Document Comparison
PCI-DSS-v3_2-SAQ-B_IP.pdf → PCI-DSS-v3_2-SAQ-B_IP-rev1_1.pdf
92% similar
Pages: 37 → 39
Words: 8685 → 9189
Content Changes: 17
17 content changes. 25 administrative changes (dates, page numbers) hidden.
Added
p. 2
Requirements added from PCI DSS v3.2 Appendix A2.
January 2017 3.2 1.1 Updated Document Changes to clarify requirements added in the April 2016 update.
Updated Before You Begin section to clarify term “SCR” and intent of permitted systems.
Added Requirement 8.3.1 to align with intent of Requirement 2.3.
Added Requirement 11.3.4 to verify segmentation controls, if segmentation is used.
Added
p. 23
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 8.5 Are group, shared, or generic accounts, passwords, or other authentication methods prohibited as follows:
Review policies and procedures 9.9.1 (a) Does the list of devices include the following?
Added
p. 28
(a) Are penetration-testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of-scope systems from systems in the CDE? Examine segmentation controls Review penetration-testing methodology
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A (b) Does penetration testing to verify segmentation controls meet the following? Performed at least annually and after any changes to segmentation controls/methods Covers all segmentation controls/methods in use Verifies that segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.
Examine results from the most recent penetration test (c) Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)? Interview responsible personnel
Modified
p. 4
Your company uses only standalone, PTS-approved point-of-interaction (POI) devices (excludes SCRs) connected via IP to your payment processor to take your customers’ payment card information; The standalone IP-connected POI devices are validated to the PTS POI program as listed on the PCI SSC website (excludes SCRs); The standalone IP-connected POI devices are not connected to any other systems within your environment (this can be achieved via network segmentation to isolate POI devices from other systems); The …
Your company uses only standalone, PTS-approved point-of-interaction (POI) devices (excludes SCRs) connected via IP to your payment processor to take your customers’ payment card information; The standalone IP-connected POI devices are validated to the PTS POI program as listed on the PCI SSC website (excludes SCRs); The standalone IP-connected POI devices are not connected to any other systems within your environment (this can be achieved via network segmentation to isolate POI devices from other systems)1; The …
Modified
p. 23 → 24
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 9.6 (a) Is strict control maintained over the internal or external distribution of any kind of media? Review policies and procedures for distribution of media (b) Do controls include the following:
Modified
p. 23 → 24
Interview personnel Examine media distribution tracking logs and documentation 9.7 Is strict control maintained over the storage and accessibility of media? Review policies and procedures
Interview personnel Examine media distribution tracking logs and documentation 9.7 Is strict control maintained over the storage and accessibility of media?
Modified
p. 24
Review policies and procedures 9.8 (a) Is all media destroyed when it is no longer needed for business or legal reasons? Review periodic media destruction policies and procedures (c) Is media destruction performed as follows:
Modified
p. 24
Review periodic media destruction policies and procedures Interview personnel Observe processes (b) Are storage containers used for materials that contain information to be destroyed secured to prevent access to the contents?
Review periodic media destruction policies and procedures Interview personnel Observe processes (b) Are storage containers used for materials that contain information to be destroyed secured to prevent access to the contents? Examine security of storage containers
Modified
p. 24 → 25
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 9.9 Are devices that capture payment card data via direct physical interaction with the card protected against tampering and substitution as follows? Note: This requirement applies to card-reading devices used in card-present transactions (that is, card swipe or dip) at the point of sale. This requirement is not intended to apply to manual key-entry components such as computer keyboards and POS keypads.
Modified
p. 24 → 25
Review policies and procedures (c) Do policies and procedures require that personnel are trained to be aware of suspicious behavior and to report tampering or substitution of devices? Review policies and procedures
Review policies and procedures (c) Do policies and procedures require that personnel are trained to be aware of suspicious behavior and to report tampering or substitution of devices?
Removed
p. 25
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 9.9.1 (a) Does the list of devices include the following?
Modified
p. 25
Make, model of device Location of device (for example, the address of the site or facility where the device is located) Device serial number or other method of unique identification Examine the list of devices (b) Is the list accurate and up to date? Observe devices and device locations and compare to list (c) Is the list of devices updated when devices are added, relocated, decommissioned, etc.?
Make, model of device Location of device (for example, the address of the site or facility where the device is located) Device serial number or other method of unique identification Examine the list of devices (b) Is the list accurate and up to date? Observe devices and device locations and compare to list (c) Is the list of devices updated when devices are added, relocated, decommissioned, etc.? Interview personnel
Modified
p. 25 → 26
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 9.9.2 (a) Are device surfaces periodically inspected to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device) as follows? Note: Examples of signs that a device might have been tampered with or substituted include unexpected attachments or cables …
Modified
p. 25 → 26
Interview personnel Observe inspection processes and compare to defined processes (b) Are personnel aware of procedures for inspecting devices? Interview personnel
Interview personnel Observe inspection processes and compare to defined processes (b) Are personnel aware of procedures for inspecting devices?
Modified
p. 26
Interview personnel 9.9.3 Are personnel trained to be aware of attempted tampering or replacement of devices, to include the following?
Modified
p. 26 → 27
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A (b) Have personnel at point-of-sale locations received training, and are they aware of procedures to detect and report attempted tampering or replacement of devices? Interview personnel at POS locations
Modified
p. 27 → 28
Review results of each external quarterly scan and rescan (c) Are quarterly external vulnerability scans performed by a PCI SSC Approved Scanning Vendor (ASV)? Review results of each external quarterly scan and rescan
Review results of each external quarterly scan and rescan (c) Are quarterly external vulnerability scans performed by a PCI SSC Approved Scanning Vendor (ASV)? Review results of each external quarterly scan and rescan 11.3.4 If segmentation is used to isolate the CDE from other networks: