Document Comparison
SAQ_D_v3_Merchant.pdf
→
PCI_DSS_v3-1_SAQ_D_Merchant_rev1-1.pdf
85% similar
82 → 87
Pages
20115 → 21423
Words
124
Content Changes
Content Changes
124 content changes. 29 administrative changes (dates, page numbers) hidden.
Added
p. 2
July 2015 3.1 1.1 Updated to remove references to “best practices” prior to June 30, 2015, and remove the PCI DSS v2 reporting option for Requirement 11.3.
Added
p. 8
Type of facility Number of facilities of this type Location(s) of facility (city, country) Example: Retail outlets 3 Boston, MA, USA Part 2d. Payment Application Does the organization use one or more Payment Applications? Yes No Provide the following information regarding the Payment Applications your organization uses:
Added
p. 11
Review firewall configuration standards Observe network configurations to verify that a firewall(s) is in place (b) Is the current network diagram consistent with the firewall configuration standards?
Added
p. 12
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 1.2 Do firewall and router configurations restrict connections between untrusted networks and any system in the cardholder data environment as follows:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 1.3 Is direct public access prohibited between the Internet and any system component in the cardholder data environment, as follows:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 1.3 Is direct public access prohibited between the Internet and any system component in the cardholder data environment, as follows:
Added
p. 18
Review configuration standards Examine configuration settings If SSL/early TLS is used:
Review documentation that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS Review Risk Mitigation and Migration Plan
Review documentation that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS Review Risk Mitigation and Migration Plan
Added
p. 21
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (e) For POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS and for which the entity asserts are not susceptible to any known exploits for those protocols: Is there documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies the devices are not susceptible to any known exploits for SSL/early TLS? Review documentation that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS (f) For all other environments using SSL and/or early TLS:
Does the documented Risk Mitigation and Migration Plan include the following? Description of usage, including; what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, type of environment; Risk assessment results and risk reduction controls in …
Does the documented Risk Mitigation and Migration Plan include the following? Description of usage, including; what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, type of environment; Risk assessment results and risk reduction controls in …
Added
p. 24
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.2 (a) This testing procedure applies only to Issuers.
Incoming transaction data All logs History files Trace files Database schema Database contents 3.2.3 The personal identification number (PIN) or the encrypted PIN block is not stored after authorization? Examine data sources including:
Incoming transaction data All logs History files Trace files Database schema Database contents 3.2.3 The personal identification number (PIN) or the encrypted PIN block is not stored after authorization? Examine data sources including:
Added
p. 30
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.6.7 Do cryptographic key procedures include the prevention of unauthorized substitution of cryptographic keys?
Does the documented Risk Mitigation and Migration Plan include the following? Description of usage, including; what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, type of environment; Risk assessment results and risk reduction controls in place; Description of processes to monitor for new vulnerabilities associated with SSL/early TLS; Description of change control processes that are implemented to ensure SSL/early TLS is not implemented into new environments; Overview of migration project plan including target migration completion date no later than 30th June 2016.
Review Risk Mitigation and Migration Plan
Examine system configurations (f) For POS POI terminals (and the SSL/TLS termination points to which they connect) using …
Does the documented Risk Mitigation and Migration Plan include the following? Description of usage, including; what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, type of environment; Risk assessment results and risk reduction controls in place; Description of processes to monitor for new vulnerabilities associated with SSL/early TLS; Description of change control processes that are implemented to ensure SSL/early TLS is not implemented into new environments; Overview of migration project plan including target migration completion date no later than 30th June 2016.
Review Risk Mitigation and Migration Plan
Examine system configurations (f) For POS POI terminals (and the SSL/TLS termination points to which they connect) using …
Added
p. 41
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 6.5 (a) Do software-development processes address common coding vulnerabilities?
- At least annually - After any changes - By an organization that specializes in application security - That, at a minimum, all vulnerabilities in
- Is situated in front of public-facing web applications to detect and prevent web-based attacks. - Is actively running and up to date as applicable. - Is generating audit logs. - Is configured to either block web-based attacks, or generate an alert that is immediately investigated.
- At least annually - After any changes - By an organization that specializes in application security - That, at a minimum, all vulnerabilities in
- Is situated in front of public-facing web applications to detect and prevent web-based attacks. - Is actively running and up to date as applicable. - Is generating audit logs. - Is configured to either block web-based attacks, or generate an alert that is immediately investigated.
Added
p. 55
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.3 Is physical access to sensitive areas controlled for onsite personnel, as follows:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.6.2 Is media sent by secured courier or other delivery method that can be accurately tracked?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.9.1 (a) Does the list of devices include the following?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.6.2 Is media sent by secured courier or other delivery method that can be accurately tracked?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.9.1 (a) Does the list of devices include the following?
Added
p. 75
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 12.3 Are usage policies for critical technologies developed to define proper use of these technologies and require the following:
Modified
p. 1
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Merchants All other SAQ-Eligible Merchants Version 3.0
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Merchants All other SAQ-Eligible Merchants For use with PCI DSS Version 3.1 Revision 1.1
Modified
p. 5 → 4
PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms Descriptions and definitions of terms used in the PCI DSS and self-assessment questionnaires These and other resources can be found on the PCI SSC website (www.pcisecuritystandards.org). Organizations are encouraged to review the PCI DSS and other supporting documents before beginning an assessment.
PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms Descriptions and definitions of terms used in the PCI DSS and self-assessment questionnaires
Removed
p. 10
Interview personnel 1.1.4 (a) Is a firewall required and implemented at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone? Review firewall configuration standards Observe network configurations to verify that a firewall(s) is in place
Modified
p. 10
(b) Is there a process to ensure the diagram is kept current?
(b) Is there a process to ensure the diagram is kept current? Interview personnel
Modified
p. 11
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (b) Is the current network diagram consistent with the firewall configuration standards?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 1.1.4 (a) Is a firewall required and implemented at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone?
Modified
p. 11
Review firewall and router configuration standards (b) Are firewall and router rule sets reviewed at least every six months? Examine documentation from firewall reviews 1.2 Do firewall and router configurations restrict connections between untrusted networks and any system in the cardholder data environment as follows:
Review firewall and router configuration standards (b) Are firewall and router rule sets reviewed at least every six months? Examine documentation from firewall reviews
Modified
p. 12
Review firewall and router configuration standards Examine router configuration files and router configurations 1.2.3 Are perimeter firewalls installed between all wireless networks and the cardholder data environment, and are these firewalls configured to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment? Review firewall and router configuration standards Examine firewall and router configurations 1.3 Is direct public access prohibited between the Internet and …
Review firewall and router configuration standards Examine router configuration files and router configurations 1.2.3 Are perimeter firewalls installed between all wireless networks and the cardholder data environment, and are these firewalls configured to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment? Review firewall and router configuration standards Examine firewall and router configurations
Modified
p. 12 → 13
Examine firewall and router configurations 1.3.3 Are direct connections prohibited for inbound or outbound traffic between the Internet and the cardholder data environment? Examine firewall and router configurations
Examine firewall and router configurations 1.3.3 Are direct connections prohibited for inbound or outbound traffic between the Internet and the cardholder data environment?
Modified
p. 13
Examine firewall and router configurations 1.3.4 Are anti-spoofing measures implemented to detect and block forged sourced IP addresses from entering the network?
Modified
p. 13
Examine firewall and router configurations 1.3.7 Are system components that store cardholder data (such as a database) placed in an internal network zone, segregated from the DMZ and other untrusted networks?
Examine firewall and router configurations 1.3.7 Are system components that store cardholder data (such as a database) placed in an internal network zone, segregated from the DMZ and other untrusted networks? Examine firewall and router configurations
Modified
p. 13 → 14
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 1.3.8 (a) Are methods in place to prevent the disclosure of private IP addresses and routing information to the Internet? Note: Methods to obscure IP addressing may include, but are not limited to:
Modified
p. 13 → 14
Examine firewall and router configurations (b) Is any disclosure of private IP addresses and routing information to external entities authorized? Examine firewall and router configurations Interview personnel
Examine firewall and router configurations (b) Is any disclosure of private IP addresses and routing information to external entities authorized?
Modified
p. 14
Examine firewall and router configurations Interview personnel 1.4 (a) Is personal firewall software installed and active on any mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network?
Modified
p. 17
Examine system configurations (b) If virtualization technologies are used, is only one primary function implemented per virtual system component or device?
Examine system configurations (b) If virtualization technologies are used, is only one primary function implemented per virtual system component or device? Examine system configurations
Modified
p. 17 → 18
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 2.2.2 (a) Are only necessary services, protocols, daemons, etc. enabled as required for the function of the system (services and protocols not directly needed to perform the device’s specified function are disabled)?
Modified
p. 18
Review configuration standards Examine system configurations (b) Are all enabled insecure services, daemons, or protocols justified per documented configuration standards?
Modified
p. 18
Review configuration standards Interview personnel Examine configuration settings Compare enabled services, etc. to documented justifications 2.2.3 Are additional security features documented and implemented for any required services, protocols or daemons that are considered to be insecure? For example, use secured technologies such as SSH, S- FTP, SSL or IPSec VPN to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc.
Review configuration standards Interview personnel Examine configuration settings Compare enabled services, etc. to documented justifications 2.2.3 Are additional security features documented and implemented for any required services, protocols or daemons that are considered to be insecure? For example, use secured technologies such as SSH, S- FTP, TLS, or IPSec VPN to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc.
Modified
p. 18 → 19
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 2.2.4 (a) Are system administrators and/or personnel that configure system components knowledgeable about common security parameter settings for those system components?
Modified
p. 19 → 20
Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
Use technologies such as SSH, VPN, or TLS for web- based management and other non-console administrative access.
Modified
p. 19 → 20
Examine system components Observe an administrator log on (d) For the technology in use, is strong cryptography implemented according to industry best practice and/or vendor recommendations?
Examine system components Observe an administrator log on (d) For the technology in use, is strong cryptography implemented according to industry best practice and/or vendor recommendations? Examine system components Review vendor documentation Interview personnel
Modified
p. 19 → 22
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 2.4 (a) Is an inventory maintained for systems components that are in scope for PCI DSS, including a list of hardware and software components and a description of function/use for each? Examine system inventory (b) Is the documented inventory kept current? Interview personnel 2.5 Are security policies and operational procedures for managing vendor defaults and other security parameters:
Modified
p. 20 → 23
(a) Is data storage amount and retention time limited to that required for legal, regulatory, and business requirements?
(a) Is data storage amount and retention time limited to that required for legal, regulatory, and/or business requirements?
Modified
p. 20 → 23
Review data retention and disposal policies and procedures Interview personnel (b) Are there defined processes in place for securely deleting cardholder data when no longer needed for legal, regulatory, or business reasons?
Review data retention and disposal policies and procedures Interview personnel (b) Are there defined processes in place for securely deleting cardholder data when no longer needed for legal, regulatory, and/or business reasons?
Modified
p. 20 → 23
Review policies and procedures Interview personnel Observe deletion processes (e) Does all stored cardholder data meet the requirements defined in the data-retention policy? Examine files and system records 3.2 (a) This testing procedure applies only to Issuers.
Review policies and procedures Interview personnel Observe deletion processes (e) Does all stored cardholder data meet the requirements defined in the data-retention policy? Examine files and system records
Modified
p. 20 → 24
(c) Is sensitive authentication data deleted or rendered unrecoverable upon completion of the authorization process? Review policies and procedures Examine system configurations Examine deletion processes
(c) Is sensitive authentication data deleted or rendered unrecoverable upon completion of the authorization process? Review policies and procedures Examine system configurations Examine deletion processes (d) Do all systems adhere to the following requirements regarding non-storage of sensitive authentication data after authorization (even if encrypted):
Removed
p. 21
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (d) Do all systems adhere to the following requirements regarding non-storage of sensitive authentication data after authorization (even if encrypted):
Incoming transaction data All logs History files Trace files Database schema Database contents 3.2.2 The card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) is not stored after authorization? Examine data sources including:
Incoming transaction data All logs History files Trace files Database schema Database contents 3.2.2 The card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) is not stored after authorization? Examine data sources including:
Modified
p. 22 → 25
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.2.3 The personal identification number (PIN) or the encrypted PIN block is not stored after authorization? Examine data sources including:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 3.2.2 The card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) is not stored after authorization? Examine data sources including:
Modified
p. 23 → 26
Note: It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity’s environment, additional controls should be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN.
Note: It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity’s environment, additional controls must be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN.
Modified
p. 24 → 27
Examine user access lists 3.5.2 Are secret and private cryptographic keys used to encrypt/decrypt cardholder data stored in in one (or more) of the following forms at all times? Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key Within a secure cryptographic device (such as a host security module (HSM) or PTS-approved point-of- interaction device) As at least two full-length key …
Examine user access lists 3.5.2 Are secret and private cryptographic keys used to encrypt/decrypt cardholder data stored in one (or more) of the following forms at all times? Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key Within a secure cryptographic device (such as a hardware (host) security module (HSM) or PTS- approved point-of-interaction device) As at least two full-length key …
Modified
p. 26 → 29
Review key-management procedures Interview personnel and/or Observe processes 3.6.7 Do cryptographic key procedures include the prevention of unauthorized substitution of cryptographic keys? Review procedures Interview personnel and/or Observe processes
Review key-management procedures Interview personnel and/or Observe processes
Modified
p. 27 → 30
Review procedures Interview personnel and/or Observe processes 3.6.8 Are cryptographic key custodians required to formally acknowledge (in writing or electronically) that they understand and accept their key-custodian responsibilities? Review procedures Review documentation or other evidence 3.7 Are security policies and operational procedures for protecting stored cardholder data:
Modified
p. 28 → 31
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 4.1 (a) Are strong cryptography and security protocols, such as SSL/TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks? Examples of open, public networks include but are not limited to the Internet; wireless technologies, including 802.11 and Bluetooth; cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA); and …
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 4.1 (a) Are strong cryptography and security protocols, such as TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks? Examples of open, public networks include but are not limited to the Internet; wireless technologies, including 802.11 and Bluetooth; cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA); and …
Modified
p. 28 → 31
Examine system configurations (d) Is the proper encryption strength implemented for the encryption methodology in use (check vendor recommendations/best practices)?
Examine system configurations (d) Is the proper encryption strength implemented for the encryption methodology in use (check vendor recommendations/best practices)? Review vendor documentation Examine system configurations
Modified
p. 28 → 32
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (e) For TLS implementations, is TLS enabled whenever cardholder data is transmitted or received? For example, for browser-based implementations:
Modified
p. 29 → 33
Review documented standards Review wireless networks Examine system configuration settings 4.2 (a) Are PANs rendered unreadable or secured with strong cryptography whenever they are sent via end- user messaging technologies (for example, e-mail, instant messaging, or chat)?
Review documented standards Review wireless networks Examine system configuration settings 4.2 (a) Are PANs rendered unreadable or secured with strong cryptography whenever they are sent via end-user messaging technologies (for example, e-mail, instant messaging, SMS, chat, etc.)?
Modified
p. 32 → 37
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 6.2 (a) Are all system components and software protected from known vulnerabilities by installing applicable vendor- supplied security patches? Review policies and procedures (b) Are critical security patches installed within one month of release? Note: Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1.
Modified
p. 32 → 37
Review policies and procedures Examine system components Compare list of security patches installed to recent vendor patch lists
Review policies and procedures Examine system components Compare list of security patches installed to recent vendor patch lists 6.3 (a) Are software- development processes based on industry standards and/or best practices?
Removed
p. 33
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 6.3 (a) Are software- development processes based on industry standards and/or best practices?
Modified
p. 34 → 38
Are code review results are reviewed and approved by management prior to release? Note: This requirement for code reviews applies to all custom code (both internal and public-facing), as part of the system development life cycle. Code reviews can be conducted by knowledgeable internal personnel or third parties. Public-facing web applications are also subject to additional controls, to address ongoing threats and vulnerabilities after implementation, as defined at PCI DSS Requirement 6.6.
Are code review results are reviewed and approved by management prior to release? Note: This requirement for code reviews applies to all custom code (both internal and public-facing), as part of the system development life cycle. Code reviews can be conducted by knowledgeable internal personnel or third parties. Public- facing web applications are also subject to additional controls, to address ongoing threats and vulnerabilities after implementation, as defined at PCI DSS Requirement 6.6.
Removed
p. 36
Trace changes to change control documentation Examine change control documentation 6.4.5.4 Back-out procedures? Trace changes to change control documentation Examine change control documentation 6.5 (a) Do software-development processes address common coding vulnerabilities?
Modified
p. 36 → 40
Trace changes to change control documentation Examine change control documentation (b) For custom code changes, testing of updates for compliance with PCI DSS Requirement 6.5 before being deployed into production?
Trace changes to change control documentation Examine change control documentation (b) For custom code changes, testing of updates for compliance with PCI DSS Requirement 6.5 before being deployed into production? Trace changes to change control documentation Examine change control documentation 6.4.5.4 Back-out procedures? Trace changes to change control documentation Examine change control documentation
Modified
p. 37 → 41
Examine software-development policies and procedures Interview responsible personnel 6.5.2 Do coding techniques address buffer overflow vulnerabilities?
Examine software-development policies and procedures Interview responsible personnel 6.5.2 Do coding techniques address buffer overflow vulnerabilities? Examine software-development policies and procedures Interview responsible personnel 6.5.3 Do coding techniques address insecure cryptographic storage? Examine software-development policies and procedures Interview responsible personnel 6.5.4 Do coding techniques address insecure communications? Examine software-development policies and procedures Interview responsible personnel
Modified
p. 37 → 42
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 6.5.5 Do coding techniques address improper error handling? Examine software-development policies and procedures Interview responsible personnel 6.5.6 Do coding techniques address all “high risk” vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.1)? Examine software-development policies and procedures Interview responsible personnel For web applications and application interfaces (internal or external), are applications …
Modified
p. 37 → 42
Examine software-development policies and procedures Interview responsible personnel 6.5.8 Do coding techniques address improper access control such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions? Examine software-development policies and procedures Interview responsible personnel
Examine software-development policies and procedures Interview responsible personnel 6.5.8 Do coding techniques address improper access control such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions?
Modified
p. 38 → 42
Examine software-development policies and procedures Interview responsible personnel 6.5.9 Do coding techniques address cross-site request forgery (CSRF)?
Modified
p. 38 → 42
Examine software-development policies and procedures Interview responsible personnel 6.5.10 Do coding techniques address broken authentication and session management? Note: Requirement 6.5.10 is a best practice until June 30, 2015, after which it becomes a requirement.
Examine software-development policies and procedures Interview responsible personnel 6.5.10 Do coding techniques address broken authentication and session management? Examine software-development policies and procedures Interview responsible personnel
Modified
p. 38 → 43
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 6.6 For public-facing web applications, are new threats and vulnerabilities addressed on an ongoing basis, and are these applications protected against known attacks by applying either of the following methods? Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, as follows:
Modified
p. 38 → 43
Note: This assessment is not the same as the vulnerability scans performed for Requirement 11.2.
Requirement 6.5 are included in the assessment - That all vulnerabilities are corrected - That the application is re-evaluated after the corrections Note: This assessment is not the same as the vulnerability scans performed for Requirement 11.2.
Modified
p. 38 → 43
Installing an automated technical solution that detects and prevents web-based attacks (for example, a web- application firewall) in front of public-facing web applications to continually check all traffic.
Installing an automated technical solution that detects and prevents web-based attacks (for example, a web- application firewall) as follows:
Modified
p. 42 → 47
Review password procedures Examine terminated users accounts Review current access lists Observe returned physical authentication devices 8.1.4 Are inactive user accounts over 90 days old either removed or disabled?
Review password procedures Examine terminated users accounts Review current access lists Observe returned physical authentication devices 8.1.4 Are inactive user accounts either removed or disabled within 90 days?
Modified
p. 45 → 50
Review policies and procedures Examine system configurations Observe personnel 8.4 (a) Are authentication procedures and policies documented and communicated to all users?
Review policies and procedures Examine system configurations Observe personnel 8.4 (a) Are authentication policies and procedures documented and communicated to all users?
Modified
p. 45 → 50
Review policies and procedures Review distribution method Interview personnel Interview users (b) Do authentication procedures and policies include the following? Guidance on selecting strong authentication credentials Guidance for how users should protect their authentication credentials Instructions not to reuse previously used passwords Instructions that users should change passwords if there is any suspicion the password could be compromised Review policies and procedures Review documentation provided to users
Review policies and procedures Review distribution method Interview personnel Interview users (b) Do authentication policies and procedures include the following? Guidance on selecting strong authentication credentials Guidance for how users should protect their authentication credentials Instructions not to reuse previously used passwords Instructions that users should change passwords if there is any suspicion the password could be compromised Review policies and procedures Review documentation provided to users
Modified
p. 48 → 53
Observe physical access controls Observe personnel 9.1.1 (a) Are video cameras and/or access-control mechanisms in place to monitor individual physical access to sensitive areas? Note: “Sensitive areas” refers to any data center, server room, or any area that houses systems that store cardholder data. This excludes pubic-facing areas where only point-of-sale terminals are present such as the cashier areas in a retail store.
Observe physical access controls Observe personnel 9.1.1 (a) Are video cameras and/or access-control mechanisms in place to monitor individual physical access to sensitive areas? Note: “Sensitive areas” refers to any data center, server room, or any area that houses systems that store, process, or transmit cardholder data. This excludes public-facing areas where only point-of-sale terminals are present such as the cashier areas in a retail store.
Modified
p. 48 → 53
Review policies and procedures Interview security personnel (d) Is data collected from video cameras and/or access control mechanisms stored for at least three months unless otherwise restricted by law?
Review policies and procedures Interview security personnel (d) Is data collected from video cameras and/or access control mechanisms stored for at least three months unless otherwise restricted by law? Review data retention processes Observe data storage Interview security personnel
Modified
p. 48 → 54
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.1.2 Are physical and/or logical controls in place to restrict access to publicly accessible network jacks? For example, network jacks located in public areas and areas accessible to visitors could be disabled and only enabled when network access is explicitly authorized. Alternatively, processes could be implemented to ensure that visitors are escorted at all times in areas with active network jacks.
Modified
p. 49 → 54
Review policies and procedures Interview personnel Observe locations 9.1.3 Is physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines restricted? Review policies and procedures Interview personnel Observe devices 9.2 (a) Are procedures developed to easily distinguish between onsite personnel and visitors, which include:
Modified
p. 49 → 54
Identifying new onsite personnel or visitors (for example, assigning badges), Changing access requirements, and Revoking terminated onsite personnel and expired visitor identification (such as ID badges) For the purposes of Requirement 9, “onsite personnel” refers to full-time and part-time employees, temporary employees, contractors and consultants who are physically present on the entity’s premises. A “visitor” refers to a vendor, guest of any onsite personnel, service workers, or anyone who needs to enter the facility for a short …
Identifying onsite personnel and visitors (for example, assigning badges), Changing access requirements, and Revoking terminated onsite personnel and expired visitor identification (such as ID badges) For the purposes of Requirement 9, “onsite personnel” refers to full-time and part-time employees, temporary employees, contractors and consultants who are physically present on the entity’s premises. A “visitor” refers to a vendor, guest of any onsite personnel, service workers, or anyone who needs to enter the facility for a short duration, …
Modified
p. 49 → 54
Observe identification methods (c) Is access to the badge system limited to authorized personnel? Observe physical controls and access controls for the badge system 9.3 Is physical access to sensitive areas controlled for onsite personnel, as follows:
Observe identification methods (c) Is access to the badge system limited to authorized personnel? Observe physical controls and access controls for the badge system
Modified
p. 49 → 55
Is access revoked immediately upon termination Upon termination, are all physical access mechanisms, such as keys, access cards, etc., returned or disabled? Interview personnel Examine access control lists Observe onsite personnel Compare lists of terminated employees to access control lists
Is access revoked immediately upon termination Upon termination, are all physical access mechanisms, such as keys, access cards, etc., returned or disabled? Interview personnel Examine access control lists Observe onsite personnel Compare lists of terminated employees to access control lists 9.4 Is visitor identification and access handled as follows:
Removed
p. 50
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.4 Is visitor identification and access handled as follows:
Modified
p. 50 → 55
Observe badge use of personnel and visitors Examine identification (b) Do visitor badges or other identification expire? Observe process Examine identification 9.4.3 Are visitors asked to surrender the badge or other identification before leaving the facility or at the date of expiration?
Observe badge use of personnel and visitors Examine identification (b) Do visitor badges or other identification expire? Observe process Examine identification 9.4.3 Are visitors asked to surrender the badge or other identification before leaving the facility or at the date of expiration? Observe processes Observe visitors leaving facility
Modified
p. 50 → 56
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.4.4 (a) Is a visitor log in use to record physical access to the facility as well as for computer rooms and data centers where cardholder data is stored or transmitted?
Modified
p. 50 → 56
Review policies and procedures for physically securing media Interview personnel
Review policies and procedures for physically securing media Interview personnel 9.5.1 (a) Are media back-ups stored in a secure location, preferably in an off-site facility, such as an alternate or backup site, or a commercial storage facility?
Removed
p. 51
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.5.1 (a) Are media back-ups stored in a secure location, preferably in an off-site facility, such as an alternate or backup site, or a commercial storage facility?
Review policies and procedures for media classification Interview security personnel 9.6.2 Is media sent by secured courier or other delivery method that can be accurately tracked?
Review policies and procedures for media classification Interview security personnel 9.6.2 Is media sent by secured courier or other delivery method that can be accurately tracked?
Modified
p. 51 → 57
Examine inventory logs Interview personnel 9.8 (a) Is all media destroyed when it is no longer needed for business or legal reasons? Review periodic media destruction policies and procedures
Examine inventory logs Interview personnel 9.8 (a) Is all media destroyed when it is no longer needed for business or legal reasons?
Modified
p. 52 → 57
Review periodic media destruction policies and procedures (b) Is there a periodic media destruction policy that defines requirements for the following? Hard-copy materials must be crosscut shredded, incinerated, or pulped such that there is reasonable assurance the hard-copy materials cannot be reconstructed.
Modified
p. 52 → 57
Cardholder data on electronic media must be rendered unrecoverable via a secure wipe program (in accordance with industry-accepted standards for secure deletion), or by physically destroying the media.
Cardholder data on electronic media must be rendered unrecoverable (e.g. via a secure wipe program in accordance with industry-accepted standards for secure deletion, or by physically destroying the media).
Modified
p. 52 → 58
Examine security of storage containers 9.8.2 Is cardholder data on electronic media rendered unrecoverable via a secure wipe program in accordance with industry-accepted standards for secure deletion, or otherwise by physically destroying the media, so that cardholder data cannot be reconstructed? Observe processes Interview personnel
Examine security of storage containers 9.8.2 Is cardholder data on electronic media rendered unrecoverable (e.g. via a secure wipe program in accordance with industry-accepted standards for secure deletion, or otherwise by physically destroying the media), so that cardholder data cannot be reconstructed?
Removed
p. 53
Note: Requirement 9.9 is a best practice until June 30, 2015, after which it becomes a requirement.
Review policies and procedures 9.9.1 (a) Does the list of devices include the following?
Review policies and procedures 9.9.1 (a) Does the list of devices include the following?
Modified
p. 53 → 58
Observe processes Interview personnel 9.9 Are devices that capture payment card data via direct physical interaction with the card protected against tampering and substitution as follows? Note: This requirement applies to card-reading devices used in card-present transactions (that is, card swipe or dip) at the point of sale. This requirement is not intended to apply to manual key-entry components such as computer keyboards and POS keypads.
Modified
p. 53 → 58
(a) Do policies and procedures require that a list of such devices maintained?
(a) Do policies and procedures require that a list of such devices be maintained?
Modified
p. 53 → 58
Review policies and procedures (c) Do policies and procedures require that personnel are trained to be aware of suspicious behavior and to report tampering or substitution of devices?
Review policies and procedures (c) Do policies and procedures require that personnel are trained to be aware of suspicious behavior and to report tampering or substitution of devices? Review policies and procedures
Modified
p. 53 → 59
Make, model of device Location of device (for example, the address of the site or facility where the device is located) Device serial number or other method of unique identification Examine the list of devices (b) Is the list accurate and up to date? Observe device locations and compare to list (c) Is the list of devices updated when devices are added, relocated, decommissioned, etc.? Interview personnel
Make, model of device Location of device (for example, the address of the site or facility where the device is located) Device serial number or other method of unique identification Examine the list of devices (b) Is the list accurate and up to date? Observe devices and device locations and compare to list (c) Is the list of devices updated when devices are added, relocated, decommissioned, etc.?
Removed
p. 54
Interview personnel 9.9.3 Are personnel trained to be aware of attempted tampering or replacement of devices, to include the following?
Modified
p. 54 → 59
Interview personnel 9.9.2 (a) Are device surfaces periodically inspected to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device) as follows? Note: Examples of signs that a device might have been tampered with or substituted include unexpected attachments or cables plugged into the device, missing or changed security labels, broken or differently colored casing, …
Modified
p. 54 → 59
Interview personnel Observe inspection processes and compare to defined processes (b) Are personnel are aware of procedures for inspecting devices?
Interview personnel Observe inspection processes and compare to defined processes (b) Are personnel are aware of procedures for inspecting devices? Interview personnel
Modified
p. 54 → 60
(a) Do training materials for personnel at point-of-sale locations include the following? Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices. Do not install, replace, or return devices without verification. Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices). Report suspicious behavior and indications of device tampering or substitution to appropriate personnel …
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 9.9.3 Are personnel trained to be aware of attempted tampering or replacement of devices, to include the following? (a) Do training materials for personnel at point-of-sale locations include the following? Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices. Do not install, replace, or …
Modified
p. 55 → 60
Review training materials (b) Have personnel at point-of-sale locations received training, and are they aware of procedures to detect and report attempted tampering or replacement of devices? Interview personnel at POS locations 9.10 Are security policies and operational procedures for restricting physical access to cardholder data:
Modified
p. 60 → 65
All security events Logs of all system components that store, process, or transmit CHD and/or SAD, or that could impact the security of CHD and/or SAD Logs of all critical system components Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion- prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.) Review security policies and procedures (b) Are the above logs and security events reviewed at least daily? …
All security events Logs of all system components that store, process, or transmit CHD and/or SAD Logs of all critical system components Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion- prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.) Review security policies and procedures (b) Are the above logs and security events reviewed at least daily? Observe processes Interview personnel 10.6.2 (a) Are written policies …
Modified
p. 62 → 67
Evaluate the methodology (c) Is the scan to identify authorized and unauthorized wireless access points performed at least quarterly for all system components and facilities?
Evaluate the methodology (c) If wireless scanning is utilized to identify authorized and unauthorized wireless access points, is the scan performed at least quarterly for all system components and facilities?
Modified
p. 62 → 67
Examine configuration settings 11.1.1 Is an inventory of authorized wireless access points maintained and a business justification documented for all authorized wireless access points?
Examine configuration settings 11.1.1 Is an inventory of authorized wireless access points maintained and a business justification documented for all authorized wireless access points? Examine inventory records
Modified
p. 62 → 68
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 11.1.2 (a) Does the incident response plan define and require a response in the event that an unauthorized wireless access point is detected?
Modified
p. 63 → 68
Examine incident response plan (see Requirement 12.10) (b) Is action taken when unauthorized wireless access points are found?
Modified
p. 63 → 68
For initial PCI DSS compliance, it is not required that four quarters of passing scans be completed if the assessor verifies 1) the most recent scan result was a passing scan, 2) the entity has documented policies and procedures requiring quarterly scanning, and 3) vulnerabilities noted in the scan results have been corrected as shown in a re- scan(s). For subsequent years after the initial PCI DSS review, four quarters of passing scans must have occurred.
For initial PCI DSS compliance, it is not required that four quarters of passing scans be completed if the assessor verifies 1) the most recent scan result was a passing scan, 2) the entity has documented policies and procedures requiring quarterly scanning, and 3) vulnerabilities noted in the scan results have been corrected as shown in a re-scan(s). For subsequent years after the initial PCI DSS review, four quarters of passing scans must have occurred.
Modified
p. 64 → 69
Review results from the four most recent quarters of external vulnerability scans (b) Do external quarterly scan and rescan results satisfy the ASV Program Guide requirements for a passing scan (for example, no vulnerabilities rated 4.0 or higher by the CVSS, and no automatic failures)?
Review results from the four most recent quarters of external vulnerability scans (b) Do external quarterly scan and rescan results satisfy the ASV Program Guide requirements for a passing scan (for example, no vulnerabilities rated 4.0 or higher by the CVSS, and no automatic failures)? Review results of each external quarterly scan and rescan (c) Are quarterly external vulnerability scans performed by a
Modified
p. 65 → 70
Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) Includes coverage for the entire CDE perimeter and critical systems Includes testing from both inside and outside the network Includes testing to validate any segmentation and scope-reduction controls Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5 Defines network-layer penetration tests to include components that support network functions as well as operating systems Includes review and …
Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) Includes coverage for the entire CDE perimeter and critical Includes testing from both inside and outside the network Includes testing to validate any segmentation and scope- reduction controls Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5 Defines network-layer penetration tests to include components that support network functions as well as operating systems Includes review and …
Modified
p. 65 → 70
Examine scope of work Examine results from the most recent external penetration test (b) Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)? Examine scope of work Interview responsible personnel
Examine scope of work Examine results from the most recent external penetration test (b) Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)? Interview responsible personnel
Modified
p. 66 → 71
Interview responsible personnel 11.3.3 Are exploitable vulnerabilities found during penetration testing corrected, followed by repeated testing to verify the corrections? Examine penetration testing results 11.3.4 If segmentation is used to isolate the CDE from other networks:
Modified
p. 66 → 71
(a) Are penetration-testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of-scope systems from in-scope systems?
(a) Are penetration-testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of-scope systems from systems in the CDE?
Modified
p. 66 → 71
Examine segmentation controls Review penetration-testing methodology (b) Does penetration testing to verify segmentation controls meet the following? Performed at least annually and after any changes to segmentation controls/methods Covers all segmentation controls/methods in use Verifies that segmentation methods are operational and effective, and isolate all out-of-scope systems from in-scope systems.
Examine segmentation controls Review penetration-testing methodology (b) Does penetration testing to verify segmentation controls meet the following? Performed at least annually and after any changes to segmentation controls/methods Covers all segmentation controls/methods in use Verifies that segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.
Modified
p. 67 → 72
Examine system configurations Interview responsible personnel (c) Are all intrusion-detection and prevention engines, baselines, and signatures kept up-to-date? Examine IDS/IPS configurations Examine vendor documentation 11.5 (a) Is a change-detection mechanism (for example, file- integrity monitoring tools) deployed within the cardholder data environment to detect unauthorized modification of critical system files, configuration files, or content files? Examples of files that should be monitored include:
Examine system configurations Interview responsible personnel (c) Are all intrusion-detection and prevention engines, baselines, and signatures kept up-to-date? Examine IDS/IPS configurations Examine vendor documentation 11.5 (a) Is a change-detection mechanism (for example, file- integrity monitoring tools) deployed within the cardholder data environment to detect unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files? Examples of files that should be monitored include:
Modified
p. 68 → 73
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (b) Is the change-detection mechanism configured to alert personnel to unauthorized modification of critical system files, configuration files or content files, and do the tools perform critical file comparisons at least weekly? Note: For change detection purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. …
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (b) Is the change-detection mechanism configured to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files or content files, and do the tools perform critical file comparisons at least weekly? Note: For change detection purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system …
Removed
p. 69
Review the formal risk assessment (c) Is the risk assessment process performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.)? Review risk assessment documentation Interview responsible personnel 12.3 Are usage policies for critical technologies developed to define proper use of these technologies and require the following:
Modified
p. 69 → 74
Review the information security policy Interview responsible personnel 12.2 (a) Is an annual risk assessment process implemented that identifies assets, threats, and vulnerabilities? Examples of risk assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP 800- 30.
Review the information security policy Interview responsible personnel 12.2 (a) Is an annual risk assessment process implemented that Identifies critical assets, threats, and vulnerabilities, Results in a formal, documented analysis of risk? Examples of risk assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP 800-30.
Modified
p. 69 → 74
Review annual risk assessment process Interview personnel (b) Does the risk assessment process result in a formal risk assessment?
Review annual risk assessment process Interview personnel (b) Is the risk assessment process performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.)? Review risk assessment documentation Interview responsible personnel
Modified
p. 70 → 75
Review usage policies Interview responsible personnel 12.3.2 Authentication for use of the technology? Review usage policies Interview responsible personnel 12.3.3 A list of all such devices and personnel with access? Review usage policies Interview responsible personnel 12.3.4 A method to accurately and readily determine owner, contact information, and purpose (for example, labeling, coding, and/or inventorying of devices)?
Modified
p. 70 → 75
Review usage policies Interview responsible personnel 12.3.9 Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use?
Review usage policies Interview responsible personnel 12.3.9 Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use? Review usage policies Interview responsible personnel
Modified
p. 70 → 76
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 12.3.10 (a) For personnel accessing cardholder data via remote- access technologies, does the policy specify the prohibition of copying, moving, and storage of cardholder data onto local hard drives and removable electronic media, unless explicitly authorized for a defined business need? Where there is an authorized business need, the usage policies must require the data be protected in accordance with all …
Modified
p. 70 → 76
Review usage policies Interview responsible personnel
Review usage policies Interview responsible personnel (b) For personnel with proper authorization, does the policy require the protection of cardholder data in accordance with PCI DSS Requirements?
Removed
p. 71
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested (b) For personnel with proper authorization, does the policy require the protection of cardholder data in accordance with PCI DSS Requirements?
Modified
p. 71 → 76
Review information security policy and procedures 12.5.3 Establishing, documenting, and distributing security incident response and escalation procedures to ensure timely and effective handling of all situations?
Review information security policy and procedures 12.5.3 Establishing, documenting, and distributing security incident response and escalation procedures to ensure timely and effective handling of all situations? Review information security policy and procedures
Modified
p. 71 → 77
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 12.5.4 Administering user accounts, including additions, deletions, and modifications?
Modified
p. 72 → 77
Interview personnel 12.6.2 Are personnel required to acknowledge at least annually that they have read and understood the security policy and procedures?
Interview personnel 12.6.2 Are personnel required to acknowledge at least annually that they have read and understood the security policy and procedures? Examine security awareness program procedures and documentation
Modified
p. 72 → 78
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 12.7 Are potential personnel (see definition of “personnel” above) screened prior to hire to minimize the risk of attacks from internal sources? Examples of background checks include previous employment history, criminal record, credit history and reference checks.
Modified
p. 73 → 78
Observe written agreements Review policies and procedures 12.8.3 Is there an established process for engaging service providers, including proper due diligence prior to engagement?
Observe written agreements Review policies and procedures 12.8.3 Is there an established process for engaging service providers, including proper due diligence prior to engagement? Observe processes Review policies and procedures and supporting documentation
Modified
p. 73 → 79
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 12.8.4 Is a program maintained to monitor service providers’ PCI DSS compliance status at least annually?
Modified
p. 74 → 79
Review incident response plan procedures Specific incident response procedures? Review incident response plan procedures Business recovery and continuity procedures? Review incident response plan procedures Data backup processes? Review incident response plan procedures Analysis of legal requirements for reporting compromises?
Review incident response plan procedures Specific incident response procedures? Review incident response plan procedures Business recovery and continuity procedures? Review incident response plan procedures Data backup processes? Review incident response plan procedures Analysis of legal requirements for reporting compromises? Review incident response plan procedures
Modified
p. 74 → 80
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested Coverage and responses of all critical system components?
Modified
p. 74 → 80
Review incident response plan procedures 12.10.2 Is the plan tested at least annually? Review incident response plan procedures Interview responsible personnel 12.10.3 Are specific personnel designated to be available on a 24/7 basis to respond to alerts? Observe processes Review policies Interview responsible personnel
Review incident response plan procedures 12.10.2 Is the plan tested at least annually? Review incident response plan procedures Interview responsible personnel 12.10.3 Are specific personnel designated to be available on a 24/7 basis to respond to alerts?
Modified
p. 75 → 80
Observe processes Review policies Interview responsible personnel 12.10.4 Is appropriate training provided to staff with security breach response responsibilities?
Modified
p. 75 → 80
Observe processes Review incident response plan procedures Interview responsible personnel 12.10.5 Are alerts from security monitoring systems, including intrusion-detection, intrusion-prevention, and file-integrity monitoring systems, included in the incident response plan?
Observe processes Review incident response plan procedures Interview responsible personnel 12.10.5 Are alerts from security monitoring systems included in the incident response plan?
Modified
p. 81 → 86
Signature of QSA Date:
Signature of Duly Authorized Officer of QSA Company Date:
Modified
p. 81 → 86
Duly Authorized Officer Name: QSA Company: