Document Comparison
PCI-DSS-v3_2-SAQ-D_Merchant-rev1_1.pdf
→
PCI-DSS-v3-2-1-SAQ-D-Merchant-r2.pdf
90% similar
85 → 86
Pages
21191 → 21131
Words
264
Content Changes
Content Changes
264 content changes. 43 administrative changes (dates, page numbers) hidden.
Added
p. 2
This document aligns with PCI DSS v3.2.1 r1.
• Merchants with electronic storage of cardholder data
• Merchants that don’t store cardholder data electronically but that do not meet the criteria of another SAQ type
• Section 1 (Parts 1 & 2 of the AOC)
• Section 3 (Parts 3 & 4 of the AOC)
• Guidance on Scoping
• Guidance on the intent of all PCI DSS Requirements
• Details of testing procedures
• Guidance on Compensating Controls SAQ Instructions and Guidelines documents
• Information about all SAQs and their eligibility criteria
• How to determine which SAQ is right for your organization
• Descriptions and definitions of terms used in the PCI DSS and self-assessment questionnaires These and other resources can be found on the PCI SSC website (www.pcisecuritystandards.org). Organizations are encouraged to review the PCI DSS and other supporting documents before beginning an assessment.
• Merchants with electronic storage of cardholder data
• Merchants that don’t store cardholder data electronically but that do not meet the criteria of another SAQ type
• Section 1 (Parts 1 & 2 of the AOC)
• Section 3 (Parts 3 & 4 of the AOC)
• Guidance on Scoping
• Guidance on the intent of all PCI DSS Requirements
• Details of testing procedures
• Guidance on Compensating Controls SAQ Instructions and Guidelines documents
• Information about all SAQs and their eligibility criteria
• How to determine which SAQ is right for your organization
• Descriptions and definitions of terms used in the PCI DSS and self-assessment questionnaires These and other resources can be found on the PCI SSC website (www.pcisecuritystandards.org). Organizations are encouraged to review the PCI DSS and other supporting documents before beginning an assessment.
Added
p. 12
• Observe network configurations to verify that a firewall(s) is in place.
Is the current network diagram consistent with the firewall configuration standards?
• Compare firewall configuration standards to current network diagram.
Is the current network diagram consistent with the firewall configuration standards?
• Compare firewall configuration standards to current network diagram.
Added
p. 12
(b) Are firewall and router rule sets reviewed at least every six months?
• Examine documentation from firewall reviews.
• Examine router configuration files and router configurations.
• Network Address Translation (NAT)
• Placing servers containing cardholder data behind proxy servers/firewalls,
• Removal or filtering of route advertisements for private networks that employ registered addressing,
• Internal use of RFC1918 address space instead of registered addresses.
• Examine mobile and/or employee- owned devices.
• Examine mobile and/or employee- owned devices.
(b) Is the personal firewall software (or equivalent functionality) configured to specific configuration settings, actively running, and not alterable by users of mobile and/or employee-owned devices?
• Review policies and configuration standards.
• Examine documentation from firewall reviews.
• Examine router configuration files and router configurations.
• Network Address Translation (NAT)
• Placing servers containing cardholder data behind proxy servers/firewalls,
• Removal or filtering of route advertisements for private networks that employ registered addressing,
• Internal use of RFC1918 address space instead of registered addresses.
• Examine mobile and/or employee- owned devices.
• Examine mobile and/or employee- owned devices.
(b) Is the personal firewall software (or equivalent functionality) configured to specific configuration settings, actively running, and not alterable by users of mobile and/or employee-owned devices?
• Review policies and configuration standards.
Added
p. 16
• Observe system configurations and account settings.
Are unnecessary default accounts removed or disabled before installing a system on the network?
• Review policies and procedures.
Are unnecessary default accounts removed or disabled before installing a system on the network?
• Review policies and procedures.
Added
p. 16
• Examine system configurations and account settings.
Added
p. 17
• Review system configuration standards.
• Review industry-accepted hardening standards.
• Review industry-accepted hardening standards.
Added
p. 19
• Compare enabled services, etc. to documented justifications.
• Examine security parameter settings.
• Compare settings to system configuration standards.
• Examine security parameters on system components.
• Examine security parameters on system components.
(a) Is all non-console administrative access encrypted with strong cryptography, and is a strong encryption method invoked before the administrator’s password is requested?
• Examine system components.
• Observe an administrator log on.
• Observe an administrator log on.
(b) Is the documented inventory kept current?
• Interview personnel.
• Known to all affected parties?
• Review security policies and operational procedures.
• Examine deletion mechanism.
• Examine retention requirements.
• Observe deletion processes.
• Examine security parameter settings.
• Compare settings to system configuration standards.
• Examine security parameters on system components.
• Examine security parameters on system components.
(a) Is all non-console administrative access encrypted with strong cryptography, and is a strong encryption method invoked before the administrator’s password is requested?
• Examine system components.
• Observe an administrator log on.
• Observe an administrator log on.
(b) Is the documented inventory kept current?
• Interview personnel.
• Known to all affected parties?
• Review security policies and operational procedures.
• Examine deletion mechanism.
• Examine retention requirements.
• Observe deletion processes.
Added
p. 21
• Review documented business justification.
(c) For all other entities: Is sensitive authentication data deleted or rendered unrecoverable upon completion of the authorization process?
• Review policies and procedures.
• Examine deletion processes.
• The cardholder’s name,
• Primary account number (PAN),
• Expiration date, and
(c) For all other entities: Is sensitive authentication data deleted or rendered unrecoverable upon completion of the authorization process?
• Review policies and procedures.
• Examine deletion processes.
• The cardholder’s name,
• Primary account number (PAN),
• Expiration date, and
Added
p. 23
• Review roles that need access to displays of full PAN.
• Observe displays of PAN.
• Truncation (hashing cannot be used to replace the truncated segment of PAN)
• Index tokens and pads (pads must be securely stored)
• Strong cryptography with associated key management processes and procedures.
• Examine data repositories.
• Examine removable media.
• Examine audit logs, including payment application logs.
• Observe the authentication process.
• Observe displays of PAN.
• Truncation (hashing cannot be used to replace the truncated segment of PAN)
• Index tokens and pads (pads must be securely stored)
• Strong cryptography with associated key management processes and procedures.
• Examine data repositories.
• Examine removable media.
• Examine audit logs, including payment application logs.
• Observe the authentication process.
Added
p. 25
• Within a secure cryptographic device (such as a hardware (host) security module (HSM) or PTS- approved point-of-interaction device)
• As at least two full-length key components or key shares, in accordance with an industry-accepted method.
• Review documented procedures.
• As at least two full-length key components or key shares, in accordance with an industry-accepted method.
• Review documented procedures.
Added
p. 26
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.5.4 Are cryptographic keys stored in the fewest possible locations?
• Examine key-storage locations.
• Observe key-generation procedures.
• Observe the key-distribution method.
• Examine key-storage locations.
• Observe key-generation procedures.
• Observe the key-distribution method.
Added
p. 26
• Observe the method for secure storage of keys.
• Review key-management procedures.
• Interview personnel and/or.
• Review documented standards.
• Review all locations where CHD is transmitted or received.
(b) Are only trusted keys and/or certificates accepted?
• Observe inbound and outbound transmissions.
• Examine keys and certificates.
(c) Are security protocols implemented to use only secure configurations, and to not support insecure versions or configurations?
• Examine system configurations.
• Cardholder data is only requested if “HTTPS” appears as part of the URL.
• Review wireless networks.
• Review key-management procedures.
• Interview personnel and/or.
• Review documented standards.
• Review all locations where CHD is transmitted or received.
(b) Are only trusted keys and/or certificates accepted?
• Observe inbound and outbound transmissions.
• Examine keys and certificates.
(c) Are security protocols implemented to use only secure configurations, and to not support insecure versions or configurations?
• Examine system configurations.
• Cardholder data is only requested if “HTTPS” appears as part of the URL.
• Review wireless networks.
Added
p. 31
• Examine anti-virus configurations, including the master installation.
Added
p. 31
(b) Are automatic updates and periodic scans enabled and being performed?
• Examine anti-virus configurations, including the master installation.
• Review log retention processes.
• Examine anti-virus configurations.
• Using reputable outside sources for vulnerability information?
• Compare list of security patches installed to recent vendor patch lists.
• Examine anti-virus configurations, including the master installation.
• Review log retention processes.
• Examine anti-virus configurations.
• Using reputable outside sources for vulnerability information?
• Compare list of security patches installed to recent vendor patch lists.
Added
p. 34
(c) Are software applications developed in accordance with PCI DSS (for example, secure authentication and logging)?
• Review software development processes.
• Examine recent changes and change records.
• Examine network documentation and network device configurations.
• Examine access control settings.
• Review software development processes.
• Examine recent changes and change records.
• Examine network documentation and network device configurations.
• Examine access control settings.
Added
p. 36
• Examine production systems.
• Review change control processes and procedures.
Are the following performed and documented for all 6.4.5.1 Documentation of impact?
• Trace changes to change control documentation.
• Review change control processes and procedures.
Are the following performed and documented for all 6.4.5.1 Documentation of impact?
• Trace changes to change control documentation.
Added
p. 37
• Observe affected systems or networks.
• Examine training records.
• Examine software-development policies and procedures.
• Examine training records.
• Examine software-development policies and procedures.
Added
p. 40
• Review documented processes.
• Examine records of application security assessments.
• Examine written access control policy.
• Interview management.
• Review privileged user IDs.
• Compare assigned privileges with documented approvals.
• Examine records of application security assessments.
• Examine written access control policy.
• Interview management.
• Review privileged user IDs.
• Compare assigned privileges with documented approvals.
Added
p. 44
• Examine privileged and general user IDs and associated authorizations.
• Observe system settings.
• Observe system settings.
Added
p. 44
• Examine terminated users accounts.
• Review current access lists.
• Observe returned physical authentication devices.
• Review current access lists.
• Observe returned physical authentication devices.
Added
p. 44
• Observe user accounts.
• Something you have, such as a token device or smart card
• Something you are, such as a biometric
• Review password procedures.
• Observe authentication processes.
• Something you have, such as a token device or smart card
• Something you are, such as a biometric
• Review password procedures.
• Observe authentication processes.
Added
p. 45
• Observe password files.
• Observe data transmissions.
• Sample system components.
• Observe security personnel.
• Observe administrator logging into CDE.
• Observe personnel connecting remotely.
• Review distribution method.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 8.4 (cont.) Do authentication policies and procedures include the following? - Guidance on selecting strong authentication credentials
- Guidance for how users should protect their authentication credentials
- Instructions not to reuse previously used passwords
- Instructions that users should change passwords if there is any suspicion the password could be compromised
• Review documentation provided to users.
• Generic user IDs and accounts are disabled or removed;
• Shared user IDs for system administration activities and other critical functions do not exist; and
• Shared and generic user IDs are not used to administer any system components?
• Review policies and procedures.
• Examine user ID lists.
• Physical and/or logical controls must be in place …
• Observe data transmissions.
• Sample system components.
• Observe security personnel.
• Observe administrator logging into CDE.
• Observe personnel connecting remotely.
• Review distribution method.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 8.4 (cont.) Do authentication policies and procedures include the following? - Guidance on selecting strong authentication credentials
- Guidance for how users should protect their authentication credentials
- Instructions not to reuse previously used passwords
- Instructions that users should change passwords if there is any suspicion the password could be compromised
• Review documentation provided to users.
• Generic user IDs and accounts are disabled or removed;
• Shared user IDs for system administration activities and other critical functions do not exist; and
• Shared and generic user IDs are not used to administer any system components?
• Review policies and procedures.
• Examine user ID lists.
• Physical and/or logical controls must be in place …
Added
p. 50
• Observe data storage.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.1.3 Is physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines restricted?
• Review policies and procedures.
• Observe identification methods (e.g. badges).
• Observe visitor processes.
• Upon termination, are all physical access mechanisms, such as keys, access cards, etc., returned or disabled?
• Interview personnel.
• Examine access control lists.
• Observe onsite personnel.
• Compare lists of terminated employees to access control lists.
• Observe visitor processes.
• Observe visitor processes including how access is controlled.
• Observe visitors and badge use.
• Examine identification.
• Examine identification.
Do visitor badges or other identification expire?
• Observe process.
• Examine the visitor log.
• Examine the visitor log.
• Examine log retention.
(c) Is the visitor log retained for at least three months?
• Review policies and procedures.
• Examine visitor log retention.
• Review policies and procedures for physically securing media.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.1.3 Is physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines restricted?
• Review policies and procedures.
• Observe identification methods (e.g. badges).
• Observe visitor processes.
• Upon termination, are all physical access mechanisms, such as keys, access cards, etc., returned or disabled?
• Interview personnel.
• Examine access control lists.
• Observe onsite personnel.
• Compare lists of terminated employees to access control lists.
• Observe visitor processes.
• Observe visitor processes including how access is controlled.
• Observe visitors and badge use.
• Examine identification.
• Examine identification.
Do visitor badges or other identification expire?
• Observe process.
• Examine the visitor log.
• Examine the visitor log.
• Examine log retention.
(c) Is the visitor log retained for at least three months?
• Review policies and procedures.
• Examine visitor log retention.
• Review policies and procedures for physically securing media.
Added
p. 53
• Examine media distribution tracking logs and documentation.
• Examine media distribution tracking logs and documentation.
Are periodic media inventories conducted at least annually?
• Examine inventory logs.
• Examine procedures.
• Examine the list of devices.
(b) Is the list accurate and up to date?
• Observe devices and device locations and compare to list.
(c) Is the list of devices updated when devices are added, relocated, decommissioned, etc.?
• Interview personnel.
• Observe inspection processes and compare to defined processes.
• Review training materials.
Is access to system components linked to individual users?
• Interview system administrator.
• Examine media distribution tracking logs and documentation.
Are periodic media inventories conducted at least annually?
• Examine inventory logs.
• Examine procedures.
• Examine the list of devices.
(b) Is the list accurate and up to date?
• Observe devices and device locations and compare to list.
(c) Is the list of devices updated when devices are added, relocated, decommissioned, etc.?
• Interview personnel.
• Observe inspection processes and compare to defined processes.
• Review training materials.
Is access to system components linked to individual users?
• Interview system administrator.
Added
p. 60
• Review time configuration standards and processes.
Added
p. 62
• Review security policies and procedures.
Are the above logs and security events reviewed at least daily?
• Interview personnel.
Are audit logs retained for at least one year?
• Interview personnel.
• Examine audit logs.
(c) Are at least the last three months’ logs immediately available for analysis?
• Interview personnel.
Are the above logs and security events reviewed at least daily?
• Interview personnel.
Are audit logs retained for at least one year?
• Interview personnel.
• Examine audit logs.
(c) Are at least the last three months’ logs immediately available for analysis?
• Interview personnel.
Added
p. 64
• Evaluate the methodology.
(c) If wireless scanning is utilized to identify authorized and unauthorized wireless access points, is the scan performed at least quarterly for all system components and facilities?
• Examine output from recent wireless scans.
• Inspect recent wireless scans and related responses.
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A Not Tested 11.2.1 (a) Are quarterly internal vulnerability scans performed?
• Review scan reports.
• Review results from the four most recent quarters of external vulnerability scans.
(c) Are quarterly external vulnerability scans performed by a PCI SSC Approved Scanning Vendor (ASV?
• Review results of each external quarterly scan and rescan.
(c) If wireless scanning is utilized to identify authorized and unauthorized wireless access points, is the scan performed at least quarterly for all system components and facilities?
• Examine output from recent wireless scans.
• Inspect recent wireless scans and related responses.
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A Not Tested 11.2.1 (a) Are quarterly internal vulnerability scans performed?
• Review scan reports.
• Review results from the four most recent quarters of external vulnerability scans.
(c) Are quarterly external vulnerability scans performed by a PCI SSC Approved Scanning Vendor (ASV?
• Review results of each external quarterly scan and rescan.
Added
p. 67
• Includes coverage for the entire CDE perimeter and critical systems
• Includes testing from both inside and outside the network
• Includes testing to validate any segmentation and scope-reduction controls
• Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
• Defines network-layer penetration tests to include components that support network functions as well as operating systems
• Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
• Specifies retention of penetration testing results and remediation activities results
• Examine penetration-testing methodology.
• Examine results from the most recent external penetration test.
• Includes testing from both inside and outside the network
• Includes testing to validate any segmentation and scope-reduction controls
• Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
• Defines network-layer penetration tests to include components that support network functions as well as operating systems
• Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
• Specifies retention of penetration testing results and remediation activities results
• Examine penetration-testing methodology.
• Examine results from the most recent external penetration test.
Added
p. 68
• Examine results from the most recent internal penetration test.
• Review penetration-testing methodology.
- Covers all segmentation controls/methods in use.
- Verifies that segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.
• Examine results from the most recent penetration test.
• Examine network diagrams.
(c) Are all intrusion-detection and prevention engines, baselines, and signatures kept up-to-date?
• Examine IDS/IPS configurations.
• Application executables
• Configuration and parameter files
• Centrally stored, historical or archived, log, and audit files
• Additional critical files determined by entity (for example, through risk assessment or other means)
• Observe system settings and monitored files.
• Observe system settings and monitored files.
• Review results from monitoring activities.
• Review annual risk assessment process.
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A Not Tested 12.3.1 Explicit approval by authorized parties to use the technologies?
• Review usage policies.
• Review penetration-testing methodology.
- Covers all segmentation controls/methods in use.
- Verifies that segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.
• Examine results from the most recent penetration test.
• Examine network diagrams.
(c) Are all intrusion-detection and prevention engines, baselines, and signatures kept up-to-date?
• Examine IDS/IPS configurations.
• Application executables
• Configuration and parameter files
• Centrally stored, historical or archived, log, and audit files
• Additional critical files determined by entity (for example, through risk assessment or other means)
• Observe system settings and monitored files.
• Observe system settings and monitored files.
• Review results from monitoring activities.
• Review annual risk assessment process.
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A Not Tested 12.3.1 Explicit approval by authorized parties to use the technologies?
• Review usage policies.
Added
p. 74
• Review usage policies.
• Interview a sample of responsible personnel.
• Interview a sample of responsible personnel.
Added
p. 75
• Review security awareness program.
• Review security awareness program procedures.
• Review security awareness program attendance records.
(b) Are personnel educated upon hire and at least annually?
• Examine security awareness program procedures and documentation.
• Interview Human Resource department management.
• Review list of service providers.
• Observe written agreements.
• Review security awareness program procedures.
• Review security awareness program attendance records.
(b) Are personnel educated upon hire and at least annually?
• Examine security awareness program procedures and documentation.
• Interview Human Resource department management.
• Review list of service providers.
• Observe written agreements.
Added
p. 78
• Review incident response plan procedures.
- Specific incident response procedures?
• Review incident response plan procedures.
- Business recovery and continuity procedures?
• Review incident response plan procedures.
- Data backup processes?
• Review incident response plan procedures.
- Analysis of legal requirements for reporting compromises?
• Review incident response plan procedures.
- Coverage and responses of all critical system components?
• Review incident response plan procedures.
- Specific incident response procedures?
• Review incident response plan procedures.
- Business recovery and continuity procedures?
• Review incident response plan procedures.
- Data backup processes?
• Review incident response plan procedures.
- Analysis of legal requirements for reporting compromises?
• Review incident response plan procedures.
- Coverage and responses of all critical system components?
• Review incident response plan procedures.
Added
p. 80
Note: This requirement is intended to apply to the entity with the POS POI terminal, such as a merchant. This requirement is not intended for service providers who serve as the termination or connection point to those POS POI terminals. Requirements A2.2 and A2.3 apply to POS POI service providers.
• Review documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS.
A2.2 This requirement applies only to service providers.
A2.3 This requirement applies only to service providers.
• Review documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS.
A2.2 This requirement applies only to service providers.
A2.3 This requirement applies only to service providers.
Added
p. 86
Do not use vendor-supplied defaults for system passwords and other security parameters.
Added
p. 86
Appendix A2 Additional PCI DSS Requirements for Entities using SSL/Early TLS for Card- Present POS POI Terminal Connections.
Modified
p. 1
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Merchants All other SAQ-Eligible Merchants For use with PCI DSS Version 3.2 Revision 1.1
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Merchants All other SAQ-Eligible Merchants For use with PCI DSS Version 3.2.1 Revision 2
Removed
p. 4
Section 2
• PCI DSS Self-Assessment Questionnaire (SAQ D) Section 3 (Parts 3 & 4 of the AOC)
• Validation and Attestation Details and Action Plan for Non- Compliant Requirements (if applicable)
(PCI Data Security Standard Requirements and Security Assessment Procedures) Guidance on Scoping Guidance on the intent of all PCI DSS Requirements Details of testing procedures Guidance on Compensating Controls SAQ Instructions and Guidelines documents Information about all SAQs and their eligibility criteria How to determine which SAQ is right for your organization
• PCI DSS Self-Assessment Questionnaire (SAQ D) Section 3 (Parts 3 & 4 of the AOC)
• Validation and Attestation Details and Action Plan for Non- Compliant Requirements (if applicable)
(PCI Data Security Standard Requirements and Security Assessment Procedures) Guidance on Scoping Guidance on the intent of all PCI DSS Requirements Details of testing procedures Guidance on Compensating Controls SAQ Instructions and Guidelines documents Information about all SAQs and their eligibility criteria How to determine which SAQ is right for your organization
Modified
p. 4
• E-commerce merchants who accept cardholder data on their website
Modified
p. 4
• Merchants with environments that might meet the criteria of another SAQ type, but that have additional PCI DSS requirements applicable to their environment While many organizations completing SAQ D will need to validate compliance with every PCI DSS requirement, some organizations with very specific business models may find that some requirements do not apply. See the guidance below for information about the exclusion of certain, specific requirements.
Modified
p. 4
PCI DSS Self-Assessment Completion Steps
• PCI DSS Self-Assessment Questionnaire (SAQ D)
Modified
p. 4
• refer
PCI DSS Self-Assessment Completion Steps (a) Identify the applicable SAQ for your environment⎯refer to the Self-Assessment Questionnaire Instructions and Guidelines document on PCI SSC website for information.
Modified
p. 4
(b) Confirm that your environment is properly scoped and meets the eligibility criteria for the SAQ you are using.
Modified
p. 4
(c) Assess your environment for compliance with PCI DSS requirements.
Modified
p. 4
(d) Complete all sections of this document:
Modified
p. 4
• Assessment Information and Executive
• Assessment Information and Executive Summary
Modified
p. 4
•such as ASV scan reports
•to your acquirer, payment
• Validation and Attestation Details and Action Plan for Non- Compliant Requirements (if applicable) (e) Submit the SAQ and Attestation of Compliance (AOC), along with any other requested documentation
•such as ASV scan reports
•to your acquirer, payment brand, or other requester.
•such as ASV scan reports
•to your acquirer, payment brand, or other requester.
Modified
p. 4 → 5
PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms Descriptions and definitions of terms used in the PCI DSS and self-assessment questionnaires
PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms
Modified
p. 6
• The questions specific to securing wireless technologies (for example, Requirements 1.2.3, 2.1.1, and 4.1.1) only need to be answered if wireless is present anywhere in your network. Note that Requirement 11.1 (use of processes to identify unauthorized wireless access points) must still be answered even if you don’t use wireless technologies in your network, since the process detects any rogue or unauthorized devices that may have been added without your knowledge.
Modified
p. 6
• The questions specific to application development and secure coding (Requirements 6.3 and 6.5) only need to be answered if your organization develops its own custom applications.
Modified
p. 6
• The questions for Requirements 9.1.1 and 9.3 only need to be answered for facilities with “sensitive areas” as defined here: “Sensitive areas” refers to any data center, server room, or any area that houses systems that store, process, or transmit cardholder data. This excludes the areas where only point-of-sale terminals are present, such as the cashier areas in a retail store, but does include retail store back-office server rooms that store cardholder data, and storage areas for large quantities …
Modified
p. 6 → 7
• An organization may be asked by their acquirer to validate a subset of requirements
•for example: using the prioritized approach to validate certain milestones.
•for example: using the prioritized approach to validate certain milestones.
Modified
p. 6 → 7
• An organization may wish to validate a new security control that impacts only a subset of requirements
•for example, implementation of a new encryption methodology that requires assessment of PCI DSS Requirements 2, 3, and 4.
•for example, implementation of a new encryption methodology that requires assessment of PCI DSS Requirements 2, 3, and 4.
Modified
p. 6 → 7
• A service provider organization might offer a service which covers only a limited number of PCI DSS requirements
•for example, a physical storage provider may only wish to validate the physical security controls per PCI DSS Requirement 9 for their storage facility.
•for example, a physical storage provider may only wish to validate the physical security controls per PCI DSS Requirement 9 for their storage facility.
Modified
p. 7 → 8
Section 1: Assessment Information Instructions for Submission This document must be completed as a declaration of the results of the merchant’s self-assessment with the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS). Complete all sections: The merchant is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact acquirer (merchant bank) or the payment brands to determine reporting and submission procedures.
Section 1: Assessment Information Instructions for Submission This document must be completed as a declaration of the results of the merchant’s self-assessment with the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS). Complete all sections: The merchant is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact your acquirer (merchant bank) or the payment brands to determine reporting and submission procedures.
Modified
p. 8 → 9
Type of facility Number of facilities of this type Location(s) of facility (city, country) Example: Retail outlets 3 Boston, MA, USA Part 2d. Payment Application Does the organization use one or more Payment Applications? Yes No Provide the following information regarding the Payment Applications your organization uses:
Type of facility Number of facilities of this type Location(s) of facility (city, country) Example: Retail outlets 3 Boston, MA, USA Part 2d. Payment Applications Does the organization use one or more Payment Applications? Yes No Provide the following information regarding the Payment Applications your organization uses:
Modified
p. 8 → 9
Does your business use network segmentation to affect the scope of your PCI DSS environment? (Refer to “Network Segmentation” section of PCI DSS for guidance on network segmentation)
Does your business use network segmentation to affect the scope of your PCI DSS environment? (Refer to “Network Segmentation” section of PCI DSS for guidance on network segmentation.)
Modified
p. 10 → 11
(b) Is there a process to ensure the diagram is kept current? • Interview personnel.
Modified
p. 10 → 11
(b) Is there a process to ensure the diagram is kept current? Interview personnel
(b) Is there a process to ensure the diagram is kept current? • Interview responsible personnel.
Removed
p. 11
Review firewall configuration standards Observe network configurations to verify that a firewall(s) is in place (b) Is the current network diagram consistent with the firewall configuration standards?
Modified
p. 11 → 12
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 1.1.4 (a) Is a firewall required and implemented at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 1.1.4 (a) Is a firewall required and implemented at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone? • Review firewall configuration standards.
Modified
p. 11 → 12
Are all insecure services, protocols, and ports identified, and are security features documented and implemented for each identified service? • Review firewall and router configuration standards.
Modified
p. 12 → 13
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 1.2.1 (a) Is inbound and outbound traffic restricted to that which is necessary for the cardholder data environment?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 1.2.1 (a) Is inbound and outbound traffic restricted to that which is necessary for the cardholder data environment? • Review firewall and router configuration standards.
Modified
p. 12 → 13
Is all other inbound and outbound traffic specifically denied (for example by using an explicit “deny all” or an implicit deny after allow statement)? • Review firewall and router configuration standards.
Removed
p. 13
Network Address Translation (NAT) Placing servers containing cardholder data behind proxy servers/firewalls, Removal or filtering of route advertisements for private networks that employ registered addressing, Internal use of RFC1918 address space instead of registered addresses.
Modified
p. 13 → 14
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 1.3.4 Is outbound traffic from the cardholder data environment to the Internet explicitly authorized?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 1.3.4 Is outbound traffic from the cardholder data environment to the Internet explicitly authorized? • Examine firewall and router configurations.
Modified
p. 13 → 14
Is any disclosure of private IP addresses and routing information to external entities authorized? • Examine firewall and router configurations.
Modified
p. 13 → 15
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 1.4 Is personal firewall software (or equivalent functionality) installed and active on any portable computing devices (including company and/or employee-owned) that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the CDE? • Review policies and configuration standards.
Removed
p. 14
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (b) Is the personal firewall software (or equivalent functionality) configured to specific configuration settings, actively running, and not alterable by users of mobile and/or employee-owned devices? Review policies and configuration standards Examine mobile and/or employee- owned devices 1.5 Are security policies and operational procedures for managing firewalls:
Removed
p. 15
Review policies and procedures Examine vendor documentation Observe system configurations and account settings Interview personnel (b) Are unnecessary default accounts removed or disabled before installing a system on the network? Review policies and procedures Review vendor documentation Examine system configurations and account settings Interview personnel 2.1.1 For wireless environments connected to the cardholder data environment or transmitting cardholder data, are ALL wireless vendor defaults changed at installations, as follows:
Modified
p. 15 → 16
(a) Are encryption keys changed from default at installation, and changed anytime anyone with knowledge of the keys leaves the company or changes positions?
(a) Are encryption keys changed from default at installation, and changed anytime anyone with knowledge of the keys leaves the company or changes positions? • Review policies and procedures.
Modified
p. 15 → 16
(b) Are default SNMP community strings on wireless devices changed at installation? • Review policies and procedures.
Modified
p. 15 → 16
(c) Are default passwords/passphrases on access points changed at installation? • Review policies and procedures.
Modified
p. 16 → 17
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (d) Is firmware on wireless devices updated to support strong encryption for authentication and transmission over wireless networks?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 2.1.1 (cont.) (d) Is firmware on wireless devices updated to support strong encryption for authentication and transmission over wireless networks? • Review policies and procedures.
Modified
p. 16 → 17
(e) Are other security-related wireless vendor defaults changed, if applicable? • Review policies and procedures.
Modified
p. 16 → 17
(b) Are system configuration standards updated as new vulnerability issues are identified, as defined in Requirement 6.1? • Review policies and procedures.
Modified
p. 16 → 17
(c) Are system configuration standards applied when new systems are configured? • Review policies and procedures.
Modified
p. 17 → 18
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 2.2 (cont.) (d) Do system configuration standards include all of the following: - Changing of all vendor-supplied defaults and elimination of unnecessary default accounts? - Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same server? - Enabling only necessary services, protocols, daemons, etc., as required for the function of the …
Modified
p. 17 → 18
If virtualization technologies are used, is only one primary function implemented per virtual system component or device? • Examine system configurations.
Modified
p. 17 → 20
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (d) Do system configuration standards include all of the following:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 2.2.5 (cont.) (c) Is only documented functionality present on system components?
• Review documentation.
• Review documentation.
Modified
p. 18 → 19
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 2.2.2 (a) Are only necessary services, protocols, daemons, etc. enabled as required for the function of the system (services and protocols not directly needed to perform the device’s specified function are disabled)?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 2.2.2 (a) Are only necessary services, protocols, daemons, etc. enabled as required for the function of the system (services and protocols not directly needed to perform the device’s specified function are disabled)? • Review configuration standards.
Modified
p. 18 → 19
(b) Are all enabled insecure services, daemons, or protocols justified per documented configuration standards? • Review configuration standards
Modified
p. 18 → 19
Are common system security parameters settings included in the system configuration standards? • Review system configuration standards.
Modified
p. 18 → 19
(c) Are security parameter settings set appropriately on system components? • Examine system components.
Modified
p. 18 → 19
Are enabled functions documented and do they support secure configuration? • Review documentation.
Removed
p. 19
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (c) Is only documented functionality present on system components? Review documentation Examine security parameters on system components 2.3 Is non-console administrative access encrypted as follows:
Note: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed (a) Is all non-console administrative access encrypted with strong cryptography, and is a strong encryption method invoked before the administrator’s password is requested?
Examine system inventory (b) Is the documented inventory kept current? Interview personnel 2.5 Are security policies and operational procedures for managing vendor defaults and other security parameters: Documented In use Known to all affected parties? Review security policies and operational procedures Interview personnel 2.6 This requirement applies only to service providers.
Note: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed (a) Is all non-console administrative access encrypted with strong cryptography, and is a strong encryption method invoked before the administrator’s password is requested?
Examine system inventory (b) Is the documented inventory kept current? Interview personnel 2.5 Are security policies and operational procedures for managing vendor defaults and other security parameters: Documented In use Known to all affected parties? Review security policies and operational procedures Interview personnel 2.6 This requirement applies only to service providers.
Modified
p. 19 → 20
(b) Are system services and parameter files configured to prevent the use of Telnet and other insecure remote login commands? • Examine system components.
Modified
p. 19 → 20
• Examine services and file.s (c) Is administrator access to web-based management interfaces encrypted with strong cryptography? • Examine system components.
Modified
p. 19 → 20
(d) For the technology in use, is strong cryptography implemented according to industry best practice and/or vendor recommendations? • Examine system components.
Modified
p. 20 → 21
(a) Is data storage amount and retention time limited to that required for legal, regulatory, and/or business requirements?
(a) Is data storage amount and retention time limited to that required for legal, regulatory, and/or business requirements? • Review data retention and disposal policies and procedures.
Modified
p. 20 → 21
(b) Are there defined processes in place for securely deleting cardholder data when no longer needed for legal, regulatory, and/or business reasons? • Review policies and procedures.
Modified
p. 20 → 21
(c) Are there specific retention requirements for cardholder data? For example, cardholder data needs to be held for X period for Y business reasons.
Modified
p. 20 → 21
(d) Is there a quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention requirements? • Review policies and procedures.
Modified
p. 20 → 21
(e) Does all stored cardholder data meet the requirements defined in the data-retention policy? • Examine files and system records.
Removed
p. 21
(b) This testing procedure applies only to Issuers.
Incoming transaction data All logs History files Trace files Database schema Database contents
Incoming transaction data All logs History files Trace files Database schema Database contents
Modified
p. 21 → 22
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.2 (a) This testing procedure applies only to Issuers.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.2 (cont.) (b) For issuers and/or companies that support issuing services and store sensitive authentication data: Is the data secured?
• Examine data stores and system configuration files.
• Examine data stores and system configuration files.
Modified
p. 21 → 22
(d) Do all systems adhere to the following requirements regarding non-storage of sensitive authentication data after authorization (even if encrypted):
Modified
p. 21 → 22
• Service code To minimize risk, store only these data elements as needed for business.
Modified
p. 21 → 22
• Examine data sources including:
Removed
p. 22
Review policies and procedures Review roles that need access to displays of full PAN Examine system configurations Observe displays of PAN
Modified
p. 22 → 23
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.2.2 The card verification code or value (three-digit or four- digit number printed on the front or back of a payment card) is not stored after authorization? Examine data sources including:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.2.2 The card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) is not stored after authorization? • Examine data sources including:
Modified
p. 22 → 23
- Database contents 3.2.3 The personal identification number (PIN) or the encrypted PIN block is not stored after authorization? • Examine data sources including:
Modified
p. 22 → 23
- Database contents 3.3 Is the PAN masked when displayed (the first six and last four digits are the maximum number of digits to be displayed) such that only personnel with a legitimate business need can see more than the first six/last four digits of the PAN? Note: This requirement does not supersede stricter requirements in place for displays of cardholder data•for example, legal or payment card brand requirements for point-of-sale (POS) receipts.
Modified
p. 23 → 24
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.4 Is PAN rendered unreadable anywhere it is stored (including data repositories, portable digital media, backup media, and in audit logs), by using any of the following approaches? One-way hashes based on strong cryptography (hash must be of the entire PAN) Truncation (hashing cannot be used to replace the truncated segment of PAN) Index tokens and pads (pads …
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.4 Is PAN rendered unreadable anywhere it is stored (including data repositories, portable digital media, backup media, and in audit logs), by using any of the following approaches? • One-way hashes based on strong cryptography (hash must be of the entire PAN)
Modified
p. 23 → 24
(a) Is logical access to encrypted file systems managed separately and independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network login credentials)? Examine system configurations Observe the authentication process
(a) Is logical access to encrypted file systems managed separately and independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network login credentials)? • Examine system configurations.
Modified
p. 24
(b) Are cryptographic keys stored securely (for example, stored on removable media that is adequately protected with strong access controls)? • Interview personnel.
Modified
p. 24 → 25
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.4.1 (cont.) (c) Is cardholder data on removable media encrypted wherever stored? Note: If disk encryption is not used to encrypt removable media, the data stored on this media will need to be rendered unreadable through some other method.
Modified
p. 24 → 25
Note: This requirement applies to keys used to encrypt stored cardholder data, and also applies to key- encrypting keys used to protect data-encrypting keys. Such key-encrypting keys must be at least as strong as the data-encrypting key.
Note: This requirement applies to keys used to encrypt stored cardholder data, and also applies to key-encrypting keys used to protect data-encrypting keys. Such key- encrypting keys must be at least as strong as the data- encrypting key.
Modified
p. 25
• Examine system configurations and key storage locations, including for key-encrypting keys.
Modified
p. 25 → 26
Are key-management processes and procedures implemented to require the following:
Modified
p. 26 → 27
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.6.5 (a) Do cryptographic key procedures include retirement or replacement (for example, archiving, destruction, and/or revocation) of cryptographic keys when the integrity of the key has been weakened (for example, departure of an employee with knowledge of a clear- text key)? • Review key-management procedures.
Modified
p. 26 → 27
Do cryptographic key procedures include replacement of known or suspected compromised keys? • Review key-management procedures.
Modified
p. 26 → 27
(c) If retired or replaced cryptographic keys are retained, are these keys only used for decryption/verification purposes, and not used for encryption operations? • Review key-management procedures.
Modified
p. 26 → 28
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.6.3 Do cryptographic key procedures include secure cryptographic key storage?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.6.7 Do cryptographic key procedures include the prevention of unauthorized substitution of cryptographic keys?
• Interview personnel and/or
• Interview personnel and/or
Removed
p. 27
Review key-management procedures Interview personnel and/or Observe processes 3.6.7 Do cryptographic key procedures include the prevention of unauthorized substitution of cryptographic keys?
Modified
p. 27
• Do split knowledge procedures require that key components are under the control of at least two people who only have knowledge of their own key components?
Modified
p. 27
• Do dual control procedures require that at least two people are required to perform any key management operations and no one person has access to the authentication materials (for example, passwords or keys) of another? Note: Examples of manual key management operations include, but are not limited to: key generation, transmission, loading, storage and destruction.
Removed
p. 28
Review documented standards Review policies and procedures Review all locations where CHD is transmitted or received Examine system configurations (b) Are only trusted keys and/or certificates accepted? Observe inbound and outbound transmissions Examine keys and certificates (c) Are security protocols implemented to use only secure configurations, and to not support insecure versions or configurations?
Modified
p. 28 → 29
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 4.1 (a) Are strong cryptography and security protocols used to safeguard sensitive cardholder data during transmission over open, public networks? Note: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 4.1 (a) Are strong cryptography and security protocols used to safeguard sensitive cardholder data during transmission over open, public networks? Note: Examples of open, public networks include but are not limited to the Internet; wireless technologies, including 802.11 and Bluetooth; cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA); and General Packet Radio Service (GPRS).
Modified
p. 28 → 29
(d) Is the proper encryption strength implemented for the encryption methodology in use (check vendor recommendations/best practices)? • Review vendor documentation.
Modified
p. 28 → 29
(e) For TLS implementations, is TLS enabled whenever cardholder data is transmitted or received? For example, for browser-based implementations:
Modified
p. 28 → 29
• “HTTPS” appears as the browser Universal Record Locator (URL) protocol, and
Modified
p. 28 → 29
• Examine system configurations.
Modified
p. 29 → 30
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 4.1.1 Are industry best practices used to implement strong encryption for authentication and transmission for wireless networks transmitting cardholder data or connected to the cardholder data environment?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 4.1.1 Are industry best practices used to implement strong encryption for authentication and transmission for wireless networks transmitting cardholder data or connected to the cardholder data environment? • Review documented standards.
Modified
p. 29 → 30
Are policies in place that state that unprotected PANs are not to be sent via end-user messaging technologies? • Review policies and procedures.
Removed
p. 30
Examine policies and procedures Examine anti-virus configurations, including the master installation Examine system components (b) Are automatic updates and periodic scans enabled and being performed?
Modified
p. 30 → 31
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 5.1 Is anti-virus software deployed on all systems commonly affected by malicious software?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 5.1 Is anti-virus software deployed on all systems commonly affected by malicious software? • Examine system configurations.
Modified
p. 30 → 31
(a) Are all anti-virus software and definitions kept current?
(a) Are all anti-virus software and definitions kept current? • Examine policies and procedures.
Modified
p. 30 → 31
(c) Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7? • Examine anti-virus configurations.
Modified
p. 31 → 32
• Unable to be disabled or altered by users? Note: Anti-virus solutions may be temporarily disabled only if there is legitimate technical need, as authorized by management on a case-by-case basis. If anti-virus protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period of time during which anti-virus protection is not active.
Modified
p. 32 → 33
• Assigning a risk ranking to vulnerabilities that includes identification of all “high” risk and “critical” vulnerabilities? Note: Risk rankings should be based on industry best practices as well as consideration of potential impact. For example, criteria for ranking vulnerabilities may include consideration of the CVSS base score and/or the classification by the vendor, and/or type of systems affected.
Modified
p. 32 → 33
• Review policies and procedures.
Removed
p. 33
Review policies and procedures Examine system components Compare list of security patches installed to recent vendor patch lists 6.3 (a) Are software- development processes based on industry standards and/or best practices?
PCI DSS (for example, secure authentication and logging)? Review software development processes Observe processes Interview personnel (d) Do software development processes ensure the following at 6.3.1 - 6.3.2:
PCI DSS (for example, secure authentication and logging)? Review software development processes Observe processes Interview personnel (d) Do software development processes ensure the following at 6.3.1 - 6.3.2:
Modified
p. 33 → 34
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 6.2 (a) Are all system components and software protected from known vulnerabilities by installing applicable vendor- supplied security patches? Review policies and procedures (b) Are critical security patches installed within one month of release? Note: Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 6.2 (a) Are all system components and software protected from known vulnerabilities by installing applicable vendor-supplied security patches? • Review policies and procedures.
Modified
p. 33 → 34
Is information security included throughout the software-development life cycle? • Review software development processes.
Modified
p. 34 → 35
• Are code changes reviewed by individuals other than the originating code author, and by individuals who are knowledgeable about code review techniques and secure coding practices?
Modified
p. 34 → 35
• Do code reviews ensure code is developed according to secure coding guidelines?
Modified
p. 34 → 35
• Are appropriate corrections are implemented prior to release?
Modified
p. 34 → 35
• Are code review results are reviewed and approved by management prior to release? Note: This requirement for code reviews applies to all custom code (both internal and public-facing), as part of the system development life cycle. Code reviews can be conducted by knowledgeable internal personnel or third parties. Public-facing web applications are also subject to additional controls, to address ongoing threats and vulnerabilities after implementation, as defined at PCI DSS Requirement 6.6.
Modified
p. 34 → 35
Is access control in place to enforce the separation between the development/test environments and the production environment? • Review change control processes and procedures.
Removed
p. 35
Review change control processes and procedures Observe processes Interview personnel 6.4.3 Are production data (live PANs) not used for testing or development?
Modified
p. 35 → 36
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 6.4.2 Is there separation of duties between personnel assigned to the development/test environments and those assigned to the production environment?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 6.4.2 Is there separation of duties between personnel assigned to the development/test environments and those assigned to the production environment? • Review change control processes and procedures.
Removed
p. 36
Trace changes to change control documentation Examine change control documentation 6.4.5.4 Back-out procedures? Trace changes to change control documentation Examine change control documentation 6.4.6 Upon completion of a significant change, are all relevant PCI DSS requirements implemented on all new or changed systems and networks, and documentation updated as applicable? Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.
Trace changes to change control documentation Examine change control documentation Interview personnel Observe affected systems or networks
Trace changes to change control documentation Examine change control documentation Interview personnel Observe affected systems or networks
Modified
p. 36 → 37
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 6.4.5.2 Documented approval by authorized parties? Trace changes to change control documentation Examine change control documentation 6.4.5.3 (a) Functionality testing to verify that the change does not adversely impact the security of the system?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 6.4.5.2 Documented approval by authorized parties? • Trace changes to change control documentation.
Modified
p. 36 → 37
(b) For custom code changes, testing of updates for compliance with PCI DSS Requirement 6.5 before being deployed into production? • Trace changes to change control documentation.
Removed
p. 37
Examine software- development policies and procedures Interview responsible personnel 6.5.2 Do coding techniques address buffer overflow vulnerabilities?
Modified
p. 37 → 38
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 6.5 (a) Do software-development processes address common coding vulnerabilities?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 6.5 (a) Do software-development processes address common coding vulnerabilities? • Review software-development policies and procedures.
Modified
p. 37 → 38
(b) Are developers trained at least annually in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities? • Examine software-development policies and procedures.
Modified
p. 38 → 39
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 6.5.4 Do coding techniques address insecure communications? Examine software- development policies and procedures Interview responsible personnel 6.5.5 Do coding techniques address improper error handling? Examine software- development policies and procedures Interview responsible personnel 6.5.6 Do coding techniques address all “high risk” vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.1)? Examine …
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 6.5.5 Do coding techniques address improper error handling? • Examine software-development policies and procedures.
Removed
p. 39
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 6.5.9 Do coding techniques address cross-site request forgery (CSRF)?
Removed
p. 40
Review documented processes Interview personnel Examine records of application security assessments Examine system configuration settings
Modified
p. 40
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 6.6 For public-facing web applications, are new threats and vulnerabilities addressed on an ongoing basis, and are these applications protected against known attacks by applying either of the following methods? Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, as follows:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 6.6 For public-facing web applications, are new threats and vulnerabilities addressed on an ongoing basis, and are these applications protected against known attacks by applying either of the following methods? • Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, as follows:
Modified
p. 40
• Installing an automated technical solution that detects and prevents web-based attacks (for example, a web- application firewall) as follows:
Modified
p. 42
• Is there a written policy for access control that incorporates the following? - Defining access needs and privilege assignments for each role - Restriction of access to privileged user IDs to least privileges necessary to perform job responsibilities, - Assignment of access based on individual personnel’s job classification and function - Documented approval (electronically or in writing) by authorized parties for all access, including listing of specific privileges approved
Modified
p. 42
• System components and data resources that each role needs to access for their job function?
Modified
p. 42
• Level of privilege required (for example, user, administrator, etc.) for accessing resources? • Examine roles and access need.
Modified
p. 42
• To least privileges necessary to perform job responsibilities?
Modified
p. 42
• Assigned only to roles that specifically require that privileged access? • Interview personnel.
Removed
p. 43
Review vendor documentation Examine configuration settings 7.2.3 Does the access control system(s) have a default “deny- all” setting? Review vendor documentation Examine configuration settings 7.3 Are security policies and operational procedures for restricting access to cardholder data:
Modified
p. 43
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 7.1.4 Is documented approval by authorized parties required, specifying required privileges? Review user IDs Compare with documented approvals Compare assigned privileges with documented approvals 7.2 Is an access control system(s) in place for system components to restrict access based on a user’s need to know, and is it set to “deny all” unless specifically allowed, as follows:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 7.1.4 Is documented approval by authorized parties required, specifying required privileges? • Compare with documented approvals.
Removed
p. 44
Review password procedures Examine privileged and general user IDs and associated authorizations Observe system settings 8.1.3 Is access for any terminated users immediately deactivated or removed?
Review password procedures Examine terminated users accounts Review current access lists Observe returned physical authentication devices 8.1.4 Are inactive user accounts either removed or disabled within 90 days?
Review password procedures Examine terminated users accounts Review current access lists Observe returned physical authentication devices 8.1.4 Are inactive user accounts either removed or disabled within 90 days?
Modified
p. 44
Are third-party remote access accounts monitored when in use? • Interview personnel.
Removed
p. 45
Something you know, such as a password or passphrase Something you have, such as a token device or smart card Something you are, such as a biometric Review password procedures Observe authentication processes 8.2.1 (a) Is strong cryptography used to render all authentication credentials (such as passwords/passphrases) unreadable during transmission and storage on all system components? Review password procedures Review vendor documentation Examine system configuration settings Observe password files Observe data transmissions (b) This testing procedure applies only to service providers.
Modified
p. 45
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 8.1.6 (a) Are repeated access attempts limited by locking out the user ID after no more than six attempts? Review password procedures Examine system configuration settings (b) This testing procedure applies only to service providers.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 8.1.6 (a) Are repeated access attempts limited by locking out the user ID after no more than six attempts? • Review password procedures.
Modified
p. 45
In addition to assigning a unique ID, is one or more of the following methods employed to authenticate all users? • Something you know, such as a password or passphrase
Modified
p. 46
• Examine system configuration settings to verify password parameters.
Modified
p. 47
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 8.3 Is all individual non-console administrative access and all remote access to the CDE secured using multi-factor authentication as follows:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 8.3 Is all individual non-console administrative access and all remote access to the CDE secured using multi-factor authentication, as follows:
Removed
p. 48
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (b) Do authentication policies and procedures include the following? Guidance on selecting strong authentication credentials Guidance for how users should protect their authentication credentials Instructions not to reuse previously used passwords Instructions that users should change passwords if there is any suspicion the password could be compromised Review policies and procedures Review documentation provided to users 8.5 Are group, shared, or generic accounts, passwords, or other authentication methods prohibited as follows:
Generic user IDs and accounts are disabled or Shared user IDs for system administration activities and other critical functions do not exist; and Shared and generic user IDs are not used to administer any system components? Review policies and procedures Examine user ID lists Interview personnel 8.5.1 This requirement …
Generic user IDs and accounts are disabled or Shared user IDs for system administration activities and other critical functions do not exist; and Shared and generic user IDs are not used to administer any system components? Review policies and procedures Examine user ID lists Interview personnel 8.5.1 This requirement …
Removed
p. 49
Review database authentication policies and procedures Examine database and application configuration settings (b) Is user direct access to or queries to of databases restricted to database administrators?
Review database authentication policies and procedures Examine database access control settings Examine database application configuration settings (c) Are application IDs only able to be used by the applications (and not by individual users or other processes)? Review database authentication policies and procedures Examine database access control settings Examine database application configuration settings 8.8 Are security policies and operational procedures for identification and authentication:
Review database authentication policies and procedures Examine database access control settings Examine database application configuration settings (c) Are application IDs only able to be used by the applications (and not by individual users or other processes)? Review database authentication policies and procedures Examine database access control settings Examine database application configuration settings 8.8 Are security policies and operational procedures for identification and authentication:
Modified
p. 49
(a) Is all user access to, user queries of, and user actions on (for example, move, copy, delete), the database through programmatic methods only (for example, through stored procedures)?
(a) Is all user access to, user queries of, and user actions on (for example, move, copy, delete), the database through programmatic methods only (for example, through stored procedures)? • Review database authentication policies and procedures.
Modified
p. 50
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.1 Are appropriate facility entry controls in place to limit and monitor physical access to systems in the cardholder data environment?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.1 Are appropriate facility entry controls in place to limit and monitor physical access to systems in the cardholder data environment? • Observe physical access controls.
Modified
p. 50
Are either video cameras or access control mechanisms (or both) protected from tampering or disabling? • Interview personnel.
Modified
p. 50
(c) Is data collected from video cameras and/or access control mechanisms reviewed and correlated with other entries? • Review policies and procedures.
Modified
p. 50
(d) Is data collected from video cameras and/or access control mechanisms stored for at least three months unless otherwise restricted by law? • Review data retention processes.
Removed
p. 51
Review policies and procedures Interview personnel Observe locations 9.1.3 Is physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines restricted? Review policies and procedures Interview personnel Observe devices 9.2 (a) Are procedures developed to easily distinguish between onsite personnel and visitors, which include:
Modified
p. 51
Do identification methods (such as ID badges) clearly identify visitors and easily distinguish between onsite personnel and visitors? • Observe identification methods.
Modified
p. 51
(c) Is access to the badge system limited to authorized personnel? • Observe physical controls and access controls for the badge system.
Removed
p. 52
Is access revoked immediately upon termination Upon termination, are all physical access mechanisms, such as keys, access cards, etc., returned or disabled? Interview personnel Examine access control lists Observe onsite personnel Compare lists of terminated employees to access control lists 9.4 Is visitor identification and access handled as follows:
Modified
p. 52 → 51
• Is access authorized and based on individual job function? • Is access revoked immediately upon termination
Modified
p. 52
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.3 Is physical access to sensitive areas controlled for onsite personnel, as follows:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.4 Is visitor identification and access handled as follows:
Removed
p. 53
Review policies and procedures for physically securing media Interview personnel 9.5.1 Is the location where media back-ups are stored reviewed at least annually to confirm storage is secure?
Modified
p. 53 → 52
Does the visitor log contain the visitor’s name, the firm represented, and the onsite personnel authorizing physical access? • Review policies and procedures.
Removed
p. 54
Examine inventory logs Interview personnel 9.8 (a) Is all media destroyed when it is no longer needed for business or legal reasons?
Modified
p. 54 → 53
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.6.2 Is media sent by secured courier or other delivery method that can be accurately tracked?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.5.1 Is the location where media back-ups are stored reviewed at least annually to confirm storage is secure?
• Review policies and procedures for reviewing offsite media locations.
• Review policies and procedures for reviewing offsite media locations.
Modified
p. 54
Is there a periodic media destruction policy that defines requirements for the following? - Hard-copy materials must be crosscut shredded, incinerated, or pulped such that there is reasonable assurance the hard-copy materials cannot be reconstructed.
Modified
p. 54
- Storage containers used for materials that are to be destroyed must be secured.
Modified
p. 54
- Cardholder data on electronic media must be rendered unrecoverable (e.g., via a secure wipe program in accordance with industry-accepted standards for secure deletion, or by physically destroying the media).
Modified
p. 54
• Review periodic media destruction policies and procedures.
Modified
p. 55 → 54
Are storage containers used for materials that contain information to be destroyed secured to prevent access to the contents? • Examine security of storage containers.
Modified
p. 55
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.9 Are devices that capture payment card data via direct physical interaction with the card protected against tampering and substitution as follows? Note: This requirement applies to card-reading devices used in card-present transactions (that is, card swipe or dip) at the point of sale. This requirement is not intended to apply to manual key-entry components such as computer keyboards and POS …
Modified
p. 55
(a) Do policies and procedures require that a list of such devices be maintained?
(a) Do policies and procedures require that a list of such devices be maintained? • Review policies and procedures.
Modified
p. 55
(b) Do policies and procedures require that devices are periodically inspected to look for tampering or substitution? • Review policies and procedures.
Modified
p. 55
(c) Do policies and procedures require that personnel are trained to be aware of suspicious behavior and to report tampering or substitution of devices? • Review policies and procedures.
Modified
p. 56
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.9.2 (a) Are device surfaces periodically inspected to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device) as follows? Note: Examples of signs that a device might have been tampered with or substituted include unexpected attachments …
Modified
p. 56
Are personnel aware of procedures for inspecting devices? • Interview personnel.
Modified
p. 56 → 57
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.9.1 (a) Does the list of devices include the following?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.9.3 (cont.) (b) Have personnel at point-of-sale locations received training, and are they aware of procedures to detect and report attempted tampering or replacement of devices?
• Interview personnel at POS locations.
• Interview personnel at POS locations.
Removed
p. 57
Review training materials (b) Have personnel at point-of-sale locations received training, and are they aware of procedures to detect and report attempted tampering or replacement of devices? Interview personnel at POS locations 9.10 Are security policies and operational procedures for restricting physical access to cardholder data:
Modified
p. 57 → 54
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.9.3 Are personnel trained to be aware of attempted tampering or replacement of devices, to include the following?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.8 (a) Is all media destroyed when it is no longer needed for business or legal reasons?
• Review periodic media destruction policies and procedures.
• Review periodic media destruction policies and procedures.
Modified
p. 58
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 10.1 (a) Are audit trails enabled and active for system components?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A Not Tested 10.1 (a) Are audit trails enabled and active for system components? • Interview system administrator.
Modified
p. 59
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 10.2.6 Initialization, stopping, or pausing of the audit logs? Interview personnel Observe audit logs Examine audit log settings 10.2.7 Creation and deletion of system-level objects? Interview personnel Observe audit logs Examine audit log settings 10.3 Are the following audit trail entries recorded for all system components for each event:
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A Not Tested 10.2.6 Initialization, stopping, or pausing of the audit logs? • Interview personnel.
Modified
p. 60
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 10.4 Are all critical system clocks and times synchronized through use of time synchronization technology, and is the technology kept current? Note: One example of time synchronization technology is Network Time Protocol (NTP).
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A Not Tested 10.4 Are all critical system clocks and times synchronized through use of time synchronization technology, and is the technology kept current? Note: One example of time synchronization technology is Network Time Protocol (NTP).
Modified
p. 60
(a) Do only designated central time server(s) receive time signals from external sources, and are time signals from external sources based on International Atomic Time or UTC?
(a) Do only designated central time server(s) receive time signals from external sources, and are time signals from external sources based on International Atomic Time or UTC? • Review time configuration standards and processes.
Modified
p. 60
Where there is more than one designated time server, do the time servers peer with each other to keep accurate time? • Review time configuration standards and processes.
Modified
p. 60
(c) Do systems receive time only from designated central time server(s)? • Review time configuration standards and processes.
Modified
p. 60
(a) Is access to time data restricted to only personnel with a business need to access time data?
(a) Is access to time data restricted to only personnel with a business need to access time data? • Examine system configurations and time- synchronization settings.
Modified
p. 60
(b) Are changes to time settings on critical systems logged, monitored, and reviewed? • Examine system configurations and time- synchronization settings and logs.
Modified
p. 61
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested Are time settings received from specific, industry- accepted time sources? (This is to prevent a malicious individual from changing the clock).
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A Not Tested Are time settings received from specific, industry- accepted time sources? (This is to prevent a malicious individual from changing the clock).
Modified
p. 61
Are logs for external-facing technologies (for example, wireless, firewalls, DNS, mail) written onto a secure, centralized, internal log server or media? • Interview system administrators.
Modified
p. 62
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 10.5.5 Is file-integrity monitoring or change-detection software used on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert)?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A Not Tested 10.5.5 Is file-integrity monitoring or change-detection software used on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert)? • Examine settings, monitored files, and results from monitoring activities.
Modified
p. 62
• based on the organization’s policies and risk management strategy?
• based on the organization’s policies and risk management strategy? • Review security policies and procedures.
Modified
p. 62
Are reviews of all other system components performed in accordance with organization’s policies and risk management strategy? • Review risk assessment documentation.
Removed
p. 63
Review security policies and procedures (b) Are audit logs retained for at least one year? Interview personnel Examine audit logs (c) Are at least the last three months’ logs immediately available for analysis? Interview personnel Observe processes 10.8 This requirement applies only to service providers 10.9 Are security policies and operational procedures for monitoring all access to network resources and cardholder data:
Modified
p. 63
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 10.6.3 (a) Are written policies and procedures defined for following up on exceptions and anomalies identified during the review process?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A Not Tested 10.6.3 (a) Are written policies and procedures defined for following up on exceptions and anomalies identified during the review process? • Review security policies and procedures.
Modified
p. 63
Is follow up to exceptions and anomalies performed? • Interview personnel.
Removed
p. 64
Evaluate the methodology (c) If wireless scanning is utilized to identify authorized and unauthorized wireless access points, is the scan performed at least quarterly for all system components and facilities?
Modified
p. 64
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 11.1 (a) Are processes implemented for detection and identification of both authorized and unauthorized wireless access points on a quarterly basis? Note: Methods that may be used in the process include, but are not limited to, wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS.
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A Not Tested 11.1 (a) Are processes implemented for detection and identification of both authorized and unauthorized wireless access points on a quarterly basis? Note: Methods that may be used in the process include, but are not limited to, wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS.
Modified
p. 64
Does the methodology detect and identify any unauthorized wireless access points, including at least the following? - WLAN cards inserted into system components; - Portable or mobile devices attached to system components to create a wireless access point (for example, by USB, etc.); and - Wireless devices attached to a network port or network device.
Modified
p. 64
(d) If automated monitoring is utilized (for example, wireless IDS/IPS, NAC, etc.), is monitoring configured to generate alerts to notify personnel? • Examine configuration settings.
Modified
p. 65
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 11.1.2 (a) Does the incident response plan define and require a response in the event that an unauthorized wireless access point is detected?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A Not Tested 11.1.2 (a) Does the incident response plan define and require a response in the event that an unauthorized wireless access point is detected? • Examine incident response plan (see Requirement 12.10).
Modified
p. 65
Is action taken when unauthorized wireless access points are found? • Interview responsible personnel.
Modified
p. 65
For initial PCI DSS compliance, it is not required that four quarters of passing scans be completed if the assessor verifies 1) the most recent scan result was a passing scan, 2) the entity has documented policies and procedures requiring quarterly scanning, and 3) vulnerabilities noted in the scan results have been corrected as shown in a re-scan(s). For subsequent years after the initial PCI DSS review, four quarters of passing scans must have occurred.
For initial PCI DSS compliance, it is not required that four quarters of passing scans be completed if the assessor verifies 1) the most recent scan result was a passing scan, 2) the entity has documented policies and procedures requiring quarterly scanning, and 3) vulnerabilities noted in the scan results have been corrected as shown in a re- scan(s). For subsequent years after the initial PCI DSS review, four quarters of passing scans must have occurred.
Modified
p. 66
(c) Are quarterly internal scans performed by a qualified internal resource(s) or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)? • Interview personnel.
Modified
p. 66
(b) Do external quarterly scan and rescan results satisfy the ASV Program Guide requirements for a passing scan (for example, no vulnerabilities rated 4.0 or higher by the CVSS, and no automatic failures)? • Review results of each external quarterly scan and rescan.
Modified
p. 66 → 67
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A Not Tested 11.2.3 (a) Are internal and external scans, and rescans as needed, performed after any significant change? Note: Scans must be performed by qualified personnel.
Modified
p. 66 → 67
• Examine and correlate change control documentation and scan reports.
Modified
p. 66 → 67
- For external scans, no vulnerabilities exist that are scored 4.0 or higher by the CVSS, - For internal scans, a passing result is obtained or all “high-risk” vulnerabilities as defined in PCI DSS Requirement 6.1 are resolved? • Review scan reports.
Modified
p. 66 → 67
(c) Are scans performed by a qualified internal resource(s) or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)? • Interview personnel.
Removed
p. 67
Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) Includes coverage for the entire CDE perimeter and critical systems Includes testing from both inside and outside the network Includes testing to validate any segmentation and scope- reduction controls Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5 Defines network-layer penetration tests to include components that support network functions as well as operating systems Includes review and consideration of threats and vulnerabilities experienced in the last 12 months Specifies retention of penetration testing results and remediation activities results Examine penetration-testing methodology Interview responsible personnel 11.3.1 (a) Is external penetration testing performed per the defined methodology, at least annually, and after any significant infrastructure or application changes to the environment (such as an operating system upgrade, a sub-network added to the environment, or an …
Modified
p. 67 → 68
(b) Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)? • Interview responsible personnel.
Modified
p. 67 → 69
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 11.3 Does the penetration-testing methodology include the following?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A Not Tested If segmentation is used to isolate the CDE from other networks:
Modified
p. 68
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 11.3.2 (a) Is internal penetration testing performed per the defined methodology, at least annually, and after any significant infrastructure or application changes to the environment (such as an operating system upgrade, a sub-network added to the environment, or an added web server)?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A Not Tested 11.3.1 (a) Is external penetration testing performed per the defined methodology, at least annually, and after any significant infrastructure or application changes to the environment (such as an operating system upgrade, a sub-network added to the environment, or an added web server)? • Examine scope of work.
Modified
p. 68
(b) Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)? • Interview responsible personnel.
Modified
p. 68 → 69
(a) Are penetration-testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of-scope systems from systems in the CDE?
(a) Are penetration-testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of-scope systems from systems in the CDE? • Examine segmentation controls.
Modified
p. 68 → 69
(b) Does penetration testing to verify segmentation controls meet the following? - Performed at least annually and after any changes to segmentation controls/methods.
Modified
p. 68 → 69
(c) Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)? • Interview responsible personnel.
Removed
p. 69
System executables Application executables Configuration and parameter files Centrally stored, historical or archived, log, and audit files Additional critical files determined by entity (for example, through risk assessment or other means) Observe system settings and monitored files Examine system configuration settings
Modified
p. 69 → 70
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 11.3.4.1 This requirement applies only to service providers 11.4 (a) Are intrusion-detection and/or intrusion-prevention techniques that detect and/or prevent intrusions into the network in place to monitor all traffic:
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A Not Tested 11.3.4.1 This requirement applies only to service providers.
Modified
p. 69 → 70
- At the perimeter of the cardholder data environment, and - At critical points in the cardholder data environment.
Modified
p. 69 → 70
(b) Are intrusion-detection and/or intrusion-prevention techniques configured to alert personnel of suspected compromises? • Examine system configurations.
Modified
p. 70 → 71
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (b) Is the change-detection mechanism configured to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files or content files, and do the tools perform critical file comparisons at least weekly? Note: For change detection purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system …
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A Not Tested 11.5 (cont.) (b) Is the change-detection mechanism configured to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files or content files, and do the tools perform critical file comparisons at least weekly? Note: For change detection purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system …
Modified
p. 70 → 71
• Known to all affected parties? • Examine security policies and operational procedures.
Modified
p. 71 → 72
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 12.1 Is a security policy established, published, maintained, and disseminated to all relevant personnel?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A Not Tested 12.1 Is a security policy established, published, maintained, and disseminated to all relevant personnel? • Review the information security policy.
Modified
p. 71 → 72
- Identifies critical assets, threats, and vulnerabilities, and - Results in a formal, documented analysis of risk? Examples of risk assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP 800-30.
Modified
p. 71 → 72
(b) Is the risk assessment process performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.)? • Review risk assessment documentation.
Removed
p. 72
Review usage policies Interview responsible personnel 12.3.2 Authentication for use of the technology? Review usage policies Interview responsible personnel 12.3.3 A list of all such devices and personnel with access? Review usage policies Interview responsible personnel 12.3.4 A method to accurately and readily determine owner, contact information, and purpose (for example, labeling, coding, and/or inventorying of devices)?
Review usage policies Interview responsible personnel 12.3.5 Acceptable uses of the technologies? Review usage policies Interview responsible personnel 12.3.6 Acceptable network locations for the technologies? Review usage policies Interview responsible personnel 12.3.7 List of company-approved products? Review usage policies Interview responsible personnel 12.3.8 Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity?
Review usage policies Interview responsible personnel 12.3.5 Acceptable uses of the technologies? Review usage policies Interview responsible personnel 12.3.6 Acceptable network locations for the technologies? Review usage policies Interview responsible personnel 12.3.7 List of company-approved products? Review usage policies Interview responsible personnel 12.3.8 Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity?
Modified
p. 73 → 74
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 12.3.10 (a) For personnel accessing cardholder data via remote- access technologies, does the policy specify the prohibition of copying, moving, and storage of cardholder data onto local hard drives and removable electronic media, unless explicitly authorized for a defined business need? Where there is an authorized business need, the usage policies must require the data be protected in accordance with all …
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A Not Tested 12.3.10 (a) For personnel accessing cardholder data via remote-access technologies, does the policy specify the prohibition of copying, moving, and storage of cardholder data onto local hard drives and removable electronic media, unless explicitly authorized for a defined business need? Where there is an authorized business need, the usage policies must require the data be protected in accordance with all applicable PCI DSS …
Modified
p. 73 → 74
(b) For personnel with proper authorization, does the policy require the protection of cardholder data in accordance with PCI DSS Requirements? • Review usage policies.
Removed
p. 74
Review security awareness program Review security awareness program procedures Review security awareness program attendance records (b) Are personnel educated upon hire and at least annually?
Modified
p. 74 → 75
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 12.5.4 Administering user accounts, including additions, deletions, and modifications?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A Not Tested 12.5.4 Administering user accounts, including additions, deletions, and modifications? • Review information security policy and procedures.
Modified
p. 74 → 75
(c) Have employees completed awareness training and are they aware of the importance of cardholder data security? • Interview personnel.
Modified
p. 75 → 76
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 12.7 Are potential personnel (see definition of “personnel” above) screened prior to hire to minimize the risk of attacks from internal sources? Examples of background checks include previous employment history, criminal record, credit history and reference checks.
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A Not Tested 12.7 Are potential personnel (see definition of “personnel” above) screened prior to hire to minimize the risk of attacks from internal sources? Examples of background checks include previous employment history, criminal record, credit history and reference checks.
Modified
p. 75 → 77
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A Not Tested 12.8.3 Is there an established process for engaging service providers, including proper due diligence prior to engagement? • Review policies and procedures and supporting documentation.
Removed
p. 76
Review incident response plan procedures Specific incident response procedures? Review incident response plan procedures Business recovery and continuity procedures? Review incident response plan procedures Data backup processes? Review incident response plan procedures Analysis of legal requirements for reporting compromises? Review incident response plan procedures
Modified
p. 76 → 78
- Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum? • Review incident response plan procedures.
Modified
p. 76 → 79
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 12.8.4 Is a program maintained to monitor service providers’ PCI DSS compliance status at least annually?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A Not Tested 12.10.3 Are specific personnel designated to be available on a 24/7 basis to respond to alerts?
• Interview responsible personnel.
• Interview responsible personnel.
Removed
p. 77
Review incident response plan procedures Interview responsible personnel 12.10.3 Are specific personnel designated to be available on a 24/7 basis to respond to alerts?
Modified
p. 77 → 78
- Reference or inclusion of incident response procedures from the payment brands? • Review incident response plan procedures.
Modified
p. 77 → 80
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested Coverage and responses of all critical system components?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested A2.1 For POS POI terminals (at the merchant or payment- acceptance location) using SSL and/or early TLS: Are the devices confirmed to not be susceptible to any known exploits for SSL/early TLS
Removed
p. 78
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested A2.1 For POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS:
Are the devices confirmed to not be susceptible to any known exploits for SSL/early TLS Is there a formal Risk Mitigation and Migration Plan in place per Requirement A2.2? Review documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS A2.2 Is there a formal Risk Mitigation and Migration Plan in place for all implementations that use SSL and/or early TLS (other than as allowed in A2.1), that includes:
Description of usage, including; what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, type of environment; Risk assessment results …
Are the devices confirmed to not be susceptible to any known exploits for SSL/early TLS Is there a formal Risk Mitigation and Migration Plan in place per Requirement A2.2? Review documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS A2.2 Is there a formal Risk Mitigation and Migration Plan in place for all implementations that use SSL and/or early TLS (other than as allowed in A2.1), that includes:
Description of usage, including; what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, type of environment; Risk assessment results …
Modified
p. 78 → 80
Appendix A2: Additional PCI DSS Requirements for Entities using SSL/early TLS
Appendix A2: Additional PCI DSS Requirements for Entities using SSL/Early TLS for Card-Present POS POI Terminal Connections
Removed
p. 79
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested A2.3 This requirement applies only to service providers Appendix A3: Designated Entities Supplemental Validation (DESV) This Appendix applies only to entities designated by a payment brand(s) or acquirer as requiring additional validation of existing PCI DSS requirements. Entities required to validate to this Appendix should use the DESV Supplemental Reporting Template and Supplemental Attestation of Compliance for reporting, and consult with the applicable payment brand and/or acquirer for submission procedures.
Modified
p. 83 → 84
Based on the results documented in the SAQ D noted above , the signatories identified in Parts 3b-3d, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document: (check one):
Based on the results documented in the SAQ D noted above, the signatories identified in Parts 3b-3d, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document: (check one):
Modified
p. 84 → 85
ASV scans are being completed by the PCI SSC Approved Scanning Vendor (ASV Name) Part 3b. Merchant Attestation Signature of Merchant Executive Officer Date:
ASV scans are being completed by the PCI SSC Approved Scanning Vendor (ASV Name).
Modified
p. 85 → 86
Check with your acquirer or the payment brand(s) before completing Part 4.
Check with the applicable payment brand(s) before completing Part 4.
Modified
p. 85 → 86
PCI DSS Requirement Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security parameters 3 Protect stored cardholder data 4 Encrypt transmission of cardholder data across open, public networks Protect all systems against malware and regularly update anti- virus software or programs 6 Develop and maintain secure …
PCI DSS Requirement Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO 1 Install and maintain a firewall configuration to protect cardholder data.