Document Comparison

PCI-DSS-v3_2-SAQ-C_VT.pdf → PCI-DSS-v3_2-SAQ-C_VT-rev1_1.pdf
94% similar
36 → 37 Pages
8532 → 9037 Words
6 Content Changes

Content Changes

6 content changes. 24 administrative changes (dates, page numbers) hidden.

Added p. 2
Requirements added from PCI DSS v3.2 Requirements 8, 9, and Appendix A2.

January 2017 (PCI DSS v3.2, SAQ revision 1.1): Updated Document Changes to clarify requirements added in the April 2016 update.

Added footnote to Before You Begin section to clarify intent of permitted systems.

Added Requirement 8.3.1 to align with intent of Requirement 2.3.

Added Requirement 11.3.4 to verify segmentation controls, if segmentation is used.
Added p. 24
PCI DSS Question / Expected Testing / Response (check one response for each question: Yes, Yes with CCW, No, N/A)

8.3 Is all individual non-console administrative access and all remote access to the CDE secured using multi-factor authentication, as follows:

Note: Multi-factor authentication requires that a minimum of two of the three authentication methods (see PCI DSS Requirement 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered multi-factor authentication.
Added p. 27
Requirement 11: Regularly test security systems and processes

PCI DSS Question / Expected Testing / Response (check one response for each question: Yes, Yes with CCW, No, N/A)

11.3.4 If segmentation is used to isolate the CDE from other networks:

(a) Are penetration-testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of-scope systems from systems in the CDE?

Expected testing:
- Examine segmentation controls
- Review penetration-testing methodology

(b) Does penetration testing to verify segmentation controls meet the following?
- Performed at least annually and after any changes to segmentation controls/methods
- Covers all segmentation controls/methods in use
- Verifies that segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.

Expected testing:
- Examine results from the most recent penetration test

(c) Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required …
Modified p. 4
- Your company’s only payment processing is via a virtual payment terminal accessed by an Internet-connected web browser;
- Your company’s virtual payment terminal solution is provided and hosted by a PCI DSS validated third-party service provider;
- Your company accesses the PCI DSS-compliant virtual payment terminal solution via a computer that is isolated in a single location, and is not connected to other locations or systems within your environment (this can be achieved via a firewall or network …

- Your company’s only payment processing is via a virtual payment terminal accessed by an Internet-connected web browser;
- Your company’s virtual payment terminal solution is provided and hosted by a PCI DSS validated third-party service provider;
- Your company accesses the PCI DSS-compliant virtual payment terminal solution via a computer that is isolated in a single location, and is not connected to other locations or systems within your environment (this can be achieved via a firewall or network …
Modified p. 24
PCI DSS Question / Expected Testing / Response (check one response for each question: Yes, Yes with CCW, No, N/A)

8.5 Are group, shared, or generic accounts, passwords, or other authentication methods prohibited as follows:

Expected testing:
- Examine system configurations
- Observe administrator logging into

8.5 Are group, shared, or generic accounts, passwords, or other authentication methods prohibited as follows:
Modified p. 36 → 37
PCI DSS Requirement* / Description of Requirement / Compliant to PCI DSS Requirements (select one: YES, NO) / Remediation Date and Actions (if “NO” selected for any Requirement)

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure …

PCI DSS Requirement* / Description of Requirement / Compliant to PCI DSS Requirements (select one: YES, NO) / Remediation Date and Actions (if “NO” selected for any Requirement)

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure …