Document Comparison
SAQ-SPoC-for-PCI-DSS-v4_0.pdf → PCI-DSS-v4-0-1-SAQ-SPoC.pdf
95% similar
Pages: 32 → 32
Words: 8304 → 8527
Content Changes: 43
43 content changes. 32 administrative changes (dates, page numbers) hidden.
Added
p. 2
September 2023 4.0 New Self-Assessment Questionnaire for merchants using Software-based PIN entry on COTS (SPoC) solutions.
Added
p. 2
Added ASV Resource Guide to section “Additional PCI SSC Resources.”
Added
p. 7
Note: A legal exception is a legal restriction due to a local or regional law, regulation, or regulatory requirement, where meeting a PCI DSS requirement would violate that law, regulation, or regulatory requirement.
Added
p. 20
These requirements do not apply to:
• Components used only for manual PAN key entry.
Added
p. 22
♦ Refer to the “Requirement Responses” section (page v) for information about these response options.
Added
p. 24
The TPSP’s written acknowledgment is a confirmation that states the TPSP is responsible for the security of the account data it may store, process, or transmit on behalf of the customer or to the extent the TPSP may impact the security of a customer’s cardholder data and/or sensitive authentication data.
Added
p. 32
Note: The PCI Security Standards Council is a global standards body that provides resources for payment security professionals developed collaboratively with our stakeholder community. Our materials are accepted in numerous compliance programs worldwide. Please check with your individual compliance-accepting organization to ensure that this form is acceptable in its program. For more information about PCI SSC and our stakeholder community please visit: https://www.pcisecuritystandards.org/about_us/.
Modified
p. 4
All payment processing is only via a card-present payment channel.
Modified
p. 4
All cardholder data entry is via an SCRP that is part of a validated¹ SPoC solution approved and listed by PCI SSC; The only systems in the merchant’s SPoC environment that store, process, or transmit account data are those used as part of the validated¹ SPoC solution approved and listed by PCI SSC; The merchant does not otherwise receive, transmit, or store account data electronically; This payment channel is not connected to any other systems/networks within …
Modified
p. 5
PCI DSS is intended for all entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD) or could impact the security of the cardholder data environment (CDE). Cardholder data and sensitive authentication data are considered account data and are defined as follows:
PCI DSS is intended for all entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD) or could impact the security of cardholder data and/or sensitive authentication data. Cardholder data and sensitive authentication data are considered account data and are defined as follows:
Modified
p. 5
Section 1: Assessment Information (Parts 1 & 2 of the Attestation of Compliance (AOC) – Contact Information and Executive Summary).
Modified
p. 5
Section 2: Self-Assessment Questionnaire SPoC.
Modified
p. 5
Section 3: Validation and Attestation Details (Parts 3 & 4 of the AOC – PCI DSS Validation and Action Plan for Non-Compliant Requirements (if Part 4 is applicable)).
Modified
p. 5
5. Submit the SAQ and AOC, along with any other requested documentation – such as ASV scan reports – to the requesting organization (those organizations that manage compliance programs such as payment brands and acquirers).
5. Submit the SAQ and AOC, along with any other requested documentation – such as ASV scan reports – to the requesting organization (those organizations that manage compliance programs such as payment brands and acquirers).
Modified
p. 5
Examine: The merchant critically evaluates data evidence. Common examples include documents (electronic or physical), screenshots, configuration files, audit logs, and data files.
Modified
p. 6
Interview: The merchant converses with individual personnel. Interview objectives may include confirmation of whether an activity is performed, descriptions of how an activity is performed, and whether personnel have particular knowledge or understanding.
Removed
p. 7
Note: A legal restriction is one where meeting the PCI DSS requirement would violate a local or regional law or regulation.
Removed
p. 8
• Guidance on Scoping
• Guidance on the intent of all PCI DSS Requirements
• Details of testing procedures
• Guidance on Compensating Controls
• Appendix G: Glossary of Terms, Abbreviations, and Acronyms SAQ Instructions and Guidelines
• Information about all SAQs and their eligibility criteria
Modified
p. 8
PCI Data Security Standard Requirements and Testing Procedures (PCI DSS)
• Guidance on Scoping
• Guidance on the intent of all PCI DSS Requirements
• Details of testing procedures
• Guidance on Compensating Controls
• Appendix G: Glossary of Terms, Abbreviations, and Acronyms
SAQ Instructions and Guidelines
• Information about all SAQs and their eligibility criteria
• How to determine which SAQ is right for your organization
Frequently Asked Questions (FAQs)
• Guidance and information about SAQs
• Online PCI DSS …
Modified
p. 8
− Understanding PCI DSS Scoping and Network Segmentation − Third-Party Security Assurance − Multi-Factor Authentication Guidance − Best Practices for Maintaining PCI DSS Compliance Getting Started with PCI • Resources for smaller merchants including:
− Understanding PCI DSS Scoping and Network Segmentation − Third-Party Security Assurance − Multi-Factor Authentication Guidance − Best Practices for Maintaining PCI DSS Compliance Getting Started with PCI Resources for smaller merchants including:
Modified
p. 8
− Guide to Safe Payments − Common Payment Systems − Questions to Ask Your Vendors − Glossary of Payment and Information Security Terms − PCI Firewall Basics These and other resources can be found on the PCI SSC website (www.pcisecuritystandards.org).
− Guide to Safe Payments − Common Payment Systems − Questions to Ask Your Vendors − Glossary of Payment and Information Security Terms − PCI Firewall Basics − ASV Resource Guide These and other resources can be found on the PCI SSC website (www.pcisecuritystandards.org).
Modified
p. 12
• Manage system components included in the scope of the merchant’s PCI DSS assessment – for example, via network security control services, anti-malware services, security incident and event management (SIEM), contact and call centers, web-hosting services, and IaaS, PaaS, SaaS, and FaaS cloud providers.
• Manage system components included in the scope of the merchant’s PCI DSS assessment – for example, via network security control services, anti-malware services, security incident and event management (SIEM), contact and call centers, web-hosting services, and IaaS, PaaS, SaaS, and FaaS cloud providers.
Modified
p. 14
PCI DSS Requirement Expected Testing Response (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 3.1 Processes and mechanisms for protecting stored account data are defined and understood.
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 3.1 Processes and mechanisms for protecting stored account data are defined and understood.
Modified
p. 15
PCI DSS Requirement Expected Testing Response (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 3.2 Storage of account data is kept to a minimum.
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 3.2 Storage of account data is kept to a minimum.
Modified
p. 16
PCI DSS Requirement Expected Testing Response (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place SAQ Completion Guidance:
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place SAQ Completion Guidance:
Modified
p. 17
PCI DSS Requirement Expected Testing Response (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 8.3 Strong authentication for users and administrators is established and managed 8.3.1 All user access to system components for users and administrators is authenticated via at least one of the following authentication factors:
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 8.3 Strong authentication for users and administrators is established and managed 8.3.1 All user access to system components for users and administrators is authenticated via at least one of the following authentication factors:
Modified
p. 18
PCI DSS Requirement Expected Testing Response (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 9.1 Processes and mechanisms for restricting physical access to cardholder data are defined and understood.
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 9.1 Processes and mechanisms for restricting physical access to cardholder data are defined and understood.
Modified
p. 19
PCI DSS Requirement Expected Testing Response (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 9.4.6 Hard-copy materials with cardholder data are destroyed when no longer needed for business or legal reasons, as follows:
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 9.4.6 Hard-copy materials with cardholder data are destroyed when no longer needed for business or legal reasons, as follows:
Modified
p. 19
• Examine the periodic media destruction policy.
• Examine the media destruction policy.
Removed
p. 20
This requirement is recommended, but not required, for manual PAN key-entry components such as computer keyboards.
Modified
p. 20
PCI DSS Requirement Expected Testing Response (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 9.5 Point-of-interaction (POI) devices are protected from tampering and unauthorized substitution.
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 9.5 Point-of-interaction (POI) devices are protected from tampering and unauthorized substitution.
Modified
p. 20
Applicability Notes These requirements apply to deployed POI devices used in card-present transactions (that is, a payment card form factor such as a card that is swiped, tapped, or dipped). This requirement is not intended to apply to manual PAN key-entry components such as computer keyboards.
Applicability Notes These requirements apply to deployed POI devices used in card-present transactions (that is, a payment card form factor such as a card that is swiped, tapped, or dipped).
Modified
p. 20
• Commercial off-the-shelf (COTS) devices (for example, smartphones or tablets), which are mobile merchant-owned devices designed for mass-market distribution.
Modified
p. 21
PCI DSS Requirement Expected Testing Response (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 9.5.1.3 Training is provided for personnel in POI environments to be aware of attempted tampering or replacement of POI devices, and includes:
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 9.5.1.3 Training is provided for personnel in POI environments to be aware of attempted tampering or replacement of POI devices, and includes:
Removed
p. 22
Refer to the “Requirement Responses” section (page v) for information about these response options.
Modified
p. 22
Note: Requirement 12 specifies that merchants have information security policies for their personnel, but these policies can be as simple or complex as needed for the size and complexity of the merchant’s operations. The policy document must be provided to all personnel so they are aware of their responsibilities for protecting payment terminals, any paper documents with account data, etc. If a merchant has no employees, then it is expected that the merchant understands and acknowledges their responsibility for security …
Note: Requirement 12 specifies that merchants have information security policies for their personnel, but these policies can be as simple or complex as needed for the size and complexity of the merchant’s operations. The policy document must be provided to all personnel so they are aware of their responsibilities for protecting payment terminals, any paper documents with cardholder data and/or sensitive authentication data, etc. If a merchant has no employees, then it is expected that the merchant understands and acknowledges …
Modified
p. 22
PCI DSS Requirement Expected Testing Response (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 12.1 A comprehensive information security policy that governs and provides direction for protection of the entity’s information assets is known and current.
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 12.1 A comprehensive information security policy that governs and provides direction for protection of the entity’s information assets is known and current.
Removed
p. 23
PCI DSS Requirement Expected Testing Response (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place SAQ Completion Guidance:
Modified
p. 24
PCI DSS Requirement Expected Testing Response (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 12.8.2 Written agreements with TPSPs are maintained as follows:
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not in Place 12.8.2 Written agreements with TPSPs are maintained as follows:
Modified
p. 24
• Written agreements include acknowledgments from TPSPs that they are responsible for the security of account data the TPSPs possess or otherwise store, process, or transmit on behalf of the entity, or to the extent that they could impact the security of the entity’s CDE.
• Written agreements include acknowledgments from TPSPs that TPSPs are responsible for the security of account data the TPSPs possess or otherwise store, process, or transmit on behalf of the entity, or to the extent that the TPSP could impact the security of the entity’s cardholder data and/or sensitive authentication data.
Modified
p. 24
Applicability Notes The exact wording of an acknowledgment will depend on the agreement between the two parties, the details of the service being provided, and the responsibilities assigned to each party. The acknowledgment does not have to include the exact wording provided in this requirement.
Applicability Notes The exact wording of an agreement will depend on the details of the service being provided, and the responsibilities assigned to each party. The agreement does not have to include the exact wording provided in this requirement.
Modified
p. 24
Evidence that a TPSP is meeting PCI DSS requirements (for example, a PCI DSS Attestation of Compliance (AOC) or a declaration on a company’s website) is not the same as a written agreement specified in this requirement.
Evidence that a TPSP is meeting PCI DSS requirements is not the same as a written acknowledgment specified in this requirement. For example, a PCI DSS Attestation of Compliance (AOC), a declaration on a company’s website, a policy statement, a responsibility matrix, or other evidence not included in a written agreement is not a written acknowledgment.
Modified
p. 31
PCI DSS Self-Assessment Questionnaire SPOC, Version 4.0, was completed according to the instructions therein.
PCI DSS Self-Assessment Questionnaire SPOC, Version 4.0.1, was completed according to the instructions therein.