Document Comparison
AOC-SAQ_P2PE-v3_2_1-r2.pdf → PCI-DSS-v4-0-AOC-for-SAQ-P2PE-r1.pdf
46% similar
Pages: 9 → 10
Words: 1685 → 1910
Content Changes
35 content changes. 13 administrative changes (dates, page numbers) hidden.
Added
p. 2
This AOC reflects the results documented in an associated Self-Assessment Questionnaire (SAQ).
Capitalized terms used but not otherwise defined in this document have the meanings set forth in the PCI DSS Self-Assessment Questionnaire.
Part 1. Contact Information Part 1a. Assessed Merchant Company name:
Company mailing address:
Company mailing address:
Company main website:
Company contact name:
Company contact title:
Contact phone number:
Contact e-mail address:
Part 1b. Assessor Provide the following information for all assessors involved in the assessment. If there was no assessor for a given assessor type, enter Not Applicable.
PCI SSC Internal Security Assessor(s) ISA name(s):
Assessor phone number:
Assessor e-mail address:
Assessor certificate number:
Indicate all payment channels used by the business that are included in this assessment.
Mail order/telephone order (MOTO) Card-present Are any payment channels not included in this assessment? If yes, indicate which channel(s) is not included in the assessment and provide a brief explanation about why the channel was excluded.
Part 2b. Description of Role with Payment Cards For each …
Added
p. 4
Facility Type Total number of locations (How many locations of this type are in scope) Location(s) of facility (city, country) Example: Data centers 3 Boston, MA, USA Part 2e. PCI Validated P2PE Solution Provide the following information regarding the validated♦ PCI-listed P2PE solution used by the merchant:
P2PE Solution listing “Reference #”:
P2PE Solution “Reassessment Date”:
♦ P2PE solutions on the PCI list of Point-to-Point Solutions with Expired Validations are no longer considered “validated” per the P2PE Program Guide. Merchants using an expired P2PE solution should check with their acquirer or individual payment brands about acceptability of this SAQ.
• Store, process, or transmit account data on the merchant’s behalf (for example, payment gateways, payment processors, payment service providers (PSPs), and off-site storage)
• Manage system components included in the scope of the merchant’s PCI DSS assessment, for example, via network security control services, anti-malware services, security incident and event management (SIEM), contact and call …
Added
p. 6
PCI DSS Requirement * Requirement Responses More than one response may be selected for a given requirement.
Indicate all responses that apply.
In Place In Place with CCW Not Applicable Not in Place
* PCI DSS Requirements indicated above refer to the requirements in Section 2 of the SAQ associated with this AOC.
Any account data the merchant might retain is on paper (for example, printed reports or receipts), and these documents are not received electronically; The merchant has implemented all controls in the P2PE Instruction Manual (PIM) provided by the P2PE Solution Provider.
Target Date for Compliance: YYYY-MM-DD A merchant submitting this form with a Non-Compliant status may be required to complete the Action Plan in Part 4 of this document. Confirm with the entity to which this AOC will be submitted before completing Part 4.
Compliant but with Legal exception: One or more requirements in the PCI DSS SAQ are marked as Not in …
Added
p. 9
PCI DSS controls will be maintained at all times, as applicable to the merchant’s environment.
QSA performed testing procedures.
QSA provided other assistance.
If selected, describe all role(s) performed:
If selected, describe all role(s) performed:
Signature of Lead QSA Date: YYYY-MM-DD Lead QSA Name:
ISA(s) performed testing procedures.
ISA(s) provided other assistance.
Added
p. 10
If asked to complete this section, select the appropriate response for “Compliant to PCI DSS Requirements” for each requirement below. For any “No” responses, include the date the merchant expects to be compliant with the requirement and a brief description of the actions being taken to meet the requirement.
Removed
p. 3
Part 1. Merchant and Qualified Security Assessor Information Part 1a. Merchant Organization Information Company Name: DBA (Doing Business As):
Business Address City:
Business Address City:
State/Province: Country: ZIP:
State/Province: Country: ZIP:
Lead QSA Contact Name: Title:
Part 2. Executive Summary Part 2a: Type of merchant business (check all that apply):
Retailer Telecommunication Grocery and Supermarkets Petroleum Mail/Telephone-Order (MOTO) Others (please specify):
What types of payment channels does your business serve?
Mail order/telephone order (MOTO) E-Commerce Card-present (face-to-face) Which payment channels are covered by this SAQ? Mail order/telephone order (MOTO) E-Commerce Card-present (face-to-face)
Part 2b. Description of Payment Card Business
Modified
p. 3 → 2
Section 1: Assessment Information Instructions for Submission This document must be completed as a declaration of the results of the merchant’s self-assessment with the Payment Card Industry Data Security Standard (PCI DSS) Requirements and Security Assessment Procedures. Complete all sections. The merchant is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact your acquirer (merchant bank) or the payment brands to determine reporting and submission procedures.
Section 1: Assessment Information Instructions for Submission This document must be completed as a declaration of the results of the merchant’s self-assessment against the Payment Card Industry Data Security Standard (PCI DSS) Requirements and Testing Procedures. Complete all sections. The merchant is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact the entity(ies) to which the Attestation of Compliance (AOC) will be submitted for reporting and submission procedures.
Modified
p. 3 → 2
Qualified Security Assessor Company name:
Modified
p. 3
Note: If your organization has a payment channel or process that is not covered by this SAQ, consult your acquirer or payment brand about validation for the other channels.
Note: If the organization has a payment channel that is not covered by this SAQ, consult with the entity(ies) to which this AOC will be submitted about validation for the other channels.
Removed
p. 4
Type of facility Number of facilities of this type Location(s) of facility (city, country) Example: Retail outlets 3 Boston, MA, USA Part 2d. P2PE Solution Provide the following information regarding the validated PCI P2PE solution your organization uses:
Part 2e. Description of Environment Provide a high-level description of the environment covered by this assessment.
• Critical system components within the CDE, such as POS devices, databases, web servers, etc., and any other necessary payment components, as applicable.
Does your business use network segmentation to affect the scope of your PCI DSS environment? (Refer to Network Segmentation section of PCI DSS for guidance on network segmentation)
Modified
p. 4
Listed POI Devices used by Merchant (found under “PTS POI Devices Supported”):
Removed
p. 5
Description of services provided by QIR:
Does your company share cardholder data with any third-party service providers (for example, Qualified Integrator & Resellers (QIR), gateways, airline booking agents, loyalty program agents, etc.)? Name of service provider: Description of services provided:
Merchant verifies there is no legacy storage of electronic cardholder data in the environment.
If Merchant does store cardholder data, such data is only in paper reports or copies of paper receipts and is not received electronically, and Merchant has implemented all controls in the P2PE Instruction Manual (PIM) provided by the P2PE Solution Provider.
Modified
p. 5
Note: Requirement 12.8 applies to all entities listed in response to this question.
Note: Requirement 12.8 applies to all entities in this list.
Modified
p. 5 → 6
Part 2g. Eligibility to Complete SAQ P2PE Merchant certifies eligibility to complete this shortened version of the Self-Assessment Questionnaire because, for this payment channel:
Part 2h. Eligibility to Complete SAQ P2PE Merchant certifies eligibility to complete this Self-Assessment Questionnaire because, for this payment channel:
Modified
p. 5 → 6
All payment processing is via the validated PCI P2PE solution approved and listed by the PCI SSC (per above).
All payment processing is via a validated PCI-listed P2PE solution (per Part 2e above).
Modified
p. 5 → 6
The only systems in the merchant environment that store, process or transmit account data are the Point of Interaction (POI) devices that are approved for use with the validated and PCI-listed P2PE solution.
The only systems in the merchant environment that store, process or transmit account data are the payment terminals that are part of the validated* PCI-listed P2PE solution.
Modified
p. 5 → 6
The merchant does not otherwise receive, transmit, or store account data electronically.
Removed
p. 6
The assessment documented in this attestation and in the SAQ was completed on:
Have compensating controls been used to meet any requirement in the SAQ? Yes No Were any requirements in the SAQ identified as being not applicable (N/A)? Yes No Were any requirements in the SAQ unable to be met due to a legal constraint? Yes No
Modified
p. 6 → 7
Section 2: Self-Assessment Questionnaire P2PE This Attestation of Compliance reflects the results of a self-assessment, which is documented in an accompanying SAQ.
Section 2: Self-Assessment Questionnaire P2PE Self-assessment completion date: YYYY-MM-DD Were any requirements in the SAQ unable to be met due to a legal constraint? Yes No
Removed
p. 7
An entity submitting this form with a status of Non-Compliant may be required to complete the Action Plan in Part 4 of this document. Check with your acquirer or the payment brand(s) before completing Part 4, since not all payment brands require this section.
Compliant but with Legal exception: One or more requirements are marked “No” due to a legal restriction that prevents the requirement from being met. This option requires additional review from acquirer or payment brand.
If checked, complete the following:
I have read the PCI DSS and I recognize that I must maintain PCI DSS compliance, as applicable to my environment, at all times.
Modified
p. 7 → 8
Section 3: Validation and Attestation Details Part 3. PCI DSS Validation This AOC is based on results noted in SAQ P2PE (Section 2), dated (SAQ completion date).
Section 3: Validation and Attestation Details Part 3. PCI DSS Validation This AOC is based on results noted in SAQ P2PE (Section 2), dated (Self-assessment completion date YYYY-MM-DD).
Modified
p. 7 → 8
Based on the results documented in the SAQ P2PE noted above, the signatories identified in Parts 3b-3d, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document (check one):
Based on the results documented in the SAQ P2PE noted above, each signatory identified in any of Parts 3b−3d, as applicable, assert(s) the following compliance status for the merchant identified in Part 2 of this document.
Modified
p. 7 → 8
Compliant: All sections of the PCI DSS SAQ P2PE are complete, and all questions answered affirmatively, resulting in an overall COMPLIANT rating, thereby (Merchant Company Name) has demonstrated full compliance with the PCI DSS.
Compliant: All sections of the PCI DSS SAQ are complete and all requirements are marked as being either 1) In Place, 2) In Place with CCW, or 3) Not Applicable, resulting in an overall COMPLIANT rating; thereby (Merchant Company Name) has demonstrated compliance with all PCI DSS requirements included in this SAQ.
Modified
p. 7 → 8
Non-Compliant: Not all sections of the PCI DSS SAQ P2PE are complete, or not all questions are answered affirmatively, resulting in an overall NON-COMPLIANT rating, thereby (Merchant Company Name) has not demonstrated full compliance with the PCI DSS.
Non-Compliant: Not all sections of the PCI DSS SAQ are complete, or one or more requirements are marked as Not in Place, resulting in an overall NON-COMPLIANT rating; thereby (Merchant Company Name) has not demonstrated compliance with the PCI DSS requirements included in this SAQ.
Modified
p. 7 → 8
Affected Requirement Details of how legal constraint prevents requirement being met Part 3a. Acknowledgement of Status Signatory(s) confirms:
Affected Requirement Details of how legal constraint prevents requirement from being met
Modified
p. 7 → 9
(Select all that apply)
Modified
p. 7 → 9
PCI DSS Self-Assessment Questionnaire P2PE, Version (version of SAQ), was completed according to the instructions therein.
PCI DSS Self-Assessment Questionnaire P2PE, Version 4.0, was completed according to the instructions therein.
Modified
p. 7 → 9
All information within the above-referenced SAQ and in this attestation fairly represents the results of my assessment.
All information within the above-referenced SAQ and in this attestation fairly represents the results of the merchant’s assessment in all material respects.
Removed
p. 8
No evidence of full track data¹, CAV2, CVC2, CVN2, CVV, or CVV2 data², or PIN data³ was found on ANY system reviewed during this assessment.
Modified
p. 8 → 9
Part 3b. Merchant Attestation Signature of Merchant Executive Officer Date:
Part 3b. Merchant Attestation Signature of Merchant Executive Officer Date: YYYY-MM-DD Merchant Executive Officer Name: Title:
Modified
p. 8 → 9
Part 3c. Qualified Security Assessor (QSA) Acknowledgement (if applicable) If a QSA was involved or assisted with this assessment, describe the role performed:
Part 3c. Qualified Security Assessor (QSA) Acknowledgement If a QSA was involved or assisted with this assessment, indicate the role performed:
Modified
p. 8 → 9
Signature of Duly Authorized Officer of QSA Company Date:
Signature of Duly Authorized Officer of QSA Company Date: YYYY-MM-DD Duly Authorized Officer Name: QSA Company:
Modified
p. 8 → 9
Part 3d. Internal Security Assessor (ISA) Involvement (if applicable) If an ISA(s) was involved or assisted with this assessment, identify the ISA personnel and describe the role performed:
Part 3d. PCI SSC Internal Security Assessor (ISA) Involvement If an ISA(s) was involved or assisted with this assessment, indicate the role performed:
Removed
p. 9
Check with your acquirer or the payment brand(s) before completing Part 4, since not all payment brands require this section.
Modified
p. 9 → 10
PCI DSS Requirement* | Description of Requirement | Compliance to PCI DSS Requirements (Select One: YES / NO) | Remediation Date and Actions (If “NO” selected for any Requirement)
3 | Protect stored cardholder data
9 | Restrict physical access to cardholder data
 | Maintain a policy that addresses information security for all personnel
* PCI DSS Requirements indicated here refer to the questions in Section 2 of the SAQ.
PCI DSS Requirement* | Description of Requirement | Compliant to PCI DSS Requirements (Select One: YES / NO) | Remediation Date and Actions (If “NO” selected for any Requirement)
3 | Protect stored account data
9 | Restrict physical access to cardholder data
12 | Support information security with organizational policies and programs
* PCI DSS Requirements indicated above refer to the requirements in Section 2 of the SAQ associated with this AOC.