Document Comparison

PCI-DSS-v3_2-SAQ-B-rev1_1.pdf → PCI-DSS-v3-2-1-SAQ-B-r2.pdf
89% similar
26 → 26 Pages
5797 → 5864 Words
48 Content Changes

Content Changes

48 content changes. 25 administrative changes (dates, page numbers) hidden.

Added p. 2
This document aligns with PCI DSS v3.2.1 r1.

• Section 1 (Parts 1 & 2 of the AOC)

• Section 3 (Parts 3 & 4 of the AOC)
Added p. 10
• Examine system configurations.

• Examine deletion processes.

• The cardholder’s name,

• Primary account number (PAN),

• Expiration date, and
Added p. 11
• Examine system configurations.

• Review policies and procedures.

• Review roles that need access to displays of full PAN.

• Observe displays of PAN.
Added p. 13
• Interview management.

• Interview management.

• Review privileged user IDs.

• Review policies and procedures for physically securing media.

• Interview security personnel.

• Examine media distribution tracking logs and documentation.

• Examine media distribution tracking logs and documentation.

• Interview personnel
Added p. 15
• Examine the list of devices.

PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 9.9.1 (cont.) (b) Is the list accurate and up to date?

• Observe devices and device locations and compare to list.

(c) Is the list of devices updated when devices are added, relocated, decommissioned, etc.?

• Interview personnel.

Are personnel aware of procedures for inspecting devices?

• Interview personnel.
Added p. 18
• Interview a sample of responsible personnel.

• Review policies and procedures.
Added p. 19
• Review list of service providers.

• Observe written agreements.

• Review incident response plan procedures.
Modified p. 4
Your company uses only an imprint machine and/or uses only standalone, dial-out terminals (connected via a phone line to your processor) to take your customers’ payment card information; The standalone, dial-out terminals are not connected to any other systems within your environment; The standalone, dial-out terminals are not connected to the Internet; Your company does not transmit cardholder data over a network (either an internal network or the Internet); Any cardholder data your company retains …
Your company uses only an imprint machine and/or uses only standalone, dial-out terminals (connected via a phone line to your processor) to take your customers’ payment card information; The standalone, dial-out terminals are not connected to any other systems within your environment; The standalone, dial-out terminals are not connected to the Internet; Your company does not transmit cardholder data over a network (either an internal network or the Internet); Any cardholder data your company retains …
Modified p. 4
1. Identify the applicable SAQ for your environment – refer to the Self-Assessment Questionnaire Instructions and Guidelines document on PCI SSC website for information.
1. Identify the applicable SAQ for your environment – refer to the Self-Assessment Questionnaire Instructions and Guidelines document on PCI SSC website for information.
Modified p. 4
• Section 1 (Parts 1 & 2 of the AOC)

• Assessment Information and Executive Summary.
• Assessment Information and Executive Summary
Modified p. 4
• Section 2

• PCI DSS Self-Assessment Questionnaire (SAQ B)

• Section 3 (Parts 3 & 4 of the AOC)

• Validation and Attestation Details and Action Plan for Non-Compliant Requirements (if applicable)
• Validation and Attestation Details and Action Plan for Non-Compliant Requirements (if applicable)
Modified p. 4
5. Submit the SAQ and Attestation of Compliance (AOC), along with any other requested documentation – such as ASV scan reports – to your acquirer, payment brand or other requester.
5. Submit the SAQ and Attestation of Compliance (AOC), along with any other requested documentation – such as ASV scan reports – to your acquirer, payment brand, or other requester.
Removed p. 5
(PCI Data Security Standard Requirements and Security Assessment Procedures)

• Guidance on Scoping

• Guidance on the intent of all PCI DSS Requirements

• Details of testing procedures

• Guidance on Compensating Controls

SAQ Instructions and Guidelines documents

• Information about all SAQs and their eligibility criteria

• How to determine which SAQ is right for your organization
Modified p. 5
PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms Descriptions and definitions of terms used in the PCI DSS and self-assessment questionnaires These and other resources can be found on the PCI SSC website (www.pcisecuritystandards.org). Organizations are encouraged to review the PCI DSS and other supporting documents before beginning an assessment.
(PCI Data Security Standard Requirements and Security Assessment Procedures)

• Guidance on Scoping

• Guidance on the intent of all PCI DSS Requirements

• Details of testing procedures

• Guidance on Compensating Controls

SAQ Instructions and Guidelines documents

• Information about all SAQs and their eligibility criteria

• How to determine which SAQ is right for your organization
PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms Descriptions and definitions of terms used in the PCI DSS and self-assessment questionnaires These and other resources …
Modified p. 7
Section 1: Assessment Information Instructions for Submission This document must be completed as a declaration of the results of the merchant’s self-assessment with the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS). Complete all sections: The merchant is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact acquirer (merchant bank) or the payment brands to determine reporting and submission procedures.
Section 1: Assessment Information Instructions for Submission This document must be completed as a declaration of the results of the merchant’s self-assessment with the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS). Complete all sections: The merchant is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact your acquirer (merchant bank) or the payment brands to determine reporting and submission procedures.
Modified p. 8
Type of facility Number of facilities of this type Location(s) of facility (city, country) Example: Retail outlets 3 Boston, MA, USA Part 2d. Payment Application Does the organization use one or more Payment Applications? Yes No Provide the following information regarding the Payment Applications your organization uses:
Type of facility Number of facilities of this type Location(s) of facility (city, country) Example: Retail outlets 3 Boston, MA, USA Part 2d. Payment Applications Does the organization use one or more Payment Applications? Yes No Provide the following information regarding the Payment Applications your organization uses:
Modified p. 8
Does your business use network segmentation to affect the scope of your PCI DSS environment? (Refer to “Network Segmentation” section of PCI DSS for guidance on network segmentation)
Does your business use network segmentation to affect the scope of your PCI DSS environment? (Refer to “Network Segmentation” section of PCI DSS for guidance on network segmentation.)
Removed p. 10
• Incoming transaction data

• All logs

• History files

• Trace files

• Database schema

• Database contents
Modified p. 10
PCI DSS Question Expected Testing Response (Check one response for each question) Yes Yes with CCW No N/A 3.2 (c) Is sensitive authentication data deleted or rendered unrecoverable upon completion of the authorization process? • Review policies and procedures • Examine system configurations • Examine deletion processes (d) Do all systems adhere to the following requirements regarding non-storage of sensitive authentication data after authorization (even if encrypted):
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 3.2 (c) Is sensitive authentication data deleted or rendered unrecoverable upon completion of the authorization process? Review policies and procedures.
Modified p. 10
• The cardholder’s name, • Primary account number (PAN), • Expiration date, and • Service code To minimize risk, store only these data elements as needed for business.
Service code To minimize risk, store only these data elements as needed for business.
Modified p. 10
Examine data sources including:
Examine data sources including:
Removed p. 11
• Review policies and procedures

• Review roles that need access to displays of full PAN

• Examine system configurations

• Observe displays of PAN
Modified p. 11
PCI DSS Question Expected Testing Response (Check one response for each question) Yes Yes with CCW No N/A 3.2.2 The card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) is not stored after authorization? Examine data sources including:
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 3.2.2 The card verification code or value (three-digit or four- digit number printed on the front or back of a payment card) is not stored after authorization? Examine data sources including:
Modified p. 11
• Incoming transaction data • All logs • History files • Trace files • Database schema • Database contents 3.2.3 The personal identification number (PIN) or the encrypted PIN block is not stored after authorization? Examine data sources including:
- Database contents 3.2.3 The personal identification number (PIN) or the encrypted PIN block is not stored after authorization? Examine data sources including:
Modified p. 11
• Incoming transaction data • All logs • History files • Trace files • Database schema • Database contents 3.3 Is the PAN masked when displayed (the first six and last four digits are the maximum number of digits to be displayed) such that only personnel with a legitimate business need can see more than the first six/last four digits of the PAN? Note: This requirement does not supersede stricter requirements in place for displays of cardholder data – for example, legal …
- Database contents 3.3 Is the PAN masked when displayed (the first six and last four digits are the maximum number of digits to be displayed) such that only personnel with a legitimate business need can see more than the first six/last four digits of the PAN? Note: This requirement does not supersede stricter requirements in place for displays of cardholder data – for example, legal or payment card brand requirements for point-of-sale (POS) receipts.
Modified p. 12
PCI DSS Question Expected Testing Response (Check one response for each question) Yes Yes with CCW No N/A 4.2 (b) Are policies in place that state that unprotected PANs are not to be sent via end-user messaging technologies? Review policies and procedures
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 4.2 Are policies in place that state that unprotected PANs are not to be sent via end-user messaging technologies? Review policies and procedures.
Modified p. 13
PCI DSS Question Expected Testing Response (Check one response for each question) Yes Yes with CCW No N/A 7.1 Is access to system components and cardholder data limited to only those individuals whose jobs require such access, as follows:
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 7.1 Is access to system components and cardholder data limited to only those individuals whose jobs require such access, as follows:
Modified p. 13
To least privileges necessary to perform job responsibilities?
To least privileges necessary to perform job responsibilities?
Modified p. 13
Assigned only to roles that specifically require that privileged access?
Assigned only to roles that specifically require that privileged access? • Examine written access control
Modified p. 14
PCI DSS Question Expected Testing Response (Check one response for each question) Yes Yes with CCW No N/A 9.5 Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? For purposes of Requirement 9, “media” refers to all paper and electronic media containing cardholder data.
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 9.5 Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? For purposes of Requirement 9, “media” refers to all paper and electronic media containing cardholder data.
Removed p. 15
• Review policies and procedures 9.9.1 (a) Does the list of devices include the following?

• Make, model of device • Location of device (for example, the address of the site or facility where the device is located) • Device serial number or other method of unique identification • Examine the list of devices (b) Is the list accurate and up to date? • Observe devices and device locations and compare to list (c) Is the list of devices updated when devices are added, relocated, decommissioned, etc.? • Interview personnel
Modified p. 15
PCI DSS Question Expected Testing Response (Check one response for each question) Yes Yes with CCW No N/A (b) Are storage containers used for materials that contain information to be destroyed secured to prevent access to the contents?
• Observe processes Are storage containers used for materials that contain information to be destroyed secured to prevent access to the contents? • Examine security of storage containers.
Modified p. 15
(a) Do policies and procedures require that a list of such devices be maintained?
(a) Do policies and procedures require that a list of such devices be maintained? • Review policies and procedures.
Modified p. 15
• Review policies and procedures (b) Do policies and procedures require that devices are periodically inspected to look for tampering or substitution?
(b) Do policies and procedures require that devices are periodically inspected to look for tampering or substitution? • Review policies and procedures.
Modified p. 15
• Review policies and procedures (c) Do policies and procedures require that personnel are trained to be aware of suspicious behavior and to report tampering or substitution of devices?
(c) Do policies and procedures require that personnel are trained to be aware of suspicious behavior and to report tampering or substitution of devices? • Review policies and procedures.
Removed p. 16
• Interview personnel 9.9.3 Are personnel trained to be aware of attempted tampering or replacement of devices, to include the following?
Modified p. 16
• Interview personnel • Observe inspection processes and compare to defined processes (b) Are personnel aware of procedures for inspecting devices?
Observe inspection processes and compare to defined processes.
Modified p. 16 → 17
(a) Do training materials for personnel at point-of-sale locations include the following? Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices. Do not install, replace, or return devices without verification. Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices). Report suspicious behavior and indications of device tampering or substitution to appropriate personnel …
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 9.9.3 Are personnel trained to be aware of attempted tampering or replacement of devices, to include the following? (a) Do training materials for personnel at point-of-sale locations include the following? - Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices. - Do not install, replace, or return devices without verification. …
Modified p. 16 → 17
Review training materials
Review training materials.
Modified p. 17
PCI DSS Question Expected Testing Response (Check one response for each question) Yes Yes with CCW No N/A (b) Have personnel at point-of-sale locations received training, and are they aware of procedures to detect and report attempted tampering or replacement of devices? Interview personnel at POS
(b) Have personnel at point-of-sale locations received training, and are they aware of procedures to detect and report attempted tampering or replacement of devices? Interview personnel at POS locations.
Removed p. 18
• Review usage policies • Interview responsible personnel 12.3.3 A list of all such devices and personnel with access? • Review usage policies • Interview responsible personnel 12.3.5 Acceptable uses of the technologies? • Review usage policies • Interview responsible personnel 12.4 Do security policy and procedures clearly define information security responsibilities for all personnel? • Review information security policy and procedures • Interview a sample of responsible
Modified p. 18
PCI DSS Question Expected Testing Response (Check one response for each question) Yes Yes with CCW No N/A 12.1 Is a security policy established, published, maintained, and disseminated to all relevant personnel?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 12.1 Is a security policy established, published, maintained, and disseminated to all relevant personnel? • Review the information security policy.
Modified p. 19
PCI DSS Question Expected Testing Response (Check one response for each question) Yes Yes with CCW No N/A 12.5 (b) Are the following information security management responsibilities formally assigned to an individual or team:
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 12.5 (b) Are the following information security management responsibilities formally assigned to an individual or team:
Modified p. 20
PCI DSS Question Expected Testing Response (Check one response for each question) Yes Yes with CCW No N/A 12.8.4 Is a program maintained to monitor service providers’ PCI DSS compliance status at least annually?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 12.8.4 Is a program maintained to monitor service providers’ PCI DSS compliance status at least annually? • Review policies and procedures and supporting documentation.
Modified p. 21
Appendix A2: Additional PCI DSS Requirements for Entities using SSL/early TLS This appendix is not used for SAQ B merchant assessments Appendix A3: Designated Entities Supplemental Validation (DESV) This Appendix applies only to entities designated by a payment brand(s) or acquirer as requiring additional validation of existing PCI DSS requirements. Entities required to validate to this Appendix should use the DESV Supplemental Reporting Template and Supplemental Attestation of Compliance for reporting, and consult with the applicable payment brand and/or acquirer …
Appendix A2: Additional PCI DSS Requirements for Entities using SSL/early TLS for Card-Present POS POI Terminal Connections This appendix is not used for SAQ B merchant assessments Appendix A3: Designated Entities Supplemental Validation (DESV) This Appendix applies only to entities designated by a payment brand(s) or acquirer as requiring additional validation of existing PCI DSS requirements. Entities required to validate to this Appendix should use the DESV Supplemental Reporting Template and Supplemental Attestation of Compliance for reporting, and consult with …
Modified p. 24
Based on the results documented in the SAQ B noted above, the signatories identified in Parts 3b-3d, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document: (check one):
Based on the results documented in the SAQ B noted above, the signatories identified in Parts 3b-3d, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document (check one):
Modified p. 25
ASV scans are being completed by the PCI SSC Approved Scanning Vendor (ASV Name) Part 3b. Merchant Attestation Signature of Merchant Executive Officer Date:
ASV scans are being completed by the PCI SSC Approved Scanning Vendor (ASV Name).
Modified p. 26
PCI DSS Requirement* Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO 3 Protect stored cardholder data Encrypt transmission of cardholder data across open, public networks 7 Restrict access to cardholder data by business need to know 9 Restrict physical access to cardholder data Maintain a policy that addresses information security for all personnel * PCI DSS Requirements indicated here refer to the questions in Section 2 …
PCI DSS Requirement* Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO 3 Protect stored cardholder data.