Document Comparison
SAQ_B-IP_v3.pdf → PCI_DSS_v3-1_SAQ_B-IP_rev1-1.pdf
90% similar
Pages: 35 → 37
Words: 8069 → 8955
Content changes: 26

Content Changes
26 content changes. 24 administrative changes (dates, page numbers) hidden.
Added
p. 2
July 2015 3.1 1.1 Updated to remove references to “best practices” prior to June 30, 2015.
Added
p. 8
Type of facility | Number of facilities of this type | Location(s) of facility (e.g. city, country)
Example: Retail outlets | 3 | Boston, MA, USA
Part 2d. Payment Application
Does the organization use one or more Payment Applications? Yes / No
Provide the following information regarding the Payment Applications your organization uses:
Added
p. 14
Note: SSL and early TLS are not considered strong cryptography and cannot be used as a security control after 30th June, 2016. Prior to this date, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place.
Effective immediately, new implementations must not use SSL or early TLS.
POS POI terminals (and the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any known exploits for SSL and early TLS may continue using these as a security control after 30th June, 2016.
Is there documentation (for example, vendor documentation, system/network configuration details, etc.) that verifies the devices are not susceptible to any known exploits for SSL/early TLS? | Review documentation that verifies POS POI devices are not susceptible to any known exploits for SSL/early TLS
(f) For all other environments using SSL and/or early TLS:
Does the documented Risk …
Added
p. 31
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 12.8.3 Is there an established process for engaging service providers, including proper due diligence prior to engagement?
Modified
p. 2
February 2014 3.0 New SAQ to address requirements applicable to merchants who process cardholder data only via standalone, PTS-approved point-of-interaction devices with an IP connection to the payment processor.
February 2014 3.0 New SAQ to address requirements applicable to merchants who process cardholder data only via standalone, PTS- approved point-of-interaction devices with an IP connection to the payment processor.
Modified
p. 14
Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
Use technologies such as SSH, VPN, or TLS for web- based management and other non-console administrative access.
Modified
p. 14
Examine system components Examine system configurations Observe an administrator log on (b) Are system services and parameter files configured to prevent the use of Telnet and other insecure remote login commands?
Examine system components Examine system configurations Observe an administrator log on (b) Are system services and parameter files configured to prevent the use of Telnet and other insecure remote login commands? Examine system components Examine services and files
Modified
p. 14 → 15
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A (c) Is administrator access to web-based management interfaces encrypted with strong cryptography?
Modified
p. 14 → 15
Examine system components Observe an administrator log on (d) For the technology in use, is strong cryptography implemented according to industry best practice and/or vendor recommendations? Examine system components Review vendor documentation Interview personnel
Examine system components Observe an administrator log on (d) For the technology in use, is strong cryptography implemented according to industry best practice and/or vendor recommendations? Examine system components Review vendor documentation Interview personnel (e) For POS POI terminals (and the SSL/TLS termination points to which they connect) using SSL and/or early TLS and for which the entity asserts are not susceptible to any known exploits for those protocols:
Removed
p. 15
Incoming transaction data All logs History files Trace files Database schema Database contents 3.2.2 The card verification code or value (three-digit or four- digit number printed on the front or back of a payment card) is not stored after authorization? Examine data sources including:
Modified
p. 16 → 17
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 3.2.3 The personal identification number (PIN) or the encrypted PIN block is not stored after authorization? Examine data sources including:
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 3.2.2 The card verification code or value (three-digit or four- digit number printed on the front or back of a payment card) is not stored after authorization? Examine data sources including:
Modified
p. 17 → 18
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 4.1 (a) Are strong cryptography and security protocols, such as SSL/TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks? Examples of open, public networks include but are not limited to the Internet; wireless technologies, including 802.11 and Bluetooth; cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA); and General Packet Radio Service …
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 4.1 (a) Are strong cryptography and security protocols, such as TLS, SSH or IPSEC, used to safeguard sensitive cardholder data during transmission over open, public networks? Examples of open, public networks include but are not limited to the Internet; wireless technologies, including 802.11 and Bluetooth; cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA); and General Packet Radio Service …
Modified
p. 17 → 18
Review documented standards Review policies and procedures Review all locations where CHD is transmitted or received Examine system configurations (b) Are only trusted keys and/or certificates accepted?
Review documented standards Review policies and procedures Review all locations where CHD is transmitted or received Examine system configurations (b) Are only trusted keys and/or certificates accepted? Observe inbound and outbound transmissions Examine keys and certificates (c) Are security protocols implemented to use only secure configurations, and to not support insecure versions or configurations?
Modified
p. 17 → 18
Examine system configurations (d) Is the proper encryption strength implemented for the encryption methodology in use (check vendor recommendations/best practices)?
Examine system configurations (d) Is the proper encryption strength implemented for the encryption methodology in use (check vendor recommendations/best practices)? Review vendor documentation Examine system configurations
Modified
p. 17 → 19
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A (e) For TLS implementations, is TLS enabled whenever cardholder data is transmitted or received? For example, for browser-based implementations:
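The p. 14 note and 4.1(c) above both turn on one question a QSA or merchant has to answer for each SSL/TLS termination point: does it still accept SSL or early TLS? The following script is an added example, not text or code from either SAQ or from PCI SSC. It sends a ClientHello that advertises exactly one protocol version and classifies the server's first record (a ServerHello means that version was accepted; a protocol_version alert means it was refused). The sample ServerHello and alert bytes at the bottom are constructed, not captures, so the classifier can be exercised offline; the policy line `MIN_STRONG` (TLS 1.2 as the floor, so TLS 1.1 fails as well as TLS 1.0 and SSL) is this script's own choice and is broader than the SAQ's "early TLS" wording.

```python
"""Probe a TLS termination point for SSL/early TLS acceptance.

Added example for the SAQ's SSL/early TLS questions; not PCI SSC code.
Offline: classify constructed ServerHello/Alert bytes.
Online (optional): probe(host, port, version) sends a version-specific ClientHello.
"""
import os
import socket
import struct

# Wire versions (major, minor) as carried in the record and handshake headers.
VERSIONS = {
    (3, 0): "SSLv3",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
}

# Policy used by this script: anything below TLS 1.2 fails. PCI SSC's 2015
# guidance names TLS 1.0 as "early TLS"; TLS 1.1 is included here as well
# (RFC 8996 deprecates both). That widening is this script's assumption.
MIN_STRONG = (3, 3)


def build_client_hello(version, cipher_suites=(0x002F, 0x0035, 0x000A)):
    """Minimal ClientHello whose client_version is exactly `version`.

    AES128-SHA, AES256-SHA and 3DES-SHA are valid in TLS 1.0 through 1.2, so a
    refusal is about the version, not the suites. No extensions are sent, so
    TLS 1.3 is never offered; a TLS 1.3-only server will refuse every probe.
    """
    major, minor = version
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        bytes([major, minor])
        + os.urandom(32)                              # client random
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                                 # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Interpret the first TLS record the server returns.

    Returns (negotiated version name or None, verdict string).
    """
    if len(data) < 5:
        return None, "no usable response"
    content_type = data[0]
    rec_len = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rec_len]
    if content_type == 0x15:                          # Alert record
        desc = payload[1] if len(payload) >= 2 else -1
        if desc == 70:                                # AlertDescription protocol_version
            return None, "refused: protocol_version alert"
        return None, "refused: alert %d" % desc
    if content_type == 0x16 and len(payload) >= 6 and payload[0] == 0x02:   # ServerHello
        ver = (payload[4], payload[5])                # server_version follows the 4-byte handshake header
        name = VERSIONS.get(ver, "unknown %r" % (ver,))
        verdict = "strong" if ver >= MIN_STRONG else "FAIL: SSL/early TLS accepted"
        return name, verdict
    return None, "unexpected record type %d" % content_type


def probe(host, port, version, timeout=5.0):
    """Send a ClientHello for `version` and classify the reply (needs network)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(version))
        data = b""
        # Read until the first record is complete (5-byte header + declared length).
        while len(data) < 5 or len(data) < 5 + struct.unpack("!H", data[3:5])[0]:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return classify_response(data)


# Constructed sample responses (not captures) so the classifier runs offline.
def make_server_hello(version):
    # server_version, 32-byte random, empty session id, AES128-SHA, null compression
    body = bytes(version) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(hs)) + hs


ALERT_PROTOCOL_VERSION = b"\x15\x03\x03\x00\x02\x02\x46"   # level fatal(2), protocol_version(70)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                            # usage: python tlsprobe.py HOST PORT
        for v in sorted(VERSIONS):
            print(VERSIONS[v], "->", probe(sys.argv[1], int(sys.argv[2]), v))
    else:
        for sample in (make_server_hello((3, 1)), make_server_hello((3, 3)), ALERT_PROTOCOL_VERSION):
            print(classify_response(sample))
```

Run it against each termination point a POI terminal connects to, once per version; a "FAIL" line for SSLv3, TLS 1.0 or TLS 1.1 is the evidence the "not susceptible to any known exploits" assertion has to overcome, and a protocol_version alert for all three is what the documentation for 4.1(c) should reflect. The probe deliberately does not send extensions, so it reports what the server negotiates with a minimal legacy client, which is the client population the migration note is about.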
Removed
p. 23
Note: Requirement 9.9 is a best practice until June 30, 2015, after which it becomes a requirement.
Modified
p. 23 → 25
(a) Do policies and procedures require that a list of such devices maintained?
(a) Do policies and procedures require that a list of such devices be maintained?
Modified
p. 24 → 26
Make, model of device Location of device (for example, the address of the site or facility where the device is located) Device serial number or other method of unique identification Examine the list of devices (b) Is the list accurate and up to date? Observe device locations and compare to list (c) Is the list of devices updated when devices are added, relocated, decommissioned, etc.?
Make, model of device Location of device (for example, the address of the site or facility where the device is located) Device serial number or other method of unique identification Examine the list of devices (b) Is the list accurate and up to date? Observe devices and device locations and compare to list (c) Is the list of devices updated when devices are added, relocated, decommissioned, etc.?
Modified
p. 27 → 29
Review the information security policy 12.1.1 Is the security policy reviewed at least annually and updated when the environment changes? Review the information security policy Interview responsible personnel 12.3 Are usage policies for critical technologies developed to define proper use of these technologies and require the following:
Review the information security 12.1.1 Is the security policy reviewed at least annually and updated when the environment changes? Review the information security Interview responsible personnel 12.3 Are usage policies for critical technologies developed to define proper use of these technologies and require the following:
Modified
p. 27 → 29
Review usage policies Interview responsible personnel 12.3.3 A list of all such devices and personnel with access? Review usage policies Interview responsible personnel 12.3.5 Acceptable uses of the technologies? Review usage policies Interview responsible personnel 12.3.9 Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use?
Review usage policies Interview responsible personnel 12.3.3 A list of all such devices and personnel with access? Review usage policies Interview responsible personnel 12.3.5 Acceptable uses of the technologies? Review usage policies Interview responsible personnel 12.3.9 Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use? Review usage policies Interview responsible personnel
Modified
p. 27 → 30
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 12.4 Do security policy and procedures clearly define information security responsibilities for all personnel? Review information security policy and procedures Interview a sample of responsible 12.5 (b) Are the following information security management responsibilities formally assigned to an individual or team:
Removed
p. 28
PCI DSS Question Expected Testing Response (Check one response for each question) CCW No N/A 12.5 (b) Are the following information security management responsibilities formally assigned to an individual or team:
Observe written agreements Review policies and procedures 12.8.3 Is there an established process for engaging service providers, including proper due diligence prior to engagement? Observe processes Review policies and procedures and supporting documentation
Modified
p. 29 → 31
Observe processes Review policies and procedures and supporting documentation 12.8.4 Is a program maintained to monitor service providers’ PCI DSS compliance status at least annually?
Modified
p. 34 → 36
Signature of QSA Date:
Signature of Duly Authorized Officer of QSA Company Date:
Modified
p. 34 → 36
Duly Authorized Officer Name: QSA Company:
Modified
p. 35 → 37
PCI DSS Requirement Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security parameters 3 Protect stored cardholder data Encrypt transmission of cardholder data across open, public networks 6 Develop and maintain secure systems and applications 7 Restrict access to cardholder data by business need to know …
PCI DSS Requirement* Description of Requirement Compliant to PCI DSS Requirements (Select One) Remediation Date and Actions (If “NO” selected for any Requirement) YES NO Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security parameters 3 Protect stored cardholder data Encrypt transmission of cardholder data across open, public networks 6 Develop and maintain secure systems and applications 7 Restrict access to cardholder data by business need to know …