Document Comparison
PCI_DSS_v3-1_SAQ_B-IP_rev1-1.pdf
→
PCI-DSS-v3_2-SAQ-B_IP.pdf
Similarity: 86%
Pages: 37 → 37
Words: 8955 → 8685
Content Changes: 53
Content Changes
53 content changes. 27 administrative changes (dates, page numbers) hidden.
Added
p. 14
Note: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed.
Added
p. 17
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 4.1 (a) Are strong cryptography and security protocols used to safeguard sensitive cardholder data during transmission over open, public networks? Note: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed.
Added
p. 22
Review password procedures Interview personnel Observe processes (b) Are third party remote access accounts monitored when in use? Interview personnel Observe processes 8.3 Is all individual non-console administrative access and all remote access to the CDE secured using multi-factor authentication, as follows:
Added
p. 31
Appendix A2: Additional PCI DSS Requirements for Entities using SSL/early TLS
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A A2.1 For POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS:
Are the devices confirmed to not be susceptible to any known exploits for SSL/early TLS Is there a formal Risk Mitigation and Migration Plan in place per Requirement A2.2? Review documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS A2.2 Is there a formal Risk Mitigation and Migration Plan in place for all implementations that use SSL and/or early TLS (other than as allowed in A2.1), that includes:
Description of usage, including; what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, type …
Added
p. 35
Section 3: Validation and Attestation Details Part 3. PCI DSS Validation This AOC is based on results noted in SAQ B-IP (Section 2), dated (SAQ completion date).
Modified
p. 4
Your company uses only standalone, PTS-approved point-of-interaction (POI) devices (excludes SCRs) connected via IP to your payment processor to take your customers’ payment card information; The standalone IP-connected POI devices are validated to the PTS POI program as listed on the PCI SSC website (excludes SCRs); The standalone IP-connected POI devices are not connected to any other systems within your environment (this can be achieved via network segmentation to isolate POI devices from other systems); The …
Your company uses only standalone, PTS-approved point-of-interaction (POI) devices (excludes SCRs) connected via IP to your payment processor to take your customers’ payment card information; The standalone IP-connected POI devices are validated to the PTS POI program as listed on the PCI SSC website (excludes SCRs); The standalone IP-connected POI devices are not connected to any other systems within your environment (this can be achieved via network segmentation to isolate POI devices from other systems); The …
Modified
p. 4
Section 1 (Part 1 & 2 of the AOC)
• Assessment Information and Executive Summary.
Section 1 (Parts 1 & 2 of the AOC)
• Assessment Information and Executive Summary.
Modified
p. 4
5. Submit the SAQ and Attestation of Compliance, along with any other requested documentation, such as ASV scan reports, to your acquirer, payment brand or other requester.
5. Submit the SAQ and Attestation of Compliance (AOC), along with any other requested documentation, such as ASV scan reports, to your acquirer, payment brand or other requester.
Removed
p. 7
ISA Name(s) (if applicable): Title:
Modified
p. 9
Merchant uses only standalone, PTS-approved point-of-interaction (POI) devices (excludes SCRs) connected via IP to merchant’s payment processor to take customers’ payment card information; The standalone IP-connected POI devices are validated to the PTS POI program as listed on the PCI SSC website (excludes SCRs); The standalone IP-connected POI devices are not connected to any other systems within the merchant environment (this can be achieved via network segmentation to isolate POI devices from other systems); The only transmission of cardholder data …
Merchant uses only standalone, PTS-approved point-of-interaction (POI) devices (excludes SCRs) connected via IP to merchant’s payment processor to take customers’ payment card information; The standalone IP-connected POI devices are validated to the PTS POI program as listed on the PCI SSC website (excludes SCRs); The standalone IP-connected POI devices are not connected to any other systems within the merchant environment (this can be achieved via network segmentation to isolate POI devices from other systems); The only transmission of cardholder data …
Modified
p. 10
Compare firewall configuration standards to current network diagram 1.1.6 (a) Do firewall and router configuration standards include a documented list of services, protocols, and ports, including business justification (for example, hypertext transfer protocol (HTTP), Secure Sockets Layer (SSL), Secure Shell (SSH), and Virtual Private Network (VPN) protocols)? Review firewall and router configuration
Compare firewall configuration standards to current network diagram 1.1.6 (a) Do firewall and router configuration standards include a documented list of services, protocols, and ports, including business justification and approval for each? Review firewall and router configuration
Modified
p. 11
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A (b) Are all insecure services, protocols, and ports identified, and are security features documented and implemented for each identified service? Note: Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP.
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A (b) Are all insecure services, protocols, and ports identified, and are security features documented and implemented for each identified service? Review firewall and router configuration Examine firewall and router configurations 1.2 Do firewall and router configurations restrict connections between untrusted networks and any system in the cardholder data environment as follows:
Modified
p. 12
(For example, block traffic originating from the internet with an internal address) Examine firewall and router configurations 1.3.5 Is outbound traffic from the cardholder data environment to the Internet explicitly authorized?
(For example, block traffic originating from the internet with an internal address) Examine firewall and router configurations 1.3.4 Is outbound traffic from the cardholder data environment to the Internet explicitly authorized?
Modified
p. 12
Examine firewall and router configurations 1.3.6 Is stateful inspection, also known as dynamic packet filtering, implemented, that is, only established connections are allowed into the network? Examine firewall and router configurations
Examine firewall and router configurations 1.3.5 Are only established connections permitted into the network? Examine firewall and router configurations
Modified
p. 13
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 2.1 (a) Are vendor-supplied defaults always changed before installing a system on the network? This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, Simple Network Management Protocol (SNMP) community strings, etc.).
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 2.1 (a) Are vendor-supplied defaults always changed before installing a system on the network? This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, Simple Network Management Protocol (SNMP) community strings, etc.).
Removed
p. 14
Use technologies such as SSH, VPN, or TLS for web-based management and other non-console administrative access.
Note: SSL and early TLS are not considered strong cryptography and cannot be used as a security control after 30th June, 2016. Prior to this date, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place.
Effective immediately, new implementations must not use SSL or early TLS.
POS POI terminals (and the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any known exploits for SSL and early TLS may continue using these as a security control after 30th June, 2016.
Modified
p. 14
Review policies and procedures Review vendor documentation Examine system configurations (e) Are other security-related wireless vendor defaults changed, if applicable? Review policies and procedures Review vendor documentation Examine system configurations 2.3 Is non-console administrative access encrypted as follows:
Review policies and procedures Review vendor documentation Examine system configurations (e) Are other security-related wireless vendor defaults changed, if applicable? Review policies and procedures Review vendor documentation Examine system configurations 2.3 Is non-console administrative access, including web-based access, encrypted as follows:
Modified
p. 14
Examine system components Examine system configurations Observe an administrator log on (b) Are system services and parameter files configured to prevent the use of Telnet and other insecure remote login commands? Examine system components Examine services and files
Examine system components Examine system configurations Observe an administrator log on (b) Are system services and parameter files configured to prevent the use of Telnet and other insecure remote login commands?
Removed
p. 15
Is there documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies the devices are not susceptible to any known exploits for SSL/early TLS? Review documentation that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS (f) For all other environments using SSL and/or early TLS:
Does the documented Risk Mitigation and Migration Plan include the following? Description of usage, including; what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, type of environment; Risk assessment results and risk reduction controls in place; Description of processes to monitor for new vulnerabilities associated with SSL/early TLS; Description of change control processes that are implemented to ensure SSL/early TLS is not implemented into new environments; Overview of migration project plan including target migration completion date no later than 30th June 2016.
Review Risk Mitigation and …
Modified
p. 15 → 14
Examine system components Examine services and files (c) Is administrator access to web-based management interfaces encrypted with strong cryptography?
Modified
p. 15 → 14
Examine system components Observe an administrator log on (d) For the technology in use, is strong cryptography implemented according to industry best practice and/or vendor recommendations? Examine system components Review vendor documentation Interview personnel (e) For POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS and for which the entity asserts are not susceptible to any known exploits for those protocols:
Examine system components Observe an administrator log on (d) For the technology in use, is strong cryptography implemented according to industry best practice and/or vendor recommendations? Examine system components Review vendor documentation Interview personnel
Modified
p. 17 → 16
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 3.2.2 The card verification code or value (three-digit or four- digit number printed on the front or back of a payment card) is not stored after authorization? Examine data sources including:
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 3.2.2 The card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) is not stored after authorization? Examine data sources including:
Modified
p. 17 → 16
Incoming transaction data All logs History files Trace files Database schema Database contents 3.3 Is the PAN masked when displayed (the first six and last four digits are the maximum number of digits to be displayed) such that only personnel with a legitimate business need can see the full PAN? Note: This requirement does not supersede stricter requirements in place for displays of cardholder data, for example, legal or payment card brand requirements for …
Incoming transaction data All logs History files Trace files Database schema Database contents 3.3 Is the PAN masked when displayed (the first six and last four digits are the maximum number of digits to be displayed) such that only personnel with a legitimate business need can see more than the first six/last four digits of the PAN? Note: This requirement does not supersede stricter requirements in place for displays of cardholder data, for example, legal …
Removed
p. 18
Note: SSL and early TLS are not considered strong cryptography and cannot be used as a security control after 30th June, 2016. Prior to this date, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place.
Effective immediately, new implementations must not use SSL or early TLS.
POS POI terminals (and the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any known exploits for SSL and early TLS may continue using these as a security control after 30th June, 2016.
Modified
p. 18 → 17
Examples of open, public networks include but are not limited to the Internet; wireless technologies, including 802.11 and Bluetooth; cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA); and General Packet Radio Service (GPRS).
Modified
p. 18 → 17
Examine system configurations (d) Is the proper encryption strength implemented for the encryption methodology in use (check vendor recommendations/best practices)? Review vendor documentation Examine system configurations
Examine system configurations (d) Is the proper encryption strength implemented for the encryption methodology in use (check vendor recommendations/best practices)?
Removed
p. 19
Review Risk Mitigation and Migration
Removed
p. 19
Examine system configurations (f) For POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS and for which the entity asserts are not susceptible to any known exploits for those protocols: Is there documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies the devices are not susceptible to any known exploits for SSL/early TLS?
Review documentation that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS (g) For all other environments using SSL and/or early Does the documented Risk Mitigation and Migration Plan include the following? Description of usage, including; what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, type of environment; Risk assessment results and risk reduction controls in place; Description of processes to monitor for new vulnerabilities associated with SSL/early TLS; Description …
Modified
p. 19 → 17
Review vendor documentation Examine system configurations (e) For TLS implementations, is TLS enabled whenever cardholder data is transmitted or received? For example, for browser-based implementations:
Modified
p. 20 → 18
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 4.1.1 Are industry best practices (for example, IEEE 802.11i) used to implement strong encryption for authentication and transmission for wireless networks transmitting cardholder data or connected to the cardholder data environment? Note: The use of WEP as a security control is prohibited.
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 4.1.1 Are industry best practices used to implement strong encryption for authentication and transmission for wireless networks transmitting cardholder data or connected to the cardholder data environment?
Modified
p. 21 → 19
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 6.1 Is there a process to identify security vulnerabilities, including the following: Using reputable outside sources for vulnerability information? Assigning a risk ranking to vulnerabilities that includes identification of all “high” risk and “critical” vulnerabilities? Note: Risk rankings should be based on industry best practices as well as consideration of potential impact. For example, criteria for ranking vulnerabilities may include consideration of the …
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 6.1 Is there a process to identify security vulnerabilities, including the following: Using reputable outside sources for vulnerability information? Assigning a risk ranking to vulnerabilities that includes identification of all “high” risk and “critical” vulnerabilities? Note: Risk rankings should be based on industry best practices as well as consideration of potential impact. For example, criteria for ranking vulnerabilities may include consideration …
Modified
p. 21 → 19
Review policies and procedures Interview personnel Observe processes 6.2 (a) Are all system components and software protected from known vulnerabilities by installing applicable vendor-supplied security patches?
Review policies and procedures Interview personnel Observe processes 6.2 (a) Are all system components and software protected from known vulnerabilities by installing applicable vendor-supplied security patches? Review policies and procedures
Modified
p. 21 → 20
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A (b) Are critical security patches installed within one month of release? Note: Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1.
Modified
p. 22 → 21
Examine written access control policy Interview personnel Interview management Review privileged user IDs 7.1.3 Are access assigned based on individual personnel’s job classification and function? Examine written access control policy Interview management Review user IDs
Examine written access control policy Interview personnel Interview management Review privileged user IDs 7.1.3 Is access assigned based on individual personnel’s job classification and function? Examine written access control policy Interview management Review user IDs
Removed
p. 23
Review password procedures Interview personnel Observe processes (b) Are vendor remote access accounts monitored when in use?
Examples of two-factor technologies include remote authentication and dial-in service (RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens; and other technologies that facilitate two-factor authentication.
Modified
p. 23 → 22
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 8.1.5 (a) Are accounts used by vendors to access, support, or maintain system components via remote access enabled only during the time period needed and disabled when not in use?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 8.1.5 (a) Are accounts used by third parties to access, support, or maintain system components via remote access enabled only during the time period needed and disabled when not in use?
Modified
p. 23 → 22
Note: Multi-factor authentication requires that a minimum of two of the three authentication methods (see PCI DSS Requirement 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered multi-factor authentication.
Modified
p. 24 → 23
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 9.1.2 Are physical and/or logical controls in place to restrict access to publicly accessible network jacks? For example, network jacks located in public areas and areas accessible to visitors could be disabled and only enabled when network access is explicitly authorized. Alternatively, processes could be implemented to ensure that visitors are escorted at all times in areas with active network jacks.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 9.1.2 Are physical and/or logical controls in place to restrict access to publicly accessible network jacks? For example, network jacks located in public areas and areas accessible to visitors could be disabled and only enabled when network access is explicitly authorized. Alternatively, processes could be implemented to ensure that visitors are escorted at all times in areas with active network jacks.
Modified
p. 25 → 24
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 9.8 (a) Is all media destroyed when it is no longer needed for business or legal reasons? Review periodic media destruction policies and procedures (c) Is media destruction performed as follows:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 9.8 (a) Is all media destroyed when it is no longer needed for business or legal reasons? Review periodic media destruction policies and procedures (c) Is media destruction performed as follows:
Modified
p. 26 → 25
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 9.9.1 (a) Does the list of devices include the following?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 9.9.1 (a) Does the list of devices include the following?
Modified
p. 26 → 25
Interview personnel Observe inspection processes and compare to defined processes (b) Are personnel are aware of procedures for inspecting devices? Interview personnel
Interview personnel Observe inspection processes and compare to defined processes (b) Are personnel aware of procedures for inspecting devices? Interview personnel
Modified
p. 27 → 26
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 9.9.3 Are personnel trained to be aware of attempted tampering or replacement of devices, to include the following?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 9.9.3 Are personnel trained to be aware of attempted tampering or replacement of devices, to include the following?
Modified
p. 28 → 27
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 11.2.2 (a) Are quarterly external vulnerability scans performed? Note: Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SSC).
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 11.2.2 (a) Are quarterly external vulnerability scans performed? Note: Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SSC).
Modified
p. 29 → 28
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 12.1 Is a security policy established, published, maintained, and disseminated to all relevant personnel?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 12.1 Is a security policy established, published, maintained, and disseminated to all relevant personnel?
Modified
p. 30 → 29
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 12.4 Do security policy and procedures clearly define information security responsibilities for all personnel? Review information security policy and procedures Interview a sample of responsible 12.5 (b) Are the following information security management responsibilities formally assigned to an individual or team:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 12.4 Do security policy and procedures clearly define information security responsibilities for all personnel? Review information security policy and procedures Interview a sample of responsible 12.5 (b) Are the following information security management responsibilities formally assigned to an individual or team:
Modified
p. 30 → 29
Review information security policy and procedures 12.6 (a) Is a formal security awareness program in place to make all personnel aware of the importance of cardholder data security? Review security awareness program 12.8 Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows:
Review information security policy and procedures 12.6 (a) Is a formal security awareness program in place to make all personnel aware of the cardholder data security policy and procedures? Review security awareness program 12.8 Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows:
Modified
p. 30
Observe written agreements Review policies and procedures
Observe written agreements Review policies and procedures 12.8.3 Is there an established process for engaging service providers, including proper due diligence prior to engagement?
Removed
p. 31
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 12.8.3 Is there an established process for engaging service providers, including proper due diligence prior to engagement?
Modified
p. 35
Based on the results documented in the SAQ B-IP noted above, the signatories identified in Parts 3b-3d, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document: (check one):
Removed
p. 36
Signature of ISA Date:
Modified
p. 36
Part 3c. QSA Acknowledgement (if applicable) If a QSA was involved or assisted with this assessment, describe the role performed:
Part 3c. Qualified Security Assessor (QSA) Acknowledgement (if applicable) If a QSA was involved or assisted with this assessment, describe the role performed:
Modified
p. 36
Part 3d. ISA Acknowledgement (if applicable) If a ISA was involved or assisted with this assessment, describe the role performed:
Part 3d. Internal Security Assessor (ISA) Involvement (if applicable) If an ISA(s) was involved or assisted with this assessment, identify the ISA personnel and describe the role performed:
Modified
p. 37
PCI DSS Requirement* Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security parameters 3 Protect stored cardholder data Encrypt transmission of cardholder data across open, public networks 6 Develop and maintain secure systems and applications 7 Restrict access to cardholder data by business need to know …
PCI DSS Requirement* Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security parameters 3 Protect stored cardholder data Encrypt transmission of cardholder data across open, public networks 6 Develop and maintain secure systems and applications 7 Restrict access to cardholder data by business need to know …