Document Comparison
PCI-DSS-v3-2-1-SAQ-D-Merchant-r2.pdf
→
PCI-DSS-v4-0-SAQ-D-Merchant-r1.pdf
28% similar
Pages: 86 → 113
Words: 21131 → 29873
Content Changes: 437
437 content changes. 78 administrative changes (dates, page numbers) hidden.
Added
p. 2
Rearranged, retitled, and expanded information in the “Completing the Self-Assessment Questionnaire” section (previously titled “Before You Begin”).
Aligned content in Sections 1 and 3 of Attestation of Compliance (AOC) with PCI DSS v4.0 Report on Compliance AOC.
Added appendices to support new reporting responses.
December 2022 | PCI DSS v4.0 | SAQ revision 1 | Removed “In Place with Remediation” as a reporting option from the Requirement Responses table, Attestation of Compliance (AOC) Part 2g, SAQ Section 2 Response column, and AOC Section 3. Also removed former Appendix C.
Added “In Place with CCW” to AOC Section 3.
Added guidance for responding to future-dated requirements.
Added minor clarifications and addressed typographical errors.
Added
p. 4
Merchants with environments that might meet the criteria of another SAQ type, but that have additional PCI DSS requirements applicable to their environment.
This SAQ is not applicable to service providers.
Defining Account Data, Cardholder Data, and Sensitive Authentication Data
PCI DSS is intended for all entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD) or could impact the security of the cardholder data environment (CDE). Cardholder data and sensitive authentication data are considered account data and are defined as follows:
Account Data
Cardholder Data includes: | Sensitive Authentication Data includes:
• Full track data (magnetic-stripe data or equivalent on a chip)
• Card verification code
• PINs/PIN blocks
Refer to PCI DSS Section 2, PCI DSS Applicability Information, for further details.
Added
p. 5
1. Confirm by review of the eligibility criteria in this SAQ and the Self-Assessment Questionnaire Instructions and Guidelines document on the PCI SSC website that this is the correct SAQ for the merchant’s environment.
2. Confirm that the merchant environment is properly scoped.
• Section 1: Assessment Information (Parts 1 & 2 of the Attestation of Compliance (AOC)).
• Section 2: Self-Assessment Questionnaire D for Merchants.
• PCI DSS Validation and Action Plan for Non-Compliant Requirements (if Part 4 is applicable).
5. Submit the SAQ and AOC, along with any other requested documentation, such as ASV scan reports, to the requesting organization (those organizations that manage compliance programs such as payment brands and acquirers).
The intent behind each testing method is described as follows:
Examine: The merchant critically evaluates data evidence. Common examples include documents (electronic or physical), screenshots, configuration files, audit logs, and data files.
Observe: The merchant watches an action or views something in the environment. Examples …
Added
p. 6
This response is also used if a requirement cannot be met due to a legal restriction. (See “Legal Exception” below for more guidance).
Added
p. 7
For each response where Not Applicable is selected in this SAQ, complete Appendix C: Explanation of Requirements Noted as Not Applicable.
A merchant is confirming a new security control that impacts only a subset of requirements, for example, implementation of a new encryption methodology that only requires assessment of PCI DSS Requirements 2, 3, and 4.
If any requirements are completely excluded from the merchant’s self-assessment, select Not Tested for that specific requirement, and complete Appendix D: Explanation of Requirements Not Tested for each “Not Tested” entry. An assessment with any Not Tested responses is a “Partial” PCI DSS assessment and will be noted as such by the merchant in the Attestation of Compliance in Section 3, Part 3 of this SAQ.
Added
p. 8
Note: A legal restriction is one where meeting the PCI DSS requirement would violate a local or regional law or regulation.
Contractual obligations or legal advice are not legal restrictions.
Use of the Customized Approach
SAQs cannot be used to document use of the Customized Approach to meet PCI DSS requirements. For this reason, the Customized Approach Objectives are not included in SAQs. Entities wishing to validate using the Customized Approach may be able to use the PCI DSS Report on Compliance (ROC) Template to document the results of their assessment.
The use of the customized approach may be regulated by organizations that manage compliance programs, such as payment brands and acquirers. Questions about use of a customized approach should always be referred to those organizations. This includes whether an entity that is eligible for an SAQ may instead complete a ROC to use a customized approach, and whether an entity is required …
Added
p. 9
PCI DSS (PCI Data Security Standard Requirements and Testing Procedures):
− Guidance on Scoping
− Guidance on the intent of all PCI DSS Requirements
− Details of testing procedures
− Guidance on Compensating Controls
− Appendix G: Glossary of Terms, Abbreviations, and Acronyms
SAQ Instructions and Guidelines:
− Information about all SAQs and their eligibility criteria
− How to determine which SAQ is right for your organization
Frequently Asked Questions (FAQs): Guidance and information about SAQs.
Online PCI DSS Glossary: PCI DSS Terms, Abbreviations, and Acronyms
Information Supplements and Guidelines: Guidance on a variety of PCI DSS topics including:
− Understanding PCI DSS Scoping and Network Segmentation
− Third-Party Security Assurance
− Multi-Factor Authentication Guidance
− Best Practices for Maintaining PCI DSS Compliance
Getting Started with PCI: Resources for smaller merchants including:
− Guide to Safe Payments
− Common Payment Systems
− Questions to Ask Your Vendors
− Glossary of Payment …
Added
p. 12
Table columns: Facility Type | Total number of locations (how many locations of this type are in scope) | Location(s) of facility (city, country). Example: Data centers | 3 | Boston, MA, USA
Part 2e. PCI SSC Validated Products and Solutions
Does the merchant use any item identified on any PCI SSC Lists of Validated Products and Solutions♦? Provide the following information regarding each item the merchant uses from PCI SSC’s Lists of Validated Products and Solutions.
Table columns: Name of PCI SSC-validated Product or Solution | Version of Product or Solution | PCI SSC Standard to which product or solution was validated | PCI SSC listing | Expiry date of listing (YYYY-MM-DD)
♦ For purposes of this document, “Lists of Validated Products and Solutions” means the lists of validated products, solutions, and/or components appearing on the PCI SSC website (www.pcisecuritystandards.org), for example, 3DS Software Development Kits, Approved PTS Devices, Validated Payment Software, Payment Applications (PA-DSS), Point …
Added
p. 14
PCI DSS Requirement | Requirement Responses (more than one response may be selected for a given requirement; indicate all responses that apply): In Place / In Place with CCW / Not Applicable / Not Tested / Not in Place
PCI DSS Requirement | Expected Testing | Response♦ (check one response for each requirement): In Place / In Place with CCW / Not Applicable / Not Tested / Not in Place
1.1 Processes and mechanisms for installing and maintaining network security controls are defined and understood.
Added
p. 15
• Examine configuration standards.
Added
p. 16
1.2.2 All changes to network connections and to configurations of NSCs are approved and managed in accordance with the change control process defined at Requirement 6.5.1.
Added
p. 16
• Examine change control records.
Applicability Notes Changes to network connections include the addition, removal, or modification of a connection.
Changes to NSC configurations include those related to the component itself as well as those affecting how it performs its security function.
Applicability Notes A current network diagram(s) or other technical or topological solution that identifies network connections and devices can be used to meet this requirement.
Added
p. 16
• Shows all account data flows across systems and networks.
• Updated as needed upon changes to the environment.
• Examine data flow diagrams.
• Observe network configurations.
Applicability Notes A data-flow diagram(s) or other technical or topological solution that identifies flows of account data across systems and networks can be used to meet this requirement.
Added
p. 17
1.2.7 Configurations of NSCs are reviewed at least once every six months to confirm they are relevant and effective.
• Examine documentation from reviews performed.
Added
p. 17
• Secured from unauthorized access.
• Kept consistent with active network configurations.
• Examine NSC configuration files.
Applicability Notes Any file or setting used to configure or synchronize NSCs is considered to be a “configuration file.” This includes files, automated and system-based controls, scripts, settings, infrastructure as code, or other parameters that are backed up, archived, or stored remotely.
Added
p. 17
• To only traffic that is necessary,
• All other traffic is specifically denied.
Added
p. 17
• Examine NSC configurations.
Added
p. 17
• To only traffic that is necessary.
Added
p. 17
• All wireless traffic from wireless networks into the CDE is denied by default.
• Only wireless traffic with an authorized business purpose is allowed into the CDE.
Added
p. 17
• Examine current network diagrams.
1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted to:
• Stateful responses to communications initiated by system components in a trusted network.
• All other traffic is denied.
• Examine NSC documentation.
Applicability Notes The intent of this requirement is to address communication sessions between trusted and untrusted networks, rather than the specifics of protocols.
This requirement does not limit the use of UDP or other connectionless network protocols if state is maintained by the NSC.
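The 1.2.7 six-monthly NSC review and the 1.3/1.4.2 tests above (only necessary traffic allowed, all other traffic denied, inbound from untrusted networks limited to stateful responses) can be turned into an automated check over an exported ruleset. The script below is an added example, not part of the SAQ or any PCI SSC material: it parses an iptables-save style ruleset (the sample is constructed, not from a real system), assumes eth0 is the untrusted-facing interface, and treats conntrack ESTABLISHED/RELATED as the "stateful response" notion, which also covers UDP since conntrack tracks UDP pseudo-connections, the case the applicability note calls out.

```python
import re
from dataclasses import dataclass

# Assumption for this example: eth0 faces the untrusted network (Internet);
# eth1 faces the trusted/CDE side.
UNTRUSTED_IFACES = {"eth0"}

# Constructed sample in iptables-save format; not taken from any real system.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i eth0 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p udp --dport 53 -j ACCEPT
COMMIT
"""


@dataclass
class Finding:
    line: str
    reason: str


POLICY_RE = re.compile(r"^:(\w+)\s+(\w+)\s+\[")
RULE_RE = re.compile(r"^-A\s+(\w+)\s+(.*)$")
IN_IFACE_RE = re.compile(r"(?:^|\s)-i\s+(\S+)")
CTSTATE_RE = re.compile(r"--ctstate\s+(\S+)")

# conntrack tracks UDP and ICMP "connections" as well as TCP, so these two
# states are the stateful-response notion the 1.4.2 applicability note allows.
STATEFUL_RESPONSE_STATES = {"ESTABLISHED", "RELATED"}


def review_ruleset(text, untrusted=UNTRUSTED_IFACES):
    """Return a Finding for every place the ruleset fails the default-deny and
    stateful-response-only tests for traffic arriving from untrusted interfaces."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            chain, policy = m.groups()
            # Anything not explicitly allowed must be denied: chain policy DROP.
            if chain in ("INPUT", "FORWARD") and policy != "DROP":
                findings.append(Finding(line, f"{chain} default policy is {policy}, all other traffic must be denied"))
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        chain, body = m.groups()
        if chain not in ("INPUT", "FORWARD") or "-j ACCEPT" not in body:
            continue
        iface = IN_IFACE_RE.search(body)
        if not iface or iface.group(1) not in untrusted:
            continue  # not inbound from an untrusted network
        states = CTSTATE_RE.search(body)
        allowed = set(states.group(1).split(",")) if states else set()
        # An accept from the untrusted side is only acceptable when it is
        # restricted to responses to sessions the trusted side initiated.
        if not allowed or not allowed <= STATEFUL_RESPONSE_STATES:
            findings.append(Finding(line, "accepts inbound traffic from an untrusted interface that is not a stateful response"))
    return findings


if __name__ == "__main__":
    for f in review_ruleset(SAMPLE_RULESET):
        print(f"{f.reason}: {f.line}")
```

Run against the sample it reports the FORWARD chain's ACCEPT policy, the open SSH accept from eth0, and the DNS-over-UDP accept from eth0 that is not limited to established state; a rule that passes the check but has a documented business justification (1.2.5/1.3.1) still needs that justification recorded in the review evidence.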
Added
p. 18
• Examine the data-flow diagram and network diagram.
Applicability Notes This requirement is not intended to apply to storage of account data in volatile memory but does apply where memory is being treated as persistent storage (for example, RAM disk). Account data can only be stored in volatile memory during the time necessary to support the associated business process (for example, until completion of the related payment card transaction).
1.5 Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated.
Added
p. 19
• Specific configuration settings are defined to prevent threats being introduced into the entity’s network.
• Security controls are actively running.
• Security controls are not alterable by users of the computing devices unless specifically documented and authorized by management on a case-by-case basis for a limited period.
Applicability Notes These security controls may be temporarily disabled only if there is legitimate technical need, as authorized by management on a case-by-case basis. If these security controls need to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period during which these security controls are not active.
This requirement applies to employee-owned and company-owned computing devices. Systems that cannot be managed by corporate policy introduce weaknesses and provide opportunities that malicious individuals may exploit.
Requirement 2: Apply Secure Configurations to All System Components
Added
p. 20
• Cover all system components.
• Address all known security vulnerabilities.
• Be consistent with industry-accepted system hardening standards or vendor hardening recommendations.
• Be updated as new vulnerability issues are identified, as defined in Requirement 6.3.1.
• Be applied when new systems are configured and verified as in place before or immediately after a system component is connected to a production environment.
2.2.2 Vendor default accounts are managed as follows:
• If the vendor default account(s) will be used, the default password is changed per Requirement 8.3.6.
• If the vendor default account(s) will not be used, the account is removed or disabled.
Added
p. 21
• Observe a system administrator logging on using vendor default accounts.
• Examine configuration files.
Applicability Notes This applies to ALL vendor default accounts and passwords, including, but not limited to, those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, and Simple Network Management Protocol (SNMP) defaults.
This requirement also applies where a system component is not installed within an entity’s environment, for example, software and applications that are part of the CDE and are accessed via a cloud subscription service.
Added
p. 21
• Only one primary function exists on a system component, OR
• Primary functions with differing security levels that exist on the same system component are isolated from each other, OR
• Primary functions with differing security levels on the same system component are all secured to the level required by the function with the highest security need.
Added
p. 22
2.2.5 If any insecure services, protocols, or daemons are present:
• Business justification is documented.
• Additional security features are documented and implemented that reduce the risk of using insecure services, protocols, or daemons.
• Examine configuration standards.
Added
p. 22
Applicability Notes This includes administrative access via browser-based interfaces and application programming interfaces (APIs).
2.3 Wireless environments are configured and managed securely.
Added
p. 23
• Default wireless encryption keys.
• Passwords on wireless access points.
• Any other security-related wireless vendor defaults.
Applicability Notes This includes, but is not limited to, default wireless encryption keys, passwords on wireless access points, SNMP defaults, and any other security-related wireless vendor defaults.
• Whenever personnel with knowledge of the key leave the company or the role for which the knowledge was necessary.
• Whenever a key is suspected of or known to be compromised.
• Examine key-management documentation.
Added
p. 24
Requirement 3: Protect Stored Account Data
3.1 Processes and mechanisms for protecting stored account data are defined and understood.
3.2 Storage of account data is kept to a minimum.
Added
p. 25
• Coverage for all locations of stored account data.
• Coverage for any sensitive authentication data (SAD) stored prior to completion of authorization. This bullet is a best practice until its effective date; refer to Applicability Notes below for details.
• Limiting data storage amount and retention time to that which is required for legal or regulatory, and/or business requirements.
• Specific retention requirements for stored account data that defines length of retention period and includes a documented business justification.
• Processes for secure deletion or rendering account data unrecoverable when no longer needed per the retention policy.
• A process for verifying, at least once every three months, that stored account data exceeding the defined retention period has been securely deleted or rendered unrecoverable.
• Examine the data retention and disposal policies, procedures, and processes.
• Examine files and system records on system components where account data is stored.
• Observe the mechanisms used to render account …
Added
p. 26
• Observe the secure data deletion processes.
Applicability Notes Part of this Applicability Note was intentionally removed for this SAQ as it does not apply to merchant assessments. Sensitive authentication data includes the data cited in Requirements 3.3.1.1 through 3.3.1.3.
Added
p. 26
Applicability Notes In the normal course of business, the following data elements from the track may need to be retained:
• Primary account number (PAN).
• Service code.
To minimize risk, store securely only these data elements as needed for business.
Added
p. 26
Applicability Notes The card verification code is the three- or four-digit number printed on the front or back of a payment card used to verify card-not-present transactions.
Added
p. 27
Applicability Notes PIN blocks are encrypted during the natural course of transaction processes, but even if an entity encrypts the PIN block again, it is still not allowed to be stored after the completion of the authorization process.
Added
p. 27
• Examine data stores and system configurations.
Applicability Notes Whether SAD is permitted to be stored prior to authorization is determined by the organizations that manage compliance programs (for example, payment brands and acquirers). Contact the organizations of interest for any additional criteria.
This requirement applies to all storage of SAD, even if no PAN is present in the environment.
Refer to Requirement 3.2.1 for an additional requirement that applies if SAD is stored prior to completion of authorization.
Part of this Applicability Note was intentionally removed for this SAQ as it does not apply to merchant assessments.
This requirement does not replace how PIN blocks are required to be managed, nor does it mean that a properly encrypted PIN block needs to be encrypted again.
Added
p. 28
3.4 Access to displays of full PAN and ability to copy PAN is restricted.
Added
p. 28
• Examine the documented list of roles that need access to more than the BIN and last four digits of the PAN (includes full PAN).
• Examine displays of PAN (for example, on screen, on paper receipts).
Applicability Notes This requirement does not supersede stricter requirements in place for displays of cardholder data, for example, legal or payment brand requirements for point-of-sale (POS) receipts. This requirement relates to protection of PAN where it is displayed on screens, paper receipts, printouts, etc., and is not to be confused with Requirement 3.5.1 for protection of PAN when stored, processed, or transmitted.
Added
p. 28
• Examine documented policies and procedures and documented evidence for technical controls.
• Examine configurations for remote-access technologies.
Applicability Notes Storing or relocating PAN onto local hard drives, removable electronic media, and other storage devices brings these devices into scope for PCI DSS. This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
3.5 Primary account number (PAN) is secured wherever it is stored.
Added
p. 29
• One-way hashes based on strong cryptography of the entire PAN.
• Truncation (hashing cannot be used to replace the truncated segment of PAN).
• If hashed and truncated versions of the same PAN, or different truncation formats of the same PAN, are present in an environment, additional controls are in place such that the different versions cannot be correlated to reconstruct the original PAN.
• Strong cryptography with associated key-management processes and procedures.
• Examine documentation about the system used to render PAN unreadable.
• Examine controls to verify that the hashed and truncated PANs cannot be correlated to reconstruct the original PAN.
Applicability Notes It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. This requirement applies to PANs stored in primary storage (databases, or flat files such as text files, spreadsheets) as well …
Added
p. 30
• On removable electronic media. OR
• If used for non-removable electronic media, PAN is also rendered unreadable via another mechanism that meets Requirement 3.5.1.
• Observe encryption processes.
• Observe encryption processes.
Applicability Notes While disk encryption may still be present on these types of devices, it cannot be the only mechanism used to protect PAN stored on those systems. Any stored PAN must also be rendered unreadable per Requirement 3.5.1, for example, through truncation or a data-level encryption mechanism. Full disk encryption helps to protect data in the event of physical loss of a disk and therefore its use is appropriate only for removable electronic media storage devices.
Media that is part of a data center architecture (for example, hot-swappable drives, bulk tape-backups) is considered non-removable electronic media to which Requirement 3.5.1 applies. Disk or partition encryption implementations must also meet all other PCI DSS encryption and key-management requirements. This requirement is a …
Added
p. 32
• Access to keys is restricted to the fewest number of custodians necessary.
• Key-encrypting keys are at least as strong as the data-encrypting keys they protect.
• Key-encrypting keys are stored separately from data-encrypting keys.
• Keys are stored securely in the fewest possible locations and forms.
Added
p. 32
Applicability Notes This requirement applies to keys used to encrypt stored account data and to key-encrypting keys used to protect data-encrypting keys. The requirement to protect keys used to protect stored account data from disclosure and misuse applies to both data-encrypting keys and key-encrypting keys. Because one key-encrypting key may grant access to many data-encrypting keys, the key-encrypting keys require strong protection measures.
Added
p. 33
3.6.1.2 Secret and private keys used to encrypt/decrypt stored account data are stored in one (or more) of the following forms at all times:
• Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key.
• Within a secure cryptographic device (SCD), such as a hardware security module (HSM) or PTS-approved point-of-interaction device.
Applicability Notes It is not required that public keys be stored in one of these forms.
Cryptographic keys stored as part of a key-management system (KMS) that employs SCDs are acceptable.
A cryptographic key that is split into two parts does not meet this requirement. Secret or private keys stored as key components or key shares must be generated via one of the …
Added
p. 33
• Examine key storage locations.
Added
p. 33
• Observe the method for generating keys.
3.7.2 Key-management policies and procedures are implemented to include secure distribution of cryptographic keys used to protect stored account data.
• Observe the method for distributing keys.
Added
p. 34
• Observe the method for storing keys.
Added
p. 34
• A defined cryptoperiod for each key type in use.
• A process for key changes at the end of the defined cryptoperiod.
• Observe key storage locations.
Added
p. 34
• The key has reached the end of its defined cryptoperiod.
• The integrity of the key has been weakened, including when personnel with knowledge of a cleartext key component leaves the company, or the role for which the key component was known.
• The key is suspected of or known to be compromised. Retired or replaced keys are not used for encryption operations.
• According to ISO 19592 or equivalent industry standard for generation of secret key shares.
If retired or replaced cryptographic keys need to be retained, these keys must be securely archived (for example, by using a key-encryption key).
Added
p. 35
Applicability Notes This control is applicable for manual key-management operations or where key management is not controlled by the encryption product.
A cryptographic key that is simply split into two parts does not meet this requirement. Secret or private keys stored as key components or key shares must be generated via one of the following:
• Using an approved random number generator and within a secure cryptographic device (SCD), such as a hardware security module (HSM) or PTS-approved point-of-interaction device, OR
Added
p. 35
• Review documentation or other evidence of key custodian acknowledgments.
Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks
4.1 Processes and mechanisms for protecting cardholder data with strong cryptography during transmission over open, public networks are defined and documented.
• Interview responsible personnel
♦ Refer to the “Requirement Responses” section (page v) for information about these response options.
4.2 PAN is protected with strong cryptography during transmission.
Added
p. 37
• Only trusted keys and certificates are accepted.
• Examine cardholder data transmissions.
• Certificates used to safeguard PAN during transmission over open, public networks are confirmed as valid and are not expired or revoked. This bullet is a best practice until its effective date; refer to Applicability Notes below for details.
• The protocol in use supports only secure versions or configurations and does not support fallback to, or use of, insecure versions, algorithms, key sizes, or implementations.
• The encryption strength is appropriate for the encryption methodology in use.
Applicability Notes There could be occurrences where an entity receives cardholder data unsolicited via an insecure communication channel that was not intended for the purpose of receiving sensitive data. In this situation, the entity can choose to either include the channel in the scope of their CDE and secure it according to PCI DSS or implement measures to prevent the channel from being used …
Added
p. 38
• Examine system configurations and vendor documentation.
Applicability Notes This requirement also applies if a customer, or other third-party, requests that PAN is sent to them via end-user messaging technologies. There could be occurrences where an entity receives unsolicited cardholder data via an insecure communication channel that was not intended for transmissions of sensitive data. In this situation, the entity can choose to either include the channel in the scope of their CDE and secure it according to PCI DSS or delete the cardholder data and implement measures to prevent the channel from being used for cardholder data.
Requirement 5: Protect All Systems and Networks from Malicious Software
5.1 Processes and mechanisms for protecting all systems and networks from malicious software are defined and understood.
Added
p. 39
• Examine the periodic evaluations.
Added
p. 39
• Detects all known types of malware.
• Removes, blocks, or contains all known types of malware.
5.2.3 Any system components that are not at risk for malware are evaluated periodically to include the following:
• A documented list of all system components not at risk for malware.
• Identification and evaluation of evolving malware threats for those system components.
• Confirmation whether such system components continue to not require anti-malware protection.
• Examine the list of system components not at risk for malware and compare against the system components without an anti-malware solution deployed.
Applicability Notes System components covered by this requirement are those for which there is no anti-malware solution deployed per Requirement 5.2.1.
Added
p. 40
• Examine documented results of periodic evaluations.
Added
p. 40
• Examine anti-malware solution(s) configurations, including any master installation.
• Examine anti-malware solution(s) configurations, including any master installation.
• Examine system components and logs.
Added
p. 40
• Performs periodic scans and active or real-time scans OR
• Performs continuous behavioral analysis of systems or processes.
• Examine logs and scan results.
• Examine logs and scan results.
5.3.2.1 If periodic malware scans are performed to meet Requirement 5.3.2, the frequency of scans is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.
• Examine documented results of periodic malware scans.
Applicability Notes This requirement applies to entities conducting periodic malware scans to meet Requirement 5.3.2. This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
Added
p. 41
• Performs automatic scans when the media is inserted, connected, or logically mounted, OR
• Performs continuous behavioral analysis of systems or processes when the media is inserted, connected, or logically mounted.
• Examine anti-malware solution(s) configurations.
• Examine anti-malware solution(s) configurations.
• Examine system components with removable electronic media.
Added
p. 41
• Examine anti-malware configurations.
Applicability Notes (Continued)
Anti-malware solutions may be temporarily disabled only if there is a legitimate technical need, as authorized by management on a case-by-case basis. If anti-malware protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period during which anti-malware protection is not active.
Added
p. 42
• Observe implemented processes.
• Examine mechanisms.
Applicability Notes This requirement applies to the automated mechanism. It is not intended that the systems and services providing such automated mechanisms (such as e-mail servers) are brought into scope for PCI DSS. The focus of this requirement is on protecting personnel with access to system components in-scope for PCI DSS. Meeting this requirement for technical and automated controls to detect and protect personnel against phishing is not the same as Requirement 12.6.3.1 for security awareness training. Meeting this requirement does not also meet the requirement for providing personnel with security awareness training, and vice versa. This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
Requirement 6: Develop and Maintain Secure Systems and Software
Added
p. 43
• Based on industry standards and/or best practices for secure development.
• In accordance with PCI DSS (for example, secure authentication and logging).
• Incorporating consideration of information security issues during each stage of the software development lifecycle.
Added
p. 43
Applicability Notes This applies to all software developed for or by the entity for the entity’s own use. This includes both bespoke and custom software. This does not apply to third-party software.
6.2.2 Software development personnel working on bespoke and custom software are trained at least once every 12 months as follows:
• On software security relevant to their job function and development languages.
• Including secure software design and secure coding techniques.
• Including, if security testing tools are used, how to use the tools for detecting vulnerabilities in software.
Applicability Notes Software development personnel remain knowledgeable about secure development practices; software security; and attacks against the languages, frameworks, or applications they develop. Personnel are able to access assistance and guidance when required.
Added
p. 44
• Code reviews ensure code is developed according to secure coding guidelines.
• Code reviews look for both existing and emerging software vulnerabilities.
• Appropriate corrections are implemented prior to release.
• Examine evidence of changes to bespoke and custom software.
Applicability Notes This requirement for code reviews applies to all bespoke and custom software (both internal and public-facing), as part of the system development lifecycle. Public-facing web applications are also subject to additional controls, to address ongoing threats and vulnerabilities after implementation, as defined at PCI DSS Requirement 6.4. Code reviews may be performed using either manual or automated processes, or a combination of both.
• Examine evidence of changes to bespoke and custom software.
If manual code reviews are performed for bespoke and custom software prior to release to production, …
Added
p. 45
• Injection attacks, including SQL, LDAP, XPath, or other command, parameter, object, fault, or injection-type flaws.
• Interview responsible software development personnel.
• Attacks on data and data structures, including attempts to manipulate buffers, pointers, input data, or shared data.
• Attacks on cryptography usage, including attempts to exploit weak, insecure, or inappropriate cryptographic implementations, algorithms, cipher suites, or modes of operation.
Applicability Notes This applies to all software developed for or by the entity for the entity’s own use. This includes both bespoke and custom software. This does not apply to third-party software.
PCI DSS Requirement Expected Testing (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 6.2.4 (cont.)
• Attacks on business logic, including attempts to abuse or bypass application features and functionalities through the manipulation of APIs, communication protocols and channels, client-side functionality, or other system/application functions and resources. This includes cross-site scripting …
Added
p. 46
Security vulnerabilities are identified and managed as follows:
• New security vulnerabilities are identified using industry-recognized sources for security vulnerability information, including alerts from international and national computer emergency response teams (CERTs).
• Vulnerabilities are assigned a risk ranking based on industry best practices and consideration of potential impact.
• Risk rankings identify, at a minimum, all vulnerabilities considered to be a high-risk or critical to the environment.
• Vulnerabilities for bespoke and custom, and third-party software (for example operating systems and databases) are covered.
PCI DSS Requirement Expected Testing (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place Applicability Notes (Continued) This requirement is not achieved by, nor is it the same as, vulnerability scans performed for Requirements 11.3.1 and 11.3.2. This requirement is for a process to actively monitor industry sources for vulnerability information and for the entity to determine the risk …
Added
p. 47
Applicability Notes This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
6.3.3 All system components are protected from known vulnerabilities by installing applicable security patches/updates as follows:
• Critical or high-security patches/updates (identified according to the risk ranking process at Requirement 6.3.1) are installed within one month of release.
• All other applicable security patches/updates are installed within an appropriate time frame as determined by the entity (for example, within three months of release).
• Examine system components and related software.
PCI DSS Requirement Expected Testing (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 6.4 Public-facing web applications are protected against attacks.
Added
p. 48
• At least once every 12 months and after significant changes.
• By an entity that specializes in application security.
• Including, at a minimum, all common software attacks in Requirement 6.2.4.
• All vulnerabilities are ranked in accordance with Requirement 6.3.1.
• All vulnerabilities are corrected.
• The application is re-evaluated after the corrections OR
• Installing an automated technical solution(s) that continually detects and prevents web-based attacks as follows:
• Installed in front of public-facing web applications to detect and prevent web-based attacks.
• Actively running and up to date as applicable.
• Generating audit logs.
• Configured to either block web-based attacks or generate an alert that is immediately investigated.
• Examine documented processes.
• Examine the system configuration settings and audit logs.
PCI DSS Requirement Expected Testing (Check one response for each requirement) In …
Added
p. 49
• Is installed in front of public-facing web applications and is configured to detect and prevent web-based attacks.
• Examine the system configuration settings.
Applicability Notes This new requirement will replace Requirement 6.4.1 once its effective date is reached. This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
Added
p. 49
• A method is implemented to confirm that each script is authorized.
• A method is implemented to assure the integrity of each script.
• An inventory of all scripts is maintained with written justification as to why each is necessary.
Applicability Notes This requirement applies to all scripts loaded from the entity’s environment and scripts loaded from third and fourth parties.
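The three bullets above (authorization, integrity, inventory with justification) can be checked mechanically against a payment page. The following is an added example, not code from the SAQ or from PCI SSC: it assumes the merchant keeps an inventory of authorized scripts, each with a written justification and the SHA-384 digest of the content that was reviewed, and that the page carries Subresource Integrity (SRI) `integrity` attributes so the browser itself refuses a modified script. The page, the inventory and the script bodies are constructed for the example; the URLs are placeholders.

```python
"""Payment-page script inventory and integrity check (PCI DSS 6.4.3).

Added example, not code from the SAQ. It assumes an inventory of authorized
scripts (URL, written justification, SHA-384 of the reviewed content) and
SRI 'integrity' attributes on the payment page. Page, inventory and script
bodies are constructed.
"""
import base64
import hashlib
from html.parser import HTMLParser


def sri_sha384(content: bytes) -> str:
    """SRI-style digest ('sha384-<base64>') of script bytes."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()


# Constructed bodies of the scripts as served (what a fetcher would download).
FETCHED = {
    "https://pay.example/js/checkout.js": b"window.Checkout={tokenize:function(pan){/* ... */}};",
    "https://cdn.example/analytics.js": b"window.track=function(e){/* ... */};",
    "https://evil.example/skimmer.js": b"document.forms[0].onsubmit=function(){/* exfil */};",
}

# Constructed inventory: only scripts with a justification and an approved digest are authorized.
INVENTORY = {
    "https://pay.example/js/checkout.js": {
        "justification": "Card form and tokenization call to the payment service provider",
        "sha384": sri_sha384(FETCHED["https://pay.example/js/checkout.js"]),
    },
    "https://cdn.example/analytics.js": {
        "justification": "Checkout funnel analytics, approved at security review",
        "sha384": sri_sha384(FETCHED["https://cdn.example/analytics.js"]),
    },
}


class ScriptCollector(HTMLParser):
    """Collect (src, integrity) for every <script src=...> tag on the page."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))


def audit_page(html: str, inventory=INVENTORY, fetched=FETCHED):
    """Return findings as (kind, url). An empty list means every script is in
    the inventory, carries an SRI attribute equal to the approved digest, and
    the served bytes still match that digest."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.scripts:
        entry = inventory.get(src)
        if entry is None:
            findings.append(("unauthorized", src))            # no inventory entry, so no justification
        elif not integrity:
            findings.append(("missing-integrity", src))       # browser cannot enforce integrity
        elif integrity != entry["sha384"]:
            findings.append(("integrity-differs-from-inventory", src))
        elif src not in fetched or sri_sha384(fetched[src]) != entry["sha384"]:
            findings.append(("served-content-modified", src))  # upstream changed after review
    return findings


# Constructed payment page: one script correctly pinned, one without SRI, one unauthorized.
PAGE = f"""<html><body>
<script src="https://pay.example/js/checkout.js"
        integrity="{INVENTORY['https://pay.example/js/checkout.js']['sha384']}"
        crossorigin="anonymous"></script>
<script src="https://cdn.example/analytics.js"></script>
<script src="https://evil.example/skimmer.js"></script>
</body></html>"""
```

Run `audit_page(PAGE)` against a fetched copy of the live payment page on a schedule; a non-empty result is the trigger for the 6.4.3 review (either the inventory is updated with a justification and a new approved digest, or the script is removed). Static HTML parsing misses scripts injected at runtime by other scripts, so in practice the same check is paired with a browser-side control such as CSP reporting.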
PCI DSS Requirement Expected Testing (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 6.5 Changes to all system components are managed securely.
Added
p. 50
• Reason for, and description of, the change.
• Documentation of security impact.
• Documented change approval by authorized parties.
• Testing to verify that the change does not adversely impact system security.
• For bespoke and custom software changes, all updates are tested for compliance with Requirement 6.2.4 before being deployed into production.
• Procedures to address failures and return to a secure state.
• Examine documented change control procedures.
• Examine recent changes to system components and trace changes to change control documentation.
Added
p. 50
• Examine documentation for significant changes.
• Observe the affected systems/networks.
Applicability Notes These significant changes should also be captured and reflected in the entity’s annual PCI DSS scope confirmation activity per Requirement 12.5.2.
Added
p. 50
• Examine network documentation and configurations of network security controls.
PCI DSS Requirement Expected Testing (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 6.5.4 Roles and functions are separated between production and pre-production environments to provide accountability such that only reviewed and approved changes are deployed.
Applicability Notes In environments with limited personnel where individuals perform multiple roles or functions, this same goal can be achieved with additional procedural controls that provide accountability. For example, a developer may also be an administrator that uses an administrator-level account with elevated privileges in the development environment and, for their developer role, they use a separate account with user-level access to the production environment.
Added
p. 51
• Observe testing processes.
• Examine pre-production test data.
Added
p. 51
• Observe testing processes for both off-the-shelf software and in-house applications.
• Examine data and accounts for recently installed or updated off-the-shelf software and in-house applications.
Added
p. 52
Requirement 7: Restrict Access to System Components and Cardholder Data by Business Need to Know
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 7.1 Processes and mechanisms for restricting access to system components and cardholder data by business need to know are defined and understood.
Added
p. 52
• Appropriate access depending on the entity’s business and access needs.
• Access to system components and data resources that is based on users’ job classification and functions.
• The least privileges required (for example, user, administrator) to perform a job function.
• Examine access control model settings.
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 7.2.2 Access is assigned to users, including privileged users, based on:
• Job classification and function.
• Least privileges necessary to perform job responsibilities.
• Examine user access settings, including for privileged users.
• Interview responsible management personnel.
• Interview personnel responsible for assigning access.
Added
p. 53
• Examine user IDs and assigned privileges.
• Examine documented approvals.
Added
p. 53
• At least once every six months.
• To ensure user accounts and access remain appropriate based on job function.
• Any inappropriate access is addressed.
• Management acknowledges that access remains appropriate.
• Examine documented results of periodic reviews of user accounts.
Applicability Notes This requirement applies to all user accounts and related access privileges, including those used by personnel and third parties/vendors, and accounts used to access third-party cloud services.
See Requirements 7.2.5 and 7.2.5.1 and 8.6.1 through 8.6.3 for controls for application and system accounts.
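The 7.2.2 access-control model and the 7.2.4 review are two halves of one mechanism: the model says what each job function may hold, and the review compares what accounts actually hold against it. The following is an added example, not the SAQ's own material, and it is one way of doing this rather than a prescribed one. It assumes the model is written down as a job-function to least-privilege-set matrix, that the semi-annual review covers vendor and cloud-service accounts alongside staff, that inappropriate access is addressed before management acknowledges the review, and that "six months" is approximated as 183 days. All user IDs, roles and privilege names are constructed.

```python
"""Access-model and periodic-review check for PCI DSS 7.2.2 and 7.2.4.

Added example, not the SAQ's own material. Assumes a role -> least-privilege
matrix (7.2.2) and a review every six months (taken as 183 days) that records
exceptions and ends with management sign-off (7.2.4). Names are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

REVIEW_INTERVAL = timedelta(days=183)   # "at least once every six months" (assumption: 183 days)

# Constructed access-control model: the least privileges each job function needs.
ROLE_MODEL = {
    "cashier": {"pos:sale"},
    "web-dev": {"git:push", "staging:deploy"},
    "dba":     {"db:read", "db:admin"},
    "sre":     {"prod:deploy", "ssh:prod", "db:read"},
}


@dataclass
class Account:
    user_id: str
    role: str
    privileges: set
    third_party: bool = False   # vendor and cloud-service accounts are in scope too


@dataclass
class ReviewRecord:
    review_date: str
    findings: list = field(default_factory=list)   # (kind, user_id, detail)
    acknowledged_by: Optional[str] = None


def review_accounts(accounts, review_date: str, last_review: Optional[str] = None, model=ROLE_MODEL):
    """Compare each account's actual privileges with its role's allowed set.
    Dates are ISO strings (YYYY-MM-DD) so the caller needs no datetime handling."""
    record = ReviewRecord(review_date=review_date)
    if last_review is not None:
        gap = date.fromisoformat(review_date) - date.fromisoformat(last_review)
        if gap > REVIEW_INTERVAL:
            record.findings.append(("review-overdue", None, last_review))
    for acct in accounts:
        allowed = model.get(acct.role)
        if allowed is None:
            record.findings.append(("unknown-role", acct.user_id, acct.role))
            continue
        for priv in sorted(acct.privileges - allowed):
            record.findings.append(("excess-privilege", acct.user_id, priv))
    return record


def remediate(accounts, record):
    """Address inappropriate access: strip every privilege flagged as excess."""
    by_user = {a.user_id: a for a in accounts}
    for kind, user_id, detail in record.findings:
        if kind == "excess-privilege":
            by_user[user_id].privileges.discard(detail)
    return accounts


def sign_off(record, manager: str):
    """Management acknowledges that access remains appropriate. Refused while
    findings are open, so a review cannot be closed without remediation."""
    if record.findings:
        raise ValueError(f"open findings: {record.findings}")
    record.acknowledged_by = manager
    return record


# Constructed user list; 'bob' has accumulated a production deploy right his role does not need.
ACCOUNTS = [
    Account("alice", "cashier", {"pos:sale"}),
    Account("bob", "web-dev", {"git:push", "staging:deploy", "prod:deploy"}),
    Account("svc-vendor", "dba", {"db:read", "db:admin"}, third_party=True),
]
```

The `ReviewRecord` with its findings and `acknowledged_by` is the artifact an assessor asks for under "Examine documented results of periodic reviews of user accounts"; keeping the overdue check in the same function means a missed six-month window shows up as a finding rather than being noticed only at assessment time.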
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 7.2.5 All application and system accounts and related access privileges are assigned and managed as follows:
• Based on the least privileges necessary for the operability of the system or application.
• Access is limited …
Added
p. 54
• Periodically (at the frequency defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1).
• The application/system access remains appropriate for the function being performed.
• Examine documented results of periodic reviews of system and application accounts and related privileges.
Applicability Notes This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
7.2.6 All user access to query repositories of stored cardholder data is restricted as follows:
• Via applications or other programmatic methods, with access and allowed actions based on user roles and least privileges.
• Only the responsible administrator(s) can directly access or query repositories of stored CHD.
• Examine configuration settings for querying repositories of stored cardholder data.
Applicability Notes (cont.)
See Requirements 7.2.5 and 7.2.5.1 and 8.6.1 through 8.6.3 for controls for application and system accounts.
PCI DSS Requirement Expected …
Added
p. 56
Requirement 8: Identify Users and Authenticate Access to System Components
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 8.1 Processes and mechanisms for identifying users and authenticating access to system components are defined and understood.
Added
p. 56
• Examine audit logs and other evidence.
Added
p. 57
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 8.2.2 Group, shared, or generic accounts, or other shared authentication credentials are only used when necessary on an exception basis, and are managed as follows:
• Account use is prevented unless needed for an exceptional circumstance.
• Use is limited to the time needed for the exceptional circumstance.
• Business justification for use is documented.
• Use is explicitly approved by management.
• Individual user identity is confirmed before access to an account is granted.
• Every action taken is attributable to an individual user.
• Examine authentication policies and procedures.
Added
p. 57
• Authorized with the appropriate approval.
• Implemented with only the privileges specified on the documented approval.
• Examine documented authorizations across various phases of the account lifecycle (additions, modifications, and deletions).
Applicability Notes This requirement applies to all user accounts, including employees, contractors, consultants, temporary workers, and third-party vendors.
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 8.2.5 Access for terminated users is immediately revoked.
• Examine information sources for terminated users.
• Review current user access lists.
Added
p. 58
• Examine user accounts and last logon information.
Added
p. 58
• Enabled only during the time period needed and disabled when not in use.
• Use is monitored for unexpected activity.
• Examine documentation for managing accounts.
Added
p. 58
Applicability Notes This requirement is not intended to apply to user accounts on point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction (such as IDs used by cashiers on point-of-sale terminals). This requirement is not meant to prevent legitimate activities from being performed while the console/PC is unattended.
Added
p. 58
• Something you know, such as a password or passphrase.
• Something you have, such as a token device or smart card.
• Something you are, such as a biometric element.
• Examine documentation describing the authentication factor(s) used.
• For each type of authentication factor used with each type of system component, observe the authentication process.
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place Applicability Notes This requirement is not intended to apply to user accounts on point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction (such as IDs used by cashiers on point-of-sale terminals).
This requirement does not supersede multi-factor authentication (MFA) requirements but applies to those in-scope systems not otherwise subject to MFA requirements.
A digital certificate is a valid option for “something you have” if it is …
Added
p. 59
• Examine procedures for modifying authentication factors.
Added
p. 59
• Locking out the user ID after not more than 10 attempts.
• Setting the lockout duration to a minimum of 30 minutes or until the user’s identity is confirmed.
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 8.3.5 If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they are set and reset for each user as follows:
• Set to a unique value for first-time use and upon reset.
• Forced to be changed immediately after the first use.
• Examine procedures for setting and resetting passwords/passphrases.
Added
p. 60
• A minimum length of 12 characters (or IF the system does not support 12 characters, a minimum length of eight characters).
• Contain both numeric and alphabetic characters.
Applicability Notes This requirement is not intended to apply to:
• User accounts on point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction (such as IDs used by cashiers on point-of-sale terminals).
• Application or system accounts, which are governed by requirements in section 8.6. This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.
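Requirements 8.3.4 (lockout after at most 10 attempts, for at least 30 minutes or until identity is confirmed), 8.3.5 (unique first-use value, changed on first login) and 8.3.6 (12 characters, or 8 where the system cannot support 12, with both letters and digits) describe one authentication policy, so a single implementation is shown here. This is an added example, not code from the SAQ: it assumes passwords are stored with a salted slow hash (`hashlib.scrypt` here), that lockout state is tracked per user ID on the server, and that the caller passes the current time as integer seconds so the lock can be evaluated deterministically. The user store is constructed.

```python
"""Password and lockout policy for PCI DSS 8.3.4, 8.3.5 and 8.3.6.

Added example, not from the SAQ. Assumes server-side per-user lockout state,
salted scrypt password storage, and a caller-supplied clock in integer
seconds. Users and passwords are constructed.
"""
import hashlib
import os
import secrets

MAX_ATTEMPTS = 10            # 8.3.4: lock after not more than 10 failed attempts
LOCKOUT_SECONDS = 30 * 60    # 8.3.4: lockout lasts at least 30 minutes
MIN_LENGTH = 12              # 8.3.6: 12 characters; 8 only if the system cannot support 12


def check_password_policy(pw: str, system_max_len: int = 64) -> list:
    """Return the 8.3.6 rules the candidate password violates (empty list = acceptable)."""
    required = MIN_LENGTH if system_max_len >= MIN_LENGTH else 8
    problems = []
    if len(pw) < required:
        problems.append(f"shorter than {required} characters")
    if not any(c.isdigit() for c in pw):
        problems.append("no numeric character")
    if not any(c.isalpha() for c in pw):
        problems.append("no alphabetic character")
    return problems


def hash_password(pw: str, salt: bytes = None):
    """Salted scrypt; a fresh 16-byte salt per password unless one is supplied for verification."""
    salt = salt or os.urandom(16)
    return salt, hashlib.scrypt(pw.encode(), salt=salt, n=2 ** 14, r=8, p=1)


class AuthStore:
    def __init__(self):
        self.users = {}   # user_id -> {salt, hash, failures, locked_until, must_change}

    def add_user(self, user_id: str, initial_pw: str):
        """8.3.5: the first-use value is unique per user and must be changed on first login."""
        salt, h = hash_password(initial_pw)
        self.users[user_id] = {"salt": salt, "hash": h, "failures": 0,
                               "locked_until": None, "must_change": True}

    def authenticate(self, user_id: str, pw: str, now: int) -> str:
        u = self.users.get(user_id)
        if u is None:
            return "bad-credentials"        # same answer as a wrong password: no user enumeration
        if u["locked_until"] is not None and now < u["locked_until"]:
            return "locked"                 # a correct password during lockout is still refused
        _, h = hash_password(pw, u["salt"])
        if not secrets.compare_digest(h, u["hash"]):
            u["failures"] += 1
            if u["failures"] >= MAX_ATTEMPTS:
                u["locked_until"] = now + LOCKOUT_SECONDS
                u["failures"] = 0
                return "locked"
            return "bad-credentials"
        u["failures"] = 0
        u["locked_until"] = None
        return "change-required" if u["must_change"] else "ok"

    def unlock_after_identity_check(self, user_id: str):
        """8.3.4 alternative to waiting out the 30 minutes: clear the lock once an
        administrator has confirmed the user's identity out of band."""
        self.users[user_id]["locked_until"] = None
        self.users[user_id]["failures"] = 0

    def change_password(self, user_id: str, new_pw: str) -> list:
        """Apply 8.3.6 before accepting; returns the list of violations (empty on success)."""
        problems = check_password_policy(new_pw)
        if problems:
            return problems
        salt, h = hash_password(new_pw)
        self.users[user_id].update(salt=salt, hash=h, must_change=False)
        return []
```

The lockout counter is reset when the lock is set, so after the 30 minutes expire the user gets a fresh set of attempts rather than being locked again on the first miss; `unlock_after_identity_check` is the "or until the user's identity is confirmed" branch of 8.3.4 and should only be reachable from an administrative path.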
Added
p. 61
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 8.3.8 Authentication policies and procedures are documented and communicated to all users including:
• Guidance on selecting strong authentication factors.
• Guidance for how users should protect their authentication factors.
• Instructions not to reuse previously used passwords/passphrases.
• Instructions to change passwords/passphrases if there is any suspicion or knowledge that the password/passphrases have been compromised and how to report the incident.
• Review authentication policies and procedures that are distributed to users.
Added
p. 61
• Passwords/passphrases are changed at least once every 90 days, OR
• The security posture of accounts is dynamically analyzed, and real-time access to resources is automatically determined accordingly.
• Inspect system configuration settings.
Applicability Notes This requirement applies to in-scope system components that are not in the CDE because these components are not subject to MFA requirements. This requirement is not intended to apply to user accounts on point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction (such as IDs used by cashiers on point-of-sale terminals). This requirement does not apply to service providers’ customer accounts but does apply to accounts for service provider personnel.
Added
p. 62
• Examine authentication policies and procedures.
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 8.3.11 Where authentication factors such as physical or logical security tokens, smart cards, or certificates are used:
• Factors are assigned to an individual user and not shared among multiple users.
• Physical and/or logical controls ensure only the intended user can use that factor to gain access.
• Examine system configuration settings and/or observe physical controls, as applicable.
Added
p. 62
• Observe administrator personnel logging into the CDE.
Applicability Notes The requirement for MFA for non-console administrative access applies to all personnel with elevated or increased privileges accessing the CDE via a non-console connection, that is, via logical access occurring over a network interface rather than via a direct, physical connection.
MFA is considered a best practice for non-console administrative access to in-scope system components that are not part of the CDE.
8.4.2 MFA is implemented for all access into the CDE.
• Examine network and/or system configurations.
• Observe personnel logging in to the CDE.
Applicability Notes This requirement does not apply to:
• Application or system accounts performing automated functions.
• User accounts on point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction …
Added
p. 65
• The MFA system is not susceptible to replay attacks.
• MFA systems cannot be bypassed by any users, including administrative users unless specifically documented, and authorized by management on an exception basis, for a limited time period.
• At least two different types of authentication factors are used.
• Success of all authentication factors is required before access is granted.
• Examine vendor system documentation.
• Examine system configurations for the MFA implementation.
• Interview responsible personnel and observe processes.
• Observe personnel logging into system components in the CDE.
• Observe personnel connecting remotely from outside the entity’s network.
• Every action taken is attributable to an individual user.
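The 8.5.1 properties listed above (at least two factor types, no susceptibility to replay, every factor succeeding before access is granted) can be checked mechanically. The following Python is an added example written for this page, not text or code from PCI SSC or the SAQ: a TOTP verifier (RFC 6238, HMAC-SHA1, 30-second step, 6 digits) that also records the highest time-step counter already accepted per user, so a captured code cannot be replayed. The user record, password, salt and the TOTP secret (the RFC 6238 test key) are constructed test data.

```python
"""Added example for PCI DSS 8.5.1 (not from the SAQ or PCI SSC): a second
factor of a different type, rejection of replayed one-time codes, and no
access until every factor succeeds.  TOTP per RFC 6238 (HMAC-SHA1, 30-second
step, 6 digits); users, passwords and secrets below are constructed data."""
import hashlib
import hmac
import struct
import time

STEP = 30          # RFC 6238 time step in seconds
DIGITS = 6
SKEW = 1           # accept one step either side of the verifier's clock


def totp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP value for one time-step counter (RFC 6238 TOTP)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed user record: knowledge factor (password hash) plus
    possession factor (TOTP secret) and the replay-protection counter."""
    salt = b"constructed-salt-not-for-production"
    return {"pw_hash": hash_password(password, salt), "salt": salt,
            "totp_secret": totp_secret, "last_counter": -1}


class MfaVerifier:
    def __init__(self, users: dict):
        self._users = users  # name -> record from make_user()

    def authenticate(self, name: str, password: str, code: str, now=None):
        """Return (granted, reason).  Both factors are evaluated before any
        decision, and the replay counter is advanced only when every factor
        succeeded, so a failed password cannot burn a valid code and a
        captured code cannot be reused with a later password guess."""
        now = int(time.time()) if now is None else now
        user = self._users.get(name)
        if user is None:
            return False, "unknown user"
        pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
        counter = now // STEP
        matched = None
        for c in range(counter - SKEW, counter + SKEW + 1):
            if hmac.compare_digest(totp(user["totp_secret"], c), code):
                matched = c
                break
        if not pw_ok:
            return False, "password rejected"
        if matched is None:
            return False, "one-time code rejected"
        if matched <= user["last_counter"]:   # 8.5.1: not susceptible to replay
            return False, "one-time code replayed"
        user["last_counter"] = matched        # burn the code only on full success
        return True, "access granted"


# RFC 6238 test key; at T=59 the 8-digit SHA-1 vector is 94287082, so the
# 6-digit code is 287082.
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    v = MfaVerifier({"alice": make_user("correct horse battery", DEMO_SECRET)})
    print(v.authenticate("alice", "correct horse battery", totp(DEMO_SECRET, 1), now=59))
    print(v.authenticate("alice", "correct horse battery", totp(DEMO_SECRET, 1), now=70))
```

Returning the specific failure reason is convenient for testing; a production login should return one generic failure message and log the detail. The last-accepted counter must be persisted with the user record and shared across login servers, otherwise the replay check does not survive a restart or a second node.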
8.6 Use of application and system accounts and associated authentication factors is strictly managed.
Added
p. 66
• Interactive use is prevented unless needed for an exceptional circumstance.
• Interactive use is limited to the time needed for the exceptional circumstance.
• Business justification for interactive use is documented.
• Interactive use is explicitly approved by management.
• Individual user identity is confirmed before access to account is granted.
• Examine application and system accounts that can be used interactively.
• Interview administrative personnel.
Added
p. 66
• Examine system development procedures.
• Examine scripts, configuration/property files, and bespoke and custom source code for application and system accounts that can be used for interactive login.
Applicability Notes Stored passwords/passphrases are required to be encrypted in accordance with PCI DSS Requirement 8.3.2.
8.6.3 Passwords/passphrases for any application and system accounts are protected against misuse as follows:
• Passwords/passphrases are changed periodically (at the frequency defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1) and upon suspicion or confirmation of compromise.
• Passwords/passphrases are constructed with sufficient complexity appropriate for how frequently the entity changes the passwords/passphrases.
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in …
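The 8.6.2 testing procedure above is a review of scripts, configuration/property files and source code for hard-coded passwords of application and system accounts. The following Python is an added example, not text or code from the SAQ or PCI SSC: a scanner that flags password-like assignments in such files but accepts a reference to an environment variable or a secrets store in place of the literal value. The three file contents, the key names and the ${VAR} / vault: reference conventions are constructed for the example.

```python
"""Added example for PCI DSS 8.6.2 (not from the SAQ): scan scripts,
configuration/property files and source for hard-coded application and
system account passwords.  File contents are constructed fixtures; the
${VAR} and vault: reference conventions are assumptions for the example."""
import re

# key = a name ENDING in a credential-ish word (so secret_key_file is not a key);
# value = a quoted or bare token up to whitespace, quote or comment character
ASSIGN = re.compile(
    r"""\b(?P<key>[\w.]*(?:password|passwd|pwd|secret|token))\s*[:=]\s*(?P<quote>["']?)(?P<value>[^"'\s#]+)(?P=quote)""",
    re.IGNORECASE)
# values that point at an external store instead of holding the secret itself
INDIRECT = re.compile(r"^(\$\{?[A-Za-z_][A-Za-z0-9_]*\}?|\{\{.*\}\}|vault:|secret://|<[\w-]+>)")
PLACEHOLDERS = {"null", "none", "~"}


def scan_text(path: str, text: str) -> list:
    """Return one finding per live credential literal in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "//", ";")):
            continue                      # commented-out lines are not live
        m = ASSIGN.search(line)
        if not m:
            continue
        value = m.group("value")
        if INDIRECT.match(value) or value.lower() in PLACEHOLDERS:
            continue                      # env/secret-store reference or empty placeholder
        findings.append({"file": path, "line": lineno, "key": m.group("key"),
                         "value": value[:2] + "*" * (len(value) - 2)})  # never re-log the secret
    return findings


FIXTURES = {  # constructed; not real files
    "app.properties": "\n".join([
        "# orders service database",
        "db.user=svc_orders",
        "db.password=Sup3rS3cret!",
        "jdbc.url=jdbc:postgresql://db.internal/orders",
    ]),
    "deploy.sh": "\n".join([
        "#!/bin/sh",
        'export API_TOKEN="${API_TOKEN}"',   # injected at runtime: acceptable
        "smtp_password='mailpass1'",         # literal: finding
    ]),
    "settings.yaml": "\n".join([
        "service_account: batch",
        "service_password: vault:secret/batch",   # secrets-store reference
        "token: null",
    ]),
}


def scan_all(fixtures=FIXTURES) -> list:
    return [f for path, text in fixtures.items() for f in scan_text(path, text)]


if __name__ == "__main__":
    for hit in scan_all():
        print(f"{hit['file']}:{hit['line']} {hit['key']} = {hit['value']}")
```

Each finding is then something to move into an environment variable or secrets store, or, where the account exists only for a process, evidence to check against the 8.6.3 rotation and complexity expectations. Findings mask the value because a scan report itself is often stored somewhere less protected than the file it came from.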
Added
p. 68
• Observe physical entry controls.
Added
p. 68
• Entry and exit points to/from sensitive areas within the CDE are monitored.
• Monitoring devices or mechanisms are protected from tampering or disabling.
• Collected data is reviewed and correlated with other entries.
• Collected data is stored for at least three months, unless otherwise restricted by law.
• Observe locations where individual physical access to sensitive areas within the CDE occurs.
• Observe the physical access control mechanisms and/or examine video cameras.
9.2.2 Physical and/or logical controls are implemented to restrict use of publicly accessible network jacks within the facility.
• Observe locations of publicly accessible network jacks.
Added
p. 69
• Observe locations of hardware and lines.
Added
p. 69
• Observe a system administrator’s attempt to log into consoles in sensitive areas.
Added
p. 69
• Identifying personnel.
• Managing changes to an individual’s physical access requirements.
• Revoking or terminating personnel identification.
• Limiting access to the identification process or system to authorized personnel.
• Observe identification methods, such as ID badges.
Added
p. 69
• Access is authorized and based on individual job function.
• Access is revoked immediately upon termination.
• All physical access mechanisms, such as keys, access cards, etc., are returned or disabled upon termination.
• Observe personnel in sensitive areas within the CDE.
• Examine physical access control lists.
9.3.2 Procedures are implemented for authorizing and managing visitor access to the CDE, including:
• Visitors are authorized before entering.
• Visitors are escorted at all times.
• Visitors are clearly identified and given a badge or other identification that expires.
• Visitor badges or other identification visibly distinguishes visitors from personnel.
• Observe processes when visitors are present in the CDE.
• Observe the use of visitor badges or other identification.
Added
p. 70
• Observe visitors leaving the facility.
Added
p. 70
• The visitor’s name and the organization represented.
• The date and time of the visit.
• The name of the personnel authorizing physical access.
• Retaining the log for at least three months, unless otherwise restricted by law.
• Examine visitor log storage locations.
Added
p. 70
• Examine logs or other documentation.
• Interview responsible personnel at the storage location(s).
9.4.1.2 The security of the offline media backup location(s) with cardholder data is reviewed at least once every 12 months.
• Examine documented procedures, logs, or other documentation.
• Interview responsible personnel at the storage location(s).
Added
p. 71
• Examine media logs or other documentation.
Added
p. 71
• Media sent outside the facility is logged.
• Media is sent by secured courier or other delivery method that can be accurately tracked.
• Offsite tracking logs include details about media location.
• Examine offsite tracking logs for all media.
Added
p. 71
• Examine offsite media tracking logs.
Applicability Notes Individuals approving media movements should have the appropriate level of management authority to grant this approval. However, it is not specifically required that such individuals have “manager” as part of their title.
Added
p. 71
• Examine electronic media inventory logs.
9.4.5.1 Inventories of electronic media with cardholder data are conducted at least once every 12 months.
• Examine electronic media inventory logs.
Added
p. 72
• Materials are cross-cut shredded, incinerated, or pulped so that cardholder data cannot be reconstructed.
• Materials are stored in secure storage containers prior to destruction.
• Examine the periodic media destruction policy.
• Observe storage containers.
Applicability Notes These requirements for media destruction when that media is no longer needed for business or legal reasons are separate and distinct from PCI DSS Requirement 3.2.1, which is for securely deleting cardholder data when no longer needed per the entity’s cardholder data retention policies.
Added
p. 72
• The electronic media is destroyed.
• The cardholder data is rendered unrecoverable so that it cannot be reconstructed.
• Observe the media destruction process.
9.5 Point-of-interaction (POI) devices are protected from tampering and unauthorized substitution.
Added
p. 73
• Maintaining a list of POI devices.
• Periodically inspecting POI devices to look for tampering or unauthorized substitution.
• Training personnel to be aware of suspicious behavior and to report tampering or unauthorized substitution of devices.
Applicability Notes These requirements apply to deployed POI devices used in card-present transactions (that is, a payment card form factor such as a card that is swiped, tapped, or dipped). This requirement is not intended to apply to manual PAN key-entry components such as computer keyboards.
This requirement is recommended, but not required, for manual PAN key-entry components such as computer keyboards. This requirement does not apply to commercial off-the-shelf (COTS) devices (for example, smartphones or tablets), which are mobile merchant-owned devices designed for mass-market distribution.
Added
p. 73
• Make and model of the device.
• Location of device.
• Device serial number or other methods of unique identification.
• Examine the list of POI devices.
• Observe POI devices and device locations.
Added
p. 73
• Observe inspection processes.
9.5.1.2.1 The frequency of periodic POI device inspections and the type of inspections performed is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.
• Examine documented results of periodic device inspections.
Added
p. 74
• Verifying the identity of any third-party persons claiming to be repair or maintenance personnel, before granting them access to modify or troubleshoot devices.
• Procedures to ensure devices are not installed, replaced, or returned without verification.
• Being aware of suspicious behavior around devices.
• Reporting suspicious behavior and indications of device tampering or substitution to appropriate personnel.
• Review training materials for personnel in POI environments.
Added
p. 75
Requirement 10: Log and Monitor All Access to System Components and Cardholder Data
10.1 Processes and mechanisms for logging and monitoring all access to system components and cardholder data are defined and documented.
Added
p. 75
• Interview the system administrator.
Added
p. 76
10.2.1.5 Audit logs capture all changes to identification and authentication credentials including, but not limited to:
• Creation of new accounts.
• Elevation of privileges.
• All changes, additions, or deletions to accounts with administrative access.
Added
p. 76
• All initialization of new audit logs, and
• All starting, stopping, or pausing of the existing audit logs.
Added
p. 76
• Success and failure indication.
• Origination of event.
• Identity or name of affected data, system component, resource, or service (for example, name and protocol).
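The 10.2.1.5 events (account creation, privilege elevation, changes to accounts with administrative access) and the 10.2.2 fields listed above (user identification, type of event, date and time, success or failure, origination, affected resource) can be checked against what a system actually logs. The following Python is an added example, not text or code from the SAQ or PCI SSC: it normalises Linux auth.log lines written by useradd, usermod, gpasswd, passwd and sudo into records carrying each 10.2.2 field and marks the 10.2.1.5 subset. The seven log lines are constructed samples in the common syslog layout; the message formats are those of shadow-utils and sudo, and other programs would need their own patterns.

```python
"""Added example for PCI DSS 10.2.1.5 / 10.2.2 (not from the SAQ): turn
Linux auth.log lines into audit records that carry each 10.2.2 field and
flag the 10.2.1.5 credential-change events.  The log lines are constructed
samples; only useradd, usermod, gpasswd, passwd and sudo messages are parsed."""
import re
from typing import Optional

ADMIN_GROUPS = {"sudo", "wheel", "admin"}

SYSLOG = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$")

# (event type, pattern over the message part); named groups feed the record.
# useradd/usermod/passwd lines do not name the invoking user, so the actor
# must come from the login session or auditd for those events.
PATTERNS = [
    ("account_created",    re.compile(r"new user: name=(?P<target>[\w-]+)")),
    ("admin_group_change", re.compile(r"add '(?P<target>[\w-]+)' to group '(?P<group>[\w-]+)'")),
    ("admin_group_change", re.compile(r"user (?P<target>[\w-]+) added by (?P<actor>\S+) to group (?P<group>[\w-]+)")),
    ("credential_changed", re.compile(r"password changed for (?P<target>[\w-]+)")),
    ("privilege_elevation", re.compile(
        r"^\s*(?P<actor>[\w-]+) : (?:(?P<fail>[^;]*?) ; )?TTY=(?P<tty>\S+) ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")),
]
R10_2_1_5 = {"account_created", "admin_group_change", "credential_changed", "privilege_elevation"}


def parse_line(line: str) -> Optional[dict]:
    """One audit record for a recognised line, else None."""
    m = SYSLOG.match(line)
    if not m:
        return None
    host, prog, msg = m.group("host"), m.group("prog"), m.group("msg")
    for event, pat in PATTERNS:
        hit = pat.search(msg)
        if not hit:
            continue
        g = hit.groupdict()
        if event == "admin_group_change" and g.get("group") not in ADMIN_GROUPS:
            event = "group_change"        # logged, but not an administrative-access change
        origin = f"{host}:{prog}" + (f":{g['tty']}" if g.get("tty") else "")
        return {
            "timestamp": m.group("ts"),                                  # 10.2.2 date and time
            "user": g.get("actor") or "(correlate with session/auditd)",  # 10.2.2 user identification
            "event": event,                                              # 10.2.2 type of event
            "success": g.get("fail") is None,                            # 10.2.2 success or failure
            "origin": origin,                                            # 10.2.2 origination of event
            "resource": g.get("target"),                                 # 10.2.2 affected account
            "detail": g.get("fail") or g.get("cmd") or g.get("group"),
            "r10_2_1_5": event in R10_2_1_5,                             # credential/privilege change
        }
    return None


def audit_records(lines) -> list:
    return [r for r in map(parse_line, lines) if r]


def credential_changes(lines) -> list:
    """The 10.2.1.5 subset: creation, privilege elevation, credential and admin-account changes."""
    return [r for r in audit_records(lines) if r["r10_2_1_5"]]


SAMPLE_LOG = [  # constructed sample lines
    "Mar  4 09:12:01 pos-db01 useradd[2201]: new user: name=svc_batch, UID=1005, GID=1005, home=/var/lib/batch, shell=/usr/sbin/nologin",
    "Mar  4 09:12:07 pos-db01 usermod[2210]: add 'svc_batch' to group 'sudo'",
    "Mar  4 09:12:20 pos-db01 gpasswd[2215]: user bob added by root to group staff",
    "Mar  4 09:13:02 pos-db01 passwd[2220]: pam_unix(passwd:chauthtok): password changed for svc_batch",
    "Mar  4 09:14:11 pos-db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
    "Mar  4 09:15:30 pos-db01 sudo:  mallory : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/mallory ; USER=root ; COMMAND=/bin/bash",
    "Mar  4 09:16:00 pos-db01 sshd[2300]: Accepted publickey for alice from 10.0.5.12 port 51022 ssh2",
]

if __name__ == "__main__":
    for rec in credential_changes(SAMPLE_LOG):
        print(rec)
```

The gaps this exposes are the point of the exercise: the syslog lines from useradd, usermod and passwd satisfy the event, time, outcome and affected-account fields but not user identification, which is why auditd (or an equivalent) keyed on the login UID is usually needed alongside syslog to meet 10.2.2 for those events.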
Added
p. 76
• Examine system configurations and privileges.
Added
p. 77
10.3.3 Audit log files, including those for external-facing technologies, are promptly backed up to a secure, central, internal log server(s) or other media that is difficult to modify.
• Examine backup configurations or log files.
Added
p. 77
• Examine system settings.
• Examine monitored files.
• Examine results from monitoring activities.
Added
p. 77
• All security events.
• Logs of all system components that store, process, or transmit CHD and/or SAD.
• Logs of all critical system components.
• Logs of all servers and system components that perform security functions (for example, network security controls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers).
Added
p. 77
• Examine log review mechanisms.
Added
p. 77
• Examine documented results of log reviews.
Applicability Notes This requirement is applicable to all other in-scope system components not included in Requirement 10.4.1.
Added
p. 78
• Examine documented results of periodic log reviews.
Added
p. 78
• Examine documented audit log retention policies and procedures.
• Examine configurations of audit log history.
Added
p. 78
Applicability Notes Keeping time-synchronization technology current includes managing vulnerabilities and patching the technology according to PCI DSS Requirements 6.3.1 and 6.3.3.
10.6.2 Systems are configured to the correct and consistent time as follows:
• One or more designated time servers are in use.
• Only the designated central time server(s) receives time from external sources.
• Time received from external sources is based on International Atomic Time or Coordinated Universal Time (UTC).
• The designated time server(s) accept time updates only from specific industry-accepted external sources.
• Where there is more than one designated time server, the time servers peer with one another to keep accurate time.
• Internal systems receive time information only from designated central time server(s).
• Examine system configuration settings for acquiring, distributing, and storing the correct time.
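The 10.6.2 bullets above describe a two-tier time hierarchy that can be verified from configuration rather than by interview. The following Python is an added example, not text or code from the SAQ or PCI SSC: a lint for chrony configuration fragments that checks that the designated time servers take time only from specific approved external sources and peer with each other, that they serve internal clients, and that every other internal system takes time only from the designated servers. The host names, addresses, the approved-source list and the four configuration fragments are constructed for the example; server, pool, peer and allow are standard chrony directives.

```python
"""Added example for PCI DSS 10.6.2 (not from the SAQ): lint chrony
configuration fragments for the two-tier hierarchy the requirement
describes.  Hosts, addresses, the approved-source list and the fragments
are constructed; server/pool/peer/allow are standard chrony directives."""

DESIGNATED = {"ntp1.corp.example": "10.10.0.11", "ntp2.corp.example": "10.10.0.12"}
APPROVED_EXTERNAL = {"time.nist.gov", "time.cloudflare.com"}   # assumed entity-approved sources

CONFIGS = {  # constructed /etc/chrony.conf fragments, one per host
    "ntp1.corp.example": """
        server time.nist.gov iburst
        server time.cloudflare.com iburst nts    # NTS authenticates the source
        peer 10.10.0.12
        allow 10.10.0.0/16
    """,
    "ntp2.corp.example": """
        server time.nist.gov iburst
        pool 2.pool.ntp.org iburst               # not a specific approved source
        peer 10.10.0.11
        allow 10.10.0.0/16
    """,
    "pos-db01": """
        server 10.10.0.11 iburst
        server 10.10.0.12 iburst
    """,
    "web01": """
        server 10.10.0.11 iburst
        pool pool.ntp.org iburst                 # bypasses the designated servers
    """,
}

SOURCE_DIRECTIVES = {"server", "pool", "peer", "allow"}


def parse_chrony(text: str):
    """Yield (directive, first argument) for the directives we care about."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments
        parts = line.split()
        if parts and parts[0] in SOURCE_DIRECTIVES:
            yield parts[0], parts[1] if len(parts) > 1 else ""


def check_host(host: str, text: str) -> list:
    """Findings for one host's configuration; an empty list means compliant."""
    findings = []
    designated_ips = set(DESIGNATED.values())
    sources, peers, allows = [], set(), []
    for directive, arg in parse_chrony(text):
        if directive == "peer":
            peers.add(arg)
        elif directive == "allow":
            allows.append(arg)
        else:
            sources.append((directive, arg))
    if host in DESIGNATED:
        # designated servers: only specific approved external sources, peer with each other, serve clients
        for directive, arg in sources:
            if directive == "pool":
                findings.append(f"{host}: '{directive} {arg}' is an anonymous pool, not a specific approved source")
            elif arg not in APPROVED_EXTERNAL:
                findings.append(f"{host}: external source {arg} is not on the approved list")
        expected = designated_ips - {DESIGNATED[host]}
        if peers != expected:
            findings.append(f"{host}: peers {sorted(peers)} do not match the other designated servers {sorted(expected)}")
        if not allows:
            findings.append(f"{host}: no 'allow' directive, so internal systems cannot sync from it")
    else:
        # every other internal system: designated servers only, no peering, no direct external sources
        for directive, arg in sources:
            if directive == "pool" or arg not in designated_ips:
                findings.append(f"{host}: '{directive} {arg}' takes time from something other than a designated server")
        if peers:
            findings.append(f"{host}: internal systems should not peer; they only receive time from designated servers")
        if not sources:
            findings.append(f"{host}: no time source configured")
    return findings


def lint_all(configs=CONFIGS) -> dict:
    return {host: check_host(host, text) for host, text in configs.items()}


if __name__ == "__main__":
    for host, findings in lint_all().items():
        print(host, findings or "ok")
```

Run against configurations collected from every in-scope host, this is the evidence behind "examine system configuration settings for acquiring, distributing, and storing the correct time". The lint checks the hierarchy only; whether the approved external sources are authenticated (for example with NTS where the source supports it) and whether 10.6.3's restrictions on changing time data are enforced are separate checks.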
Added
p. 79
• Access to time data is restricted to only personnel with a business need.
• Any changes to time settings on critical systems are logged, monitored, and reviewed.
• Examine system configurations and time-synchronization settings and logs.
Added
p. 80
• Examine documented processes.
10.7.2 Failures of critical security control systems are detected, alerted, and addressed promptly, including but not limited to failure of the following critical security control systems:
• Network security controls.
• Anti-malware solutions.
• Physical access controls.
• Logical access controls.
• Audit logging mechanisms.
• Segmentation controls (if used).
• Audit log review mechanisms.
• Automated security testing tools (if used).
Applicability Notes This requirement applies to all entities, including service providers, and will supersede Requirement 10.7.1 as of 31 March 2025. It includes two additional critical security control systems not in Requirement 10.7.1.
10.7.3 Failures of any critical security control systems are responded to promptly, …
Added
p. 82
Requirement 11: Test Security of Systems and Networks Regularly
11.1 Processes and mechanisms for regularly testing security of systems and networks are defined and understood.
11.2 Wireless access points are identified and monitored, and unauthorized wireless access points are addressed.
Added
p. 83
• The presence of wireless (Wi-Fi) access points is tested for.
• All authorized and unauthorized wireless access points are detected and identified.
• Testing, detection, and identification occurs at least once every three months.
• If automated monitoring is used, personnel are notified via generated alerts.
• Examine the methodology(ies) in use and the resulting documentation.
• Examine wireless assessment results.
Applicability Notes The requirement applies even when a policy exists that prohibits the use of wireless technology since attackers do not read and follow company policy.
Methods used to meet this requirement must be sufficient to detect and identify both authorized and unauthorized devices, including unauthorized devices attached to devices that themselves are authorized.
Added
p. 84
11.3 External and internal vulnerabilities are regularly identified, prioritized, and addressed.
Added
p. 84
• At least once every three months.
• High-risk and critical vulnerabilities (per the entity’s vulnerability risk rankings defined at Requirement 6.3.1) are resolved.
• Rescans are performed that confirm all high-risk and critical vulnerabilities (as noted above) have been resolved.
• Scan tool is kept up to date with latest vulnerability information.
• Scans are performed by qualified personnel and organizational independence of the tester exists.
• Examine internal scan report results.
• Examine scan tool configurations.
Applicability Notes It is not required to use a QSA or ASV to conduct internal vulnerability scans.
Internal vulnerability scans can be performed by qualified, internal staff that are reasonably independent of the system component(s) being scanned (for example, a network administrator should not be responsible for scanning the network), or an entity may choose to have internal vulnerability scans performed by a firm specializing in vulnerability scanning.
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) …
Added
p. 85
• Examine internal scan report results or other documentation.
Applicability Notes The timeframe for addressing lower-risk vulnerabilities is subject to the results of a risk analysis per Requirement 12.3.1 that includes (minimally) identification of assets being protected, threats, and likelihood and/or impact of a threat being realized.
• High-risk and critical vulnerabilities (per the entity’s vulnerability risk rankings defined at Requirement 6.3.1) are resolved.
• Examine scan tool configurations.
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 11.3.1.2 Internal vulnerability scans are performed via authenticated scanning as follows:
• Systems that are unable to accept credentials for authenticated scanning are documented.
• Examine scan report results.
• Examine accounts used for authenticated scanning.
• Sufficient privileges are used for those systems that accept credentials for scanning.
• If accounts used for authenticated scanning can be used for interactive login, they are managed …
Added
p. 86
• Scans are performed by qualified personnel and organizational independence of the tester exists (not required to be a QSA or ASV).
• Examine internal scan and rescan report as applicable.
Applicability Notes Authenticated internal vulnerability scanning per Requirement 11.3.1.2 is not required for scans performed after significant changes.
• At least once every three months.
• Scans are performed by qualified personnel and organizational independence of the tester exists (not required to be a QSA or ASV).
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 11.3.2 External vulnerability scans are performed as follows:
• By a PCI SSC Approved Scanning Vendor (ASV)
• Vulnerabilities are resolved and ASV Program Guide requirements for a passing scan are met.
• Rescans are performed as needed to confirm that vulnerabilities are resolved per the ASV Program Guide requirements for a passing scan.
• Examine …
Added
p. 87
• Vulnerabilities that are scored 4.0 or higher by the CVSS are resolved.
• Examine external scan, and as applicable rescan reports.
Applicability Notes (cont.)
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 11.4 External and internal penetration testing is regularly performed, and exploitable vulnerabilities and security weaknesses are corrected.
Added
p. 88
• Industry-accepted penetration testing approaches.
• Coverage for the entire CDE perimeter and critical systems.
• Testing from both inside and outside the network.
• Testing to validate any segmentation and scope-reduction controls.
• Application-layer penetration testing to identify, at a minimum, the vulnerabilities listed in Requirement 6.2.4.
• Network-layer penetration tests that encompass all components that support network functions as well as operating systems.
• Review and consideration of threats and vulnerabilities experienced in the last 12 months.
• Documented approach to assessing and addressing the risk posed by exploitable vulnerabilities and security weaknesses found during penetration testing.
• Retention of penetration testing results and remediation activities results for at least 12 months.
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place Testing from inside the network (or “internal penetration testing”) means testing from both inside the CDE and into the CDE …
Added
p. 89
• Per the entity’s defined methodology.
• Per the entity’s defined methodology.
• At least once every 12 months.
• At least once every 12 months.
• After any significant infrastructure or application upgrade or change.
• After any significant infrastructure or application upgrade or change.
• By a qualified internal resource or qualified external third-party
Added
p. 89
• By a qualified internal resource or qualified external third-party.
Added
p. 89
• In accordance with the entity’s assessment of the risk posed by the security issue as defined in Requirement 6.3.1.
• Penetration testing is repeated to verify the corrections.
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 11.4.5 If segmentation is used to isolate the CDE from other networks, penetration tests are performed on segmentation controls as follows:
• At least once every 12 months and after any changes to segmentation controls/methods
• Covering all segmentation controls/methods in use.
• According to the entity’s defined penetration testing methodology.
• Confirming that the segmentation controls/methods are operational and effective, and isolate the CDE from all out-of-scope systems.
• Confirming effectiveness of any use of isolation to separate systems with differing security levels (see Requirement 2.2.3).
• Performed by a qualified internal resource or qualified external third party.
• Examine the results from the …
Added
p. 91
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 11.5 Network intrusions and unexpected file changes are detected and responded to.
Added
p. 91
• All traffic is monitored at the perimeter of the CDE.
• All traffic is monitored at critical points in the CDE.
• Personnel are alerted to suspected compromises.
• All intrusion-detection and prevention engines, baselines, and signatures are kept up to date.
• Examine system configurations and network diagrams.
Added
p. 91
• To alert personnel to unauthorized modification (including changes, additions, and deletions) of critical files.
• To perform critical file comparisons at least once weekly.
Applicability Notes For change-detection purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. Change-detection mechanisms such as file integrity monitoring products usually come pre-configured with critical files for the related operating system. Other critical files, such as those for custom applications, must be evaluated and defined by the entity (that is, the merchant or service provider).
• Periodically (at the frequency defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1).
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 11.6 Unauthorized changes on payment pages are detected …
Added
p. 93
• Disseminated to all relevant personnel, as well as to relevant vendors and business partners.
Added
p. 93
• Updated as needed to reflect changes to business objectives or risks to the environment
Added
p. 94
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 12.2 Acceptable use policies for end-user technologies are defined and implemented.
• Explicit approval by authorized parties.
• List of products approved by the company for employee use, including hardware and software.
Applicability Notes Examples of end-user technologies for which acceptable use policies are expected include, but are not limited to, remote access and wireless technologies, laptops, tablets, mobile phones, and removable electronic media, e-mail usage, and Internet usage.
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 12.3 Risks to the cardholder data environment are formally identified, evaluated, and managed.
Added
p. 95
• Identification of the assets being protected.
• Identification of the threat(s) that the requirement is protecting against.
• Identification of factors that contribute to the likelihood and/or impact of a threat being realized.
• Resulting analysis that determines, and includes justification for, how frequently the requirement must be performed to minimize the likelihood of the threat being realized.
• Review of each targeted risk analysis at least once every 12 months to determine whether the results are still valid or if an updated risk analysis is needed
• Performance of updated risk analyses when needed, as determined by the annual review.
Added
p. 96
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 12.3.3 Cryptographic cipher suites and protocols in use are documented and reviewed at least once every 12 months, including at least the following:
• An up-to-date inventory of all cryptographic cipher suites and protocols in use, including purpose and where used.
• Active monitoring of industry trends regarding continued viability of all cryptographic cipher suites and protocols in use.
• A documented strategy to respond to anticipated changes in cryptographic vulnerabilities.
Applicability Notes The requirement applies to all cryptographic suites and protocols used to meet PCI DSS requirements.
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 12.3.4 Hardware and software technologies in use are reviewed at least once every 12 months, including at …
Added
p. 98
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 12.5.2 PCI DSS scope is documented and confirmed by the entity at least once every 12 months and upon significant change to the in-scope environment.
At a minimum, the scoping validation includes:
• Identifying all data flows for the various payment stages (for example, authorization, capture settlement, chargebacks, and refunds) and acceptance channels (for example, card-present, card-not-present, and e-commerce).
• Updating all data-flow diagrams per requirement 1.2.4.
• Identifying all locations where account data is stored, processed, and transmitted, including but not limited to: 1) any locations outside of the currently defined CDE, 2) applications that process CHD, 3) transmissions between systems and networks, and 4) file backups.
• Identifying all system components in the CDE, connected to the CDE, or that could impact security of the CDE.
• Identifying all …
Added
p. 99
• Reviewed at least once every 12 months, and
• Updated as needed to address any new threats and vulnerabilities that may impact the security of the entity’s CDE, or the information provided to personnel about their role in protecting cardholder data.
Added
p. 99
• Upon hire and at least once every 12 months.
• Multiple methods of communication are used.
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 12.6.3.1 Security awareness training includes awareness of threats and vulnerabilities that could impact the security of the CDE, including but not limited to:
• Phishing and related attacks.
• Social engineering.
Applicability Notes See Requirement 5.4.1 in PCI DSS for guidance on the difference between technical and automated controls to detect and protect users from phishing attacks, and this requirement for providing users security awareness training about phishing and social engineering. These are two separate and distinct requirements, and one is not met by implementing controls required by the other one.
Added
p. 101
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 12.8 Risk to information assets associated with third-party service provider (TPSP) relationships is managed.
Added
p. 101
Applicability Notes The use of a PCI DSS compliant TPSP does not make an entity PCI DSS compliant, nor does it remove the entity’s responsibility for its own PCI DSS compliance.
Added
p. 101
• Written agreements include acknowledgments from TPSPs that they are responsible for the security of account data the TPSPs possess or otherwise store, process, or transmit on behalf of the entity, or to the extent that they could impact the security of the entity’s CDE.
Applicability Notes The exact wording of an acknowledgment will depend on the agreement between the two parties, the details of the service being provided, and the responsibilities assigned to each party. The acknowledgment does not have to include the exact wording provided in this requirement.
Evidence that a TPSP is meeting PCI DSS requirements (for example, a PCI DSS Attestation of Compliance (AOC) or a declaration on a company’s website) is not the same as a written agreement specified in this requirement.
Added
p. 102
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 12.8.4 A program is implemented to monitor TPSPs’ PCI DSS compliance status at least once every 12 months.
Applicability Notes Where an entity has an agreement with a TPSP for meeting PCI DSS requirements on behalf of the entity (for example, via a firewall service), the entity must work with the TPSP to make sure the applicable PCI DSS requirements are met. If the TPSP does not meet those applicable PCI DSS requirements, then those requirements are also “not in place” for the entity.
Added
p. 103
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 12.10 Suspected and confirmed security incidents that could impact the CDE are responded to immediately.
• Incident response procedures with specific containment and mitigation activities for different types of incidents.
• Data backup processes.
• Examine documentation from previously reported incidents.
Added
p. 103
• Reviewed and the content is updated as needed.
Added
p. 104
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 12.10.4.1 The frequency of periodic training for incident response personnel is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.
Added
p. 104
• Intrusion-detection and intrusion-prevention systems.
• Change-detection mechanisms for critical files.
• The change- and tamper-detection mechanism for payment pages. This bullet is a best practice until its effective date; refer to Applicability Notes below for details.
Applicability Notes The bullet above (for monitoring and responding to alerts from a change- and tamper-detection mechanism for payment pages) is a best practice until 31 March 2025, after which it will be required as part of Requirement 12.10.5 and must be fully considered during a PCI DSS assessment.
PCI DSS Requirement Expected Testing Response♦ (Check one response for each requirement) In Place In Place with CCW Not Applicable Not Tested Not in Place 12.10.7 Incident response procedures are in place, to be initiated upon the detection of stored PAN anywhere it is not expected, and include:
• Determining what to do if PAN is discovered outside the CDE, including its retrieval, secure deletion, and/or migration into the currently …
Added
p. 112
PCI DSS controls will be maintained at all times, as applicable to the merchant’s environment.
QSA performed testing procedures.
QSA provided other assistance.
If selected, describe all role(s) performed:
If selected, describe all role(s) performed:
Signature of Lead QSA Date: YYYY-MM-DD Lead QSA Name:
ISA(s) performed testing procedures.
ISA(s) provided other assistance.
Added
p. 113
If asked to complete this section, select the appropriate response for “Compliant to PCI DSS Requirements” for each requirement below. For any “No” responses, include the date the merchant expects to be compliant with the requirement and a brief description of the actions being taken to meet the requirement.
PCI DSS Requirement Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO 1 Install and maintain network security controls 2 Apply secure configurations to all system components 3 Protect stored account data 4 Protect cardholder data with strong cryptography during transmission over open, public networks 5 Protect all systems and networks from malicious software 6 Develop and maintain secure systems and software 7 Restrict access to system components and cardholder data by business need to know 8 Identify users and authenticate access to system components 9 Restrict physical access …
Removed
p. 2
This document aligns with PCI DSS v3.2.1 r1.
Removed
p. 4
• Merchants with environments that might meet the criteria of another SAQ type, but that have additional PCI DSS requirements applicable to their environment
While many organizations completing SAQ D will need to validate compliance with every PCI DSS requirement, some organizations with very specific business models may find that some requirements do not apply. See the guidance below for information about the exclusion of certain, specific requirements.
PCI DSS Self-Assessment Completion Steps
(a) Identify the applicable SAQ for your environment; refer to the Self-Assessment Questionnaire Instructions and Guidelines document on the PCI SSC website for information.
(b) Confirm that your environment is properly scoped and meets the eligibility criteria for the SAQ you are using.
• Section 3 (Parts 3 & 4 of the AOC)
• Validation and Attestation Details and Action Plan for Non-Compliant Requirements (if applicable)
(e) Submit the SAQ and Attestation of Compliance (AOC), along with any other requested documentation, such as …
Modified
p. 4
E-commerce merchants that accept account data on their website.
Modified
p. 4
Merchants with electronic storage of account data.
Modified
p. 4
Merchants that don’t store account data electronically but that do not meet the criteria of another SAQ type.
Modified
p. 4 → 5
3. Assess environment for compliance with PCI DSS requirements.
Modified
p. 4 → 5
4. Complete all sections of this document:
Modified
p. 4 → 5
• Section 1 (Parts 1 & 2 of the AOC)
• Section 3: Validation and Attestation Details (Parts 3 & 4 of the AOC
Modified
p. 4 → 5
• Assessment Information and Executive Summary
• Contact Information and Executive Summary).
Modified
p. 4 → 5
PCI DSS Self-Assessment Completion Steps
Removed
p. 5
Additional resources that provide guidance on PCI DSS requirements and how to complete the self-assessment questionnaire have been provided to assist with the assessment process. An overview of some of these resources is provided below:
(PCI Data Security Standard Requirements and Security Assessment Procedures)
• Guidance on Scoping
• Guidance on the intent of all PCI DSS Requirements
• Details of testing procedures
• Guidance on Compensating Controls
SAQ Instructions and Guidelines documents
• Information about all SAQs and their eligibility criteria
• How to determine which SAQ is right for your organization
PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms
• Descriptions and definitions of terms used in the PCI DSS and self-assessment questionnaires
These and other resources can be found on the PCI SSC website (www.pcisecuritystandards.org). Organizations are encouraged to review the PCI DSS and other supporting documents before beginning an assessment.
Completing the Self-Assessment Questionnaire
For each question, there is a choice of responses …
Modified
p. 5
Expected Testing The instructions provided in the “Expected Testing” column are based on the testing procedures in the PCI DSS, and provide a high-level description of the types of testing activities that should be performed in order to verify that a requirement has been met. Full details of testing procedures for each requirement can be found in the PCI DSS.
Expected Testing The instructions provided in the “Expected Testing” column are based on the testing procedures in PCI DSS and provide a high-level description of the types of testing activities that a merchant is expected to perform to verify that a requirement has been met.
Modified
p. 5 → 6
In Place The expected testing has been performed, and all elements of the requirement have been met as stated.
Modified
p. 5 → 6
In Place with CCW (Compensating Controls Worksheet) The expected testing has been performed, and the requirement has been met with the assistance of a compensating control.
Modified
p. 5 → 6
All responses in this column require completion of a Compensating Control Worksheet (CCW) in Appendix B of the SAQ.
All responses in this column require completion of a Compensating Controls Worksheet (CCW) in Appendix B of this SAQ.
Modified
p. 5 → 6
Information on the use of compensating controls and guidance on how to complete the worksheet is provided in the PCI DSS.
Information on the use of compensating controls and guidance on how to complete the worksheet is provided in PCI DSS Appendices B and C.
Removed
p. 6
Guidance for Non-Applicability of Certain, Specific Requirements While many organizations completing SAQ D will need to validate compliance with every PCI DSS requirement, some organizations with very specific business models may find that some requirements do not apply. For example, a company that does not use wireless technology in any capacity would not be expected to validate compliance with the sections of the PCI DSS that are specific to managing wireless technology. Similarly, an organization that does not store any cardholder data electronically at any time would not need to validate requirements related to secure storage of cardholder data (for example, Requirement 3.4).
Examples of requirements with specific applicability include:
• The questions specific to securing wireless technologies (for example, Requirements 1.2.3, 2.1.1, and 4.1.1) only need to be answered if wireless is present anywhere in your network. Note that Requirement 11.1 (use of processes to identify unauthorized wireless access points) must …
Modified
p. 6
Not in Place Some or all elements of the requirement have not been met, or are in the process of being implemented, or require further testing before the merchant can confirm they are in place. Responses in this column may require the completion of Part 4, if requested by the entity to which this SAQ will be submitted.
Modified
p. 6
Not Applicable The requirement does not apply to the merchant’s environment. (See “Guidance for Not Applicable Requirements” below for examples.) All responses in this column require a supporting explanation in Appendix C of this SAQ.
Modified
p. 6
Not Tested The requirement was not included for consideration in the assessment, and was not tested in any way. (See Understanding the difference between Not Applicable and Not Tested below for examples of when this option should be used.) All responses in this column require a supporting explanation in Appendix D of the SAQ.
Not Tested The requirement was not included for consideration in the assessment and was not tested in any way. (See “Understanding the Difference between Not Applicable and Not Tested” below for examples of when this option should be used.) All responses in this column require a supporting explanation in Appendix D of this SAQ.
Removed
p. 7
• An organization may wish to validate a new security control that impacts only a subset of requirements, for example, implementation of a new encryption methodology that requires assessment of PCI DSS Requirements 2, 3, and 4.
• A service provider organization might offer a service which covers only a limited number of PCI DSS requirements, for example, a physical storage provider may only wish to validate the physical security controls per PCI DSS Requirement 9 for their storage facility.
Modified
p. 7
for example:
A merchant is asked by their acquirer to validate a subset of requirements, for example, using the PCI DSS Prioritized Approach to validate only certain milestones.
Modified
p. 7
In these scenarios, the organization only wishes to validate certain PCI DSS requirements even though other requirements might also apply to their environment.
In these scenarios, the merchant’s assessment only includes certain PCI DSS requirements even though other requirements might also apply to its environment.
Modified
p. 7 → 8
Legal Exception If your organization is subject to a legal restriction that prevents the organization from meeting a PCI DSS requirement, check the “No” column for that requirement and complete the relevant attestation in Part 3.
Legal Exception If your organization is subject to a legal restriction that prevents the organization from meeting a PCI DSS requirement, select Not in Place for that requirement and complete the relevant attestation in Section 3, Part 3 of this SAQ.
Removed
p. 8
Part 1. Merchant and Qualified Security Assessor Information Part 1a. Merchant Organization Information Company Name: DBA (doing business as):
Business Address: City:
Business Address: City:
State/Province: Country: Zip:
State/Province: Country: Zip:
Lead QSA Contact Name: Title:
Part 2. Executive Summary Part 2a. Type of Merchant Business (check all that apply) Retailer Telecommunication Grocery and Supermarkets Petroleum E-Commerce Mail order/telephone order (MOTO) Others (please specify):
What types of payment channels does your business serve?
Mail order/telephone order (MOTO) E-Commerce Card-present (face-to-face) Which payment channels are covered by this SAQ? Mail order/telephone order (MOTO) E-Commerce Card-present (face-to-face)
Modified
p. 8 → 10
Section 1: Assessment Information Instructions for Submission This document must be completed as a declaration of the results of the merchant’s self-assessment with the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS). Complete all sections: The merchant is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact your acquirer (merchant bank) or the payment brands to determine reporting and submission procedures.
Section 1: Assessment Information Instructions for Submission This document must be completed as a declaration of the results of the merchant’s self-assessment against the Payment Card Industry Data Security Standard (PCI DSS) Requirements and Testing Procedures. Complete all sections. The merchant is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact the entity(ies) to which the Attestation of Compliance (AOC) will be submitted for reporting and submission procedures.
Modified
p. 8 → 10
Qualified Security Assessor Company name:
Modified
p. 8 → 11
Note: If your organization has a payment channel or process that is not covered by this SAQ, consult your acquirer or payment brand about validation for the other channels.
Note: If the organization has a payment channel that is not covered by this SAQ, consult with the entity(ies) to which this AOC will be submitted about validation for the other channels.
Removed
p. 9
Type of facility | Number of facilities of this type | Location(s) of facility (city, country)
Example: Retail outlets | 3 | Boston, MA, USA
Part 2d. Payment Applications
Does the organization use one or more Payment Applications? Yes No
Provide the following information regarding the Payment Applications your organization uses:
Payment Application | Version Number | Application | Is application PA-DSS Listed? | PA-DSS Listing Expiry date (if applicable)
Part 2e. Description of Environment
Provide a high-level description of the environment covered by this assessment.
For example:
• Connections into and out of the cardholder data environment (CDE).
• Critical system components within the CDE, such as POS devices, databases, web servers, etc., and any other necessary payment components, as applicable.
Modified
p. 9 → 11
Indicate whether the environment includes segmentation to reduce the scope of the assessment. (Refer to “Segmentation” section of PCI DSS for guidance on segmentation.)
Removed
p. 10
Does your company share cardholder data with any third-party service providers (for example, Qualified Integrator & Resellers (QIR), gateways, payment processors, payment service providers (PSP), web-hosting companies, airline booking agents, loyalty program agents, etc.)? Name of service provider: Description of services provided:
Removed
p. 11
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 1.1 Are firewall and router configuration standards established and implemented to include the following:
Removed
p. 11
(b) Is there a process to ensure the diagram is kept current?
• Interview responsible personnel.
Removed
p. 11
(b) Is there a process to ensure the diagram is kept current?
• Interview personnel.
Modified
p. 11 → 15
Note: The following questions are numbered according to PCI DSS requirements and testing procedures, as defined in the PCI DSS Requirements and Security Assessment Procedures document.
Note: The following requirements mirror the requirements in the PCI DSS Requirements and Testing Procedures document.
Modified
p. 11 → 15
Self-assessment completion date: Build and Maintain a Secure Network and Systems
Self-assessment completion date: YYYY-MM-DD Build and Maintain a Secure Network and Systems
Modified
p. 11 → 15
Requirement 1: Install and maintain a firewall configuration to protect data
Requirement 1: Install and Maintain Network Security Controls
Removed
p. 12
1.1.4 (a) Is a firewall required and implemented at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone?
• Review firewall configuration standards.
• Observe network configurations to verify that a firewall(s) is in place.
Is the current network diagram consistent with the firewall configuration standards?
• Compare firewall configuration standards to current network diagram.
Removed
p. 12
Are all insecure services, protocols, and ports identified, and are security features documented and implemented for each identified service?
• Review firewall and router configuration standards.
Removed
p. 12
(b) Are firewall and router rule sets reviewed at least every six months?
• Examine documentation from firewall reviews.
Removed
p. 12
Note: An “untrusted network” is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity’s ability to control or manage.
Removed
p. 13
1.2.1 (a) Is inbound and outbound traffic restricted to that which is necessary for the cardholder data environment?
• Review firewall and router configuration standards.
Is all other inbound and outbound traffic specifically denied (for example by using an explicit “deny all” or an implicit deny after allow statement)?
• Review firewall and router configuration standards.
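A check for the “deny all” question above, added here as an example and not part of the SAQ or of any PCI SSC material: it parses a ruleset in `iptables -S` format (a constructed sample is embedded) and reports, per built-in filter chain, whether traffic that matches no allow rule is denied, either by a DROP policy or by a final unconditional DROP/REJECT rule. The sample addresses, ports and the audit() helper are the example's own.

```python
"""Check that an iptables filter ruleset denies traffic not explicitly allowed.

Added example for the "deny all" question; it is not part of the SAQ.
It reads the `iptables -S` listing format (one rule per line) and reports,
for each built-in chain, whether unmatched traffic is denied, either by a
DROP policy or by a terminal unconditional DROP/REJECT rule.
"""
import re
from dataclasses import dataclass, field

# Constructed sample ruleset in `iptables -S` syntax. INPUT and FORWARD are
# closed by policy; OUTPUT has an ACCEPT policy and no catch-all deny.
SAMPLE_RULESET = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j LOG --log-prefix "in-drop: "
-A FORWARD -s 10.10.20.0/24 -d 10.10.30.5/32 -p tcp -m tcp --dport 5432 -j ACCEPT
-A OUTPUT -d 10.10.30.0/24 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
"""

BUILTIN_CHAINS = ("INPUT", "FORWARD", "OUTPUT")
DENY_TARGETS = {"DROP", "REJECT"}
TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT"}

POLICY_RE = re.compile(r"^-P (\S+) (\S+)$")
RULE_RE = re.compile(r"^-A (\S+)(.*?)(?:\s-j\s(\S+).*)?$")


@dataclass
class Chain:
    policy: str = "ACCEPT"                      # iptables default for built-in chains
    rules: list = field(default_factory=list)   # (match_spec, target) in rule order


def parse_ruleset(text):
    """Parse `iptables -S` output into {chain_name: Chain}."""
    chains = {name: Chain() for name in BUILTIN_CHAINS}
    for raw in text.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            chains.setdefault(m.group(1), Chain()).policy = m.group(2)
            continue
        m = RULE_RE.match(line)
        if m:
            name, spec, target = m.group(1), m.group(2).strip(), m.group(3)
            chains.setdefault(name, Chain()).rules.append((spec, target))
    return chains


def chain_denies_by_default(chain):
    """True when traffic matching no allow rule is denied.

    The first rule with an empty match specification and a terminal target
    decides for everything that reaches it: DROP/REJECT closes the chain,
    ACCEPT opens it. Non-terminal targets such as LOG are skipped. If no
    such rule exists, the chain policy decides. Jumps to user-defined chains
    are not followed, so a deny placed inside one is reported as missing.
    """
    for spec, target in chain.rules:
        if spec == "" and target in TERMINAL_TARGETS:
            return target in DENY_TARGETS
    return chain.policy == "DROP"


def audit(text):
    """Return {chain_name: denies_by_default} for the built-in filter chains."""
    chains = parse_ruleset(text)
    return {name: chain_denies_by_default(chains[name]) for name in BUILTIN_CHAINS}


if __name__ == "__main__":
    for name, closed in audit(SAMPLE_RULESET).items():
        verdict = "deny-all in place" if closed else "NOT in place: unmatched traffic is accepted"
        print(f"{name:8s} {verdict}")
```

Run it against a live host with `iptables -S | python3 check_deny_all.py` after swapping SAMPLE_RULESET for `sys.stdin.read()`; an OUTPUT chain that is open by policy is the usual finding for this question, since egress from the CDE is rarely restricted by default.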
Modified
p. 13 → 19
• Examine firewall and router configurations.
• Examine policies and configuration standards.
Modified
p. 13 → 20
• Examine router configuration files and router configurations.
• Examine system configuration standards.
Removed
p. 14
1.3.4 Is outbound traffic from the cardholder data environment to the Internet explicitly authorized?
• Examine firewall and router configurations.
Removed
p. 14
• Network Address Translation (NAT)
• Placing servers containing cardholder data behind proxy servers/firewalls,
• Removal or filtering of route advertisements for private networks that employ registered addressing,
• Internal use of RFC1918 address space instead of registered addresses.
Modified
p. 14 → 19
• Examine firewall and router configurations.
• Examine device configuration settings.
Removed
p. 15
1.4 (a) Is personal firewall software (or equivalent functionality) installed and active on any portable computing devices (including company and/or employee-owned) that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the CDE?
• Review policies and configuration standards.
• Examine mobile and/or employee-owned devices.
(b) Is the personal firewall software (or equivalent functionality) configured to specific configuration settings, actively running, and not alterable by users of mobile and/or employee-owned devices?
• Review policies and configuration standards.
• Examine mobile and/or employee-owned devices.
Modified
p. 15 → 20
• Known to all affected parties?
• Review security policies and operational procedures.
• Review security policies and operational procedures.
• Known to all affected parties.
Removed
p. 16
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
2.1 (a) Are vendor-supplied defaults always changed before installing a system on the network? This applies to ALL default passwords (including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, Simple Network Management Protocol (SNMP) community strings, etc.).
Removed
p. 16
Are unnecessary default accounts removed or disabled before installing a system on the network?
• Review policies and procedures.
(a) Are encryption keys changed from default at installation, and changed anytime anyone with knowledge of the keys leaves the company or changes positions?
• Review policies and procedures.
(b) Are default SNMP community strings on wireless devices changed at installation?
• Review policies and procedures.
(c) Are default passwords/passphrases on access points changed at installation?
• Review policies and procedures.
Modified
p. 16 → 21
• Observe system configurations and account settings.
• Examine system configuration standards.
Modified
p. 16 → 23
• Examine system configurations and account settings.
• Examine wireless configuration settings.
Removed
p. 17
2.1.1 (d) Is firmware on wireless devices updated to support strong encryption for authentication and transmission over wireless networks?
• Review policies and procedures.
(e) Are other security-related wireless vendor defaults changed, if applicable?
• Review policies and procedures.
Removed
p. 17
• Review system configuration standards.
(b) Are system configuration standards updated as new vulnerability issues are identified, as defined in Requirement 6.1?
• Review policies and procedures.
(c) Are system configuration standards applied when new systems are configured?
• Review policies and procedures.
Modified
p. 17 → 30
• Review vendor documentation.
• Examine configurations and/or vendor documentation.
Modified
p. 17 → 38
• Review policies and procedures.
• Examine documented policies and procedures.
Removed
p. 18
2.2 (d) Do system configuration standards include all of the following:
- Changing of all vendor-supplied defaults and elimination of unnecessary default accounts?
- Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same server?
- Enabling only necessary services, protocols, daemons, etc., as required for the function of the system?
- Implementing additional security features for any required services, protocols or daemons that are considered to be insecure?
- Configuring system security parameters to prevent misuse?
- Removing all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers?
• Review system configuration standards.
Removed
p. 18
If virtualization technologies are used, is only one primary function implemented per virtual system component or device?
• Examine system configurations.
2.2.2 (a) Are only necessary services, protocols, daemons, etc. enabled as required for the function of the system (services and protocols not directly needed to perform the device’s specified function are disabled)?
• Review configuration standards.
(b) Are all enabled insecure services, daemons, or protocols justified per documented configuration standards?
• Review configuration standards
• Compare enabled services, etc. to documented justifications.
Removed
p. 19
Are common system security parameters settings included in the system configuration standards?
• Review system configuration standards.
(c) Are security parameter settings set appropriately on system components?
• Examine system components.
Removed
p. 19
Are enabled functions documented and do they support secure configuration?
• Review documentation.
Modified
p. 19 → 57
• Examine security parameter settings.
• Examine system settings.
Modified
p. 19 → 57
• Examine security parameters on system components.
• Examine user account lists on system components and applicable documentation.
Modified
p. 19 → 58
• Compare settings to system configuration standards.
• Examine system configuration settings.
Removed
p. 20
2.2.5 (c) Is only documented functionality present on system components?
• Review documentation.
Removed
p. 20
(a) Is all non-console administrative access encrypted with strong cryptography, and is a strong encryption method invoked before the administrator’s password is requested?
• Examine system components.
(b) Are system services and parameter files configured to prevent the use of Telnet and other insecure remote login commands?
• Examine system components.
• Examine services and files.
(c) Is administrator access to web-based management interfaces encrypted with strong cryptography?
• Examine system components.
(d) For the technology in use, is strong cryptography implemented according to industry best practice and/or vendor recommendations?
• Examine system components.
Removed
p. 20
(b) Is the documented inventory kept current?
• Interview personnel.
Modified
p. 20 → 62
• Examine security parameters on system components.
• Examine network and/or system configurations.
Modified
p. 20 → 76
• Observe an administrator log on.
• Interview system administrators.
Modified
p. 20 → 76
• Observe an administrator log on.
• Interview system administrators
Modified
p. 20 → 82
• Known to all affected parties?
• Review security policies and operational procedures.
• Review security policies and operational procedures.
• Known to all affected parties.
Removed
p. 21
Requirement 3: Protect stored cardholder data
3.1 Are data-retention and disposal policies, procedures, and processes implemented as follows:
(a) Is data storage amount and retention time limited to that required for legal, regulatory, and/or business requirements?
• Review data retention and disposal policies and procedures.
(b) Are there defined processes in place for securely deleting cardholder data when no longer needed for legal, regulatory, and/or business reasons?
• Review policies and procedures.
(c) Are there specific retention requirements for cardholder data? For example, cardholder data needs to be held for X period for Y business reasons.
(d) Is there a quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention requirements?
• Review policies and procedures.
(e) Does all stored cardholder data meet the requirements defined in the data-retention policy?
• Examine files and system records.
Modified
p. 21 → 76
• Review documented business justification.
• User identification.
Modified
p. 21 → 80
• Examine deletion mechanism.
• Change-detection mechanisms.
Modified
p. 21 → 80
• Observe deletion processes.
• Observe detection and alerting processes.
Modified
p. 21 → 90
• Examine retention requirements.
• Examine segmentation controls.
Removed
p. 22
3.2 (cont.) (b) For issuers and/or companies that support issuing services and store sensitive authentication data: Is the data secured?
• Examine data stores and system configuration files.
(c) For all other entities: Is sensitive authentication data deleted or rendered unrecoverable upon completion of the authorization process?
• Review policies and procedures.
• Examine deletion processes.
(d) Do all systems adhere to the following requirements regarding non-storage of sensitive authentication data after authorization (even if encrypted):
Removed
p. 22
Note: In the normal course of business, the following data elements from the magnetic stripe may need to be retained:
• The cardholder’s name,
• Primary account number (PAN),
• Expiration date, and
• Service code
To minimize risk, store only these data elements as needed for business.
• Examine data sources including:
Removed
p. 23
3.2.2 The card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) is not stored after authorization?
• Examine data sources including:
- Database contents
3.2.3 The personal identification number (PIN) or the encrypted PIN block is not stored after authorization?
• Examine data sources including:
- Database contents
3.3 Is the PAN masked when displayed (the first six and last four digits are the maximum number of digits to be displayed) such that only personnel with a legitimate business need can see more than the first six/last four digits of the PAN? Note: This requirement does not supersede stricter requirements in place for displays of cardholder data, for example, legal or payment card brand requirements for point-of-sale (POS) receipts.
• Review roles that need access to displays …
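The 3.2 and 3.3 testing procedures above ("examine data sources including database contents", "PAN masked when displayed") describe what an assessor looks for; the following Python is an added example written for this page, not text or code from the SAQ, showing the same checks run over constructed sample records. It finds Luhn-valid PANs, track 2 strings and stored CVV values, and reports every finding masked to the first six/last four digits so the scanner output itself never becomes another store of clear-text account data. The record layout, the field names, the regular expressions and the `Finding` type are assumptions for the example; the card numbers are well-known test numbers, not real accounts.

```python
import re
from dataclasses import dataclass

# Constructed sample dump of a data store (not real data); the PANs are
# well-known test card numbers. Record 3 is a 16-digit value that fails Luhn.
SAMPLE_RECORDS = [
    "order=1001 pan=4111111111111111 exp=1226 cvv=123",
    "order=1002 pan=5500-0000-0000-0004 exp=0527",
    "order=1003 track2=;4111111111111111=12261010000000000000?",
    "order=1004 ref=1234567890123456",
    "order=1005 pan=4111 1111 1111 1111 note=kept after authorization",
]

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2 layout: ';' PAN '=' YYMM ... (assumed field layout for the example).
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})")
# A card verification value stored beside a transaction (field name is an assumption).
CVV_RE = re.compile(r"\bcv[vc]2?\s*=\s*(\d{3,4})\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that separates real PANs from other long digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form allowed by 3.3: at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    record: int   # index of the record the data was found in
    kind: str     # "PAN", "TRACK2" or "CVV"
    display: str  # masked value; the scanner never reports clear-text PAN or SAD


def scan(records):
    """Return one Finding per PAN, track 2 string or CVV found in the records.

    TRACK2 and CVV are sensitive authentication data and must not exist at all
    after authorization (3.2); a PAN may exist only within the retention policy
    (3.1) and must be masked when displayed (3.3).
    """
    findings = []
    for n, rec in enumerate(records):
        for m in TRACK2_RE.finditer(rec):
            findings.append(Finding(n, "TRACK2", mask_pan(m.group(1))))
        for _ in CVV_RE.finditer(rec):
            findings.append(Finding(n, "CVV", "***"))
        for m in CANDIDATE_RE.finditer(rec):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append(Finding(n, "PAN", mask_pan(digits)))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"record {f.record}: {f.kind} {f.display}")
```

Record 3 is reported as nothing because its 16 digits fail the Luhn check; records 0 and 2 are the ones a 3.2 assessor would flag, since a CVV and full track 2 data are present after authorization regardless of how the PAN itself is protected.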
Removed
p. 24
Note: This requirement applies in addition to all other PCI DSS encryption and key management requirements.
(a) Is logical access to encrypted file systems managed separately and independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network login credentials)?
• Examine system configurations.
(b) Are cryptographic keys stored securely (for example, stored on removable media that is adequately protected with strong access controls)?
• Interview personnel.
Modified
p. 24 → 91
• Examine data repositories.
• Examine monitored files.
Modified
p. 24 → 92
• Examine removable media.
• Examine monitored payment pages.
Removed
p. 25
3.4.1 (cont.) (c) Is cardholder data on removable media encrypted wherever stored? Note: If disk encryption is not used to encrypt removable media, the data stored on this media will need to be rendered unreadable through some other method.
Removed
p. 25
Note: This requirement applies to keys used to encrypt stored cardholder data, and also applies to key-encrypting keys used to protect data-encrypting keys. Such key-encrypting keys must be at least as strong as the data-encrypting key.
Removed
p. 25
• Within a secure cryptographic device (such as a hardware (host) security module (HSM) or PTS-approved point-of-interaction device)
Note: It is not required that public keys be stored in one of these forms.
• Review documented procedures.
Modified
p. 25 → 92
• Examine system configurations.
• Examine the mechanism configuration settings.
Removed
p. 26
3.5.4 Are cryptographic keys stored in the fewest possible locations?
• Examine key-storage locations.
Removed
p. 26
(b) This testing procedure applies only to service providers.
Are key-management processes and procedures implemented to require the following:
Removed
p. 26
• Observe key-generation procedures.
Removed
p. 26
• Observe the key-distribution method.
Removed
p. 26
• Observe the method for secure storage of keys.
Removed
p. 27
3.6.5 (a) Do cryptographic key procedures include retirement or replacement (for example, archiving, destruction, and/or revocation) of cryptographic keys when the integrity of the key has been weakened (for example, departure of an employee with knowledge of a clear-text key)?
• Review key-management procedures.
(b) Do cryptographic key procedures include replacement of known or suspected compromised keys?
• Review key-management procedures.
(c) If retired or replaced cryptographic keys are retained, are these keys only used for decryption/verification purposes, and not used for encryption operations?
• Review key-management procedures.
Removed
p. 27
• Do split knowledge procedures require that key components are under the control of at least two people who only have knowledge of their own key components?
• Do dual control procedures require that at least two people are required to perform any key management operations and no one person has access to the authentication materials (for example, passwords or keys) of another? Note: Examples of manual key management operations include, but are not limited to: key generation, transmission, loading, storage and destruction.
• Review key-management procedures.
• Interview personnel and/or.
3.6.7 Do cryptographic key procedures include the prevention of unauthorized substitution of cryptographic keys?
• Interview personnel and/or
Removed
p. 29
Requirement 4: Encrypt transmission of cardholder data across open, public networks
4.1 (a) Are strong cryptography and security protocols used to safeguard sensitive cardholder data during transmission over open, public networks? Note: Examples of open, public networks include but are not limited to the Internet; wireless technologies, including 802.11 and Bluetooth; cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA); and General Packet Radio Service (GPRS).
• Review documented standards.
• Review all locations where CHD is transmitted or received.
(b) Are only trusted keys and/or certificates accepted?
• Observe inbound and outbound transmissions.
(c) Are security protocols implemented to use only secure configurations, and to not support insecure versions or configurations?
• Examine system configurations.
(d) Is the proper encryption strength implemented for the encryption methodology in use (check vendor recommendations/best practices)?
• …
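The 4.1 questions test three properties of every link that carries cardholder data over a public network: only trusted keys and certificates are accepted (b), only secure protocol versions and configurations are offered (c), and the cipher strength matches the method in use (d). The following Python, written for this page as an added example and not taken from the SAQ, uses the standard `ssl` module to show a client configuration that would fail those questions beside a hardened one, and an audit function that reports which of the three properties a given context is missing. The cipher string, the weak-cipher name markers and the optional `ca_file` parameter are assumptions for the example.

```python
import ssl

# Cipher-name fragments that indicate an insecure configuration (4.1(c)/(d)):
# no encryption, export grades, broken algorithms, anonymous key exchange.
# This marker list is an assumption for the example, not a PCI DSS list.
WEAK_CIPHER_MARKERS = ("NULL", "EXPORT", "RC4", "MD5", "DES", "ADH", "AECDH")


def weak_client_context() -> ssl.SSLContext:
    """A configuration that accepts any key or certificate (fails 4.1(b))."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE  # the peer is never checked against a trusted CA
    return ctx


def hardened_client_context(ca_file=None) -> ssl.SSLContext:
    """A configuration that satisfies 4.1(b), (c) and (d) for a TLS client."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED and hostname check by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # no SSLv3, TLS 1.0 or TLS 1.1 (4.1(c))
    # TLS 1.2 suites limited to forward-secret AEAD ciphers (4.1(d)); TLS 1.3 suites
    # are configured separately by OpenSSL and are all acceptable.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # only this trust anchor is accepted (4.1(b))
    else:
        ctx.load_default_certs()                   # the platform's trusted CA store
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the 4.1 findings for a context; an empty list means it passes."""
    problems = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("allows TLS versions below 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("does not require a certificate from a trusted CA")
    if not ctx.check_hostname:
        problems.append("does not verify the peer hostname")
    weak = [c["name"] for c in ctx.get_ciphers()
            if any(marker in c["name"] for marker in WEAK_CIPHER_MARKERS)]
    if weak:
        problems.append("offers weak ciphers: " + ", ".join(weak))
    return problems


if __name__ == "__main__":
    print("weak:", audit_context(weak_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

The audit inspects the context object rather than a live connection, so it can run in CI against the configuration code itself; the same three checks are what an assessor applies when "examining system configurations" and "observing inbound and outbound transmissions" for 4.1(b) and (c).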
Modified
p. 29 → 91
• Examine keys and certificates.
• Examine results from monitoring activities.
Modified
p. 29 → 91
• Examine system configurations.
• Examine system settings for the change-detection mechanism.
Modified
p. 29 → 92
• Examine system configurations.
• Examine system settings and mechanism configuration settings.
Modified
p. 29 → 92
• Examine system configurations.
• Examine results from monitoring activities.
Removed
p. 30
4.1.1 Are industry best practices used to implement strong encryption for authentication and transmission for wireless networks transmitting cardholder data or connected to the cardholder data environment?
• Review documented standards.
• Review wireless networks.
Removed
p. 30
Are policies in place that state that unprotected PANs are not to be sent via end-user messaging technologies?
• Review policies and procedures.
Removed
p. 31
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
5.1 Is anti-virus software deployed on all systems commonly affected by malicious software?
• Examine system configurations.
Removed
p. 31
(a) Are all anti-virus software and definitions kept current?
• Examine policies and procedures.
• Examine anti-virus configurations, including the master installation.
(b) Are automatic updates and periodic scans enabled and being performed?
• Examine anti-virus configurations, including the master installation.
(c) Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7?
• Examine anti-virus configurations.
• Review log retention processes.
Removed
p. 32
5.3 Are all anti-virus mechanisms:
• Unable to be disabled or altered by users? Note: Anti-virus solutions may be temporarily disabled only if there is legitimate technical need, as authorized by management on a case-by-case basis. If anti-virus protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period of time during which anti-virus protection is not active.
• Examine anti-virus configurations.
Removed
p. 33
Requirement 6: Develop and maintain secure systems and applications
6.1 Is there a process to identify security vulnerabilities, including the following:
• Using reputable outside sources for vulnerability information?
• Assigning a risk ranking to vulnerabilities that includes identification of all “high” risk and “critical” vulnerabilities? Note: Risk rankings should be based on industry best practices as well as consideration of potential impact. For example, criteria for ranking vulnerabilities may include consideration of the CVSS base score and/or the classification by the vendor, and/or type of systems affected.
Methods for evaluating vulnerabilities and assigning risk ratings will vary based on an organization’s environment and risk assessment strategy. Risk rankings should, at a minimum, identify all vulnerabilities considered to be a “high risk” to the environment. In addition to the risk ranking, vulnerabilities may be considered …
Removed
p. 34
Is information security included throughout the software-development life cycle?
• Review software development processes.
(c) Are software applications developed in accordance with PCI DSS (for example, secure authentication and logging)?
• Review software development processes.
(d) Do software development processes ensure the following at 6.3.1 - 6.3.2:
Removed
p. 35
6.3.2 Is all custom code reviewed prior to release to production or customers to identify any potential coding vulnerability (using either manual or automated processes) as follows:
• Are code changes reviewed by individuals other than the originating code author, and by individuals who are knowledgeable about code review techniques and secure coding practices?
• Do code reviews ensure code is developed according to secure coding guidelines?
• Are appropriate corrections implemented prior to release?
• Are code review results reviewed and approved by management prior to release? Note: This requirement for code reviews applies to all custom code (both internal and public-facing), as part of the system development life cycle. Code reviews can be conducted by knowledgeable internal personnel or third parties. Public-facing web applications are also subject to additional controls, to …
Removed
p. 35
• Examine network documentation and network device configurations.
Is access control in place to enforce the separation between the development/test environments and the production environment?
• Review change control processes and procedures.
6.4.2 Is there separation of duties between personnel assigned to the development/test environments and those assigned to the production environment?
• Review change control processes and procedures.
Removed
p. 36
• Examine production systems.
Removed
p. 36
• Review change control processes and procedures.
Are the following performed and documented for all
6.4.5.1 Documentation of impact?
• Trace changes to change control documentation.
6.4.5.2 Documented approval by authorized parties?
• Trace changes to change control documentation.
Removed
p. 37
(b) For custom code changes, testing of updates for compliance with PCI DSS Requirement 6.5 before being deployed into production?
• Trace changes to change control documentation.
Removed
p. 37
• Observe affected systems or networks.
6.5 (a) Do software-development processes address common coding vulnerabilities?
• Review software-development policies and procedures.
(b) Are developers trained at least annually in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities?
• Examine software-development policies and procedures.
(c) Are applications developed based on secure coding guidelines to protect applications from, at a minimum, the following vulnerabilities:
Note: The vulnerabilities listed at 6.5.1 through 6.5.10 were current with industry best practices when this version of PCI DSS was published. However, as industry best practices for vulnerability management are updated (for example, the Open Web Application Security Project (OWASP) Guide, SANS CWE Top 25, CERT Secure Coding, etc.), the current best practices must be used for these requirements.
Removed
p. 38
• Examine software-development policies and procedures.
Removed
p. 39
6.5.5 Do coding techniques address improper error handling?
• Examine software-development policies and procedures.
Removed
p. 39
For web applications and application interfaces (internal or external), are applications developed based on secure coding guidelines to protect applications from the following additional vulnerabilities:
Removed
p. 40
6.6 For public-facing web applications, are new threats and vulnerabilities addressed on an ongoing basis, and are these applications protected against known attacks by applying either of the following methods?
• Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, as follows:
- At least annually
- After any changes
- By an organization that specializes in application security
- That, at a minimum, all vulnerabilities in Requirement 6.5 are included in the assessment
- That all vulnerabilities are corrected
- That the application is re-evaluated after the corrections
Note: This assessment is not the same as the vulnerability scans performed for Requirement 11.2.
• Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) as follows:
- Is situated in front of …
Removed
p. 42
Requirement 7: Restrict access to cardholder data by business need to know
7.1 Is access to system components and cardholder data limited to only those individuals whose jobs require such access, as follows:
• Is there a written policy for access control that incorporates the following?
- Defining access needs and privilege assignments for each role
- Restriction of access to privileged user IDs to least privileges necessary to perform job responsibilities
- Assignment of access based on individual personnel’s job classification and function
- Documented approval (electronically or in writing) by authorized parties for all access, including listing of specific privileges approved
• Examine written access control policy.
Removed
p. 42
• System components and data resources that each role needs to access for their job function?
• Level of privilege required (for example, user, administrator, etc.) for accessing resources?
• Examine roles and access need.
Removed
p. 42
• To least privileges necessary to perform job responsibilities?
• Assigned only to roles that specifically require that privileged access?
• Interview personnel.
• Interview management.
• Review privileged user IDs.
Removed
p. 43
7.1.4 Is documented approval by authorized parties required, specifying required privileges?
• Compare with documented approvals.
• Compare assigned privileges with documented approvals.
Modified
p. 43 → 93
• Examine configuration settings.
• Examine the information security policy.
Modified
p. 43 → 93
• Examine configuration settings.
• Examine the information security policy.
Modified
p. 43 → 95
• Examine
• Examine documented policies and procedures.
Removed
p. 44
Requirement 8: Identify and authenticate access to system components
8.1 Are policies and procedures for user identification management controls defined and in place for non-consumer users and administrators on all system components, as follows:
Removed
p. 44
• Examine privileged and general user IDs and associated authorizations.
• Observe system settings.
Removed
p. 44
• Review current access lists.
• Observe returned physical authentication devices.
Removed
p. 44
• Observe user accounts.
Removed
p. 44
Are third-party remote access accounts monitored when in use?
• Interview personnel.
Modified
p. 44 → 104
• Examine terminated users accounts.
• Examine the targeted risk analysis.
Removed
p. 45
8.1.6 (a) Are repeated access attempts limited by locking out the user ID after no more than six attempts?
• Review password procedures.
Removed
p. 45
In addition to assigning a unique ID, is one or more of the following methods employed to authenticate all users?
• Something you know, such as a password or passphrase
Removed
p. 45
• Observe password files.
• Observe data transmissions.
Modified
p. 45 → 93
• Examine system configuration settings.
• Examine the information security policy.
Modified
p. 45 → 93
• Examine system configuration settings.
• Examine the information security policy.
Modified
p. 45 → 101
• Examine system configuration settings.
• Examine list of TPSPs.
Modified
p. 45 → 101
• Review password procedures.
• Examine policies and procedures.
Modified
p. 45 → 104
• Observe authentication processes.
• Observe incident response processes.
Removed
p. 46
(b) This testing procedure applies only to service providers.
8.2.2 Is user identity verified before modifying any authentication credential (for example, performing password resets, provisioning new tokens, or generating new keys)?
• Review authentication procedures.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A Not Tested 8.2.2 Is user identity verified before modifying any authentication credential (for example, performing password resets, provisioning new tokens, or generating new keys)?
• Review authentication procedures.
Removed
p. 46
• Examine system configuration settings to verify password parameters.
Modified
p. 46 → 97
• Observe security personnel.
• Interview personnel.
Modified
p. 46 → 103
• Sample system components.
• Coverage and responses of all critical system components.
Removed
p. 47
8.3 Is all individual non-console administrative access and all remote access to the CDE secured using multi-factor authentication, as follows:
Note: Multi-factor authentication requires that a minimum of two of the three authentication methods (see PCI DSS Requirement 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered multi-factor authentication.
Removed
p. 47
• Observe administrator logging into CDE.
Removed
p. 47
• Review distribution method.
Modified
p. 47 → 99
• Observe personnel connecting remotely.
• Examine personnel acknowledgements.
Removed
p. 48
8.4 (cont.) Do authentication policies and procedures include the following?
- Guidance on selecting strong authentication credentials
- Guidance for how users should protect their authentication credentials
- Instructions not to reuse previously used passwords
- Instructions that users should change passwords if there is any suspicion the password could be compromised
Removed
p. 48
• Generic user IDs and accounts are disabled or removed;
• Shared user IDs for system administration activities and other critical functions do not exist; and
• Shared and generic user IDs are not used to administer any system components?
• Review policies and procedures.
Removed
p. 48
• Physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access
• Examine system configuration settings and/or physical controls.
Modified
p. 48 → 94
• Examine user ID lists.
• Examine acceptable use policies.
Modified
p. 48 → 97
• Review documentation provided to users.
• Examine documentation.
Removed
p. 49
8.7 Is all access to any database containing cardholder data (including access by applications, administrators, and all other users) restricted as follows:
(a) Is all user access to, user queries of, and user actions on (for example, move, copy, delete), the database through programmatic methods only (for example, through stored procedures)?
• Review database authentication policies and procedures.
• Examine database and application configuration settings.
(b) Is user direct access to or queries of databases restricted to database administrators?
• Review database authentication policies and procedures.
• Examine database application configuration settings.
(c) Are application IDs only able to be used by the applications (and not by individual users or other processes)?
• Review database authentication policies and procedures.
Modified
p. 49 → 99
• Examine database access control settings.
• Examine security awareness program content.
Modified
p. 49 → 100
• Examine database access control settings.
• Examine security awareness training content.
Modified
p. 49 → 102
• Examine
• Examine policies and procedures.
Removed
p. 50
9.1 Are appropriate facility entry controls in place to limit and monitor physical access to systems in the cardholder data environment?
• Observe physical access controls.
Removed
p. 50
• Observe physical monitoring mechanisms.
(b) Are either video cameras or access control mechanisms (or both) protected from tampering or disabling?
• Interview personnel.
(c) Is data collected from video cameras and/or access control mechanisms reviewed and correlated with other entries?
• Review policies and procedures.
(d) Is data collected from video cameras and/or access control mechanisms stored for at least three months unless otherwise restricted by law?
• Review data retention processes.
• Observe data storage.
Modified
p. 50 → 99
• Interview personnel.
• Interview applicable personnel.
Modified
p. 50 → 104
• Observe security features.
• Network security controls.
Modified
p. 50 → 105
• Interview security personnel.
• Interview personnel.
Removed
p. 51
9.1.3 Is physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines restricted?
• Review policies and procedures.
Removed
p. 51
• Observe identification methods (e.g., badges).
• Observe visitor processes.
(b) Do identification methods (such as ID badges) clearly identify visitors and easily distinguish between onsite personnel and visitors?
• Observe identification methods.
(c) Is access to the badge system limited to authorized personnel?
• Observe physical controls and access controls for the badge system.
Removed
p. 51
• Is access authorized and based on individual job function?
• Is access revoked immediately upon termination?
• Upon termination, are all physical access mechanisms, such as keys, access cards, etc., returned or disabled?
• Interview personnel.
• Compare lists of terminated employees to access control lists.
Modified
p. 51 → 94
• Observe onsite personnel.
• Interview responsible personnel.
Modified
p. 51 → 99
• Examine access control lists.
• Examine evidence of reviews.
Removed
p. 52
• Observe visitor processes.
9.4 Is visitor identification and access handled as follows:
Removed
p. 52
• Observe visitor processes including how access is controlled.
• Observe visitors and badge use.
Removed
p. 52
Do visitor badges or other identification expire?
• Observe process.
Removed
p. 52
(b) Does the visitor log contain the visitor's name, the firm represented, and the onsite personnel authorizing physical access?
• Review policies and procedures.
(c) Is the visitor log retained for at least three months?
• Review policies and procedures.
Removed
p. 52
• Review policies and procedures for physically securing media.
Modified
p. 52 → 97
• Examine the visitor log.
• Examine the inventory.
Modified
p. 52 → 99
• Examine the visitor log.
• Examine the security awareness program.
Modified
p. 52 → 102
• Examine identification.
• Examine documentation.
Modified
p. 52 → 102
• Examine identification.
• Examine documentation.
Modified
p. 52 → 103
• Examine log retention.
• Examine documentation.
Modified
p. 52 → 105
• Examine visitor log retention.
• Examine records of response actions.
Removed
p. 53
9.5.1 Is the location where media back-ups are stored reviewed at least annually to confirm storage is secure?
• Review policies and procedures for reviewing offsite media locations.
Removed
p. 53
Do controls include the following:
Removed
p. 53
Are periodic media inventories conducted at least annually?
• Examine inventory logs.
Modified
p. 53 → 103
• Examine media distribution tracking logs and documentation.
• Examine training documentation.
Modified
p. 53 → 103
• Examine media distribution tracking logs and documentation.
• Examine documentation.
Removed
p. 54
9.8 (a) Is all media destroyed when it is no longer needed for business or legal reasons?
• Review periodic media destruction policies and procedures.
(b) Is there a periodic media destruction policy that defines requirements for the following?
- Hard-copy materials must be crosscut shredded, incinerated, or pulped such that there is reasonable assurance the hard-copy materials cannot be reconstructed.
- Storage containers used for materials that are to be destroyed must be secured.
- Cardholder data on electronic media must be rendered unrecoverable (e.g., via a secure wipe program in accordance with industry-accepted standards for secure deletion, or by physically destroying the media).
• Review periodic media destruction policies and procedures.
Removed
p. 54
Are storage containers used for materials that contain information to be destroyed secured to prevent access to the contents?
• Examine security of storage containers.
Modified
p. 54 → 92
• The mechanism functions are performed as follows:
Modified
p. 54 → 93
• Examine procedures.
• Examine documented evidence.
Removed
p. 55
9.9 Are devices that capture payment card data via direct physical interaction with the card protected against tampering and substitution as follows? Note: This requirement applies to card-reading devices used in card-present transactions (that is, card swipe or dip) at the point of sale. This requirement is not intended to apply to manual key-entry components such as computer keyboards and POS keypads.
(a) Do policies and procedures require that a list of such devices be maintained?
• Review policies and procedures.
(b) Do policies and procedures require that devices are periodically inspected to look for tampering or substitution?
• Review policies and procedures.
(c) Do policies and procedures require that personnel are trained to be aware of suspicious behavior and to report tampering or substitution of devices?
• Review policies and procedures.
Removed
p. 55
(b) Is the list accurate and up to date?
• Observe devices and device locations and compare to list.
(c) Is the list of devices updated when devices are added, relocated, decommissioned, etc.?
• Interview personnel.
Modified
p. 55 → 98
• Examine the list of devices.
• Examine documented results of scope reviews.
Removed
p. 56
9.9.2 (a) Are device surfaces periodically inspected to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device) as follows? Note: Examples of signs that a device might have been tampered with or substituted include unexpected attachments or cables plugged into the device, missing or changed security labels, broken or differently colored casing, or changes to the serial number or other external markings.
• Observe inspection processes and compare to defined processes.
(b) Are personnel aware of procedures for inspecting devices?
• Interview personnel.
Removed
p. 56
• Review training materials.
Modified
p. 56 → 103
• Interview personnel.
• Interview incident response personnel.
Removed
p. 57
9.9.3 (cont.) (b) Have personnel at point-of-sale locations received training, and are they aware of procedures to detect and report attempted tampering or replacement of devices?
• Interview personnel at POS locations.
Removed
p. 57
• Known to all affected parties?
• Examine security policies and operational procedures.
Removed
p. 58
Requirement 10: Track and monitor all access to network resources and cardholder data
10.1 (a) Are audit trails enabled and active for system components?
• Interview system administrator.
(b) Is access to system components linked to individual users?
• Interview system administrator.
Modified
p. 58 → 98
• Examine audit log settings.
• Examine documented results of scope reviews.
Modified
p. 58 → 104
• Examine audit log settings.
• Examine documentation.
Removed
p. 59
10.2.6 Initialization, stopping, or pausing of the audit logs?
• Interview personnel.
Removed
p. 60
10.4 Are all critical system clocks and times synchronized through use of time synchronization technology, and is the technology kept current? Note: One example of time synchronization technology is Network Time Protocol (NTP).
• Review time configuration standards and processes.
Removed
p. 60
(a) Do only designated central time server(s) receive time signals from external sources, and are time signals from external sources based on International Atomic Time or UTC?
• Review time configuration standards and processes.
(b) Where there is more than one designated time server, do the time servers peer with each other to keep accurate time?
• Review time configuration standards and processes.
(c) Do systems receive time only from designated central time server(s)?
• Review time configuration standards and processes.
• Examine time-related system parameters.
Removed
p. 60
(a) Is access to time data restricted to only personnel with a business need to access time data?
• Examine system configurations and time-synchronization settings.
(b) Are changes to time settings on critical systems logged, monitored, and reviewed?
• Examine system configurations and time-synchronization settings and logs.
Modified
p. 60 → 99
• Examine time-related system parameters.
• Examine security awareness program records.
Modified
p. 60 → 105
• Examine time-related system parameters.
• Examine documented incident response procedures.
Removed
p. 61
Are time settings received from specific, industry-accepted time sources? (This is to prevent a malicious individual from changing the clock.)
Optionally, those updates can be encrypted with a symmetric key, and access control lists can be created that specify the IP addresses of client machines that will be provided with the time updates (to prevent unauthorized use of internal time servers).
Removed
p. 61
Are logs for external-facing technologies (for example, wireless, firewalls, DNS, mail) written onto a secure, centralized, internal log server or media?
• Interview system administrators.
10.5.5 Is file-integrity monitoring or change-detection software used on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert)?
• Examine settings, monitored files, and results from monitoring activities.
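Requirement 10.5.5 above calls for change detection on log files that tolerates normal appends but alerts when existing log data is altered or removed. The following is an added example of how such an append-tolerant check can be implemented; it is not part of either SAQ and not a PCI SSC artifact. The baseline records how many bytes have been protected and a SHA-256 over exactly those bytes; on each check the protected prefix is re-hashed. The sample log lines are constructed for the example and do not come from a real system.

```python
"""Append-only change detection for log files (illustrating PCI DSS v3.2.1
Requirement 10.5.5): existing log data must not change without an alert,
while new data appended to the log must not raise one.

Design: a baseline is (protected_length, sha256(first protected_length bytes)).
On a check, the first protected_length bytes are re-hashed.
  - file shorter than protected_length      -> "truncated" (alert)
  - prefix hash differs                     -> "modified"  (alert)
  - same length, prefix intact              -> "unchanged"
  - longer, prefix intact                   -> "appended"  (no alert, baseline advances)
The baseline is advanced only for "unchanged"/"appended", so a tampered file is
not silently re-accepted on the next run. For very large logs, keep a running
hashlib state across checks instead of re-hashing the whole prefix each time.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    length: int   # number of bytes covered by the baseline
    digest: str   # SHA-256 (hex) of exactly those bytes


def take_baseline(data: bytes) -> Baseline:
    """Record the current content as the protected prefix."""
    return Baseline(len(data), hashlib.sha256(data).hexdigest())


def check(data: bytes, base: Baseline) -> tuple[str, Baseline]:
    """Compare current content against the baseline; return (verdict, baseline)."""
    if len(data) < base.length:
        return "truncated", base
    if hashlib.sha256(data[: base.length]).hexdigest() != base.digest:
        return "modified", base
    if len(data) == base.length:
        return "unchanged", base
    return "appended", take_baseline(data)


def check_file(path: str, base: Baseline) -> tuple[str, Baseline]:
    """Same check, reading the log file from disk."""
    with open(path, "rb") as fh:
        return check(fh.read(), base)


ALERT_VERDICTS = {"truncated", "modified"}

# Constructed sample log lines for the demonstration (not from a real system).
SAMPLE_LOG = [
    b"2024-03-01T10:00:00Z host1 sshd[101]: Accepted publickey for alice from 10.0.0.5\n",
    b"2024-03-01T10:00:07Z host1 sudo: alice : COMMAND=/usr/bin/systemctl restart nginx\n",
]


def demo() -> list[str]:
    """Walk through append, in-place edit, deletion and no-change; return verdicts."""
    verdicts = []
    data = b"".join(SAMPLE_LOG)
    base = take_baseline(data)

    # 1. Normal operation: the log grows by one line -> no alert.
    data += b"2024-03-01T10:01:00Z host1 sshd[102]: Failed password for root from 203.0.113.9\n"
    verdict, base = check(data, base)
    verdicts.append(verdict)

    # 2. Tampering: an existing line is rewritten in place -> alert.
    tampered = data.replace(b"Failed password for root", b"Accepted password for bob")
    verdict, _ = check(tampered, base)
    verdicts.append(verdict)

    # 3. Tampering: the most recent line is deleted -> alert.
    verdict, _ = check(b"".join(SAMPLE_LOG), base)
    verdicts.append(verdict)

    # 4. Nothing happened since the last check -> no alert.
    verdict, base = check(data, base)
    verdicts.append(verdict)
    return verdicts


if __name__ == "__main__":
    for v in demo():
        print(("ALERT " if v in ALERT_VERDICTS else "ok    ") + v)
```

Log rotation is the operational edge case: a rotated file legitimately shrinks, so a rotation must re-baseline the new file (and the archived copy should be protected separately) rather than being treated as a truncation alert.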
Removed
p. 62
• Review security policies and procedures.
Are the above logs and security events reviewed at least daily?
• Interview personnel.
Removed
p. 62
• based on the organization’s policies and risk management strategy?
• Review security policies and procedures.
Are reviews of all other system components performed in accordance with organization’s policies and risk management strategy?
• Review risk assessment documentation.
10.6.3 (a) Are written policies and procedures defined for following up on exceptions and anomalies identified during the review process?
• Review security policies and procedures.
Is follow up to exceptions and anomalies performed?
• Interview personnel.
Removed
p. 63
Are audit logs retained for at least one year?
• Interview personnel.
(c) Are at least the last three months’ logs immediately available for analysis?
• Interview personnel.
Removed
p. 64
Requirement 11: Regularly test security systems and processes
11.1 (a) Are processes implemented for detection and identification of both authorized and unauthorized wireless access points on a quarterly basis? Note: Methods that may be used in the process include, but are not limited to, wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS.
Whichever methods are used, they must be sufficient to detect and identify any unauthorized devices.
(b) Does the methodology detect and identify any unauthorized wireless access points, including at least the following?
- WLAN cards inserted into system components;
- Portable or mobile devices attached to system components to create a wireless access point (for example, by USB, etc.); and
- Wireless devices attached to a network port or network device.
(c) If wireless scanning is utilized …
Modified
p. 64 → 94
• Evaluate the methodology.
• Acceptable uses of the technology.
Removed
p. 65
11.1.2 (a) Does the incident response plan define and require a response in the event that an unauthorized wireless access point is detected?
• Examine incident response plan (see Requirement 12.10).
• Inspect recent wireless scans and related responses.
Removed
p. 65
Note: Multiple scan reports can be combined for the quarterly scan process to show that all systems were scanned and all applicable vulnerabilities have been addressed. Additional documentation may be required to verify non-remediated vulnerabilities are in the process of being addressed.
For initial PCI DSS compliance, it is not required that four quarters of passing scans be completed if the assessor verifies 1) the most recent scan result was a passing scan, 2) the entity has documented policies and procedures requiring quarterly scanning, and 3) vulnerabilities noted in the scan results have been corrected as shown in a re-scan(s). For subsequent years after the initial PCI DSS review, four quarters of passing scans must have occurred.
Modified
p. 65 → 104
• Interview responsible personnel.
• Detection of unauthorized wireless access points.
Removed
p. 66
11.2.1 (a) Are quarterly internal vulnerability scans performed?
• Review scan reports.
(b) Does the quarterly internal scan process address all "high risk" vulnerabilities and include rescans to verify all "high-risk" vulnerabilities (as defined in PCI DSS Requirement 6.1) are resolved?
• Review scan reports.
(c) Are quarterly internal scans performed by a qualified internal resource(s) or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)?
• Interview personnel.
Removed
p. 66
• Review results from the four most recent quarters of external vulnerability scans.
(b) Do external quarterly scan and rescan results satisfy the ASV Program Guide requirements for a passing scan (for example, no vulnerabilities rated 4.0 or higher by the CVSS, and no automatic failures)?
• Review results of each external quarterly scan and rescan.
(c) Are quarterly external vulnerability scans performed by a PCI SSC Approved Scanning Vendor (ASV)?
• Review results of each external quarterly scan and rescan.
11.2.3 (a) Are internal and external scans, and rescans as needed, performed after any significant change? Note: Scans must be performed by qualified personnel.
• Examine and correlate change control documentation and scan reports.
(b) Does the scan process include rescans until:
- For external scans, no vulnerabilities exist that are scored 4.0 or higher by the CVSS, - For …
Removed
p. 67
• Includes coverage for the entire CDE perimeter and critical systems
• Includes testing from both inside and outside the network
• Includes testing to validate any segmentation and scope-reduction controls
• Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
• Defines network-layer penetration tests to include components that support network functions as well as operating systems
• Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
• Specifies retention of penetration testing results and remediation activities results
Modified
p. 67 → 100
• Examine penetration-testing methodology.
• Examine security awareness training content.
Modified
p. 67 → 100
• Interview responsible personnel.
• Interview responsible Human Resource department management personnel.
Removed
p. 68
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A Not Tested 11.3.1 (a) Is external penetration testing performed per the defined methodology, at least annually, and after any significant infrastructure or application changes to the environment (such as an operating system upgrade, a sub-network added to the environment, or an added web server)?
• Examine scope of work.
(b) Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)?
• Interview responsible personnel.
Removed
p. 68
• Examine results from the most recent internal penetration test.
Removed
p. 69
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A Not Tested If segmentation is used to isolate the CDE from other networks:
(a) Are penetration-testing procedures defined to test all segmentation methods, to confirm they are operational and effective, and isolate all out-of-scope systems from systems in the CDE?
• Examine segmentation controls.
(b) Does penetration testing to verify segmentation controls meet the following?
- Performed at least annually and after any changes to segmentation controls/methods.
- Covers all segmentation controls/methods in use.
- Verifies that segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.
• Examine results from the most recent penetration test.
(c) Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)?
• Interview responsible personnel.
PCI DSS Question Expected Testing Response …
Removed
p. 70
- At the perimeter of the cardholder data environment, and - At critical points in the cardholder data environment.
(b) Are intrusion-detection and/or intrusion-prevention techniques configured to alert personnel of suspected compromises?
• Examine system configurations.
(c) Are all intrusion-detection and prevention engines, baselines, and signatures kept up-to-date?
• Examine IDS/IPS configurations.
Removed
p. 70
• Application executables
• Configuration and parameter files
• Centrally stored, historical or archived, log, and audit files
• Additional critical files determined by entity (for example, through risk assessment or other means)
• Observe system settings and monitored files.
Modified
p. 70 → 103
• Examine vendor documentation.
• Examine the incident response plan.
Removed
p. 71
• Known to all affected parties?
• Examine security policies and operational procedures.
• Observe system settings and monitored files.
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A Not Tested 11.5 (cont.) (b) Is the change-detection mechanism configured to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files or content files, and do the tools perform critical file comparisons at least weekly? Note: For change detection purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. Change detection mechanisms such as file-integrity monitoring products usually come pre-configured with critical files for the related operating system. Other critical files, such as those for custom applications, must be evaluated and defined by the entity (that is the merchant or service provider).
• Review results from monitoring …
Removed
p. 72
Requirement 12: Maintain a policy that addresses information security for all personnel
Note: For the purposes of Requirement 12, “personnel” refers to full-time part-time employees, temporary employees and personnel, and contractors and consultants who are “resident” on the entity’s site or otherwise have access to the company’s site cardholder data environment.
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A Not Tested 12.1 Is a security policy established, published, maintained, and disseminated to all relevant personnel?
• Review the information security policy.
Removed
p. 72
- Identifies critical assets, threats, and vulnerabilities, and
- Results in a formal, documented analysis of risk?
Examples of risk assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP 800-30.
• Review annual risk assessment process.
(b) Is the risk assessment process performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.)?
• Review risk assessment documentation.
Removed
p. 72
Note: Examples of critical technologies include, but are not limited to, remote access and wireless technologies, laptops, tablets, removable electronic media, e-mail usage and Internet usage.
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A Not Tested 12.3.1 Explicit approval by authorized parties to use the technologies?
• Review usage policies.
Removed
p. 74
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A Not Tested 12.3.10 (a) For personnel accessing cardholder data via remote-access technologies, does the policy specify the prohibition of copying, moving, and storage of cardholder data onto local hard drives and removable electronic media, unless explicitly authorized for a defined business need? Where there is an authorized business need, the usage policies must require the data be protected in accordance with all applicable PCI DSS Requirements.
• Review usage policies.
(b) For personnel with proper authorization, does the policy require the protection of cardholder data in accordance with PCI DSS Requirements?
• Review usage policies.
Removed
p. 74
• Interview a sample of responsible personnel.
(b) Are the following information security management responsibilities formally assigned to an individual or team:
Removed
p. 75
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A Not Tested 12.5.4 Administering user accounts, including additions, deletions, and modifications?
• Review information security policy and procedures.
Removed
p. 75
• Review security awareness program procedures.
• Review security awareness program attendance records.
(b) Are personnel educated upon hire and at least annually?
• Examine security awareness program procedures and documentation.
(c) Have employees completed awareness training and are they aware of the importance of cardholder data security?
• Interview personnel.
Modified
p. 75 → 99
• Review security awareness program.
• Examine the security awareness program materials.
Removed
p. 76
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A Not Tested 12.7 Are potential personnel (see definition of “personnel” above) screened prior to hire to minimize the risk of attacks from internal sources? Examples of background checks include previous employment history, criminal record, credit history and reference checks.
• Interview Human Resource department management.
Modified
p. 76 → 93
• Review list of service providers.
• Reviewed at least once every 12 months.
Modified
p. 76 → 100
Applicability Notes For those potential personnel to be hired for positions such as store cashiers, who only have access to one card number at a time when facilitating a transaction, this requirement is a recommendation only.
Modified
p. 76 → 101
• Observe written agreements.
• Examine written agreements with TPSPs.
Removed
p. 77
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A Not Tested 12.8.3 Is there an established process for engaging service providers, including proper due diligence prior to engagement?
• Review policies and procedures and supporting documentation.
Removed
p. 78
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A Not Tested 12.10 Has an incident response plan been implemented in preparation to respond immediately to a system breach, as follows:
(b) Does the plan address the following, at a minimum:
- Data backup processes?
• Review incident response plan procedures.
- Coverage and responses of all critical system components?
• Review incident response plan procedures.
- Reference or inclusion of incident response procedures from the payment brands?
• Review incident response plan procedures.
Modified
p. 78 → 103
• Review incident response plan procedures.
• Roles, responsibilities, and communication and contact strategies in the event of a suspected or confirmed security incident, including notification of payment brands and acquirers, at a minimum.
Modified
p. 78 → 103
• Review incident response plan procedures.
• Reference or inclusion of incident response procedures from the payment brands.
Modified
p. 78 → 103
• Review incident response plan
• Business recovery and continuity procedures.
Modified
p. 78 → 103
• Review incident response plan procedures.
• Analysis of legal requirements for reporting compromises.
Modified
p. 78 → 104
• Review incident response plan procedures.
• Examine the security incident response plan.
Removed
p. 79
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A Not Tested 12.10.3 Are specific personnel designated to be available on a 24/7 basis to respond to alerts?
• Interview responsible personnel.
Modified
p. 80 → 106
A2.1.1 Where POS POI terminals at the merchant or payment acceptance location use SSL and/or early TLS, the entity confirms the devices are not susceptible to any known exploits for those protocols.
Modified
p. 80 → 106
Applicability Notes This requirement is intended to apply to the entity with the POS POI terminal, such as a merchant. This requirement is not intended for service providers who serve as the termination or connection point to those POS POI terminals. Requirements A2.1.2 and A2.1.3 apply to POS POI service providers.
Modified
p. 80 → 106
• Review documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS.
• Examine documentation (for example, vendor documentation, system/network configuration details) that verifies the devices are not susceptible to any known exploits for SSL/early TLS.
Modified
p. 80 → 106
A2.1.2 Additional requirement for service providers only.
Modified
p. 80 → 106
A2.1.3 Additional requirement for service providers only.
Modified
p. 81 → 108
Note: Only companies that have undertaken a risk analysis and have legitimate technological or documented business constraints can consider the use of compensating controls to achieve compliance.
Note: Only entities that have a legitimate and documented technological or business constraint can consider the use of compensating controls to achieve compliance.
Modified
p. 81 → 108
Refer to Appendices B, C, and D of PCI DSS for information about compensating controls and guidance on how to complete this worksheet.
Refer to Appendices B and C in PCI DSS for information about compensating controls and guidance on how to complete this worksheet.
Modified
p. 81 → 108
1. Constraints List constraints precluding compliance with the original requirement.
1. Constraints Document the legitimate technical or business constraints precluding compliance with the original requirement.
Modified
p. 81 → 108
3. Objective Define the objective of the original control.
Modified
p. 81 → 108
4. Identified Risk Identify any additional risk posed by the lack of the original control.
Modified
p. 81 → 108
2. Definition of Compensating Controls Define the compensating controls: explain how they address the objectives of the original control and the increased risk, if any.
Modified
p. 81 → 108
6. Maintenance Define process and controls in place to maintain compensating controls.
6. Maintenance Define process(es) and controls in place to maintain compensating controls.
Modified
p. 82 → 109
Requirement Reason Requirement is Not Applicable 3.4 Cardholder data is never stored electronically
Requirement Reason Requirement is Not Applicable
Modified
p. 83 → 110
Requirement Describe which part(s) of the requirement was not tested Describe why requirements were not tested
Requirement Description of Requirement(s) Not Tested Describe why Requirement(s) was Excluded from the Assessment
Modified
p. 83 → 110
Requirement 12 Requirement 12.2 was the only requirement tested. All other requirements from Requirement 12 were excluded.
Requirement 10 No requirements from Requirement 10 were tested.
Removed
p. 84
An entity submitting this form with a status of Non-Compliant may be required to complete the Action Plan in Part 4 of this document. Check with your acquirer or the payment brand(s) before completing Part 4.
Compliant but with Legal exception: One or more requirements are marked “No” due to a legal restriction that prevents the requirement from being met. This option requires additional review from acquirer or payment brand.
If checked, complete the following:
I have confirmed with my payment application vendor that my payment system does not store sensitive authentication data after authorization.
I have read the PCI DSS and I recognize that I must maintain PCI DSS compliance, as applicable to my environment, at all times.
If my environment changes, I recognize I must reassess my environment and implement any additional PCI DSS requirements that apply.
Modified
p. 84 → 111
Section 3: Validation and Attestation Details Part 3. PCI DSS Validation This AOC is based on results noted in SAQ D (Section 2), dated (SAQ completion date).
Section 3: Validation and Attestation Details Part 3. PCI DSS Validation This AOC is based on results noted in SAQ D (Section 2), dated (Self-assessment completion date YYYY-MM-DD).
Modified
p. 84 → 111
Based on the results documented in the SAQ D noted above, the signatories identified in Parts 3b-3d, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document: (check one):
Based on the results documented in the SAQ D noted above, each signatory identified in any of Parts 3b-3d, as applicable, assert(s) the following compliance status for the merchant identified in Part 2 of this document.
Modified
p. 84 → 111
Compliant: All sections of the PCI DSS SAQ are complete, all questions answered affirmatively, resulting in an overall COMPLIANT rating; thereby (Merchant Company Name) has demonstrated full compliance with the PCI DSS.
Compliant: All sections of the PCI DSS SAQ are complete, and all assessed requirements are marked as being either 1) In Place, 2) In Place with CCW, or 3) Not Applicable, resulting in an overall COMPLIANT rating; thereby (Merchant Company Name) has demonstrated compliance with all PCI DSS requirements included in this SAQ except those noted as Not Tested above.
Modified
p. 84 → 111
Non-Compliant: Not all sections of the PCI DSS SAQ are complete, or not all questions are answered affirmatively, resulting in an overall NON-COMPLIANT rating, thereby (Merchant Company Name) has not demonstrated full compliance with the PCI DSS.
Non-Compliant: Not all sections of the PCI DSS SAQ are complete, or one or more requirements are marked as Not in Place, resulting in an overall NON-COMPLIANT rating, thereby (Merchant Company Name) has not demonstrated compliance with the PCI DSS requirements included in this SAQ.
Modified
p. 84 → 111
Affected Requirement Details of how legal constraint prevents requirement being met Part 3a. Acknowledgement of Status Signatory(s) confirms:
Affected Requirement Details of how legal constraint prevents requirement from being met
Modified
p. 84 → 112
(Select all that apply)
Modified
p. 84 → 112
PCI DSS Self-Assessment Questionnaire D, Version (version of SAQ), was completed according to the instructions therein.
PCI DSS Self-Assessment Questionnaire D, Version 4.0 was completed according to the instructions therein.
Modified
p. 84 → 112
All information within the above-referenced SAQ and in this attestation fairly represents the results of my assessment in all material respects.
All information within the above-referenced SAQ and in this attestation fairly represents the results of the merchant’s assessment in all material respects.
Removed
p. 85
ASV scans are being completed by the PCI SSC Approved Scanning Vendor (ASV Name).
Modified
p. 85 → 112
Part 3b. Merchant Attestation Signature of Merchant Executive Officer Date:
Part 3b. Merchant Attestation Signature of Merchant Executive Officer Date: YYYY-MM-DD Merchant Executive Officer Name: Title:
Modified
p. 85 → 112
Part 3c. Qualified Security Assessor (QSA) Acknowledgement (if applicable) If a QSA was involved or assisted with this assessment, describe the role performed:
Part 3c. Qualified Security Assessor (QSA) Acknowledgement If a QSA was involved or assisted with this assessment, indicate the role performed:
Modified
p. 85 → 112
Signature of Duly Authorized Officer of QSA Company Date:
Signature of Duly Authorized Officer of QSA Company Date: YYYY-MM-DD Duly Authorized Officer Name: QSA Company:
Modified
p. 85 → 112
Part 3d. Internal Security Assessor (ISA) Involvement (if applicable) If an ISA(s) was involved or assisted with this assessment, identify the ISA personnel and describe the role performed:
Part 3d. PCI SSC Internal Security Assessor (ISA) Involvement If an ISA(s) was involved or assisted with this assessment, indicate the role performed:
Removed
p. 86
Check with the applicable payment brand(s) before completing Part 4.
PCI DSS Requirement Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO 1 Install and maintain a firewall configuration to protect cardholder data.
Do not use vendor-supplied defaults for system passwords and other security parameters.
Removed
p. 86
Appendix A2 Additional PCI DSS Requirements for Entities using SSL/Early TLS for Card-Present POS POI Terminal Connections.