Document Comparison
PCI_DSS_v3-1_SAQ_P2PE_rev1-1.pdf → PCI-DSS-v3_2-SAQ-P2PE.pdf
93% similar
Pages: 26 → 24
Words: 6419 → 6273
Content Changes
23 content changes. 21 administrative changes (dates, page numbers) hidden.
Added
p. 9
Does your company share cardholder data with any third-party service providers (for example, Qualified Integrator & Resellers (QIR), gateways, airline booking agents, loyalty program agents, etc.)? Name of service provider: Description of services provided:
Added
p. 19
Appendix A2: Additional PCI DSS Requirements for Entities using SSL/early TLS. This appendix is not used for SAQ P2PE merchant assessments.
Appendix A3: Designated Entities Supplemental Validation (DESV). This Appendix applies only to entities designated by a payment brand(s) or acquirer as requiring additional validation of existing PCI DSS requirements. Entities required to validate to this Appendix should use the DESV Supplemental Reporting Template and Supplemental Attestation of Compliance for reporting, and consult with the applicable payment brand and/or acquirer for submission procedures.
Added
p. 22
Section 3: Validation and Attestation Details Part 3. PCI DSS Validation This AOC is based on results noted in SAQ P2PE (Section 2), dated (SAQ completion date).
Modified
p. 1
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire P2PE and Attestation of Compliance Merchants using Hardware Payment Terminals in a PCI SSC-Listed P2PE Solution Only – No Electronic Cardholder Data Storage For use with PCI DSS Version 3.1 Revision 1.1
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire P2PE and Attestation of Compliance Merchants using Hardware Payment Terminals in a PCI SSC-Listed P2PE Solution Only – No Electronic Cardholder Data Storage For use with PCI DSS Version 3.2
Modified
p. 4
Section 1 (Part 1 & 2 of the AOC – Assessment Information and Executive Summary) Section 2 – PCI DSS Self-Assessment Questionnaire (SAQ P2PE) Section 3 (Parts 3 & 4 of the AOC) – Validation and Attestation Details, and Action Plan for Non-Compliant Requirements (if applicable)
Section 1 (Parts 1 & 2 of the AOC – Assessment Information and Executive Summary) Section 2 – PCI DSS Self-Assessment Questionnaire (SAQ P2PE) Section 3 (Parts 3 & 4 of the AOC) – Validation and Attestation Details, and Action Plan for Non-Compliant Requirements (if applicable)
Modified
p. 4
6. Submit the SAQ and the Attestation of Compliance – along with any other requested documentation – to your acquirer, payment brand, or other requester.
6. Submit the SAQ and the Attestation of Compliance (AOC), along with any other requested documentation, to your acquirer, payment brand, or other requester.
Removed
p. 7
ISA Name(s) (if applicable) Title:
Modified
p. 10
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 3.1 Are data-retention and disposal policies, procedures, and processes implemented as follows:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 3.1 Are data-retention and disposal policies, procedures, and processes implemented as follows:
Removed
p. 11
Review policies and procedures Review roles that need access to displays of full PAN Examine system configurations Observe displays of PAN Guidance: A “Yes” answer to Requirement 3.3 means that any PANs displayed on paper show at most only the first six and last four digits.
If the merchant never displays or prints PAN on paper, the merchant should mark the “N/A” column and complete the “Explanation of Non-Applicability” worksheet in Appendix C.
Modified
p. 11
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A (e) Does all stored cardholder data meet the requirements defined in the data-retention policy? Examine files and system records Guidance: “Yes” answers for requirements at 3.1 mean that if a merchant stores any paper (for example, receipts or paper reports) that contain account data, the merchant only stores the paper as long as it is needed for business, legal, and/or regulatory reasons and destroys …
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A (e) Does all stored cardholder data meet the requirements defined in the data-retention policy? Examine files and system records Guidance: “Yes” answers for requirements at 3.1 mean that if a merchant stores any paper (for example, receipts or paper reports) that contain account data, the merchant only stores the paper as long as it is needed for business, legal, and/or regulatory reasons …
Removed
p. 13
Requirement 4: Encrypt transmission of cardholder data across open, public networks
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 4.2 (b) Are policies in place that state that unprotected PANs are not to be sent via end-user messaging technologies? Review policies and procedures Guidance: A “Yes” answer to Requirement 4.2 means that the merchant has a written document or policy for employees, so they know they cannot use e-mail, instant messaging or chat (or other end-user messaging technologies) to send PANs, for example, to other employees or to customers.
Modified
p. 14 → 12
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 9.5 Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? For purposes of Requirement 9, “media” refers to all paper and electronic media containing cardholder data.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 9.5 Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? For purposes of Requirement 9, “media” refers to all paper and electronic media containing cardholder data.
Modified
p. 15 → 13
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 9.9 Are devices that capture payment card data via direct physical interaction with the card protected against tampering and substitution as follows? Note: This requirement applies to card-reading devices used in card-present transactions (that is, card swipe or dip) at the point of sale. This requirement is not intended to apply to manual key-entry components such as computer keyboards and POS keypads.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 9.9 Are devices that capture payment card data via direct physical interaction with the card protected against tampering and substitution as follows? Note: This requirement applies to card-reading devices used in card-present transactions (that is, card swipe or dip) at the point of sale. This requirement is not intended to apply to manual key-entry components such as computer keyboards and POS keypads.
Modified
p. 16 → 14
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 9.9.2 (a) Are device surfaces periodically inspected to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device) as follows? Note: Examples of signs that a device might have been tampered with or substituted include unexpected attachments or cables plugged into …
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 9.9.2 (a) Are device surfaces periodically inspected to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device) as follows? Note: Examples of signs that a device might have been tampered with or substituted include unexpected attachments or cables …
Modified
p. 16 → 14
Interview personnel Observe inspection processes and compare to defined processes (b) Are personnel are aware of procedures for inspecting devices?
Interview personnel Observe inspection processes and compare to defined processes (b) Are personnel aware of procedures for inspecting devices?
Modified
p. 16 → 14
(a) Do training materials for personnel at point-of-sale locations include the following? Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices. Do not install, replace, or return devices without verification. Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices). Report suspicious behavior and indications of device tampering or substitution to appropriate personnel …
(a) Do training materials for personnel at point-of-sale locations include the following? Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices. Do not install, replace, or return devices without verification. Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices). Report suspicious behavior and indications of device tampering or substitution to appropriate …
Modified
p. 17 → 15
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A (b) Have personnel at point-of-sale locations received training, and are they aware of procedures to detect and report attempted tampering or replacement of devices? Interview personnel at POS locations Guidance: “Yes” answers to requirements at 9.9 mean the merchant has policies and procedures in place for Requirements 9.9.1 – 9.9.3, and that they maintain a current list of devices, conduct periodic device inspections, and train …
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A (b) Have personnel at point-of-sale locations received training, and are they aware of procedures to detect and report attempted tampering or replacement of devices? Interview personnel at POS Guidance: “Yes” answers to requirements at 9.9 mean the merchant has policies and procedures in place for Requirements 9.9.1 – 9.9.3, and that they maintain a current list of devices, conduct periodic device inspections, and …
Modified
p. 19 → 17
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 12.6 (a) Is a formal security awareness program in place to make all personnel aware of the importance of cardholder data security? Review security awareness program Guidance: A “Yes” answer for Requirement 12.6 means that the merchant has a security awareness program in place, consistent with the size and complexity of the merchant’s operations. For example, a simple awareness program could be a flyer …
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 12.6 (a) Is a formal security awareness program in place to make all personnel aware of the cardholder data security policy and procedures? Review security awareness program Guidance: A “Yes” answer for Requirement 12.6 means that the merchant has a security awareness program in place, consistent with the size and complexity of the merchant’s operations. For example, a simple awareness program could be a …
Modified
p. 24 → 22
Based on the results documented in the SAQ P2PE noted above, the signatories identified in Parts 3b-3d, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document (check one):
Removed
p. 25
Signature of ISA Date:
Modified
p. 25 → 23
Part 3c. QSA Acknowledgement (if applicable) If a QSA was involved or assisted with this assessment, describe the role performed:
Part 3c. Qualified Security Assessor (QSA) Acknowledgement (if applicable) If a QSA was involved or assisted with this assessment, describe the role performed:
Modified
p. 25 → 23
Part 3d. ISA Acknowledgement (if applicable) If a ISA was involved or assisted with this assessment, describe the role performed:
Part 3d. Internal Security Assessor (ISA) Involvement (if applicable) If an ISA(s) was involved or assisted with this assessment, identify the ISA personnel and describe the role performed:
Modified
p. 26 → 24
PCI DSS Requirement* Description of Requirement Compliance to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO 3 Protect stored cardholder data Encrypt transmission of cardholder data across open, public networks 9 Restrict physical access to cardholder data Maintain a policy that addresses information security for all personnel * PCI DSS Requirements indicated here refer to the questions in Section 2 of the SAQ.
PCI DSS Requirement* Description of Requirement Compliance to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO 3 Protect stored cardholder data 9 Restrict physical access to cardholder data Maintain a policy that addresses information security for all personnel * PCI DSS Requirements indicated here refer to the questions in Section 2 of the SAQ.