Document Comparison

PCI-DSS-v3_2-SAQ-D_ServiceProvider.pdf → PCI-DSS-v3_2-SAQ-D_ServiceProvider-rev1_1.pdf
98% similar
96 → 96 Pages
23760 → 23777 Words
12 Content Changes

Content Changes

12 content changes. 25 administrative changes (dates, page numbers) hidden.

Added p. 2 (document change log row)
Date: January 2017 | PCI DSS Version: 3.2 | SAQ Revision: 1.1 | Description: Updated version numbering to align with other SAQs
Modified p. 1
Original: Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers SAQ-Eligible Service Providers For use with PCI DSS Version 3.2
Revision 1.1: Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers SAQ-Eligible Service Providers For use with PCI DSS Version 3.2 Revision 1.1
Modified p. 14
Original: • Review firewall and router configuration standards (c) Are firewall and router rule sets reviewed at least every six months? • Examine documentation from firewall reviews 1.2 Do firewall and router configurations restrict connections between untrusted networks and any system in the cardholder data environment as follows:
Revision 1.1: • Review firewall and router configuration standards (b) Are firewall and router rule sets reviewed at least every six months? • Examine documentation from firewall reviews 1.2 Do firewall and router configurations restrict connections between untrusted networks and any system in the cardholder data environment as follows:
Modified p. 21
Original: • Review configuration standards • Examine system configurations (d) Are all enabled insecure services, daemons, or protocols justified per documented configuration standards?
Revision 1.1: • Review configuration standards • Examine system configurations (b) Are all enabled insecure services, daemons, or protocols justified per documented configuration standards?
Modified p. 30
Original: • Review key-management procedures • Interview personnel (d) If retired or replaced cryptographic keys are retained, are these keys only used for decryption/verification purposes, and not used for encryption operations? • Review key-management procedures • Interview personnel
Revision 1.1: • Review key-management procedures • Interview personnel (c) If retired or replaced cryptographic keys are retained, are these keys only used for decryption/verification purposes, and not used for encryption operations? • Review key-management procedures • Interview personnel
Modified p. 53
Original: • Review database authentication policies and procedures • Examine database access control settings • Examine database application configuration settings (d) Are application IDs only able to be used by the applications (and not by individual users or other processes)? • Review database authentication policies and procedures • Examine database access control settings • Examine database application configuration settings 8.8 Are security policies and operational procedures for identification and authentication:
Revision 1.1: • Review database authentication policies and procedures • Examine database access control settings • Examine database application configuration settings (c) Are application IDs only able to be used by the applications (and not by individual users or other processes)? • Review database authentication policies and procedures • Examine database access control settings • Examine database application configuration settings 8.8 Are security policies and operational procedures for identification and authentication:
Modified p. 55
Original: • Observe identification methods (e) Is access to the badge system limited to authorized personnel? • Observe physical controls and access controls for the badge system
Revision 1.1: • Observe identification methods (c) Is access to the badge system limited to authorized personnel? • Observe physical controls and access controls for the badge system
Modified p. 57
Original: PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (f) Is the visitor log retained for at least three months? • Review policies and procedures • Examine visitor log retention 9.5 Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? For purposes of Requirement 9, “media” refers to all paper and electronic media containing cardholder data.
Revision 1.1: PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (c) Is the visitor log retained for at least three months? • Review policies and procedures • Examine visitor log retention 9.5 Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? For purposes of Requirement 9, “media” refers to all paper and electronic media containing cardholder data.
Modified p. 64
Original: • Review time configuration standards and processes • Examine time-related system parameters (g) Do systems receive time only from designated central time server(s)? • Review time configuration standards and processes • Examine time-related system parameters 10.4.2 Is time data is protected as follows:
Revision 1.1: • Review time configuration standards and processes • Examine time-related system parameters (c) Do systems receive time only from designated central time server(s)? • Review time configuration standards and processes • Examine time-related system parameters 10.4.2 Is time data is protected as follows:
Modified p. 70
Original: • Evaluate the methodology (h) If wireless scanning is utilized to identify authorized and unauthorized wireless access points, is the scan performed at least quarterly for all system components and facilities?
Revision 1.1: • Evaluate the methodology (c) If wireless scanning is utilized to identify authorized and unauthorized wireless access points, is the scan performed at least quarterly for all system components and facilities?
Modified p. 70
Original: • Examine output from recent wireless scans (i) If automated monitoring is utilized (for example, wireless IDS/IPS, NAC, etc.), is monitoring configured to generate alerts to notify personnel?
Revision 1.1: • Examine output from recent wireless scans (d) If automated monitoring is utilized (for example, wireless IDS/IPS, NAC, etc.), is monitoring configured to generate alerts to notify personnel?
Modified p. 88
Original: • Examine system configurations and file permissions for shared system binaries (d) Is viewing of log entries restricted to the owning entity? • Examine system configurations and file permissions for viewing log entries (c) Are restrictions in place for the use of these system resources? • Disk space, • Bandwidth, • Memory, • CPU This ensures that each entity cannot monopolize server resources to exploit vulnerabilities (for example, error, race, and restart conditions, resulting in, for example, buffer overflows).
Revision 1.1: • Examine system configurations and file permissions for shared system binaries (d) Is viewing of log entries restricted to the owning entity? • Examine system configurations and file permissions for viewing log entries (e) Are restrictions in place for the use of these system resources? • Disk space, • Bandwidth, • Memory, • CPU This ensures that each entity cannot monopolize server resources to exploit vulnerabilities (for example, error, race, and restart conditions, resulting in, for example, buffer overflows).