Document Comparison

pci_dss_saq_instr_guide_v2.0.pdf pci_dss_SAQ_Instr_Guide_v2.1.pdf
91% similar
17 → 19 Pages
4713 → 5216 Words
22 Content Changes

Content Changes

22 content changes. 17 administrative changes (dates, page numbers) hidden.

Added p. 2
June 2012 2.1 Addition of SAQ P2PE-HW for merchants who process cardholder data only via hardware payment terminals included in a validated and PCI SSC-listed PCI Point-to-Point Encryption (P2PE) solution.

This document is for use with PCI DSS version 2.0.

• PCI DSS Self-Assessment: How it All Fits Together
• PCI DSS: Related Documents
• SAQ Overview
• Why is Compliance with PCI DSS Important?

PCI Data Security Standard: Self-Assessment Questionnaire P2PE-HW and Attestation Eligible merchants¹
Added p. 10
Note: For SAQ P2PE-HW, there are no compensating controls allowed, nor is there a “Special” column.

C-VT Merchants using only web-based virtual terminals, no electronic cardholder data storage. This would never apply to e-commerce merchants.

C Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.

P2PE-HW Merchants using only hardware payment terminals included in a PCI SSC-listed, validated, P2PE solution, no electronic cardholder data storage. This would never apply to e-commerce merchants.

• Your company accepts only card-not-present (e-commerce or mail/telephone-order) transactions;
• Your company does not store, process, or transmit any cardholder data on your systems or premises, but relies entirely on a third party(s) to handle all these functions;
• Your company has confirmed that the third party(s) handling storage, processing, and/or transmission of cardholder data is PCI DSS compliant;
• Your company retains only paper reports or receipts with cardholder data, and these documents are …
Added p. 17
• Completion Steps,” (or “SAQ Completion Steps” for SAQ P2PE-HW) and provide all required documentation to your acquirer or payment brand as appropriate.
Modified p. 1
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Instructions and Guidelines Version 2.0
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Instructions and Guidelines Version 2.1
Modified p. 6
Self-Assessment Questionnaire D and Attestation Eligible merchants and service providers¹
PCI Data Security Standard: Self-Assessment Questionnaire D and Attestation Eligible merchants and service providers¹
Modified p. 6
PCI Data Security Standard and Payment Application Data Security Standard: Glossary of Terms, Abbreviations, and Acronyms All merchants and service providers
¹ To determine the appropriate Self-Assessment Questionnaire, see “Selecting the SAQ and Attestation That Best Apply to Your Organization,” on page 12 of this document.
PCI Data Security Standard and Payment Application Data Security Standard: Glossary of Terms, Abbreviations, and Acronyms All merchants and service providers
¹ To determine the appropriate Self-Assessment Questionnaire, see “Selecting the SAQ and Attestation That Best Apply to Your Organization,” on page 9 of this document.
Modified p. 8
• Storage of magnetic stripe data (Requirement 3.2). It is important to note that many compromised entities are unaware that their systems are storing this data.
Storage of magnetic stripe data (Requirement 3.2). It is important to note that many compromised entities are unaware that their systems are storing this data.
Modified p. 8
• Inadequate access controls due to improperly installed merchant POS systems, allowing malicious users in via paths intended for POS vendors (Requirements 7.1, 7.2, 8.2 and 8.3)
• Default system settings and passwords not changed when system was set up (Requirement 2.1)
• Unnecessary and insecure services not removed or secured when system was set up (Requirements 2.2.2 and 2.2.4)
• Poorly coded web applications resulting in SQL injection and other vulnerabilities, which allow access to the database storing cardholder …
Inadequate access controls due to improperly installed merchant POS systems, allowing malicious users in via paths intended for POS vendors (Requirements 7.1, 7.2, 8.2 and 8.3) Default system settings and passwords not changed when system was set up (Requirement 2.1) Unnecessary and insecure services not removed or secured when system was set up (Requirements 2.2.2 and 2.2.4) Poorly coded web applications resulting in SQL injection and other vulnerabilities, which allow access to the database storing cardholder …
Modified p. 9
2. If you are a merchant, ask your POS vendor about the security of your system, with the following suggested questions:
a. Is my POS software validated to the Payment Application Data Security Standard (PA-DSS)? (Refer to PCI SSC’s list of Validated Payment Applications.)
b. Does my POS software store magnetic stripe data (track data) or PIN blocks? If so, this storage is prohibited, so how quickly can you help me remove it?
c. Does my POS software store primary …
(Refer to PCI SSC’s list of Validated Payment Applications.)
b. Does my POS software store magnetic stripe data (track data) or PIN blocks? If so, this storage is prohibited, so how quickly can you help me remove it?
c. Does my POS software store primary account numbers (PANs)? If so, this storage must be protected, so how is the POS protecting this data?
d. Will you document the list of files written by the application with a summary of the …
Modified p. 11
The Navigating PCI DSS Guide The PCI DSS Glossary of Terms, Abbreviations and Acronyms Frequently Asked Questions (FAQs) Information Supplements and Guidelines Attestations of Compliance Please refer to www.pcisecuritystandards.org for more information.
The Navigating PCI DSS Guide The PCI DSS Glossary of Terms, Abbreviations and Acronyms Frequently Asked Questions (FAQs) • Webinars • Information Supplements and Guidelines Attestations of Compliance Please refer to www.pcisecuritystandards.org for more information.
Removed p. 12
• Your company accepts only card-not-present (e-commerce or mail/telephone-order) transactions;
• Your company does not store, process, or transmit any cardholder data on your systems or premises, but relies entirely on a third party(s) to handle all these functions;
• Your company has confirmed that the third party(s) handling storage, processing, and/or transmission of cardholder data is PCI DSS compliant;
• Your company retains only paper reports or receipts with cardholder data, and these documents are not received electronically; and
• Your company does not store any cardholder data in electronic format.
Modified p. 12
B Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage
C-VT Merchants using only web-based virtual terminals, no electronic cardholder data storage
C Merchants with payment application systems connected to the Internet, no electronic cardholder data storage
D All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ.
B Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage. This would never apply to e-commerce merchants.
Modified p. 13
• Your company uses only an imprint machine and/or uses only standalone, dial-out terminals (connected via a phone line to your processor) to take your customers’ payment card information;
• The standalone, dial-out terminals are not connected to any other systems within your environment;
• The standalone, dial-out terminals are not connected to the Internet;
• Your company does not transmit cardholder data over a network (either an internal network or the Internet);
• Your company retains only paper reports …
Your company uses only an imprint machine and/or uses only standalone, dial-out terminals (connected via a phone line to your processor) to take your customers’ payment card information; The standalone, dial-out terminals are not connected to any other systems within your environment; The standalone, dial-out terminals are not connected to the Internet; Your company does not transmit cardholder data over a network (either an internal network or the Internet); Your company retains only paper reports …
Modified p. 13
A virtual terminal is web-browser based access to an acquirer, processor or third party service provider website to authorize payment card transactions, where the merchant manually enters payment card data via a securely connected web browser. Unlike physical terminals, virtual terminals do not read data directly from a payment card. Because payment card transactions are entered manually, virtual terminals are typically used instead of physical terminals in merchant environments with low transaction volumes.
A virtual terminal is web-browser-based access to an acquirer, processor or third-party service provider website to authorize payment card transactions, where the merchant manually enters payment card data via a securely connected web browser. Unlike physical terminals, virtual terminals do not read data directly from a payment card. Because payment card transactions are entered manually, virtual terminals are typically used instead of physical terminals in merchant environments with low transaction volumes.
Modified p. 13
These merchants process cardholder data only via a virtual terminal and do not store cardholder data on any computer system. These virtual terminals are connected to the Internet to access a third party that hosts the virtual terminal payment processing function. This third party may be a processor, acquirer, or other third-party service provider who stores, processes, and/or transmits cardholder data to authorize and/or settle merchants’ virtual terminal payment transactions.
These merchants process cardholder data only via a virtual terminal and do not store cardholder data on any computer system. These virtual terminals are connected to the Internet to access a third party that hosts the virtual terminal payment-processing function. This third party may be a processor, acquirer, or other third-party service provider who stores, processes, and/or transmits cardholder data to authorize and/or settle merchants’ virtual terminal payment transactions.
Modified p. 14
• Your company’s only payment processing is done via a virtual terminal accessed by an Internet-connected web browser;
• Your company’s virtual terminal solution is provided and hosted by a PCI DSS validated third-party service provider;
• Your company accesses the PCI DSS compliant virtual terminal solution via a computer that is isolated in a single location, and is not connected to other locations or systems within your environment (this can be achieved via a firewall or network …
Your company’s only payment processing is done via a virtual terminal accessed by an Internet-connected web browser; Your company’s virtual terminal solution is provided and hosted by a PCI DSS validated third-party service provider; Your company accesses the PCI DSS-compliant virtual terminal solution via a computer that is isolated in a single location, and is not connected to other locations or systems within your environment (this can be achieved via a firewall or network segmentation …
Modified p. 14
• Your company has a payment application system and an Internet connection on the same device and/or same local area network (LAN);
• The payment application system/Internet device is not connected to any other systems within your environment (this can be achieved via network segmentation to isolate payment application system/Internet device from all other systems);
• Your company store is not connected to other store locations, and any LAN is for a single store only;
Your company has a payment application system and an Internet connection on the same device and/or same local area network (LAN); The payment application system/Internet device is not connected to any other systems within your environment (this can be achieved via network segmentation to isolate payment application system/Internet device from all other systems); Your company store is not connected to other store locations, and any LAN is for a single store only; • Your company retains only …
Modified p. 16
• Requirements 1.2.3, 2.1.1 and 4.1.1 (SAQs C and D): These questions specific to wireless only need to be answered if wireless is present anywhere in your network. Note that Requirement 11.1 (use of a process to identify unauthorized wireless access points) must still be answered even if wireless is not in your network, since the process detects any rogue or unauthorized devices that may have been added without your knowledge.
Requirements 1.2.3, 2.1.1 and 4.1.1 (SAQs C and D): These questions specific to wireless only need to be answered if wireless is present anywhere in your network. Note that Requirement 11.1 (use of a process to identify unauthorized wireless access points) must still be answered even if wireless is not in your network, since the process detects any rogue or unauthorized devices that may have been added without your knowledge.
Modified p. 16
• Requirements 6.3 and 6.5 (SAQ D): These questions are specific to custom applications and code, and only need to be answered if your organization develops its own custom applications.
Requirements 6.3 and 6.5 (SAQ D): These questions are specific to custom applications and code, and only need to be answered if your organization develops its own custom applications.
Modified p. 16
• Requirements 9.1 through 9.4 (SAQ D): These questions only need to be answered for facilities with “sensitive areas” as defined here. “Sensitive areas” refers to any data center, server room, or any area that houses systems that store, process, or transmit cardholder data. This excludes the areas where only point-of-sale terminals are present, such as the cashier areas in a retail store, but does include retail store back-office server rooms that store cardholder data, and storage areas for large …
Requirements 9.1 through 9.4 (SAQ D): These questions only need to be answered for facilities with “sensitive areas” as defined here. “Sensitive areas” refers to any data center, server room, or any area that houses systems that store, process, or transmit cardholder data. This excludes the areas where only point-of-sale terminals are present, such as the cashier areas in a retail store, but does include retail store back-office server rooms that store cardholder data, and storage areas for large …
Modified p. 16 → 17
4. Use the appropriate Self Assessment Questionnaire as a tool to validate compliance with the PCI DSS.
4. Use the appropriate Self-Assessment Questionnaire as a tool to validate compliance with the PCI DSS.
Modified p. 16 → 17
5. Follow the instructions in the appropriate Self-Assessment Questionnaire at “PCI DSS Compliance • Completion Steps,” and provide all required documentation to your acquirer or payment brand as appropriate.
5. Follow the instructions in the appropriate Self-Assessment Questionnaire at “PCI DSS Compliance