Document Comparison

PCI_DSS_v3-1_SAQ_C_rev1-1.pdf → PCI-DSS-v3_2-SAQ-C.pdf
83% similar
51 → 55 Pages
11845 → 12548 Words
72 Content Changes

Content Changes

72 content changes. 28 administrative changes (dates, page numbers) hidden.

Added p. 15
• Review system configuration standards (c) Are security parameter settings set appropriately on system components? • Examine system components • Examine security parameter settings • Compare settings to system configuration standards

Note: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed.
Added p. 20
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 4.1 (a) Are strong cryptography and security protocols used to safeguard sensitive cardholder data during transmission over open, public networks? Note: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed.
Added p. 25
• Trace changes to change control documentation • Examine change control documentation • Interview personnel • Observe affected systems or networks

PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 8.1 Are policies and procedures for user identification management controls defined and in place for non-consumer users and administrators on all system components, as follows:
Added p. 27
• Review password procedures • Interview personnel 8.1.5 (a) Are accounts used by third parties to access, support, or maintain system components via remote access enabled only during the time period needed and disabled when not in use?

• Interview personnel • Observe processes 8.1.6 (a) Are repeated access attempts limited by locking out the user ID after no more than six attempts?

• Review password procedures • Examine system configuration settings 8.1.7 Once a user account is locked out, is the lockout duration set to a minimum of 30 minutes or until an administrator enables the user ID?

• Review password procedures • Examine system configuration settings 8.1.8 If a session has been idle for more than 15 minutes, are users required to re-authenticate (for example, re-enter the password) to re-activate the terminal or session?

• Review password procedures • Examine system configuration settings 8.2 In addition to assigning a unique ID, is …
Added p. 28
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 8.2.3 (a) Are user password parameters configured to require passwords/passphrases meet the following? • A minimum password length of at least seven characters • Contain both numeric and alphabetic characters Alternatively, the passwords/passphrases must have complexity and strength at least equivalent to the parameters specified above.

• Examine system configuration settings to verify password parameters 8.2.4 Are user passwords/passphrases changed at least once every 90 days?

• Review password procedures • Examine system configuration settings 8.2.5 Must an individual submit a new password/passphrase that is different from any of the last four passwords/passphrases he or she has used?

• Review password procedures • Sample system components • Examine system configuration settings 8.2.6 Are passwords/passphrases set to a unique value for each user for first-time use and upon reset, and must each user change their password immediately after the …
Added p. 43
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A (c) Are tests performed by a qualified internal resource or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)?

PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 11.5.1 Is a process in place to respond to any alerts generated by the change-detection solution? • Examine system configuration settings
Added p. 49
Appendix A2: Additional PCI DSS Requirements for Entities using SSL/early TLS

PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A A2.1 For POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS:

• Are the devices confirmed to not be susceptible to any known exploits for SSL/early TLS • Is there a formal Risk Mitigation and Migration Plan in place per Requirement A2.2? • Review documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS A2.2 Is there a formal Risk Mitigation and Migration Plan in place for all implementations that use SSL and/or early TLS (other than as allowed in A2.1), that includes:

• Description of usage, including; what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, type …
Added p. 53
Section 3: Validation and Attestation Details Part 3. PCI DSS Validation This AOC is based on results noted in SAQ C (Section 2), dated (SAQ completion date).
Modified p. 4
• Your company has a payment application system and an Internet connection on the same device and/or same local area network (LAN); • The payment application system/Internet device is not connected to any other systems within your environment (this can be achieved via network segmentation to isolate payment application system/Internet device from all other systems); • The physical location of the POS environment is not connected to other premises or locations, and any LAN is for a single location only; …
• Your company has a payment application system and an Internet connection on the same device and/or same local area network (LAN); • The payment application system/Internet device is not connected to any other systems within your environment (this can be achieved via network segmentation to isolate payment application system/Internet device from all other systems); • The physical location of the POS environment is not connected to other premises or locations, and any LAN is for a single location only; …
Modified p. 4
• Section 1 (Part 1 & 2 of the AOC)

• Assessment Information and Executive Summary.
• Section 1 (Parts 1 & 2 of the AOC)

• Assessment Information and Executive Summary.
Modified p. 4
5. Submit the SAQ and Attestation of Compliance, along with any other requested documentation, such as ASV scan reports, to your acquirer, payment brand or other requester.
5. Submit the SAQ and Attestation of Compliance (AOC), along with any other requested documentation, such as ASV scan reports, to your acquirer, payment brand or other requester.
Removed p. 7
ISA Name(s) (if applicable): Title:
Modified p. 10
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 1.2 Do firewall and router configurations restrict connections between untrusted networks and any system in the cardholder data environment as follows:
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 1.2 Do firewall and router configurations restrict connections between untrusted networks and any system in the cardholder data environment as follows:
Modified p. 11
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 1.3 Is direct public access prohibited between the Internet and any system component in the cardholder data environment, as follows:
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 1.3 Is direct public access prohibited between the Internet and any system component in the cardholder data environment, as follows:
Modified p. 11
• Examine firewall and router configurations 1.3.6 Is stateful inspection, also known as dynamic packet filtering, implemented, that is, only established connections are allowed into the network? • Examine firewall and router configurations
• Examine firewall and router configurations 1.3.5 Are only established connections permitted into the network? • Examine firewall and router configurations
Modified p. 12
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 2.1 (a) Are vendor-supplied defaults always changed before installing a system on the network? This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, Simple Network Management Protocol (SNMP) community strings, etc.).
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 2.1 (a) Are vendor-supplied defaults always changed before installing a system on the network? This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, payment applications, Simple Network Management Protocol (SNMP) community strings, etc.).
Modified p. 14
• Examine system configurations (b) If virtualization technologies are used, is only one primary function implemented per virtual system component or device?
• Examine system configurations (b) If virtualization technologies are used, is only one primary function implemented per virtual system component or device? • Examine system configurations
Modified p. 14 → 15
• Examine system configurations 2.2.2 (a) Are only necessary services, protocols, daemons, etc. enabled as required for the function of the system (services and protocols not directly needed to perform the device’s specified function are disabled)? • Review configuration standards • Examine system configurations
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 2.2.2 (a) Are only necessary services, protocols, daemons, etc. enabled as required for the function of the system (services and protocols not directly needed to perform the device’s specified function are disabled)?
Removed p. 15
• Review documentation that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS • Review Risk Mitigation and Migration Plan 2.2.4 (a) Are system administrators and/or personnel that configure system components knowledgeable about common security parameter settings for those system components?
Modified p. 15
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A (b) Are all enabled insecure services, daemons, or protocols justified per documented configuration standards?
• Review configuration standards • Examine system configurations (b) Are all enabled insecure services, daemons, or protocols justified per documented configuration standards?
Modified p. 15
• Review configuration standards • Interview personnel • Examine configuration settings • Compare enabled services, etc. to documented justifications 2.2.3 Are additional security features documented and implemented for any required services, protocols or daemons that are considered to be insecure? For example, use secured technologies such as SSH, S-FTP, TLS, or IPSec VPN to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc.
• Review configuration standards • Interview personnel • Examine configuration settings • Compare enabled services, etc. to documented justifications 2.2.3 Are additional security features documented and implemented for any required services, protocols or daemons that are considered to be insecure? Note: Where SSL/early TLS is used, the requirements in Appendix A2 must be completed.
Modified p. 15
• Review configuration standards • Examine configuration settings If SSL/early TLS is used:
• Review configuration standards • Examine configuration settings 2.2.4 (a) Are system administrators and/or personnel that configure system components knowledgeable about common security parameter settings for those system components?
Modified p. 15
• Interview personnel (b) Are common system security parameters settings included in the system configuration standards? • Review system configuration standards
• Interview personnel (b) Are common system security parameters settings included in the system configuration standards?
Removed p. 16
• Examine system components • Examine security parameter settings • Compare settings to system configuration standards 2.2.5 (a) Has all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers, been removed?

Use technologies such as SSH, VPN, or TLS for web-based management and other non-console administrative access.
Modified p. 16
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A (c) Are security parameter settings set appropriately on system components?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 2.2.5 (a) Has all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers, been removed?
Removed p. 17
Is there documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies the devices are not susceptible to any known exploits for SSL/early TLS? • Review documentation that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS
Modified p. 17 → 16
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A (a) Is all non-console administrative access encrypted with strong cryptography, and is a strong encryption method invoked before the administrator’s password is requested?
(a) Is all non-console administrative access encrypted with strong cryptography, and is a strong encryption method invoked before the administrator’s password is requested?
Modified p. 17 → 16
• Examine system components • Observe an administrator log on (d) For the technology in use, is strong cryptography implemented according to industry best practice and/or vendor recommendations? • Examine system components • Review vendor documentation • Interview personnel (e) For POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS and for which the entity asserts are not susceptible to any known exploits for those protocols:
• Examine system components • Observe an administrator log on (d) For the technology in use, is strong cryptography implemented according to industry best practice and/or vendor recommendations? • Examine system components • Review vendor documentation • Interview personnel
Removed p. 18
Does the documented Risk Mitigation and Migration Plan include the following? • Description of usage, including; what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, type of environment; • Risk assessment results and risk reduction controls in place; • Description of processes to monitor for new vulnerabilities associated with SSL/early TLS; • Description of change control processes that are implemented to ensure SSL/early TLS is not implemented into new environments; • Overview of migration project plan including target migration completion date no later than 30th June 2016.

• Review Risk Mitigation and Migration Plan 2.5 Are security policies and operational procedures for managing vendor defaults and other security parameters:
Modified p. 18 → 17
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A (f) For all other environments using SSL and/or early TLS:
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 2.5 Are security policies and operational procedures for managing vendor defaults and other security parameters:
Modified p. 20 → 19
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 3.2.2 The card verification code or value (three-digit or four- digit number printed on the front or back of a payment card) is not stored after authorization? • Examine data sources including:
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 3.2.2 The card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) is not stored after authorization? • Examine data sources including:
Modified p. 20 → 19
• Incoming transaction data • All logs • History files • Trace files • Database schema • Database contents 3.3 Is the PAN masked when displayed (the first six and last four digits are the maximum number of digits to be displayed) such that only personnel with a legitimate business need can see the full PAN? Note: This requirement does not supersede stricter requirements in place for displays of cardholder data, for example, legal or payment card brand requirements for point-of-sale …
• Incoming transaction data • All logs • History files • Trace files • Database schema • Database contents 3.3 Is the PAN masked when displayed (the first six and last four digits are the maximum number of digits to be displayed) such that only personnel with a legitimate business need can see more than the first six/last four digits of the PAN? Note: This requirement does not supersede stricter requirements in place for displays of cardholder data, for example, legal …
Modified p. 21 → 20
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 4.1 (a) Are strong cryptography and security protocols, such as TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks? Examples of open, public networks include but are not limited to the Internet; wireless technologies, including 802.11 and Bluetooth; cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA); and General Packet Radio Service …
Examples of open, public networks include but are not limited to the Internet; wireless technologies, including 802.11 and Bluetooth; cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA); and General Packet Radio Service (GPRS).
Modified p. 21 → 20
• Examine system configurations (d) Is the proper encryption strength implemented for the encryption methodology in use (check vendor recommendations/best practices)? • Review vendor documentation • Examine system configurations
• Examine system configurations (d) Is the proper encryption strength implemented for the encryption methodology in use (check vendor recommendations/best practices)?
Removed p. 22
Does the documented Risk Mitigation and Migration Plan include the following? • Description of usage, including; what data is being transmitted, types and number of systems that use and/or support SSL/early TLS, type of environment; • Risk assessment results and risk reduction controls in place; • Description of processes to monitor for new vulnerabilities associated with SSL/early TLS; • Description of change control processes that are implemented to ensure SSL/early TLS is not implemented into new environments; • Overview of migration project plan including target migration completion date no later than 30th June 2016.

• Examine system configurations (f) For POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS and for which the entity asserts are not susceptible to any known exploits for those protocols:

Is there documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies the devices are not susceptible to …
Modified p. 22 → 20
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A (e) For TLS implementations, is TLS enabled whenever cardholder data is transmitted or received? For example, for browser-based implementations:
• Review vendor documentation • Examine system configurations (e) For TLS implementations, is TLS enabled whenever cardholder data is transmitted or received? For example, for browser-based implementations:
Modified p. 23 → 21
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 4.1.1 Are industry best practices (for example, IEEE 802.11i) used to implement strong encryption for authentication and transmission for wireless networks transmitting cardholder data or connected to the cardholder data environment? Note: The use of WEP as a security control is prohibited.
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 4.1.1 Are industry best practices used to implement strong encryption for authentication and transmission for wireless networks transmitting cardholder data or connected to the cardholder data environment?
Modified p. 24 → 22
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 5.1 Is anti-virus software deployed on all systems commonly affected by malicious software?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 5.1 Is anti-virus software deployed on all systems commonly affected by malicious software?
Modified p. 25 → 23
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 5.3 Are all anti-virus mechanisms:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 5.3 Are all anti-virus mechanisms:
Modified p. 27 → 25
• Review policies and procedures • Examine system components • Compare list of security patches installed to recent vendor patch lists
• Review policies and procedures • Examine system components • Compare list of security patches installed to recent vendor patch lists 6.4.6 Upon completion of a significant change, are all relevant PCI DSS requirements implemented on all new or changed systems and networks, and documentation updated as applicable? Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement.
Modified p. 28 → 26
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 7.1 Is access to system components and cardholder data limited to only those individuals whose jobs require such access, as follows:
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 7.1 Is access to system components and cardholder data limited to only those individuals whose jobs require such access, as follows:
Modified p. 28 → 26
• Examine written access control policy • Interview personnel • Interview management • Review privileged user IDs 7.1.3 Are access assigned based on individual personnel’s job classification and function? • Examine written access control policy • Interview management • Review user IDs
• Examine written access control policy • Interview personnel • Interview management • Review privileged user IDs 7.1.3 Is access assigned based on individual personnel’s job classification and function? • Examine written access control policy • Interview management • Review user IDs
Removed p. 29
Examples of two-factor technologies include remote authentication and dial-in service (RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens; and other technologies that facilitate two-factor authentication.

• Review policies and procedures • Examine system configurations • Observe personnel
Modified p. 29 → 27
• Review password procedures • Interview personnel • Observe processes (b) Are vendor remote access accounts monitored when in use?
• Review password procedures • Interview personnel • Observe processes (b) Are third party remote access accounts monitored when in use?
Modified p. 29 → 28
• Interview personnel • Observe processes 8.3 Is two-factor authentication incorporated for remote network access originating from outside the network by personnel (including users and administrators) and all third parties (including vendor access for support or maintenance)? Note: Two-factor authentication requires that two of the three authentication methods (see PCI DSS Requirement 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered two-factor authentication.
Note: Multi-factor authentication requires that a minimum of two of the three authentication methods (see PCI DSS Requirement 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered multi-factor authentication.
Modified p. 29 → 30
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 8.1.5 (a) Are accounts used by vendors to access, support, or maintain system components via remote access enabled only during the time period needed and disabled when not in use?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 8.5 Are group, shared, or generic accounts, passwords, or other authentication methods prohibited as follows:
Modified p. 30 → 31
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 9.1.2 Are physical and/or logical controls in place to restrict access to publicly accessible network jacks? For example, network jacks located in public areas and areas accessible to visitors could be disabled and only enabled when network access is explicitly authorized. Alternatively, processes could be implemented to ensure that visitors are escorted at all times in areas with active network jacks.
• Review data retention processes • Observe data storage • Interview security personnel 9.1.2 Are physical and/or logical controls in place to restrict access to publicly accessible network jacks? For example, network jacks located in public areas and areas accessible to visitors could be disabled and only enabled when network access is explicitly authorized. Alternatively, processes could be implemented to ensure that visitors are escorted at all times in areas with active network jacks.
Modified p. 30 → 32
• Review policies and procedures • Interview personnel • Observe locations 9.5 Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? For purposes of Requirement 9, “media” refers to all paper and electronic media containing cardholder data.
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 9.5 Are all media physically secured (including but not limited to computers, removable electronic media, paper receipts, paper reports, and faxes)? For purposes of Requirement 9, “media” refers to all paper and electronic media containing cardholder data.
Modified p. 30 → 32
• Interview personnel • Examine media distribution tracking logs and documentation 9.7 Is strict control maintained over the storage and accessibility of media? • Review policies and procedures
• Interview personnel • Examine media distribution tracking logs and documentation 9.7 Is strict control maintained over the storage and accessibility of media?
Modified p. 31 → 32
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 9.8 (a) Is all media destroyed when it is no longer needed for business or legal reasons? • Review periodic media destruction policies and procedures (c) Is media destruction performed as follows:
• Review policies and procedures 9.8 (a) Is all media destroyed when it is no longer needed for business or legal reasons? • Review periodic media destruction policies and procedures (c) Is media destruction performed as follows:
Modified p. 31 → 33
• Review periodic media destruction policies and procedures • Interview personnel • Observe processes (b) Are storage containers used for materials that contain information to be destroyed secured to prevent access to the contents?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A (b) Are storage containers used for materials that contain information to be destroyed secured to prevent access to the contents?
Modified p. 31 → 33
• Review policies and procedures (c) Do policies and procedures require that personnel are trained to be aware of suspicious behavior and to report tampering or substitution of devices? • Review policies and procedures
• Review policies and procedures (c) Do policies and procedures require that personnel are trained to be aware of suspicious behavior and to report tampering or substitution of devices?
Modified p. 32 → 33
• Make, model of device • Location of device (for example, the address of the site or facility where the device is located) • Device serial number or other method of unique identification • Examine the list of devices (b) Is the list accurate and up to date? • Observe devices and device locations and compare to list (c) Is the list of devices updated when devices are added, relocated, decommissioned, etc.?
• Make, model of device • Location of device (for example, the address of the site or facility where the device is located) • Device serial number or other method of unique identification • Examine the list of devices (b) Is the list accurate and up to date? • Observe devices and device locations and compare to list (c) Is the list of devices updated when devices are added, relocated, decommissioned, etc.? • Interview personnel
Modified p. 32 → 34
• Interview personnel 9.9.2 (a) Are device surfaces periodically inspected to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device) as follows? Note: Examples of signs that a device might have been tampered with or substituted include unexpected attachments or cables plugged into the device, missing or changed security labels, broken or differently colored casing, …
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A 9.9.2 (a) Are device surfaces periodically inspected to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device) as follows? Note: Examples of signs that a device might have been tampered with or substituted include unexpected attachments or cables …
Modified p. 32 → 34
• Interview personnel • Observe inspection processes and compare to defined processes (b) Are personnel are aware of procedures for inspecting devices? • Interview personnel
• Interview personnel • Observe inspection processes and compare to defined processes (b) Are personnel aware of procedures for inspecting devices?
Modified p. 32 → 35
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 9.9.1 (a) Does the list of devices include the following?
PCI DSS Question Expected Testing Response (Check one response for each question) Yes with CCW No N/A (b) Have personnel at point-of-sale locations received training, and are they aware of procedures to detect and report attempted tampering or replacement of devices? • Interview personnel at POS locations
Removed p. 33
• Review training materials (b) Have personnel at point-of-sale locations received training, and are they aware of procedures to detect and report attempted tampering or replacement of devices? • Interview personnel at POS locations
Modified p. 33 → 34
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 9.9.3 Are personnel trained to be aware of attempted tampering or replacement of devices, to include the following? (c) Do training materials for personnel at point-of-sale locations include the following? • Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices. • Do not install, replace, or return devices without verification. …
(a) Do training materials for personnel at point-of-sale locations include the following? • Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices. • Do not install, replace, or return devices without verification. • Be aware of suspicious behavior around devices (for example, attempts by unknown persons to unplug or open devices). • Report suspicious behavior and indications of device tampering or substitution to appropriate personnel …
Modified p. 35 → 37
• All security events • Logs of all system components that store, process, or transmit CHD and/or SAD • Logs of all critical system components • Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.) • Review security policies and procedures • Observe processes • Interview personnel 10.6.2 (b) Are logs of all other system components periodically

•either manually or via log tools

•based on the …
• All security events • Logs of all system components that store, process, or transmit CHD and/or SAD • Logs of all critical system components • Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.) • Review security policies and procedures • Observe processes • Interview personnel 10.6.2 (b) Are logs of all other system components periodically reviewed

•either manually or via log tools

•based on …
Modified p. 39 → 41
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 11.2.1 (a) Are quarterly internal vulnerability scans performed? • Review scan reports (b) Does the quarterly internal scan process include rescans as needed until all “high-risk” vulnerabilities as defined in PCI DSS Requirement 6.1 are resolved?
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 11.2.1 (a) Are quarterly internal vulnerability scans performed? • Review scan reports (b) Does the quarterly internal scan process address all “high risk” vulnerabilities and include rescans to verify all “high-risk” vulnerabilities (as defined in PCI DSS Requirement 6.1) are resolved?
Modified p. 39 → 41
• Review results from the four most recent quarters of external vulnerability scans (b) Do external quarterly scan and rescan results satisfy the ASV Program Guide requirements for a passing scan (for example, no vulnerabilities rated 4.0 or higher by the CVSS, and no automatic failures)? • Review results of each external quarterly scan and rescan (c) Are quarterly external vulnerability scans performed by a
• Review results from the four most recent quarters of external vulnerability scans (b) Do external quarterly scan and rescan results satisfy the ASV Program Guide requirements for a passing scan (for example, no vulnerabilities rated 4.0 or higher by the CVSS, and no automatic failures)?
Modified p. 39 → 41
PCI SSC Approved Scanning Vendor (ASV? • Review results of each external quarterly scan and rescan
• Review results of each external quarterly scan and rescan (c) Are quarterly external vulnerability scans performed by a PCI SSC Approved Scanning Vendor (ASV? • Review results of each external quarterly scan and rescan
Modified p. 41 → 43
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 11.5 (a) Is a change-detection mechanism (for example, file-integrity monitoring tools) deployed within the cardholder data environment to detect unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files? Examples of files that should be monitored include:
• Interview responsible personnel 11.5 (a) Is a change-detection mechanism (for example, file-integrity monitoring tools) deployed to detect unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files? Examples of files that should be monitored include:
Modified p. 41 → 43
• System executables • Application executables • Configuration and parameter files • Centrally stored, historical or archived, log, and audit files • Additional critical files determined by entity (for example, through risk assessment or other means) • Observe system settings and monitored files • Examine system configuration settings (b) Is the change-detection mechanism configured to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files or content files, and do the tools perform critical …
• System executables • Application executables • Configuration and parameter files • Centrally stored, historical or archived, log, and audit • Additional critical files determined by entity (for example, through risk assessment or other means) • Observe system settings and monitored files • Examine system configuration settings (b) Is the change-detection mechanism configured to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files or content files, and do the tools perform critical file …
Modified p. 41 → 43
• Observe system settings and monitored files • Review results from monitoring activities 11.5.1 Is a process in place to respond to any alerts generated by the change-detection solution? • Examine system configuration settings
• Observe system settings and monitored files • Review results from monitoring activities
Modified p. 42 → 45
Note: For the purposes of Requirement 12, “personnel” refers to full-time part-time employees, temporary employees and personnel, and contractors and consultants who are “resident” on the entity’s site or otherwise have access to the company’s site cardholder data environment.
Requirement 12: Maintain a policy that addresses information security for all personnel Note: For the purposes of Requirement 12, “personnel” refers to full-time part-time employees, temporary employees and personnel, and contractors and consultants who are “resident” on the entity’s site or otherwise have access to the company’s site cardholder data environment.
Modified p. 43 → 46
• Review information security policy and procedures 12.6 (a) Is a formal security awareness program in place to make all personnel aware of the importance of cardholder data security? • Review security awareness program 12.8 Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows:
• Review information security policy and procedures 12.6 (a) Is a formal security awareness program in place to make all personnel aware of the cardholder data security policy and procedures? • Review security awareness program 12.8 Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows:
Modified p. 49 → 53
Section 3: Validation and Attestation Details Part 3. PCI DSS Validation Based on the results noted in the SAQ C dated (completion date), the signatories identified in Parts 3b-3d, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document as of (date): (check one):
Based on the results documented in the SAQ C noted above, the signatories identified in Parts 3b-3d, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document: (check one):
Removed p. 50
Signature of ISA  Date:
Modified p. 50 → 54
Part 3c. QSA Acknowledgement (if applicable) If a QSA was involved or assisted with this assessment, describe the role performed:
Part 3c. Qualified Security Assessor (QSA) Acknowledgement (if applicable) If a QSA was involved or assisted with this assessment, describe the role performed:
Modified p. 50 → 54
Part 3d. ISA Acknowledgement (if applicable) If a ISA was involved or assisted with this assessment, describe the role performed:
Part 3d. Internal Security Assessor (ISA) Involvement (if applicable) If an ISA(s) was involved or assisted with this assessment, identify the ISA personnel and describe the role performed:
Modified p. 51 → 55
PCI DSS Requirement* Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security parameters 3 Protect stored cardholder data Encrypt transmission of cardholder data across open, public networks Protect all systems against malware and regularly update anti-virus software or programs 6 Develop and maintain secure systems and …
PCI DSS Requirement* Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security parameters 3 Protect stored cardholder data 4 Encrypt transmission of cardholder data across open, public networks Protect all systems against malware and regularly update anti-virus software or programs 6 Develop and maintain secure …