder data provides the opportunity for persons to access and/or remove devices, data, systems or hardcopies, and should be appropriately restricted. “Onsite personnel” are full- and part-time employees, temporary employees, contractors, and consultants who are physically present on the entity’s premises. “Visitors” are vendors and guests that enter the facility for a short duration – usually up to one day. “Media” is all …
Modified
p. 20
9.4 Ensure all visitors are authorized before entering areas where cardholder data is processed or maintained; given a physical token that expires and that identifies visitors as not onsite personnel; and are asked to surrender the physical token before leaving the facility or at the date of expiration. Use a visitor log to maintain a physical audit …
9.4 Ensure all visitors are authorized before entering areas where cardholder data is processed or maintained, given a physical badge or other identification that expires and identifies visitors as not onsite personnel, and are asked to surrender the physical badge before leaving the facility or at the date of expiration. Use a visitor log to maintain a …
Modified
p. 23
SEVERITY LEVELS FOR VULNERABILITY SCANNING CVSS Score Severity Level Scan Results 7.0 through 10.0 High Severity Fail 4.0 through 6.9 Medium Severity Fail 0.0 through 3.9 Low Severity Pass “To demonstrate compliance, a scan must not contain high-level vulnerabilities in any component in the cardholder data environment. Generally, to be considered compliant, none of those components may contain any vulnerability that has been assigned a Common Vulnerability Scoring System (CVSS) base score equal to or higher than 4.0.” This …
SEVERITY LEVELS FOR VULNERABILITY SCANNING CVSS Score Severity Level Scan Results 7.0 through 10.0 High Severity Fail 4.0 through 6.9 Medium Severity Fail 0.0 through 3.9 Low Severity Pass “To demonstrate compliance, internal scans must not contain high-risk vulnerabilities in any component in the cardholder data environment. For external scans, none of those components may contain any vulnerability that has been assigned a Common Vulnerability Scoring System (CVSS) base score equal to or higher than 4.0.” This Guide provides supplemental …
Removed
p. 24
“With version 3.0, PCI DSS is more mature than ever, and covers a broad base of technologies and processes such as encryption, access control, and vulnerability scanning to offer a sound baseline of security. The range of supporting standards, roadmaps, guidance, and methodologies is expanding. And our research suggests that organizations are complying at a higher rate than in previous years.” (2014 Verizon PCI Compliance Report)
12.6 Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.
Modified
p. 27
Depending on an entity’s classification or risk level (determined by the individual payment card brands), processes for validating compliance and reporting to acquiring financial institutions usually follow this track:
Depending on an entity’s classification or risk level (determined by the individual payment card brands), processes for compliance usually follow these steps:
Modified
p. 27
1. PCI DSS Scoping
• determine which system components and networks are in scope for PCI DSS
1. Scope
• determine which system components and networks are in scope for PCI DSS
Modified
p. 27
2. Assessing
• examine the compliance of system components in scope following the testing procedures for each PCI DSS requirement
2. Assess
• examine the compliance of system components in scope following the testing procedures for each PCI DSS requirement
Modified
p. 27
3. Reporting
• assessor and/or entity submits required documentation (e.g. Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC)), including documentation of all compensating controls
3. Report
• assessor and/or entity completes required documentation (e.g. Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC)), including documentation of all compensating controls
Modified
p. 27
6. Remediate
• if required, perform remediation to address requirements that are not in place, and provide an updated report
How to Comply With PCI DSS
PREPARING FOR A PCI DSS ASSESSMENT
Gather Documentation: Security policies, change control records, network diagrams, scan reports, system documentation, training records and so on
Schedule Resources: Ensure participation of senior management, as well as a project manager and key people from IT, security, applications, human resources and legal
Describe the Environment: Organize information about the …
Modified
p. 28
• Produce the final report
ISA PROGRAM
The PCI SSC Internal Security Assessor (ISA) Program provides an opportunity for eligible internal security assessment professionals of qualifying organizations to receive PCI DSS training and qualification that will improve the organization’s understanding of the PCI DSS, facilitate the organization’s interactions with QSAs, enhance the quality, reliability, and consistency of the organization’s internal PCI DSS self-assessments, and support the consistent and proper application of PCI DSS measures and controls. Please see the PCI …
Modified
p. 29
Choosing an Approved Scanning Vendor An Approved Scanning Vendor (ASV) is a data security firm using a scanning solution to determine whether or not the customer meets the PCI DSS external vulnerability scanning requirement. ASVs are qualified by the PCI Security Standards Council to perform external network and system scans as required by the PCI DSS. An ASV may use its own software or an approved commercial or open source solution. ASV solutions must be non-disruptive to customers’ systems and …
Modified
p. 30
Scoping must occur at least annually and prior to the annual assessment. Merchants and other entities must identify all locations and flows of cardholder data, and identify all systems that are connected to or if compromised could impact the CDE (e.g. authentication servers) to ensure all applicable system components are included in scope for PCI DSS. Entities should confirm the accuracy of the defined CDE by performing these steps:
Scoping must occur at least annually and prior to the annual assessment. Merchants and other entities must identify all locations and flows of cardholder data, and identify all systems that are connected to or if compromised could impact the CDE (e.g. authentication servers) to ensure all applicable system components are included in scope for PCI DSS. All types of systems and locations should be considered as part of the scoping process, including backup/recovery sites and fail-over systems.
Modified
p. 30
• The assessed entity identifies and documents the existence of all cardholder data in their environment, to verify that no cardholder data exists outside of the currently defined cardholder data environment (CDE).
• Identify and document the existence of all cardholder data in the environment, to verify that no cardholder data exists outside of the currently defined cardholder data environment (CDE).
Modified
p. 30
• Once all locations of cardholder data are identified and documented, the entity uses the results to verify that PCI DSS scope is appropriate (for example, the results may be a diagram or an inventory of cardholder data locations).
• Once all locations of cardholder data are identified and documented, verify that PCI DSS scope is appropriate (for example, the results may be a diagram or an inventory of cardholder data locations).
Modified
p. 30
• The entity considers any cardholder data found to be in scope of the PCI DSS assessment and part of the CDE. If the entity identifies data that is not currently included in the CDE, such data should be securely deleted, migrated/consolidated into the currently defined CDE, or the CDE redefined to include these data.
• Consider any cardholder data found to be in scope of the PCI DSS assessment and part of the CDE. If data is identified that is not currently included in the CDE, such data should be securely deleted, migrated/consolidated into the currently defined CDE, or the CDE redefined to include these data.
Modified
p. 30
• The entity retains documentation that shows how PCI DSS scope was determined. The documentation is retained for assessor review and/or for reference during the next annual PCI DSS scope confirmation activity.
• Retain documentation that shows how PCI DSS scope was determined. The documentation is retained for assessor review and/or for reference during the next annual PCI DSS scope confirmation activity.
Modified
p. 33
Using the Self-Assessment Questionnaire
The “SAQ” is a validation tool for merchants and service providers to report the results of their PCI DSS self-assessment, if they are not required to submit a Report on Compliance (ROC). The SAQ includes a series of yes-or-no questions for each applicable PCI DSS requirement. If an answer is no, the organization may be required …
Using the Self-Assessment Questionnaire (SAQ)
The “SAQ” is a validation tool for merchants and service providers to report the results of their PCI DSS self-assessment, if they are not required to submit a Report on Compliance (ROC). The SAQ includes a series of yes-or-no questions for each applicable PCI DSS requirement. If an answer is no, the organization may be …
Modified
p. 34
P2PE Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage. Not applicable to e-commerce channels.
Modified
p. 35
Reports are the official mechanism by which merchants and other entities report their compliance status with PCI DSS to their respective acquiring financial institutions or payment card brand. Depending on payment card brand requirements, merchants and service providers may need to submit an SAQ for self-assessments, or a Report on Compliance for on-site assessments. Quarterly submission of a report …
Reports are the official mechanism by which merchants and other entities report their PCI DSS compliance status to their respective acquiring financial institutions or payment card brand. Depending on payment card brand requirements, merchants and service providers may need to submit an SAQ for self-assessments, or a Report on Compliance for on-site assessments. Quarterly submission of a report for network …
Modified
p. 35
2. Executive Summary (description of entity’s payment card business; high level network diagram)
Modified
p. 35
3. Description of Scope of Work and Approach Taken (description of how the assessment was made, environment, network segmentation used, details for each sample set selected and tested, wholly owned or international entities requiring compliance with PCI DSS, wireless networks or applications that could impact security of cardholder data, version of PCI DSS used to conduct the assessment)
Modified
p. 35
4. Details about Reviewed Environment (diagram of each network, description of cardholder data environment, list of all hardware and software in the CDE, service providers used, third party payment applications, individuals interviewed, documentation reviewed, details for reviews of managed service providers)
Modified
p. 35
1. Contact Information and Report Date
Removed
p. 36
Note: These best practices for implementing PCI DSS into business-as-usual processes are provided as recommendations and guidance only, and they do not replace or extend PCI DSS requirements.
Removed
p. 37
PCI SSC approved products, solutions and providers
PIN Transaction Security (PTS) Devices: www.pcisecuritystandards.org/approved_companies_providers/approved_pin_transaction_security.php
Payment Applications: www.pcisecuritystandards.org/approved_companies_providers/validated_payment_applications.php
P2PE Solutions: https://www.pcisecuritystandards.org/approved_companies_providers/validated_p2pe_solutions.php
Approved QSAs: https://www.pcisecuritystandards.org/approved_companies_providers/qualified_security_assessors.php
Approved ASVs: https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php
Modified
p. 37
PCI Security Standards Council Web site, including Frequently Asked Questions (FAQs): www.pcisecuritystandards.org
Membership Information www.pcisecuritystandards.org/get_involved/join.php
Webinars www.pcisecuritystandards.org/news_events/events.shtml
Training
QSA: www.pcisecuritystandards.org/training/qsa_training.php
PA-QSA: www.pcisecuritystandards.org/training/pa-dss_training.php
ISA: https://www.pcisecuritystandards.org/training/isa_training.php
PCIP: https://www.pcisecuritystandards.org/training/pcip_training.php
Other Training Programs: https://www.pcisecuritystandards.org/training/index.php
PCI Security Standards Council Web site: www.pcisecuritystandards.org
Frequently Asked Questions (FAQs): www.pcisecuritystandards.org/faqs
PCI SSC Blog: blog.pcisecuritystandards.org/
Membership Information www.pcisecuritystandards.org/get_involved/join.php
Webinars www.pcisecuritystandards.org/program_training_and_qualification/webinars
Training
QSA: https://www.pcisecuritystandards.org/program_training_and_qualification/qsa_certification
PA-QSA: https://www.pcisecuritystandards.org/program_training_and_qualification/payment_application-qsa_certification
ISA: https://www.pcisecuritystandards.org/program_training_and_qualification/internal_security_assessor_certification
PCIP: https://www.pcisecuritystandards.org/program_training_and_qualification/pci_professional_qualification
Other Training Programs: https://www.pcisecuritystandards.org/program_training_and_qualification/
Modified
p. 37
PCI Data Security Standard (PCI DSS)
The Standard: https://www.pcisecuritystandards.org/documents/pci_dss_v3.pdf
Supporting Documents: https://www.pcisecuritystandards.org/security_standards/documents.php
Self-Assessment Questionnaires: https://www.pcisecuritystandards.org/merchants/self_assessment_form.php
Glossary: https://www.pcisecuritystandards.org/security_standards/glossary.php
Web Resources
PCI Data Security Standard (PCI DSS)
The Standard: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf
Supporting Documents: https://www.pcisecuritystandards.org/document_library
Self-Assessment Questionnaires: www.pcisecuritystandards.org/document_library?category=saqs#results
Glossary: https://www.pcisecuritystandards.org/documents/PCI_DSS_Glossary_v3-2.pdf
Web Resources
Modified
p. 39
About the PCI Security Standards Council
The PCI Security Standards Council (PCI SSC) is a global open body formed to develop, enhance, disseminate and assist with the understanding of security standards for payment account security. The Council maintains, evolves, and promotes the Payment Card Industry security standards. It also provides critical tools needed for implementation of the standards such as assessment and scanning qualifications, self-assessment questionnaires, training and education, and product certification programs.
About the PCI Security Standards Council
The PCI Security Standards Council (PCI SSC) is a global body formed to develop, enhance, disseminate and assist with the understanding of security standards for payment account security. The Council maintains, evolves, and promotes the Payment Card Industry security standards. It also provides critical tools needed for implementation of the standards such as assessment and scanning qualifications, self-assessment questionnaires, training and education, and product certification programs.